Started to improve logging/error handling in SHIRE (fixed init())
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 31 Jul 2002 22:04:21 +0000 (22:04 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 31 Jul 2002 22:04:21 +0000 (22:04 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@243 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/common/OriginSiteMapperException.java [new file with mode: 0644]
src/edu/internet2/middleware/shibboleth/shire/ShireServlet.java
src/edu/internet2/middleware/shibboleth/shire/XMLOriginSiteMapper.java

diff --git a/src/edu/internet2/middleware/shibboleth/common/OriginSiteMapperException.java b/src/edu/internet2/middleware/shibboleth/common/OriginSiteMapperException.java
new file mode 100644 (file)
index 0000000..e0219e2
--- /dev/null
@@ -0,0 +1,65 @@
+/* 
+ * The OpenSAML License, Version 1. 
+ * Copyright (c) 2002 
+ * University Corporation for Advanced Internet Development, Inc. 
+ * All rights reserved
+ * 
+ * 
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice, this 
+ * list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice, 
+ * this list of conditions and the following disclaimer in the documentation 
+ * and/or other materials provided with the distribution, if any, must include 
+ * the following acknowledgment: "This product includes software developed by 
+ * the University Corporation for Advanced Internet Development 
+ * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement 
+ * may appear in the software itself, if and wherever such third-party 
+ * acknowledgments normally appear.
+ * 
+ * Neither the name of OpenSAML nor the names of its contributors, nor 
+ * Internet2, nor the University Corporation for Advanced Internet Development, 
+ * Inc., nor UCAID may be used to endorse or promote products derived from this 
+ * software without specific prior written permission. For written permission, 
+ * please contact opensaml@opensaml.org
+ * 
+ * Products derived from this software may not be called OpenSAML, Internet2, 
+ * UCAID, or the University Corporation for Advanced Internet Development, nor 
+ * may OpenSAML appear in their name, without prior written permission of the 
+ * University Corporation for Advanced Internet Development.
+ * 
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
+ * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 
+ * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK 
+ * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. 
+ * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY 
+ * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, 
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+ package edu.internet2.middleware.shibboleth.common;
+
+/**
+ * Signals that an error occurred while creating or using an <code>OriginSiteMapper</code>
+ * 
+ * @author Walter Hoehn wassa&#064;columbia.edu
+ *
+ */
+public class OriginSiteMapperException extends Exception {
+       
+       public OriginSiteMapperException(String message) {
+               super(message);
+       }
+
+}
+
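Review bot: The new exception type offers only a `String` constructor, so the catch blocks in XMLOriginSiteMapper's constructor (later in this commit) can only glue `e.getMessage()` onto a string and the original SAXException/IOException/signature exception and its stack trace are lost at the point that matters most for diagnosing a failed registry verification. If the build targets Java 1.4 or later, add a chaining constructor `public OriginSiteMapperException(String message, Throwable cause) { super(message, cause); }` and have the callers pass the caught exception as the cause instead of its message. The message-only constructor can stay for backward compatibility.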
index 8be7a1f..20d3688 100755 (executable)
 
 package edu.internet2.middleware.shibboleth.shire;
 
-import edu.internet2.middleware.shibboleth.common.*;
-
-import java.io.*;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.PrintWriter;
 import java.security.Key;
 import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
-import java.text.*;
-import javax.servlet.*;
-import javax.servlet.http.*;
-import org.doomdark.uuid.*;
-import org.opensaml.*;
+import java.security.cert.CertificateException;
+
+import javax.servlet.ServletException;
+import javax.servlet.UnavailableException;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpUtils;
+
+import org.apache.log4j.Logger;
+import org.doomdark.uuid.UUIDGenerator;
+import org.opensaml.SAMLAuthenticationStatement;
+import org.opensaml.SAMLAuthorityBinding;
+import org.opensaml.SAMLException;
+import org.opensaml.SAMLResponse;
+
+import edu.internet2.middleware.shibboleth.common.Constants;
+import edu.internet2.middleware.shibboleth.common.OriginSiteMapperException;
+import edu.internet2.middleware.shibboleth.common.ShibPOSTProfile;
+import edu.internet2.middleware.shibboleth.common.ShibPOSTProfileFactory;
 
 /**
  *  Implements a SAML POST profile consumer
@@ -69,14 +89,23 @@ import org.opensaml.*;
  */
 public class ShireServlet extends HttpServlet
 {
-    private String shireLocation = null;
-    private String cookieName = null;
-    private String cookieDomain = null;
-    private String sessionDir = null;
+       
+    private String shireLocation;
+    private String cookieName;
+    private String cookieDomain;
+    private String sessionDir;
+    private String keyStorePath;
+    private String keyStorePasswd;
+    private String keyStoreAlias;
+    private String registryURI;
     private boolean sslOnly = true;
     private boolean checkAddress = true;
     private boolean verbose = false;
+
+    
     private XMLOriginSiteMapper mapper = null;
+       private static Logger log = Logger.getLogger(ShireServlet.class.getName());
+       
 
     private static void HTMLFormat(PrintWriter pw, String buf)
     {
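Review bot: The new `keyStorePasswd` field keeps the keystore password as an immutable String for the servlet's entire lifetime, although in the visible part of this commit it is consumed exactly once, at `ks.load(...)` in init(). Unless the request-handling code outside this hunk needs it, read the parameter into a local in init(), pass `toCharArray()` to `load`, and zero that array afterwards so the secret is not retained in the heap (and in any heap dump) longer than necessary. Separately, `private static Logger log` is assigned once and should be `private static final Logger log`.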
@@ -124,79 +153,117 @@ public class ShireServlet extends HttpServlet
      *    <DD> Verbosity of redirection response</DD>
      *  </DL>
      *
-     *
-     * @exception  ServletException  Raised if the servlet cannot be initialized
      */
     public void init()
         throws ServletException
     {
+       super.init();
+       log.info("Initializing SHIRE.");
+                       
         edu.internet2.middleware.shibboleth.common.Init.init();
 
-        ServletConfig conf = getServletConfig();
-
-        shireLocation = conf.getInitParameter("shire-location");
-        cookieDomain = conf.getInitParameter("cookie-domain");
-
-        cookieName = conf.getInitParameter("cookie-name");
-        if (cookieName == null)
-            throw new ServletException("ShireServlet.init() missing init parameter: cookie-name");
-
-        sessionDir = conf.getInitParameter("session-dir");
-        if (sessionDir == null)
-            sessionDir = "/tmp";
-
-        String temp = conf.getInitParameter("ssl-only");
-        if (temp != null && (temp.equalsIgnoreCase("false") || temp.equals("0")))
-            sslOnly = false;
+               loadInitParams();
+               verifyConfig();
 
-        temp = conf.getInitParameter("check-address");
-        if (temp != null && (temp.equalsIgnoreCase("false") || temp.equals("0")))
-            checkAddress = false;
-
-        temp = conf.getInitParameter("verbose");
-        if (temp != null && (temp.equalsIgnoreCase("true") || temp.equals("1")))
-            verbose = true;
-
-        try
-        {
+               log.info("Loading keystore.");
+               try {       
             Key k = null;
             KeyStore ks = KeyStore.getInstance("JKS");
-            ks.load(conf.getServletContext().getResourceAsStream(conf.getInitParameter("keystore-path")),
-                    conf.getInitParameter("keystore-password").toCharArray());
-            if (conf.getInitParameter("keystore-alias") != null)
+                               ks.load(getServletContext().getResourceAsStream(keyStorePath), keyStorePasswd.toCharArray());
+
+            if (keyStoreAlias != null)
             {
-                Certificate cert = ks.getCertificate(conf.getInitParameter("keystore-alias"));
-                if (cert == null || (k = cert.getPublicKey()) == null)
-                    throw new ServletException("ShireServlet.init() unable to find registry verification certificate/key");
+                Certificate cert;
+                               cert = ks.getCertificate(keyStoreAlias);
+                                                       
+                if (cert == null || (k = cert.getPublicKey()) == null) {
+                       log.fatal("Unable to load registry verification certificate (" +keyStoreAlias +") from keystore");
+                    throw new UnavailableException("Unable to load registry verification certificate (" +keyStoreAlias +") from keystore");
+                }
             }
-            mapper = new XMLOriginSiteMapper(conf.getInitParameter("registry-uri"), k, ks);
-        }
-        catch (java.security.KeyStoreException e)
-        {
-            throw new ServletException("ShireServlet.init() unable to load Java keystore");
-        }
-        catch (java.security.NoSuchAlgorithmException e)
-        {
-            throw new ServletException("ShireServlet.init() unable to load Java keystore");
-        }
-        catch (java.security.cert.CertificateException e)
-        {
-            throw new ServletException("ShireServlet.init() unable to load Java keystore");
-        }
-        catch (FileNotFoundException e)
-        {
-            throw new ServletException("ShireServlet.init() unable to locate Java keystore");
-        }
-        catch (IOException e)
-        {
-            throw new ServletException("ShireServlet.init() unable to load Java keystore");
-        }
-        catch (Exception e)
-        {
-            throw new ServletException("ShireServlet.init() unable to load origin site registry: " + e.getMessage());
-        }
+            
+               log.info("Loading shibboleth site information.");
+               mapper = new XMLOriginSiteMapper(registryURI, k, ks);
+                       
+               } catch (OriginSiteMapperException e) {
+                       log.fatal("Unable load shibboleth site information." + e.getMessage());
+                       throw new UnavailableException("Unable load shibboleth site information." + e.getMessage());
+               } catch (KeyStoreException e) {
+                       log.fatal("Unable supplied keystore." + e.getMessage());
+                       throw new UnavailableException("Unable load supplied keystore." + e.getMessage());
+               } catch (NoSuchAlgorithmException e) {
+                       log.fatal("Unable supplied keystore." + e.getMessage());
+                       throw new UnavailableException("Unable load supplied keystore." + e.getMessage());
+               } catch (CertificateException e) {
+                       log.fatal("Unable supplied keystore." + e.getMessage());
+                       throw new UnavailableException("Unable load supplied keystore." + e.getMessage());
+               } catch (IOException e) {
+                       log.fatal("Unable supplied keystore." + e.getMessage());
+                       throw new UnavailableException("Unable load supplied keystore." + e.getMessage());
+               }
+   
     }
 
+       /**
+        * Method verifyConfig.
+        */
+       private void verifyConfig() throws UnavailableException {
+               
+               if (cookieName == null) {
+                       log.fatal("Init parameter (cookie-name) is required in deployment descriptor.");
+            throw new UnavailableException("Init parameter (cookie-name) is required in deployment descriptor.");
+               }
+               
+               if (registryURI == null) {
+                       log.fatal("Init parameter (registry-uri) is required in deployment descriptor.");
+            throw new UnavailableException("Init parameter (registry-uri) is required in deployment descriptor.");
+               }
+               
+               if (keyStorePath == null) {
+                       log.fatal("Init parameter (keystore-path) is required in deployment descriptor.");
+            throw new UnavailableException("Init parameter (keystore-path) is required in deployment descriptor.");
+               }
+               
+               if (keyStorePasswd == null) {
+                       log.fatal("Init parameter (keystore-password) is required in deployment descriptor.");
+            throw new UnavailableException("Init parameter (keystore-password) is required in deployment descriptor.");
+               }
+
+       }
+
+
+       private void loadInitParams() {
+               
+               log.info("Loading configuration from deployment descriptor (web.xml).");
+               
+               shireLocation = getServletConfig().getInitParameter("shire-location");
+               cookieDomain = getServletConfig().getInitParameter("cookie-domain");
+               cookieName = getServletConfig().getInitParameter("cookie-name");        
+               keyStorePath = getServletConfig().getInitParameter("keystore-path");
+               keyStorePasswd = getServletConfig().getInitParameter("keystore-password");
+               keyStoreAlias = getServletConfig().getInitParameter("keystore-alias");
+               registryURI = getServletConfig().getInitParameter("registry-uri");
+               
+               sessionDir = getServletConfig().getInitParameter("session-dir");
+               if (sessionDir == null) {       
+                   sessionDir = "/tmp";
+                   log.warn("No session-dir parameter found... using default location: (" + sessionDir +").");
+               }      
+               
+               String temp = getServletConfig().getInitParameter("ssl-only");
+               if (temp != null && (temp.equalsIgnoreCase("false") || temp.equals("0")))
+                   sslOnly = false;
+               
+               temp = getServletConfig().getInitParameter("check-address");
+               if (temp != null && (temp.equalsIgnoreCase("false") || temp.equals("0")))
+                   checkAddress = false;
+               
+               temp = getServletConfig().getInitParameter("verbose");
+               if (temp != null && (temp.equalsIgnoreCase("true") || temp.equals("1")))
+                   verbose = true;
+                   
+       }
+
     /**
      *  Processes a sign-on submission<P>
      *
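Review bot: The `ks.load(getServletContext().getResourceAsStream(keyStorePath), ...)` line has a silent failure mode: `getResourceAsStream` returns null for a path that does not resolve, and `KeyStore.load(null, password)` then succeeds with an empty keystore rather than throwing. Because `keystore-alias` is optional, `k` stays null in that case and the mapper is built with no verification key and an empty trust store, so a misconfigured `keystore-path` degrades verification instead of failing startup; the stream is also never closed. Check the stream for null before loading and close it in a `finally`, which needs a `java.io.InputStream` import alongside the new explicit imports. While there, the four "Unable supplied keystore." log messages are missing the word "load", and passing the exception as the second argument to `log.fatal(msg, e)` would keep the stack trace that the message-only form discards.
```java
log.info("Loading keystore.");
try {
    Key k = null;
    KeyStore ks = KeyStore.getInstance("JKS");
    // getResourceAsStream() returns null for an unresolvable path, and
    // KeyStore.load(null, ...) would then silently yield an empty keystore.
    InputStream ksStream = getServletContext().getResourceAsStream(keyStorePath);
    if (ksStream == null) {
        log.fatal("Unable to locate keystore (" + keyStorePath + ").");
        throw new UnavailableException("Unable to locate keystore (" + keyStorePath + ").");
    }
    try {
        ks.load(ksStream, keyStorePasswd.toCharArray());
    } finally {
        ksStream.close();
    }
    // … unchanged: alias lookup, XMLOriginSiteMapper construction, catch blocks …
```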
index a9acf44..e935826 100755 (executable)
 
 package edu.internet2.middleware.shibboleth.shire;
 
-import edu.internet2.middleware.shibboleth.common.*;
+import java.io.IOException;
 import java.security.Key;
 import java.security.KeyStore;
 import java.security.PublicKey;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Vector;
-import javax.xml.parsers.*;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.ParserConfigurationException;
+
 import org.apache.xml.security.c14n.Canonicalizer;
 import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.apache.xml.security.keys.KeyInfo;
-import org.apache.xml.security.signature.*;
-import org.apache.xml.security.transforms.Transform;
+import org.apache.xml.security.signature.Reference;
+import org.apache.xml.security.signature.SignedInfo;
+import org.apache.xml.security.signature.XMLSignature;
 import org.apache.xml.security.transforms.Transforms;
-import org.w3c.dom.*;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.SAXException;
+
+import edu.internet2.middleware.shibboleth.common.OriginSiteMapper;
+import edu.internet2.middleware.shibboleth.common.OriginSiteMapperException;
+import edu.internet2.middleware.shibboleth.common.XML;
 
 /**
  *  OriginSiteMapper implementation using an XML file to populate an in-memory
@@ -72,212 +84,206 @@ import org.w3c.dom.*;
  * @author     Scott Cantor
  * @created    June 8, 2002
  */
-public class XMLOriginSiteMapper implements OriginSiteMapper
-{
+public class XMLOriginSiteMapper implements OriginSiteMapper {
 
-    private HashMap originSites = null;
-    private HashMap hsKeys = null;
-    private KeyStore ks = null;
+       private HashMap originSites = null;
+       private HashMap hsKeys = null;
+       private KeyStore ks = null;
 
-    /**
-     *  Constructor for the XMLOriginSiteMapper object
-     *
-     * @param  registryURI               Tells where to find/download origin
-     *      site registry file
-     * @param  verifyKey                 Optional key to verify signature with
-     * @param  ks                        Key store containing the trusted roots
-     *      to be used by SHIRE
-     * @exception  Exception             Raised if the registry file cannot be
-     *      parsed and loaded
-     */
-    public XMLOriginSiteMapper(String registryURI, Key verifyKey, KeyStore ks)
-        throws Exception
-    {
-        this.ks = ks;
-       originSites = new HashMap();
-       hsKeys = new HashMap();
+       /**
+        *  Constructor for the XMLOriginSiteMapper object
+        *
+        * @param  registryURI               Tells where to find/download origin
+        *      site registry file
+        * @param  verifyKey                 Optional key to verify signature with
+        * @param  ks                        Key store containing the trusted roots
+        *      to be used by SHIRE
+        * @exception  Exception             Raised if the registry file cannot be
+        *      parsed and loaded
+        */
 
-        DocumentBuilder builder = null;
-        try
-        {
-            builder = org.opensaml.XML.parserPool.get();
-            Document doc = builder.parse(registryURI);
-            Element e = doc.getDocumentElement();
-            if (!XML.SHIB_NS.equals(e.getNamespaceURI()) || !"Sites".equals(e.getLocalName()))
-                throw new Exception("XMLOriginSiteMapper() requires shib:Sites as root element");
+       public XMLOriginSiteMapper(String registryURI, Key verifyKey, KeyStore ks)
+               throws OriginSiteMapperException {
+               this.ks = ks;
+               originSites = new HashMap();
+               hsKeys = new HashMap();
 
-            // Loop over the OriginSite elements.
-            NodeList nlist = e.getElementsByTagNameNS(XML.SHIB_NS,"OriginSite");
-            for (int i=0; nlist!=null && i<nlist.getLength(); i++)
-            {
-                String os_name = ((Element)nlist.item(i)).getAttributeNS(null, "Name").trim();
-                if (os_name.length() == 0)
-                    continue;
+               DocumentBuilder builder = null;
+               try {
+                       builder = org.opensaml.XML.parserPool.get();
+                       Document doc;
+                       doc = builder.parse(registryURI);
+                       Element e = doc.getDocumentElement();
+                       if (!XML.SHIB_NS.equals(e.getNamespaceURI()) || !"Sites".equals(e.getLocalName()))
+                               throw new OriginSiteMapperException("XMLOriginSiteMapper() requires shib:Sites as root element");
 
-                OriginSite os_obj = new OriginSite(os_name);
-                originSites.put(os_name, os_obj);
+                       // Loop over the OriginSite elements.
+                       NodeList nlist = e.getElementsByTagNameNS(XML.SHIB_NS, "OriginSite");
+                       for (int i = 0; nlist != null && i < nlist.getLength(); i++) {
+                               String os_name = ((Element) nlist.item(i)).getAttributeNS(null, "Name").trim();
+                               if (os_name.length() == 0)
+                                       continue;
 
-                Node os_child = nlist.item(i).getFirstChild();
-                while (os_child != null)
-                {
-                    if (os_child.getNodeType() != Node.ELEMENT_NODE)
-                    {
-                        os_child = os_child.getNextSibling();
-                        continue;
-                    }
+                               OriginSite os_obj = new OriginSite(os_name);
+                               originSites.put(os_name, os_obj);
 
-                    // Process the various kinds of OriginSite children that we care about...
-                    if (XML.SHIB_NS.equals(os_child.getNamespaceURI()) && "HandleService".equals(os_child.getLocalName()))
-                    {
-                        String hs_name = ((Element)os_child).getAttributeNS(null, "Name").trim();
-                        if (hs_name.length() > 0)
-                        {
-                            os_obj.handleServices.add(hs_name);
+                               Node os_child = nlist.item(i).getFirstChild();
+                               while (os_child != null) {
+                                       if (os_child.getNodeType() != Node.ELEMENT_NODE) {
+                                               os_child = os_child.getNextSibling();
+                                               continue;
+                                       }
 
-                            // Check for KeyInfo.
-                            Node ki = os_child.getFirstChild();
-                            while (ki != null && ki.getNodeType() != Node.ELEMENT_NODE)
-                                ki = ki.getNextSibling();
-                            if (ki != null && org.opensaml.XML.XMLSIG_NS.equals(ki.getNamespaceURI()) &&
-                                "KeyInfo".equals(ki.getLocalName()))
-                            {
-                                try
-                                {
-                                    KeyInfo kinfo = new KeyInfo((Element)ki, null);
-                                    PublicKey pubkey = kinfo.getPublicKey();
-                                    if (pubkey != null)
-                                        hsKeys.put(hs_name, pubkey);
-                                }
-                                catch (XMLSecurityException exc)
-                                {
-                                }
-                            }
-                        }
-                    }
-                    else if (XML.SHIB_NS.equals(os_child.getNamespaceURI()) && "Domain".equals(os_child.getLocalName()))
-                    {
-                        String dom = os_child.getFirstChild().getNodeValue().trim();
-                        if (dom.length() > 0)
-                            os_obj.domains.add(dom);
-                    }
-                    os_child = os_child.getNextSibling();
-                }
-            }
+                                       // Process the various kinds of OriginSite children that we care about...
+                                       if (XML.SHIB_NS.equals(os_child.getNamespaceURI())
+                                               && "HandleService".equals(os_child.getLocalName())) {
+                                               String hs_name = ((Element) os_child).getAttributeNS(null, "Name").trim();
+                                               if (hs_name.length() > 0) {
+                                                       os_obj.handleServices.add(hs_name);
 
-           if (verifyKey == null)
-                return;
+                                                       // Check for KeyInfo.
+                                                       Node ki = os_child.getFirstChild();
+                                                       while (ki != null && ki.getNodeType() != Node.ELEMENT_NODE)
+                                                               ki = ki.getNextSibling();
+                                                       if (ki != null
+                                                               && org.opensaml.XML.XMLSIG_NS.equals(ki.getNamespaceURI())
+                                                               && "KeyInfo".equals(ki.getLocalName())) {
+                                                               try {
+                                                                       KeyInfo kinfo = new KeyInfo((Element) ki, null);
+                                                                       PublicKey pubkey = kinfo.getPublicKey();
+                                                                       if (pubkey != null)
+                                                                               hsKeys.put(hs_name, pubkey);
+                                                               } catch (XMLSecurityException exc) {
+                                                               }
+                                                       }
+                                               }
+                                       } else if (
+                                               XML.SHIB_NS.equals(os_child.getNamespaceURI())
+                                                       && "Domain".equals(os_child.getLocalName())) {
+                                               String dom = os_child.getFirstChild().getNodeValue().trim();
+                                               if (dom.length() > 0)
+                                                       os_obj.domains.add(dom);
+                                       }
+                                       os_child = os_child.getNextSibling();
+                               }
+                       }
 
-            Node n=e.getLastChild();
-            while (n!=null && n.getNodeType()!=Node.ELEMENT_NODE)
-                n=n.getPreviousSibling();
+                       if (verifyKey == null)
+                               return;
 
-            if (n!=null && org.opensaml.XML.XMLSIG_NS.equals(n.getNamespaceURI()) && "Signature".equals(n.getLocalName()))
-            {
-                XMLSignature sig = new XMLSignature((Element)n, null);
-                if (sig.checkSignatureValue(verifyKey))
-               {
-                    // Now we verify that what is signed is what we expect.
-                    SignedInfo sinfo = sig.getSignedInfo();
-                    if (sinfo.getLength()==1 && (
-                        sinfo.getCanonicalizationMethodURI().equals(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS) ||
-                        sinfo.getCanonicalizationMethodURI().equals(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS)))
-//                        sinfo.getCanonicalizationMethodURI().equals(Canonicalizer.ALGO_ID_C14N_EXCL_WITH_COMMENTS) ||
-//                        sinfo.getCanonicalizationMethodURI().equals(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS))
-                    {
-                        Reference ref = sinfo.item(0);
-                        if (ref.getURI() == null || ref.getURI().equals(""))
-                        {
-                            Transforms trans = ref.getTransforms();
-                            if (trans.getLength() == 1 && trans.item(0).getURI().equals(Transforms.TRANSFORM_ENVELOPED_SIGNATURE))
-                                return;
-                        }
-                    }
-                }
-            }
-            throw new Exception("XMLOriginSiteMapper() unable to verify signature on registry file");
-        }
-        catch (ParserConfigurationException pce)
-        {
-            throw new Exception("XMLOriginSiteMapper() parser configuration error");
-        }
-        finally
-        {
-            if (builder != null)
-                org.opensaml.XML.parserPool.put(builder);
-        }
-    }
+                       Node n = e.getLastChild();
+                       while (n != null && n.getNodeType() != Node.ELEMENT_NODE)
+                               n = n.getPreviousSibling();
 
-    /**
-     *  Provides an iterator over the trusted Handle Services for the specified
-     *  origin site
-     *
-     * @param  originSite  The DNS name of the origin site to query
-     * @return             An iterator over the Handle Service DNS names
-     */
-    public Iterator getHandleServiceNames(String originSite)
-    {
-        OriginSite o = (OriginSite)originSites.get(originSite);
-        if (o != null)
-            return o.handleServices.iterator();
-        return null;
-    }
+                       if (n != null
+                               && org.opensaml.XML.XMLSIG_NS.equals(n.getNamespaceURI())
+                               && "Signature".equals(n.getLocalName())) {
+                               try {
+                                       XMLSignature sig = new XMLSignature((Element) n, null);
+                                       if (sig.checkSignatureValue(verifyKey)) {
+                                               // Now we verify that what is signed is what we expect.
+                                               SignedInfo sinfo = sig.getSignedInfo();
+                                               if (sinfo.getLength() == 1
+                                                       && (sinfo
+                                                               .getCanonicalizationMethodURI()
+                                                               .equals(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS)
+                                                               || sinfo.getCanonicalizationMethodURI().equals(
+                                                                       Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS)))
+                                                       //                                sinfo.getCanonicalizationMethodURI().equals(Canonicalizer.ALGO_ID_C14N_EXCL_WITH_COMMENTS) ||
+                                                       //                         sinfo.getCanonicalizationMethodURI().equals(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS))
+                                                       {
+                                                       Reference ref = sinfo.item(0);
+                                                       if (ref.getURI() == null || ref.getURI().equals("")) {
+                                                               Transforms trans = ref.getTransforms();
+                                                               if (trans.getLength() == 1
+                                                                       && trans.item(0).getURI().equals(Transforms.TRANSFORM_ENVELOPED_SIGNATURE))
+                                                                       return;
+                                                       }
+                                               }
+                                       }
+                               } catch (Exception sigE) {
+                                       throw new OriginSiteMapperException(
+                                               "Unable to verify signature on registry file: Site file not signed correctly with specified key:"
+                                                       + sigE);
+                               }
+                       }
+                       throw new OriginSiteMapperException("Unable to verify signature on registry file: no signature found.");
+               } catch (SAXException e) {
+                       throw new OriginSiteMapperException("Problem parsing site configuration" + e.getMessage());
+               } catch (IOException e) {
+                       throw new OriginSiteMapperException("Problem accessing site configuration" + e.getMessage());
+               } catch (ParserConfigurationException pce) {
+                       throw new OriginSiteMapperException("Parser configuration error" + pce.getMessage());
+               } finally {
+                       if (builder != null)
+                               org.opensaml.XML.parserPool.put(builder);
+               }
+       }
 
-    /**
-     *  Returns a preconfigured key to use in verifying a signature created by
-     *  the specified HS<P>
-     *
-     *  Any key returned is implicitly trusted and a certificate signed by
-     *  another trusted entity is not sought or required
-     *
-     * @param  handleService  Description of Parameter
-     * @return                A trusted key (probably public but could be
-     *      secret) or null
-     */
-    public Key getHandleServiceKey(String handleService)
-    {
-        return (Key)hsKeys.get(handleService);
-    }
+       /**
+        *  Provides an iterator over the trusted Handle Services for the specified
+        *  origin site
+        *
+        * @param  originSite  The DNS name of the origin site to query
+        * @return             An iterator over the Handle Service DNS names
+        */
+       public Iterator getHandleServiceNames(String originSite) {
+               OriginSite o = (OriginSite) originSites.get(originSite);
+               if (o != null)
+                       return o.handleServices.iterator();
+               return null;
+       }
 
-    /**
-     *  Provides an iterator over the security domain expressions for which the
-     *  specified origin site is considered to be authoritative
-     *
-     * @param  originSite  The DNS name of the origin site to query
-     * @return             An iterator over a set of regular expression strings
-     */
-    public Iterator getSecurityDomains(String originSite)
-    {
-        OriginSite o = (OriginSite)originSites.get(originSite);
-        if (o != null)
-            return o.domains.iterator();
-        return null;
-    }
+       /**
+        *  Returns a preconfigured key to use in verifying a signature created by
+        *  the specified HS<P>
+        *
+        *  Any key returned is implicitly trusted and a certificate signed by
+        *  another trusted entity is not sought or required
+        *
+        * @param  handleService  Description of Parameter
+        * @return                A trusted key (probably public but could be
+        *      secret) or null
+        */
+       public Key getHandleServiceKey(String handleService) {
+               return (Key) hsKeys.get(handleService);
+       }
 
-    /**
-     *  Gets a key store containing certificate entries that are trusted to sign
-     *  Handle Service certificates that are encountered during processing<P>
-     *
-     *
-     *
-     * @return    A key store containing trusted certificate issuers
-     */
-    public KeyStore getTrustedRoots()
-    {
-        return ks;
-    }
+       /**
+        *  Provides an iterator over the security domain expressions for which the
+        *  specified origin site is considered to be authoritative
+        *
+        * @param  originSite  The DNS name of the origin site to query
+        * @return             An iterator over a set of regular expression strings
+        */
+       public Iterator getSecurityDomains(String originSite) {
+               OriginSite o = (OriginSite) originSites.get(originSite);
+               if (o != null)
+                       return o.domains.iterator();
+               return null;
+       }
 
-    private class OriginSite
-    {
+       /**
+        *  Gets a key store containing certificate entries that are trusted to sign
+        *  Handle Service certificates that are encountered during processing<P>
+        *
+        *
+        *
+        * @return    A key store containing trusted certificate issuers
+        */
+       public KeyStore getTrustedRoots() {
+               return ks;
+       }
 
-        private Vector domains = null;
-        private Vector handleServices = null;
+       private class OriginSite {
 
-        private OriginSite(String name)
-        {
-            domains = new Vector();
-            domains.add(name);
-            handleServices = new Vector();
-        }
-    }
-}
+               private Vector domains = null;
+               private Vector handleServices = null;
 
+               private OriginSite(String name) {
+                       domains = new Vector();
+                       domains.add(name);
+                       handleServices = new Vector();
+               }
+       }
+}