+++ /dev/null
-/*
- * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
- * All rights reserved
- *
- *
- * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
- * following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
- * disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided with the distribution, if any, must include the
- * following acknowledgment: "This product includes software developed by the University Corporation for Advanced
- * Internet Development <http://www.ucaid.edu> Internet2 Project. Alternately, this acknowledegement may appear in the
- * software itself, if and wherever such third-party acknowledgments normally appear.
- *
- * Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor the University Corporation for
- * Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote products derived from this software
- * without specific prior written permission. For written permission, please contact shibboleth@shibboleth.org
- *
- * Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the University Corporation
- * for Advanced Internet Development, nor may Shibboleth appear in their name, without prior written permission of the
- * University Corporation for Advanced Internet Development.
- *
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE,
- * ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-package edu.internet2.middleware.shibboleth.aa;
-
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-
-/**
- * Defines a method for obtaining configuration data that is specific to a {@link RelyingParty}and is needed by the
- * Shibboleth Attribute Authority.
- *
- * @author Walter Hoehn
- */
-public interface AARelyingParty extends RelyingParty {
-
- /**
- * A boolean indication of whether internal errors should be transmitted to this {@link RelyingParty}
- */
- public boolean passThruErrors();
-
-}
\ No newline at end of file
+++ /dev/null
-/*
- * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
- * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
- * provided that the following conditions are met: Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the
- * above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other
- * materials provided with the distribution, if any, must include the following acknowledgment: "This product includes
- * software developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2
- * Project. Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2,
- * nor the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
- * products derived from this software without specific prior written permission. For written permission, please
- * contact shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name,
- * without prior written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS
- * PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
- * NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS
- * WITH LICENSEE. IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED
- * INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
- * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-package edu.internet2.middleware.shibboleth.aa;
-
-import org.apache.log4j.Logger;
-import org.w3c.dom.Element;
-import org.w3c.dom.NodeList;
-
-import edu.internet2.middleware.shibboleth.common.Credential;
-import edu.internet2.middleware.shibboleth.common.Credentials;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.ServiceProviderMapper;
-import edu.internet2.middleware.shibboleth.common.ServiceProviderMapperException;
-import edu.internet2.middleware.shibboleth.idp.IdPConfig;
-import edu.internet2.middleware.shibboleth.metadata.Metadata;
-
-/**
- * Class for determining the effective relying party for the Shibboleth attribute authority from the unique id of the
- * service provider.
- *
- * @author Walter Hoehn
- */
-public class AAServiceProviderMapper extends ServiceProviderMapper {
-
- private static Logger log = Logger.getLogger(AAServiceProviderMapper.class.getName());
- private IdPConfig configuration;
- private Credentials credentials;
-
- /**
- * Constructs a new service provider mapper for the attribute authority.
- *
- * @param rawConfig
- * DOM representation of the attribute authority configuration
- * @param configuration
- * global attribute authority configuration
- * @throws ServiceProviderMapperException
- * if the configuration is invalid
- */
- public AAServiceProviderMapper(Element rawConfig, IdPConfig configuration, Credentials credentials, Metadata metaData)
- throws ServiceProviderMapperException {
- super(metaData);
- this.configuration = configuration;
- this.credentials = credentials;
-
- NodeList itemElements = rawConfig.getElementsByTagNameNS(IdPConfig.originConfigNamespace,
- "RelyingParty");
-
- for (int i = 0; i < itemElements.getLength(); i++) {
- addRelyingParty((Element) itemElements.item(i));
- }
-
- verifyDefaultParty(configuration);
- }
-
- private void addRelyingParty(Element e) throws ServiceProviderMapperException {
-
- log.debug("Found a Relying Party.");
- try {
- if (e.getLocalName().equals("RelyingParty")) {
- RelyingParty party = new AARelyingPartyImpl(e, configuration, credentials);
- log.debug("Relying Party (" + party.getName() + ") loaded.");
- relyingParties.put(party.getName(), party);
- }
- } catch (ServiceProviderMapperException exc) {
- log.error("Encountered an error while attempting to load Relying Party configuration. Skipping...");
- }
- }
-
- /**
- * Returns the appropriate relying party for the supplied service provider id.
- */
- public AARelyingParty getRelyingParty(String providerIdFromTarget) {
- return (AARelyingParty) getRelyingPartyImpl(providerIdFromTarget);
- }
-
- protected IdPConfig getOriginConfig() {
- return configuration;
- }
-
- /**
- * AA-specific relying party implementation.
- *
- * @author Walter Hoehn
- */
- class AARelyingPartyImpl extends BaseRelyingPartyImpl implements AARelyingParty {
-
- private IdPConfig aaConfig;
- private boolean overridenPassThruErrors = false;
- private boolean passThruIsOverriden = false;
-
- public AARelyingPartyImpl(Element partyConfig, IdPConfig globalConfig, Credentials credentials)
- throws ServiceProviderMapperException {
- super(partyConfig);
-
- aaConfig = globalConfig;
-
- String attribute = ((Element) partyConfig).getAttribute("passThruErrors");
- if (attribute != null && !attribute.equals("")) {
- log.debug("Overriding passThruErrors for Relying Pary (" + name + ") with (" + attribute + ").");
- overridenPassThruErrors = Boolean.valueOf(attribute).booleanValue();
- passThruIsOverriden = true;
- }
-
- //Load a credential for signing if we need it
- boolean signAttrResponses = new Boolean(((Element) partyConfig).getAttribute("signAttrResponses"))
- .booleanValue();
- boolean signAttrAssertions = new Boolean(((Element) partyConfig).getAttribute("signAttrAssertions"))
- .booleanValue();
-
- Credential credential = null;
- if (signAttrAssertions || signAttrResponses) {
-
- String credentialName = ((Element) partyConfig).getAttribute("AASigningCredential");
- if (credentialName == null || credentialName.equals("")) {
- credentialName = ((Element) partyConfig).getAttribute("signingCredential");
- } else {
- log.debug("Using (AASigningCredential) for AA signing.");
- }
-
- credential = credentials.getCredential(credentialName);
- if ((credential == null) && (signAttrResponses || signAttrAssertions)) {
- if (credentialName == null || credentialName.equals("")) {
- log
- .error("Relying Party credential not set. Add a (AASigningCredential) or (signingCredential) attribute to <RelyingParty>.");
- throw new ServiceProviderMapperException("Required configuration not specified.");
- } else {
- log
- .error("Relying Party credential invalid. Fix the (signingCredential) attribute on <RelyingParty>.");
- throw new ServiceProviderMapperException("Required configuration is invalid.");
- }
- }
-
- }
-
- identityProvider = new RelyingPartyIdentityProvider(overridenOriginProviderId != null
- ? overridenOriginProviderId
- : configuration.getProviderId(), signAttrResponses ? credential : null, signAttrAssertions
- ? credential
- : null);
- }
-
- public boolean passThruErrors() {
- if (passThruIsOverriden) {
- return overridenPassThruErrors;
- } else {
- return aaConfig.passThruErrors();
- }
- }
-
- }
-}
import org.opensaml.SAMLAssertion;
-import edu.internet2.middleware.shibboleth.hs.HSRelyingParty;
+import edu.internet2.middleware.shibboleth.common.RelyingParty;
/**
* Translates back and forth between SAML assertions and mapping strings (artifacts) needed for the SAML artifact
* the relying party on behalf of which the artifact is being created
* @return the artifact
*/
- public String generateArtifact(SAMLAssertion assertion, HSRelyingParty relyingParty);
+ public String generateArtifact(SAMLAssertion assertion, RelyingParty relyingParty);
/**
* @param artifact
import sun.misc.BASE64Encoder;
import edu.internet2.middleware.shibboleth.artifact.ArtifactMapper;
import edu.internet2.middleware.shibboleth.artifact.ArtifactMapping;
+import edu.internet2.middleware.shibboleth.common.RelyingParty;
import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.hs.HSRelyingParty;
/**
* Functionality common to most <code>ArtifactMapper</code> implementations, including creation and basic
}
}
- public String generateArtifact(SAMLAssertion assertion, HSRelyingParty relyingParty) {
+ public String generateArtifact(SAMLAssertion assertion, RelyingParty relyingParty) {
byte[] allArtifactComponents = new byte[42];
/*
* The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
- * All rights reserved
- *
- *
- * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
- * following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
- * disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided with the distribution, if any, must include the
- * following acknowledgment: "This product includes software developed by the University Corporation for Advanced
- * Internet Development <http://www.ucaid.edu> Internet2 Project. Alternately, this acknowledegement may appear in the
- * software itself, if and wherever such third-party acknowledgments normally appear.
- *
- * Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor the University Corporation for
- * Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote products derived from this software
- * without specific prior written permission. For written permission, please contact shibboleth@shibboleth.org
- *
- * Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the University Corporation
- * for Advanced Internet Development, nor may Shibboleth appear in their name, without prior written permission of the
- * University Corporation for Advanced Internet Development.
- *
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE,
- * ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
+ * provided that the following conditions are met: Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials
+ * provided with the distribution, if any, must include the following acknowledgment: "This product includes software
+ * developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2 Project.
+ * Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
+ * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor
+ * the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
+ * products derived from this software without specific prior written permission. For written permission, please contact
+ * shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the
+ * University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name, without prior
+ * written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS PROVIDED BY THE
+ * COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE
+ * DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO
+ * EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC.
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package edu.internet2.middleware.shibboleth.common;
/**
- * Defines a producer of SAML authentication and attribute assertions. A single instantiation of a Shibboleth origin
- * may represent more than one logical identity provider.
+ * Defines a producer of SAML authentication and attribute assertions. A single instantiation of the Shibboleth IdP
+ * software may represent more than one logical identity provider.
*
* @see ServiceProvider
* @author Walter Hoehn
public String getProviderId();
/**
- * Returns the credential that this provider uses to sign SAML responses to requests, or <code>null</code> if
- * responses should not be signed.
+ * Returns the credential that this provider uses to sign SAML authentication responses to requests, or
+ * <code>null</code> if responses should not be signed.
*
* @return the credential or <code>null</code>
*/
- public Credential getResponseSigningCredential();
+ public Credential getAuthNResponseSigningCredential();
/**
- * Returns the credential that this provider uses to sign SAML assertions, or <code>null</code> if assertions
- * should not be signed.
+ * Returns the credential that this provider uses to sign SAML authentication assertions, or <code>null</code> if
+ * assertions should not be signed.
*
* @return the credential or <code>null</code>
*/
- public Credential getAssertionSigningCredential();
+ public Credential getAuthNAssertionSigningCredential();
+
+ /**
+ * Returns the credential that this provider uses to sign SAML attribute responses to requests, or <code>null</code>
+ * if responses should not be signed.
+ *
+ * @return the credential or <code>null</code>
+ */
+ public Credential getAttributeResponseSigningCredential();
+
+ /**
+ * Returns the credential that this provider uses to sign SAML attribute assertions, or <code>null</code> if
+ * assertions should not be signed.
+ *
+ * @return the credential or <code>null</code>
+ */
+ public Credential getAttributeAssertionSigningCredential();
+
}
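Review bot: The four signing-credential getters each document `null` as "should not be signed", but the interface never says whether the credentials are independent, so an implementation could fall back from the attribute credential to the authentication one (or vice versa) and change which key signs which message without any caller noticing. I would add to the interface Javadoc: `* The four signing credentials are independent: a non-null authentication credential does not imply attribute responses or assertions are signed, and implementations must not substitute one for another.` Because the attribute getters are new and the authentication getters were renamed, every `IdentityProvider` implementation must be updated; the compiler enforces that, but the two-credential `RelyingPartyIdentityProvider` constructor the deleted AA mapper relied on is not visible here, so I assume its replacement lands in another hunk.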
/*
* The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
- * All rights reserved
- *
- *
- * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
- * following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
- * disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided with the distribution, if any, must include the
- * following acknowledgment: "This product includes software developed by the University Corporation for Advanced
- * Internet Development <http://www.ucaid.edu> Internet2 Project. Alternately, this acknowledegement may appear in the
- * software itself, if and wherever such third-party acknowledgments normally appear.
- *
- * Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor the University Corporation for
- * Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote products derived from this software
- * without specific prior written permission. For written permission, please contact shibboleth@shibboleth.org
- *
- * Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the University Corporation
- * for Advanced Internet Development, nor may Shibboleth appear in their name, without prior written permission of the
- * University Corporation for Advanced Internet Development.
- *
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE,
- * ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
+ * provided that the following conditions are met: Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials
+ * provided with the distribution, if any, must include the following acknowledgment: "This product includes software
+ * developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2 Project.
+ * Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
+ * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor
+ * the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
+ * products derived from this software without specific prior written permission. For written permission, please contact
+ * shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the
+ * University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name, without prior
+ * written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS PROVIDED BY THE
+ * COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE
+ * DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO
+ * EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC.
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package edu.internet2.middleware.shibboleth.common;
+import java.net.URI;
+import java.net.URL;
+
/**
* Defines a relationship between service providers and an identity provider. In Shibboleth parlance, a relying party
- * represents a target or federation.
+ * represents a SP or group of SPs (perhaps a federation).
*
* @author Walter Hoehn
*/
public interface RelyingParty extends ServiceProvider {
/**
- * Returns the name of the relying party. If the relying party is a Shibboleth target (not a federation), this
+ * Returns the name of the relying party. If the relying party is a Shibboleth SP (not a group), this
* function returns the same thing as {@link #getProviderId}.
*
* @return name of the relying party
* @return the identity provider
*/
public IdentityProvider getIdentityProvider();
+
+ /**
+ * Returns the id of the name format that should be used in authentication assertions issued to this
+ * {@link RelyingParty}.
+ *
+ * @return the id for the format
+ */
+ public String getHSNameFormatId();
+
+ /**
+ * Returns a boolean indication of whether this {@link RelyingParty}is running <= Shibboleth v1.1. Used to
+ * ensure backward compatibility.
+ */
+ public boolean isLegacyProvider();
+
+ /**
+ * Returns the location of the Shibboleth Attribute Authority that should answer requests for this
+ * {@link RelyingParty}.
+ *
+ * @return the URL
+ */
+ public URL getAAUrl();
+
+ /**
+ * The authentication method that should be included in assertions to the {@link RelyingParty}, if one is not found
+ * in HTTP request headers.
+ *
+ * @return the identifier for the method
+ */
+ public URI getDefaultAuthMethod();
+
+ /**
+ * A boolean indication of whether internal errors should be transmitted to this {@link RelyingParty}
+ */
+ public boolean passThruErrors();
}
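Review bot: `passThruErrors()` is documented only as whether internal errors are "transmitted to this RelyingParty", without saying that this returns details of server-side failures to a remote party, so the information-disclosure trade-off is invisible to whoever sets it. I would extend that Javadoc with `* Enabling this exposes internal failure details to the remote party; intended as a debugging aid for trusted SPs, not a production default.` The `getDefaultAuthMethod()` Javadoc says the method is otherwise taken from HTTP request headers; a sentence noting that this header is expected to be set by the container's authentication layer rather than forwarded from the client would make the trust assumption explicit (the consumer is not visible here, so treat this as a hedge). The `isLegacyProvider()` comment's bare `<=` should be `&lt;=` so Javadoc renders it instead of treating it as a tag, and `{@link RelyingParty}is` is missing a space in three places.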
* The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
* All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
* provided that the following conditions are met: Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the
- * above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other
- * materials provided with the distribution, if any, must include the following acknowledgment: "This product includes
- * software developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2
- * Project. Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2,
- * nor the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
- * products derived from this software without specific prior written permission. For written permission, please
- * contact shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name,
- * without prior written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS
- * PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
- * NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS
- * WITH LICENSEE. IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED
- * INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
- * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
+ * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials
+ * provided with the distribution, if any, must include the following acknowledgment: "This product includes software
+ * developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2 Project.
+ * Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
+ * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor
+ * the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
+ * products derived from this software without specific prior written permission. For written permission, please contact
+ * shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the
+ * University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name, without prior
+ * written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS PROVIDED BY THE
+ * COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE
+ * DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO
+ * EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC.
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package edu.internet2.middleware.shibboleth.common;
+import java.net.MalformedURLException;
import java.net.URI;
+import java.net.URISyntaxException;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;
import org.apache.log4j.Logger;
import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
-import edu.internet2.middleware.shibboleth.aa.AARelyingParty;
-import edu.internet2.middleware.shibboleth.hs.HSRelyingParty;
import edu.internet2.middleware.shibboleth.idp.IdPConfig;
import edu.internet2.middleware.shibboleth.metadata.Metadata;
import edu.internet2.middleware.shibboleth.metadata.Provider;
/**
- * Base class for determining the effective relying party from the unique id of the service provider. Checks first for
- * an exact match on the service provider, then for membership in a federation. Uses the default relying party if
- * neither is found.
+ * Class for determining the effective relying party from the unique id of the service provider. Checks first for an
+ * exact match on the service provider, then for membership in a federation. Uses the default relying party if neither
+ * is found.
*
* @author Walter Hoehn
*/
-public abstract class ServiceProviderMapper {
+public class ServiceProviderMapper {
- private static Logger log = Logger.getLogger(ServiceProviderMapper.class.getName());
- protected Map relyingParties = new HashMap();
- private Metadata metaData;
+ private static Logger log = Logger.getLogger(ServiceProviderMapper.class.getName());
+ protected Map relyingParties = new HashMap();
+ private Metadata metaData;
+ private IdPConfig configuration;
+ private Credentials credentials;
+ private NameMapper nameMapper;
+
+ public ServiceProviderMapper(Element rawConfig, IdPConfig configuration, Credentials credentials,
+ NameMapper nameMapper, Metadata metaData) throws ServiceProviderMapperException {
- /**
- * @param metaData
- */
- public ServiceProviderMapper(Metadata metaData) {
this.metaData = metaData;
+ this.configuration = configuration;
+ this.credentials = credentials;
+ this.nameMapper = nameMapper;
+
+ NodeList itemElements = rawConfig.getElementsByTagNameNS(IdPConfig.originConfigNamespace, "RelyingParty");
+
+ for (int i = 0; i < itemElements.getLength(); i++) {
+ addRelyingParty((Element) itemElements.item(i));
+ }
+
+ verifyDefaultParty(configuration);
+
}
- protected abstract IdPConfig getOriginConfig();
+ private IdPConfig getOriginConfig() {
+
+ return configuration;
+ }
protected void verifyDefaultParty(IdPConfig configuration) throws ServiceProviderMapperException {
- //Verify we have a proper default party
+
+ // Verify we have a proper default party
String defaultParty = configuration.getDefaultRelyingPartyName();
if (defaultParty == null || defaultParty.equals("")) {
if (relyingParties.size() != 1) {
protected RelyingParty getRelyingPartyImpl(String providerIdFromTarget) {
- //Null request, send the default
+ // Null request, send the default
if (providerIdFromTarget == null) {
RelyingParty relyingParty = getDefaultRelyingParty();
log.info("Using default Relying Party: (" + relyingParty.getName() + ").");
return new UnknownProviderWrapper(relyingParty, providerIdFromTarget);
}
- //Look for a configuration for the specific relying party
+ // Look for a configuration for the specific relying party
if (relyingParties.containsKey(providerIdFromTarget)) {
log.info("Found Relying Party for (" + providerIdFromTarget + ").");
return (RelyingParty) relyingParties.get(providerIdFromTarget);
}
- //Next, check to see if the relying party is in any groups
+ // Next, check to see if the relying party is in any groups
RelyingParty groupParty = findRelyingPartyByGroup(providerIdFromTarget);
if (groupParty != null) {
log.info("Provider is a member of Relying Party (" + groupParty.getName() + ").");
return new RelyingPartyGroupWrapper(groupParty, providerIdFromTarget);
}
- //OK, we can't find it... just send the default
+ // OK, we can't find it... just send the default
RelyingParty relyingParty = getDefaultRelyingParty();
log.info("Could not locate Relying Party configuration for (" + providerIdFromTarget
+ "). Using default Relying Party: (" + relyingParty.getName() + ").");
if (provider != null) {
String[] groups = provider.getGroups();
for (int i = 0; groups.length > i; i++) {
- //We need to iterate backward because the groups go from least to most specific
+ // We need to iterate backward because the groups go from least to most specific
String group = groups[groups.length - 1 - i];
if (relyingParties.containsKey(group)) {
log.info("Found matching Relying Party for group (" + group + ").");
public RelyingParty getDefaultRelyingParty() {
- //If there is no explicit default, pick the single configured Relying
+ // If there is no explicit default, pick the single configured Relying
// Party
String defaultParty = getOriginConfig().getDefaultRelyingPartyName();
- if (defaultParty == null || defaultParty.equals("")) {
- return (RelyingParty) relyingParties.values().iterator().next();
- }
+ if (defaultParty == null || defaultParty.equals("")) { return (RelyingParty) relyingParties.values().iterator()
+ .next(); }
- //If we do have a default specified, use it...
+ // If we do have a default specified, use it...
return (RelyingParty) relyingParties.get(defaultParty);
}
/**
+ * Returns the relying party for a legacy provider(the default)
+ */
+ public RelyingParty getLegacyRelyingParty() {
+
+ RelyingParty relyingParty = getDefaultRelyingParty();
+ log.info("Request is from legacy shib target. Selecting default Relying Party: (" + relyingParty.getName()
+ + ").");
+ return new LegacyWrapper((RelyingParty) relyingParty);
+
+ }
+
+ /**
+ * Returns the appropriate relying party for the supplied service provider id.
+ */
+ public RelyingParty getRelyingParty(String providerIdFromTarget) {
+
+ if (providerIdFromTarget == null || providerIdFromTarget.equals("")) {
+ RelyingParty relyingParty = getDefaultRelyingParty();
+ log.info("Selecting default Relying Party: (" + relyingParty.getName() + ").");
+ return new NoMetadataWrapper((RelyingParty) relyingParty);
+ }
+
+ return (RelyingParty) getRelyingPartyImpl(providerIdFromTarget);
+ }
+
+ private void addRelyingParty(Element e) throws ServiceProviderMapperException {
+
+ log.debug("Found a Relying Party.");
+ try {
+ if (e.getLocalName().equals("RelyingParty")) {
+ RelyingParty party = new RelyingPartyImpl(e, configuration, credentials, nameMapper);
+ log.debug("Relying Party (" + party.getName() + ") loaded.");
+ relyingParties.put(party.getName(), party);
+ }
+ } catch (ServiceProviderMapperException exc) {
+ log.error("Encountered an error while attempting to load Relying Party configuration. Skipping...");
+ }
+
+ }
+
+ /**
* Base relying party implementation.
*
* @author Walter Hoehn
*/
- protected abstract class BaseRelyingPartyImpl implements RelyingParty {
+ protected class RelyingPartyImpl implements RelyingParty {
+
+ private RelyingPartyIdentityProvider identityProvider;
+ private String name;
+ private String overridenOriginProviderId;
+ private URL overridenAAUrl;
+ private URI overridenDefaultAuthMethod;
+ private String hsNameFormatId;
+ private IdPConfig configuration;
+ private boolean overridenPassThruErrors = false;
+ private boolean passThruIsOverriden = false;
- protected RelyingPartyIdentityProvider identityProvider;
- protected String name;
- protected String overridenOriginProviderId;
+ public RelyingPartyImpl(Element partyConfig, IdPConfig globalConfig, Credentials credentials,
+ NameMapper nameMapper) throws ServiceProviderMapperException {
- public BaseRelyingPartyImpl(Element partyConfig) throws ServiceProviderMapperException {
+ configuration = globalConfig;
- //Get party name
+ // Get party name
name = ((Element) partyConfig).getAttribute("name");
if (name == null || name.equals("")) {
log.error("Relying Party name not set. Add a (name) attribute to <RelyingParty>.");
}
log.debug("Loading Relying Party: (" + name + ").");
- //Process overrides for global data
+ // Process overrides for global configuration data
String attribute = ((Element) partyConfig).getAttribute("providerId");
if (attribute != null && !attribute.equals("")) {
log.debug("Overriding providerId for Relying Pary (" + name + ") with (" + attribute + ").");
overridenOriginProviderId = attribute;
}
+ attribute = ((Element) partyConfig).getAttribute("AAUrl");
+ if (attribute != null && !attribute.equals("")) {
+ log.debug("Overriding AAUrl for Relying Pary (" + name + ") with (" + attribute + ").");
+ try {
+ overridenAAUrl = new URL(attribute);
+ } catch (MalformedURLException e) {
+ log.error("(AAUrl) attribute to is not a valid URL.");
+ throw new ServiceProviderMapperException("Configuration is invalid.");
+ }
+ }
+
+ attribute = ((Element) partyConfig).getAttribute("defaultAuthMethod");
+ if (attribute != null && !attribute.equals("")) {
+ log.debug("Overriding defaultAuthMethod for Relying Pary (" + name + ") with (" + attribute + ").");
+ try {
+ overridenDefaultAuthMethod = new URI(attribute);
+ } catch (URISyntaxException e1) {
+ log.error("(defaultAuthMethod) attribute to is not a valid URI.");
+ throw new ServiceProviderMapperException("Configuration is invalid.");
+ }
+ }
+
+ attribute = ((Element) partyConfig).getAttribute("passThruErrors");
+ if (attribute != null && !attribute.equals("")) {
+ log.debug("Overriding passThruErrors for Relying Pary (" + name + ") with (" + attribute + ").");
+ overridenPassThruErrors = Boolean.valueOf(attribute).booleanValue();
+ passThruIsOverriden = true;
+ }
+
+ // Load and verify the name format that the HS should use in
+ // assertions for this RelyingParty
+ NodeList hsNameFormats = ((Element) partyConfig).getElementsByTagNameNS(IdPConfig.originConfigNamespace,
+ "HSNameFormat");
+ // If no specification. Make sure we have a default mapping
+ if (hsNameFormats.getLength() < 1) {
+ if (nameMapper.getNameIdentifierMappingById(null) == null) {
+ log.error("Relying Party HS Name Format not set. Add a <HSNameFormat> element to <RelyingParty>.");
+ throw new ServiceProviderMapperException("Required configuration not specified.");
+ }
+
+ } else {
+ // We do have a specification, so make sure it points to a
+ // valid Name Mapping
+ if (hsNameFormats.getLength() > 1) {
+ log.warn("Found multiple HSNameFormat specifications for Relying Party (" + name
+ + "). Ignoring all but the first.");
+ }
+
+ hsNameFormatId = ((Element) hsNameFormats.item(0)).getAttribute("nameMapping");
+ if (hsNameFormatId == null || hsNameFormatId.equals("")) {
+ log.error("HS Name Format mapping not set. Add a (nameMapping) attribute to <HSNameFormat>.");
+ throw new ServiceProviderMapperException("Required configuration not specified.");
+ }
+
+ if (nameMapper.getNameIdentifierMappingById(hsNameFormatId) == null) {
+ log.error("Relying Party HS Name Format refers to a name mapping that is not loaded.");
+ throw new ServiceProviderMapperException("Required configuration not specified.");
+ }
+ }
+
+ // Load credentials for signing
+ Credential authNCredential = null;
+ Credential attrCredential = null;
+
+ boolean signAuthResponses = new Boolean(((Element) partyConfig).getAttribute("signAuthResponses"))
+ .booleanValue();
+ boolean signAuthAssertions = new Boolean(((Element) partyConfig).getAttribute("signAuthAssertions"))
+ .booleanValue();
+ boolean signAttrResponses = new Boolean(((Element) partyConfig).getAttribute("signAttrResponses"))
+ .booleanValue();
+ boolean signAttrAssertions = new Boolean(((Element) partyConfig).getAttribute("signAttrAssertions"))
+ .booleanValue();
+
+ String credentialName = ((Element) partyConfig).getAttribute("signingCredential");
+
+ // Load the credential for AuthN signing
+ if (signAuthResponses || signAuthAssertions) {
+
+ authNCredential = credentials.getCredential(credentialName);
+ if (authNCredential == null) {
+ if (credentialName == null || credentialName.equals("")) {
+ log.error("Relying Party credential not set. Add a (signingCredential) "
+ + "attribute to <RelyingParty>.");
+ throw new ServiceProviderMapperException("Required configuration not specified.");
+ } else {
+ log.error("Relying Party credential invalid. Fix the (signingCredential) attribute "
+ + "on <RelyingParty>.");
+ throw new ServiceProviderMapperException("Required configuration is invalid.");
+ }
+ }
+ }
+
+ // Load the credential for Attribute signing
+ if (signAttrAssertions || signAttrResponses) {
+ String aaCredentialName = ((Element) partyConfig).getAttribute("AASigningCredential");
+ attrCredential = credentials.getCredential(aaCredentialName);
+ if (aaCredentialName == null || aaCredentialName.equals("")) {
+ if (authNCredential != null) {
+ attrCredential = authNCredential;
+ } else {
+ aaCredentialName = ((Element) partyConfig).getAttribute("signingCredential");
+ attrCredential = credentials.getCredential(aaCredentialName);
+ }
+ } else {
+ log.debug("Using (AASigningCredential) for AA signing.");
+ }
+ }
+
+ if ((attrCredential == null) && (signAttrResponses || signAttrAssertions)) {
+ if (credentialName == null || credentialName.equals("")) {
+ log.error("Relying Party credential not set. Add a (AASigningCredential) or (signingCredential) "
+ + "attribute to <RelyingParty>.");
+ throw new ServiceProviderMapperException("Required configuration not specified.");
+ } else {
+ log.error("Relying Party credential invalid. Fix the (signingCredential) attribute "
+ + "on <RelyingParty>.");
+ throw new ServiceProviderMapperException("Required configuration is invalid.");
+ }
+ }
+
+ // Initialize and Identity Provider object for this use by this relying party
+ identityProvider = new RelyingPartyIdentityProvider(overridenOriginProviderId != null
+ ? overridenOriginProviderId
+ : configuration.getProviderId(), signAuthResponses ? authNCredential : null, signAuthAssertions
+ ? authNCredential
+ : null, signAttrResponses ? attrCredential : null, signAttrAssertions ? attrCredential : null);
+
}
public String getProviderId() {
+
return name;
}
public String getName() {
+
return name;
}
public IdentityProvider getIdentityProvider() {
+
return identityProvider;
}
+ public boolean isLegacyProvider() {
+
+ return false;
+ }
+
+ public String getHSNameFormatId() {
+
+ return hsNameFormatId;
+ }
+
+ public URI getDefaultAuthMethod() {
+
+ if (overridenDefaultAuthMethod != null) {
+ return overridenDefaultAuthMethod;
+ } else {
+ return configuration.getDefaultAuthMethod();
+ }
+ }
+
+ public URL getAAUrl() {
+
+ if (overridenAAUrl != null) {
+ return overridenAAUrl;
+ } else {
+ return configuration.getAAUrl();
+ }
+ }
+
+ public boolean passThruErrors() {
+
+ if (passThruIsOverriden) {
+ return overridenPassThruErrors;
+ } else {
+ return configuration.passThruErrors();
+ }
+ }
+
/**
* Default identity provider implementation.
*
*/
protected class RelyingPartyIdentityProvider implements IdentityProvider {
- private String providerId;
- private Credential responseSigningCredential;
- private Credential assertionSigningCredential;
+ private String providerId;
+ private Credential authNResponseSigningCredential;
+ private Credential authNAssertionSigningCredential;
+ private Credential attributeResponseSigningCredential;
+ private Credential attributeAssertionSigningCredential;
- public RelyingPartyIdentityProvider(String providerId, Credential responseSigningCred) {
- this.providerId = providerId;
- this.responseSigningCredential = responseSigningCred;
- }
+ public RelyingPartyIdentityProvider(String providerId, Credential authNResponseSigningCredential,
+ Credential authNAssertionSigningCredential, Credential attributeResponseSigningCredential,
+ Credential attributeAssertionSigningCredential) {
- public RelyingPartyIdentityProvider(String providerId, Credential responseSigningCred,
- Credential assertionSigningCred) {
this.providerId = providerId;
- this.responseSigningCredential = responseSigningCred;
- this.assertionSigningCredential = assertionSigningCred;
+ this.authNResponseSigningCredential = authNResponseSigningCredential;
+ this.authNAssertionSigningCredential = authNAssertionSigningCredential;
+ this.attributeResponseSigningCredential = attributeResponseSigningCredential;
+ this.attributeAssertionSigningCredential = attributeAssertionSigningCredential;
}
public String getProviderId() {
+
return providerId;
}
- public Credential getResponseSigningCredential() {
- return responseSigningCredential;
+ public Credential getAuthNResponseSigningCredential() {
+
+ return authNResponseSigningCredential;
}
- public Credential getAssertionSigningCredential() {
- return assertionSigningCredential;
+ public Credential getAuthNAssertionSigningCredential() {
+
+ return authNAssertionSigningCredential;
+ }
+
+ public Credential getAttributeResponseSigningCredential() {
+
+ return attributeResponseSigningCredential;
+ }
+
+ public Credential getAttributeAssertionSigningCredential() {
+
+ return attributeAssertionSigningCredential;
}
}
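Review bot: The catch in addRelyingParty drops the ServiceProviderMapperException without its cause and lets construction continue, so a RelyingParty whose signing credential is missing or invalid is simply absent from relyingParties, and requests naming that provider fall through to the default party in getRelyingPartyImpl (an earlier hunk) — a fail-open to whatever the default party's signing settings happen to be. At minimum pass the exception to the logger, `log.error("Encountered an error while attempting to load Relying Party configuration. Skipping...", exc);`, and consider rethrowing so a misconfigured party is a startup failure rather than a silent fallback. The RelyingPartyImpl constructor has the same fail-soft shape for the name attribute: an empty name is logged but construction proceeds and the party is stored under the empty-string key, whereas every other required-config check in that constructor throws; this one should too, `throw new ServiceProviderMapperException("Required configuration not specified.");`. The four sign* attributes are parsed with `new Boolean(...)`, so any value other than a case-insensitive "true" (e.g. "yes", "1", or a typo) silently disables signing for that party; either reject values that are neither "true" nor "false" or add a comment stating that anything but "true" means unsigned, so the behaviour is at least deliberate.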
*
* @author Walter Hoehn
*/
- class RelyingPartyGroupWrapper implements RelyingParty, HSRelyingParty, AARelyingParty {
+ class RelyingPartyGroupWrapper implements RelyingParty {
- private RelyingParty wrapped;
- private String providerId;
+ private RelyingParty wrapped;
+ private String providerId;
RelyingPartyGroupWrapper(RelyingParty wrapped, String providerId) {
+
this.wrapped = wrapped;
this.providerId = providerId;
}
public String getName() {
+
return wrapped.getName();
}
public boolean isLegacyProvider() {
+
return false;
}
public IdentityProvider getIdentityProvider() {
+
return wrapped.getIdentityProvider();
}
public String getProviderId() {
+
return providerId;
}
public String getHSNameFormatId() {
- if (!(wrapped instanceof HSRelyingParty)) {
- return null;
- }
- return ((HSRelyingParty) wrapped).getHSNameFormatId();
+
+ return wrapped.getHSNameFormatId();
}
public URL getAAUrl() {
- if (!(wrapped instanceof HSRelyingParty)) {
- return null;
- }
- return ((HSRelyingParty) wrapped).getAAUrl();
+
+ return wrapped.getAAUrl();
}
public URI getDefaultAuthMethod() {
- if (!(wrapped instanceof HSRelyingParty)) {
- return null;
- }
- return ((HSRelyingParty) wrapped).getDefaultAuthMethod();
+
+ return wrapped.getDefaultAuthMethod();
}
public boolean passThruErrors() {
- if (!(wrapped instanceof AARelyingParty)) {
- return false;
- }
- return ((AARelyingParty) wrapped).passThruErrors();
+
+ return wrapped.passThruErrors();
}
}
*
* @author Walter Hoehn
*/
- protected class UnknownProviderWrapper implements RelyingParty, HSRelyingParty, AARelyingParty {
+ protected class UnknownProviderWrapper implements RelyingParty {
- protected RelyingParty wrapped;
- protected String providerId;
+ protected RelyingParty wrapped;
+ protected String providerId;
protected UnknownProviderWrapper(RelyingParty wrapped, String providerId) {
+
this.wrapped = wrapped;
this.providerId = providerId;
}
public String getName() {
+
return wrapped.getName();
}
public IdentityProvider getIdentityProvider() {
+
return wrapped.getIdentityProvider();
}
public String getProviderId() {
+
return providerId;
}
public String getHSNameFormatId() {
- if (!(wrapped instanceof HSRelyingParty)) {
- return null;
- }
- return ((HSRelyingParty) wrapped).getHSNameFormatId();
+
+ return wrapped.getHSNameFormatId();
}
public boolean isLegacyProvider() {
- if (!(wrapped instanceof HSRelyingParty)) {
- return false;
- }
- return ((HSRelyingParty) wrapped).isLegacyProvider();
+
+ return wrapped.isLegacyProvider();
}
public URL getAAUrl() {
- if (!(wrapped instanceof HSRelyingParty)) {
- return null;
- }
- return ((HSRelyingParty) wrapped).getAAUrl();
+
+ return wrapped.getAAUrl();
}
public URI getDefaultAuthMethod() {
- if (!(wrapped instanceof HSRelyingParty)) {
- return null;
- }
- return ((HSRelyingParty) wrapped).getDefaultAuthMethod();
+
+ return wrapped.getDefaultAuthMethod();
}
public boolean passThruErrors() {
- if (!(wrapped instanceof AARelyingParty)) {
- return false;
- }
- return ((AARelyingParty) wrapped).passThruErrors();
+
+ return wrapped.passThruErrors();
}
}
+ /**
+ * Relying party wrapper for Shibboleth <=1.1 service providers.
+ *
+ * @author Walter Hoehn
+ */
+ class LegacyWrapper extends UnknownProviderWrapper implements RelyingParty {
+
+ LegacyWrapper(RelyingParty wrapped) {
+
+ super(wrapped, null);
+ }
+
+ public boolean isLegacyProvider() {
+
+ return true;
+ }
+
+ public String getHSNameFormatId() {
+
+ return ((RelyingParty) wrapped).getHSNameFormatId();
+ }
+
+ public URL getAAUrl() {
+
+ return ((RelyingParty) wrapped).getAAUrl();
+ }
+
+ public URI getDefaultAuthMethod() {
+
+ return ((RelyingParty) wrapped).getDefaultAuthMethod();
+ }
+ }
+
+ /**
+ * Relying party wrapper for providers for which we have no metadata
+ *
+ * @author Walter Hoehn
+ */
+ class NoMetadataWrapper extends UnknownProviderWrapper implements RelyingParty {
+
+ NoMetadataWrapper(RelyingParty wrapped) {
+
+ super(wrapped, null);
+ }
+
+ public String getHSNameFormatId() {
+
+ return ((RelyingParty) wrapped).getHSNameFormatId();
+ }
+
+ public URL getAAUrl() {
+
+ return ((RelyingParty) wrapped).getAAUrl();
+ }
+
+ public URI getDefaultAuthMethod() {
+
+ return ((RelyingParty) wrapped).getDefaultAuthMethod();
+ }
+ }
}
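Review bot: LegacyWrapper and NoMetadataWrapper each re-override getHSNameFormatId, getAAUrl and getDefaultAuthMethod as `((RelyingParty) wrapped).getX()`, which is exactly what the UnknownProviderWrapper they extend already does, and since wrapped is declared as RelyingParty the cast is a no-op. Dropping those six methods and the redundant `implements RelyingParty` on both subclasses leaves LegacyWrapper with only its `isLegacyProvider` override and NoMetadataWrapper with only its constructor, which makes the real difference between the wrappers visible at a glance. Both constructors pass `null` as providerId, so getProviderId() on these wrappers returns null; a one-line comment on each constructor stating that this is intentional would help, since the callers that consume it are not visible in this file.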
import org.apache.log4j.Logger;
import org.apache.log4j.NDC;
import org.apache.xml.security.signature.XMLSignature;
-import org.opensaml.*;
+import org.opensaml.InvalidCryptoException;
+import org.opensaml.NoSuchProviderException;
+import org.opensaml.ReplayCache;
+import org.opensaml.SAMLAssertion;
+import org.opensaml.SAMLAudienceRestrictionCondition;
+import org.opensaml.SAMLAuthenticationStatement;
+import org.opensaml.SAMLBrowserProfile;
+import org.opensaml.SAMLBrowserProfileFactory;
+import org.opensaml.SAMLConfig;
+import org.opensaml.SAMLException;
+import org.opensaml.SAMLNameIdentifier;
+import org.opensaml.SAMLResponse;
+import org.opensaml.SAMLSignedObject;
+import org.opensaml.SAMLSubject;
+import org.opensaml.TrustException;
import org.w3c.dom.Document;
-import edu.internet2.middleware.shibboleth.hs.HSRelyingParty;
import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
import edu.internet2.middleware.shibboleth.metadata.IDPProviderRole;
import edu.internet2.middleware.shibboleth.metadata.MetadataException;
* @exception SAMLException
* Base class of exceptions that may be thrown during processing
*/
- public SAMLResponse prepare(String recipient, HSRelyingParty relyingParty, SAMLNameIdentifier nameId,
+ public SAMLResponse prepare(String recipient, RelyingParty relyingParty, SAMLNameIdentifier nameId,
String subjectIP, String authMethod, Date authInstant, Collection bindings) throws SAMLException {
Document doc = org.opensaml.XML.parserPool.newDocument();
if (relyingParty.isLegacyProvider()) {
log.debug("Service Provider is running Shibboleth <= 1.1. Using old style issuer.");
- if (relyingParty.getIdentityProvider().getResponseSigningCredential() == null
- || relyingParty.getIdentityProvider().getResponseSigningCredential().getX509Certificate() == null) {
+ if (relyingParty.getIdentityProvider().getAuthNResponseSigningCredential() == null
+ || relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getX509Certificate() == null) {
throw new SAMLException("Cannot serve legacy style assertions without an X509 certificate");
}
- issuer = getHostNameFromDN(relyingParty.getIdentityProvider().getResponseSigningCredential()
+ issuer = getHostNameFromDN(relyingParty.getIdentityProvider().getAuthNResponseSigningCredential()
.getX509Certificate().getSubjectX500Principal());
if (issuer == null || issuer.equals("")) {
throw new SAMLException("Error parsing certificate DN while determining legacy issuer name.");
r.toDOM(doc);
//Sign the assertions, if appropriate
- if (relyingParty.getIdentityProvider().getAssertionSigningCredential() != null
- && relyingParty.getIdentityProvider().getAssertionSigningCredential().getPrivateKey() != null) {
+ if (relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential() != null
+ && relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential().getPrivateKey() != null) {
String assertionAlgorithm;
- if (relyingParty.getIdentityProvider().getAssertionSigningCredential().getCredentialType() == Credential.RSA) {
+ if (relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential().getCredentialType() == Credential.RSA) {
assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
- } else if (relyingParty.getIdentityProvider().getAssertionSigningCredential().getCredentialType() == Credential.DSA) {
+ } else if (relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential().getCredentialType() == Credential.DSA) {
assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
} else {
throw new InvalidCryptoException(SAMLException.RESPONDER,
}
((SAMLAssertion) r.getAssertions().next()).sign(assertionAlgorithm, relyingParty.getIdentityProvider()
- .getAssertionSigningCredential().getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider()
- .getAssertionSigningCredential().getX509CertificateChain()));
+ .getAuthNAssertionSigningCredential().getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider()
+ .getAuthNAssertionSigningCredential().getX509CertificateChain()));
}
//Sign the response, if appropriate
- if (relyingParty.getIdentityProvider().getResponseSigningCredential() != null
- && relyingParty.getIdentityProvider().getResponseSigningCredential().getPrivateKey() != null) {
+ if (relyingParty.getIdentityProvider().getAuthNResponseSigningCredential() != null
+ && relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getPrivateKey() != null) {
String responseAlgorithm;
- if (relyingParty.getIdentityProvider().getResponseSigningCredential().getCredentialType() == Credential.RSA) {
+ if (relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getCredentialType() == Credential.RSA) {
responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
- } else if (relyingParty.getIdentityProvider().getResponseSigningCredential().getCredentialType() == Credential.DSA) {
+ } else if (relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getCredentialType() == Credential.DSA) {
responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
} else {
throw new InvalidCryptoException(SAMLException.RESPONDER,
}
r.sign(responseAlgorithm,
- relyingParty.getIdentityProvider().getResponseSigningCredential().getPrivateKey(), Arrays
- .asList(relyingParty.getIdentityProvider().getResponseSigningCredential()
+ relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getPrivateKey(), Arrays
+ .asList(relyingParty.getIdentityProvider().getAuthNResponseSigningCredential()
.getX509CertificateChain()));
}
+++ /dev/null
-/*
- * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
- * All rights reserved
- *
- *
- * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
- * following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
- * disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided with the distribution, if any, must include the
- * following acknowledgment: "This product includes software developed by the University Corporation for Advanced
- * Internet Development <http://www.ucaid.edu> Internet2 Project. Alternately, this acknowledegement may appear in the
- * software itself, if and wherever such third-party acknowledgments normally appear.
- *
- * Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor the University Corporation for
- * Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote products derived from this software
- * without specific prior written permission. For written permission, please contact shibboleth@shibboleth.org
- *
- * Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the University Corporation
- * for Advanced Internet Development, nor may Shibboleth appear in their name, without prior written permission of the
- * University Corporation for Advanced Internet Development.
- *
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE,
- * ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-package edu.internet2.middleware.shibboleth.hs;
-
-import java.net.URI;
-import java.net.URL;
-
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-
-/**
- * Defines a method for obtaining configuration data that is specific to a {@link RelyingParty}and is needed by the
- * Shibboleth Handle Service.
- *
- * @author Walter Hoehn
- */
-public interface HSRelyingParty extends RelyingParty {
-
- /**
- * Returns the id of the name format that should be used in authentication assertions issued to this
- * {@link RelyingParty}.
- *
- * @return the id for the format
- */
- public String getHSNameFormatId();
-
- /**
- * Returns a boolean indication of whether this {@link RelyingParty}is running <= Shibboleth v1.1. Used to
- * ensure backward compatibility.
- */
- public boolean isLegacyProvider();
-
- /**
- * Returns the location of the Shibboleth Attribute Authority that should answer requests for this
- * {@link RelyingParty}.
- *
- * @return the URL
- */
- public URL getAAUrl();
-
- /**
- * The authentication method that should be included in assertions to the {@link RelyingParty}, if one is not
- * found in HTTP request headers.
- *
- * @return the identifier for the method
- */
- public URI getDefaultAuthMethod();
-}
+++ /dev/null
-/*
- * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
- * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
- * provided that the following conditions are met: Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials
- * provided with the distribution, if any, must include the following acknowledgment: "This product includes software
- * developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2 Project.
- * Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor
- * the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
- * products derived from this software without specific prior written permission. For written permission, please contact
- * shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the
- * University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name, without prior
- * written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS PROVIDED BY THE
- * COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE
- * DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO
- * EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC.
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-package edu.internet2.middleware.shibboleth.hs;
-
-import java.net.MalformedURLException;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.URL;
-
-import org.apache.log4j.Logger;
-import org.w3c.dom.Element;
-import org.w3c.dom.NodeList;
-
-import edu.internet2.middleware.shibboleth.common.Credential;
-import edu.internet2.middleware.shibboleth.common.Credentials;
-import edu.internet2.middleware.shibboleth.common.NameMapper;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.ServiceProviderMapper;
-import edu.internet2.middleware.shibboleth.common.ServiceProviderMapperException;
-import edu.internet2.middleware.shibboleth.idp.IdPConfig;
-import edu.internet2.middleware.shibboleth.metadata.Metadata;
-
-/**
- * Class for determining the effective relying party for the Shibboleth handle service from the unique id of the service
- * provider.
- *
- * @author Walter Hoehn
- */
-public class HSServiceProviderMapper extends ServiceProviderMapper {
-
- private static Logger log = Logger.getLogger(HSServiceProviderMapper.class.getName());
- private IdPConfig configuration;
- private Credentials credentials;
- private NameMapper nameMapper;
-
- /**
- * Constructs a new service provider mapper for the handle service.
- *
- * @param rawConfig
- * DOM representation of the handle service configuration
- * @param configuration
- * global handle service configuration
- * @param credentials
- * credentials for the handle service using this provider mapper
- * @param nameMapper
- * name mapper for the handle service using this provider mapper
- * @throws ServiceProviderMapperException
- * if the configuration is invalid
- */
- public HSServiceProviderMapper(Element rawConfig, IdPConfig configuration, Credentials credentials,
- NameMapper nameMapper, Metadata metaData) throws ServiceProviderMapperException {
-
- super(metaData);
- this.configuration = configuration;
- this.credentials = credentials;
- this.nameMapper = nameMapper;
-
- NodeList itemElements = rawConfig.getElementsByTagNameNS(IdPConfig.originConfigNamespace,
- "RelyingParty");
-
- for (int i = 0; i < itemElements.getLength(); i++) {
- addRelyingParty((Element) itemElements.item(i));
- }
-
- verifyDefaultParty(configuration);
- }
-
- private void addRelyingParty(Element e) throws ServiceProviderMapperException {
-
- log.debug("Found a Relying Party.");
- try {
- if (e.getLocalName().equals("RelyingParty")) {
- RelyingParty party = new HSRelyingPartyImpl(e, configuration, credentials, nameMapper);
- log.debug("Relying Party (" + party.getName() + ") loaded.");
- relyingParties.put(party.getName(), party);
- }
- } catch (ServiceProviderMapperException exc) {
- log.error("Encountered an error while attempting to load Relying Party configuration. Skipping...");
- }
- }
-
- /**
- * Returns the appropriate relying party for the supplied service provider id.
- */
- public HSRelyingParty getRelyingParty(String providerIdFromTarget) {
-
- if (providerIdFromTarget == null || providerIdFromTarget.equals("")) {
- RelyingParty relyingParty = getDefaultRelyingParty();
- log.info("Selecting default Relying Party: (" + relyingParty.getName() + ").");
- return new NoMetadataWrapper((HSRelyingParty) relyingParty);
- }
-
- return (HSRelyingParty) getRelyingPartyImpl(providerIdFromTarget);
- }
-
- /**
- * Returns the relying party for a legacy provider(the default)
- */
- public HSRelyingParty getLegacyRelyingParty() {
-
- RelyingParty relyingParty = getDefaultRelyingParty();
- log.info("Request is from legacy shib target. Selecting default Relying Party: (" + relyingParty.getName()
- + ").");
- return new LegacyWrapper((HSRelyingParty) relyingParty);
-
- }
-
- protected IdPConfig getOriginConfig() {
-
- return configuration;
- }
-
- /**
- * HS-specific relying party implementation.
- *
- * @author Walter Hoehn
- */
- class HSRelyingPartyImpl extends BaseRelyingPartyImpl implements HSRelyingParty {
-
- private URL overridenAAUrl;
- private URI overridenDefaultAuthMethod;
- protected String hsNameFormatId;
- private IdPConfig configuration;
-
- HSRelyingPartyImpl(Element partyConfig, IdPConfig globalConfig, Credentials credentials, NameMapper nameMapper)
- throws ServiceProviderMapperException {
-
- super(partyConfig);
-
- configuration = globalConfig;
-
- //Load a credential for signing
- String credentialName = ((Element) partyConfig).getAttribute("signingCredential");
- boolean signAuthResponses = new Boolean(((Element) partyConfig).getAttribute("signAuthResponses"))
- .booleanValue();
- boolean signAuthAssertions = new Boolean(((Element) partyConfig).getAttribute("signAuthAssertions"))
- .booleanValue();
- Credential credential = credentials.getCredential(credentialName);
-
- if ((credential == null) && (signAuthResponses || signAuthAssertions)) {
- if (credentialName == null || credentialName.equals("")) {
- log
- .error("Relying Party credential not set. Add a (signingCredential) attribute to <RelyingParty>.");
- throw new ServiceProviderMapperException("Required configuration not specified.");
- } else {
- log
- .error("Relying Party credential invalid. Fix the (signingCredential) attribute on <RelyingParty>.");
- throw new ServiceProviderMapperException("Required configuration is invalid.");
- }
- }
-
- //Load and verify the name format that the HS should use in
- //assertions for this RelyingParty
- NodeList hsNameFormats = ((Element) partyConfig).getElementsByTagNameNS(
- IdPConfig.originConfigNamespace, "HSNameFormat");
- //If no specification. Make sure we have a default mapping
- if (hsNameFormats.getLength() < 1) {
- if (nameMapper.getNameIdentifierMappingById(null) == null) {
- log.error("Relying Party HS Name Format not set. Add a <HSNameFormat> element to <RelyingParty>.");
- throw new ServiceProviderMapperException("Required configuration not specified.");
- }
-
- } else {
- //We do have a specification, so make sure it points to a
- // valid Name Mapping
- if (hsNameFormats.getLength() > 1) {
- log.warn("Found multiple HSNameFormat specifications for Relying Party (" + name
- + "). Ignoring all but the first.");
- }
-
- hsNameFormatId = ((Element) hsNameFormats.item(0)).getAttribute("nameMapping");
- if (hsNameFormatId == null || hsNameFormatId.equals("")) {
- log.error("HS Name Format mapping not set. Add a (nameMapping) attribute to <HSNameFormat>.");
- throw new ServiceProviderMapperException("Required configuration not specified.");
- }
-
- if (nameMapper.getNameIdentifierMappingById(hsNameFormatId) == null) {
- log.error("Relying Party HS Name Format refers to a name mapping that is not loaded.");
- throw new ServiceProviderMapperException("Required configuration not specified.");
- }
- }
-
- //Global overrides
- String attribute = ((Element) partyConfig).getAttribute("AAUrl");
- if (attribute != null && !attribute.equals("")) {
- log.debug("Overriding AAUrl for Relying Pary (" + name + ") with (" + attribute + ").");
- try {
- overridenAAUrl = new URL(attribute);
- } catch (MalformedURLException e) {
- log.error("(AAUrl) attribute to is not a valid URL.");
- throw new ServiceProviderMapperException("Configuration is invalid.");
- }
- }
-
- attribute = ((Element) partyConfig).getAttribute("defaultAuthMethod");
- if (attribute != null && !attribute.equals("")) {
- log.debug("Overriding defaultAuthMethod for Relying Pary (" + name + ") with (" + attribute + ").");
- try {
- overridenDefaultAuthMethod = new URI(attribute);
- } catch (URISyntaxException e1) {
- log.error("(defaultAuthMethod) attribute to is not a valid URI.");
- throw new ServiceProviderMapperException("Configuration is invalid.");
- }
- }
-
- identityProvider = new RelyingPartyIdentityProvider(overridenOriginProviderId != null
- ? overridenOriginProviderId
- : configuration.getProviderId(), signAuthResponses ? credential : null, signAuthAssertions
- ? credential
- : null);
- }
-
- public boolean isLegacyProvider() {
-
- return false;
- }
-
- public String getHSNameFormatId() {
-
- return hsNameFormatId;
- }
-
- public URI getDefaultAuthMethod() {
-
- if (overridenDefaultAuthMethod != null) {
- return overridenDefaultAuthMethod;
- } else {
- return configuration.getDefaultAuthMethod();
- }
- }
-
- public URL getAAUrl() {
-
- if (overridenAAUrl != null) {
- return overridenAAUrl;
- } else {
- return configuration.getAAUrl();
- }
- }
- }
-
- /**
- * Relying party wrapper for Shibboleth <=1.1 service providers.
- *
- * @author Walter Hoehn
- */
- class LegacyWrapper extends UnknownProviderWrapper implements HSRelyingParty {
-
- LegacyWrapper(HSRelyingParty wrapped) {
-
- super(wrapped, null);
- }
-
- public boolean isLegacyProvider() {
-
- return true;
- }
-
- public String getHSNameFormatId() {
-
- return ((HSRelyingParty) wrapped).getHSNameFormatId();
- }
-
- public URL getAAUrl() {
-
- return ((HSRelyingParty) wrapped).getAAUrl();
- }
-
- public URI getDefaultAuthMethod() {
-
- return ((HSRelyingParty) wrapped).getDefaultAuthMethod();
- }
- }
-
- /**
- * Relying party wrapper for providers for which we have no metadata
- *
- * @author Walter Hoehn
- */
- class NoMetadataWrapper extends UnknownProviderWrapper implements HSRelyingParty {
-
- NoMetadataWrapper(HSRelyingParty wrapped) {
-
- super(wrapped, null);
- }
-
- public String getHSNameFormatId() {
-
- return ((HSRelyingParty) wrapped).getHSNameFormatId();
- }
-
- public URL getAAUrl() {
-
- return ((HSRelyingParty) wrapped).getAAUrl();
- }
-
- public URI getDefaultAuthMethod() {
-
- return ((HSRelyingParty) wrapped).getDefaultAuthMethod();
- }
- }
-
-}
\ No newline at end of file
import sun.misc.BASE64Decoder;
import edu.internet2.middleware.shibboleth.aa.AAException;
-import edu.internet2.middleware.shibboleth.aa.AARelyingParty;
import edu.internet2.middleware.shibboleth.aa.AAResponder;
-import edu.internet2.middleware.shibboleth.aa.AAServiceProviderMapper;
import edu.internet2.middleware.shibboleth.aa.arp.ArpEngine;
import edu.internet2.middleware.shibboleth.aa.arp.ArpException;
import edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver;
import edu.internet2.middleware.shibboleth.common.NameMapper;
import edu.internet2.middleware.shibboleth.common.OriginConfig;
import edu.internet2.middleware.shibboleth.common.RelyingParty;
+import edu.internet2.middleware.shibboleth.common.ServiceProviderMapper;
import edu.internet2.middleware.shibboleth.common.ServiceProviderMapperException;
import edu.internet2.middleware.shibboleth.common.ShibBrowserProfile;
import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
import edu.internet2.middleware.shibboleth.common.TargetFederationComponent;
-import edu.internet2.middleware.shibboleth.hs.HSRelyingParty;
-import edu.internet2.middleware.shibboleth.hs.HSServiceProviderMapper;
import edu.internet2.middleware.shibboleth.metadata.AttributeConsumerRole;
import edu.internet2.middleware.shibboleth.metadata.Endpoint;
import edu.internet2.middleware.shibboleth.metadata.KeyDescriptor;
// TODO Maybe should rethink the inheritance here, since there is only one
// servlet
+ // TODO signing is broken... it doesn't distinguish between authn and attr signing
private static Logger transactionLog = Logger.getLogger("Shibboleth-TRANSACTION");
private static Logger log = Logger.getLogger(IdPResponder.class.getName());
private SSOProfileHandler[] profileHandlers;
private IdPConfig configuration;
private NameMapper nameMapper;
-
- // TODO unify
- private AAServiceProviderMapper targetMapper;
- private HSServiceProviderMapper hsTargetMapper;
+ private ServiceProviderMapper spMapper;
// TODO Need to rename, rework, and init
private AAResponder responder;
// Load relying party config
try {
- // TODO unify the service provider mapper
- targetMapper = new AAServiceProviderMapper(originConfig.getDocumentElement(), configuration, credentials,
- this);
+ spMapper = new ServiceProviderMapper(originConfig.getDocumentElement(), configuration, credentials,
+ nameMapper, this);
} catch (ServiceProviderMapperException e) {
log.error("Could not load Identity Provider configuration: " + e);
throw new ShibbolethConfigurationException("Could not load Identity Provider configuration.");
// TODO validate that the endpoint is valid for the request type
- AARelyingParty relyingParty = null;
+ RelyingParty relyingParty = null;
SAMLAttributeQuery attributeQuery = (SAMLAttributeQuery) samlRequest.getQuery();
} else {
// Identify a Relying Party
- relyingParty = targetMapper.getRelyingParty(attributeQuery.getResource());
+ relyingParty = spMapper.getRelyingParty(attributeQuery.getResource());
try {
effectiveName = getEffectiveName(request, relyingParty);
if (effectiveName == null) {
log.debug("Using default Relying Party for unauthenticated provider.");
- relyingParty = targetMapper.getRelyingParty(null);
+ relyingParty = spMapper.getRelyingParty(null);
}
// Fail if we can't honor SAML Subject Confirmation
.getRemoteUser() : request.getHeader(configuration.getAuthHeaderName());
// Select the appropriate Relying Party configuration for the request
- HSRelyingParty relyingParty = null;
+ RelyingParty relyingParty = null;
String remoteProviderId = activeHandler.getRemoteProviderId(request);
// If the target did not send a Provider Id, then assume it is a Shib
// 1.1 or older target
if (remoteProviderId == null) {
- relyingParty = hsTargetMapper.getLegacyRelyingParty();
+ relyingParty = spMapper.getLegacyRelyingParty();
} else if (remoteProviderId.equals("")) {
throw new InvalidClientDataException("Invalid service provider id.");
} else {
log.debug("Remote provider has identified itself as: (" + remoteProviderId + ").");
- relyingParty = hsTargetMapper.getRelyingParty(remoteProviderId);
+ relyingParty = spMapper.getRelyingParty(remoteProviderId);
}
// Grab the metadata for the provider
if (provider == null) {
log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
- relyingParty = hsTargetMapper.getRelyingParty(null);
+ relyingParty = spMapper.getRelyingParty(null);
} else {
return true;
}
- private String getEffectiveName(HttpServletRequest req, AARelyingParty relyingParty)
+ private String getEffectiveName(HttpServletRequest req, RelyingParty relyingParty)
throws InvalidProviderCredentialException {
// X500Principal credentialName = getCredentialName(req);
private static void addSignatures(SAMLResponse reponse, RelyingParty relyingParty) throws SAMLException {
// TODO make sure this signing optionally happens according to origin.xml params
+ // TODO this has to be made to work for both AuthN and Attr assertion types
// Sign the assertions, if appropriate
- if (relyingParty.getIdentityProvider().getAssertionSigningCredential() != null
- && relyingParty.getIdentityProvider().getAssertionSigningCredential().getPrivateKey() != null) {
+ if (relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential() != null
+ && relyingParty.getIdentityProvider().getAttributeAssertionSigningCredential().getPrivateKey() != null) {
String assertionAlgorithm;
- if (relyingParty.getIdentityProvider().getAssertionSigningCredential().getCredentialType() == Credential.RSA) {
+ if (relyingParty.getIdentityProvider().getAttributeAssertionSigningCredential().getCredentialType() == Credential.RSA) {
assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
- } else if (relyingParty.getIdentityProvider().getAssertionSigningCredential().getCredentialType() == Credential.DSA) {
+ } else if (relyingParty.getIdentityProvider().getAttributeAssertionSigningCredential().getCredentialType() == Credential.DSA) {
assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
} else {
throw new InvalidCryptoException(SAMLException.RESPONDER,
}
((SAMLAssertion) reponse.getAssertions().next()).sign(assertionAlgorithm, relyingParty
- .getIdentityProvider().getAssertionSigningCredential().getPrivateKey(), Arrays.asList(relyingParty
- .getIdentityProvider().getAssertionSigningCredential().getX509CertificateChain()));
+ .getIdentityProvider().getAttributeAssertionSigningCredential().getPrivateKey(), Arrays
+ .asList(relyingParty.getIdentityProvider().getAttributeAssertionSigningCredential()
+ .getX509CertificateChain()));
}
// Sign the response, if appropriate
- if (relyingParty.getIdentityProvider().getResponseSigningCredential() != null
- && relyingParty.getIdentityProvider().getResponseSigningCredential().getPrivateKey() != null) {
+ if (relyingParty.getIdentityProvider().getAttributeResponseSigningCredential() != null
+ && relyingParty.getIdentityProvider().getAttributeResponseSigningCredential().getPrivateKey() != null) {
String responseAlgorithm;
- if (relyingParty.getIdentityProvider().getResponseSigningCredential().getCredentialType() == Credential.RSA) {
+ if (relyingParty.getIdentityProvider().getAttributeResponseSigningCredential().getCredentialType() == Credential.RSA) {
responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
- } else if (relyingParty.getIdentityProvider().getResponseSigningCredential().getCredentialType() == Credential.DSA) {
+ } else if (relyingParty.getIdentityProvider().getAttributeResponseSigningCredential().getCredentialType() == Credential.DSA) {
responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
} else {
throw new InvalidCryptoException(SAMLException.RESPONDER,
"The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
}
- reponse.sign(responseAlgorithm, relyingParty.getIdentityProvider().getResponseSigningCredential()
- .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider().getResponseSigningCredential()
- .getX509CertificateChain()));
+ reponse.sign(responseAlgorithm, relyingParty.getIdentityProvider().getAttributeResponseSigningCredential()
+ .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider()
+ .getAttributeResponseSigningCredential().getX509CertificateChain()));
}
}
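Review bot: The null guard on the new assertion-signing branch checks one credential and then dereferences a different one: line `if (relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential() != null` is paired with `&& relyingParty.getIdentityProvider().getAttributeAssertionSigningCredential().getPrivateKey() != null`. A relying party configured with an AuthN assertion credential but no attribute assertion credential will NPE here, and one configured the other way round will silently skip signing its attribute assertions even though every subsequent line in the branch signs with the attribute credential. The guard should test the credential it actually uses, `if (relyingParty.getIdentityProvider().getAttributeAssertionSigningCredential() != null`, and hoisting each credential into a local (`Credential assertionCred = ...getAttributeAssertionSigningCredential();`) would make this kind of copy-paste divergence impossible across the eight repeated getter calls. Separately, the method name and the TODO on line `// TODO this has to be made to work for both AuthN and Attr assertion types` suggest this is still expected to serve the SSO path too; as written it is attribute-only, so if it is also reached for authentication responses the AuthN signing configuration is ignored entirely — worth documenting in the method comment until the split is done.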
abstract boolean preProcessHook(HttpServletRequest request, HttpServletResponse response) throws IOException;
- abstract SAMLAssertion[] processHook(HttpServletRequest request, HSRelyingParty relyingParty,
- Provider provider, SAMLNameIdentifier nameId, String authenticationMethod, Date authTime)
- throws SAMLException, IOException;
+ abstract SAMLAssertion[] processHook(HttpServletRequest request, RelyingParty relyingParty, Provider provider,
+ SAMLNameIdentifier nameId, String authenticationMethod, Date authTime) throws SAMLException,
+ IOException;
- abstract String getSAMLTargetParameter(HttpServletRequest request, HSRelyingParty relyingParty,
- Provider provider);
+ abstract String getSAMLTargetParameter(HttpServletRequest request, RelyingParty relyingParty, Provider provider);
- abstract String getAcceptanceURL(HttpServletRequest request, HSRelyingParty relyingParty, Provider provider)
+ abstract String getAcceptanceURL(HttpServletRequest request, RelyingParty relyingParty, Provider provider)
throws InvalidClientDataException;
}
return id;
}
- public Credential getResponseSigningCredential() {
+
+ public Credential getAuthNResponseSigningCredential() {
+
+ return null;
+ }
+
+ public Credential getAuthNAssertionSigningCredential() {
+
+ return null;
+ }
+
+ public Credential getAttributeResponseSigningCredential() {
return null;
}
- public Credential getAssertionSigningCredential() {
+ public Credential getAttributeAssertionSigningCredential() {
return null;
}
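Review bot: All four new credential accessors (`getAuthNResponseSigningCredential`, `getAuthNAssertionSigningCredential`, `getAttributeResponseSigningCredential`, `getAttributeAssertionSigningCredential`) unconditionally `return null;`, and the signing code in this change treats a null credential as "do not sign". If this implementation is ever selected for a real relying party, every response and assertion it produces goes out unsigned with no log line or error. The enclosing class is outside the hunk, so I cannot tell whether this is a deliberate no-signing wrapper (e.g. for a provider without metadata); if it is, a class-level comment stating that this identity provider never signs, and why that is acceptable for its callers, would prevent someone wiring it into a path that needs signatures. If it is a placeholder, consider throwing `UnsupportedOperationException` from the stubs rather than returning null so the omission fails loudly.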