[security-dev] About keeping SPFilter more up-to-date

Anil Saldhana asaldhan at redhat.com
Thu Aug 7 20:42:47 EDT 2014


Some time ago we did identify that we need to update the SPFilter. We have not got to it yet. We certainly value your contribution immensely.

If you want to contribute, just send in a PR in increments.

> On Aug 7, 2014, at 6:18 PM, Adam Dong <adamdong at vidder.com> wrote:
> 
> Hi, guys,
>  
> The current SPFilter doesn’t support
> 1. signing AuthnRequest
> 2. decrypting Assertion NameID (it seems to support validating assertion signature, but I didn’t get that far yet)
> 3. loading/understanding the standard IDP metadata file (example below).
>  
> Is my understanding above correct?
>  
> The reason I’m using the filter and not the valve is because I have to support web containers other than JBoss.
>  
> If I need those three things, should I go ahead and code them myself (and after testing, I could contribute back to the community, with the permission of my company)?
> Or is there effort already underway?
> Or better yet, are these already done and ready to be shared?
>  
> Thanks for any feedback.
>  
> Adam Dong
>  
> ---------------------------------------- example IDP metadata file ----------------------------------------
> 
> <?xml version="1.0" encoding="UTF-8" standalone="true"?>
> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://idp.ssocircle.com">
>   <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
>     <KeyDescriptor use="signing">
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:X509Data>
>           <ds:X509Certificate> MIICjDCCAXSgAwIBAgIFAJRvxcMwDQYJKoZIhvcNAQEEBQAwLjELMAkGA1UEBhMCREUxEjAQBgNV BAoTCVNTT0NpcmNsZTELMAkGA1UEAxMCQ0EwHhcNMTEwNTE3MTk1NzIxWhcNMTYwODE3MTk1NzIx WjBLMQswCQYDVQQGEwJERTESMBAGA1UEChMJU1NPQ2lyY2xlMQwwCgYDVQQLEwNpZHAxGjAYBgNV BAMTEWlkcC5zc29jaXJjbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbzDRkudC/ aC2gMqRVVaLdPJJEwpFB4o71fR5bnNd2ocnnNzJ/W9CoCargzKx+EJ4Nm3vWmX/IZRCFvrvy9C78 fP1cmt6Sa091K9luaMAyWn7oC8h/YBXH7rB42tdvWLY4Kl9VJy6UCclvasyrfKx+SR4KU6zCsM62 2Kvp5wW67QIDAQABoxgwFjAUBglghkgBhvhCAQEBAf8EBAMCBHAwDQYJKoZIhvcNAQEEBQADggEB AJ0heua7mFO3QszdGu1NblGaTDXtf6Txte0zpYIt+8YUcza2SaZXXvCLb9DvGxW1TJWaZpPGpHz5 tLXJbdYQn7xTAnL4yQOKN6uNqUA/aTVgyyUJkWZt2giwEsWUvG0UBMSPS1tp2pV2c6/olIcbdYU6 ZecUz6N24sSS7itEBC6nwCVBoHOL8u6MsfxMLDzJIPBI68UZjz3IMKTDUDv6U9DtYmXLc8iMVZBn cYJn9NgNi3ghl9fYPpHcc6QbXeDUjhdzXXUqG+hB6FabGqdTdkIZwoi4gNpyr3kacKRVWJssDgak eL2MoDNqJyQ0fXC6Ze3f79CKy/WjeU5FLwDZR0Q= </ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </KeyDescriptor>
>     <KeyDescriptor use="encryption">
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:X509Data>
>           <ds:X509Certificate> MIICjDCCAXSgAwIBAgIFAJRvxcMwDQYJKoZIhvcNAQEEBQAwLjELMAkGA1UEBhMCREUxEjAQBgNV BAoTCVNTT0NpcmNsZTELMAkGA1UEAxMCQ0EwHhcNMTEwNTE3MTk1NzIxWhcNMTYwODE3MTk1NzIx WjBLMQswCQYDVQQGEwJERTESMBAGA1UEChMJU1NPQ2lyY2xlMQwwCgYDVQQLEwNpZHAxGjAYBgNV BAMTEWlkcC5zc29jaXJjbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbzDRkudC/ aC2gMqRVVaLdPJJEwpFB4o71fR5bnNd2ocnnNzJ/W9CoCargzKx+EJ4Nm3vWmX/IZRCFvrvy9C78 fP1cmt6Sa091K9luaMAyWn7oC8h/YBXH7rB42tdvWLY4Kl9VJy6UCclvasyrfKx+SR4KU6zCsM62 2Kvp5wW67QIDAQABoxgwFjAUBglghkgBhvhCAQEBAf8EBAMCBHAwDQYJKoZIhvcNAQEEBQADggEB AJ0heua7mFO3QszdGu1NblGaTDXtf6Txte0zpYIt+8YUcza2SaZXXvCLb9DvGxW1TJWaZpPGpHz5 tLXJbdYQn7xTAnL4yQOKN6uNqUA/aTVgyyUJkWZt2giwEsWUvG0UBMSPS1tp2pV2c6/olIcbdYU6 ZecUz6N24sSS7itEBC6nwCVBoHOL8u6MsfxMLDzJIPBI68UZjz3IMKTDUDv6U9DtYmXLc8iMVZBn cYJn9NgNi3ghl9fYPpHcc6QbXeDUjhdzXXUqG+hB6FabGqdTdkIZwoi4gNpyr3kacKRVWJssDgak eL2MoDNqJyQ0fXC6Ze3f79CKy/WjeU5FLwDZR0Q= </ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>       <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
>         <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
>       </EncryptionMethod>
>     </KeyDescriptor>
>     <ArtifactResolutionService Location="https://idp.ssocircle.com:443/sso/ArtifactResolver/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" isDefault="true" index="0"/>
>     <SingleLogoutService Location="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle"/>
>     <SingleLogoutService Location="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle"/>
>     <SingleLogoutService Location="https://idp.ssocircle.com:443/sso/IDPSloSoap/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
>     <ManageNameIDService Location="https://idp.ssocircle.com:443/sso/IDPMniRedirect/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPMniRedirect/metaAlias/ssocircle"/>
>     <ManageNameIDService Location="https://idp.ssocircle.com:443/sso/IDPMniPOSTmetaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPMniPOST/metaAlias/ssocircle"/>
>     <ManageNameIDService Location="https://idp.ssocircle.com:443/sso/IDPMniSoap/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
>     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
>     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
>     <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
>     <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
>     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
>     <SingleSignOnService Location="https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
>     <SingleSignOnService Location="https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
>     <SingleSignOnService Location="https://idp.ssocircle.com:443/sso/SSOSoap/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
>     <NameIDMappingService Location="https://idp.ssocircle.com:443/sso/NIMSoap/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
>   </IDPSSODescriptor>
> </EntityDescriptor>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
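The third item in Adam's list, loading the IdP metadata, is what an SP has to do before it can verify assertion signatures, encrypt to the IdP or pick an SSO endpoint. The following is an added example, not PicketLink/SPFilter code, that parses the quoted ssocircle EntityDescriptor into those pieces; the SAMPLE is a constructed, trimmed copy of that metadata with placeholder certificate bytes, and the function name is my own.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the quoted ssocircle metadata trimmed, with placeholder cert bytes.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://idp.ssocircle.com">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
  <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate> U0lHTklOR19D
   RVJU </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate>RU5DUllQVElPTl9DRVJU</ds:X509Certificate></ds:X509Data>
   </ds:KeyInfo><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/></KeyDescriptor>
  <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
  <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
  <SingleSignOnService Location="https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  <SingleSignOnService Location="https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return entityID, signing/encryption certs (DER), SSO endpoint per binding,
    offered NameID formats, and whether the IdP wants AuthnRequests signed."""
    # Metadata from an untrusted source should go through defusedxml and have its own
    # ds:Signature verified before any of this is trusted; that step is omitted here.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 metadata EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity is not an IdP")
    certs = {"signing": [], "encryption": []}
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        b64 = kd.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate", "")
        der = base64.b64decode("".join(b64.split()))  # blobs are usually line-wrapped
        # A KeyDescriptor with no 'use' attribute is valid for both purposes.
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            certs[use].append(der)
    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false") == "true",
        "signing_certs": certs["signing"],
        "encryption_certs": certs["encryption"],
        "sso": {s.get("Binding"): s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")},
        "name_id_formats": [n.text.strip() for n in idp.findall(f"{{{MD}}}NameIDFormat")],
    }
```

With the real file, `signing_certs[0]` is the DER certificate the SP must pin for assertion signature checks and `encryption_certs[0]` the one it encrypts to; `want_authn_requests_signed` being false for ssocircle is why an unsigned AuthnRequest still works there.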