Author: anil.saldhana(a)jboss.com
Date: 2009-02-08 22:43:49 -0500 (Sun, 08 Feb 2009)
New Revision: 308
Added:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/cert/EncryptionKeyUtil.java
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/constants/JBossEncryptionConstants.java
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/xmlenc/
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/xmlenc/factories/
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/xmlenc/factories/XMLEncryptionFactory.java
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/config/ObjectFactory.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/config/package-info.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/interfaces/TrustKeyManager.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/KeyStoreKeyManager.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPUtil.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/ValveUtil.java
identity-federation/trunk/identity-bindings/src/main/resources/schema/config/jboss-identity-fed.xsd
identity-federation/trunk/identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/config/ConfigUnitTestCase.java
identity-federation/trunk/identity-bindings/src/test/resources/config/test-config-2.xml
identity-federation/trunk/identity-fed-core/.classpath
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/constants/JBossSAMLURIConstants.java
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/factories/JBossSAMLAuthnResponseFactory.java
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/factories/SAMLProtocolFactory.java
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/util/DocumentUtil.java
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/util/JAXBElementMappingUtil.java
identity-federation/trunk/pom.xml
Log:
JBID-47: xml enc support
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/config/ObjectFactory.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/config/ObjectFactory.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/config/ObjectFactory.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -2,7 +2,7 @@
// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference
Implementation, vhudson-jaxb-ri-2.1-661
// See <a
href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/...
// Any modifications to this file will be lost upon recompilation of the source schema.
-// Generated on: 2009.01.22 at 12:05:50 AM CST
+// Generated on: 2009.02.04 at 09:20:44 PM CST
//
@@ -32,7 +32,6 @@
public class ObjectFactory {
private final static QName _JBossIDP_QNAME = new
QName("urn:jboss:identity-federation:config:1.0", "JBossIDP");
-
private final static QName _JBossSP_QNAME = new
QName("urn:jboss:identity-federation:config:1.0", "JBossSP");
/**
@@ -43,76 +42,85 @@
}
/**
- * Create an instance of {@link SP }
+ * Create an instance of {@link EncryptionType }
*
*/
- public SP createSP() {
- return new SP();
+ public EncryptionType createEncryptionType() {
+ return new EncryptionType();
}
/**
- * Create an instance of {@link KeyProvider }
+ * Create an instance of {@link TrustType }
*
*/
- public KeyProvider createKeyProvider() {
- return new KeyProvider();
+ public TrustType createTrustType() {
+ return new TrustType();
}
/**
- * Create an instance of {@link AuthProperty }
+ * Create an instance of {@link SPType }
*
*/
- public AuthProperty createAuthProperty() {
- return new AuthProperty();
+ public SPType createSPType() {
+ return new SPType();
}
/**
- * Create an instance of {@link Trust }
+ * Create an instance of {@link KeyValueType }
*
*/
- public Trust createTrust() {
- return new Trust();
+ public KeyValueType createKeyValueType() {
+ return new KeyValueType();
}
/**
- * Create an instance of {@link Provider }
+ * Create an instance of {@link AuthPropertyType }
*
*/
- public Provider createProvider() {
- return new Provider();
+ public AuthPropertyType createAuthPropertyType() {
+ return new AuthPropertyType();
}
/**
- * Create an instance of {@link KeyValue }
+ * Create an instance of {@link ProviderType }
*
*/
- public KeyValue createKeyValue() {
- return new KeyValue();
+ public ProviderType createProviderType() {
+ return new ProviderType();
}
/**
- * Create an instance of {@link IDP }
+ * Create an instance of {@link KeyProviderType }
*
*/
- public IDP createIDP() {
- return new IDP();
+ public KeyProviderType createKeyProviderType() {
+ return new KeyProviderType();
}
/**
- * Create an instance of {@link JAXBElement }{@code <}{@link IDP }{@code >}}
+ * Create an instance of {@link IDPType }
*
*/
+ public IDPType createIDPType() {
+ return new IDPType();
+ }
+
+ /**
+ * Create an instance of {@link JAXBElement }{@code <}{@link IDPType }{@code
>}}
+ *
+ */
@XmlElementDecl(namespace = "urn:jboss:identity-federation:config:1.0",
name = "JBossIDP")
- public JAXBElement<IDP> createJBossIDP(IDP value) {
- return new JAXBElement<IDP>(_JBossIDP_QNAME, IDP.class, null, value);
+ public JAXBElement<IDPType> createJBossIDP(IDPType value) {
+ return new JAXBElement<IDPType>(_JBossIDP_QNAME, IDPType.class, null,
value);
}
/**
- * Create an instance of {@link JAXBElement }{@code <}{@link SP }{@code >}}
+ * Create an instance of {@link JAXBElement }{@code <}{@link SPType }{@code
>}}
*
*/
@XmlElementDecl(namespace = "urn:jboss:identity-federation:config:1.0",
name = "JBossSP")
- public JAXBElement<SP> createJBossSP(SP value) {
- return new JAXBElement<SP>(_JBossSP_QNAME, SP.class, null, value);
+ public JAXBElement<SPType> createJBossSP(SPType value) {
+ return new JAXBElement<SPType>(_JBossSP_QNAME, SPType.class, null, value);
}
+
}
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/config/package-info.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/config/package-info.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/config/package-info.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -2,7 +2,7 @@
// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference
Implementation, vhudson-jaxb-ri-2.1-661
// See <a
href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/...
// Any modifications to this file will be lost upon recompilation of the source schema.
-// Generated on: 2009.01.22 at 12:05:50 AM CST
+// Generated on: 2009.02.04 at 09:20:44 PM CST
//
@javax.xml.bind.annotation.XmlSchema(namespace =
"urn:jboss:identity-federation:config:1.0", elementFormDefault =
javax.xml.bind.annotation.XmlNsForm.QUALIFIED)
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/interfaces/TrustKeyManager.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/interfaces/TrustKeyManager.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/interfaces/TrustKeyManager.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -25,9 +25,12 @@
import java.security.PublicKey;
import java.util.List;
-import org.jboss.identity.federation.bindings.config.AuthProperty;
-import org.jboss.identity.federation.bindings.config.KeyValue;
+import javax.crypto.SecretKey;
+import org.jboss.identity.federation.bindings.config.AuthPropertyType;
+import org.jboss.identity.federation.bindings.config.KeyValueType;
+
+
/**
* Key Manager interface used in trust decisions
* @author Anil.Saldhana(a)redhat.com
@@ -41,7 +44,7 @@
* @param authList
* @throws Exception
*/
- void setAuthProperties(List<AuthProperty> authList) throws Exception;
+ void setAuthProperties(List<AuthPropertyType> authList) throws Exception;
/**
* Set a list of (domain,alias) tuple to trust domains
@@ -50,7 +53,7 @@
* @param aliases
* @throws Exception
*/
- void setValidatingAlias(List<KeyValue> aliases) throws Exception;
+ void setValidatingAlias(List<KeyValueType> aliases) throws Exception;
/**
* Get the Signing Key
@@ -60,6 +63,17 @@
PrivateKey getSigningKey() throws Exception;
/**
+ * Given a domain, obtain a secret key
+ * @see {@code EncryptionKeyUtil}
+ * @param domain
+ * @param encryptionAlgorithm Encryption Algorithm
+ * @param keyLength length of keys
+ * @return
+ * @throws Exception
+ */
+ SecretKey getEncryptionKey(String domain, String encryptionAlgorithm, int keyLength)
throws Exception;
+
+ /**
* Get the Validating Public Key of the domain
* @param domain
* @return
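Review bot: The Javadoc added for getEncryptionKey uses `@see {@code EncryptionKeyUtil}`, which javadoc does not render as a link, and leaves `@return` empty. Use `@see org.jboss.identity.federation.bindings.util.cert.EncryptionKeyUtil` and `@return the symmetric key to use when encrypting messages for {@code domain}`, and state whether a later call with a different algorithm or key length may return the key issued earlier, since that is what the KeyStoreKeyManager implementation in this commit does. The same empty `@return` appears in the IDPRedirectValve hunks for getDestination, validate and getResponse, and in EncryptionKeyUtil.getSecretKey. The hunk ends inside the Javadoc of the next interface method.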
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/KeyStoreKeyManager.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/KeyStoreKeyManager.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/KeyStoreKeyManager.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -30,11 +30,15 @@
import java.security.UnrecoverableKeyException;
import java.util.HashMap;
import java.util.List;
+import java.util.Map;
-import org.jboss.identity.federation.bindings.config.AuthProperty;
-import org.jboss.identity.federation.bindings.config.KeyValue;
+import javax.crypto.SecretKey;
+
+import org.jboss.identity.federation.bindings.config.AuthPropertyType;
+import org.jboss.identity.federation.bindings.config.KeyValueType;
import org.jboss.identity.federation.bindings.interfaces.TrustKeyManager;
import org.jboss.identity.federation.bindings.util.ValveUtil;
+import org.jboss.identity.federation.bindings.util.cert.EncryptionKeyUtil;
import org.jboss.identity.federation.bindings.util.cert.KeyStoreUtil;
/**
@@ -44,6 +48,16 @@
*/
public class KeyStoreKeyManager implements TrustKeyManager
{
+ /**
+ * An map of secret keys alive only for the duration of the program.
+ * The keys are generated on the fly. If you sophisticated key
+ * storage, then a custom version of the {@code TrustKeyManager}
+ * needs to be written that either uses a secure thumb drive or
+ * a TPM module or a HSM module.
+ * Also see JBoss XMLKey.
+ */
+ private Map<String,SecretKey> keys = new HashMap<String,SecretKey>();
+
private HashMap<String,String> domainAliasMap = new
HashMap<String,String>();
private HashMap<String,String> authPropsMap = new
HashMap<String,String>();
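Review bot: The new `keys` field is a plain HashMap that getEncryptionKey (later hunk in this file) reads and writes on the request path, so if one KeyStoreKeyManager instance serves all requests of a valve — which the start() hunks elsewhere in this commit suggest — concurrent first calls for a domain can race on the map. Declaring it `private final Map<String,SecretKey> keys = new ConcurrentHashMap<String,SecretKey>();` (java.util.concurrent import) removes the structural hazard; the check-then-put in getEncryptionKey then belongs under `putIfAbsent`. The Javadoc also has a dropped word: `If you need sophisticated key storage`. The class body continues outside the hunk.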
@@ -101,9 +115,9 @@
/**
* @see TrustKeyManager#setAuthProperties(List)
*/
- public void setAuthProperties(List<AuthProperty> authList) throws Exception
+ public void setAuthProperties(List<AuthPropertyType> authList) throws Exception
{
- for(AuthProperty auth: authList)
+ for(AuthPropertyType auth: authList)
{
this.authPropsMap.put(auth.getKey(), auth.getValue());
}
@@ -123,14 +137,28 @@
/**
* @see TrustKeyManager#setValidatingAlias(List)
*/
- public void setValidatingAlias(List<KeyValue> aliases)
+ public void setValidatingAlias(List<KeyValueType> aliases)
{
- for(KeyValue alias: aliases)
+ for(KeyValueType alias: aliases)
{
domainAliasMap.put(alias.getKey(), alias.getValue());
}
}
+ /**
+ * @see TrustKeyManager#getEncryptionKey(String)
+ */
+ public SecretKey getEncryptionKey(String domain,String encryptionAlgorithm, int
keyLength) throws Exception
+ {
+ SecretKey key = keys.get(domain);
+ if(key == null)
+ {
+ key = EncryptionKeyUtil.getSecretKey(encryptionAlgorithm, keyLength);
+ keys.put(domain, key);
+ }
+ return key;
+ }
+
private void setUpKeyStore() throws GeneralSecurityException, IOException
{
//Keystore URL/Pass can be either by configuration or on the HTTPS connector
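Review bot: getEncryptionKey caches by domain alone, so once a key exists for a domain the encryptionAlgorithm and keyLength arguments of later calls are ignored and a key of a different algorithm or size is handed back silently. The cached key should be checked against the request before reuse, as sketched below (keyLength 0 means the 128-bit default per EncryptionKeyUtil, so it is only compared when explicit). Separately, the same symmetric key is then used for every encrypted assertion to that SP for the life of the process; the IDP valve hunk passes it to encryptElementInDocument together with the SP public key, so it is presumably wrapped per message and a fresh key per call would cost little. The Javadoc reference should also read `@see TrustKeyManager#getEncryptionKey(String, String, int)`.
```java
   public SecretKey getEncryptionKey(String domain, String encryptionAlgorithm, int keyLength) throws Exception
   {
      SecretKey key = keys.get(domain);
      // A cached key is only reusable when it matches the requested algorithm and size
      if(key == null || !keyMatches(key, encryptionAlgorithm, keyLength))
      {
         // … unchanged: generate via EncryptionKeyUtil and store in keys …
      }
      return key;
   }

   // keyLength == 0 means "use the default" in EncryptionKeyUtil, so compare the size only when it is explicit
   private static boolean keyMatches(SecretKey key, String algorithm, int keyLength)
   {
      byte[] encoded = key.getEncoded();
      return key.getAlgorithm().equalsIgnoreCase(algorithm)
          && (keyLength == 0 || encoded == null || encoded.length * 8 == keyLength);
   }
```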
@@ -145,5 +173,5 @@
InputStream is = ValveUtil.getKeyStoreInputStream(this.keyStoreURL);
ks = KeyStoreUtil.getKeyStore(is, keyStorePass.toCharArray());
- }
+ }
}
\ No newline at end of file
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectValve.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -43,8 +43,8 @@
import org.jboss.identity.federation.api.saml.v2.common.IDGenerator;
import org.jboss.identity.federation.api.saml.v2.request.SAML2Request;
import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
-import org.jboss.identity.federation.bindings.config.IDP;
-import org.jboss.identity.federation.bindings.config.Trust;
+import org.jboss.identity.federation.bindings.config.IDPType;
+import org.jboss.identity.federation.bindings.config.TrustType;
import org.jboss.identity.federation.bindings.interfaces.RoleGenerator;
import org.jboss.identity.federation.bindings.tomcat.TomcatRoleGenerator;
import org.jboss.identity.federation.bindings.util.HTTPRedirectUtil;
@@ -70,11 +70,11 @@
{
private static Logger log = Logger.getLogger(IDPRedirectValve.class);
- protected IDP idpConfiguration = null;
+ protected IDPType idpConfiguration = null;
private RoleGenerator rg = new TomcatRoleGenerator();
- private long assertionValidity = 5000; // 5minutes in seconds
+ private long assertionValidity = 5000; // 5 seconds in miliseconds
private String identityURL = null;
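Review bot: The replacement comment on assertionValidity misspells the unit; `private long assertionValidity = 5000; // 5 seconds in milliseconds` is the intended text. If createTimedConditions (called in a later hunk of this file) does treat the value as milliseconds, a five-second window leaves little allowance for clock skew between IDP and SP once the assertion crosses a browser redirect, so it may be worth making the value configurable or at least documenting the skew assumption next to the field.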
@@ -157,7 +157,7 @@
try
{
String issuerDomain = ValveUtil.getDomain(issuer);
- Trust idpTrust = idpConfiguration.getTrust();
+ TrustType idpTrust = idpConfiguration.getTrust();
if(idpTrust != null)
{
String domainsTrusted = idpTrust.getDomains();
@@ -197,6 +197,13 @@
}
}
+ /**
+ * Generate a Destination URL for the HTTPRedirect binding
+ * with the saml response and relay state
+ * @param urlEncodedResponse
+ * @param urlEncodedRelayState
+ * @return
+ */
protected String getDestination(String urlEncodedResponse, String
urlEncodedRelayState)
{
StringBuilder sb = new StringBuilder();
@@ -206,6 +213,12 @@
return sb.toString();
}
+ /**
+ * Validate the incoming Request
+ * @param request
+ * @return
+ * @throws Exception
+ */
protected boolean validate(Request request) throws Exception
{
return this.hasSAMLRequestMessage(request);
@@ -225,8 +238,14 @@
}
-
- private ResponseType getResponse(Request request, Principal userPrincipal) throws
Exception
+ /**
+ * Create a response type
+ * @param request
+ * @param userPrincipal
+ * @return
+ * @throws Exception
+ */
+ protected ResponseType getResponse(Request request, Principal userPrincipal) throws
Exception
{
ResponseType responseType = null;
@@ -268,8 +287,7 @@
//Add timed conditions
saml2Response.createTimedConditions(assertion, this.assertionValidity);
-
- log.debug("ResponseType = ");
+
//Lets see how the response looks like
if(log.isTraceEnabled())
{
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -21,21 +21,38 @@
*/
package org.jboss.identity.federation.bindings.tomcat.idp;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.net.URL;
+import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
+import javax.crypto.SecretKey;
+import javax.xml.namespace.QName;
+
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.log4j.Logger;
-import org.jboss.identity.federation.bindings.config.KeyProvider;
+import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
+import org.jboss.identity.federation.api.util.XMLEncryptionUtil;
+import org.jboss.identity.federation.bindings.config.EncryptionType;
+import org.jboss.identity.federation.bindings.config.KeyProviderType;
import org.jboss.identity.federation.bindings.interfaces.TrustKeyManager;
import org.jboss.identity.federation.bindings.util.RedirectBindingSignatureUtil;
+import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
+import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
import org.jboss.identity.federation.core.saml.v2.util.SignatureUtil;
+import org.jboss.identity.federation.saml.v2.assertion.EncryptedElementType;
+import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
/**
* Valve at the Identity Provider that supports
* SAML2 HTTP/Redirect binding with digital signature support
+ * and xml encryption
* @author Anil.Saldhana(a)redhat.com
* @since Jan 14, 2009
*/
@@ -52,6 +69,11 @@
super();
}
+ /**
+ * Indicate whether the signature parameter in the request
+ * needs to be ignored
+ * @param val
+ */
public void setIgnoreSignature(String val)
{
if(val != null && val.length() > 0)
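Review bot: The Javadoc added for setIgnoreSignature says only that the signature parameter "needs to be ignored"; if, as the name suggests, this switch makes validate() accept requests without checking their signature, the comment should state that consequence so a deployer does not enable it casually. Something like `* When set, validate() accepts requests without verifying their signature parameter; do not set this on a production IDP.` The method body continues outside the hunk, so I cannot confirm how the value is parsed.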
@@ -62,7 +84,7 @@
public void start() throws LifecycleException
{
super.start();
- KeyProvider keyProvider = this.idpConfiguration.getKeyProvider();
+ KeyProviderType keyProvider = this.idpConfiguration.getKeyProvider();
try
{
ClassLoader tcl = SecurityActions.getContextClassLoader();
@@ -83,6 +105,7 @@
log.trace("Key Provider=" + keyProvider.getClassName());
}
+ @Override
protected boolean validate(Request request) throws Exception
{
boolean result = super.validate(request);
@@ -137,4 +160,54 @@
throw new RuntimeException(e);
}
}
+
+ @Override
+ protected ResponseType getResponse(Request request, Principal userPrincipal) throws
Exception
+ {
+ SAML2Response saml2Response = new SAML2Response();
+
+ ResponseType responseType = super.getResponse(request, userPrincipal);
+
+ //If there is a configuration to encrypt
+ if(this.idpConfiguration.isEncrypt())
+ {
+ //Need to encrypt the assertion
+ String sp = responseType.getDestination();
+ if(sp == null)
+ throw new IllegalStateException("Unable to handle encryption as SP url
is null");
+ URL spurl = new URL(sp);
+ PublicKey publicKey = keyManager.getValidatingKey(spurl.getHost());
+ EncryptionType enc = idpConfiguration.getEncryption();
+ if(enc == null)
+ throw new IllegalStateException("EncryptionType not configured");
+ String encAlgo = enc.getEncAlgo().value();
+ int keyLength = enc.getKeySize();
+ //Generate a key on the fly
+ SecretKey sk = keyManager.getEncryptionKey(spurl.getHost(), encAlgo,
keyLength);
+
+ StringWriter sw = new StringWriter();
+ saml2Response.marshall(responseType, sw);
+
+ Document responseDoc = DocumentUtil.getDocument(new
StringReader(sw.toString()));
+
+ String assertionNS = JBossSAMLURIConstants.ASSERTION_NSURI.get();
+
+ QName assertionQName = new QName(assertionNS, "EncryptedAssertion",
"saml");
+
+ Element encAssertion = XMLEncryptionUtil.encryptElementInDocument(responseDoc,
+ publicKey, sk, keyLength, assertionQName, true);
+
+
+ EncryptedElementType eet =
saml2Response.getEncryptedAssertion(DocumentUtil.getNodeAsStream(encAssertion));
+ responseType.getAssertionOrEncryptedAssertion().set(0, eet);
+ }
+ //Lets see how the response looks like
+ if(log.isTraceEnabled())
+ {
+ StringWriter sw = new StringWriter();
+ saml2Response.marshall(responseType, sw);
+ log.trace("IDPRedirectValveWithSignature::Response="+sw.toString());
+ }
+ return responseType;
+ }
}
\ No newline at end of file
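Review bot: `responseType.getAssertionOrEncryptedAssertion().set(0, eet)` throws IndexOutOfBoundsException if super.getResponse produced a response with no assertion, while the SP-side hunk in SPRedirectFormAuthenticator checks that case explicitly; mirror it with `List<Object> list = responseType.getAssertionOrEncryptedAssertion();` `if(list.isEmpty()) throw new IllegalStateException("No assertion to encrypt");` `list.set(0, eet);` (java.util.List is not among the imports in this file's import hunk). Only index 0 is replaced, so if a response can ever carry more than one assertion the others would go out in clear; a comment stating the single-assertion assumption would help. keyManager is not assigned in this hunk — presumably in start() — so the override's Javadoc should say it requires the valve to have been started.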
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -25,6 +25,7 @@
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
+import java.util.List;
import javax.servlet.ServletException;
@@ -41,8 +42,8 @@
import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
import org.jboss.identity.federation.api.util.Base64;
import org.jboss.identity.federation.api.util.DeflateUtil;
-import org.jboss.identity.federation.bindings.config.SP;
-import org.jboss.identity.federation.bindings.config.Trust;
+import org.jboss.identity.federation.bindings.config.SPType;
+import org.jboss.identity.federation.bindings.config.TrustType;
import org.jboss.identity.federation.bindings.jboss.DefaultJBossSubjectRegistration;
import org.jboss.identity.federation.bindings.jboss.JBossSubjectRegistration;
import org.jboss.identity.federation.bindings.util.HTTPRedirectUtil;
@@ -50,6 +51,7 @@
import org.jboss.identity.federation.bindings.util.ValveUtil;
import org.jboss.identity.federation.core.saml.v2.exceptions.AssertionExpiredException;
import org.jboss.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
+import org.jboss.identity.federation.saml.v2.assertion.EncryptedElementType;
import org.jboss.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
@@ -66,7 +68,7 @@
private static Logger log = Logger.getLogger(SPRedirectFormAuthenticator.class);
- protected SP spConfiguration = null;
+ protected SPType spConfiguration = null;
private String serviceURL = null;
private String identityURL = null;
@@ -210,7 +212,7 @@
try
{
String issuerDomain = ValveUtil.getDomain(issuer);
- Trust idpTrust = spConfiguration.getTrust();
+ TrustType idpTrust = spConfiguration.getTrust();
if(idpTrust != null)
{
String domainsTrusted = idpTrust.getDomains();
@@ -228,6 +230,16 @@
{
return request.getParameter("SAMLResponse") != null;
}
+
+ /**
+ * Subclasses should provide the implementation
+ * @param responseType ResponseType that contains the encrypted assertion
+ * @return response type with the decrypted assertion
+ */
+ protected ResponseType decryptAssertion(ResponseType responseType) throws Exception
+ {
+ throw new RuntimeException("This authenticator does not handle
encryption");
+ }
private Principal process(Request request, Response response) throws Exception
{
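Review bot: The default decryptAssertion throws a bare RuntimeException; `UnsupportedOperationException` is the standard type for an operation a class does not support, so `throw new UnsupportedOperationException("This authenticator does not handle encryption");`, with `@throws UnsupportedOperationException unless a subclass overrides this method` in the Javadoc. The declared `throws Exception` is then only there to let subclasses throw checked exceptions, which a sentence in the Javadoc could say.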
@@ -248,6 +260,16 @@
this.isTrusted(responseType.getIssuer().getValue());
+ List<Object> assertions =
responseType.getAssertionOrEncryptedAssertion();
+ if(assertions.size() == 0)
+ throw new IllegalStateException("No assertions in reply from IDP");
+
+ Object assertion = assertions.get(0);
+ if(assertion instanceof EncryptedElementType)
+ {
+ responseType = this.decryptAssertion(responseType);
+ }
+
SPUtil spUtil = new SPUtil();
return spUtil.handleSAMLResponse(request, responseType);
}
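Review bot: `assertions.size() == 0` reads better as `assertions.isEmpty()`, here and in the matching check added to SPUtil.handleSAMLResponse. Only index 0 is inspected for an EncryptedElementType, consistent with the cast at index 0 in SPUtil, so a comment such as `// only the first assertion of the response is consumed` would make that shared assumption explicit. process starts outside this hunk.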
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -27,19 +27,27 @@
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.log4j.Logger;
-import org.jboss.identity.federation.bindings.config.KeyProvider;
+import org.jboss.identity.federation.api.saml.v2.response.SAML2Response;
+import org.jboss.identity.federation.api.util.XMLEncryptionUtil;
+import org.jboss.identity.federation.bindings.config.KeyProviderType;
import org.jboss.identity.federation.bindings.interfaces.TrustKeyManager;
import org.jboss.identity.federation.bindings.util.RedirectBindingSignatureUtil;
+import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
import org.jboss.identity.federation.core.saml.v2.util.SignatureUtil;
+import org.jboss.identity.federation.saml.v2.assertion.EncryptedElementType;
+import org.jboss.identity.federation.saml.v2.protocol.ResponseType;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
/**
- * Tomcat Authenticator for the HTTP/Redirect
- * binding with Signature support
+ * Tomcat Authenticator for the HTTP/Redirect binding with Signature support
* @author Anil.Saldhana(a)redhat.com
* @since Jan 12, 2009
*/
public class SPRedirectSignatureFormAuthenticator extends SPRedirectFormAuthenticator
{
+
+
private static Logger log =
Logger.getLogger(SPRedirectSignatureFormAuthenticator.class);
private TrustKeyManager keyManager;
@@ -53,7 +61,7 @@
public void start() throws LifecycleException
{
super.start();
- KeyProvider keyProvider = this.spConfiguration.getKeyProvider();
+ KeyProviderType keyProvider = this.spConfiguration.getKeyProvider();
try
{
ClassLoader tcl = SecurityActions.getContextClassLoader();
@@ -122,4 +130,19 @@
throw new RuntimeException(e);
}
}
+
+ @Override
+ protected ResponseType decryptAssertion(ResponseType responseType) throws Exception
+ {
+ SAML2Response saml2Response = new SAML2Response();
+ PrivateKey privateKey = keyManager.getSigningKey();
+
+ EncryptedElementType myEET = (EncryptedElementType)
responseType.getAssertionOrEncryptedAssertion().get(0);
+ Document eetDoc = saml2Response.convert(myEET);
+
+ Element decryptedDocumentElement =
XMLEncryptionUtil.decryptElementInDocument(eetDoc,privateKey);
+
+ //Let us use the encrypted doc element to decrypt it
+ return
saml2Response.getResponseType(DocumentUtil.getNodeAsStream(decryptedDocumentElement));
+ }
}
\ No newline at end of file
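Review bot: decryptAssertion uses `keyManager.getSigningKey()` as the private key for XML decryption, so one key pair serves both signature generation and encryption key transport. Key separation is the usual practice; since TrustKeyManager in this commit only gained a symmetric getEncryptionKey, there is no dedicated decryption-key accessor yet — consider adding `PrivateKey getDecryptionKey() throws Exception` to the interface (KeyStoreKeyManager could return the signing key until a second alias is configured) so deployments can keep the two separate. Until then a comment at the call, `// NOTE: the signing key pair also serves as the XML-encryption key-transport pair`, records the assumption. The unchecked cast on get(0) relies on the instanceof check in SPRedirectFormAuthenticator.process; the override's Javadoc should state that precondition.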
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPUtil.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPUtil.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPUtil.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -94,7 +94,11 @@
if(JBossSAMLURIConstants.STATUS_SUCCESS.get().equals(statusValue) == false)
throw new SecurityException("IDP forbid the user");
- AssertionType assertion = (AssertionType)
responseType.getAssertionOrEncryptedAssertion().get(0);
+ List<Object> assertions = responseType.getAssertionOrEncryptedAssertion();
+ if(assertions.size() == 0)
+ throw new IllegalStateException("No assertions in reply from IDP");
+
+ AssertionType assertion = (AssertionType)assertions.get(0);
//Check for validity of assertion
ConditionsType conditionsType = assertion.getConditions();
if(conditionsType != null)
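Review bot: `(AssertionType)assertions.get(0)` fails with a bare ClassCastException when the element is still an EncryptedElementType, which can happen for any caller that reaches handleSAMLResponse without the decryption step SPRedirectFormAuthenticator adds in this commit. Guard it before the cast: `if(!(assertions.get(0) instanceof AssertionType)) throw new IllegalStateException("First assertion is not in clear text");`, and `assertions.size() == 0` can be `assertions.isEmpty()`. The enclosing method starts and ends outside the hunk.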
@@ -123,6 +127,7 @@
return this.createGenericPrincipal(request, userName, roles);
}
+
private Principal createGenericPrincipal(Request request, String username,
List<String> roles)
{
Context ctx = request.getContext();
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/ValveUtil.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/ValveUtil.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/ValveUtil.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -29,8 +29,8 @@
import javax.xml.bind.JAXBElement;
import javax.xml.bind.Unmarshaller;
-import org.jboss.identity.federation.bindings.config.IDP;
-import org.jboss.identity.federation.bindings.config.SP;
+import org.jboss.identity.federation.bindings.config.IDPType;
+import org.jboss.identity.federation.bindings.config.SPType;
import org.jboss.identity.federation.core.saml.v2.factories.JBossSAMLBaseFactory;
/**
@@ -73,26 +73,26 @@
}
@SuppressWarnings("unchecked")
- public static IDP getIDPConfiguration(InputStream is) throws Exception
+ public static IDPType getIDPConfiguration(InputStream is) throws Exception
{
if(is == null)
throw new IllegalArgumentException("inputstream is null");
String schema = "schema/config/jboss-identity-fed.xsd";
Unmarshaller un =
JBossSAMLBaseFactory.getValidatingUnmarshaller("org.jboss.identity.federation.bindings.config",
schema);
- JAXBElement<IDP> jaxbSp = (JAXBElement<IDP>) un.unmarshal(is);
+ JAXBElement<IDPType> jaxbSp = (JAXBElement<IDPType>)
un.unmarshal(is);
return jaxbSp.getValue();
}
@SuppressWarnings("unchecked")
- public static SP getSPConfiguration(InputStream is) throws Exception
+ public static SPType getSPConfiguration(InputStream is) throws Exception
{
if(is == null)
throw new IllegalArgumentException("inputstream is null");
String schema = "schema/config/jboss-identity-fed.xsd";
Unmarshaller un =
JBossSAMLBaseFactory.getValidatingUnmarshaller("org.jboss.identity.federation.bindings.config",
schema);
- JAXBElement<SP> jaxbSp = (JAXBElement<SP>) un.unmarshal(is);
+ JAXBElement<SPType> jaxbSp = (JAXBElement<SPType>) un.unmarshal(is);
return jaxbSp.getValue();
}
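Review bot: In getIDPConfiguration the new line `JAXBElement<IDPType> jaxbSp = (JAXBElement<IDPType>) un.unmarshal(is);` keeps a local named for the SP case; `jaxbIdp` matches what it holds. More importantly, the ObjectFactory hunk declares both JBossIDP and JBossSP as root elements of the same schema, so a schema-valid SP document passed to this method survives the erased cast and only fails later at the caller with a confusing ClassCastException; checking the root type here, `if(!IDPType.class.equals(jaxbIdp.getDeclaredType())) throw new IllegalArgumentException("Not a JBossIDP configuration");` (and the SPType counterpart in getSPConfiguration), gives a clear error at the point of parsing.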
Added:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/cert/EncryptionKeyUtil.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/cert/EncryptionKeyUtil.java
(rev 0)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/util/cert/EncryptionKeyUtil.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -0,0 +1,50 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.identity.federation.bindings.util.cert;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+
+/**
+ * Utility to generate symmetric key
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Feb 4, 2009
+ */
+public class EncryptionKeyUtil
+{
+ /**
+ * Generate a secret key useful for encryption/decryption
+ * @param encAlgo
+ * @param keySize Length of the key (if 0, defaults to 128 bits)
+ * @return
+ * @throws Exception
+ */
+ public static SecretKey getSecretKey(String encAlgo, int keySize) throws Exception
+ {
+ KeyGenerator keyGenerator = KeyGenerator.getInstance(encAlgo);
+ if(keySize == 0)
+ keySize = 128;
+ keyGenerator.init(keySize);
+ return keyGenerator.generateKey();
+ }
+
+}
\ No newline at end of file
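Review bot: The `keySize == 0` default of 128 bits in `getSecretKey` only works for AES; `KeyGenerator.init(128)` throws for "DES" (56-bit only) and "DESede" (112/168), and both of those are values the new `EncAlgoType` enumeration in jboss-identity-fed.xsd offers to the configuration. A negative `keySize` and a null `encAlgo` also fall straight into `KeyGenerator` with an unhelpful error. I would reject those arguments up front and make the default explicit per algorithm, and note in the Javadoc that DES is a 56-bit cipher that should not be relied on for assertion encryption.
```java
public static SecretKey getSecretKey(String encAlgo, int keySize) throws Exception
{
   if (encAlgo == null)
      throw new IllegalArgumentException("encAlgo is null");
   if (keySize < 0)
      throw new IllegalArgumentException("keySize is negative: " + keySize);
   KeyGenerator keyGenerator = KeyGenerator.getInstance(encAlgo);
   if (keySize == 0)
   {
      // A 128-bit default only fits AES; DES and DESede reject it in init()
      if (!"AES".equalsIgnoreCase(encAlgo))
         throw new IllegalArgumentException("keySize is required for " + encAlgo);
      keySize = 128;
   }
   keyGenerator.init(keySize);
   return keyGenerator.generateKey();
}
```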
Modified:
identity-federation/trunk/identity-bindings/src/main/resources/schema/config/jboss-identity-fed.xsd
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/resources/schema/config/jboss-identity-fed.xsd 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-bindings/src/main/resources/schema/config/jboss-identity-fed.xsd 2009-02-09
03:43:49 UTC (rev 308)
@@ -2,7 +2,7 @@
<schema
xmlns="http://www.w3.org/2001/XMLSchema"
targetNamespace="urn:jboss:identity-federation:config:1.0"
xmlns:tns="urn:jboss:identity-federation:config:1.0"
elementFormDefault="qualified" version="1.0">
- <complexType name="IDP">
+ <complexType name="IDPType">
<annotation>
<documentation>
IDP Type defines the configuration for an Identity
@@ -10,21 +10,34 @@
</documentation>
</annotation>
<complexContent>
- <extension base="tns:Provider">
- <attribute name="AssertionValidity" type="long"
use="optional" default="5000"></attribute>
- <attribute name="RoleGenerator" type="string"
use="optional"
default="org.jboss.identity.federation.bindings.tomcat.TomcatRoleGenerator"></attribute>
+ <extension base="tns:ProviderType">
+ <sequence>
+ <element name="Encryption" type="tns:EncryptionType"
+ maxOccurs="1" minOccurs="0">
+ </element>
+ </sequence>
+ <attribute name="AssertionValidity" type="long"
+ use="optional" default="300000"> <!-- 5 minutes expressed
in miliseconds -->
+ </attribute>
+ <attribute name="RoleGenerator" type="string"
+ use="optional"
+ default="org.jboss.identity.federation.bindings.tomcat.TomcatRoleGenerator">
+ </attribute>
+ <attribute name="Encrypt" type="boolean"
use="optional"
+ default="false">
+ </attribute>
</extension>
</complexContent>
</complexType>
- <element name="JBossIDP" type="tns:IDP">
+ <element name="JBossIDP" type="tns:IDPType">
<annotation>
<documentation>The root configuration for an Identity Provider(IDP) using
JBoss Identity.</documentation>
</annotation>
</element>
- <complexType name="Trust">
+ <complexType name="TrustType">
<annotation>
<documentation>Aspects involved in trust decisions such as the domains
that the IDP or the Service Provider trusts.</documentation>
</annotation>
@@ -37,14 +50,14 @@
</sequence>
</complexType>
- <complexType name="KeyProvider">
+ <complexType name="KeyProviderType">
<annotation>
<documentation>
Source of the Signing and Validating Key
</documentation>
</annotation>
<sequence>
- <element name="Auth" type="tns:AuthProperty"
+ <element name="Auth" type="tns:AuthPropertyType"
maxOccurs="unbounded" minOccurs="0">
<annotation>
<documentation>
@@ -53,7 +66,7 @@
</documentation>
</annotation>
</element>
- <element name="ValidatingAlias" type="tns:KeyValue"
+ <element name="ValidatingAlias" type="tns:KeyValueType"
maxOccurs="unbounded" minOccurs="0">
<annotation>
<documentation>
@@ -74,12 +87,12 @@
<attribute name="ClassName"
type="string"></attribute>
</complexType>
- <complexType name="KeyValue">
+ <complexType name="KeyValueType">
<attribute name="Key" type="string"></attribute>
<attribute name="Value" type="string"></attribute>
</complexType>
- <complexType name="Provider">
+ <complexType name="ProviderType">
<annotation>
<documentation>Base Type for IDP and SP</documentation>
</annotation>
@@ -87,21 +100,21 @@
<element name="IdentityURL" type="string"
maxOccurs="1"
minOccurs="1">
</element>
- <element name="Trust" type="tns:Trust"
maxOccurs="1"
+ <element name="Trust" type="tns:TrustType"
maxOccurs="1"
minOccurs="0">
</element>
- <element name="KeyProvider" type="tns:KeyProvider"
+ <element name="KeyProvider" type="tns:KeyProviderType"
maxOccurs="1" minOccurs="0">
</element>
</sequence>
</complexType>
- <complexType name="SP">
+ <complexType name="SPType">
<annotation>
<documentation>Service Provider Type</documentation>
</annotation>
<complexContent>
- <extension base="tns:Provider">
+ <extension base="tns:ProviderType">
<sequence>
<element name="ServiceURL"
type="string"></element>
</sequence>
@@ -109,11 +122,26 @@
</complexContent>
</complexType>
- <complexType name="AuthProperty">
+ <complexType name="AuthPropertyType">
<complexContent>
- <extension base="tns:KeyValue"></extension>
+ <extension base="tns:KeyValueType"></extension>
</complexContent>
</complexType>
- <element name="JBossSP" type="tns:SP"></element>
+ <element name="JBossSP" type="tns:SPType"></element>
+
+ <simpleType name="EncAlgoType">
+ <restriction base="string">
+ <enumeration value="AES"></enumeration>
+ <enumeration value="DES"></enumeration>
+ <enumeration value="DESede"></enumeration>
+ </restriction>
+ </simpleType>
+
+ <complexType name="EncryptionType">
+ <sequence>
+ <element name="EncAlgo"
type="tns:EncAlgoType"></element>
+ <element name="KeySize" type="int"></element>
+ </sequence>
+ </complexType>
</schema>
\ No newline at end of file
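Review bot: The new `EncAlgoType` enumeration admits `DES`, which is a 56-bit cipher and also has no entry in the `algoToXmlEncURL` table added in JBossEncryptionConstants (only DESede/TRIPLEDES and AES_128/192/256 are mapped), so a schema-valid configuration can yield no EncryptionMethod URI; I would drop `<enumeration value="DES"></enumeration>` or at least document it as unsupported. Separately, the `Encrypt` attribute and the optional `Encryption` element are independent, so `Encrypt="true"` with no `<Encryption>` validates — test-config-2.xml in this commit does exactly that — and the IDP code has to pick an algorithm and key size on its own. An `<annotation>` on the `Encrypt` attribute stating what the IDP does when it is true and no `Encryption` element is present would make that contract explicit. `KeySize` is a bare `int`; a restriction to the sizes the mapped algorithms accept would catch bad values at unmarshal time instead of in `KeyGenerator.init`.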
Modified:
identity-federation/trunk/identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/config/ConfigUnitTestCase.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/config/ConfigUnitTestCase.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-bindings/src/test/java/org/jboss/test/identity/federation/bindings/config/ConfigUnitTestCase.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -29,12 +29,12 @@
import junit.framework.TestCase;
-import org.jboss.identity.federation.bindings.config.AuthProperty;
-import org.jboss.identity.federation.bindings.config.IDP;
-import org.jboss.identity.federation.bindings.config.KeyProvider;
-import org.jboss.identity.federation.bindings.config.KeyValue;
-import org.jboss.identity.federation.bindings.config.SP;
-import org.jboss.identity.federation.bindings.config.Trust;
+import org.jboss.identity.federation.bindings.config.AuthPropertyType;
+import org.jboss.identity.federation.bindings.config.IDPType;
+import org.jboss.identity.federation.bindings.config.KeyProviderType;
+import org.jboss.identity.federation.bindings.config.KeyValueType;
+import org.jboss.identity.federation.bindings.config.SPType;
+import org.jboss.identity.federation.bindings.config.TrustType;
import org.jboss.identity.federation.core.saml.v2.factories.JBossSAMLBaseFactory;
/**
@@ -48,11 +48,11 @@
public void test01() throws Exception
{
- IDP idp = this.getIDP(config + "1.xml");
- assertEquals("5000",5000L,idp.getAssertionValidity());
+ IDPType idp = this.getIDP(config + "1.xml");
+ assertEquals("300000",300000L,idp.getAssertionValidity());
assertEquals("org.jboss.identity.federation.bindings.tomcat.TomcatRoleGenerator",idp.getRoleGenerator());
- Trust trust = idp.getTrust();
+ TrustType trust = idp.getTrust();
assertNotNull("Trust is not null", trust);
String domains = trust.getDomains();
assertTrue("localhost trusted", domains.indexOf("localhost")
> -1);
@@ -61,15 +61,16 @@
public void test02() throws Exception
{
- IDP idp = this.getIDP(config + "2.xml");
+ IDPType idp = this.getIDP(config + "2.xml");
assertEquals("20000",20000L,idp.getAssertionValidity());
assertEquals("somefqn",idp.getRoleGenerator());
- KeyProvider kp = idp.getKeyProvider();
+ assertTrue(idp.isEncrypt());
+ KeyProviderType kp = idp.getKeyProvider();
assertNotNull("KeyProvider is not null", kp);
assertEquals("SomeClass", "SomeClass", kp.getClassName());
- List<AuthProperty> authProps = kp.getAuth();
- AuthProperty authProp = authProps.get(0);
+ List<AuthPropertyType> authProps = kp.getAuth();
+ AuthPropertyType authProp = authProps.get(0);
assertEquals("SomeKey", "SomeKey", authProp.getKey());
assertEquals("SomeValue", "SomeValue", authProp.getValue());
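Review bot: The new `assertTrue(idp.isEncrypt())` in test02 is backed by test-config-2.xml, which sets `Encrypt="true"` but carries no `<Encryption>` element, so the new `EncAlgo`/`KeySize` parsing introduced by the schema change is not exercised anywhere in this test class. A config fixture with `<Encryption><EncAlgo>AES</EncAlgo><KeySize>128</KeySize></Encryption>` and assertions on the unmarshalled values would cover it; a second fixture with `Encrypt="true"` and no element would pin down the null/default handling that callers presumably need. test02 continues past the hunk.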
@@ -77,10 +78,10 @@
assertEquals("DBURL", "DBURL", authProp.getKey());
assertEquals("SomeDBURL", "SomeDBURL", authProp.getValue());
- List<KeyValue> validatingAliases = kp.getValidatingAlias();
+ List<KeyValueType> validatingAliases = kp.getValidatingAlias();
assertEquals("Validating Alias length is 2", 2,
validatingAliases.size());
- KeyValue kv = validatingAliases.get(0);
+ KeyValueType kv = validatingAliases.get(0);
assertEquals("localhost", kv.getKey());
assertEquals("localhostalias", kv.getValue());
@@ -88,7 +89,7 @@
assertEquals("jboss.com", kv.getKey());
assertEquals("jbossalias", kv.getValue());
- Trust trust = idp.getTrust();
+ TrustType trust = idp.getTrust();
assertNotNull("Trust is not null", trust);
String domains = trust.getDomains();
assertTrue("localhost trusted", domains.indexOf("localhost")
> -1);
@@ -97,13 +98,13 @@
public void test03() throws Exception
{
- SP sp = getSP(config + "3.xml");
+ SPType sp = getSP(config + "3.xml");
assertEquals("http://localhost:8080/idp", sp.getIdentityURL());
assertEquals("http://localhost:8080/sales", sp.getServiceURL());
}
@SuppressWarnings("unchecked")
- private SP getSP(String configFile) throws Exception
+ private SPType getSP(String configFile) throws Exception
{
String schema = "schema/config/jboss-identity-fed.xsd";
@@ -112,12 +113,12 @@
assertNotNull("Inputstream not null", is);
Unmarshaller un =
JBossSAMLBaseFactory.getValidatingUnmarshaller("org.jboss.identity.federation.bindings.config",
schema);
- JAXBElement<SP> jaxbSp = (JAXBElement<SP>) un.unmarshal(is);
+ JAXBElement<SPType> jaxbSp = (JAXBElement<SPType>) un.unmarshal(is);
assertNotNull("SP is not null", jaxbSp);
return jaxbSp.getValue();
}
@SuppressWarnings("unchecked")
- private IDP getIDP(String configFile) throws Exception
+ private IDPType getIDP(String configFile) throws Exception
{
String schema = "schema/config/jboss-identity-fed.xsd";
@@ -126,7 +127,7 @@
assertNotNull("Inputstream not null", is);
Unmarshaller un =
JBossSAMLBaseFactory.getValidatingUnmarshaller("org.jboss.identity.federation.bindings.config",
schema);
- JAXBElement<IDP> jaxbIdp = (JAXBElement<IDP>) un.unmarshal(is);
+ JAXBElement<IDPType> jaxbIdp = (JAXBElement<IDPType>)
un.unmarshal(is);
assertNotNull("IDP is not null", jaxbIdp);
return jaxbIdp.getValue();
}
Modified:
identity-federation/trunk/identity-bindings/src/test/resources/config/test-config-2.xml
===================================================================
---
identity-federation/trunk/identity-bindings/src/test/resources/config/test-config-2.xml 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-bindings/src/test/resources/config/test-config-2.xml 2009-02-09
03:43:49 UTC (rev 308)
@@ -1,6 +1,7 @@
<JBossIDP xmlns="urn:jboss:identity-federation:config:1.0"
AssertionValidity="20000"
- RoleGenerator="somefqn">
+ RoleGenerator="somefqn"
+ Encrypt="true">
<IdentityURL>http://localhost:8080/idp</IdentityURL>
<Trust>
<Domains>localhost,jboss.com,jboss.org</Domains>
Modified: identity-federation/trunk/identity-fed-core/.classpath
===================================================================
--- identity-federation/trunk/identity-fed-core/.classpath 2009-02-09 03:41:50 UTC (rev
307)
+++ identity-federation/trunk/identity-fed-core/.classpath 2009-02-09 03:43:49 UTC (rev
308)
@@ -10,5 +10,6 @@
<classpathentry kind="var"
path="M2_REPO/sun-jaxb/jaxb-api/2.1.9/jaxb-api-2.1.9.jar"/>
<classpathentry kind="var"
path="M2_REPO/org/jboss/security/jboss-xacml/2.0.3-SNAPSHOT/jboss-xacml-2.0.3-SNAPSHOT.jar"/>
<classpathentry kind="var"
path="M2_REPO/stax/stax-api/1.0/stax-api-1.0.jar"/>
+ <classpathentry combineaccessrules="false" kind="src"
path="/identity-xmlsecmodel"/>
<classpathentry kind="output" path="target-eclipse"/>
</classpath>
Added:
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/constants/JBossEncryptionConstants.java
===================================================================
---
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/constants/JBossEncryptionConstants.java
(rev 0)
+++
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/constants/JBossEncryptionConstants.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -0,0 +1,52 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.identity.federation.core.saml.v2.constants;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Encryption Algorithm and XMLEnC URI
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Feb 4, 2009
+ */
+public class JBossEncryptionConstants
+{
+ private static Map<String,String> algoToXmlEncURL = new
HashMap<String,String>();
+
+ static
+ {
+ algoToXmlEncURL.put("DESede",
"http://www.w3.org/2001/04/xmlenc#kw-tripledes");
+ algoToXmlEncURL.put("TRIPLEDES",
"http://www.w3.org/2001/04/xmlenc#kw-tripledes");
+
+ algoToXmlEncURL.put("AES_128",
"http://www.w3.org/2001/04/xmlenc#aes128-cbc");
+ algoToXmlEncURL.put("AES_192",
"http://www.w3.org/2001/04/xmlenc#aes192-cbc");
+ algoToXmlEncURL.put("AES_256",
"http://www.w3.org/2001/04/xmlenc#aes256-cbc");
+ }
+
+ public static String getURL(String algo, int keySize)
+ {
+ if(keySize == 0)
+ return algoToXmlEncURL.get(algo);
+ return algoToXmlEncURL.get(algo+ "_" +keySize);
+ }
+}
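Review bot: The DESede/TRIPLEDES entries map to `http://www.w3.org/2001/04/xmlenc#kw-tripledes`, which is the XML Encryption key-wrap identifier, whereas the AES entries map to the block-cipher `*-cbc` identifiers; the triple-DES block-cipher URI is `http://www.w3.org/2001/04/xmlenc#tripledes-cbc`, so an assertion encrypted under a DESede configuration would advertise the wrong EncryptionMethod. `getURL("AES", 0)` also returns null because no bare "AES" key exists, while EncryptionKeyUtil treats a size of 0 as a 128-bit key, so the two new helpers disagree on the same input. The map should be `private static final` and wrapped in `Collections.unmodifiableMap` so it cannot be mutated by other code; the lookup below keeps the null return for unknown algorithms but applies the same 128-bit default.
```java
public static String getURL(String algo, int keySize)
{
   if (algo == null)
      throw new IllegalArgumentException("algo is null");
   // Mirror EncryptionKeyUtil: a key size of 0 means the 128-bit default
   String key = (keySize == 0) ? algo : algo + "_" + keySize;
   if (keySize == 0 && !algoToXmlEncURL.containsKey(key))
      key = algo + "_128";
   return algoToXmlEncURL.get(key);
}
```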
Modified:
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/constants/JBossSAMLURIConstants.java
===================================================================
---
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/constants/JBossSAMLURIConstants.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/constants/JBossSAMLURIConstants.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -30,9 +30,11 @@
public enum JBossSAMLURIConstants
{
AC_PASSWORD_PROTECTED_TRANSPORT("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"),
+ ASSERTION_NSURI("urn:oasis:names:tc:SAML:2.0:assertion"),
ATTRIBUTE_FORMAT_BASIC("urn:oasis:names:tc:SAML:2.0:attrname-format:basic"),
NAMEID_FORMAT_TRANSIENT("urn:oasis:names:tc:SAML:2.0:nameid-format:transient"),
NAMEID_FORMAT_PERSISTENT("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"),
+ PROTOCOL_NSURI("urn:oasis:names:tc:SAML:2.0:protocol"),
SIGNATURE_DSA_SHA1("http://www.w3.org/2000/09/xmldsig#dsa-sha1"),
SIGNATURE_RSA_SHA1("http://www.w3.org/2000/09/xmldsig#rsa-sha1"),
SUBJECT_CONFIRMATION_BEARER("urn:oasis:names:tc:SAML:2.0:cm:bearer"),
@@ -42,7 +44,10 @@
STATUS_SUCCESS("urn:oasis:names:tc:SAML:2.0:status:Success"),
STATUS_VERSION_MISMATCH("urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"),
TRANSFORM_ENVELOPED_SIGNATURE("http://www.w3.org/2000/09/xmldsig#env...,
-
TRANSFORM_C14N_EXCL_OMIT_COMMENTS("http://www.w3.org/2001/10/xml-exc...;
+
TRANSFORM_C14N_EXCL_OMIT_COMMENTS("http://www.w3.org/2001/10/xml-exc...,
+
XMLSCHEMA_NSURI("http://www.w3.org/2001/XMLSchema"),
+
XMLDSIG_NSURI("http://www.w3.org/2000/09/xmldsig#"),
+
XMLENC_NSURI("http://www.w3.org/2001/04/xmlenc#");
private String uri = null;
Modified:
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/factories/JBossSAMLAuthnResponseFactory.java
===================================================================
---
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/factories/JBossSAMLAuthnResponseFactory.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/factories/JBossSAMLAuthnResponseFactory.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -46,7 +46,7 @@
*/
public class JBossSAMLAuthnResponseFactory
{
- private static String pkgName =
"org.jboss.identity.federation.saml.v2.protocol:org.jboss.identity.xmlsec.w3.xmldsig";
+ private static String pkgName =
"org.jboss.identity.federation.saml.v2.protocol:org.jboss.identity.xmlsec.w3.xmldsig:org.jboss.identity.xmlsec.w3.xmlenc";
private static String schemaLocation =
"schema/saml/v2/saml-schema-protocol-2.0.xsd";
/**
@@ -74,38 +74,11 @@
* @throws Exception
*/
public static ResponseType createResponseType(String ID, SPInfoHolder sp,
IDPInfoHolder idp, IssuerInfoHolder issuerInfo) throws Exception
- {
- /*ResponseType responseType = protocolObjectFactory.createResponseType();
- responseType.setVersion(issuerInfo.getSamlVersion());
-
- //ID
- responseType.setID(ID);
- //InResponseTo ID
- responseType.setInResponseTo(sp.getRequestID());
- //Destination
+ {
String responseDestinationURI = sp.getResponseDestinationURI();
- responseType.setDestination(responseDestinationURI);
- //Issuer
- NameIDType issuer = issuerInfo.getIssuer();
- responseType.setIssuer(issuer);
-
- //Status
- String statusCode = issuerInfo.getStatusCode();
- if(statusCode == null)
- throw new IllegalArgumentException("issuerInfo missing status code");
-
- responseType.setStatus(createStatusType(statusCode) );
-
XMLGregorianCalendar issueInstant = XMLTimeUtil.getIssueInstant();
- //IssueInstant
- responseType.setIssueInstant(issueInstant);*/
-
- String responseDestinationURI = sp.getResponseDestinationURI();
-
- XMLGregorianCalendar issueInstant = XMLTimeUtil.getIssueInstant();
-
//Create an assertion
AssertionType assertionType = JBossSAMLBaseFactory.createAssertion();
assertionType.setID("ID_" + JBossSAMLBaseFactory.createUUID());
@@ -172,8 +145,8 @@
//IssueInstant
responseType.setIssueInstant(issueInstant);
-
- responseType.getAssertionOrEncryptedAssertion().add(assertionType);
+
+ responseType.getAssertionOrEncryptedAssertion().add(assertionType);
return responseType;
}
Modified:
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/factories/SAMLProtocolFactory.java
===================================================================
---
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/factories/SAMLProtocolFactory.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/factories/SAMLProtocolFactory.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -32,9 +32,9 @@
public class SAMLProtocolFactory
{
private static ObjectFactory factory = new ObjectFactory();
-
+
public static ObjectFactory getObjectFactory()
{
return factory;
- }
+ }
}
\ No newline at end of file
Modified:
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/util/DocumentUtil.java
===================================================================
---
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/util/DocumentUtil.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/util/DocumentUtil.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -24,8 +24,13 @@
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
+import java.io.Reader;
+import java.io.StringReader;
import java.io.StringWriter;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.transform.OutputKeys;
import javax.xml.transform.Result;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
@@ -34,6 +39,9 @@
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.xml.sax.InputSource;
/**
* Utility dealing with DOM
@@ -42,31 +50,99 @@
*/
public class DocumentUtil
{
+ /**
+ * Create a new document
+ * @return
+ * @throws Exception
+ */
+ public static Document createDocument() throws Exception
+ {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ return builder.newDocument();
+ }
+
+ /**
+ * Parse a document from the string
+ * @param docString
+ * @return
+ * @throws Exception
+ */
+ public static Document getDocument(String docString) throws Exception
+ {
+ return getDocument(new StringReader(docString));
+ }
+
+ /**
+ * Parse a document from a reader
+ * @param reader
+ * @return
+ * @throws Exception
+ */
+ public static Document getDocument(Reader reader) throws Exception
+ {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ return builder.parse(new InputSource(reader));
+ }
+
+ /**
+ * Marshall a document into a String
+ * @param signedDoc
+ * @return
+ * @throws Exception
+ */
public static String getDocumentAsString(Document signedDoc) throws Exception
{
Source source = new DOMSource(signedDoc);
StringWriter sw = new StringWriter();
Result streamResult = new StreamResult(sw);
- // Write the DOM document to the file
+ // Write the DOM document to the stream
Transformer xformer = TransformerFactory.newInstance().newTransformer();
xformer.transform(source, streamResult);
return sw.toString();
}
-
- public static InputStream getDocumentAsStream(Document signedDoc) throws Exception
+
+ /**
+ * Marshall a DOM Element as string
+ * @param element
+ * @return
+ * @throws Exception
+ */
+ public static String getDOMElementAsString(Element element) throws Exception
{
- Source source = new DOMSource(signedDoc);
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
-
- Result streamResult = new StreamResult(baos);
+ Source source = new DOMSource(element);
+ StringWriter sw = new StringWriter();
+
+ Result streamResult = new StreamResult(sw);
// Write the DOM document to the file
Transformer xformer = TransformerFactory.newInstance().newTransformer();
xformer.transform(source, streamResult);
- ByteArrayInputStream bis = new ByteArrayInputStream(baos.toByteArray());
-
- return bis;
- }
+ return sw.toString();
+ }
+
+ /**
+ * Stream a DOM Node as an input stream
+ * @param node
+ * @return
+ * @throws Exception
+ */
+ public static InputStream getNodeAsStream(Node node) throws Exception
+ {
+ Source source = new DOMSource(node);
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+ Result streamResult = new StreamResult(baos);
+ // Write the DOM document to the stream
+ Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
+ transformer.transform(source, streamResult);
+
+ ByteArrayInputStream bis = new ByteArrayInputStream(baos.toByteArray());
+
+ return bis;
+ }
}
\ No newline at end of file
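Review bot: The two new `getDocument` methods and `createDocument` build their parser from a plain `DocumentBuilderFactory.newInstance()`, which is not namespace-aware by default and leaves DTD processing enabled; the input presumably comes from SAML messages received over the wire, so external-entity and entity-expansion payloads would be processed, and XML Signature/Encryption code needs a namespace-aware DOM to resolve `ds:`/`xenc:` elements. I would route all three through one private factory helper that hardens the parser, which also removes the duplicated setup in `createDocument` and `getDocument(Reader)`; it needs `import javax.xml.XMLConstants;`. Note also that `getDocumentAsStream(Document)` is removed and replaced by `getNodeAsStream(Node)`, which is a source-incompatible rename for any caller in other modules.
```java
private static DocumentBuilderFactory newDocumentBuilderFactory() throws Exception
{
   DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
   // XML Signature/Encryption processing needs a namespace-aware DOM
   factory.setNamespaceAware(true);
   // Refuse DTDs so external entities and entity expansion in parsed input are never processed
   factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
   factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
   return factory;
}
// … unchanged: createDocument/getDocument bodies, now calling newDocumentBuilderFactory() …
```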
Modified:
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/util/JAXBElementMappingUtil.java
===================================================================
---
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/util/JAXBElementMappingUtil.java 2009-02-09
03:41:50 UTC (rev 307)
+++
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/saml/v2/util/JAXBElementMappingUtil.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -23,10 +23,12 @@
import javax.xml.bind.JAXBElement;
+import org.jboss.identity.federation.core.saml.v2.factories.SAMLAssertionFactory;
import org.jboss.identity.federation.core.saml.v2.factories.SAMLProtocolFactory;
import org.jboss.identity.federation.core.saml.v2.factories.SOAPFactory;
import org.jboss.identity.federation.core.saml.v2.factories.XACMLStatementFactory;
import org.jboss.identity.federation.org.xmlsoap.schemas.soap.envelope.Envelope;
+import org.jboss.identity.federation.saml.v2.assertion.EncryptedElementType;
import
org.jboss.identity.federation.saml.v2.profiles.xacml.assertion.XACMLAuthzDecisionStatementType;
import org.jboss.identity.federation.saml.v2.protocol.ArtifactResolveType;
import org.jboss.identity.federation.saml.v2.protocol.AssertionIDRequestType;
@@ -85,16 +87,41 @@
throw new IllegalArgumentException("Unknown Type:"+requestAbstractType);
}
+ /**
+ * Get the JAXBElement for an encrypted assertion
+ * @param encryptedAssertion
+ * @return
+ */
+ public static JAXBElement<?> get(EncryptedElementType encryptedAssertion)
+ {
+ return
SAMLAssertionFactory.getObjectFactory().createEncryptedAssertion(encryptedAssertion);
+ }
+
+ /**
+ * Get the JAXBElement for response
+ * @param responseType
+ * @return
+ */
public static JAXBElement<?> get(ResponseType responseType)
{
return SAMLProtocolFactory.getObjectFactory().createResponse(responseType);
}
+ /**
+ * Get the JAXBElement for a SOAP envelope
+ * @param envelope
+ * @return
+ */
public static JAXBElement<?> get(Envelope envelope)
{
return SOAPFactory.getObjectFactory().createEnvelope(envelope);
}
+ /**
+ * Get the JAXBElement for an XACML authorization statement
+ * @param xacmlStatement
+ * @return
+ */
public static JAXBElement<?> get(XACMLAuthzDecisionStatementType
xacmlStatement)
{
return
XACMLStatementFactory.getObjectFactory().createXACMLAuthzDecisionStatement(xacmlStatement);
Added:
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/xmlenc/factories/XMLEncryptionFactory.java
===================================================================
---
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/xmlenc/factories/XMLEncryptionFactory.java
(rev 0)
+++
identity-federation/trunk/identity-fed-core/src/main/java/org/jboss/identity/federation/core/xmlenc/factories/XMLEncryptionFactory.java 2009-02-09
03:43:49 UTC (rev 308)
@@ -0,0 +1,51 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.identity.federation.core.xmlenc.factories;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Marshaller;
+
+import org.jboss.identity.xmlsec.w3.xmlenc.ObjectFactory;
+
+
+/**
+ * Get the XML Encryption Model Object Factory
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Feb 5, 2009
+ */
+public class XMLEncryptionFactory
+{
+ private static ObjectFactory factory = new ObjectFactory();
+
+ public static ObjectFactory getObjectFactory()
+ {
+ return factory;
+ }
+
+ public static Marshaller getMarshaller() throws Exception
+ {
+ JAXBContext jc =
JAXBContext.newInstance("org.jboss.identity.xmlsec.w3.xmlenc");
+ Marshaller marshaller = jc.createMarshaller();
+ marshaller.setProperty(Marshaller.JAXB_ENCODING, "UTF-8");
+ return marshaller;
+ }
+}
\ No newline at end of file
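Review bot: `getMarshaller` calls `JAXBContext.newInstance(...)` on every invocation; context creation scans the package and is expensive, while the resulting `JAXBContext` is thread-safe and meant to be built once, so it belongs in a `static final` field like `factory` (which should itself be `final`). Because `JAXBContext.newInstance` throws the checked `JAXBException`, the static initializer has to wrap it; this needs `import javax.xml.bind.JAXBException;`. The Javadoc on both public methods is missing; a one-line `/** Returns a marshaller for the xmlenc model, configured for UTF-8 output. */` on `getMarshaller` would do.
```java
private static final ObjectFactory factory = new ObjectFactory();
private static final JAXBContext context;

static
{
   try
   {
      context = JAXBContext.newInstance("org.jboss.identity.xmlsec.w3.xmlenc");
   }
   catch (JAXBException e)
   {
      throw new ExceptionInInitializerError(e);
   }
}
// … unchanged: getObjectFactory …
public static Marshaller getMarshaller() throws Exception
{
   Marshaller marshaller = context.createMarshaller();
   marshaller.setProperty(Marshaller.JAXB_ENCODING, "UTF-8");
   return marshaller;
}
```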
Modified: identity-federation/trunk/pom.xml
===================================================================
--- identity-federation/trunk/pom.xml 2009-02-09 03:41:50 UTC (rev 307)
+++ identity-federation/trunk/pom.xml 2009-02-09 03:43:49 UTC (rev 308)
@@ -20,7 +20,7 @@
<module>identity-fed-core</module>
<module>identity-fed-api</module>
<module>identity-bindings</module>
- <module>doc</module>
<module>assembly</module>
</modules>
+
</project>