Author: anil.saldhana(a)jboss.com
Date: 2009-11-21 00:21:37 -0500 (Sat, 21 Nov 2009)
New Revision: 1058
Modified:
migration/picketlink/federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
migration/picketlink/federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
migration/picketlink/federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java
migration/picketlink/federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2LogoutTomcatWorkflowUnitTestCase.java
migration/picketlink/federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectTomcatWorkflowUnitTestCase.java
migration/picketlink/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java
migration/picketlink/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/impl/KeyStoreKeyManager.java
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/filters/SPFilter.java
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureGenerationHandler.java
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderBaseProcessor.java
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLRequestProcessor.java
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java
Log:
handle signatures properly
Modified:
migration/picketlink/federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -51,6 +51,7 @@
import org.apache.catalina.util.LifecycleSupport;
import org.apache.catalina.valves.ValveBase;
import org.apache.log4j.Logger;
+import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
import org.picketlink.identity.federation.bindings.tomcat.TomcatRoleGenerator;
import org.picketlink.identity.federation.core.config.IDPType;
import org.picketlink.identity.federation.core.config.KeyProviderType;
@@ -120,7 +121,7 @@
private TrustKeyManager keyManager;
- private Boolean ignoreIncomingSignatures = true;
+ private Boolean ignoreIncomingSignatures = false;
private Boolean signOutgoingMessages = true;
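Review bot: The default of `ignoreIncomingSignatures` flips to `false` with no comment explaining the consequence: a deployment that never configured validating keys will, after this change, reject every incoming SAML message, and the same flip is made in IDPServlet (its first hunk in this commit). A one-line comment above the field such as `// Incoming SAML messages are signature-checked unless a deployment explicitly opts out via setIgnoreIncomingSignatures(true)` records the intent for whoever next reads the field. The commit log ("handle signatures properly") does not mention the default change either.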
@@ -507,10 +508,24 @@
samlObject = (SAML2Object) samlDocumentHolder.getSamlObject();
boolean isPost = webRequestUtil.hasSAMLRequestInPostProfile();
- boolean isValid = validate(request.getRemoteAddr(),
- request.getQueryString(),
- new SessionHolder(samlResponseMessage, signature, sigAlg), isPost);
+ boolean isValid = false;
+ String remoteAddress = request.getRemoteAddr();
+
+ if(isPost)
+ {
+ //Validate
+ SAML2Signature samlSignature = new SAML2Signature();
+ PublicKey publicKey = keyManager.getValidatingKey(remoteAddress);
+ isValid = samlSignature.validate(samlDocumentHolder.getSamlDocument(),
publicKey);
+ }
+ else
+ {
+ isValid = validate(remoteAddress,
+ request.getQueryString(),
+ new SessionHolder(samlResponseMessage, signature, sigAlg),
isPost);
+ }
+
if(!isValid)
throw new GeneralSecurityException("Validation check
failed");
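Review bot: In the new POST branch `keyManager.getValidatingKey(remoteAddress)` may return null when no alias exists for that address, and the null key is passed straight into `samlSignature.validate`, whose behaviour on a null key is not visible here; reject it explicitly with `if(publicKey == null) throw new GeneralSecurityException("No validating key for " + remoteAddress);` before validating. `SAML2Signature.validate` also declares `ProcessingException` (see the SAML2Signature hunk), and the enclosing method's throws clause is outside this hunk, so confirm the exception is declared or caught rather than left to propagate unexpectedly. The enclosing method starts and ends outside the hunk.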
Modified:
migration/picketlink/federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostFormAuthenticator.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -44,6 +44,7 @@
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
+import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import
org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
import org.picketlink.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
@@ -76,6 +77,10 @@
private String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME;
+ protected boolean supportSignatures = false;
+
+ protected TrustKeyManager keyManager;
+
public SPPostFormAuthenticator()
{
super();
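Review bot: The two new protected fields carry no documentation although subclasses are expected to set them (SPPostSignatureFormAuthenticator sets `supportSignatures` in `start()` in this commit). Add `/** Whether outgoing SAML requests are signed; enabled by signature-aware subclasses. */` above `supportSignatures` and `/** Key manager supplying the signing key pair; must be non-null whenever supportSignatures is true. */` above `keyManager`, since ServiceProviderSAMLRequestProcessor dereferences it whenever signing is enabled. The enclosing class continues outside the hunk.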
@@ -262,6 +267,8 @@
{
ServiceProviderSAMLRequestProcessor requestProcessor =
new ServiceProviderSAMLRequestProcessor(true, this.serviceURL);
+ requestProcessor.setTrustKeyManager(keyManager);
+ requestProcessor.setSupportSignatures(supportSignatures);
boolean result = requestProcessor.process(samlRequest, httpContext, handlers,
chainLock);
if(result)
@@ -289,7 +296,7 @@
* @throws ProcessingException
* @throws ConfigurationException
* @throws IOException
- */
+ */
protected void sendRequestToIDP(
String destination, Document samlDocument,String relayState, Response response,
boolean willSendRequest)
Modified:
migration/picketlink/federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -21,34 +21,31 @@
*/
package org.picketlink.identity.federation.bindings.tomcat.sp;
-import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
-import java.security.GeneralSecurityException;
+import java.security.KeyPair;
import java.security.PublicKey;
-import javax.xml.bind.JAXBException;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.XMLSignatureException;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Response;
import org.apache.log4j.Logger;
-import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
+import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
import org.picketlink.identity.federation.core.config.KeyProviderType;
+import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
+import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import
org.picketlink.identity.federation.core.interfaces.TrustKeyConfigurationException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
import org.picketlink.identity.federation.core.interfaces.TrustKeyProcessingException;
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import
org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException;
-import org.picketlink.identity.federation.core.saml.v2.holders.DestinationInfoHolder;
+import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
-import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
-import org.picketlink.identity.federation.web.util.PostBindingUtil;
import org.w3c.dom.Document;
-import org.xml.sax.SAXException;
/**
* JBID-142: POST form authenticator that can
@@ -61,8 +58,6 @@
private static Logger log = Logger.getLogger(SPPostSignatureFormAuthenticator.class);
private boolean trace = log.isTraceEnabled();
- private TrustKeyManager keyManager;
-
private boolean signAssertions = false;
public boolean isSignAssertions()
@@ -79,6 +74,8 @@
public void start() throws LifecycleException
{
super.start();
+ this.supportSignatures = true;
+
KeyProviderType keyProvider = this.spConfiguration.getKeyProvider();
if(keyProvider == null)
throw new LifecycleException("KeyProvider is null");
@@ -102,19 +99,34 @@
if(trace) log.trace("Key Provider=" + keyProvider.getClassName());
}
- protected void sendRequestToIDP(AuthnRequestType authnRequest, String relayState,
Response response)
- throws IOException, SAXException, JAXBException, GeneralSecurityException
+ /**
+ * Send the request to the IDP
+ * @param destination idp url
+ * @param samlDocument request or response document
+ * @param relayState
+ * @param response
+ * @param willSendRequest are we sending Request or Response to IDP
+ * @throws ProcessingException
+ * @throws ConfigurationException
+ * @throws IOException
+ */
+ @Override
+ protected void sendRequestToIDP(
+ String destination, Document samlDocument,String relayState, Response response,
+ boolean willSendRequest)
+ throws ProcessingException, ConfigurationException, IOException
{
- SAML2Request saml2Request = new SAML2Request();
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
- saml2Request.marshall(authnRequest, baos);
-
- String samlMessage = PostBindingUtil.base64Encode(baos.toString());
- String destination = authnRequest.getDestination();
+ //Sign the document
+ SAML2Signature samlSignature = new SAML2Signature();
+ KeyPair keypair = keyManager.getSigningKeyPair();
+ samlSignature.signSAMLDocument(samlDocument, keypair);
- PostBindingUtil.sendPost(new DestinationInfoHolder(destination, samlMessage,
relayState),
- response, true);
- }
+ if(trace)
+ log.trace("Sending to IDP:" + DocumentUtil.asString(samlDocument));
+ //Let the super class handle the sending
+ super.sendRequestToIDP(destination, samlDocument, relayState, response,
willSendRequest);
+ }
+
@Override
protected boolean verifySignature(SAMLDocumentHolder samlDocumentHolder) throws
IssuerNotTrustedException
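Review bot: The override signs `samlDocument` unconditionally and then delegates to `super.sendRequestToIDP`; `start()` in this same file also sets `supportSignatures = true`, and the superclass hands that flag to ServiceProviderSAMLRequestProcessor, which signs when it is set. Unless the superclass's `sendRequestToIDP` (body not in this diff) is known not to sign, the document could end up with two enveloped signatures — confirm, and keep a single signing site. Separately, the trace statement writes the complete signed request to the log; `log.trace("Sending signed request to IDP " + destination)` conveys the same progress without putting message bodies in log files. The `@param relayState` and `@param response` tags in the new Javadoc have no description.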
Modified:
migration/picketlink/federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2LogoutTomcatWorkflowUnitTestCase.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2LogoutTomcatWorkflowUnitTestCase.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2LogoutTomcatWorkflowUnitTestCase.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -128,7 +128,7 @@
assertEquals("Match Employee URL", employee,
lor.getIssuer().getValue());
}
- public void testSAML2LogOutFromIDPServlet() throws Exception
+ public void testSAML2LogOutFromIDP() throws Exception
{
MockCatalinaSession session = new MockCatalinaSession();
@@ -145,6 +145,7 @@
idp.setContainer(catalinaContext);
idp.setSignOutgoingMessages(false);
+ idp.setIgnoreIncomingSignatures(true);
idp.start();
//Assume that we already have the principal and roles set in the session
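Review bot: Both workflow tests now call `idp.setIgnoreIncomingSignatures(true)` (here and in SAML2RedirectTomcatWorkflowUnitTestCase), so the new POST-profile validation branch added to IDPWebBrowserSSOValve in this commit is exercised by no test. A companion case that leaves the new default in place, configures a keystore alias for the mock request's remote address, and asserts that a document whose signature does not verify is rejected with `GeneralSecurityException` would cover the security-relevant path. The enclosing test method continues outside the hunk.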
Modified:
migration/picketlink/federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectTomcatWorkflowUnitTestCase.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectTomcatWorkflowUnitTestCase.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectTomcatWorkflowUnitTestCase.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -105,6 +105,7 @@
IDPWebBrowserSSOValve idp = new IDPWebBrowserSSOValve();
idp.setSignOutgoingMessages(false);
+ idp.setIgnoreIncomingSignatures(true);
idp.setContainer(context);
idp.start();
Modified:
migration/picketlink/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -24,6 +24,7 @@
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
+import java.security.PublicKey;
import javax.xml.bind.JAXBException;
import javax.xml.crypto.MarshalException;
@@ -37,6 +38,7 @@
import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
+import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
@@ -213,4 +215,47 @@
digestMethod, signatureMethod,
referenceURI);
}
+
+ /**
+ * Sign a SAML Document
+ * @param samlDocument
+ * @param keypair
+ * @throws ProcessingException
+ */
+ public void signSAMLDocument(Document samlDocument, KeyPair keypair) throws
ProcessingException
+ {
+ //Get the ID from the root
+ String id = samlDocument.getDocumentElement().getAttribute("ID");
+ try
+ {
+ sign(samlDocument, id, keypair);
+ }
+ catch (Exception e)
+ {
+ throw new ProcessingException(e);
+ }
+ }
+
+ /**
+ * Validate the SAML2 Document
+ * @param signedDocument
+ * @param publicKey
+ * @return
+ * @throws ProcessingException
+ */
+ public boolean validate(Document signedDocument, PublicKey publicKey) throws
ProcessingException
+ {
+ try
+ {
+ return XMLSignatureUtil.validate(signedDocument, publicKey);
+ }
+ catch(MarshalException me)
+ {
+ throw new ProcessingException(me.getLocalizedMessage());
+ }
+ catch(XMLSignatureException xse)
+ {
+ throw new ProcessingException(xse.getLocalizedMessage());
+ }
+ }
}
\ No newline at end of file
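Review bot: `validate` converts `MarshalException` and `XMLSignatureException` into `ProcessingException(me.getLocalizedMessage())`, which drops the cause chain that `signSAMLDocument` just above preserves with `new ProcessingException(e)`; use `throw new ProcessingException(me);` and `throw new ProcessingException(xse);` so both methods report failures the same way. `signSAMLDocument` reads the root `ID` via `getAttribute("ID")`, which yields an empty string when the attribute is absent, so the reference URI would silently be empty; `if(id == null || id.length() == 0) throw new ProcessingException("Root element has no ID attribute");` makes that failure explicit. The `@return` tag in the Javadoc of `validate` is empty — state that it returns whether the document's signature verifies with `publicKey`. `catch (Exception e)` in `signSAMLDocument` is broader than the checked exceptions `sign` can throw; catching those narrowly keeps runtime errors visible.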
Modified:
migration/picketlink/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/impl/KeyStoreKeyManager.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/impl/KeyStoreKeyManager.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/impl/KeyStoreKeyManager.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -197,7 +197,10 @@
try
{
if(ks == null)
- this.setUpKeyStore();
+ {
+ if(trace) log.trace("getPublicKey::Keystore is null. so setting it
up");
+ this.setUpKeyStore();
+ }
if(ks == null)
throw new IllegalStateException("KeyStore is null");
@@ -225,8 +228,11 @@
}
/**
+ * Get the validating public key
+ * <b>Note:</b>: The domain is mapped to an alias in the keystore
* @throws IOException
* @see TrustKeyManager#getValidatingKey(String)
+ * @see TrustKeyManager#getPublicKey(String)
*/
public PublicKey getValidatingKey(String domain)
throws TrustKeyConfigurationException, TrustKeyProcessingException
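Review bot: The new Javadoc says the domain is mapped to a keystore alias but not what callers are expected to pass; in this commit IDPWebBrowserSSOValve passes `request.getRemoteAddr()`, so aliases must be keyed by the peer's network address, which behind a reverse proxy or NAT is the proxy's address rather than the SP's. Document that contract explicitly, e.g. `@param domain identifier of the trusted peer (callers in this codebase pass the request's remote address); must match a certificate alias in the keystore`, and state whether a missing alias yields null or an exception, since the valve does not check for null. The method body continues outside the hunk.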
Modified:
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -32,7 +32,7 @@
String ATTRIBUTES = "ATTRIBUTES";
String ATTRIBUTE_KEYS = "ATTRIBUTE_KEYS";
- String ATTIBUTE_MANAGER = "ATTRIBUTE_MANAGER";
+ String ATTIBUTE_MANAGER = "ATTRIBUTE_MANAGER";
String CONFIGURATION = "CONFIGURATION";
String CONFIG_FILE_LOCATION = "/WEB-INF/picketlink-idfed.xml";
Modified:
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/filters/SPFilter.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/filters/SPFilter.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/filters/SPFilter.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -30,6 +30,7 @@
import java.net.MalformedURLException;
import java.net.URL;
import java.security.GeneralSecurityException;
+import java.security.KeyPair;
import java.security.Principal;
import java.security.PublicKey;
import java.util.ArrayList;
@@ -57,6 +58,7 @@
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
+import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
import org.picketlink.identity.federation.core.config.KeyProviderType;
import org.picketlink.identity.federation.core.config.SPType;
import org.picketlink.identity.federation.core.config.TrustType;
@@ -99,6 +101,7 @@
import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.picketlink.identity.federation.saml.v2.protocol.RequestAbstractType;
import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
+import org.picketlink.identity.federation.saml.v2.protocol.StatusResponseType;
import org.picketlink.identity.federation.saml.v2.protocol.StatusType;
import org.picketlink.identity.federation.web.constants.GeneralConstants;
import org.picketlink.identity.federation.web.core.HTTPContext;
@@ -283,6 +286,12 @@
SAML2Object samlObject = saml2Response.getSAML2ObjectFromStream(is);
SAMLDocumentHolder documentHolder =
saml2Response.getSamlDocumentHolder();
+
+ if(!ignoreSignatures)
+ {
+ if(!verifySignature(documentHolder))
+ throw new ServletException("Cannot verify sender");
+ }
Set<SAML2Handler> handlers = chain.handlers();
IssuerInfoHolder holder = new IssuerInfoHolder(this.serviceURL);
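Review bot: The signature guard added here is duplicated verbatim in the next hunk of this file (the request path); extracting it into a private helper such as `requireVerifiedSender(SAMLDocumentHolder documentHolder)` that throws the `ServletException` keeps the two paths from drifting apart. `verifySignature` declares `IssuerNotTrustedException`, and the enclosing method's signature is outside the hunk, so confirm it is declared or converted there. The enclosing method starts and ends outside the hunk.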
@@ -370,6 +379,12 @@
SAML2Object samlObject = saml2Request.getSAML2ObjectFromStream(is);
SAMLDocumentHolder documentHolder = saml2Request.getSamlDocumentHolder();
+ if(!ignoreSignatures)
+ {
+ if(!verifySignature(documentHolder))
+ throw new ServletException("Cannot verify sender");
+ }
+
Set<SAML2Handler> handlers = chain.handlers();
IssuerInfoHolder holder = new IssuerInfoHolder(this.serviceURL);
ProtocolContext protocolContext = new HTTPContext(request,response,
context);
@@ -580,6 +595,12 @@
boolean request)
throws IOException, SAXException, JAXBException,GeneralSecurityException
{
+ if(!ignoreSignatures)
+ {
+ SAML2Signature samlSignature = new SAML2Signature();
+ KeyPair keypair = keyManager.getSigningKeyPair();
+ samlSignature.signSAMLDocument(samlDocument, keypair);
+ }
String samlMessage =
PostBindingUtil.base64Encode(DocumentUtil.getDocumentAsString(samlDocument));
PostBindingUtil.sendPost(new DestinationInfoHolder(destination, samlMessage,
relayState),
response, request);
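Review bot: `samlSignature.signSAMLDocument` declares `ProcessingException` (see the SAML2Signature hunk), while this method's visible throws clause lists only `IOException, SAXException, JAXBException, GeneralSecurityException`; unless `ProcessingException` is unchecked or a subtype of one of those, the call will not compile, and if it is unchecked a signing failure escapes the existing error handling. Either add it to the throws clause or wrap the call: `catch(ProcessingException pe) { throw new GeneralSecurityException(pe); }`. The enclosing method continues outside the hunk.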
@@ -593,9 +614,17 @@
protected boolean verifySignature(SAMLDocumentHolder samlDocumentHolder) throws
IssuerNotTrustedException
{
Document samlResponse = samlDocumentHolder.getSamlDocument();
- ResponseType response = (ResponseType) samlDocumentHolder.getSamlObject();
+ SAML2Object samlObject = samlDocumentHolder.getSamlObject();
- String issuerID = response.getIssuer().getValue();
+ String issuerID = null;
+ if(samlObject instanceof StatusResponseType)
+ {
+ issuerID = ((StatusResponseType)samlObject).getIssuer().getValue();
+ }
+ else
+ {
+ issuerID = ((RequestAbstractType)samlObject).getIssuer().getValue();
+ }
if(issuerID == null)
throw new IssuerNotTrustedException("Issue missing");
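Review bot: The `else` branch casts any non-`StatusResponseType` object to `RequestAbstractType`, so a message of another type fails with a `ClassCastException` instead of the intended `IssuerNotTrustedException`, and a null `getIssuer()` on either branch raises a `NullPointerException` before the `issuerID == null` check is reached. Both cases should fall through to the existing rejection, as below. The message `"Issue missing"` presumably means "Issuer missing". The method continues outside the hunk.
```java
String issuerID = null;
if(samlObject instanceof StatusResponseType
      && ((StatusResponseType) samlObject).getIssuer() != null)
{
   issuerID = ((StatusResponseType) samlObject).getIssuer().getValue();
}
else if(samlObject instanceof RequestAbstractType
      && ((RequestAbstractType) samlObject).getIssuer() != null)
{
   issuerID = ((RequestAbstractType) samlObject).getIssuer().getValue();
}
// any other message type, or a missing Issuer element, is rejected below
if(issuerID == null)
   throw new IssuerNotTrustedException("Issue missing");
```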
Modified:
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureGenerationHandler.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureGenerationHandler.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureGenerationHandler.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -103,25 +103,11 @@
this.sign(responseDocument, keypair);
}
+
-
-
private void sign(Document samlDocument, KeyPair keypair) throws ProcessingException
{
SAML2Signature samlSignature = new SAML2Signature();
- //Get the ID from the root
- String id = samlDocument.getDocumentElement().getAttribute("ID");
-
- try
- {
- samlSignature.sign(samlDocument, id, keypair);
- }
- catch (Exception e)
- {
- log.error("Unable to sign:",e);
- throw new ProcessingException("Unable to sign");
- }
- }
-
-
+ samlSignature.signSAMLDocument(samlDocument, keypair);
+ }
}
\ No newline at end of file
Modified:
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -25,7 +25,6 @@
import java.util.Map;
import org.apache.log4j.Logger;
-import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import
org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerErrorCodes;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
@@ -64,7 +63,9 @@
PublicKey publicKey = (PublicKey)
request.getOptions().get(GeneralConstants.SENDER_PUBLIC_KEY);
try
{
- this.validateSender(signedDocument, publicKey);
+ boolean isValid = this.validateSender(signedDocument, publicKey);
+ if(!isValid)
+ throw new ProcessingException();
}
catch(ProcessingException pe)
{
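Review bot: `throw new ProcessingException();` carries no message, so the `catch(ProcessingException pe)` directly below and anything it logs will report a failed signature check with no explanation. Use `throw new ProcessingException("SAML signature validation failed");`; SAML2Signature in this same commit already uses the message constructor. The enclosing handler method starts and ends outside the hunk.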
@@ -93,12 +94,12 @@
this.validateSender(signedDocument, publicKey);
}
- private void validateSender(Document signedDocument, PublicKey publicKey)
+ private boolean validateSender(Document signedDocument, PublicKey publicKey)
throws ProcessingException
{
try
{
- XMLSignatureUtil.validate(signedDocument, publicKey);
+ return XMLSignatureUtil.validate(signedDocument, publicKey);
}
catch (Exception e)
{
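Review bot: `validateSender` now returns the verification result, but the second call site visible in this hunk's context, `this.validateSender(signedDocument, publicKey);`, still discards it, so a document whose signature does not verify passes that handler method unchallenged while the other call site in this commit now throws. Change it to `if(!this.validateSender(signedDocument, publicKey)) throw new ProcessingException("SAML signature validation failed");`. The enclosing method of that call starts outside the hunk, and `validateSender`'s catch block continues past it.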
Modified:
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderBaseProcessor.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderBaseProcessor.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderBaseProcessor.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -62,6 +62,8 @@
protected SPType spConfiguration;
protected TrustKeyManager keyManager;
+
+ protected boolean supportSignatures = false;
/**
* Construct
@@ -92,6 +94,15 @@
this.keyManager = tkm;
}
+ /**
+ * Whether we support signatures during the current processing
+ * @param supportSignatures
+ */
+ public void setSupportSignatures(boolean supportSignatures)
+ {
+ this.supportSignatures = supportSignatures;
+ }
+
public SAML2HandlerResponse process(HTTPContext httpContext,
Set<SAML2Handler> handlers,
Lock chainLock)
Modified:
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLRequestProcessor.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLRequestProcessor.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLRequestProcessor.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -31,6 +31,7 @@
import javax.servlet.http.HttpServletResponse;
import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
+import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
@@ -158,6 +159,12 @@
boolean willSendRequest)
throws ProcessingException, ConfigurationException, IOException
{
+ if(this.supportSignatures)
+ {
+ SAML2Signature ss = new SAML2Signature();
+ ss.signSAMLDocument(samlDocument, keyManager.getSigningKeyPair());
+ }
+
String samlMessage = DocumentUtil.getDocumentAsString(samlDocument);
samlMessage = PostBindingUtil.base64Encode(samlMessage);
PostBindingUtil.sendPost(new DestinationInfoHolder(destination, samlMessage,
relayState),
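Review bot: `keyManager.getSigningKeyPair()` is called whenever `supportSignatures` is true, but `keyManager` is only populated through `setTrustKeyManager` on ServiceProviderBaseProcessor and presumably remains null when no key provider was configured; a misconfiguration then surfaces as a `NullPointerException` at send time instead of a clear error. Guard it: `if(keyManager == null) throw new ProcessingException("TrustKeyManager is required when signatures are enabled");`. The same unguarded dereference appears in the SPFilter sending hunk and in the IDPWebRequestUtil POST branch. The enclosing method continues outside the hunk.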
Modified:
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -110,7 +110,7 @@
private transient TrustKeyManager keyManager;
- private Boolean ignoreIncomingSignatures = true;
+ private Boolean ignoreIncomingSignatures = false;
private Boolean signOutgoingMessages = true;
@@ -516,8 +516,8 @@
{
if(trace) log.trace(e);
}
-
- return;
+
+ return;
}
}
Modified:
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java
===================================================================
---
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java 2009-11-21
05:08:18 UTC (rev 1057)
+++
migration/picketlink/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java 2009-11-21
05:21:37 UTC (rev 1058)
@@ -29,6 +29,7 @@
import java.io.StringWriter;
import java.net.URL;
import java.security.GeneralSecurityException;
+import java.security.KeyPair;
import java.security.Principal;
import java.security.PrivateKey;
import java.util.List;
@@ -266,7 +267,7 @@
}
catch (Exception e)
{
- log.trace(e);
+ if(trace) log.trace(e);
}
return samlResponseDocument;
@@ -336,10 +337,11 @@
if(responseDoc == null)
throw new IllegalArgumentException("responseType is null");
- byte[] responseBytes =
DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
-
+
if(redirectProfile)
{
+ byte[] responseBytes =
DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
+
String urlEncodedResponse =
RedirectBindingUtil.deflateBase64URLEncode(responseBytes);
if(trace) log.trace("IDP:Destination=" + destination);
@@ -354,8 +356,22 @@
}
else
{
+ //If we support signature
+ if(supportSignature)
+ {
+ //Sign the document
+ SAML2Signature samlSignature = new SAML2Signature();
+
+ KeyPair keypair = keyManager.getSigningKeyPair();
+ samlSignature.signSAMLDocument(responseDoc, keypair);
+
+ if(trace)
+ log.trace("Sending over to SP:" +
DocumentUtil.asString(responseDoc));
+ }
+ byte[] responseBytes =
DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
+
String samlResponse = PostBindingUtil.base64Encode(new String(responseBytes));
-
+
PostBindingUtil.sendPost(new DestinationInfoHolder(destination,
samlResponse, relayState), response, sendRequest);
}
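Review bot: In the POST branch `responseBytes` is produced with `getBytes("UTF-8")` and then turned back into a `String` via `new String(responseBytes)` with the platform default charset, so non-ASCII content in the freshly signed response is corrupted on platforms whose default is not UTF-8, and a corrupted serialization no longer matches the signature just computed. Use `new String(responseBytes, "UTF-8")` or pass `DocumentUtil.getDocumentAsString(responseDoc)` to `base64Encode` directly. The trace statement logs the complete signed response, assertions included; logging the destination and the response size gives the same debugging signal without placing assertion contents in log files. The redirect branch above signs nothing even when `supportSignature` is true; if that is intentional because the redirect binding carries its signature differently, a comment there would stop the omission reading as a bug. The enclosing method starts and ends outside the hunk.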