Author: anil.saldhana(a)jboss.com
Date: 2010-07-29 14:18:00 -0400 (Thu, 29 Jul 2010)
New Revision: 335
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java
federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/config/ProviderType.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/config/STSType.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/XMLSignatureUtil.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/PicketLinkSTSConfiguration.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/STSConfiguration.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/StandardRequestHandler.java
federation/trunk/picketlink-fed-core/src/main/resources/schema/config/picketlink-fed.xsd
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSConfigUnitTestCase.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/filters/SPFilter.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureGenerationHandler.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java
Log:
PLFED-91: make the canonicalization method for the xml dsig configurable
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java
===================================================================
---
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPRedirectWithSignatureValve.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -107,7 +107,7 @@
List<AuthPropertyType> authProperties =
CoreConfigUtil.getKeyProviderProperties(keyProvider);
keyManager.setAuthProperties( authProperties );
- keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
+ keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
}
catch(Exception e)
{
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java
===================================================================
---
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPWebBrowserSSOValve.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -40,6 +40,7 @@
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
import org.apache.catalina.Context;
import org.apache.catalina.Lifecycle;
@@ -136,6 +137,9 @@
private transient String samlHandlerChainClass = null;
+
+ protected String canonicalizationMethod =
CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
+
/**
* A Lock for Handler operations in the chain
*/
@@ -544,6 +548,8 @@
{
//Validate
SAML2Signature samlSignature = new SAML2Signature();
+ samlSignature.setCanonicalizationMethod(canonicalizationMethod);
+
if( ignoreIncomingSignatures == false && signOutgoingMessages
== true )
{
PublicKey publicKey = keyManager.getValidatingKey(remoteAddress);
@@ -885,6 +891,8 @@
this.identityURL = idpConfiguration.getIdentityURL();
if(trace) log.trace("Identity Provider URL=" + this.identityURL);
this.assertionValidity = idpConfiguration.getAssertionValidity();
+ this.canonicalizationMethod = idpConfiguration.getCanonicalizationMethod();
+
//Get the attribute manager
String attributeManager = idpConfiguration.getAttributeManager();
if(attributeManager != null && !"".equals(attributeManager))
@@ -931,10 +939,12 @@
Map<String, Object> chainConfigOptions = new HashMap<String,
Object>();
chainConfigOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator);
chainConfigOptions.put(GeneralConstants.CONFIGURATION, idpConfiguration);
+ chainConfigOptions.put( GeneralConstants.CANONICALIZATION_METHOD,
canonicalizationMethod );
if(this.keyManager != null)
chainConfigOptions.put(GeneralConstants.KEYPAIR,
keyManager.getSigningKeyPair());
SAML2HandlerChainConfig handlerChainConfig = new
DefaultSAML2HandlerChainConfig(chainConfigOptions);
+
Set<SAML2Handler> samlHandlers = chain.handlers();
for(SAML2Handler handler: samlHandlers)
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java
===================================================================
---
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/BaseFormAuthenticator.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -31,6 +31,7 @@
import java.util.concurrent.locks.ReentrantLock;
import javax.servlet.ServletContext;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.authenticator.FormAuthenticator;
@@ -78,6 +79,9 @@
* A Lock for Handler operations in the chain
*/
protected Lock chainLock = new ReentrantLock();
+
+
+ protected String canonicalizationMethod =
CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
public BaseFormAuthenticator()
{
@@ -152,6 +156,8 @@
spConfiguration = ConfigurationUtil.getSPConfiguration(is);
this.identityURL = spConfiguration.getIdentityURL();
this.serviceURL = spConfiguration.getServiceURL();
+ this.canonicalizationMethod = spConfiguration.getCanonicalizationMethod();
+
if(trace) log.trace("Identity Provider URL=" + this.identityURL);
}
catch (Exception e)
@@ -180,6 +186,7 @@
{
populateChainConfig();
SAML2HandlerChainConfig handlerChainConfig = new
DefaultSAML2HandlerChainConfig(chainConfigOptions);
+
Set<SAML2Handler> samlHandlers = chain.handlers();
for(SAML2Handler handler: samlHandlers)
@@ -192,6 +199,7 @@
throws ConfigurationException, ProcessingException
{
chainConfigOptions.put(GeneralConstants.CONFIGURATION, spConfiguration);
+ chainConfigOptions.put( GeneralConstants.CANONICALIZATION_METHOD,
canonicalizationMethod );
chainConfigOptions.put(GeneralConstants.ROLE_VALIDATOR_IGNORE, "false");
//No validator as tomcat realm does validn
}
}
\ No newline at end of file
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java
===================================================================
---
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPPostSignatureFormAuthenticator.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -67,7 +67,7 @@
public void setSignAssertions(boolean signAssertions)
{
this.signAssertions = signAssertions;
- }
+ }
@Override
public void start() throws LifecycleException
@@ -120,6 +120,8 @@
//Sign the document
SAML2Signature samlSignature = new SAML2Signature();
KeyPair keypair = keyManager.getSigningKeyPair();
+
+ samlSignature.setCanonicalizationMethod( this.canonicalizationMethod );
samlSignature.signSAMLDocument(samlDocument, keypair);
if(trace)
Modified:
federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java
===================================================================
---
federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/api/saml/v2/sig/SAML2Signature.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -28,6 +28,7 @@
import javax.xml.bind.JAXBException;
import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.XMLSignatureException;
@@ -57,6 +58,8 @@
{
private String signatureMethod = SignatureMethod.RSA_SHA1;
private String digestMethod = DigestMethod.SHA1;
+ private String canonicalizationMethod =
CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
+
public String getSignatureMethod()
{
@@ -79,6 +82,24 @@
}
/**
+ * Get the configured XML DSIG CanonicalizationMethod
+ * @return
+ */
+ public String getCanonicalizationMethod()
+ {
+ return canonicalizationMethod;
+ }
+
+ /**
+ * Set the XML DSIG Canonicalization Method
+ * @param canonicalizationMethod
+ */
+ public void setCanonicalizationMethod(String canonicalizationMethod)
+ {
+ this.canonicalizationMethod = canonicalizationMethod;
+ }
+
+ /**
* Sign an RequestType at the root
* @param request
* @param keypair Key Pair
@@ -210,6 +231,9 @@
"ID",
idValueOfAssertion);
+ //Set the configured canonicalization method
+ XMLSignatureUtil.setCanonicalizationMethodType( canonicalizationMethod );
+
return XMLSignatureUtil.sign(doc, assertionNode,
keypair,
digestMethod, signatureMethod,
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/config/ProviderType.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/config/ProviderType.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/config/ProviderType.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -14,6 +14,7 @@
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlSeeAlso;
import javax.xml.bind.annotation.XmlType;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
/**
@@ -41,6 +42,9 @@
* </restriction>
* </simpleType>
* </attribute>
+ *
+ <attribute name="CanonicalizationMethod"
use="optional"
default="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
+ type="string"/>
* </restriction>
* </complexContent>
* </complexType>
@@ -71,6 +75,8 @@
protected MetadataProviderType metaDataProvider;
@XmlAttribute(name = "ServerEnvironment")
protected String serverEnvironment;
+ @XmlAttribute(name = "CanonicalizationMethod")
+ protected String canonicalizationMethod;
/**
* Gets the value of the identityURL property.
@@ -196,4 +202,34 @@
this.serverEnvironment = value;
}
-}
+
+ /**
+ * Gets the value of the canonicalizationMethod property.
+ *
+ * @return
+ * possible object is
+ * {@link String }
+ *
+ */
+ public String getCanonicalizationMethod()
+ {
+ if( canonicalizationMethod == null )
+ canonicalizationMethod = CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
+
+ return canonicalizationMethod;
+ }
+
+ /**
+ * Sets the value of the canonicalizationMethod property.
+ *
+ * @param value
+ * allowed object is
+ * {@link String }
+ *
+ */
+ public void setCanonicalizationMethod(String canonicalizationMethod)
+ {
+ this.canonicalizationMethod = canonicalizationMethod;
+ }
+
+}
\ No newline at end of file
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/config/STSType.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/config/STSType.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/config/STSType.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -13,6 +13,7 @@
import javax.xml.bind.annotation.XmlAttribute;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlType;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
/**
@@ -35,6 +36,8 @@
* <attribute name="TokenTimeout"
type="{http://www.w3.org/2001/XMLSchema}int" default="3600" />
* <attribute name="SignToken"
type="{http://www.w3.org/2001/XMLSchema}boolean" default="true" />
* <attribute name="EncryptToken"
type="{http://www.w3.org/2001/XMLSchema}boolean" default="false"
/>
+ * <attribute name="CanonicalizationMethod"
default="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
+ * type="string" use="optional"/>
* </restriction>
* </complexContent>
* </complexType>
@@ -70,6 +73,8 @@
protected Boolean signToken;
@XmlAttribute(name = "EncryptToken")
protected Boolean encryptToken;
+ @XmlAttribute(name = "CanonicalizationMethod")
+ protected String canonicalizationMethod;
/**
* Gets the value of the keyProvider property.
@@ -303,4 +308,32 @@
this.encryptToken = value;
}
-}
+ /**
+ * Gets the value of the canonicalizationMethod property.
+ *
+ * @return
+ * possible object is
+ * {@link String }
+ *
+ */
+ public String getCanonicalizationMethod()
+ {
+ if( canonicalizationMethod == null )
+ canonicalizationMethod = CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
+
+ return canonicalizationMethod;
+ }
+
+ /**
+ * Sets the value of the canonicalizationMethod property.
+ *
+ * @param value
+ * allowed object is
+ * {@link String }
+ *
+ */
+ public void setCanonicalizationMethod(String canonicalizationMethod)
+ {
+ this.canonicalizationMethod = canonicalizationMethod;
+ }
+}
\ No newline at end of file
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/XMLSignatureUtil.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/XMLSignatureUtil.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/util/XMLSignatureUtil.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -85,7 +85,7 @@
private static String pkgName =
"org.picketlink.identity.federation.w3.xmldsig";
private static String schemaLocation =
"schema/saml/v2/xmldsig-core-schema.xsd";
- private static String canonicalizationMethodType = null;
+ private static String canonicalizationMethodType =
CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
private static ObjectFactory objectFactory = new ObjectFactory();
@@ -115,10 +115,7 @@
{
public Object run()
{
- System.setProperty("org.apache.xml.security.ignoreLineBreaks",
"true");
-
- canonicalizationMethodType = System.getProperty(
"picketlink.xmlsig.canonicalization",
- CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS );
+ System.setProperty("org.apache.xml.security.ignoreLineBreaks",
"true");
return null;
}
});
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/PicketLinkSTSConfiguration.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/PicketLinkSTSConfiguration.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/PicketLinkSTSConfiguration.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -366,4 +366,12 @@
}
return certificate;
}
-}
+
+ /**
+ * @see STSConfiguration#getXMLDSigCanonicalizationMethod()
+ */
+ public String getXMLDSigCanonicalizationMethod()
+ {
+ return delegate.getCanonicalizationMethod();
+ }
+}
\ No newline at end of file
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/STSConfiguration.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/STSConfiguration.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/STSConfiguration.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -31,6 +31,7 @@
* </p>
*
* @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
+ * @author Anil.Saldhana(a)redhat.com
*/
public interface STSConfiguration
{
@@ -172,4 +173,15 @@
* @return the {@code Certificate} obtained from the keystore, or {@code null} if no
certificate was found.
*/
public Certificate getCertificate(String alias);
-}
+
+ /**
+ * <p>
+ * Returns the configured canonicalization method.
+ * </p>
+ * <p>
+ * <b>NOTE:</b> Defaults to
javax.xml.crypto.dsig.CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS
+ * </p>
+ * @return
+ */
+ public String getXMLDSigCanonicalizationMethod();
+}
\ No newline at end of file
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/StandardRequestHandler.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/StandardRequestHandler.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/StandardRequestHandler.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -544,6 +544,9 @@
if (trace)
log.trace("NamespaceURI of element to be signed:" +
tokenElement.getNamespaceURI());
+ //Set the CanonicalizationMethod if any
+ XMLSignatureUtil.setCanonicalizationMethodType(
configuration.getXMLDSigCanonicalizationMethod() );
+
rstrDocument = XMLSignatureUtil.sign(rstrDocument, tokenElement, keyPair,
DigestMethod.SHA1,
signatureMethod, "#" +
tokenElement.getAttribute("ID"));
if (trace)
Modified:
federation/trunk/picketlink-fed-core/src/main/resources/schema/config/picketlink-fed.xsd
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/resources/schema/config/picketlink-fed.xsd 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-fed-core/src/main/resources/schema/config/picketlink-fed.xsd 2010-07-29
18:18:00 UTC (rev 335)
@@ -121,6 +121,8 @@
</restriction>
</simpleType>
</attribute>
+ <attribute name="CanonicalizationMethod" use="optional"
default="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
+ type="string"/>
</complexType>
<complexType name="SPType">
@@ -180,6 +182,7 @@
<attribute name="TokenTimeout" default="3600"
type="int" use="optional"/>
<attribute name="SignToken" default="true"
type="boolean" use="optional"/>
<attribute name="EncryptToken" default="false"
type="boolean" use="optional"/>
+ <attribute name="CanonicalizationMethod"
default="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
type="string" use="optional"/>
</complexType>
<complexType name="ClaimsProcessorsType">
Modified:
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSConfigUnitTestCase.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSConfigUnitTestCase.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSConfigUnitTestCase.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -21,10 +21,13 @@
*/
package org.picketlink.test.identity.federation.core.wstrust;
+import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import java.security.cert.Certificate;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
+
import org.junit.Test;
import org.picketlink.identity.federation.core.wstrust.STSConfiguration;
import
org.picketlink.test.identity.federation.core.wstrust.PicketLinkSTSUnitTestCase.TestSTS;
@@ -36,6 +39,10 @@
*/
public class PicketLinkSTSConfigUnitTestCase
{
+ /**
+ * Test the masking of passwords
+ * @throws Exception
+ */
@Test
public void testMaskedPassword() throws Exception
{
@@ -49,4 +56,20 @@
cert = stsConfiguration.getCertificate( "service2" );
assertNotNull( "cert is not null", cert );
}
+
+ /**
+ * Test the introduction of the CanonicalizationMethod attribute
+ * on the STSType
+ * @throws Exception
+ */
+ @Test
+ public void testXMLDSigCanonicalization() throws Exception
+ {
+ PicketLinkSTSUnitTestCase plstsTest = new PicketLinkSTSUnitTestCase();
+ TestSTS sts = plstsTest.new
TestSTS("sts/picketlink-sts-xmldsig-Canonicalization.xml");
+
+ STSConfiguration stsConfiguration = sts.getConfiguration();
+ assertNotNull( "STS Configuration is not null", stsConfiguration );
+ assertEquals( CanonicalizationMethod.EXCLUSIVE,
stsConfiguration.getXMLDSigCanonicalizationMethod() );
+ }
}
\ No newline at end of file
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -34,6 +34,7 @@
String ATTRIBUTE_KEYS = "ATTRIBUTE_KEYS";
String ATTIBUTE_MANAGER = "ATTRIBUTE_MANAGER";
+ String CANONICALIZATION_METHOD = "CANONICALIZATION_METHOD";
String CONFIGURATION = "CONFIGURATION";
String CONFIG_FILE_LOCATION = "/WEB-INF/picketlink-idfed.xml";
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/filters/SPFilter.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/filters/SPFilter.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/filters/SPFilter.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -53,6 +53,7 @@
import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.XMLSignatureException;
import org.apache.log4j.Logger;
@@ -141,6 +142,8 @@
private IRoleValidator roleValidator = new DefaultRoleValidator();
private String logOutPage = GeneralConstants.LOGOUT_PAGE_NAME;
+
+ protected String canonicalizationMethod =
CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
public void destroy()
{
@@ -451,6 +454,8 @@
spConfiguration = ConfigurationUtil.getSPConfiguration(is);
this.identityURL = spConfiguration.getIdentityURL();
this.serviceURL = spConfiguration.getServiceURL();
+ this.canonicalizationMethod = spConfiguration.getCanonicalizationMethod();
+
log.trace("Identity Provider URL=" + this.identityURL);
}
catch (Exception e)
@@ -507,6 +512,7 @@
Map<String, Object> chainConfigOptions = new HashMap<String,
Object>();
chainConfigOptions.put(GeneralConstants.CONFIGURATION, spConfiguration);
chainConfigOptions.put(GeneralConstants.ROLE_VALIDATOR, roleValidator);
+ chainConfigOptions.put( GeneralConstants.CANONICALIZATION_METHOD,
canonicalizationMethod );
SAML2HandlerChainConfig handlerChainConfig = new
DefaultSAML2HandlerChainConfig(chainConfigOptions);
Set<SAML2Handler> samlHandlers = chain.handlers();
@@ -603,6 +609,8 @@
if(!ignoreSignatures)
{
SAML2Signature samlSignature = new SAML2Signature();
+ samlSignature.setCanonicalizationMethod( canonicalizationMethod );
+
KeyPair keypair = keyManager.getSigningKeyPair();
samlSignature.signSAMLDocument(samlDocument, keypair);
}
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureGenerationHandler.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureGenerationHandler.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureGenerationHandler.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -56,6 +56,7 @@
//Get the Key Pair
KeyPair keypair = (KeyPair)
this.handlerChainConfig.getParameter(GeneralConstants.KEYPAIR);
+ String canonicalizationMethod = (String) this.handlerChainConfig.getParameter(
GeneralConstants.CANONICALIZATION_METHOD );
if(keypair == null)
{
@@ -63,7 +64,7 @@
throw new ProcessingException("KeyPair not found");
}
- sign(samlDocument, keypair);
+ sign(samlDocument, keypair, canonicalizationMethod );
}
public void handleRequestType(SAML2HandlerRequest request, SAML2HandlerResponse
response) throws ProcessingException
@@ -80,8 +81,9 @@
//Get the Key Pair
KeyPair keypair = (KeyPair)
this.handlerChainConfig.getParameter(GeneralConstants.KEYPAIR);
+ String canonicalizationMethod = (String) this.handlerChainConfig.getParameter(
GeneralConstants.CANONICALIZATION_METHOD );
- this.sign(responseDocument, keypair);
+ this.sign(responseDocument, keypair, canonicalizationMethod );
}
@Override
@@ -100,14 +102,16 @@
//Get the Key Pair
KeyPair keypair = (KeyPair)
this.handlerChainConfig.getParameter(GeneralConstants.KEYPAIR);
+ String canonicalizationMethod = (String) this.handlerChainConfig.getParameter(
GeneralConstants.CANONICALIZATION_METHOD );
- this.sign(responseDocument, keypair);
+ this.sign(responseDocument, keypair, canonicalizationMethod );
}
- private void sign(Document samlDocument, KeyPair keypair) throws ProcessingException
+ private void sign(Document samlDocument, KeyPair keypair, String
canonicalizationMethod ) throws ProcessingException
{
SAML2Signature samlSignature = new SAML2Signature();
+ samlSignature.setCanonicalizationMethod(canonicalizationMethod);
samlSignature.signSAMLDocument(samlDocument, keypair);
}
}
\ No newline at end of file
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/servlets/IDPServlet.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -40,6 +40,7 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.core.config.AuthPropertyType;
@@ -117,6 +118,8 @@
private Boolean signOutgoingMessages = true;
+ protected String canonicalizationMethod =
CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
+
private transient ServletContext context = null;
private transient SAML2HandlerChain chain = null;
@@ -149,6 +152,8 @@
log.trace("Identity Provider URL=" + this.identityURL);
this.assertionValidity = idpConfiguration.getAssertionValidity();
+ this.canonicalizationMethod = idpConfiguration.getCanonicalizationMethod();
+
//Get the attribute manager
String attributeManager = idpConfiguration.getAttributeManager();
if(attributeManager != null && !"".equals(attributeManager))
@@ -166,6 +171,7 @@
Map<String, Object> chainConfigOptions = new HashMap<String,
Object>();
chainConfigOptions.put(GeneralConstants.ROLE_GENERATOR, roleGenerator);
chainConfigOptions.put(GeneralConstants.CONFIGURATION, idpConfiguration);
+ chainConfigOptions.put( GeneralConstants.CANONICALIZATION_METHOD,
canonicalizationMethod );
SAML2HandlerChainConfig handlerChainConfig = new
DefaultSAML2HandlerChainConfig(chainConfigOptions);
Set<SAML2Handler> samlHandlers = chain.handlers();
@@ -272,6 +278,7 @@
idpConfiguration, keyManager);
webRequestUtil.setAttributeManager(this.attribManager);
webRequestUtil.setAttributeKeys(attributeKeys);
+ webRequestUtil.setCanonicalizationMethod(canonicalizationMethod);
boolean willSendRequest = true;
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java 2010-07-13
21:49:34 UTC (rev 334)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util/IDPWebRequestUtil.java 2010-07-29
18:18:00 UTC (rev 335)
@@ -39,6 +39,7 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.JAXBException;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
@@ -87,6 +88,8 @@
private TrustKeyManager keyManager;
private AttributeManager attributeManager;
private List<String> attribKeys;
+
+ protected String canonicalizationMethod =
CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
public IDPWebRequestUtil(HttpServletRequest request, IDPType idp, TrustKeyManager
keym)
{
@@ -94,8 +97,22 @@
this.keyManager = keym;
this.redirectProfile = "GET".equals(request.getMethod());
this.postProfile = "POST".equals(request.getMethod());
+ }
+
+ public String getCanonicalizationMethod()
+ {
+ return canonicalizationMethod;
}
-
+
+
+
+ public void setCanonicalizationMethod(String canonicalizationMethod)
+ {
+ this.canonicalizationMethod = canonicalizationMethod;
+ }
+
+
+
public void setAttributeKeys(List<String> attribKeys)
{
this.attribKeys = attribKeys;
@@ -253,6 +270,7 @@
try
{
SAML2Signature saml2Signature = new SAML2Signature();
+ saml2Signature.setCanonicalizationMethod(canonicalizationMethod);
samlResponseDocument = saml2Signature.sign(responseType,
keyManager.getSigningKeyPair());
}
catch (Exception e)
@@ -422,6 +440,7 @@
{
//Sign the document
SAML2Signature samlSignature = new SAML2Signature();
+ samlSignature.setCanonicalizationMethod(canonicalizationMethod);
KeyPair keypair = keyManager.getSigningKeyPair();
samlSignature.signSAMLDocument(responseDoc, keypair);
@@ -545,6 +564,7 @@
try
{
SAML2Signature ss = new SAML2Signature();
+ ss.setCanonicalizationMethod(canonicalizationMethod);
samlResponse = ss.sign(responseType, keyManager.getSigningKeyPair());
}
catch (Exception e)