Author: anil.saldhana(a)jboss.com
Date: 2011-08-08 15:17:22 -0400 (Mon, 08 Aug 2011)
New Revision: 1158
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/impl/KeyStoreKeyManager.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/TrustKeyManager.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderBaseProcessor.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java
Log:
PLFED-220: allow users to configure idp validating alias
Modified:
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
===================================================================
---
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2011-08-08
17:09:25 UTC (rev 1157)
+++
federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2011-08-08
19:17:22 UTC (rev 1158)
@@ -69,16 +69,20 @@
private TrustKeyManager keyManager;
- protected String validatingAlias = null;
+ protected String idpAddress = null;
public SPRedirectSignatureFormAuthenticator()
{
super();
}
- public void setValidatingAlias(String validatingAlias)
+ /**
+ * If the request.getRemoteAddr is not exactly the IDP address that you have keyed
+ * in your deployment descriptor for keystore alias, you can set it here explicitly
+ */
+ public void setIdpAddress(String idpAddress)
{
- this.validatingAlias = validatingAlias;
+ this.idpAddress = idpAddress;
}
@Override
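Review bot: Renaming the public setter `setValidatingAlias` to `setIdpAddress` drops the old method entirely, and valve attributes such as this one are typically applied from the deployment descriptor by reflection, so an existing configuration that sets `validatingAlias` would presumably lose the setting without a compile-time error. Keep a delegating setter for one release: `/** @deprecated use {@link #setIdpAddress(String)} */` followed by `@Deprecated public void setValidatingAlias(String validatingAlias) { setIdpAddress(validatingAlias); }`. The new Javadoc on `setIdpAddress` would also benefit from stating that the value is used as the keystore alias of the IDP's validating key, since that is what the later lookup does with it.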
@@ -104,6 +108,16 @@
List<AuthPropertyType> authProperties =
CoreConfigUtil.getKeyProviderProperties(keyProvider);
keyManager.setAuthProperties(authProperties);
keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
+
+ /**
+ * Since the user has explicitly configured the idp address, we need
+ * to add an option on the keymanager such that users of keymanager
+ * can choose the proper idp key for validation
+ */
+ if (StringUtil.isNotNull(idpAddress))
+ {
+ keyManager.addAdditionalOption(ServiceProviderBaseProcessor.IDP_KEY,
this.idpAddress);
+ }
}
catch (Exception e)
{
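Review bot: The added `/** ... */` block sits inside a method body, where Javadoc syntax documents nothing; `//` or `/* */` is the convention for an inline explanation. The guard `StringUtil.isNotNull(idpAddress)` also differs from the `StringUtil.isNullOrEmpty(idpAddress)` check used later in this file for the key lookup, so unless `isNotNull` rejects the empty string as well, an empty configured value is registered as an option that `ServiceProviderSAMLResponseProcessor` then has to fall back from; `if (!StringUtil.isNullOrEmpty(idpAddress))` keeps the two paths consistent. The enclosing method starts and ends outside the hunk.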
@@ -155,11 +169,11 @@
PublicKey validatingKey;
try
{
- if (StringUtil.isNullOrEmpty(validatingAlias))
+ if (StringUtil.isNullOrEmpty(idpAddress))
{
- validatingAlias = request.getRemoteAddr();
+ idpAddress = request.getRemoteAddr();
}
- validatingKey = keyManager.getValidatingKey(validatingAlias);
+ validatingKey = keyManager.getValidatingKey(idpAddress);
}
catch (TrustKeyConfigurationException e)
{
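Review bot: `idpAddress = request.getRemoteAddr();` stores the first caller's source address in an instance field shared by all later requests, so once a request arrives with no configured address the `isNullOrEmpty` guard never fires again and every subsequent request is validated against that first address rather than its own. The removed lines did the same with `validatingAlias`, so this is inherited, but under the new name it now reads like deliberate configuration. Prefer a local: `String alias = StringUtil.isNullOrEmpty(idpAddress) ? request.getRemoteAddr() : idpAddress;` then `validatingKey = keyManager.getValidatingKey(alias);`. The enclosing method starts and ends outside the hunk.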
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/impl/KeyStoreKeyManager.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/impl/KeyStoreKeyManager.java 2011-08-08
17:09:25 UTC (rev 1157)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/impl/KeyStoreKeyManager.java 2011-08-08
19:17:22 UTC (rev 1158)
@@ -69,6 +69,8 @@
*/
private final Map<String, SecretKey> keys = new HashMap<String,
SecretKey>();
+ private final Map<String, Object> options = new HashMap<String,
Object>();
+
private static Logger log = Logger.getLogger(KeyStoreKeyManager.class);
private final boolean trace = log.isTraceEnabled();
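Review bot: `options` is a plain `HashMap` that is written by `addAdditionalOption` at configuration time and read by `getAdditionalOption` from response processing in `ServiceProviderSAMLResponseProcessor`; if any option can be registered after the manager has been handed to request threads, those reads have no visibility guarantee. Either document that all options must be registered before the manager is published, or declare it as `private final Map<String, Object> options = new ConcurrentHashMap<String, Object>();`, which additionally rejects null keys and values, a useful precondition here. The existing `keys` map just above has the same shape, so the pattern is inherited.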
@@ -339,6 +341,23 @@
return key;
}
+ /**
+ * @see
org.picketlink.identity.federation.core.interfaces.TrustKeyManager#addAdditionalOption(java.lang.String,
java.lang.Object)
+ */
+ public void addAdditionalOption(String key, Object value)
+ {
+ this.options.put(key, value);
+ }
+
+ /**
+ *
+ * @see
org.picketlink.identity.federation.core.interfaces.TrustKeyManager#getAdditionalOption(java.lang.String)
+ */
+ public Object getAdditionalOption(String key)
+ {
+ return this.options.get(key);
+ }
+
private void setUpKeyStore() throws GeneralSecurityException, IOException
{
//Keystore URL/Pass can be either by configuration or on the HTTPS connector
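Review bot: The Javadoc on the two added methods consists only of `@see` links, leaving the contract implicit: `getAdditionalOption` returns `null` when nothing was registered, the value comes back as an untyped `Object` that callers must cast, and a second `addAdditionalOption` with the same key silently replaces the earlier value. Say so, e.g. `@return the value registered under {@code key}, or {@code null} if none` on the getter and `Replaces any value previously registered under {@code key}.` on the setter. The empty first line of the second Javadoc block is also a leftover worth removing.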
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/TrustKeyManager.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/TrustKeyManager.java 2011-08-08
17:09:25 UTC (rev 1157)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/TrustKeyManager.java 2011-08-08
19:17:22 UTC (rev 1158)
@@ -31,7 +31,6 @@
import org.picketlink.identity.federation.core.config.AuthPropertyType;
import org.picketlink.identity.federation.core.config.KeyValueType;
-
/**
* Key Manager interface used in trust decisions
@@ -46,9 +45,9 @@
* @param authList
* @throws {@link IOException}
*/
- void setAuthProperties(List<AuthPropertyType> authList)
- throws TrustKeyConfigurationException, TrustKeyProcessingException;
-
+ void setAuthProperties(List<AuthPropertyType> authList) throws
TrustKeyConfigurationException,
+ TrustKeyProcessingException;
+
/**
* Set a list of (domain,alias) tuple to trust domains
* The alias is a string that represents the validating key stored
@@ -56,17 +55,16 @@
* @param aliases
* @throws {@link IOException}
*/
- void setValidatingAlias(List<KeyValueType> aliases)
- throws TrustKeyConfigurationException, TrustKeyProcessingException;
-
+ void setValidatingAlias(List<KeyValueType> aliases) throws
TrustKeyConfigurationException,
+ TrustKeyProcessingException;
+
/**
* Get the Signing Key
* @return
* @throws {@link CertificateException}
*/
- PrivateKey getSigningKey()
- throws TrustKeyConfigurationException, TrustKeyProcessingException;
-
+ PrivateKey getSigningKey() throws TrustKeyConfigurationException,
TrustKeyProcessingException;
+
/**
* <p>
* Constructs a {@code KeyPair} instance containing the signing key ({@code
PrivateKey}) and associated
@@ -75,27 +73,24 @@
*
* @return the constructed {@code KeyPair} object.
*/
- KeyPair getSigningKeyPair()
- throws TrustKeyConfigurationException, TrustKeyProcessingException;
-
+ KeyPair getSigningKeyPair() throws TrustKeyConfigurationException,
TrustKeyProcessingException;
+
/**
* Get the certificate given an alias
* @param alias
* @return
* @throws {@link CertificateException}
*/
- Certificate getCertificate(String alias)
- throws TrustKeyConfigurationException, TrustKeyProcessingException;
-
+ Certificate getCertificate(String alias) throws TrustKeyConfigurationException,
TrustKeyProcessingException;
+
/**
* Get a Public Key given an alias
* @param alias
* @return
* @throws {@link CertificateException}
*/
- PublicKey getPublicKey(String alias)
- throws TrustKeyConfigurationException, TrustKeyProcessingException;
-
+ PublicKey getPublicKey(String alias) throws TrustKeyConfigurationException,
TrustKeyProcessingException;
+
/**
* Given a domain, obtain a secret key
* @see {@code EncryptionKeyUtil}
@@ -104,14 +99,27 @@
* @param keyLength length of keys
* @return
*/
- SecretKey getEncryptionKey(String domain, String encryptionAlgorithm, int keyLength)
- throws TrustKeyConfigurationException, TrustKeyProcessingException;
-
+ SecretKey getEncryptionKey(String domain, String encryptionAlgorithm, int keyLength)
+ throws TrustKeyConfigurationException, TrustKeyProcessingException;
+
/**
* Get the Validating Public Key of the domain
* @param domain
* @return
*/
- PublicKey getValidatingKey(String domain)
- throws TrustKeyConfigurationException, TrustKeyProcessingException;
+ PublicKey getValidatingKey(String domain) throws TrustKeyConfigurationException,
TrustKeyProcessingException;
+
+ /**
+ * Add general options
+ * @param key
+ * @param value
+ */
+ void addAdditionalOption(String key, Object value);
+
+ /**
+ * Get additional option
+ * @param key
+ * @return
+ */
+ Object getAdditionalOption(String key);
}
\ No newline at end of file
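Review bot: Adding `addAdditionalOption` and `getAdditionalOption` as abstract methods to the public `TrustKeyManager` interface is a source- and binary-incompatible change for every implementation outside this tree, which will fail to compile or hit `AbstractMethodError` at runtime until updated; the commit message does not mention this. Call it out in the interface Javadoc (an `@since` tag on both methods) and in the release notes, or provide an abstract base class implementers can extend. The new Javadoc also leaves `@param key`, `@param value` and `@return` empty; at minimum state that `getAdditionalOption` returns `{@code null}` when no value is registered and that options are free-form, untyped values whose meaning is defined by the caller.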
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderBaseProcessor.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderBaseProcessor.java 2011-08-08
17:09:25 UTC (rev 1157)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderBaseProcessor.java 2011-08-08
19:17:22 UTC (rev 1158)
@@ -40,10 +40,10 @@
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
+import
org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler.HANDLER_TYPE;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
+import
org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest.GENERATE_REQUEST_TYPE;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
-import
org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler.HANDLER_TYPE;
-import
org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest.GENERATE_REQUEST_TYPE;
import org.picketlink.identity.federation.web.constants.GeneralConstants;
import org.picketlink.identity.federation.web.core.HTTPContext;
@@ -55,20 +55,25 @@
public class ServiceProviderBaseProcessor
{
protected static Logger log = Logger.getLogger(ServiceProviderBaseProcessor.class);
+
protected boolean trace = log.isTraceEnabled();
-
+
protected boolean postBinding;
+
protected String serviceURL;
-
+
protected String identityURL;
-
+
protected SPType spConfiguration;
+
protected TrustKeyManager keyManager;
-
+
protected String issuer = null;
-
+
protected boolean supportSignatures = false;
+ public static final String IDP_KEY = "idp.key";
+
/**
* Construct
* @param postBinding Whether it is the Post Binding
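Review bot: `public static final String IDP_KEY = "idp.key";` is inserted between the instance fields with no blank line before it and no Javadoc, and it is referenced from other modules (`SPRedirectSignatureFormAuthenticator` in the bindings and `ServiceProviderSAMLResponseProcessor`), so a processor class is an odd owner for a shared option key; the file already imports `GeneralConstants` for keys such as `SENDER_PUBLIC_KEY`, which looks like the natural home. If it stays here, move it above the instance fields and add `/** Option key under which the configured IDP key alias is registered on the {@code TrustKeyManager}. */`.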
@@ -79,7 +84,7 @@
this.postBinding = postBinding;
this.serviceURL = serviceURL;
}
-
+
/**
* Set the SP configuration
* @param sp
@@ -88,7 +93,7 @@
{
this.spConfiguration = sp;
}
-
+
/**
* Set the {@code TrustKeyManager}
* @param tkm
@@ -97,7 +102,7 @@
{
this.keyManager = tkm;
}
-
+
/**
* Set the Identity URL
* @param identityURL
@@ -114,8 +119,8 @@
public void setSupportSignatures(boolean supportSignatures)
{
this.supportSignatures = supportSignatures;
- }
-
+ }
+
/**
* Set a separate issuer that is different from the service url
* @param issuer
@@ -125,87 +130,82 @@
this.issuer = issuer;
}
- public SAML2HandlerResponse process(HTTPContext httpContext,
- Set<SAML2Handler> handlers,
- Lock chainLock)
- throws ProcessingException, IOException, ParsingException, ConfigurationException
+ public SAML2HandlerResponse process(HTTPContext httpContext, Set<SAML2Handler>
handlers, Lock chainLock)
+ throws ProcessingException, IOException, ParsingException,
ConfigurationException
{
- if(trace)
+ if (trace)
log.trace("Handlers are:" + handlers);
-
+
//Neither saml request nor response from IDP
//So this is a user request
//Ask the handler chain to generate the saml request
-
+
//Create the request/response
- SAML2HandlerRequest saml2HandlerRequest = getSAML2HandlerRequest(null,httpContext);
+ SAML2HandlerRequest saml2HandlerRequest = getSAML2HandlerRequest(null,
httpContext);
SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse();
-
- saml2HandlerResponse.setDestination( identityURL );
+ saml2HandlerResponse.setDestination(identityURL);
+
//Reset the state
try
{
- if(trace)
+ if (trace)
log.trace("Handlers are : " + handlers);
-
+
chainLock.lock();
-
- for(SAML2Handler handler: handlers)
+
+ for (SAML2Handler handler : handlers)
{
handler.reset();
- if(saml2HandlerResponse.isInError())
+ if (saml2HandlerResponse.isInError())
{
httpContext.getResponse().sendError(saml2HandlerResponse.getErrorCode());
break;
- }
+ }
- if(isLogOutRequest(httpContext))
+ if (isLogOutRequest(httpContext))
saml2HandlerRequest.setTypeOfRequestToBeGenerated(GENERATE_REQUEST_TYPE.LOGOUT);
- else
+ else
saml2HandlerRequest.setTypeOfRequestToBeGenerated(GENERATE_REQUEST_TYPE.AUTH);
handler.generateSAMLRequest(saml2HandlerRequest, saml2HandlerResponse);
- if(trace)
+ if (trace)
log.trace("Finished Processing handler:" +
handler.getClass().getCanonicalName());
- }
+ }
}
- catch(ProcessingException pe)
+ catch (ProcessingException pe)
{
log.error("Processing Exception:", pe);
throw new RuntimeException(pe);
- }
+ }
finally
{
chainLock.unlock();
}
-
+
return saml2HandlerResponse;
}
-
- protected SAML2HandlerRequest getSAML2HandlerRequest(SAMLDocumentHolder
documentHolder,
- HTTPContext httpContext)
+
+ protected SAML2HandlerRequest getSAML2HandlerRequest(SAMLDocumentHolder
documentHolder, HTTPContext httpContext)
{
IssuerInfoHolder holder = null;
-
- if( issuer == null )
+
+ if (issuer == null)
{
holder = new IssuerInfoHolder(this.serviceURL);
}
else
{
- holder = new IssuerInfoHolder( issuer );
- }
+ holder = new IssuerInfoHolder(issuer);
+ }
- return new DefaultSAML2HandlerRequest(httpContext,
- holder.getIssuer(), documentHolder,
- HANDLER_TYPE.SP);
+ return new DefaultSAML2HandlerRequest(httpContext, holder.getIssuer(),
documentHolder, HANDLER_TYPE.SP);
}
-
+
protected boolean isLogOutRequest(HTTPContext httpContext)
{
HttpServletRequest request = httpContext.getRequest();
String gloStr = request.getParameter(GeneralConstants.GLOBAL_LOGOUT);
- return isNotNull(gloStr) && "true".equalsIgnoreCase(gloStr);
- }
+ return isNotNull(gloStr) && "true".equalsIgnoreCase(gloStr);
+ }
}
\ No newline at end of file
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java 2011-08-08
17:09:25 UTC (rev 1157)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java 2011-08-08
19:17:22 UTC (rev 1158)
@@ -48,6 +48,7 @@
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.util.CoreConfigUtil;
+import org.picketlink.identity.federation.core.util.StringUtil;
import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
import org.picketlink.identity.federation.saml.v2.SAML2Object;
import org.picketlink.identity.federation.saml.v2.protocol.StatusResponseType;
@@ -152,7 +153,12 @@
{
log.trace("ServiceProviderSAMLResponseProcessor::Remote Host=" +
remoteHost);
}
- PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager,
remoteHost);
+ String idpKey = (String)
keyManager.getAdditionalOption(ServiceProviderBaseProcessor.IDP_KEY);
+ if (StringUtil.isNullOrEmpty(idpKey))
+ {
+ idpKey = remoteHost;
+ }
+ PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager,
idpKey);
requestOptions.put(GeneralConstants.SENDER_PUBLIC_KEY, validatingKey);
requestOptions.put(GeneralConstants.DECRYPTING_KEY,
keyManager.getSigningKey());
}
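Review bot: `(String) keyManager.getAdditionalOption(ServiceProviderBaseProcessor.IDP_KEY)` is an unchecked cast on an untyped options map that any component may write to, so a non-String value under that key surfaces as a `ClassCastException` from response processing rather than as a configuration error. Guard it: `Object idpKeyOption = keyManager.getAdditionalOption(ServiceProviderBaseProcessor.IDP_KEY);` and `String idpKey = idpKeyOption instanceof String ? (String) idpKeyOption : null;`. The trace line above logs `remoteHost` but not the alias actually used for the key lookup once the override applies; logging `idpKey` at trace level there would make the trust decision easier to audit. The enclosing method starts and ends outside the hunk.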