[jboss-cvs] Picketlink SVN: r1158 - in federation/trunk: picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/impl and 2 other directories.



Author: anil.saldhana at jboss.com
Date: 2011-08-08 15:17:22 -0400 (Mon, 08 Aug 2011)
New Revision: 1158

Modified:
   federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
   federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/impl/KeyStoreKeyManager.java
   federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/TrustKeyManager.java
   federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderBaseProcessor.java
   federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java
Log:
PLFED-220: allow users to configure idp validating alias


Modified: federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
===================================================================
--- federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java	2011-08-08 17:09:25 UTC (rev 1157)
+++ federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java	2011-08-08 19:17:22 UTC (rev 1158)
@@ -69,16 +69,20 @@
 
    private TrustKeyManager keyManager;
 
-   protected String validatingAlias = null;
+   protected String idpAddress = null;
 
    public SPRedirectSignatureFormAuthenticator()
    {
       super();
    }
 
-   public void setValidatingAlias(String validatingAlias)
+   /**
+    * If the request.getRemoteAddr is not exactly the IDP address that you have keyed
+    * in your deployment descriptor for keystore alias, you can set it here explicitly
+    */
+   public void setIdpAddress(String idpAddress)
    {
-      this.validatingAlias = validatingAlias;
+      this.idpAddress = idpAddress;
    }
 
    @Override
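Review bot: Renaming `setValidatingAlias` to `setIdpAddress` drops the setter that existing valve configuration is bound to; if Tomcat populates this authenticator's attributes by setter name, as it does for Valve elements in context.xml, a deployment that still sets `validatingAlias` will stop being applied silently instead of failing at start-up. Keeping a deprecated delegating setter for one release avoids the quiet loss of the configured alias. The new javadoc on `setIdpAddress` would also read better as a sentence, e.g. `Sets the keystore alias of the IDP validating key explicitly; when unset, the request's remote address is used as the alias.`
```java
   // … unchanged: setIdpAddress …

   /**
    * @deprecated use {@link #setIdpAddress(String)}; retained so that
    * existing {@code validatingAlias} valve attributes keep being applied
    */
   @Deprecated
   public void setValidatingAlias(String validatingAlias)
   {
      setIdpAddress(validatingAlias);
   }
```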
@@ -104,6 +108,16 @@
          List<AuthPropertyType> authProperties = CoreConfigUtil.getKeyProviderProperties(keyProvider);
          keyManager.setAuthProperties(authProperties);
          keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
+
+         /**
+          * Since the user has explicitly configured the idp address, we need
+          * to add an option on the keymanager such that users of keymanager
+          * can choose the proper idp key for validation
+          */
+         if (StringUtil.isNotNull(idpAddress))
+         {
+            keyManager.addAdditionalOption(ServiceProviderBaseProcessor.IDP_KEY, this.idpAddress);
+         }
       }
       catch (Exception e)
       {
@@ -155,11 +169,11 @@
       PublicKey validatingKey;
       try
       {
-         if (StringUtil.isNullOrEmpty(validatingAlias))
+         if (StringUtil.isNullOrEmpty(idpAddress))
          {
-            validatingAlias = request.getRemoteAddr();
+            idpAddress = request.getRemoteAddr();
          }
-         validatingKey = keyManager.getValidatingKey(validatingAlias);
+         validatingKey = keyManager.getValidatingKey(idpAddress);
       }
       catch (TrustKeyConfigurationException e)
       {

Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/impl/KeyStoreKeyManager.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/impl/KeyStoreKeyManager.java	2011-08-08 17:09:25 UTC (rev 1157)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/impl/KeyStoreKeyManager.java	2011-08-08 19:17:22 UTC (rev 1158)
@@ -69,6 +69,8 @@
     */
    private final Map<String, SecretKey> keys = new HashMap<String, SecretKey>();
 
+   private final Map<String, Object> options = new HashMap<String, Object>();
+
    private static Logger log = Logger.getLogger(KeyStoreKeyManager.class);
 
    private final boolean trace = log.isTraceEnabled();
@@ -339,6 +341,23 @@
       return key;
    }
 
+   /**
+    * @see org.picketlink.identity.federation.core.interfaces.TrustKeyManager#addAdditionalOption(java.lang.String, java.lang.Object)
+    */
+   public void addAdditionalOption(String key, Object value)
+   {
+      this.options.put(key, value);
+   }
+
+   /**
+    * 
+    * @see org.picketlink.identity.federation.core.interfaces.TrustKeyManager#getAdditionalOption(java.lang.String)
+    */
+   public Object getAdditionalOption(String key)
+   {
+      return this.options.get(key);
+   }
+
    private void setUpKeyStore() throws GeneralSecurityException, IOException
    {
       //Keystore URL/Pass can be either by configuration or on the HTTPS connector
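Review bot: `getAdditionalOption` returns `null` for an unknown key and `addAdditionalOption` silently replaces an existing value, but neither javadoc says so; the bare `@see` links leave callers guessing. Suggest `@return the value registered under {@code key}, or {@code null} if none was added` on the getter and `Adds or replaces the option stored under {@code key}` on the adder. The backing `options` map introduced in the previous hunk is a plain `HashMap` that the SAML response processor reads on every response while the map stays writable through a public method; with the single write at authenticator start-up that is benign, but either document that options must be registered before the manager is shared, or back it with `Collections.synchronizedMap(new HashMap<String, Object>())`.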

Modified: federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/TrustKeyManager.java
===================================================================
--- federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/TrustKeyManager.java	2011-08-08 17:09:25 UTC (rev 1157)
+++ federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/TrustKeyManager.java	2011-08-08 19:17:22 UTC (rev 1158)
@@ -31,7 +31,6 @@
 
 import org.picketlink.identity.federation.core.config.AuthPropertyType;
 import org.picketlink.identity.federation.core.config.KeyValueType;
- 
 
 /**
  * Key Manager interface used in trust decisions
@@ -46,9 +45,9 @@
     * @param authList
     * @throws {@link IOException}
     */
-   void setAuthProperties(List<AuthPropertyType> authList) 
-   throws TrustKeyConfigurationException, TrustKeyProcessingException;
-   
+   void setAuthProperties(List<AuthPropertyType> authList) throws TrustKeyConfigurationException,
+         TrustKeyProcessingException;
+
    /**
     * Set a list of (domain,alias) tuple to trust domains
     * The alias is a string that represents the validating key stored
@@ -56,17 +55,16 @@
     * @param aliases
     * @throws {@link IOException}
     */
-   void setValidatingAlias(List<KeyValueType> aliases) 
-   throws TrustKeyConfigurationException, TrustKeyProcessingException;
-   
+   void setValidatingAlias(List<KeyValueType> aliases) throws TrustKeyConfigurationException,
+         TrustKeyProcessingException;
+
    /**
     * Get the Signing Key
     * @return
     * @throws {@link CertificateException}
     */
-   PrivateKey getSigningKey() 
-   throws TrustKeyConfigurationException, TrustKeyProcessingException;
-  
+   PrivateKey getSigningKey() throws TrustKeyConfigurationException, TrustKeyProcessingException;
+
    /**
     * <p>
     * Constructs a {@code KeyPair} instance containing the signing key ({@code PrivateKey}) and associated
@@ -75,27 +73,24 @@
     * 
     * @return the constructed {@code KeyPair} object.
     */
-   KeyPair getSigningKeyPair()
-   throws TrustKeyConfigurationException, TrustKeyProcessingException;
-   
+   KeyPair getSigningKeyPair() throws TrustKeyConfigurationException, TrustKeyProcessingException;
+
    /**
     * Get the certificate given an alias
     * @param alias
     * @return
     * @throws {@link CertificateException}
     */
-   Certificate getCertificate(String alias) 
-   throws TrustKeyConfigurationException, TrustKeyProcessingException;
-   
+   Certificate getCertificate(String alias) throws TrustKeyConfigurationException, TrustKeyProcessingException;
+
    /**
     * Get a Public Key given an alias
     * @param alias
     * @return
     * @throws {@link CertificateException}
     */
-   PublicKey getPublicKey(String alias) 
-   throws TrustKeyConfigurationException, TrustKeyProcessingException;
-  
+   PublicKey getPublicKey(String alias) throws TrustKeyConfigurationException, TrustKeyProcessingException;
+
    /**
     * Given a domain, obtain a secret key
     * @see {@code EncryptionKeyUtil}
@@ -104,14 +99,27 @@
     * @param keyLength length of keys
     * @return 
     */
-   SecretKey getEncryptionKey(String domain, String encryptionAlgorithm, int keyLength) 
-   throws TrustKeyConfigurationException, TrustKeyProcessingException;
-   
+   SecretKey getEncryptionKey(String domain, String encryptionAlgorithm, int keyLength)
+         throws TrustKeyConfigurationException, TrustKeyProcessingException;
+
    /**
     * Get the Validating Public Key of the domain
     * @param domain
     * @return 
     */
-   PublicKey getValidatingKey(String domain) 
-   throws TrustKeyConfigurationException, TrustKeyProcessingException;
+   PublicKey getValidatingKey(String domain) throws TrustKeyConfigurationException, TrustKeyProcessingException;
+
+   /**
+    * Add general options
+    * @param key
+    * @param value
+    */
+   void addAdditionalOption(String key, Object value);
+
+   /**
+    * Get additional option
+    * @param key
+    * @return
+    */
+   Object getAdditionalOption(String key);
 }
\ No newline at end of file
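Review bot: The new interface methods `addAdditionalOption` and `getAdditionalOption` carry placeholder javadoc (`@param key`, an empty `@return`), so implementors cannot tell whether a missing key yields `null` or an exception, nor whether re-adding a key replaces the value. State the contract on the interface, e.g. `@return the value previously registered for {@code key}, or {@code null} if none` and `Registers an implementation-specific option; a later call with the same key replaces the value`. The only key used so far appears to be `ServiceProviderBaseProcessor.IDP_KEY` from a module that depends on this one, so a sentence in the type javadoc naming the keys the framework itself reads would help implementors of other key managers.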

Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderBaseProcessor.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderBaseProcessor.java	2011-08-08 17:09:25 UTC (rev 1157)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderBaseProcessor.java	2011-08-08 19:17:22 UTC (rev 1158)
@@ -40,10 +40,10 @@
 import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerRequest;
 import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerResponse;
 import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
+import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler.HANDLER_TYPE;
 import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
+import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest.GENERATE_REQUEST_TYPE;
 import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
-import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler.HANDLER_TYPE;
-import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest.GENERATE_REQUEST_TYPE;
 import org.picketlink.identity.federation.web.constants.GeneralConstants;
 import org.picketlink.identity.federation.web.core.HTTPContext;
 
@@ -55,20 +55,25 @@
 public class ServiceProviderBaseProcessor
 {
    protected static Logger log = Logger.getLogger(ServiceProviderBaseProcessor.class);
+
    protected boolean trace = log.isTraceEnabled();
-   
+
    protected boolean postBinding;
+
    protected String serviceURL;
-   
+
    protected String identityURL;
-   
+
    protected SPType spConfiguration;
+
    protected TrustKeyManager keyManager;
-   
+
    protected String issuer = null;
-   
+
    protected boolean supportSignatures = false;
 
+   public static final String IDP_KEY = "idp.key";
+
    /**
     * Construct
     * @param postBinding Whether it is the Post Binding
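Review bot: The new `IDP_KEY` constant has no javadoc, yet its value `"idp.key"` is the contract between the Tomcat authenticator that writes it and `ServiceProviderSAMLResponseProcessor` that reads it; a one-liner such as `/** TrustKeyManager option holding the configured IDP address/alias used to select the validating key. */` is needed. The constant also sits between the protected instance fields and the constructor javadoc rather than with the other statics. The file already imports `GeneralConstants`, which looks like the existing home for shared option keys; hosting it there would spare the bindings module from reaching into a processor class for a string, though that is a placement suggestion since `GeneralConstants` is not visible here.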
@@ -79,7 +84,7 @@
       this.postBinding = postBinding;
       this.serviceURL = serviceURL;
    }
-   
+
    /**
     * Set the SP configuration
     * @param sp
@@ -88,7 +93,7 @@
    {
       this.spConfiguration = sp;
    }
-   
+
    /**
     * Set the {@code TrustKeyManager}
     * @param tkm
@@ -97,7 +102,7 @@
    {
       this.keyManager = tkm;
    }
-   
+
    /**
     * Set the Identity URL
     * @param identityURL
@@ -114,8 +119,8 @@
    public void setSupportSignatures(boolean supportSignatures)
    {
       this.supportSignatures = supportSignatures;
-   }   
-   
+   }
+
    /**
     * Set a separate issuer that is different from the service url
     * @param issuer
@@ -125,87 +130,82 @@
       this.issuer = issuer;
    }
 
-   public SAML2HandlerResponse process(HTTPContext httpContext,
-         Set<SAML2Handler> handlers,
-         Lock chainLock) 
-   throws ProcessingException, IOException, ParsingException, ConfigurationException
+   public SAML2HandlerResponse process(HTTPContext httpContext, Set<SAML2Handler> handlers, Lock chainLock)
+         throws ProcessingException, IOException, ParsingException, ConfigurationException
    {
-      if(trace)
+      if (trace)
          log.trace("Handlers are:" + handlers);
-      
+
       //Neither saml request nor response from IDP
       //So this is a user request
 
       //Ask the handler chain to generate the saml request
-      
+
       //Create the request/response
-      SAML2HandlerRequest saml2HandlerRequest = getSAML2HandlerRequest(null,httpContext); 
+      SAML2HandlerRequest saml2HandlerRequest = getSAML2HandlerRequest(null, httpContext);
       SAML2HandlerResponse saml2HandlerResponse = new DefaultSAML2HandlerResponse();
-      
-      saml2HandlerResponse.setDestination( identityURL );
 
+      saml2HandlerResponse.setDestination(identityURL);
+
       //Reset the state
       try
       {
-         if(trace)
+         if (trace)
             log.trace("Handlers are : " + handlers);
-         
+
          chainLock.lock();
-         
-         for(SAML2Handler handler: handlers)
+
+         for (SAML2Handler handler : handlers)
          {
             handler.reset();
-            if(saml2HandlerResponse.isInError())
+            if (saml2HandlerResponse.isInError())
             {
                httpContext.getResponse().sendError(saml2HandlerResponse.getErrorCode());
                break;
-            }  
+            }
 
-            if(isLogOutRequest(httpContext))
+            if (isLogOutRequest(httpContext))
                saml2HandlerRequest.setTypeOfRequestToBeGenerated(GENERATE_REQUEST_TYPE.LOGOUT);
-            else   
+            else
                saml2HandlerRequest.setTypeOfRequestToBeGenerated(GENERATE_REQUEST_TYPE.AUTH);
             handler.generateSAMLRequest(saml2HandlerRequest, saml2HandlerResponse);
-            if(trace)
+            if (trace)
                log.trace("Finished Processing handler:" + handler.getClass().getCanonicalName());
-         } 
+         }
       }
-      catch(ProcessingException pe)
+      catch (ProcessingException pe)
       {
          log.error("Processing Exception:", pe);
          throw new RuntimeException(pe);
-      } 
+      }
       finally
       {
          chainLock.unlock();
       }
-      
+
       return saml2HandlerResponse;
    }
-   
-   protected SAML2HandlerRequest getSAML2HandlerRequest(SAMLDocumentHolder documentHolder,
-         HTTPContext httpContext)
+
+   protected SAML2HandlerRequest getSAML2HandlerRequest(SAMLDocumentHolder documentHolder, HTTPContext httpContext)
    {
       IssuerInfoHolder holder = null;
-      
-      if( issuer == null )
+
+      if (issuer == null)
       {
          holder = new IssuerInfoHolder(this.serviceURL);
       }
       else
       {
-         holder = new IssuerInfoHolder( issuer );
-      } 
+         holder = new IssuerInfoHolder(issuer);
+      }
 
-      return  new DefaultSAML2HandlerRequest(httpContext,
-            holder.getIssuer(), documentHolder, 
-            HANDLER_TYPE.SP); 
+      return new DefaultSAML2HandlerRequest(httpContext, holder.getIssuer(), documentHolder, HANDLER_TYPE.SP);
    }
-   
+
    protected boolean isLogOutRequest(HTTPContext httpContext)
    {
       HttpServletRequest request = httpContext.getRequest();
       String gloStr = request.getParameter(GeneralConstants.GLOBAL_LOGOUT);
-      return isNotNull(gloStr) && "true".equalsIgnoreCase(gloStr); 
-   } 
+      return isNotNull(gloStr) && "true".equalsIgnoreCase(gloStr);
+   }
 }
\ No newline at end of file

Modified: federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java
===================================================================
--- federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java	2011-08-08 17:09:25 UTC (rev 1157)
+++ federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/process/ServiceProviderSAMLResponseProcessor.java	2011-08-08 19:17:22 UTC (rev 1158)
@@ -48,6 +48,7 @@
 import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
 import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
 import org.picketlink.identity.federation.core.util.CoreConfigUtil;
+import org.picketlink.identity.federation.core.util.StringUtil;
 import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
 import org.picketlink.identity.federation.saml.v2.SAML2Object;
 import org.picketlink.identity.federation.saml.v2.protocol.StatusResponseType;
@@ -152,7 +153,12 @@
             {
                log.trace("ServiceProviderSAMLResponseProcessor::Remote Host=" + remoteHost);
             }
-            PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager, remoteHost);
+            String idpKey = (String) keyManager.getAdditionalOption(ServiceProviderBaseProcessor.IDP_KEY);
+            if (StringUtil.isNullOrEmpty(idpKey))
+            {
+               idpKey = remoteHost;
+            }
+            PublicKey validatingKey = CoreConfigUtil.getValidatingKey(keyManager, idpKey);
             requestOptions.put(GeneralConstants.SENDER_PUBLIC_KEY, validatingKey);
             requestOptions.put(GeneralConstants.DECRYPTING_KEY, keyManager.getSigningKey());
          }
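Review bot: Once `IDP_KEY` is configured the alias used to fetch the validating key no longer equals `remoteHost`, but the trace line just above still records only the remote host, so a wrong-key problem cannot be diagnosed from the log; add `if (trace) log.trace("ServiceProviderSAMLResponseProcessor::Validating key alias=" + idpKey);` after the fallback. The cast `(String) keyManager.getAdditionalOption(...)` throws `ClassCastException` if another caller stores a non-String under that key; as the interface returns `Object`, an `instanceof String` check before the cast, otherwise falling back to `remoteHost`, is more robust. The same configured-alias-or-remote-address selection is written inline in `SPRedirectSignatureFormAuthenticator`; resolving it once inside `CoreConfigUtil.getValidatingKey` would keep the two paths from drifting. The enclosing method starts and ends outside the hunk.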


