[security-dev] About keeping SPFilter more up-to-date

Adam Dong adamdong at vidder.com
Thu Aug 7 19:17:58 EDT 2014


Hi, guys,

The current SPFilter doesn't support

1.       signing AuthnRequest (note that the example IdP metadata below advertises WantAuthnRequestsSigned="false", so at least this IdP does not require it; an IdP that sets it to "true" will reject unsigned requests)

2.       decrypting an encrypted Assertion / NameID with the SP's own private key (it seems to support validating the assertion signature, which is the security-critical part, but I didn't get that far yet)

3.       loading/understanding the standard IDP metadata file (example below).

Is my understanding above correct ?

The reason I'm using the filter and not the valve is that I have to support web containers other than JBoss.

If I need those three things, should I go ahead and code them myself (and, after testing, contribute them back to the community, with my company's permission)?
Or is there effort already under-way ?
Or better yet, these are already done and ready to be shared ?

Thanks for any feedback.

Adam Dong

---------------------------------------- example IDP metadata file --------------------------------------------------------------------------------

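<?xml version="1.0" encoding="UTF-8"?>
<!--
  Example SAML 2.0 IdP metadata (SSOCircle test IdP), as pasted in the mail.
  Reconstructed from a browser tree view: the leading "-" collapse markers that
  preceded each start tag have been dropped, and standalone="true" has been removed
  (the XML spec only allows standalone="yes" or "no"), so the document is well-formed.

  Security notes for an SP that loads this file:
  - The KeyDescriptor certificates are the SP's trust anchor for this IdP. Trust comes
    from HOW the metadata was obtained (out of band, or over TLS from a URL fixed in
    the SP's configuration), not from the certificate's issuer or chain. Pin the
    entityID to these certificates and reject any Response/Assertion not signed by them.
  - When parsing metadata fetched from a URL, disable DOCTYPE / external entity
    resolution (XXE) and bound document size, and refresh the file periodically rather
    than trusting it indefinitely (the embedded certificate has an expiry).
-->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://idp.ssocircle.com">
  <!-- WantAuthnRequestsSigned="false": this IdP does not require signed AuthnRequests,
       so an SP talking only to it can defer AuthnRequest signing. -->
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
    <!-- Signing key. The SP must verify the Response/Assertion XML signature against
         THIS certificate, never against a KeyInfo carried inside the message itself.
         NOTE(review): decoding the base64 appears to give a 1024-bit RSA key, signed
         md5WithRSA, valid 2011-05-17 to 2016-08-17, subject CN=idp.ssocircle.com;
         confirm with `openssl x509 -text`. Acceptable for a test IdP, weak for production. -->
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate> MIICjDCCAXSgAwIBAgIFAJRvxcMwDQYJKoZIhvcNAQEEBQAwLjELMAkGA1UEBhMCREUxEjAQBgNV BAoTCVNTT0NpcmNsZTELMAkGA1UEAxMCQ0EwHhcNMTEwNTE3MTk1NzIxWhcNMTYwODE3MTk1NzIx WjBLMQswCQYDVQQGEwJERTESMBAGA1UEChMJU1NPQ2lyY2xlMQwwCgYDVQQLEwNpZHAxGjAYBgNV BAMTEWlkcC5zc29jaXJjbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbzDRkudC/ aC2gMqRVVaLdPJJEwpFB4o71fR5bnNd2ocnnNzJ/W9CoCargzKx+EJ4Nm3vWmX/IZRCFvrvy9C78 fP1cmt6Sa091K9luaMAyWn7oC8h/YBXH7rB42tdvWLY4Kl9VJy6UCclvasyrfKx+SR4KU6zCsM62 2Kvp5wW67QIDAQABoxgwFjAUBglghkgBhvhCAQEBAf8EBAMCBHAwDQYJKoZIhvcNAQEEBQADggEB AJ0heua7mFO3QszdGu1NblGaTDXtf6Txte0zpYIt+8YUcza2SaZXXvCLb9DvGxW1TJWaZpPGpHz5 tLXJbdYQn7xTAnL4yQOKN6uNqUA/aTVgyyUJkWZt2giwEsWUvG0UBMSPS1tp2pV2c6/olIcbdYU6 ZecUz6N24sSS7itEBC6nwCVBoHOL8u6MsfxMLDzJIPBI68UZjz3IMKTDUDv6U9DtYmXLc8iMVZBn cYJn9NgNi3ghl9fYPpHcc6QbXeDUjhdzXXUqG+hB6FabGqdTdkIZwoi4gNpyr3kacKRVWJssDgak eL2MoDNqJyQ0fXC6Ze3f79CKy/WjeU5FLwDZR0Q= </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <!-- Encryption key (same certificate as the signing key). This is the key an SP
         uses to encrypt data it sends TO the IdP (e.g. an encrypted NameID in a
         LogoutRequest). Decrypting an EncryptedAssertion/EncryptedID the IdP sends to
         the SP uses the SP's own private key, published in the SP's metadata, not this
         certificate. -->
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate> MIICjDCCAXSgAwIBAgIFAJRvxcMwDQYJKoZIhvcNAQEEBQAwLjELMAkGA1UEBhMCREUxEjAQBgNV BAoTCVNTT0NpcmNsZTELMAkGA1UEAxMCQ0EwHhcNMTEwNTE3MTk1NzIxWhcNMTYwODE3MTk1NzIx WjBLMQswCQYDVQQGEwJERTESMBAGA1UEChMJU1NPQ2lyY2xlMQwwCgYDVQQLEwNpZHAxGjAYBgNV BAMTEWlkcC5zc29jaXJjbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbzDRkudC/ aC2gMqRVVaLdPJJEwpFB4o71fR5bnNd2ocnnNzJ/W9CoCargzKx+EJ4Nm3vWmX/IZRCFvrvy9C78 fP1cmt6Sa091K9luaMAyWn7oC8h/YBXH7rB42tdvWLY4Kl9VJy6UCclvasyrfKx+SR4KU6zCsM62 2Kvp5wW67QIDAQABoxgwFjAUBglghkgBhvhCAQEBAf8EBAMCBHAwDQYJKoZIhvcNAQEEBQADggEB AJ0heua7mFO3QszdGu1NblGaTDXtf6Txte0zpYIt+8YUcza2SaZXXvCLb9DvGxW1TJWaZpPGpHz5 tLXJbdYQn7xTAnL4yQOKN6uNqUA/aTVgyyUJkWZt2giwEsWUvG0UBMSPS1tp2pV2c6/olIcbdYU6 ZecUz6N24sSS7itEBC6nwCVBoHOL8u6MsfxMLDzJIPBI68UZjz3IMKTDUDv6U9DtYmXLc8iMVZBn cYJn9NgNi3ghl9fYPpHcc6QbXeDUjhdzXXUqG+hB6FabGqdTdkIZwoi4gNpyr3kacKRVWJssDgak eL2MoDNqJyQ0fXC6Ze3f79CKy/WjeU5FLwDZR0Q= </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <!-- AES-128-CBC: no built-in integrity. An SP implementing XML decryption should
           verify the message signature BEFORE decrypting and must not expose whether
           decryption or padding failed, to avoid chosen-ciphertext (padding-oracle)
           attacks on CBC-mode XML Encryption. -->
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
        <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
      </EncryptionMethod>
    </KeyDescriptor>
    <!-- Endpoints. An SP should only send to / accept responses from endpoints listed
         here (all https), and should check that a Response's Destination matches the
         SP's own registered endpoint, not just that it came from this IdP. -->
    <ArtifactResolutionService Location="https://idp.ssocircle.com:443/sso/ArtifactResolver/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" isDefault="true" index="0"/>
    <SingleLogoutService Location="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle"/>
    <SingleLogoutService Location="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle"/>
    <SingleLogoutService Location="https://idp.ssocircle.com:443/sso/IDPSloSoap/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <ManageNameIDService Location="https://idp.ssocircle.com:443/sso/IDPMniRedirect/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPMniRedirect/metaAlias/ssocircle"/>
    <!-- NOTE(review): the Location below reads "IDPMniPOSTmetaAlias" while its
         ResponseLocation reads "IDPMniPOST/metaAlias"; the missing "/" looks like a typo
         in the published metadata. Left as pasted; confirm with the IdP before relying
         on the HTTP-POST MNI binding. -->
    <ManageNameIDService Location="https://idp.ssocircle.com:443/sso/IDPMniPOSTmetaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPMniPOST/metaAlias/ssocircle"/>
    <ManageNameIDService Location="https://idp.ssocircle.com:443/sso/IDPMniSoap/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <!-- NameID formats the IdP can issue. The SP should request and accept only the
         format(s) it actually maps to a local identity. -->
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
    <SingleSignOnService Location="https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <SingleSignOnService Location="https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <SingleSignOnService Location="https://idp.ssocircle.com:443/sso/SSOSoap/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <NameIDMappingService Location="https://idp.ssocircle.com:443/sso/NIMSoap/metaAlias/ssocircle" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
  </IDPSSODescriptor>
</EntityDescriptor>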

