From cohei...@apache.org
Subject git commit: Added support for KeyDescriptors in SAML SSO Metadata
Date Wed, 30 Jul 2014 13:39:00 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 7c5463176 -> 84a57eead


Added support for KeyDescriptors in SAML SSO Metadata


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/84a57eea
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/84a57eea
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/84a57eea

Branch: refs/heads/master
Commit: 84a57eead9e3fdbb9a9d4b24a880f304b62967b8
Parents: 7c54631
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Jul 30 14:38:35 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Jul 30 14:38:35 2014 +0100

----------------------------------------------------------------------
 .../apache/cxf/fediz/core/config/Protocol.java  |  8 +++++
 .../cxf/fediz/core/metadata/MetadataWriter.java | 38 ++++++++++++++++++--
 .../src/main/resources/schemas/FedizConfig.xsd  |  2 ++
 .../fediz/tomcat/FederationAuthenticator.java   | 31 +++++++++-------
 4 files changed, 65 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/84a57eea/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
index d49e24d..803e228 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/Protocol.java
@@ -108,6 +108,14 @@ public abstract class Protocol {
     public void setRoleURI(String value) {
         getProtocolType().setRoleURI(value);
     }
+    
+    public String getMetadataURI() {
+        return getProtocolType().getMetadataURI();
+    }
+    
+    public void setMetadataURI(String value) {
+        getProtocolType().setMetadataURI(value);
+    }
 
     public Object getIssuer() {
         if (this.issuer != null) {

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/84a57eea/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
index af3a558..333d039 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
@@ -24,6 +24,7 @@ import java.io.ByteArrayOutputStream;
 import java.io.InputStream;
 import java.io.OutputStreamWriter;
 import java.io.Writer;
+import java.security.cert.X509Certificate;
 import java.util.List;
 
 import javax.security.auth.callback.CallbackHandler;
@@ -39,9 +40,11 @@ import org.apache.cxf.fediz.core.config.FedizContext;
 import org.apache.cxf.fediz.core.config.Protocol;
 import org.apache.cxf.fediz.core.config.SAMLProtocol;
 import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.core.util.CertsUtils;
 import org.apache.cxf.fediz.core.util.DOMUtils;
 import org.apache.cxf.fediz.core.util.SignatureUtils;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
+import org.apache.xml.security.utils.Base64;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -231,7 +234,7 @@ public class MetadataWriter {
         XMLStreamWriter writer, 
         FedizContext config,
         String serviceURL
-    ) throws XMLStreamException {
+    ) throws Exception {
         
         SAMLProtocol protocol = (SAMLProtocol)config.getProtocol();
         
@@ -245,8 +248,39 @@ public class MetadataWriter {
         writer.writeAttribute("isDefault", "true");
         writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
         writer.writeAttribute("Location", serviceURL);
-
         writer.writeEndElement(); // AssertionConsumerService
+        
+        if (config.getSigningKey() != null && protocol.isSignRequest()) {
+            writer.writeStartElement("", "KeyDescriptor", SAML2_METADATA_NS);
+            writer.writeAttribute("use", "signing");
+            
+            writer.writeStartElement("ds", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
+            writer.writeNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
+            writer.writeStartElement("ds", "X509Data", "http://www.w3.org/2000/09/xmldsig#");
+            writer.writeStartElement("ds", "X509Certificate", "http://www.w3.org/2000/09/xmldsig#");
+
+            // Write the Base-64 encoded certificate
+            String keyAlias = config.getSigningKey().getKeyAlias();
+            if (keyAlias == null || "".equals(keyAlias)) {
+                keyAlias = config.getSigningKey().getCrypto().getDefaultX509Identifier();
+            }
+            X509Certificate cert = 
+                CertsUtils.getX509Certificate(config.getSigningKey().getCrypto(), keyAlias);
+            if (cert == null) {
+                throw new ProcessingException(
+                    "No signing certs were found to insert into the metadata using name:
" 
+                        + keyAlias);
+            }
+            byte data[] = cert.getEncoded();
+            String encodedCertificate = Base64.encode(data);
+            writer.writeCharacters(encodedCertificate);
+            
+            writer.writeEndElement(); // X509Certificate
+            writer.writeEndElement(); // X509Data
+            writer.writeEndElement(); // KeyInfo
+            writer.writeEndElement(); // KeyDescriptor
+        }
+        
         writer.writeEndElement(); // SPSSODescriptor
     }
 
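Review bot: The alias fallback `keyAlias = config.getSigningKey().getCrypto().getDefaultX509Identifier();` is itself unchecked, so if the Crypto instance has no default identifier either (it presumably returns null in that case), the lookup runs with a null alias and the failure surfaces as "...using name: null", which hides the real misconfiguration (no signing alias configured at all). Guard the fallback before the lookup, e.g. `if (keyAlias == null || keyAlias.isEmpty()) { throw new ProcessingException("No signing key alias configured and the Crypto instance has no default X509 identifier"); }`. The widening of the method to `throws Exception` in the previous hunk of this method looks driven by `cert.getEncoded()` (CertificateEncodingException) and the Crypto lookup; catching those here and rethrowing as `ProcessingException` would keep the narrower, typed contract callers already handle. Publishing the certificate itself is fine — it is public key material, and only the signing cert is emitted, only when request signing is enabled — but note the method's signature lies outside this hunk.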

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/84a57eea/plugins/core/src/main/resources/schemas/FedizConfig.xsd
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/resources/schemas/FedizConfig.xsd b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
index 516e03d..dee904e 100644
--- a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
+++ b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
@@ -124,6 +124,7 @@
 	<xs:element name="roleURI" type="xs:string" />
 	<xs:element name="realm" type="CallbackType" />
 	<xs:element name="applicationServiceURL" type="xs:string" />
+	<xs:element name="metadataURI" type="xs:string" />
 
 	<xs:element name="signRequest" type="xs:boolean" />
 	<xs:element name="stateTimeToLive" type="xs:long" default="120000" />
@@ -140,6 +141,7 @@
 	        <xs:element ref="issuer" />
 	        <xs:element ref="realm" />
 	        <xs:element ref="tokenValidators" />
+	        <xs:element ref="metadataURI" />
 		</xs:sequence>
 	</xs:complexType>
  
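Review bot: `<xs:element ref="metadataURI" />` is added to the `xs:sequence` without `minOccurs="0"`, which makes the new element mandatory for every configuration validated against this schema, whereas the Java side (`getMetadataURI()` null check in FederationAuthenticator) treats it as optional. If existing Fediz configuration files are validated against this XSD they would stop loading after this commit; declare it `<xs:element ref="metadataURI" minOccurs="0" />` to keep them valid. The enclosing `xs:complexType` starts before this hunk, so the rest of the sequence is not visible here.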

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/84a57eea/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
index 73c9d97..d99670e 100644
--- a/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
+++ b/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java
@@ -181,19 +181,20 @@ public class FederationAuthenticator extends FormAuthenticator {
         LOG.debug("WsFedAuthenticator:invoke()");
         request.setCharacterEncoding(this.encoding);
         
+        String contextName = request.getServletContext().getContextPath();
+        if (contextName == null || contextName.isEmpty()) {
+            contextName = "/";
+        }
+        FedizContext fedConfig = getContextConfiguration(contextName);
+        
         if (request.getRequestURL().indexOf(FederationConstants.METADATA_PATH_URI) != -1
-            || request.getRequestURL().indexOf(FederationConstants.FEDIZ_SAML_METADATA_PATH_URI)
!= -1) {
+            || request.getRequestURL().indexOf(getMetadataURI(fedConfig)) != -1) {
             if (LOG.isInfoEnabled()) {
                 LOG.info("Metadata document requested");
             }
             response.setContentType("text/xml");
             PrintWriter out = response.getWriter();
             
-            String contextName = request.getServletContext().getContextPath();
-            if (contextName == null || contextName.isEmpty()) {
-                contextName = "/";
-            }
-            FedizContext fedConfig = getContextConfiguration(contextName);
             FedizProcessor wfProc = 
                 FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
             try {
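Review bot: The new condition `request.getRequestURL().indexOf(getMetadataURI(fedConfig)) != -1` is a substring match against the full request URL (scheme, host and path), so an administrator-configured `metadataURI` such as `/metadata` matches any request whose path merely contains it, and a configured empty string matches every request because `indexOf("")` is 0 — every request to the application would then be answered with the metadata document instead of reaching the authentication path below. Match on the request path rather than the whole URL, e.g. `request.getRequestURI().endsWith(getMetadataURI(fedConfig))`, and have `getMetadataURI` refuse blank values so the fallback constants apply. Since this branch serves an unauthenticated document, the check should be as precise as the configured value allows. The body of this branch and the rest of `invoke` continue outside the hunk.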
@@ -208,12 +209,6 @@ public class FederationAuthenticator extends FormAuthenticator {
         }
 
         //logout
-        String contextName = request.getServletContext().getContextPath();
-        if (contextName == null || contextName.isEmpty()) {
-            contextName = "/";
-        }
-        FedizContext fedConfig = getContextConfiguration(contextName);
-
         String logoutUrl = fedConfig.getLogoutURL();
         if (logoutUrl != null && !logoutUrl.isEmpty()) {
             HttpSession httpSession = request.getSession(false);
@@ -258,6 +253,18 @@ public class FederationAuthenticator extends FormAuthenticator {
         super.invoke(request, response);
 
     }
+    
+    private String getMetadataURI(FedizContext fedConfig) {
+        if (fedConfig.getProtocol().getMetadataURI() != null) {
+            return fedConfig.getProtocol().getMetadataURI();
+        } else if (fedConfig.getProtocol() instanceof FederationProtocol) {
+            return FederationConstants.METADATA_PATH_URI;
+        } else if (fedConfig.getProtocol() instanceof SAMLProtocol) {
+            return FederationConstants.FEDIZ_SAML_METADATA_PATH_URI;
+        }
+        
+        return FederationConstants.METADATA_PATH_URI;
+    }
 
     //CHECKSTYLE:OFF
     @Override
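Review bot: `getMetadataURI` returns the configured value whenever it is non-null, including an empty or whitespace-only string, and the caller feeds the result to `indexOf`, where an empty needle matches at position 0 for every request; reject blank values and fall through to the protocol default: `String uri = fedConfig.getProtocol().getMetadataURI(); if (uri != null && !uri.trim().isEmpty()) { return uri; }`. The trailing `return FederationConstants.METADATA_PATH_URI;` after the `instanceof` chain is reached only for a protocol that is neither Federation nor SAML, which is worth a one-line comment so the fallback is not mistaken for dead code. A Javadoc such as `/** Returns the path used to recognise metadata requests: the configured metadataURI, else the protocol-specific default. */` would also document the precedence.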

