This repository has been archived by the owner on Nov 29, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 482
/
ExtendedMetadata.java
executable file
·614 lines (547 loc) · 21.3 KB
/
ExtendedMetadata.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
/* Copyright 2011 Vladimir Schaefer
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.saml.metadata;
import java.io.Serializable;
import java.util.Set;
import org.springframework.security.saml.SAMLConstants;
/**
* Class contains additional information describing a SAML entity. Metadata can be used both for local entities
* (= the ones accessible as part of the deployed application using the SAML Extension) and remote entities (= the ones
* user can interact with like IDPs).
*
* @author Vladimir Schaefer
*/
public class ExtendedMetadata implements Serializable, Cloneable {
/**
* Setting of the value determines whether the entity is deployed locally (hosted on the current installation) or
* whether it's an entity deployed elsewhere.
*/
private boolean local;
/**
* Local alias of the entity used for construction of well-known metadata address and determining target
* entity from incoming requests.
*/
private String alias;
/**
* When true IDP discovery will be invoked before SSO. Only valid for local entities.
*/
private boolean idpDiscoveryEnabled;
/**
* URL of the IDP Discovery service user should be redirected to upon request to determine which IDP to use.
* Value can override settings in the local SP metadata. Only valid for local entities.
*/
private String idpDiscoveryURL;
/**
* URL where the discovery service should send back response to our discovery request. Only valid for local
* entities.
*/
private String idpDiscoveryResponseURL;
/**
* Indicates whether Enhanced Client/Proxy profile should be used for requests which support it. Only valid for
* local entities.
*/
private boolean ecpEnabled;
/**
* Profile used for trust verification, MetaIOP by default. Only relevant for local entities.
*/
private String securityProfile = "metaiop";
/**
* Profile used for SSL/TLS trust verification, PKIX by default. Only relevant for local entities.
*/
private String sslSecurityProfile = "pkix";
/**
* Hostname verifier to use for verification of SSL connections, e.g. for ArtifactResolution.
*/
private String sslHostnameVerification = "default";
/**
* Key (stored in the local keystore) used for signing/verifying signature of messages sent/coming from this
* entity. For local entities private key must be available, for remote entities only public key is required.
*/
private String signingKey;
/**
* Algorithm used for creation of digital signatures of this entity. At the moment only used for metadata signatures.
* Only valid for local entities.
*/
private String signingAlgorithm;
/**
* Flag indicating whether to sign metadata for this entity. Only valid for local entities.
*/
private boolean signMetadata;
/**
* Name of generator for KeyInfo elements in metadata and signatures. At the moment only used for metadata signatures.
* Only valid for local entities.
*/
private String keyInfoGeneratorName = SAMLConstants.SAML_METADATA_KEY_INFO_GENERATOR;
/**
* Key (stored in the local keystore) used for encryption/decryption of messages coming/sent from this entity. For local entities
* private key must be available, for remote entities only public key is required.
*/
private String encryptionKey;
/**
* Key used for verification of SSL/TLS connections. For local entities key is included in the generated metadata when specified.
* For remote entities key is used to for server authentication of SSL/TLS when specified and when MetaIOP security profile is used.
*/
private String tlsKey;
/**
* Keys used as anchors for trust verification when PKIX mode is enabled for the local entity. In case value is null
* all keys in the keyStore will be treated as trusted.
*/
private Set<String> trustedKeys;
/**
* SAML specification mandates that incoming LogoutRequests must be authenticated.
*/
private boolean requireLogoutRequestSigned = true;
/**
* Flag indicating whether incoming LogoutResposne messages must be authenticated.
*/
private boolean requireLogoutResponseSigned;
/**
* If true received artifactResolve messages will require a signature, sent artifactResolve will be signed.
*/
private boolean requireArtifactResolveSigned = true;
/**
* Flag indicating whether to support unsolicited responses (IDP-initialized SSO). Only valid for remote
* entities.
*/
private boolean supportUnsolicitedResponse = true;
/**
* Algorithm used for creation of digest method of this entity. At the moment only used for metadata signatures.
* Only valid for local entities.
*/
private String digestMethodAlgorithm;
/**
* Security profile to use for this local entity - MetaIOP (default) or PKIX.
*
* @return profile
*/
public String getSecurityProfile() {
return securityProfile;
}
/**
* Sets profile used for verification of signatures and encryption. The following profiles are available:
* <p>
* MetaIOP profile (by default):
* <br>
* Uses cryptographic data from the metadata document of the entity in question. No checks for validity
* or revocation of certificates is done in this mode. All keys must be known in advance.
* <p>
* PKIX profile:
* <br>
* Signatures are deemed as trusted when credential can be verified using PKIX with trusted keys of the peer
* configured as trusted anchors.
* <p>
* This setting is only relevant for local entities.
*
* @param securityProfile profile to use - PKIX when set to "pkix", MetaIOP otherwise
*/
public void setSecurityProfile(String securityProfile) {
this.securityProfile = securityProfile;
}
/**
* Security profile used for SSL/TLS connections of the local entity.
*
* @return profile
*/
public String getSslSecurityProfile() {
return sslSecurityProfile;
}
/**
* Sets profile used for verification of SSL/TLS connections. The following profiles are available:
* <p>
* PKIX profile (by default), value "pkix":
* <br>
* Signatures are deemed as trusted when credential can be verified using PKIX with trusted keys of the peer
* configured as trusted anchors.
* <p>
* MetaIOP profile, any other value:
* <br>
* Uses cryptographic data from the metadata document of the entity in question. No checks for validity
* or revocation of certificates is done in this mode. All keys must be known in advance.
* <p>
* Logic is enforced in SAMLContextProviderImpl#populateSSLTrustEngine. Values are case insensitive.
* <p>
* This setting is only relevant for local entities.
*
* @param sslSecurityProfile profile to use - PKIX when set to "pkix", MetaIOP otherwise
*/
public void setSslSecurityProfile(String sslSecurityProfile) {
this.sslSecurityProfile = sslSecurityProfile;
}
/**
* Hostname verifier for SSL connections.
*
* @return hostname verifier
*/
public String getSslHostnameVerification() {
return sslHostnameVerification;
}
/**
* Sets hostname verifier to use for verification of SSL connections. The following values are available:
* <p>
* default: org.apache.commons.ssl.HostnameVerifier.DEFAULT
* <br>
* defaultAndLocalhost: org.apache.commons.ssl.HostnameVerifier.DEFAULT_AND_LOCALHOST
* <br>
* strict: org.apache.commons.ssl.HostnameVerifier.STRICT
* <br>
* allowAll: org.apache.commons.ssl.HostnameVerifier.ALLOW_ALL, doesn't perform any validation
* <p>
* Logic is enforced in SAMLContextProviderImpl#populateSSLHostnameVerifier. Values are case insensitive.
* Unrecognized value revert to default setting.
* <p>
* This setting is only relevant for local entities.
*
* @param sslHostnameVerification hostname verification type flag
*/
public void setSslHostnameVerification(String sslHostnameVerification) {
this.sslHostnameVerification = sslHostnameVerification;
}
/**
* Returns alias. Value should be null for remote entities.
*
* @return alias
*/
public String getAlias() {
return alias;
}
/**
* Alias is used to identify a destination entity as part of the URL. It only applies to local entities. Only
* ASCII characters can be used as alias.
* <p>
* In case the alias is null on a local entity it must be set as a default
* to be accessible.
* <p>
* Alias must be unique for each local entityId.
*
* @param alias alias value
*/
public void setAlias(String alias) {
this.alias = alias;
}
/**
* Signing key used for signing messages or verifying signatures of this entity.
*
* @return signing key, default if null
*/
public String getSigningKey() {
return signingKey;
}
/**
* Sets signing key to be used for interaction with the current entity. In case the entity is local the keyStore
* must contain a private and public key with the given name. For remote entities only public key is required.
* <p>
* Value can be used to override credential contained in the remote metadata.
*
* @param signingKey key for creation/verification of signatures
*/
public void setSigningKey(String signingKey) {
this.signingKey = signingKey;
}
/**
* Encryption key used for encrypting messages send to the remote entity or decrypting data sent to the local one.
*
* @return encryption key, default if null
*/
public String getEncryptionKey() {
return encryptionKey;
}
/**
* Sets encryption key to be used for interaction with the current entity. In case the entity is local the keyStore
* must contain a private key with the given name which will be used for decryption incoming message.
* For remote entities only public key is required and will be used for encryption of the sent data.
* <p>
* Value can be used to override credential contained in the remote metadata.
*
* @param encryptionKey key for creation/verification of signatures
*/
public void setEncryptionKey(String encryptionKey) {
this.encryptionKey = encryptionKey;
}
/**
* Flag indicating whether entity in question requires logout request to be signed.
*
* @return signature flag
*/
public boolean isRequireLogoutRequestSigned() {
return requireLogoutRequestSigned;
}
/**
* If true logoutRequests received will require a signature, sent logoutRequests will be signed.
*
* @param requireLogoutRequestSigned logout request signature flag
*/
public void setRequireLogoutRequestSigned(boolean requireLogoutRequestSigned) {
this.requireLogoutRequestSigned = requireLogoutRequestSigned;
}
/**
* Flag indicating whether entity in question requires logout response to be signed.
*
* @return signature flag
*/
public boolean isRequireLogoutResponseSigned() {
return requireLogoutResponseSigned;
}
/**
* If true logoutResponses received will require a signature, sent logoutResponses will be signed.
*
* @param requireLogoutResponseSigned logout response signature flag
*/
public void setRequireLogoutResponseSigned(boolean requireLogoutResponseSigned) {
this.requireLogoutResponseSigned = requireLogoutResponseSigned;
}
/**
* Flag indicating whether entity in question requires artifact resolve messages to be signed.
*
* @return signature flag
*/
public boolean isRequireArtifactResolveSigned() {
return requireArtifactResolveSigned;
}
/**
* If true received artifactResolve messages will require a signature, sent artifactResolve will be signed.
*
* @param requireArtifactResolveSigned artifact resolve signature flag
*/
public void setRequireArtifactResolveSigned(boolean requireArtifactResolveSigned) {
this.requireArtifactResolveSigned = requireArtifactResolveSigned;
}
/**
* Key used to authenticate instance against remote peers when specified on local entity. When specified on
* remote entity the key is added as a trust anchor during communication with the entity using SSL/TLS.
*
* @return tls key
*/
public String getTlsKey() {
return tlsKey;
}
/**
* For local entities denotes alias of the key used to authenticate this instance against peer servers using SSL/TLS connections. When
* not set no key will be available for client authentication. Alias must be associated with a key containing a private key and being
* of X509 type. For remote entities denotes key to be used as a trust anchor for SSL/TLS connections.
*
* @param tlsKey tls key
*/
public void setTlsKey(String tlsKey) {
this.tlsKey = tlsKey;
}
/**
* Trusted keys usable for signature and server SSL/TLS verification for entities with PKIX verification enabled.
* Value is ignored when PKIX security is not enabled. In case value is null all keys in the keyStore will be
* treated as trusted.
*
* @return trusted keys
*/
public Set<String> getTrustedKeys() {
return trustedKeys;
}
/**
* Set of keys used as anchors for PKIX verification of messages coming from this entity. Only applicable for
* remote entities and used when local entity has the PKIX profile enabled.
* <p>
* When no trusted keys are specified all keys in the keyManager are treated as trusted.
* <p>
* This setting is only relevant for remote entities.
*
* @param trustedKeys keys
*/
public void setTrustedKeys(Set<String> trustedKeys) {
this.trustedKeys = trustedKeys;
}
public boolean isLocal() {
return local;
}
/**
* When set to true entity is treated as locally deployed and will be able to accept messages on endpoints determined
* by the selected alias.
*
* @param local true when entity is deployed locally
*/
public void setLocal(boolean local) {
this.local = local;
}
public String getIdpDiscoveryURL() {
return idpDiscoveryURL;
}
/**
* URL to invoke while initializing IDP Discovery protocol for the local SP.
*
* @param idpDiscoveryURL IDP discovery URL
*/
public void setIdpDiscoveryURL(String idpDiscoveryURL) {
this.idpDiscoveryURL = idpDiscoveryURL;
}
public String getIdpDiscoveryResponseURL() {
return idpDiscoveryResponseURL;
}
/**
* When set our local IDP Discovery implementation will send response back to Service Provider on this address.
* Value should be set in situations when public address of the SP differs from values seen by the application sever.
*
* @param idpDiscoveryResponseURL discovery response URL
*/
public void setIdpDiscoveryResponseURL(String idpDiscoveryResponseURL) {
this.idpDiscoveryResponseURL = idpDiscoveryResponseURL;
}
/**
* When true IDP discovery will be invoked before initializing WebSSO, unless IDP is already specified inside
* SAMLContext.
*
* @return true when idp discovery is enabled
*/
public boolean isIdpDiscoveryEnabled() {
return idpDiscoveryEnabled;
}
public void setIdpDiscoveryEnabled(boolean idpDiscoveryEnabled) {
this.idpDiscoveryEnabled = idpDiscoveryEnabled;
}
public void setEcpEnabled(boolean ecpEnabled) {
this.ecpEnabled = ecpEnabled;
}
public boolean isEcpEnabled() {
return ecpEnabled;
}
/**
* Gets the signing algorithm to use when signing the SAML messages.
* This can be used, for example, when a strong algorithm is required (e.g. SHA 256 instead of SHA 128).
*
* Value only applies to local entities.
*
* At the moment the value is only used for signatures on metadata.
*
* @return A signing algorithm URI, if set. Otherwise returns null.
* @see org.opensaml.xml.signature.SignatureConstants
*/
public String getSigningAlgorithm() {
return signingAlgorithm;
}
/**
* Sets the signing algorithm to use when signing the SAML messages.
* This can be used, for example, when a strong algorithm is required (e.g. SHA 256 instead of SHA 128).
* If this property is null, then the {@link org.opensaml.xml.security.credential.Credential} default algorithm will be used instead.
*
* Value only applies to local entities.
*
* At the moment the value is only used for signatures on metadata.
*
* Typical values are:
* https://www.w3.org/2000/09/xmldsig#rsa-sha1
* https://www.w3.org/2001/04/xmldsig-more#rsa-sha256
* https://www.w3.org/2001/04/xmldsig-more#rsa-sha512
*
* @param signingAlgorithm The new signing algorithm to use
* @see org.opensaml.xml.signature.SignatureConstants
*/
public void setSigningAlgorithm(String signingAlgorithm) {
this.signingAlgorithm = signingAlgorithm;
}
/**
* Sets KeyInfoGenerator used to create KeyInfo elements in metadata and digital signatures. Only valid
* for local entities.
*
* @param keyInfoGeneratorName generator name
*/
public void setKeyInfoGeneratorName(String keyInfoGeneratorName) {
this.keyInfoGeneratorName = keyInfoGeneratorName;
}
/**
* Name of the KeyInfoGenerator registered at default KeyInfoGeneratorManager. Used to generate
* KeyInfo elements in metadata and signatures.
*
* @return key info generator name
* @see org.opensaml.Configuration#getGlobalSecurityConfiguration()
* @see org.opensaml.xml.security.SecurityConfiguration#getKeyInfoGeneratorManager()
*/
public String getKeyInfoGeneratorName() {
return keyInfoGeneratorName;
}
/**
* Flag indicating whether local metadata will be digitally signed.
*
* @return metadata signing flag
*/
public boolean isSignMetadata() {
return signMetadata;
}
/**
* When set to true metadata generated for this entity will be digitally signed by the signing certificate.
* Only applies to local entities.
*
* @param signMetadata metadata signing flag
*/
public void setSignMetadata(boolean signMetadata) {
this.signMetadata = signMetadata;
}
/**
* @return true when system should accept unsolicited response messages from this remote entity
*/
public boolean isSupportUnsolicitedResponse() {
return supportUnsolicitedResponse;
}
/**
* When set to true system will support reception of Unsolicited SAML Response messages (IDP-initialized single
* sign-on) from this remote entity. When disabled such messages will be rejected.
*
* Unsolicited Responses are by default enabled.
*
* @param supportUnsolicitedResponse unsolicited response flag
*/
public void setSupportUnsolicitedResponse(boolean supportUnsolicitedResponse) {
this.supportUnsolicitedResponse = supportUnsolicitedResponse;
}
/**
* Clones the existing metadata object.
*
* @return clone of the metadata
*/
@Override
public ExtendedMetadata clone() {
try {
return (ExtendedMetadata) super.clone();
} catch (CloneNotSupportedException e) {
throw new RuntimeException("Extended metadata not cloneable", e);
}
}
/**
* Returns digest method algorithm value
* @return String
*/
public String getDigestMethodAlgorithm()
{
return digestMethodAlgorithm;
}
/**
* Sets the digest method algorithm to use when signing the SAML messages.
* This can be used, for example, when a strong algorithm is required (e.g. SHA 256 instead of SHA 128).
* If this property is null, then the {@link org.opensaml.xml.Configuration} default algorithm will be used instead.
*
* Value only applies to local entities.
*
* At the moment the value is only used for signatures on metadata.
*
* Typical values are:
* https://www.w3.org/2001/04/xmlenc#sha1
* https://www.w3.org/2001/04/xmlenc#sha256
* https://www.w3.org/2001/04/xmlenc#sha384
* https://www.w3.org/2001/04/xmlenc#sha512
* https://www.w3.org/2001/04/xmlenc#ripemd160
*
* @param digestMethodAlgorithm The new digest method algorithm to use
* @see org.opensaml.xml.signature.SignatureConstants
*/
public void setDigestMethodAlgorithm(String digestMethodAlgorithm)
{
this.digestMethodAlgorithm = digestMethodAlgorithm;
}
}