Spring Security SAML

org.springframework.security.saml.metadata
Class ExtendedMetadata

java.lang.Object
  extended by org.springframework.security.saml.metadata.ExtendedMetadata
All Implemented Interfaces:
Serializable, Cloneable

public class ExtendedMetadata
extends Object
implements Serializable, Cloneable

Class contains additional information describing a SAML entity. Metadata can be used both for local entities (= the ones accessible as part of the deployed application using the SAML Extension) and remote entities (= the ones the user can interact with, such as IDPs).

Author:
Vladimir Schaefer
See Also:
Serialized Form

Constructor Summary
ExtendedMetadata()
           
 
Method Summary
 ExtendedMetadata clone()
          Clones the existing metadata object.
 String getAlias()
          Returns alias.
 String getEncryptionKey()
          Encryption key used for encrypting messages sent to the remote entity or decrypting data sent to the local one.
 String getIdpDiscoveryResponseURL()
           
 String getIdpDiscoveryURL()
           
 String getSecurityProfile()
          Security profile to use for this local entity - MetaIOP (default) or PKIX.
 String getSigningKey()
          Signing key used for signing messages or verifying signatures of this entity.
 String getSslSecurityProfile()
          Security profile used for SSL/TLS connections of the local entity.
 String getTlsKey()
          Key used to authenticate instance against remote peers when specified on local entity.
 Set<String> getTrustedKeys()
          Trusted keys usable for signature and server SSL/TLS verification for entities with PKIX verification enabled.
 boolean isEcpEnabled()
           
 boolean isIdpDiscoveryEnabled()
          When true IDP discovery will be invoked before initializing WebSSO, unless IDP is already specified inside SAMLContext.
 boolean isLocal()
           
 boolean isRequireArtifactResolveSigned()
          Flag indicating whether entity in question requires artifact resolve messages to be signed.
 boolean isRequireLogoutRequestSigned()
          Flag indicating whether entity in question requires logout request to be signed.
 boolean isRequireLogoutResponseSigned()
          Flag indicating whether entity in question requires logout response to be signed.
 void setAlias(String alias)
          Alias is used to identify a destination entity as part of the URL.
 void setEcpEnabled(boolean ecpEnabled)
           
 void setEncryptionKey(String encryptionKey)
          Sets encryption key to be used for interaction with the current entity.
 void setIdpDiscoveryEnabled(boolean idpDiscoveryEnabled)
           
 void setIdpDiscoveryResponseURL(String idpDiscoveryResponseURL)
          When set our local IDP Discovery implementation will send response back to Service Provider on this address.
 void setIdpDiscoveryURL(String idpDiscoveryURL)
          URL to invoke while initializing IDP Discovery protocol for the local SP.
 void setLocal(boolean local)
          When set to true the entity is treated as locally deployed and will be able to accept messages on endpoints determined by the selected alias.
 void setRequireArtifactResolveSigned(boolean requireArtifactResolveSigned)
          If true, received artifactResolve messages will require a signature and sent artifactResolve messages will be signed.
 void setRequireLogoutRequestSigned(boolean requireLogoutRequestSigned)
          If true, received logoutRequests will require a signature and sent logoutRequests will be signed.
 void setRequireLogoutResponseSigned(boolean requireLogoutResponseSigned)
          If true, received logoutResponses will require a signature and sent logoutResponses will be signed.
 void setSecurityProfile(String securityProfile)
          Sets profile used for verification of signatures and encryption.
 void setSigningKey(String signingKey)
          Sets signing key to be used for interaction with the current entity.
 void setSslSecurityProfile(String sslSecurityProfile)
          Sets profile used for verification of SSL/TLS connections.
 void setTlsKey(String tlsKey)
          For local entities denotes alias of the key used to authenticate this instance against peer servers using SSL/TLS connections.
 void setTrustedKeys(Set<String> trustedKeys)
          Set of keys used as anchors for PKIX verification of messages coming from this entity.
 
Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ExtendedMetadata

public ExtendedMetadata()
Method Detail

getSecurityProfile

public String getSecurityProfile()
Security profile to use for this local entity - MetaIOP (default) or PKIX.

Returns:
profile

setSecurityProfile

public void setSecurityProfile(String securityProfile)
Sets profile used for verification of signatures and encryption. The following profiles are available:

MetaIOP profile (by default):
Uses cryptographic data from the metadata document of the entity in question. No checks for validity or revocation of certificates are done in this mode. All keys must be known in advance.

PKIX profile:
Signatures are deemed trusted when the credential can be verified using PKIX with the trusted keys of the peer configured as trust anchors.

This setting is only relevant for local entities.

Parameters:
securityProfile - profile to use - PKIX when set to "pkix", MetaIOP otherwise

getSslSecurityProfile

public String getSslSecurityProfile()
Security profile used for SSL/TLS connections of the local entity.

Returns:
profile

setSslSecurityProfile

public void setSslSecurityProfile(String sslSecurityProfile)
Sets profile used for verification of SSL/TLS connections. The following profiles are available:

PKIX profile (by default):
Signatures are deemed trusted when the credential can be verified using PKIX with the trusted keys of the peer configured as trust anchors.

MetaIOP profile:
Uses cryptographic data from the metadata document of the entity in question. No checks for validity or revocation of certificates are done in this mode. All keys must be known in advance.

This setting is only relevant for local entities.

Parameters:
sslSecurityProfile - profile to use - PKIX when set to "pkix", MetaIOP otherwise

getAlias

public String getAlias()
Returns alias. Value should be null for remote entities.

Returns:
alias

setAlias

public void setAlias(String alias)
Alias is used to identify a destination entity as part of the URL. It only applies to local entities. Only ASCII characters can be used as alias.

If the alias is null on a local entity, that entity must be configured as the default local entity to be accessible.

Alias must be unique for each local entityId.

Parameters:
alias - alias value

getSigningKey

public String getSigningKey()
Signing key used for signing messages or verifying signatures of this entity.

Returns:
signing key, default if null

setSigningKey

public void setSigningKey(String signingKey)
Sets signing key to be used for interaction with the current entity. If the entity is local, the keyStore must contain a private and public key with the given name. For remote entities only the public key is required.

Value can be used to override credential contained in the remote metadata.

Parameters:
signingKey - key for creation/verification of signatures

getEncryptionKey

public String getEncryptionKey()
Encryption key used for encrypting messages sent to the remote entity or decrypting data sent to the local one.

Returns:
encryption key, default if null

setEncryptionKey

public void setEncryptionKey(String encryptionKey)
Sets encryption key to be used for interaction with the current entity. If the entity is local, the keyStore must contain a private key with the given name, which will be used for decryption of incoming messages. For remote entities only the public key is required and it will be used for encryption of the sent data.

Value can be used to override credential contained in the remote metadata.

Parameters:
encryptionKey - key for encryption/decryption of messages

isRequireLogoutRequestSigned

public boolean isRequireLogoutRequestSigned()
Flag indicating whether entity in question requires logout request to be signed.

Returns:
signature flag

setRequireLogoutRequestSigned

public void setRequireLogoutRequestSigned(boolean requireLogoutRequestSigned)
If true, received logoutRequests will require a signature and sent logoutRequests will be signed.

Parameters:
requireLogoutRequestSigned - logout request signature flag

isRequireLogoutResponseSigned

public boolean isRequireLogoutResponseSigned()
Flag indicating whether entity in question requires logout response to be signed.

Returns:
signature flag

setRequireLogoutResponseSigned

public void setRequireLogoutResponseSigned(boolean requireLogoutResponseSigned)
If true, received logoutResponses will require a signature and sent logoutResponses will be signed.

Parameters:
requireLogoutResponseSigned - logout response signature flag

isRequireArtifactResolveSigned

public boolean isRequireArtifactResolveSigned()
Flag indicating whether entity in question requires artifact resolve messages to be signed.

Returns:
signature flag

setRequireArtifactResolveSigned

public void setRequireArtifactResolveSigned(boolean requireArtifactResolveSigned)
If true, received artifactResolve messages will require a signature and sent artifactResolve messages will be signed.

Parameters:
requireArtifactResolveSigned - artifact resolve signature flag
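The following is an added example, not code from the Spring Security SAML project, showing how the settings described above (security profiles, keys and the require-signed flags) fit together for one locally deployed SP and one remote IDP. The keystore aliases "sp-sign", "sp-enc", "sp-tls" and "idp-ca", the entity alias "defaultAlias" and the class name are assumptions for illustration; only the ExtendedMetadata setters documented on this page are used.

```java
import java.util.Arrays;
import java.util.HashSet;

import org.springframework.security.saml.metadata.ExtendedMetadata;

/**
 * Added example (not part of the library): builds ExtendedMetadata for a
 * local SP and for a remote IDP. Keystore aliases and the entity alias are
 * assumed names and must match entries in the deployment's KeyManager.
 */
public class ExtendedMetadataExample {

    /** Local SP: PKIX verification for signatures and TLS, inbound messages must be signed. */
    public static ExtendedMetadata localSp() {
        ExtendedMetadata local = new ExtendedMetadata();
        local.setLocal(true);
        // Alias is part of the endpoint URLs; ASCII only, unique per local entityId.
        local.setAlias("defaultAlias");
        // Only the exact string "pkix" selects PKIX; any other value silently means MetaIOP.
        local.setSecurityProfile("pkix");
        local.setSslSecurityProfile("pkix");
        // Local entity: keystore entries must hold private keys.
        local.setSigningKey("sp-sign");      // signs outbound messages
        local.setEncryptionKey("sp-enc");    // decrypts inbound encrypted data
        local.setTlsKey("sp-tls");           // X.509 entry with private key, used for TLS client auth
        // Require signatures on received logout/artifact messages and sign the ones we send.
        local.setRequireLogoutRequestSigned(true);
        local.setRequireLogoutResponseSigned(true);
        local.setRequireArtifactResolveSigned(true);
        return local;
    }

    /** Remote IDP: no alias, trust anchors for the local SP's PKIX verification. */
    public static ExtendedMetadata remoteIdp() {
        ExtendedMetadata remote = new ExtendedMetadata();
        remote.setLocal(false);
        // Alias stays null for remote entities.
        // Trust anchors (keystore aliases) used when the local SP runs the PKIX profile.
        // Leaving this empty makes every key in the KeyManager a trust anchor.
        remote.setTrustedKeys(new HashSet<String>(Arrays.asList("idp-ca")));
        // A remote tlsKey is added as a TLS trust anchor for connections to this IDP.
        remote.setTlsKey("idp-ca");
        // Optional: override the signing/encryption credentials advertised in the IDP metadata.
        // remote.setSigningKey("idp-sign");
        // remote.setEncryptionKey("idp-enc");
        return remote;
    }

    public static void main(String[] args) {
        ExtendedMetadata sp = localSp();
        ExtendedMetadata idp = remoteIdp();
        System.out.println("SP alias=" + sp.getAlias()
                + " profile=" + sp.getSecurityProfile()
                + " ssl=" + sp.getSslSecurityProfile()
                + " logoutReqSigned=" + sp.isRequireLogoutRequestSigned());
        System.out.println("IDP trustedKeys=" + idp.getTrustedKeys()
                + " local=" + idp.isLocal());
    }
}
```

Both objects would normally be handed to the metadata manager alongside the entities' SAML metadata documents; the remote entity's trustedKeys only matter while the local entity has the PKIX profile selected, and the local entity's require-signed flags govern what it accepts from any peer.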

getTlsKey

public String getTlsKey()
Key used to authenticate this instance against remote peers when specified on a local entity. When specified on a remote entity the key is added as a trust anchor during communication with the entity using SSL/TLS.

Returns:
tls key

setTlsKey

public void setTlsKey(String tlsKey)
For local entities denotes the alias of the key used to authenticate this instance against peer servers using SSL/TLS connections. When not set, no key will be available for client authentication. The alias must refer to an X.509 entry containing a private key. For remote entities denotes the key to be used as a trust anchor for SSL/TLS connections.

Parameters:
tlsKey - tls key

getTrustedKeys

public Set<String> getTrustedKeys()
Trusted keys usable for signature and server SSL/TLS verification for entities with PKIX verification enabled. Value is ignored when PKIX security is not enabled.

Returns:
trusted keys

setTrustedKeys

public void setTrustedKeys(Set<String> trustedKeys)
Set of keys used as anchors for PKIX verification of messages coming from this entity. Only applicable for remote entities and used when local entity has the PKIX profile enabled.

When no trusted keys are specified all keys in the keyManager are treated as trusted.

This setting is only relevant for remote entities.

Parameters:
trustedKeys - keys
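The interaction between securityProfile, trustedKeys, tlsKey and the require-signed flags is easy to get wrong, so the following added helper (not part of the library) checks a local/remote ExtendedMetadata pair against the rules stated on this page and returns a list of findings. It relies only on the getters documented here; the class name, the finding texts and the sample configuration in main() are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.springframework.security.saml.metadata.ExtendedMetadata;

/**
 * Added example (not part of the library): reviews a local entity and one
 * remote entity for configurations that the ExtendedMetadata contract says
 * are ineffective or weaker than they look.
 */
public final class ExtendedMetadataAudit {

    private ExtendedMetadataAudit() {}

    /** Exact "pkix" selects PKIX; the contract says any other value means MetaIOP. */
    static boolean isPkix(String profile) {
        return "pkix".equals(profile);
    }

    public static List<String> audit(ExtendedMetadata local, ExtendedMetadata remote) {
        List<String> findings = new ArrayList<String>();

        if (!local.isLocal()) {
            findings.add("local: isLocal() is false, so no endpoints will be exposed for it");
        }
        if (local.getAlias() == null) {
            findings.add("local: alias is null; entity is reachable only if it is the configured default");
        }
        if (remote.isLocal() || remote.getAlias() != null) {
            findings.add("remote: should be non-local with a null alias");
        }

        // Profile strings: anything other than "pkix" falls back to MetaIOP, including typos.
        for (String p : new String[] { local.getSecurityProfile(), local.getSslSecurityProfile() }) {
            if (p != null && !isPkix(p) && !"metaiop".equals(p)) {
                findings.add("local: profile value '" + p + "' is not \"pkix\" and is treated as MetaIOP");
            }
        }

        boolean pkixUsed = isPkix(local.getSecurityProfile()) || isPkix(local.getSslSecurityProfile());
        Set<String> anchors = remote.getTrustedKeys();
        boolean hasAnchors = anchors != null && !anchors.isEmpty();
        if (pkixUsed && !hasAnchors) {
            findings.add("remote: PKIX in use but trustedKeys empty; every key in the keyManager becomes a trust anchor");
        }
        if (!pkixUsed && hasAnchors) {
            findings.add("remote: trustedKeys set but local entity is MetaIOP for both profiles; value is ignored");
        }

        if (!local.isRequireLogoutRequestSigned()) {
            findings.add("local: unsigned LogoutRequests are accepted");
        }
        if (!local.isRequireLogoutResponseSigned()) {
            findings.add("local: unsigned LogoutResponses are accepted");
        }
        if (!local.isRequireArtifactResolveSigned()) {
            findings.add("local: unsigned ArtifactResolve messages are accepted");
        }
        if (local.getTlsKey() == null) {
            findings.add("local: no tlsKey, so no credential is available for TLS client authentication");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: a local SP that asks for PKIX but whose peer has no anchors.
        ExtendedMetadata sp = new ExtendedMetadata();
        sp.setLocal(true);
        sp.setAlias("defaultAlias");     // assumed alias
        sp.setSecurityProfile("PKIX");   // wrong case: falls back to MetaIOP
        sp.setSslSecurityProfile("pkix");

        ExtendedMetadata idp = new ExtendedMetadata();
        idp.setLocal(false);

        for (String f : audit(sp, idp)) {
            System.out.println(f);
        }
    }
}
```

Run against the sample in main(), the audit reports the mis-cased profile value, the missing trust anchors for the PKIX TLS profile, the three accepted unsigned message types and the absent TLS client key.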

isLocal

public boolean isLocal()

setLocal

public void setLocal(boolean local)
When set to true the entity is treated as locally deployed and will be able to accept messages on endpoints determined by the selected alias.

Parameters:
local - true when entity is deployed locally

getIdpDiscoveryURL

public String getIdpDiscoveryURL()

setIdpDiscoveryURL

public void setIdpDiscoveryURL(String idpDiscoveryURL)
URL to invoke while initializing IDP Discovery protocol for the local SP.

Parameters:
idpDiscoveryURL - IDP discovery URL

getIdpDiscoveryResponseURL

public String getIdpDiscoveryResponseURL()

setIdpDiscoveryResponseURL

public void setIdpDiscoveryResponseURL(String idpDiscoveryResponseURL)
When set, our local IDP Discovery implementation will send the response back to the Service Provider at this address. The value should be set in situations where the public address of the SP differs from the values seen by the application server.

Parameters:
idpDiscoveryResponseURL - discovery response URL

isIdpDiscoveryEnabled

public boolean isIdpDiscoveryEnabled()
When true IDP discovery will be invoked before initializing WebSSO, unless IDP is already specified inside SAMLContext.


setIdpDiscoveryEnabled

public void setIdpDiscoveryEnabled(boolean idpDiscoveryEnabled)

setEcpEnabled

public void setEcpEnabled(boolean ecpEnabled)

isEcpEnabled

public boolean isEcpEnabled()

clone

public ExtendedMetadata clone()
Clones the existing metadata object.

Overrides:
clone in class Object
Returns:
clone of the metadata
