Spring Security SAML

org.springframework.security.saml.util
Class SAMLUtil

java.lang.Object
  extended by org.springframework.security.saml.util.SAMLUtil

public class SAMLUtil
extends Object

Utility class for SAML entities

Author:
Vladimir Schaefer

Constructor Summary
SAMLUtil()
           
 
Method Summary
static boolean compare(byte[] hashID, String entityId)
          Helper method compares whether SHA-1 hash of the entityId equals the hashID.
static org.opensaml.saml2.metadata.ArtifactResolutionService getArtifactResolutionService(org.opensaml.saml2.metadata.IDPSSODescriptor idpssoDescriptor, int endpointIndex)
           
static List<String> getBase64EncodeCertificates(org.opensaml.xml.signature.KeyInfo keyInfo)
          Parses list of all Base64 encoded certificates found inside the KeyInfo element.
static List<String> getBase64EncodedCertificates(org.opensaml.xml.signature.X509Data x509Data)
          Parses list of Base64 encoded certificates present in the X509Data element.
static String getBindingForEndpoint(org.opensaml.saml2.metadata.Endpoint endpoint)
          Method determines binding supported by the given endpoint.
static org.opensaml.saml2.metadata.AssertionConsumerService getConsumerService(org.opensaml.saml2.metadata.SPSSODescriptor ssoDescriptor, Integer index)
          Loads the assertionConsumerIndex designated by the index.
static String getDefaultBinding(org.opensaml.saml2.metadata.IDPSSODescriptor descriptor)
          Returns default binding supported by IDP.
static <T extends org.opensaml.saml2.metadata.Endpoint> T getEndpoint(List<T> endpoints, String messageBinding, String filterURL)
          Method helps to identify which endpoint is used to process the current message.
static org.opensaml.saml2.metadata.IDPSSODescriptor getIDPDescriptor(MetadataManager metadata, String idpId)
          Loads IDP descriptor for entity with the given entityID.
static org.opensaml.saml2.metadata.IDPSSODescriptor getIDPSSODescriptor(org.opensaml.saml2.metadata.EntityDescriptor idpEntityDescriptor)
           
static String getLogoutBinding(org.opensaml.saml2.metadata.IDPSSODescriptor idp, org.opensaml.saml2.metadata.SPSSODescriptor sp)
           
static org.opensaml.saml2.metadata.SingleLogoutService getLogoutServiceForBinding(org.opensaml.saml2.metadata.SSODescriptor descriptor, String binding)
          Returns the single logout service of the given descriptor that supports the given binding.
static boolean isDateTimeSkewValid(int skewInSec, org.joda.time.DateTime time)
          Verifies that the current time is within skewInSec interval from the time value.
static boolean isDateTimeSkewValid(int skewInSec, int forwardInterval, org.joda.time.DateTime time)
          Verifies that the current time fits into the interval from time minus skewInSec to time plus forwardInterval plus skewInSec.
static boolean isECPRequest(HttpServletRequest request)
          Analyzes the request headers to determine whether the request comes from an ECP-enabled client, which decides whether the ECP profile will be used.
static Element marshallMessage(org.opensaml.xml.XMLObject message)
          Helper method that marshals the given message.
static boolean processFilter(String filterName, HttpServletRequest request)
          Determines whether filter with the given name should be invoked for the current request.
static void verifyAlias(String alias, String entityId)
          Verifies that the alias is valid.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SAMLUtil

public SAMLUtil()
Method Detail

getBindingForEndpoint

public static String getBindingForEndpoint(org.opensaml.saml2.metadata.Endpoint endpoint)
Method determines the binding supported by the given endpoint. Usually the binding is encoded in the binding attribute of the endpoint, but in some cases more processing is needed (e.g. for the HoK profile, where the attribute names the profile rather than the transport binding).

Parameters:
endpoint - endpoint
Returns:
binding supported by the endpoint
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case binding can't be determined

getLogoutServiceForBinding

public static org.opensaml.saml2.metadata.SingleLogoutService getLogoutServiceForBinding(org.opensaml.saml2.metadata.SSODescriptor descriptor,
                                                                                         String binding)
                                                                                  throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Returns the single logout service of the given descriptor (IDP or SP) that supports the given binding.

Parameters:
descriptor - descriptor (IDP or SP) to search for the service in
binding - binding the service must support
Returns:
single logout service capable of handling the given binding
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - if no such service can be determined

getLogoutBinding

public static String getLogoutBinding(org.opensaml.saml2.metadata.IDPSSODescriptor idp,
                                      org.opensaml.saml2.metadata.SPSSODescriptor sp)
                               throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException

getDefaultBinding

public static String getDefaultBinding(org.opensaml.saml2.metadata.IDPSSODescriptor descriptor)
                                throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Returns default binding supported by IDP.

Parameters:
descriptor - descriptor to return binding for
Returns:
first binding in the list of supported
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - no binding found

getIDPSSODescriptor

public static org.opensaml.saml2.metadata.IDPSSODescriptor getIDPSSODescriptor(org.opensaml.saml2.metadata.EntityDescriptor idpEntityDescriptor)
                                                                        throws org.opensaml.ws.message.decoder.MessageDecodingException
Throws:
org.opensaml.ws.message.decoder.MessageDecodingException

getConsumerService

public static org.opensaml.saml2.metadata.AssertionConsumerService getConsumerService(org.opensaml.saml2.metadata.SPSSODescriptor ssoDescriptor,
                                                                                      Integer index)
Loads the assertion consumer service designated by the index. If an index is specified the consumer with that index is located and returned, otherwise the default consumer is used.

Parameters:
ssoDescriptor - descriptor
index - to load, can be null
Returns:
consumer service
Throws:
org.opensaml.common.SAMLRuntimeException - in case assertionConsumerService with given index isn't found

getArtifactResolutionService

public static org.opensaml.saml2.metadata.ArtifactResolutionService getArtifactResolutionService(org.opensaml.saml2.metadata.IDPSSODescriptor idpssoDescriptor,
                                                                                                 int endpointIndex)
                                                                                          throws org.opensaml.ws.message.decoder.MessageDecodingException
Throws:
org.opensaml.ws.message.decoder.MessageDecodingException

processFilter

public static boolean processFilter(String filterName,
                                    HttpServletRequest request)
Determines whether the filter with the given name should be invoked for the current request. The filter is used when the request URI contains the filterName. Because this is a substring test, a filterName that is a prefix of another mapped path matches that path as well, so filter names must be chosen so that none is contained in another.

Parameters:
filterName - name of the filter to search URI for
request - request
Returns:
true if filter should be processed for this request

compare

public static boolean compare(byte[] hashID,
                              String entityId)
                       throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Helper method compares whether SHA-1 hash of the entityId equals the hashID.

Parameters:
hashID - hash id to compare
entityId - entity id to hash and verify
Returns:
true if values match
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case SHA-1 hash can't be initialized
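The hash that compare() checks is the SHA-1 of the issuer's entityID, which is also the 20-byte SourceID carried inside a SAML 2.0 type 0x0004 artifact (together with the endpoint index that getArtifactResolutionService takes). The following is an added example, not Spring Security SAML code: it builds such an artifact for a constructed entityID, extracts the SourceID and endpoint index, and compares the SourceID against candidate entityIDs in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Added example, not part of Spring Security SAML. The entityIDs and the
// message handle below are constructed for the example.
public class SourceIdExample {

    // SourceID = SHA-1(entityID), the value SAMLUtil.compare matches hashID against.
    static byte[] sourceId(String entityId) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-1").digest(entityId.getBytes(StandardCharsets.UTF_8));
    }

    // Constant-time comparison: MessageDigest.isEqual does not stop at the first
    // differing byte the way Arrays.equals does.
    static boolean matches(byte[] hashId, String entityId) throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(hashId, sourceId(entityId));
    }

    // Type 0x0004 artifact layout: 2 bytes type code, 2 bytes endpoint index,
    // 20 bytes SourceID, 20 bytes message handle = 44 bytes.
    static byte[] sourceIdFromArtifact(byte[] artifact) {
        if (artifact.length != 44 || artifact[0] != 0 || artifact[1] != 4) {
            throw new IllegalArgumentException("not a type 0004 artifact");
        }
        return Arrays.copyOfRange(artifact, 4, 24);
    }

    static int endpointIndex(byte[] artifact) {
        return ((artifact[2] & 0xff) << 8) | (artifact[3] & 0xff);
    }

    public static void main(String[] args) throws Exception {
        String idp = "https://idp.example.org/idp/shibboleth";   // constructed entityID

        // Assemble an artifact the way an IDP would: index 0, our SourceID, a handle.
        byte[] artifact = new byte[44];
        artifact[1] = 4;
        System.arraycopy(sourceId(idp), 0, artifact, 4, 20);
        Arrays.fill(artifact, 24, 44, (byte) 0x5a);               // constructed message handle

        byte[] fromArtifact = sourceIdFromArtifact(artifact);
        System.out.println("endpoint index: " + endpointIndex(artifact));
        System.out.println("matches issuing IDP: " + matches(fromArtifact, idp));
        System.out.println("matches other IDP:   " + matches(fromArtifact, "https://other.example.org/idp"));
    }
}
```

The SourceID only tells the SP which IDP metadata to resolve the artifact against; the message handle must still be resolved over a mutually authenticated channel, and the resolved message's signature and issuer checked as usual. SHA-1 is acceptable here because the value is an identifier lookup, not a signature.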

verifyAlias

public static void verifyAlias(String alias,
                               String entityId)
                        throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Verifies that the alias is valid.

Parameters:
alias - alias to verify
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case any validation problem is found

getBase64EncodeCertificates

public static List<String> getBase64EncodeCertificates(org.opensaml.xml.signature.KeyInfo keyInfo)
Parses list of all Base64 encoded certificates found inside the KeyInfo element. All present X509Data elements are processed.

Parameters:
keyInfo - key info to parse
Returns:
found base64 encoded certificates

getBase64EncodedCertificates

public static List<String> getBase64EncodedCertificates(org.opensaml.xml.signature.X509Data x509Data)
Parses list of Base64 encoded certificates present in the X509Data element.

Parameters:
x509Data - data to parse
Returns:
list with 0..n certificates

isECPRequest

public static boolean isECPRequest(HttpServletRequest request)
Analyzes the request headers to determine whether the request comes from an ECP-enabled client, and on that basis decides whether the ECP profile will be used. The method is static and therefore cannot be overridden.

Parameters:
request - request to analyze
Returns:
whether the request comes from an ECP-enabled client or not
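Both processFilter (above) and isECPRequest make a routing decision from the raw servlet request, one from the URI and one from the headers. The following added example, not part of Spring Security SAML, drives both with spring-test's MockHttpServletRequest. The paths and the filter name are constructed; the Accept and PAOS header values are the ones the SAML 2.0 ECP profile defines for an ECP client.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.saml.util.SAMLUtil;

// Added example, not part of Spring Security SAML. Requires spring-test on the
// classpath for MockHttpServletRequest.
public class RequestRoutingExample {

    // What a normal browser sends: an HTML Accept header and no PAOS header.
    static HttpServletRequest browserRequest(String uri) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", uri);
        request.addHeader("Accept", "text/html,application/xhtml+xml");
        return request;
    }

    // What an ECP client sends per the SAML 2.0 ECP profile: PAOS media type in
    // Accept plus a PAOS header naming the ECP service.
    static HttpServletRequest ecpRequest(String uri) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", uri);
        request.addHeader("Accept", "text/html; application/vnd.paos+xml");
        request.addHeader("PAOS",
                "ver=\"urn:liberty:paos:2003-08\";\"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp\"");
        return request;
    }

    public static void main(String[] args) {
        String filterName = "/saml/SSO";   // constructed filter name

        // processFilter is a substring test on the request URI.
        System.out.println("/saml/SSO      -> " + SAMLUtil.processFilter(filterName, browserRequest("/saml/SSO")));
        System.out.println("/saml/metadata -> " + SAMLUtil.processFilter(filterName, browserRequest("/saml/metadata")));
        // A longer constructed path that embeds the filter name also satisfies the substring test.
        System.out.println("/saml/SSOExtra -> " + SAMLUtil.processFilter(filterName, browserRequest("/saml/SSOExtra")));

        // isECPRequest is driven by headers, not the URI: a browser and an ECP client
        // hitting the same entry point are routed to different profiles.
        System.out.println("browser is ECP:    " + SAMLUtil.isECPRequest(browserRequest("/saml/login")));
        System.out.println("ECP client is ECP: " + SAMLUtil.isECPRequest(ecpRequest("/saml/login")));
    }
}
```

The practical consequence of the header-driven decision is that any client can opt into the ECP flow simply by sending those two headers, so ECP must be deployed only where the SOAP-based exchange is intended to be reachable, and the SP-side checks on the resulting response are no weaker than for the browser profiles.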

getEndpoint

public static <T extends org.opensaml.saml2.metadata.Endpoint> T getEndpoint(List<T> endpoints,
                                                                             String messageBinding,
                                                                             String filterURL)
                                                                  throws org.opensaml.common.SAMLException
Method helps to identify which endpoint is used to process the current message. It expects a list of potential endpoints based on the current profile and selects the one which uses the specified binding and contains the filterURL in its location. We presume that each profile-binding combination has a unique name. We also presume that the filterURL string is contained exactly once in the endpoint location.

Type Parameters:
T - type of the endpoint
Parameters:
endpoints - endpoints to check
messageBinding - binding
filterURL - url of the filter processing the request
Returns:
first endpoint satisfying the filterURL and binding conditions
Throws:
org.opensaml.common.SAMLException - in case endpoint can't be found
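The following added example, not part of Spring Security SAML, builds a small list of SP assertion consumer endpoints with the OpenSAML 2 builder API and resolves the endpoint for an incoming message with SAMLUtil.getEndpoint. It also shows the failure case: a binding the metadata does not advertise for that filter path results in a SAMLException rather than a fallback. The locations and filter path are constructed.

```java
import java.util.Arrays;
import java.util.List;

import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.ConfigurationException;
import org.springframework.security.saml.util.SAMLUtil;

// Added example, not part of Spring Security SAML. Requires OpenSAML 2 and
// spring-security-saml on the classpath.
public class EndpointSelectionExample {

    // Build one AssertionConsumerService element the way it would appear in SP metadata.
    @SuppressWarnings("unchecked")
    static AssertionConsumerService acs(String binding, String location, int index) {
        SAMLObjectBuilder<AssertionConsumerService> builder = (SAMLObjectBuilder<AssertionConsumerService>)
                Configuration.getBuilderFactory().getBuilder(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
        AssertionConsumerService service = builder.buildObject();
        service.setBinding(binding);
        service.setLocation(location);
        service.setIndex(index);
        return service;
    }

    public static void main(String[] args) throws ConfigurationException, SAMLException {
        DefaultBootstrap.bootstrap();   // initialises the OpenSAML builder/marshaller registry

        // Constructed SP metadata: two bindings published on the same location.
        List<AssertionConsumerService> endpoints = Arrays.asList(
                acs(SAMLConstants.SAML2_POST_BINDING_URI,     "https://sp.example.org/saml/SSO", 0),
                acs(SAMLConstants.SAML2_ARTIFACT_BINDING_URI, "https://sp.example.org/saml/SSO", 1));

        // Binding the response arrived with, and the path of the filter that received it.
        String binding = SAMLConstants.SAML2_POST_BINDING_URI;
        String filterUrl = "/saml/SSO";

        AssertionConsumerService selected = SAMLUtil.getEndpoint(endpoints, binding, filterUrl);
        System.out.println("selected index " + selected.getIndex() + " at " + selected.getLocation());

        // No endpoint advertises HTTP-Redirect for this path, so the lookup fails:
        // the SP must not accept a message on an endpoint its metadata does not publish.
        try {
            SAMLUtil.getEndpoint(endpoints, SAMLConstants.SAML2_REDIRECT_BINDING_URI, filterUrl);
            System.out.println("unexpected: endpoint found for Redirect binding");
        } catch (SAMLException expected) {
            System.out.println("no endpoint for Redirect binding: " + expected.getMessage());
        }
    }
}
```

Matching on the endpoint actually published in metadata is what lets later validation compare the Destination attribute of the message against a known location; that is why the exception should be allowed to abort processing rather than being caught and replaced with a default endpoint.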

getIDPDescriptor

public static org.opensaml.saml2.metadata.IDPSSODescriptor getIDPDescriptor(MetadataManager metadata,
                                                                            String idpId)
                                                                     throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Loads IDP descriptor for entity with the given entityID. Fails when it can't be found.

Parameters:
metadata - metadata manager
idpId - entity ID
Returns:
descriptor
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case descriptor can't be found

marshallMessage

public static Element marshallMessage(org.opensaml.xml.XMLObject message)
                               throws org.opensaml.ws.message.encoder.MessageEncodingException
Helper method that marshals the given message.

Parameters:
message - message to marshal and serialize
Returns:
marshaled message
Throws:
org.opensaml.ws.message.encoder.MessageEncodingException - thrown if the given message can not be marshaled into its DOM representation

isDateTimeSkewValid

public static boolean isDateTimeSkewValid(int skewInSec,
                                          org.joda.time.DateTime time)
Verifies that the current time is within skewInSec seconds of the time value, that is, inside the interval from time minus skewInSec to time plus skewInSec.

Parameters:
skewInSec - skew interval in seconds
time - time the current time must fit into with the given skew
Returns:
true if time matches, false otherwise

isDateTimeSkewValid

public static boolean isDateTimeSkewValid(int skewInSec,
                                          int forwardInterval,
                                          org.joda.time.DateTime time)
Verifies that the current time fits into the interval from time minus skewInSec to time plus forwardInterval plus skewInSec. There is no separate backward interval parameter; the only slack in the backward direction is skewInSec.

Parameters:
skewInSec - skew interval in seconds
forwardInterval - forward interval in sec
time - time the current time must fit into with the given skew
Returns:
true if time matches, false otherwise
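The two overloads differ only in how far after the stamped time a message is still acceptable. The following added example, not Spring Security SAML code, re-implements the documented interval arithmetic with Joda-Time against a fixed reference instant instead of the wall clock, so the boundaries (recent message, replayed message, timestamp from a fast peer clock, forward interval) can be exercised deterministically. The reference time, timestamps and skew values are constructed.

```java
import org.joda.time.DateTime;
import org.joda.time.Interval;

// Added example, not part of Spring Security SAML. Mirrors the documented
// semantics of isDateTimeSkewValid with an explicit "now" for testability.
public class SkewCheckExample {

    // Equivalent of isDateTimeSkewValid(skewInSec, time):
    // now must lie in [time - skew, time + skew].
    static boolean withinSkew(int skewInSec, DateTime time, DateTime now) {
        Interval valid = new Interval(time.minusSeconds(skewInSec), time.plusSeconds(skewInSec));
        return valid.contains(now);   // Joda intervals are start-inclusive, end-exclusive
    }

    // Equivalent of isDateTimeSkewValid(skewInSec, forwardInterval, time):
    // now must lie in [time - skew, time + forwardInterval + skew].
    static boolean withinSkew(int skewInSec, int forwardInterval, DateTime time, DateTime now) {
        Interval valid = new Interval(time.minusSeconds(skewInSec),
                                      time.plusSeconds(forwardInterval + skewInSec));
        return valid.contains(now);
    }

    public static void main(String[] args) {
        DateTime now = new DateTime(2024, 1, 1, 12, 0, 0);   // constructed reference instant
        DateTime issued = now.minusSeconds(45);               // IssueInstant 45 s in the past
        int skew = 60;                                         // tolerated clock skew in seconds

        // Recent message: 45 s old with 60 s skew allowed.
        System.out.println("recent message:      " + withinSkew(skew, issued, now));
        // Same message presented again 5 minutes later (replay outside the window).
        System.out.println("replayed 5 min later: " + withinSkew(skew, issued, now.plusMinutes(5)));
        // Timestamp 2 minutes in the future from a badly skewed peer clock.
        System.out.println("2 min in the future:  " + withinSkew(skew, now.plusMinutes(2), now));

        // Three-argument form: message usable for 120 s after issue, plus skew.
        System.out.println("seen 100 s later:     " + withinSkew(skew, 120, issued, now.plusSeconds(100)));
        System.out.println("seen 3 min later:     " + withinSkew(skew, 120, issued, now.plusMinutes(3)));
    }
}
```

Passing the reference instant explicitly is what makes the boundaries unit-testable; the library's methods read the system clock internally. Keep skewInSec small (tens of seconds): every second of skew widens the window in which a captured response can be replayed, so fix clock synchronisation rather than compensating with a large skew.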
