Spring Security SAML

org.springframework.security.saml.util
Class SAMLUtil

java.lang.Object
  extended by org.springframework.security.saml.util.SAMLUtil

public class SAMLUtil
extends Object

Utility class for SAML entities

Author:
Vladimir Schaefer

Constructor Summary
SAMLUtil()
           
 
Method Summary
static boolean compare(byte[] hashID, String entityId)
          Helper method compares whether SHA-1 hash of the entityId equals the hashID.
static org.opensaml.saml2.metadata.ArtifactResolutionService getArtifactResolutionService(org.opensaml.saml2.metadata.IDPSSODescriptor idpssoDescriptor, int endpointIndex)
           
static List<String> getBase64EncodeCertificates(org.opensaml.xml.signature.KeyInfo keyInfo)
          Parses list of all Base64 encoded certificates found inside the KeyInfo element.
static List<String> getBase64EncodedCertificates(org.opensaml.xml.signature.X509Data x509Data)
          Parses list of Base64 encoded certificates present in the X509Data element.
static String getBindingForEndpoint(org.opensaml.saml2.metadata.Endpoint endpoint)
          Method determines binding supported by the given endpoint.
static org.opensaml.saml2.metadata.AssertionConsumerService getConsumerService(org.opensaml.saml2.metadata.SPSSODescriptor ssoDescriptor, Integer index)
          Loads the assertionConsumerIndex designated by the index.
static <T extends org.opensaml.saml2.metadata.Endpoint> T getEndpoint(List<T> endpoints, String messageBinding, org.opensaml.ws.transport.InTransport inTransport)
          Method helps to identify which endpoint is used to process the current message.
static HostnameVerifier getHostnameVerifier(String hostnameVerificationType)
          Populates hostname verifier of the given type.
static org.opensaml.saml2.metadata.IDPSSODescriptor getIDPDescriptor(MetadataManager metadata, String idpId)
          Loads IDP descriptor for entity with the given entityID.
static org.opensaml.saml2.metadata.IDPSSODescriptor getIDPSSODescriptor(org.opensaml.saml2.metadata.EntityDescriptor idpEntityDescriptor)
           
static String getLogoutBinding(org.opensaml.saml2.metadata.IDPSSODescriptor idp, org.opensaml.saml2.metadata.SPSSODescriptor sp)
           
static org.opensaml.saml2.metadata.SingleLogoutService getLogoutServiceForBinding(org.opensaml.saml2.metadata.SSODescriptor descriptor, String binding)
          Returns Single logout service for given binding of the IDP.
static String getMetadataAsString(MetadataManager metadataManager, KeyManager keyManager, org.opensaml.saml2.metadata.EntityDescriptor descriptor, ExtendedMetadata extendedMetadata)
          Method digitally signs the EntityDescriptor element (when signing is enabled through the signMetadata property of the extended metadata) and serializes the result into a string.
static String getNCNameString(String value)
          Method replaces all characters which are not allowed in xsd:NCName type with underscores.
static boolean isDateTimeSkewValid(int skewInSec, org.joda.time.DateTime time)
          Verifies that the current time is within skewInSec interval from the time value.
static boolean isDateTimeSkewValid(int skewInSec, long forwardInterval, org.joda.time.DateTime time)
          Verifies that the current time fits into the interval from time minus skew to time plus forwardInterval plus skew.
static boolean isECPRequest(HttpServletRequest request)
          Analyzes the request headers in order to determine if it comes from an ECP-enabled client and based on this decides whether ECP profile will be used.
static Element marshallAndSignMessage(org.opensaml.xml.signature.SignableXMLObject signableMessage, org.opensaml.xml.security.credential.Credential signingCredential, String signingAlgorithm, String keyInfoGenerator)
          Method digitally signs and marshals the object in case it is signable and the signing credential is provided.
static Element marshallMessage(org.opensaml.xml.XMLObject message)
          Helper method that marshals the given message.
static boolean processFilter(String filterName, HttpServletRequest request)
          Determines whether filter with the given name should be invoked for the current request.
static void verifyAlias(String alias, String entityId)
          Verifies that the alias is valid.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SAMLUtil

public SAMLUtil()
Method Detail

getBindingForEndpoint

public static String getBindingForEndpoint(org.opensaml.saml2.metadata.Endpoint endpoint)
Method determines the binding supported by the given endpoint. Usually the binding is encoded in the Binding attribute of the endpoint, but in some cases more processing is needed (e.g. for the HoK profile).

Parameters:
endpoint - endpoint
Returns:
binding supported by the endpoint

getLogoutServiceForBinding

public static org.opensaml.saml2.metadata.SingleLogoutService getLogoutServiceForBinding(org.opensaml.saml2.metadata.SSODescriptor descriptor,
                                                                                         String binding)
                                                                                  throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Returns the SingleLogoutService of the given descriptor (typically the IDP's) that supports the given binding.

Parameters:
descriptor - descriptor (IDP) to search for the service in
binding - binding the service must support
Returns:
Single logout service capable of handling the given binding
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - if the service can't be determined

getLogoutBinding

public static String getLogoutBinding(org.opensaml.saml2.metadata.IDPSSODescriptor idp,
                                      org.opensaml.saml2.metadata.SPSSODescriptor sp)
                               throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException

getIDPSSODescriptor

public static org.opensaml.saml2.metadata.IDPSSODescriptor getIDPSSODescriptor(org.opensaml.saml2.metadata.EntityDescriptor idpEntityDescriptor)
                                                                        throws org.opensaml.ws.message.decoder.MessageDecodingException
Throws:
org.opensaml.ws.message.decoder.MessageDecodingException

getConsumerService

public static org.opensaml.saml2.metadata.AssertionConsumerService getConsumerService(org.opensaml.saml2.metadata.SPSSODescriptor ssoDescriptor,
                                                                                      Integer index)
Loads the AssertionConsumerService designated by the index. When an index is given, the service with that index is located and returned; otherwise the default service is used.

Parameters:
ssoDescriptor - descriptor
index - to load, can be null
Returns:
consumer service
Throws:
org.opensaml.common.SAMLRuntimeException - in case assertionConsumerService with given index isn't found

getArtifactResolutionService

public static org.opensaml.saml2.metadata.ArtifactResolutionService getArtifactResolutionService(org.opensaml.saml2.metadata.IDPSSODescriptor idpssoDescriptor,
                                                                                                 int endpointIndex)
                                                                                          throws org.opensaml.ws.message.decoder.MessageDecodingException
Throws:
org.opensaml.ws.message.decoder.MessageDecodingException

processFilter

public static boolean processFilter(String filterName,
                                    HttpServletRequest request)
Determines whether the filter with the given name should be invoked for the current request. The filter is invoked when the request URI contains filterName as a substring, so a name that is a prefix of another filter's name also matches that filter's URIs.

Parameters:
filterName - name of the filter to search URI for
request - request
Returns:
true if filter should be processed for this request

compare

public static boolean compare(byte[] hashID,
                              String entityId)
                       throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Helper method that compares the SHA-1 hash of the entityId with hashID. It is used to resolve hash-based entity identifiers back to the entity they were derived from.

Parameters:
hashID - hash id to compare
entityId - entity id to hash and verify
Returns:
true if values match
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case SHA-1 hash can't be initialized
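The comparison described above, as an added example that is not the library's own code: hashID is assumed to be the raw 20-byte digest, the entity ID is assumed to be hashed as UTF-8, and the comparison uses MessageDigest.isEqual so that the time taken does not reveal how many leading bytes matched.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/** Added example modelled on the documented SAMLUtil.compare contract (not the library's code). */
public final class EntityIdHashCompare {

    /** SHA-1 digest of the entity ID; UTF-8 encoding is an assumption of this example. */
    static byte[] sha1(String entityId) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        return md.digest(entityId.getBytes(StandardCharsets.UTF_8));
    }

    /** Constant-time comparison of a supplied digest against the digest of entityId. */
    static boolean compare(byte[] hashID, String entityId) throws NoSuchAlgorithmException {
        if (hashID == null || entityId == null) {
            return false;
        }
        // isEqual compares every byte regardless of where the first mismatch is,
        // and returns false (without throwing) when the lengths differ.
        return MessageDigest.isEqual(hashID, sha1(entityId));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample entity ID
        String entityId = "https://sp.example.org/saml/metadata";
        byte[] expected = sha1(entityId);

        // Matching digest
        System.out.println("match:     " + compare(expected, entityId));

        // Digest with one flipped bit
        byte[] tampered = Arrays.copyOf(expected, expected.length);
        tampered[0] ^= 0x01;
        System.out.println("tampered:  " + compare(tampered, entityId));

        // Digest of the wrong length
        System.out.println("truncated: " + compare(Arrays.copyOf(expected, 8), entityId));
    }
}
```

Only the first comparison succeeds. SHA-1 is adequate here because the digest is a lookup key for a public identifier rather than a signature; the property that matters is that a caller cannot learn anything about the stored value from the comparison time.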

verifyAlias

public static void verifyAlias(String alias,
                               String entityId)
                        throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Verifies that the alias is valid. The alias must be a non-empty string containing only ASCII characters.

Parameters:
alias - alias to verify
entityId - id of the entity
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case any validation problem is found

getBase64EncodeCertificates

public static List<String> getBase64EncodeCertificates(org.opensaml.xml.signature.KeyInfo keyInfo)
Parses list of all Base64 encoded certificates found inside the KeyInfo element. All present X509Data elements are processed.

Parameters:
keyInfo - key info to parse
Returns:
found base64 encoded certificates

getBase64EncodedCertificates

public static List<String> getBase64EncodedCertificates(org.opensaml.xml.signature.X509Data x509Data)
Parses list of Base64 encoded certificates present in the X509Data element.

Parameters:
x509Data - data to parse
Returns:
list with 0..n certificates

isECPRequest

public static boolean isECPRequest(HttpServletRequest request)
Analyzes the request headers in order to determine whether the request comes from an ECP-enabled client and, based on this, decides whether the ECP profile will be used.

Parameters:
request - request to analyze
Returns:
whether the request comes from an ECP-enabled client or not

getEndpoint

public static <T extends org.opensaml.saml2.metadata.Endpoint> T getEndpoint(List<T> endpoints,
                                                                             String messageBinding,
                                                                             org.opensaml.ws.transport.InTransport inTransport)
                                                                  throws org.opensaml.common.SAMLException
Method helps to identify which endpoint is used to process the current message. It expects a list of potential endpoints based on the current profile and selects the one which uses the specified binding and matches the URL of incoming message.

Type Parameters:
T - type of the endpoint
Parameters:
endpoints - endpoints to check
messageBinding - binding
inTransport - transport which received the current message
Returns:
first endpoint satisfying the requestURL and binding conditions
Throws:
org.opensaml.common.SAMLException - in case endpoint can't be found

getIDPDescriptor

public static org.opensaml.saml2.metadata.IDPSSODescriptor getIDPDescriptor(MetadataManager metadata,
                                                                            String idpId)
                                                                     throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Loads IDP descriptor for entity with the given entityID. Fails when it can't be found.

Parameters:
metadata - metadata manager
idpId - entity ID
Returns:
descriptor
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case descriptor can't be found

marshallMessage

public static Element marshallMessage(org.opensaml.xml.XMLObject message)
                               throws org.opensaml.ws.message.encoder.MessageEncodingException
Helper method that marshals the given message.

Parameters:
message - message to marshall
Returns:
marshaled message
Throws:
org.opensaml.ws.message.encoder.MessageEncodingException - thrown if the given message cannot be marshalled into its DOM representation

marshallAndSignMessage

public static Element marshallAndSignMessage(org.opensaml.xml.signature.SignableXMLObject signableMessage,
                                             org.opensaml.xml.security.credential.Credential signingCredential,
                                             String signingAlgorithm,
                                             String keyInfoGenerator)
                                      throws org.opensaml.ws.message.encoder.MessageEncodingException
Method digitally signs and marshals the object when it is signable and a signing credential is provided. If the object is already signed or no signing credential is provided, the message is only marshalled.

Parameters:
signableMessage - object to sign
signingCredential - credential to sign with
signingAlgorithm - signing algorithm to use (optional). Leave null to use credential's default algorithm
keyInfoGenerator - name of generator used to create KeyInfo elements with key data
Returns:
marshalled and signed message
Throws:
org.opensaml.ws.message.encoder.MessageEncodingException - thrown if there is a problem marshalling or signing the message
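The sign-then-marshal sequence described above, written out as an added example against the OpenSAML 2 API (this is illustrative code, not the library's implementation). It assumes the caller has already bootstrapped OpenSAML (DefaultBootstrap.bootstrap()) and that keyInfoGenerator names a KeyInfoGeneratorManager registered in the global security configuration.

```java
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.SignableXMLObject;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.w3c.dom.Element;

/** Added example of signing and marshalling an OpenSAML 2 object (not the library's code). */
public final class SignAndMarshal {

    static Element marshallAndSignMessage(SignableXMLObject signableMessage, Credential signingCredential,
                                          String signingAlgorithm, String keyInfoGenerator)
            throws MessageEncodingException {
        try {
            // Sign only when we have a key and the object does not already carry a signature.
            boolean signHere = signingCredential != null && !signableMessage.isSigned();
            if (signHere) {
                Signature signature = (Signature) Configuration.getBuilderFactory()
                        .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                        .buildObject(Signature.DEFAULT_ELEMENT_NAME);
                signature.setSigningCredential(signingCredential);
                if (signingAlgorithm != null) {
                    signature.setSignatureAlgorithm(signingAlgorithm);
                }
                // Fills in the remaining parameters from the global security configuration:
                // canonicalization, the credential's default algorithm if none was set above,
                // and the KeyInfo produced by the named generator.
                SecurityHelper.prepareSignatureParams(signature, signingCredential, null, keyInfoGenerator);
                signableMessage.setSignature(signature);
            }

            Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(signableMessage);
            if (marshaller == null) {
                throw new MessageEncodingException(
                        "No marshaller registered for " + signableMessage.getElementQName());
            }
            // The SignatureValue is computed over the marshalled DOM, so marshal first, sign second.
            Element element = marshaller.marshall(signableMessage);
            if (signHere) {
                Signer.signObject(signableMessage.getSignature());
            }
            return element;
        } catch (MarshallingException e) {
            throw new MessageEncodingException("Unable to marshall message", e);
        } catch (SecurityException e) {
            throw new MessageEncodingException("Unable to prepare signature parameters", e);
        } catch (SignatureException e) {
            throw new MessageEncodingException("Unable to sign message", e);
        }
    }
}
```

The order matters: the signature is computed over the serialized DOM, so signing before marshalling, or mutating the XMLObject after signObject has run, produces a signature that will not verify. Treat the returned Element as final.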

isDateTimeSkewValid

public static boolean isDateTimeSkewValid(int skewInSec,
                                          org.joda.time.DateTime time)
Verifies that the current time is within skewInSec interval from the time value.

Parameters:
skewInSec - skew interval in seconds
time - time the current time must fit into with the given skew
Returns:
true if time matches, false otherwise

isDateTimeSkewValid

public static boolean isDateTimeSkewValid(int skewInSec,
                                          long forwardInterval,
                                          org.joda.time.DateTime time)
Verifies that the current time fits into the interval from time minus skew to time plus forwardInterval plus skew. The two-argument variant is the special case with a forwardInterval of zero.

Parameters:
skewInSec - skew interval in seconds
forwardInterval - forward interval in sec
time - time the current time must fit into with the given skew
Returns:
true if time matches, false otherwise
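Both skew checks described above, written out as an added example (not the library's code) with an explicit reference clock so the window can be exercised deterministically. It assumes joda-time on the classpath and follows Joda's Interval semantics, in which the end instant is excluded.

```java
import org.joda.time.DateTime;
import org.joda.time.Interval;

/** Added example of skew-tolerant timestamp validation (not the library's code). */
public final class SkewCheck {

    /** The current time must lie within [time - skew, time + skew). */
    static boolean isDateTimeSkewValid(int skewInSec, DateTime time) {
        return isDateTimeSkewValid(skewInSec, 0, time);
    }

    /** The current time must lie within [time - skew, time + forwardInterval + skew). */
    static boolean isDateTimeSkewValid(int skewInSec, long forwardInterval, DateTime time) {
        return isValidAt(new DateTime(), skewInSec, forwardInterval, time);
    }

    /** Same check against an explicit reference clock. */
    static boolean isValidAt(DateTime now, int skewInSec, long forwardInterval, DateTime time) {
        if (time == null) {
            return false; // a missing timestamp never passes
        }
        DateTime earliest = time.minusSeconds(skewInSec);
        DateTime latest = time.plusSeconds((int) forwardInterval + skewInSec);
        // Interval is half-open: [earliest, latest)
        return new Interval(earliest, latest).contains(now);
    }

    public static void main(String[] args) {
        // Constructed sample: a message issued at 12:00:00Z, checked with 60 s skew
        // and accepted for 300 s after issue.
        DateTime issueInstant = new DateTime("2024-01-01T12:00:00Z");
        int skew = 60;
        long forward = 300;

        // Receiver clock 30 s behind the issuer: inside the skew allowance.
        System.out.println(isValidAt(new DateTime("2024-01-01T11:59:30Z"), skew, forward, issueInstant));
        // Shortly before the forward window closes.
        System.out.println(isValidAt(new DateTime("2024-01-01T12:04:59Z"), skew, forward, issueInstant));
        // Forward window plus skew exceeded: stale message.
        System.out.println(isValidAt(new DateTime("2024-01-01T12:06:01Z"), skew, forward, issueInstant));
        // Issued more than skew seconds in the receiver's future.
        System.out.println(isValidAt(new DateTime("2024-01-01T11:58:00Z"), skew, forward, issueInstant));
        // Two-argument form with the same reference clock: only the skew window applies.
        System.out.println(isValidAt(new DateTime("2024-01-01T12:02:00Z"), skew, 0, issueInstant));
    }
}
```

With these values the window is 11:59:00 to 12:06:00, so the first two checks pass and the remaining three fail. forwardInterval is what bounds how long a captured message remains replayable; the skew only absorbs clock drift between the two parties and should be kept small.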

getNCNameString

public static String getNCNameString(String value)
Method replaces all characters which are not allowed in the xsd:NCName type with underscores. It also makes sure that the value doesn't start with a hyphen by replacing it with an underscore. This matters for SAML ID attributes, whose type is xsd:ID (an NCName): a value that is not an NCName is schema-invalid.

Parameters:
value - value to clean
Returns:
null for null input, otherwise cleaned value
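An added example of such a cleaner (not the library's code). It goes beyond the documented behaviour in one respect: a leading digit or period is invalid at the start of an NCName as well, so the first character is checked against the start-character rules rather than only against the hyphen. The character classes are an approximation of the XML Name productions built from java.lang.Character categories.

```java
/** Added example: sanitize an arbitrary string into a valid xsd:NCName (not the library's code). */
public final class NCName {

    static String getNCNameString(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); ) {
            int cp = value.codePointAt(i);
            boolean allowed = (i == 0) ? isNameStart(cp) : isNameChar(cp);
            // '_' is a valid start character, so replacing position 0 never breaks the rule.
            sb.appendCodePoint(allowed ? cp : '_');
            i += Character.charCount(cp);
        }
        return sb.toString();
    }

    /** Start characters: letters and underscore. Colon is excluded because NCName means "no colon". */
    static boolean isNameStart(int cp) {
        return cp == '_' || Character.isLetter(cp);
    }

    /** Name characters: start characters plus digits, hyphen, period and combining marks. */
    static boolean isNameChar(int cp) {
        if (isNameStart(cp) || cp == '-' || cp == '.' || Character.isDigit(cp)) {
            return true;
        }
        int type = Character.getType(cp);
        return type == Character.NON_SPACING_MARK
                || type == Character.COMBINING_SPACING_MARK
                || type == Character.ENCLOSING_MARK;
    }

    public static void main(String[] args) {
        // Constructed samples
        String[] inputs = {
            "-abc",                              // leading hyphen
            "1a2b",                              // leading digit
            "urn:example:sp",                    // colons
            "https://sp.example.org/metadata",   // URL used as an identifier
            "ok_value-1.2",                      // already a valid NCName
            "ünïcödé"                            // non-ASCII letters are permitted
        };
        for (String in : inputs) {
            System.out.println(in + " -> " + getNCNameString(in));
        }
    }
}
```

The cleaner is lossy by design: distinct inputs can map to the same NCName, so it is suitable for making a value schema-valid but not for deriving an identifier that must remain unique.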

getHostnameVerifier

public static HostnameVerifier getHostnameVerifier(String hostnameVerificationType)
Populates a hostname verifier of the given type. Supported values are default, defaultAndLocalhost, strict and allowAll. Unsupported values will return the default verifier. Note that allowAll disables hostname verification entirely and should not be used outside testing, and that a misspelled type falls back silently to the default verifier rather than failing.

Parameters:
hostnameVerificationType - type
Returns:
verifier

getMetadataAsString

public static String getMetadataAsString(MetadataManager metadataManager,
                                         KeyManager keyManager,
                                         org.opensaml.saml2.metadata.EntityDescriptor descriptor,
                                         ExtendedMetadata extendedMetadata)
                                  throws org.opensaml.xml.io.MarshallingException
Method digitally signs the EntityDescriptor element (when signing is enabled through the signMetadata property of the extended metadata) and serializes the result into a string.

Parameters:
metadataManager - metadata manager
keyManager - key manager
descriptor - descriptor to sign and serialize
extendedMetadata - information about metadata signing, looked up when null
Returns:
serialized and signed metadata
Throws:
org.opensaml.xml.io.MarshallingException - in case serialization fails
