Spring Security SAML

org.springframework.security.saml.websso
Class ArtifactResolutionProfileImpl

java.lang.Object
  extended by org.springframework.security.saml.websso.AbstractProfileBase
      extended by org.springframework.security.saml.websso.ArtifactResolutionProfileBase
          extended by org.springframework.security.saml.websso.ArtifactResolutionProfileImpl
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, ArtifactResolutionProfile

public class ArtifactResolutionProfileImpl
extends ArtifactResolutionProfileBase

Implementation of the artifact resolution profile which uses Apache Commons HttpClient as the transport for the SAML SOAP binding (the back-channel over which the SP exchanges the artifact for the actual SAML message).


Field Summary
 
Fields inherited from class org.springframework.security.saml.websso.AbstractProfileBase
artifactMap, builderFactory, log, metadata, processor, uriComparator
 
Constructor Summary
ArtifactResolutionProfileImpl(org.apache.commons.httpclient.HttpClient httpClient)
           
 
Method Summary
protected  void getArtifactResponse(String endpointURI, SAMLMessageContext context)
          Uses HTTPClient to send and retrieve ArtifactMessages.
protected  org.apache.commons.httpclient.HostConfiguration getHostConfiguration(org.apache.commons.httpclient.URI uri, SAMLMessageContext context)
          Determines the HostConfiguration used to send the request to the server over the back-channel.
protected  org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory getSSLSocketFactory(SAMLMessageContext context, X509KeyManager manager, X509TrustManager trustManager, HostnameVerifier hostnameVerifier)
          Returns the SecureProtocolSocketFactory used to create SSL connections for artifact resolution.
protected  boolean isHostnameVerificationSupported()
          Checks whether the OpenSAML library in use supports hostname verification.
 
Methods inherited from class org.springframework.security.saml.websso.ArtifactResolutionProfileBase
createArtifactResolve, getProfileIdentifier, resolveArtifact
 
Methods inherited from class org.springframework.security.saml.websso.AbstractProfileBase
afterPropertiesSet, buildCommonAttributes, generateID, getEndpointBinding, getIssuer, getMaxAssertionTime, getResponseSkew, getStatus, isEndpointMatching, sendMessage, sendMessage, setArtifactMap, setMaxAssertionTime, setMetadata, setProcessor, setResponseSkew, verifyEndpoint, verifyIssuer, verifySignature
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ArtifactResolutionProfileImpl

public ArtifactResolutionProfileImpl(org.apache.commons.httpclient.HttpClient httpClient)
Parameters:
httpClient - client used to send SOAP messages
Method Detail

getArtifactResponse

protected void getArtifactResponse(String endpointURI,
                                   SAMLMessageContext context)
                            throws org.opensaml.common.SAMLException,
                                   org.opensaml.ws.message.encoder.MessageEncodingException,
                                   org.opensaml.ws.message.decoder.MessageDecodingException,
                                   org.opensaml.saml2.metadata.provider.MetadataProviderException,
                                   org.opensaml.xml.security.SecurityException
Uses HTTPClient to send and retrieve ArtifactMessages.

Specified by:
getArtifactResponse in class ArtifactResolutionProfileBase
Parameters:
endpointURI - URI incoming artifactMessage is addressed to
context - context with filled communicationProfileId, outboundMessage, outboundSAMLMessage, peerEntityEndpoint, peerEntityId, peerEntityMetadata, peerEntityRole, peerEntityRoleMetadata
Throws:
org.opensaml.common.SAMLException - error processing artifact messages
org.opensaml.ws.message.encoder.MessageEncodingException - error sending artifactRequest
org.opensaml.ws.message.decoder.MessageDecodingException - error retrieving artifactResponse
org.opensaml.saml2.metadata.provider.MetadataProviderException - error resolving metadata
org.opensaml.xml.security.SecurityException - invalid message signature

getHostConfiguration

protected org.apache.commons.httpclient.HostConfiguration getHostConfiguration(org.apache.commons.httpclient.URI uri,
                                                                               SAMLMessageContext context)
                                                                        throws org.opensaml.ws.message.encoder.MessageEncodingException
Determines the HostConfiguration used to send the request to the server over the back-channel. The configuration must contain the URI of the host and the protocol to use, including all of its security settings.

The default implementation uses the plain http protocol for non-SSL endpoints. For SSL endpoints it constructs a separate TrustManager (rather than relying on the JVM's default trust store) from the trust engine specified in the SAMLMessageContext, which is either MetaIOP (only certificates obtained from Metadata and ExtendedMetadata are trusted) or PKIX (certificates from Metadata and ExtendedMetadata together with the configured trust anchors are trusted, and the presented chain is verified using PKIX).

The trust engine that is used can be customized in the SAMLContextProvider which processes this request.

Default values for the HostConfiguration are cloned from the HttpClient set on this instance; when no defaults are available, a new object is created.

Parameters:
uri - uri the request should be sent to
context - context including the peer address
Returns:
host configuration
Throws:
org.opensaml.ws.message.encoder.MessageEncodingException - in case peer URI can't be parsed

getSSLSocketFactory

protected org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory getSSLSocketFactory(SAMLMessageContext context,
                                                                                                 X509KeyManager manager,
                                                                                                 X509TrustManager trustManager,
                                                                                                 HostnameVerifier hostnameVerifier)
Returns the SecureProtocolSocketFactory used to create SSL connections for artifact resolution. By default an instance of org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory is created from the supplied key manager, trust manager and (when supported) hostname verifier.

Parameters:
context - current SAML context
manager - keys used for client authentication
trustManager - trust manager for server verification
hostnameVerifier - verifier for server hostname, or null
Returns:
socket factory

isHostnameVerificationSupported

protected boolean isHostnameVerificationSupported()
Checks whether the OpenSAML library in use is recent enough. Support for hostname verification was added in openws 1.5.1, and deployments might still run earlier versions of OpenSAML; with those, the default TLSProtocolSocketFactory cannot apply a HostnameVerifier, so the back-channel TLS connection only validates the server certificate against the trust engine, not against the endpoint's host name.

Returns:
true when the OpenSAML library supports hostname verification
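The getHostConfiguration, getSSLSocketFactory and isHostnameVerificationSupported methods above are the extension points for the back-channel TLS connection. The following is an added example written for this page, not code from Spring Security SAML or OpenSAML: a subclass that replaces the default TLSProtocolSocketFactory with its own commons-httpclient 3.x socket factory built from the key manager and trust manager passed in. It keeps the trust engine from the context as the only trust source (failing closed if no trust manager is supplied, since an SSLContext initialised with null trust managers silently falls back to the JVM trust store), pins the TLS protocol versions before the handshake, and has JSSE endpoint identification (Java 7+) check the server certificate against the host name, so the name is verified even when the supplied HostnameVerifier is null because the openws version in use predates 1.5.1. The class name HardenedArtifactResolutionProfile, the preferred protocol list and the fail-closed policy are assumptions of this example.

```java
import java.io.IOException;
import java.net.*;
import java.security.GeneralSecurityException;
import java.util.*;

import javax.net.ssl.*;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.ArtifactResolutionProfileImpl;

// Example subclass (not part of Spring Security SAML): hardens the back-channel TLS
// connection used to resolve artifacts. Class name and policy choices are assumptions.
public class HardenedArtifactResolutionProfile extends ArtifactResolutionProfileImpl {

    // Assumption: the JVM offers at least one of these (older JVMs lack TLSv1.3).
    private static final String[] PREFERRED_PROTOCOLS = { "TLSv1.3", "TLSv1.2" };

    public HardenedArtifactResolutionProfile(HttpClient httpClient) {
        super(httpClient);
    }

    @Override
    protected SecureProtocolSocketFactory getSSLSocketFactory(SAMLMessageContext context,
            X509KeyManager manager, X509TrustManager trustManager, HostnameVerifier hostnameVerifier) {
        // Fail closed: SSLContext.init(..., null, ...) would silently fall back to the JVM
        // trust store and bypass the MetaIOP/PKIX trust engine taken from the context.
        if (trustManager == null) {
            throw new IllegalStateException("No trust manager for the artifact resolution back-channel");
        }
        try {
            SSLContext ctx = SSLContext.getInstance("TLS");
            KeyManager[] keyManagers = manager == null ? null : new KeyManager[] { manager };
            ctx.init(keyManagers, new TrustManager[] { trustManager }, null);
            return new PinnedTlsSocketFactory(ctx.getSocketFactory(), hostnameVerifier);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Cannot initialise back-channel TLS context", e);
        }
    }

    // commons-httpclient 3.x factory: pins protocols and identifies the endpoint before returning.
    static final class PinnedTlsSocketFactory implements SecureProtocolSocketFactory {
        private final SSLSocketFactory factory;
        private final HostnameVerifier verifier; // null when openws < 1.5.1 supplies none

        PinnedTlsSocketFactory(SSLSocketFactory factory, HostnameVerifier verifier) {
            this.factory = factory;
            this.verifier = verifier;
        }

        private Socket secure(Socket raw, String host) throws IOException {
            SSLSocket ssl = (SSLSocket) raw;
            List<String> enabled = new ArrayList<String>(Arrays.asList(PREFERRED_PROTOCOLS));
            enabled.retainAll(Arrays.asList(ssl.getSupportedProtocols()));
            if (enabled.isEmpty()) {
                ssl.close();
                throw new IOException("JVM supports none of " + Arrays.toString(PREFERRED_PROTOCOLS));
            }
            SSLParameters params = ssl.getSSLParameters();
            params.setProtocols(enabled.toArray(new String[enabled.size()]));
            // JSSE (Java 7+) checks the certificate against the host name during the handshake,
            // so the name is verified even when OpenSAML supplied no HostnameVerifier.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            ssl.setSSLParameters(params);
            ssl.startHandshake(); // chain validation happens here, through trustManager
            if (verifier != null && !verifier.verify(host, ssl.getSession())) {
                ssl.close();
                throw new SSLPeerUnverifiedException("Certificate does not match host " + host);
            }
            return ssl;
        }

        public Socket createSocket(String host, int port) throws IOException {
            return secure(factory.createSocket(host, port), host);
        }

        public Socket createSocket(String host, int port, InetAddress localAddress, int localPort)
                throws IOException {
            return secure(factory.createSocket(host, port, localAddress, localPort), host);
        }

        public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
                HttpConnectionParams params) throws IOException {
            // Unconnected socket first, so the connect timeout from the client params applies.
            Socket socket = factory.createSocket();
            socket.bind(new InetSocketAddress(localAddress, localPort));
            socket.connect(new InetSocketAddress(host, port), params == null ? 0 : params.getConnectionTimeout());
            return secure(socket, host);
        }

        public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
                throws IOException {
            return secure(factory.createSocket(socket, host, port, autoClose), host);
        }
    }
}
```

Wire the subclass in place of ArtifactResolutionProfileImpl with the same HttpClient constructor argument. Because the factory only ever sees the trust manager derived from the MetaIOP or PKIX trust engine, the certificate presented by the artifact resolution endpoint must be published in the IdP's metadata or ExtendedMetadata (or chain to a configured trust anchor under PKIX); a certificate that is merely trusted by the JVM will be rejected, which is the intended behaviour.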
