org.springframework.security.saml.util

Class SAMLUtil

java.lang.Object

org.springframework.security.saml.util.SAMLUtil

public class SAMLUtil
extends Object

Utility class for SAML entities

Author:

Vladimir Schaefer

Constructor Summary

Constructors

Constructor and Description
SAMLUtil()

Method Summary

Modifier and Type	Method and Description
static boolean	compare(byte[] hashID, String entityId) Helper method compares whether SHA-1 hash of the entityId equals the hashID.
static org.opensaml.saml2.metadata.ArtifactResolutionService	getArtifactResolutionService(org.opensaml.saml2.metadata.IDPSSODescriptor idpssoDescriptor, int endpointIndex)
static List<String>	getBase64EncodeCertificates(org.opensaml.xml.signature.KeyInfo keyInfo) Parses list of all Base64 encoded certificates found inside the KeyInfo element.
static List<String>	getBase64EncodedCertificates(org.opensaml.xml.signature.X509Data x509Data) Parses list of Base64 encoded certificates present in the X509Data element.
static String	getBindingForEndpoint(org.opensaml.saml2.metadata.Endpoint endpoint) Method determines binding supported by the given endpoint.
static org.opensaml.saml2.metadata.AssertionConsumerService	getConsumerService(org.opensaml.saml2.metadata.SPSSODescriptor ssoDescriptor, Integer index) Loads the assertionConsumerIndex designated by the index.
static <T extends org.opensaml.saml2.metadata.Endpoint> T	getEndpoint(List<T> endpoints, String messageBinding, org.opensaml.ws.transport.InTransport inTransport) Method helps to identify which endpoint is used to process the current message.
static <T extends org.opensaml.saml2.metadata.Endpoint> T	getEndpoint(List<T> endpoints, String messageBinding, org.opensaml.ws.transport.InTransport inTransport, org.opensaml.common.binding.decoding.URIComparator uriComparator) Method helps to identify which endpoint is used to process the current message.
static HostnameVerifier	getHostnameVerifier(String hostnameVerificationType) Populates hostname verifier of the given type.
static org.opensaml.saml2.metadata.IDPSSODescriptor	getIDPDescriptor(MetadataManager metadata, String idpId) Loads IDP descriptor for entity with the given entityID.
static org.opensaml.saml2.metadata.IDPSSODescriptor	getIDPSSODescriptor(org.opensaml.saml2.metadata.EntityDescriptor idpEntityDescriptor)
static String	getLogoutBinding(org.opensaml.saml2.metadata.IDPSSODescriptor idp, org.opensaml.saml2.metadata.SPSSODescriptor sp)
static org.opensaml.saml2.metadata.SingleLogoutService	getLogoutServiceForBinding(org.opensaml.saml2.metadata.SSODescriptor descriptor, String binding) Returns Single logout service for given binding of the IDP.
static String	getMetadataAsString(MetadataManager metadataManager, KeyManager keyManager, org.opensaml.saml2.metadata.EntityDescriptor descriptor, ExtendedMetadata extendedMetadata) Method digitally signs the EntityDescriptor element (when configured with property sign metadata) and serializes the result into a string.
static String	getNCNameString(String value) Method replaces all characters which are not allowed in xsd:NCName type with underscores.
static boolean	isDateTimeSkewValid(int skewInSec, org.joda.time.DateTime time) Verifies that the current time is within skewInSec interval from the time value.
static boolean	isDateTimeSkewValid(int skewInSec, long forwardInterval, org.joda.time.DateTime time) Verifies that the current time fits into interval defined by time minus backwardInterval minus skew and time plus forward interval plus skew.
static boolean	isECPRequest(HttpServletRequest request) Analyzes the request headers in order to determine if it comes from an ECP-enabled client and based on this decides whether ECP profile will be used.
static Element	marshallAndSignMessage(org.opensaml.xml.signature.SignableXMLObject signableMessage, org.opensaml.xml.security.credential.Credential signingCredential, String signingAlgorithm, String digestMethodAlgorithm, String keyInfoGenerator) Method digitally signs and marshals the object in case it is signable and the signing credential is provided.
static Element	marshallMessage(org.opensaml.xml.XMLObject message) Helper method that marshals the given message.
static boolean	processFilter(String filterName, HttpServletRequest request) Determines whether filter with the given name should be invoked for the current request.
static void	verifyAlias(String alias, String entityId) Verifies that the alias is valid.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SAMLUtil

public SAMLUtil()

Method Detail

getBindingForEndpoint

public static String getBindingForEndpoint(org.opensaml.saml2.metadata.Endpoint endpoint)

Method determines binding supported by the given endpoint. Usually the biding is encoded in the binding attribute of the endpoint, but in some cases more processing is needed (e.g. for HoK profile).

Parameters:

endpoint - endpoint

Returns:

binding supported by the endpoint

getLogoutServiceForBinding

public static org.opensaml.saml2.metadata.SingleLogoutService getLogoutServiceForBinding(org.opensaml.saml2.metadata.SSODescriptor descriptor,
                                                                                         String binding)
                                                                                  throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Returns Single logout service for given binding of the IDP.

Parameters:

descriptor - IDP to search for service in

binding - binding supported by the service

Returns:

SSO service capable of handling the given binding

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - if the service can't be determined

getLogoutBinding

public static String getLogoutBinding(org.opensaml.saml2.metadata.IDPSSODescriptor idp,
                                      org.opensaml.saml2.metadata.SPSSODescriptor sp)
                               throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException

getIDPSSODescriptor

public static org.opensaml.saml2.metadata.IDPSSODescriptor getIDPSSODescriptor(org.opensaml.saml2.metadata.EntityDescriptor idpEntityDescriptor)
                                                                        throws org.opensaml.ws.message.decoder.MessageDecodingException

Throws:

org.opensaml.ws.message.decoder.MessageDecodingException

getConsumerService

public static org.opensaml.saml2.metadata.AssertionConsumerService getConsumerService(org.opensaml.saml2.metadata.SPSSODescriptor ssoDescriptor,
                                                                                      Integer index)

Loads the assertionConsumerIndex designated by the index. In case an index is specified the consumer is located and returned, otherwise default consumer is used.

Parameters:

ssoDescriptor - descriptor

index - to load, can be null

Returns:

consumer service

Throws:

org.opensaml.common.SAMLRuntimeException - in case assertionConsumerService with given index isn't found

getArtifactResolutionService

public static org.opensaml.saml2.metadata.ArtifactResolutionService getArtifactResolutionService(org.opensaml.saml2.metadata.IDPSSODescriptor idpssoDescriptor,
                                                                                                 int endpointIndex)
                                                                                          throws org.opensaml.ws.message.decoder.MessageDecodingException

Throws:

org.opensaml.ws.message.decoder.MessageDecodingException

processFilter

public static boolean processFilter(String filterName,
                                    HttpServletRequest request)

Determines whether filter with the given name should be invoked for the current request. Filter is used when requestURI contains the filterName.

Parameters:

filterName - name of the filter to search URI for

request - request

Returns:

true if filter should be processed for this request

compare

public static boolean compare(byte[] hashID,
                              String entityId)
                       throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Helper method compares whether SHA-1 hash of the entityId equals the hashID.

Parameters:

hashID - hash id to compare

entityId - entity id to hash and verify

Returns:

true if values match

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case SHA-1 hash can't be initialized

verifyAlias

public static void verifyAlias(String alias,
                               String entityId)
                        throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Verifies that the alias is valid. Alias mus be non-empty string which only include ASCII characters.

Parameters:

alias - alias to verify

entityId - id of the entity

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case any validation problem is found

getBase64EncodeCertificates

public static List<String> getBase64EncodeCertificates(org.opensaml.xml.signature.KeyInfo keyInfo)

Parses list of all Base64 encoded certificates found inside the KeyInfo element. All present X509Data elements are processed.

Parameters:

keyInfo - key info to parse

Returns:

found base64 encoded certificates

getBase64EncodedCertificates

public static List<String> getBase64EncodedCertificates(org.opensaml.xml.signature.X509Data x509Data)

Parses list of Base64 encoded certificates present in the X509Data element.

Parameters:

x509Data - data to parse

Returns:

list with 0..n certificates

isECPRequest

public static boolean isECPRequest(HttpServletRequest request)

Analyzes the request headers in order to determine if it comes from an ECP-enabled client and based on this decides whether ECP profile will be used. Subclasses can override the method to control when is the ECP invoked.

Parameters:

request - request to analyze

Returns:

whether the request comes from an ECP-enabled client or not

getEndpoint

public static <T extends org.opensaml.saml2.metadata.Endpoint> T getEndpoint(List<T> endpoints,
                                                                             String messageBinding,
                                                                             org.opensaml.ws.transport.InTransport inTransport)
                                                                      throws org.opensaml.common.SAMLException

Method helps to identify which endpoint is used to process the current message. It expects a list of potential endpoints based on the current profile and selects the one which uses the specified binding and matches the URL of incoming message.

Type Parameters:

T - type of the endpoint

Parameters:

endpoints - endpoints to check

messageBinding - binding

inTransport - transport which received the current message

Returns:

first endpoint satisfying the requestURL and binding conditions

Throws:

org.opensaml.common.SAMLException - in case endpoint can't be found

getEndpoint

public static <T extends org.opensaml.saml2.metadata.Endpoint> T getEndpoint(List<T> endpoints,
                                                                             String messageBinding,
                                                                             org.opensaml.ws.transport.InTransport inTransport,
                                                                             org.opensaml.common.binding.decoding.URIComparator uriComparator)
                                                                      throws org.opensaml.common.SAMLException

Method helps to identify which endpoint is used to process the current message. It expects a list of potential endpoints based on the current profile and selects the one which uses the specified binding and matches the URL of incoming message.

Type Parameters:

T - type of the endpoint

Parameters:

endpoints - endpoints to check

messageBinding - binding

inTransport - transport which received the current message

uriComparator - URI comparator

Returns:

first endpoint satisfying the requestURL and binding conditions

Throws:

org.opensaml.common.SAMLException - in case endpoint can't be found

getIDPDescriptor

public static org.opensaml.saml2.metadata.IDPSSODescriptor getIDPDescriptor(MetadataManager metadata,
                                                                            String idpId)
                                                                     throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Loads IDP descriptor for entity with the given entityID. Fails when it can't be found.

Parameters:

metadata - metadata manager

idpId - entity ID

Returns:

descriptor

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case descriptor can't be found

marshallMessage

public static Element marshallMessage(org.opensaml.xml.XMLObject message)
                               throws org.opensaml.ws.message.encoder.MessageEncodingException

Helper method that marshals the given message.

Parameters:

message - message the marshall and serialize

Returns:

marshaled message

Throws:

org.opensaml.ws.message.encoder.MessageEncodingException - thrown if the give message can not be marshaled into its DOM representation

marshallAndSignMessage

public static Element marshallAndSignMessage(org.opensaml.xml.signature.SignableXMLObject signableMessage,
                                             org.opensaml.xml.security.credential.Credential signingCredential,
                                             String signingAlgorithm,
                                             String digestMethodAlgorithm,
                                             String keyInfoGenerator)
                                      throws org.opensaml.ws.message.encoder.MessageEncodingException

Method digitally signs and marshals the object in case it is signable and the signing credential is provided. In case the object is already signed or the signing credential is not provided message is just marshalled.

Parameters:

signableMessage - object to sign

signingCredential - credential to sign with

signingAlgorithm - signing algorithm to use (optional). Leave null to use credential's default algorithm

signingAlgorithm - digest method algorithm to use (optional). Leave null to use credential's default algorithm

keyInfoGenerator - name of generator used to create KeyInfo elements with key data

Returns:

marshalled and signed message

Throws:

org.opensaml.ws.message.encoder.MessageEncodingException - thrown if there is a problem marshalling or signing the message

isDateTimeSkewValid

public static boolean isDateTimeSkewValid(int skewInSec,
                                          org.joda.time.DateTime time)

Verifies that the current time is within skewInSec interval from the time value.

Parameters:

skewInSec - skew interval in seconds

time - time the current time must fit into with the given skew

Returns:

true if time matches, false otherwise

isDateTimeSkewValid

public static boolean isDateTimeSkewValid(int skewInSec,
                                          long forwardInterval,
                                          org.joda.time.DateTime time)

Verifies that the current time fits into interval defined by time minus backwardInterval minus skew and time plus forward interval plus skew.

Parameters:

skewInSec - skew interval in seconds

forwardInterval - forward interval in sec

time - time the current time must fit into with the given skew

Returns:

true if time matches, false otherwise

getNCNameString

public static String getNCNameString(String value)

Method replaces all characters which are not allowed in xsd:NCName type with underscores. It also makes sure that value doesn't start with a hyphen by replacing it with underscore.

Parameters:

value - value to clean

Returns:

null for null input, otherwise cleaned value

getHostnameVerifier

public static HostnameVerifier getHostnameVerifier(String hostnameVerificationType)

Populates hostname verifier of the given type. Supported values are default, defaultAndLocalhost, strict and allowAll. Unsupported values will return default verifier.

Parameters:

hostnameVerificationType - type

Returns:

verifier

getMetadataAsString

public static String getMetadataAsString(MetadataManager metadataManager,
                                         KeyManager keyManager,
                                         org.opensaml.saml2.metadata.EntityDescriptor descriptor,
                                         ExtendedMetadata extendedMetadata)
                                  throws org.opensaml.xml.io.MarshallingException

Method digitally signs the EntityDescriptor element (when configured with property sign metadata) and serializes the result into a string.

Parameters:

metadataManager - metadata manager

keyManager - key manager

descriptor - descriptor to sign and serialize

extendedMetadata - information about metadata signing, looked up when null

Returns:

serialized and signed metadata

Throws:

org.opensaml.xml.io.MarshallingException - in case serialization fails