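/**
 * Resolves the IdP's single-sign-on endpoint from its SAML metadata and records it on the
 * SP configuration.
 *
 * <p>The metadata is read from {@code spConfiguration.getIdpMetadataFile()} when that is set,
 * otherwise from the metadata provider ({@code getIdpMetadataFromProvider}). The first
 * SingleSignOnService endpoint whose binding matches the SP's configured binding type
 * ({@code "POST"} or {@code "REDIRECT"}) supplies the SP's identity URL. The descriptor is
 * then retained in {@code this.idpMetadata}. When no metadata is available, neither the
 * identity URL nor {@code idpMetadata} is touched.
 *
 * @param spConfiguration the service-provider configuration to read from and update
 */
private void processIdPMetadata(SPType spConfiguration) {
    IDPSSODescriptorType idpssoDescriptorType = isNotNull(spConfiguration.getIdpMetadataFile())
            ? getIdpMetadataFromFile(spConfiguration)
            : getIdpMetadataFromProvider(spConfiguration);
    if (idpssoDescriptorType == null) {
        return;
    }

    String wantedBinding = spConfiguration.getBindingType();
    for (EndpointType endpoint : idpssoDescriptorType.getSingleSignOnService()) {
        // An endpoint without a binding can never match; skip it instead of dereferencing null.
        if (endpoint.getBinding() == null) {
            continue;
        }
        String endpointBinding = toShortBindingName(endpoint.getBinding().toString());
        // Compare from the metadata side so an unset SP binding type yields "no match"
        // rather than a NullPointerException.
        if (endpointBinding.equals(wantedBinding)) {
            spConfiguration.setIdentityURL(endpoint.getLocation().toString());
            break;
        }
    }
    this.idpMetadata = idpssoDescriptorType;
}

/**
 * Maps a SAML binding URI to the short name used by {@code SPType.getBindingType()}:
 * {@code "POST"} for HTTP-POST and {@code "REDIRECT"} for HTTP-Redirect. Any other binding
 * is returned unchanged.
 *
 * @param bindingUri the binding URI as found in the IdP metadata
 * @return the short binding name, or {@code bindingUri} itself when it is neither
 */
private static String toShortBindingName(String bindingUri) {
    if (bindingUri.contains("HTTP-POST")) {
        return "POST";
    }
    if (bindingUri.contains("HTTP-Redirect")) {
        return "REDIRECT";
    }
    return bindingUri;
}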
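/**
 * Instantiates the {@code TrustKeyManager} named by the configuration's key provider and
 * stores it in {@code this.keyManager}. Returns immediately when signatures are not
 * supported ({@code doSupportSignature()} is false).
 *
 * <p>The manager receives the key-provider auth properties and validating alias. Two
 * additional options are passed through: {@code GeneralConstants.X509CERTIFICATE} (the alias
 * whose certificate must appear in SignedInfo, taken from the auth property of that name
 * when present) and {@code ServiceProviderBaseProcessor.IDP_KEY}, set to the host part of
 * the configured identity URL.
 *
 * @throws RuntimeException if no key provider or key-manager class name is configured, the
 *     class cannot be loaded or instantiated, or the identity URL is missing or malformed;
 *     the underlying failure is kept as the cause
 */
protected void initKeyProvider() {
    if (!doSupportSignature()) {
        return;
    }
    SPType configuration = getConfiguration();
    KeyProviderType keyProvider = configuration.getKeyProvider();
    // Past the doSupportSignature() guard, a missing provider is a hard error.
    if (keyProvider == null) {
        throw new RuntimeException(
                ErrorCodes.NULL_VALUE + "KeyProvider is null for context=" + getContextPath());
    }
    try {
        String keyManagerClassName = keyProvider.getClassName();
        if (keyManagerClassName == null) {
            throw new RuntimeException(ErrorCodes.NULL_VALUE + "KeyManager class name");
        }
        Class<?> clazz = SecurityActions.loadClass(getClass(), keyManagerClassName);
        if (clazz == null) {
            throw new ClassNotFoundException(ErrorCodes.CLASS_NOT_LOADED + keyManagerClassName);
        }
        // getDeclaredConstructor().newInstance() rather than Class.newInstance(): the latter
        // rethrows checked constructor exceptions undeclared, the former wraps them in
        // InvocationTargetException, which the catch below reports with its cause intact.
        TrustKeyManager keyManager = (TrustKeyManager) clazz.getDeclaredConstructor().newInstance();
        List<AuthPropertyType> authProperties = CoreConfigUtil.getKeyProviderProperties(keyProvider);
        keyManager.setAuthProperties(authProperties);
        keyManager.setValidatingAlias(keyProvider.getValidatingAlias());

        // Special case when X509Data is needed in SignedInfo: the property value is the alias name.
        if (authProperties != null) {
            for (AuthPropertyType authPropertyType : authProperties) {
                if (GeneralConstants.X509CERTIFICATE.equals(authPropertyType.getKey())) {
                    keyManager.addAdditionalOption(
                            GeneralConstants.X509CERTIFICATE, authPropertyType.getValue());
                    break;
                }
            }
        }

        String identityURL = configuration.getIdentityURL();
        if (identityURL == null) {
            throw new RuntimeException(ErrorCodes.NULL_VALUE + "IdentityURL");
        }
        keyManager.addAdditionalOption(
                ServiceProviderBaseProcessor.IDP_KEY, new URL(identityURL).getHost());
        this.keyManager = keyManager;
    } catch (Exception e) {
        logger.trustKeyManagerCreationError(e);
        // Keep the original exception as the cause instead of flattening it to its message.
        throw new RuntimeException(e.getLocalizedMessage(), e);
    }
    logger.trace("Key Provider=" + keyProvider.getClassName());
}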
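/**
 * Loads the IdP's SAML metadata from the web-application resource named by
 * {@code configuration.getIdpMetadataFile()} and returns its IDPSSODescriptor.
 *
 * <p>The resource is parsed with {@code SAMLParser}; the result may be an EntitiesDescriptor
 * or a single EntityDescriptor, and either is reduced to an IDPSSODescriptor through
 * {@code handleMetadata}. The resource stream is closed before returning.
 *
 * @param configuration the SP configuration naming the metadata resource
 * @return the IDPSSODescriptor, or {@code null} when the resource does not exist, the parsed
 *     object is neither descriptor type, or no IDPSSODescriptor could be extracted
 * @throws RuntimeException if the resource cannot be read or parsed (cause preserved)
 */
protected IDPSSODescriptorType getIdpMetadataFromFile(SPType configuration) {
    InputStream is = this.servletContext.getResourceAsStream(configuration.getIdpMetadataFile());
    if (is == null) {
        return null;
    }
    Object metadata;
    try {
        // NOTE(review): DocumentUtil.getDocument is project code; confirm it parses with
        // DTD/external-entity resolution disabled before trusting arbitrary metadata files.
        Document samlDocument = DocumentUtil.getDocument(is);
        SAMLParser parser = new SAMLParser();
        metadata = parser.parse(DocumentUtil.getNodeAsStream(samlDocument));
    } catch (Exception e) {
        throw new RuntimeException(e);
    } finally {
        // The resource stream was never closed before; release it on every path.
        try {
            is.close();
        } catch (IOException ignored) {
            logger.trace(ignored);
        }
    }

    IDPSSODescriptorType idpSSO = null;
    if (metadata instanceof EntitiesDescriptorType) {
        idpSSO = handleMetadata((EntitiesDescriptorType) metadata);
    } else if (metadata instanceof EntityDescriptorType) {
        idpSSO = handleMetadata((EntityDescriptorType) metadata);
    }
    // An unexpected parse result (previously a ClassCastException) is reported the same
    // way as a descriptor that carries no IDPSSODescriptor.
    if (idpSSO == null) {
        logger.samlSPUnableToGetIDPDescriptorFromMetadata();
    }
    return idpSSO;
}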
/**
 * Builds the service-provider configuration from the SP metadata file and then overlays any
 * values parsed from the regular configuration ({@code configParsedSPType}), when present.
 *
 * @return the SP configuration derived from the metadata for {@code bindingURI}
 * @throws ProcessingException as declared; a missing metadata file is reported through
 *     {@code logger.nullValueError(SP_MD_FILE)} and a parse failure through
 *     {@code logger.processingError}
 * @see SAMLConfigurationProvider#getSPConfiguration()
 */
public SPType getSPConfiguration() throws ProcessingException {
    if (!fileAvailable()) {
        throw logger.nullValueError(SP_MD_FILE);
    }
    SPType fromMetadata;
    try {
        EntitiesDescriptorType entities = parseMDFile();
        fromMetadata = CoreConfigUtil.getSPConfiguration(entities, bindingURI);
    } catch (ParsingException e) {
        throw logger.processingError(e);
    }
    if (configParsedSPType != null) {
        fromMetadata.importFrom(configParsedSPType);
    }
    return fromMetadata;
}
/**
 * Reads the SP configuration for this filter and initialises the fields that depend on it.
 *
 * <p>Configuration is located in this order: an explicit {@code configFile} path (opened as a
 * file), else {@code CONFIG_FILE_LOCATION} as a web-app resource, else
 * {@code GeneralConstants.DEPRECATED_CONFIG_FILE_LOCATION}. If the filter init parameter
 * {@code CONFIGURATION_PROVIDER} names a class, that provider is instantiated reflectively
 * and asked for the configuration; otherwise the stream is parsed directly with
 * {@code ConfigurationUtil}. Afterwards the audit helper, IdP metadata, key provider and
 * handler chain are set up from the resulting {@code PicketLinkType}.
 *
 * @param filterConfig the servlet filter configuration supplying init parameters
 * @throws RuntimeException on any failure; exceptions raised inside the main block are
 *     wrapped by the outermost catch, so provider-specific failures arrive nested
 */
protected void processConfiguration(FilterConfig filterConfig) {
    InputStream is;
    if (isNullOrEmpty(this.configFile)) {
        is = servletContext.getResourceAsStream(CONFIG_FILE_LOCATION);
    } else {
        try {
            is = new FileInputStream(this.configFile);
        } catch (FileNotFoundException e) {
            throw logger.samlIDPConfigurationError(e);
        }
    }
    PicketLinkType picketLinkType;
    // The provider class name comes from the filter's init parameter (deployment descriptor),
    // so this reflective load is driven by deployment configuration, not by request data.
    String configurationProviderName = filterConfig.getInitParameter(CONFIGURATION_PROVIDER);
    if (configurationProviderName != null) {
        try {
            Class<?> clazz = SecurityActions.loadClass(getClass(), configurationProviderName);
            if (clazz == null) {
                throw new ClassNotFoundException(ErrorCodes.CLASS_NOT_LOADED + configurationProviderName);
            }
            // NOTE(review): Class.newInstance() is deprecated since Java 9 and rethrows checked
            // constructor exceptions undeclared; getDeclaredConstructor().newInstance() is the
            // usual replacement.
            this.configProvider = (SAMLConfigurationProvider) clazz.newInstance();
        } catch (Exception e) {
            throw new RuntimeException(
                    "Could not create configuration provider [" + configurationProviderName + "].", e);
        }
    }
    try {
        // Work on the IDP Configuration
        if (configProvider != null) {
            try {
                if (is == null) {
                    // Try the older version
                    is = servletContext.getResourceAsStream(GeneralConstants.DEPRECATED_CONFIG_FILE_LOCATION);
                    // Additionally parse the deprecated config file
                    if (is != null && configProvider instanceof AbstractSAMLConfigurationProvider) {
                        ((AbstractSAMLConfigurationProvider) configProvider).setConfigFile(is);
                    }
                } else {
                    // Additionally parse the consolidated config file
                    if (is != null && configProvider instanceof AbstractSAMLConfigurationProvider) {
                        ((AbstractSAMLConfigurationProvider) configProvider).setConsolidatedConfigFile(is);
                    }
                }
                picketLinkType = configProvider.getPicketLinkConfiguration();
                picketLinkType.setIdpOrSP(configProvider.getSPConfiguration());
            } catch (ProcessingException e) {
                throw logger.samlSPConfigurationError(e);
            } catch (ParsingException e) {
                throw logger.samlSPConfigurationError(e);
            }
        } else {
            if (is != null) {
                try {
                    picketLinkType = ConfigurationUtil.getConfiguration(is);
                } catch (ParsingException e) {
                    logger.trace(e);
                    throw logger.samlSPConfigurationError(e);
                }
            } else {
                is = servletContext.getResourceAsStream(GeneralConstants.DEPRECATED_CONFIG_FILE_LOCATION);
                if (is == null) {
                    throw logger.configurationFileMissing(configFile);
                }
                picketLinkType = new PicketLinkType();
                picketLinkType.setIdpOrSP(ConfigurationUtil.getSPConfiguration(is));
            }
        }
        // Close the InputStream as we no longer need it.
        // NOTE(review): the stream is only closed on the success path; if any of the parsing
        // above throws, a FileInputStream opened from configFile is leaked.
        if (is != null) {
            try {
                is.close();
            } catch (IOException e) {
                // ignore
            }
        }
        // NOTE(review): isEnableAudit() returns a boxed Boolean; if it can be null, the
        // unboxing in the next condition throws NullPointerException.
        Boolean enableAudit = picketLinkType.isEnableAudit();
        // See if we have the system property enabled; "NULL" is the sentinel for "not set".
        if (!enableAudit) {
            String sysProp = SecurityActions.getSystemProperty(GeneralConstants.AUDIT_ENABLE, "NULL");
            if (!"NULL".equals(sysProp)) {
                enableAudit = Boolean.parseBoolean(sysProp);
            }
        }
        if (enableAudit) {
            // Create the audit helper only once; a helper set earlier is kept.
            if (auditHelper == null) {
                String securityDomainName = PicketLinkAuditHelper.getSecurityDomainName(servletContext);
                auditHelper = new PicketLinkAuditHelper(securityDomainName);
            }
        }
        SPType spConfiguration = (SPType) picketLinkType.getIdpOrSP();
        // Resolves the identity URL from IdP metadata before the key provider reads it.
        processIdPMetadata(spConfiguration);
        this.serviceURL = spConfiguration.getServiceURL();
        this.canonicalizationMethod = spConfiguration.getCanonicalizationMethod();
        this.picketLinkConfiguration = picketLinkType;
        this.issuerID = filterConfig.getInitParameter(ISSUER_ID);
        this.characterEncoding = filterConfig.getInitParameter(CHARACTER_ENCODING);
        this.samlHandlerChainClass = filterConfig.getInitParameter(SAML_HANDLER_CHAIN_CLASS);
        logger.samlSPSettingCanonicalizationMethod(canonicalizationMethod);
        XMLSignatureUtil.setCanonicalizationMethodType(canonicalizationMethod);
        try {
            this.initKeyProvider();
            this.initializeHandlerChain(picketLinkType);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        logger.trace("Identity Provider URL=" + getConfiguration().getIdentityURL());
    } catch (Exception e) {
        // Catches every exception thrown in the block above, including the RuntimeExceptions
        // thrown from the inner handlers, and wraps it once more.
        throw new RuntimeException(e);
    }
}