
Add keystore for EIPDev Queue certificate



+ 74
22
@@ -51,11 +51,11 @@ import org.springframework.security.saml.log.SAMLDefaultLogger;
import org.springframework.security.saml.metadata.*;
import org.springframework.security.saml.parser.ParserPoolHolder;
import org.springframework.security.saml.processor.*;
import org.springframework.security.saml.storage.EmptyStorageFactory;
import org.springframework.security.saml.util.VelocityFactory;
import org.springframework.security.saml.websso.*;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
@@ -79,38 +79,86 @@ public class SamlWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private SAMLUserDetailsServiceImpl samlUserDetailsServiceImpl;
/**
* In the java keystore, a public-private key pair to identify this service provider (Queue) to an
* identity provider and to sign/encrypt messages exchanged with the IDP.
*
* This is the path to the keystore.
*/
@Value("${saml.keystore.path}")
private String keystorePath;
/**
* The name of the keypair to access from the keystore.
*/
@Value("${saml.keystore.alias}")
private String keystoreAlias;
/**
* Password for accessing the keystore and the specific keypair. Note: currently, the password for
* accessing the private key and the public key have to be exactly the same.
*/
@Value("${saml.keystore.password}")
private String keystorePassword;
/**
* The entity ID of the Queue Service Provider. Normally, this is the URL to
* the metadata.xml file of a service (so queue.tudelft.nl/saml/metadata for instance).
*/
@Value("${saml.entityId}")
private String entityId;
/**
* The URL to construct the SAML POST endpoint from. This URL should contain a protocol, server, port and
* context path. When testing locally, this could be http://localhost:8081 for instance. When live, this
* could be https://queue.tudelft.nl.
*/
@Value("${saml.entityBaseURL}")
private String entityBaseURL;
/**
* The protocol that the IDP is expected to use to contact this SP upon confirmation of the requested
* identity.
*/
@Value("${saml.contextProvider.scheme}")
private String contextProviderScheme;
/**
* The server name the IDP is expected to use to contact this SP.
*/
@Value("${saml.contextProvider.serverName}")
private String contextProviderServerName;
/**
* The port the IDP is expected to use to contact this SP.
*/
@Value("${saml.contextProvider.port}")
private int contextProviderPort;
/**
* The URL at which the metadata.xml file can be found for the configured identity provider.
*/
@Value("${saml.metadataUrl}")
private String metadataProductionUrl;
/**
* If set to true, Spring will check if the signature used in the metadata is valid. (Preferably this
* always happens, just to be sure that the metadata is valid)
*/
@Value("${saml.metadataTrustCheck}")
private boolean metadataProductionTrustCheck;
/**
* If set to true, Spring will reject the metadata file if it is not digitally signed by the IDP.
*/
@Value("${saml.metadataRequirementSignature}")
private boolean metadataProductionRequirementSignature;
private boolean metadataProductionRequireSignature;
/**
* If set to true, Spring will track the HTTP session and check the SentInResponseTo header.
*/
@Value("${saml.checkSentInResponseToHeader}")
private boolean checkSentInResponseToHeader = true;
protected HttpSecurity samlizedConfig(HttpSecurity http) throws Exception {
//@formatter:off
@@ -225,6 +273,10 @@ public class SamlWebSecurityConfig extends WebSecurityConfigurerAdapter {
samlContextProvider.setIncludeServerPortInRequestURL(false);
samlContextProvider.setContextPath("/");
if (!checkSentInResponseToHeader) {
samlContextProvider.setStorageFactory(new EmptyStorageFactory());
}
return samlContextProvider;
}
@@ -250,7 +302,6 @@ public class SamlWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public WebSSOProfile webSSOprofile() {
return new WebSSOProfileImpl();
// WebSSOProfileImpl defines maxAuthenticationAge as 7200 seconds. Increase if necessary
}
@@ -271,7 +322,10 @@ public class SamlWebSecurityConfig extends WebSecurityConfigurerAdapter {
return new SingleLogoutProfileImpl();
}
// Central storage of cryptographic keys
/**
* @return The key manager for SAML. This keymanager refers to the java keystore that can be accessed with
* a configured pass.
*/
@Bean
public KeyManager keyManager() {
return new JKSKeyManager(
@@ -330,7 +384,7 @@ public class SamlWebSecurityConfig extends WebSecurityConfigurerAdapter {
ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider,
extendedMetadata());
extendedMetadataDelegate.setMetadataTrustCheck(metadataProductionTrustCheck);
extendedMetadataDelegate.setMetadataRequireSignature(metadataProductionRequirementSignature);
extendedMetadataDelegate.setMetadataRequireSignature(metadataProductionRequireSignature);
return extendedMetadataDelegate;
}
@@ -353,7 +407,6 @@ public class SamlWebSecurityConfig extends WebSecurityConfigurerAdapter {
metadataGenerator.setEntityId(entityId);
metadataGenerator.setEntityBaseURL(entityBaseURL);
metadataGenerator.setExtendedMetadata(extendedMetadata());
metadataGenerator.setIncludeDiscoveryExtension(false);
metadataGenerator.setKeyManager(keyManager());
return metadataGenerator;
@@ -510,22 +563,21 @@ public class SamlWebSecurityConfig extends WebSecurityConfigurerAdapter {
*/
@Bean
public FilterChainProxy samlFilter() throws Exception {
ImmutableList<SecurityFilterChain> chain = ImmutableList.of(
new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint()),
new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"),
samlLogoutFilter()),
new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"),
metadataDisplayFilter()),
new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
samlWebSSOProcessingFilter()),
new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSOHoK/**"),
samlWebSSOHoKProcessingFilter()),
new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"),
samlLogoutProcessingFilter()),
new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"),
samlIDPDiscovery()));
return new FilterChainProxy(chain);
return new FilterChainProxy(ImmutableList.of(
new DefaultSecurityFilterChain(
new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint()),
new DefaultSecurityFilterChain(
new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter()),
new DefaultSecurityFilterChain(
new AntPathRequestMatcher("/saml/metadata/**"), metadataDisplayFilter()),
new DefaultSecurityFilterChain(
new AntPathRequestMatcher("/saml/SSO/**"), samlWebSSOProcessingFilter()),
new DefaultSecurityFilterChain(
new AntPathRequestMatcher("/saml/SSOHoK/**"), samlWebSSOHoKProcessingFilter()),
new DefaultSecurityFilterChain(
new AntPathRequestMatcher("/saml/SingleLogout/**"), samlLogoutProcessingFilter()),
new DefaultSecurityFilterChain(
new AntPathRequestMatcher("/saml/discovery/**"), samlIDPDiscovery())));
}
/**