org.apache.rahas.impl.util
Class SAMLUtils

java.lang.Object
  extended by org.apache.rahas.impl.util.SAMLUtils

public class SAMLUtils
extends java.lang.Object

Utility class for SAML 1.1 assertions. Responsible for building and manipulating the SAML 1 specific objects (Assertion, Subject, ConfirmationMethod, KeyInfo, etc.) that the Rahas token issuers work with.


Constructor Summary
SAMLUtils()
           
 
Method Summary
static org.opensaml.saml1.core.Assertion buildAssertion(org.w3c.dom.Element assertionElement)
          Builds an assertion from an XML element.
static org.opensaml.xml.XMLObject buildXMLObject(javax.xml.namespace.QName objectQName)
          Builds the requested XMLObject.
static org.joda.time.DateTime convertToDateTime(java.util.Date date)
          Converts java.util.Date to the Joda-Time DateTime object used by OpenSAML.
static org.opensaml.saml1.core.Assertion createAssertion(java.lang.String issuerName, org.joda.time.DateTime notBefore, org.joda.time.DateTime notOnOrAfter, java.util.List<org.opensaml.saml1.core.Statement> statements)
          This method creates the final SAML assertion.
static org.opensaml.saml1.core.Attribute createAttribute(java.lang.String name, java.lang.String namespace, java.lang.String value)
          Creates a SAML Attribute carrying a single AttributeValue (for example, the value gold).
static org.opensaml.saml1.core.AttributeStatement createAttributeStatement(org.opensaml.saml1.core.Subject subject, java.util.List<org.opensaml.saml1.core.Attribute> attributeList)
          Creates an attribute statement.
static org.opensaml.saml1.core.AuthenticationStatement createAuthenticationStatement(org.opensaml.saml1.core.Subject subject, java.lang.String authenticationMethod, org.joda.time.DateTime authenticationInstant)
          Creates an AuthenticationStatement.
static org.opensaml.saml1.core.Conditions createConditions(org.joda.time.DateTime notBefore, org.joda.time.DateTime notOnOrAfter)
          Creates Conditions object.
static org.opensaml.xml.signature.KeyInfo createKeyInfo()
          Creates a KeyInfo object
static org.opensaml.xml.signature.KeyInfo createKeyInfo(org.opensaml.xml.encryption.EncryptedKey encryptedKey)
          Creates a KeyInfo element given EncryptedKey.
static org.opensaml.xml.signature.KeyInfo createKeyInfo(org.opensaml.xml.signature.X509Data x509Data)
          Creates a KeyInfo element given X509Data.
static org.opensaml.saml1.core.NameIdentifier createNamedIdentifier(java.lang.String principalName, java.lang.String format)
          Create named identifier.
static org.opensaml.saml1.core.Subject createSubject(org.opensaml.saml1.core.NameIdentifier nameIdentifier, java.lang.String confirmationMethod, org.opensaml.xml.signature.KeyInfo keyInfoContent)
          Creates an opensaml Subject representation.
static org.opensaml.saml1.core.SubjectConfirmation createSubjectConfirmation(java.lang.String confirmationMethod, org.opensaml.xml.signature.KeyInfo keyInfoContent)
          Creates opensaml SubjectConfirmation representation.
static org.opensaml.saml1.core.ConfirmationMethod createSubjectConfirmationMethod(java.lang.String confirmationMethod)
          Creates the subject confirmation method.
static java.util.Collection<java.security.cert.X509Certificate> getCertChainCollection(java.security.cert.X509Certificate[] issuerCerts)
           
static org.opensaml.xml.signature.KeyInfo getCertificateBasedKeyInfo(java.security.cert.X509Certificate certificate)
          Creates the certificate based KeyInfo object.
static java.lang.String getSAML11SubjectConfirmationMethod(org.opensaml.saml1.core.Assertion assertion)
          Get subject confirmation method of the given SAML 1.1 Assertion.
static org.opensaml.xml.signature.KeyInfo getSymmetricKeyBasedKeyInfo(org.w3c.dom.Document doc, RahasData data, java.security.cert.X509Certificate serviceCert, int keySize, org.apache.ws.security.components.crypto.Crypto crypto, int keyComputation)
          This method creates KeyInfo element of an assertion.
static void signAssertion(org.opensaml.saml1.core.Assertion assertion, org.apache.ws.security.components.crypto.Crypto crypto, java.lang.String issuerKeyAlias, java.lang.String issuerKeyPassword)
          Signs the SAML assertion.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SAMLUtils

public SAMLUtils()
Method Detail

getCertChainCollection

public static java.util.Collection<java.security.cert.X509Certificate> getCertChainCollection(java.security.cert.X509Certificate[] issuerCerts)

buildXMLObject

public static org.opensaml.xml.XMLObject buildXMLObject(javax.xml.namespace.QName objectQName)
                                                 throws TrustException
Builds the requested XMLObject.

Parameters:
objectQName - name of the XMLObject
Returns:
the built XMLObject
Throws:
TrustException - If unable to find the appropriate builder.

buildAssertion

public static org.opensaml.saml1.core.Assertion buildAssertion(org.w3c.dom.Element assertionElement)
Builds an assertion from an XML element.

Parameters:
assertionElement - The XML element.
Returns:
An Assertion object.

signAssertion

public static void signAssertion(org.opensaml.saml1.core.Assertion assertion,
                                 org.apache.ws.security.components.crypto.Crypto crypto,
                                 java.lang.String issuerKeyAlias,
                                 java.lang.String issuerKeyPassword)
                          throws TrustException
Signs the SAML assertion. The steps are as follows:
  1. Get the certificate for the issuer alias
  2. Extract the private key
  3. Create a Credential object
  4. Create a Signature object
  5. Set the Signature object in the Assertion
  6. Prepare the signing environment - SecurityHelper.prepareSignatureParams
  7. Perform the signing action - Signer.signObject
The assertion must be marshalled to DOM before step 7, because Signer.signObject computes the signature over the DOM of the element that owns the Signature.

Parameters:
assertion - The assertion to be signed.
crypto - Crypto instance holding the issuer's certificate and private key
issuerKeyAlias - Key alias
issuerKeyPassword - Key password
Throws:
TrustException - If an error occurred while signing the assertion.
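The seven signing steps above, written out against the OpenSAML 2.x and WSS4J 1.6 APIs. This is an added example, not the Rahas implementation: it assumes DefaultBootstrap.bootstrap() has already run, that the Crypto is a WSS4J 1.6 instance (CryptoType alias lookup), and it pins RSA-SHA256 with exclusive C14N, a choice of this example rather than anything the page states.

```java
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoType;
import org.opensaml.Configuration;
import org.opensaml.saml1.core.Assertion;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.Signer;

/** Illustrative walk-through of the signing steps; not Rahas code. */
public final class AssertionSigningExample {

    private AssertionSigningExample() {
    }

    public static void sign(Assertion assertion, Crypto crypto,
                            String issuerKeyAlias, String issuerKeyPassword) throws Exception {
        // 1. Certificate for the issuer alias (WSS4J 1.6 CryptoType lookup; assumed API level).
        CryptoType lookup = new CryptoType(CryptoType.TYPE.ALIAS);
        lookup.setAlias(issuerKeyAlias);
        X509Certificate[] chain = crypto.getX509Certificates(lookup);
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("no certificate for alias " + issuerKeyAlias);
        }

        // 2. Private key for the same alias.
        PrivateKey privateKey = crypto.getPrivateKey(issuerKeyAlias, issuerKeyPassword);

        // 3. Credential that pairs the certificate with the private key.
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(chain[0]);
        credential.setPrivateKey(privateKey);

        // 4. Signature object. Algorithms are pinned here instead of inherited from the
        //    global security configuration (OpenSAML 2 defaults to SHA-1 otherwise).
        Signature signature = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

        // 5. Attach the Signature to the Assertion.
        assertion.setSignature(signature);

        // 6. Fill in KeyInfo and any remaining parameters from the credential
        //    (null config and null KeyInfo generator profile mean "use the global defaults").
        SecurityHelper.prepareSignatureParams(signature, credential, null, null);

        // The DOM has to exist before signing: marshal the assertion first.
        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(assertion);
        marshaller.marshall(assertion);

        // 7. Compute the enveloped signature over the marshalled assertion.
        Signer.signObject(signature);
    }
}
```

After sign() returns, assertion.getDOM() holds the signed element; serialise that DOM rather than re-marshalling, since a second marshal would rebuild the tree and invalidate the signature.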

getSAML11SubjectConfirmationMethod

public static java.lang.String getSAML11SubjectConfirmationMethod(org.opensaml.saml1.core.Assertion assertion)
Gets the subject confirmation method (the ConfirmationMethod URI) of the given SAML 1.1 Assertion. This is used in rampart-core.

Parameters:
assertion - SAML 1.1 Assertion
Returns:
subject confirmation method
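Consuming side of the two methods above: an added example, not Rahas or rampart-core code, showing the checks a relying party performs on an assertion element received over the wire before trusting it. It uses the SAMLUtils methods on this page plus OpenSAML 2.x validators; the issuer certificate, presenter certificate and 60-second clock-skew tolerance are this example's assumptions.

```java
import java.security.cert.X509Certificate;
import java.util.List;

import org.apache.rahas.impl.util.SAMLUtils;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.opensaml.saml1.core.Assertion;
import org.opensaml.saml1.core.Conditions;
import org.opensaml.saml1.core.Statement;
import org.opensaml.saml1.core.SubjectStatement;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.w3c.dom.Element;

/** Relying-party acceptance checks for a SAML 1.1 assertion; example code, not Rahas. */
public final class AssertionAcceptanceExample {

    static final String HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";
    static final int CLOCK_SKEW_SECONDS = 60; // assumed tolerance

    private AssertionAcceptanceExample() {
    }

    /**
     * @param assertionElement the saml:Assertion DOM element from the message
     * @param issuerCert       certificate of the STS we trust (configured out of band, not taken from the token)
     * @param presenterCert    certificate the presenter proved possession of at the transport/WS-Security layer
     */
    public static Assertion accept(Element assertionElement, X509Certificate issuerCert,
                                   X509Certificate presenterCert) throws Exception {
        Assertion assertion = SAMLUtils.buildAssertion(assertionElement);

        // 1. A signature must be present and follow the SAML profile
        //    (single reference to the assertion itself, enveloped + c14n transforms only).
        Signature signature = assertion.getSignature();
        if (signature == null) {
            throw new SecurityException("assertion is not signed");
        }
        new SAMLSignatureProfileValidator().validate(signature);

        // 2. Verify against the trusted issuer key, never against the KeyInfo the token carries.
        BasicX509Credential trusted = new BasicX509Credential();
        trusted.setEntityCertificate(issuerCert);
        new SignatureValidator(trusted).validate(signature);

        // 3. Validity window, with a small skew allowance in both directions.
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            throw new SecurityException("assertion has no Conditions");
        }
        DateTime now = new DateTime(DateTimeZone.UTC);
        DateTime notBefore = conditions.getNotBefore();
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (notBefore != null && now.plusSeconds(CLOCK_SKEW_SECONDS).isBefore(notBefore)) {
            throw new SecurityException("assertion not yet valid");
        }
        if (notOnOrAfter != null && !now.minusSeconds(CLOCK_SKEW_SECONDS).isBefore(notOnOrAfter)) {
            throw new SecurityException("assertion expired");
        }

        // 4. Confirmation method. Holder-of-key binds the token to a key: the presenter must
        //    hold the certificate named in the subject's KeyInfo. Bearer and sender-vouches
        //    carry no such binding, so the transport has to supply it.
        String method = SAMLUtils.getSAML11SubjectConfirmationMethod(assertion);
        if (HOLDER_OF_KEY.equals(method)) {
            X509Certificate confirmationCert = findConfirmationCertificate(assertion);
            if (confirmationCert == null || !confirmationCert.equals(presenterCert)) {
                throw new SecurityException("holder-of-key confirmation failed");
            }
        }
        return assertion;
    }

    /** First X509Certificate found in any SubjectStatement's SubjectConfirmation/KeyInfo, or null. */
    static X509Certificate findConfirmationCertificate(Assertion assertion) throws Exception {
        for (Statement statement : assertion.getStatements()) {
            if (!(statement instanceof SubjectStatement)) {
                continue;
            }
            SubjectStatement subjectStatement = (SubjectStatement) statement;
            if (subjectStatement.getSubject() == null
                    || subjectStatement.getSubject().getSubjectConfirmation() == null) {
                continue;
            }
            KeyInfo keyInfo = subjectStatement.getSubject().getSubjectConfirmation().getKeyInfo();
            if (keyInfo == null) {
                continue;
            }
            List<X509Certificate> certs = KeyInfoHelper.getCertificates(keyInfo);
            if (!certs.isEmpty()) {
                return certs.get(0);
            }
        }
        return null;
    }
}
```

The order matters: the profile validator runs before SignatureValidator so that a signature whose Reference points somewhere other than the assertion is rejected before it is ever verified, and the conditions and confirmation method are only read after the signature covering them has been checked.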

createNamedIdentifier

public static org.opensaml.saml1.core.NameIdentifier createNamedIdentifier(java.lang.String principalName,
                                                                           java.lang.String format)
                                                                    throws TrustException
Create named identifier.

Parameters:
principalName - Name of the subject.
format - Format of the subject identifier (email address, X.509 subject name, etc.), given as a SAML 1.1 NameIdentifier Format URI.
Returns:
The NamedIdentifier object.
Throws:
TrustException - If unable to find the builder.

createSubjectConfirmationMethod

public static org.opensaml.saml1.core.ConfirmationMethod createSubjectConfirmationMethod(java.lang.String confirmationMethod)
                                                                                  throws TrustException
Creates the subject confirmation method. The relevant XML element looks as follows: <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>

Parameters:
confirmationMethod - URI of the confirmation method. One of:
  holder-of-key - "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
  sender-vouches - "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
  bearer - "urn:oasis:names:tc:SAML:1.0:cm:bearer"
Returns:
Returns the opensaml representation of the ConfirmationMethod.
Throws:
TrustException - If unable to find appropriate XMLObject builder for confirmation QName.

createSubjectConfirmation

public static org.opensaml.saml1.core.SubjectConfirmation createSubjectConfirmation(java.lang.String confirmationMethod,
                                                                                    org.opensaml.xml.signature.KeyInfo keyInfoContent)
                                                                             throws TrustException
Creates the OpenSAML SubjectConfirmation representation. The relevant XML is a saml:SubjectConfirmation element containing a saml:ConfirmationMethod (for example urn:oasis:names:tc:SAML:1.0:cm:sender-vouches) and, optionally, a ds:KeyInfo.

Parameters:
confirmationMethod - The subject confirmation method URI: Bearer, Sender-Vouches or Holder-Of-Key.
keyInfoContent - The KeyInfo content. According to the SAML 1.1 spec this may be null; it is only required for Holder-Of-Key, where it identifies the key the subject must prove possession of.
Returns:
OpenSAML representation of SubjectConfirmation.
Throws:
TrustException - If unable to find any of the XML builders.

createSubject

public static org.opensaml.saml1.core.Subject createSubject(org.opensaml.saml1.core.NameIdentifier nameIdentifier,
                                                            java.lang.String confirmationMethod,
                                                            org.opensaml.xml.signature.KeyInfo keyInfoContent)
                                                     throws TrustException
Creates an OpenSAML Subject representation. The relevant XML is a saml:Subject element containing a saml:NameIdentifier (for example uid=joe,ou=people,ou=saml-demo,o=baltimore.com) followed by a saml:SubjectConfirmation whose ConfirmationMethod is, for example, urn:oasis:names:tc:SAML:1.0:cm:holder-of-key and which may carry a ds:KeyInfo.

Parameters:
nameIdentifier - Represents the NameIdentifier element of the Subject.
confirmationMethod - The confirmation method URI: bearer, holder-of-key or sender-vouches.
keyInfoContent - The KeyInfo content. This may be null.
Returns:
OpenSAML representation of the Subject.
Throws:
TrustException - If a required XML builder cannot be found.

createAuthenticationStatement

public static org.opensaml.saml1.core.AuthenticationStatement createAuthenticationStatement(org.opensaml.saml1.core.Subject subject,
                                                                                            java.lang.String authenticationMethod,
                                                                                            org.joda.time.DateTime authenticationInstant)
                                                                                     throws TrustException
Creates an AuthenticationStatement. The relevant XML is a saml:AuthenticationStatement element (with AuthenticationMethod and AuthenticationInstant attributes) containing a saml:Subject whose NameIdentifier is, for example, scott@example.org and whose ConfirmationMethod is urn:oasis:names:tc:SAML:1.0:cm:bearer.

Parameters:
subject - OpenSAML Subject implementation.
authenticationMethod - How the subject was authenticated, i.e. by password, Kerberos, certificate, etc. The method is identified by a URI defined in the SAML 1.1 specification.
authenticationInstant - Time at which the authentication took place.
Returns:
opensaml AuthenticationStatement object.
Throws:
TrustException - If unable to find the builder.

createAttributeStatement

public static org.opensaml.saml1.core.AttributeStatement createAttributeStatement(org.opensaml.saml1.core.Subject subject,
                                                                                  java.util.List<org.opensaml.saml1.core.Attribute> attributeList)
                                                                           throws TrustException
Creates an attribute statement. A sample saml:AttributeStatement contains a saml:Subject (NameIdentifier uid=joe,ou=people,ou=saml-demo,o=baltimore.com, ConfirmationMethod urn:oasis:names:tc:SAML:1.0:cm:holder-of-key, ...) followed by saml:Attribute elements whose AttributeValues are, for example, gold and joe@yahoo.com.

Parameters:
subject - The OpenSAML representation of the Subject.
attributeList - List of attribute values to include within the message.
Returns:
OpenSAML representation of AttributeStatement.
Throws:
TrustException - If unable to find the appropriate builder.

createConditions

public static org.opensaml.saml1.core.Conditions createConditions(org.joda.time.DateTime notBefore,
                                                                  org.joda.time.DateTime notOnOrAfter)
                                                           throws TrustException
Creates Conditions object. The analogous XML element is as follows: <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z" NotOnOrAfter="2002-06-19T17:08:33.173Z"/>

Parameters:
notBefore - Earliest instant at which the Assertion is valid (Conditions/@NotBefore).
notOnOrAfter - Instant from which the Assertion is no longer valid (Conditions/@NotOnOrAfter); relying parties must reject it at or after this time.
Returns:
OpenSAML Conditions object.
Throws:
TrustException - If unable to find appropriate builder.

createAssertion

public static org.opensaml.saml1.core.Assertion createAssertion(java.lang.String issuerName,
                                                                org.joda.time.DateTime notBefore,
                                                                org.joda.time.DateTime notOnOrAfter,
                                                                java.util.List<org.opensaml.saml1.core.Statement> statements)
                                                         throws TrustException
This method creates the final SAML assertion. The resulting XML is a saml:Assertion element containing a saml:Conditions element (for example NotBefore="2002-06-19T16:53:33.173Z" NotOnOrAfter="2002-06-19T17:08:33.173Z") followed by the supplied statements, for example an AttributeStatement whose Subject has NameIdentifier uid=joe,ou=people,ou=saml-demo,o=baltimore.com with ConfirmationMethod urn:oasis:names:tc:SAML:1.0:cm:holder-of-key and whose AttributeValues are gold and joe@yahoo.com.

Parameters:
issuerName - Represents the "Issuer" in Assertion.
notBefore - The Condition's NotBefore value
notOnOrAfter - The Condition's NotOnOrAfter value
statements - The statements (authentication, attribute, ...) to include in the assertion.
Returns:
An opensaml Assertion object.
Throws:
TrustException - If unable to find the appropriate builder.
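The builders on this page chained into one holder-of-key issuance, as an added example (not the Rahas SAML1TokenIssuer): it assumes the caller has the client's certificate from the request, a WSS4J Crypto with the issuer key, and that the attribute namespace, lifetime and password authentication method are this example's own choices.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.apache.rahas.impl.util.SAMLUtils;
import org.apache.ws.security.components.crypto.Crypto;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml1.core.Assertion;
import org.opensaml.saml1.core.Attribute;
import org.opensaml.saml1.core.NameIdentifier;
import org.opensaml.saml1.core.Statement;
import org.opensaml.saml1.core.Subject;
import org.opensaml.xml.signature.KeyInfo;

/** End-to-end issuance of a signed holder-of-key SAML 1.1 assertion; example code, not Rahas. */
public final class HolderOfKeyIssuanceExample {

    static final String HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";
    static final String AUTHN_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password";
    static final String NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    static final String ATTR_NAMESPACE = "http://example.com/attributes"; // assumed namespace
    static final int ALLOWED_SKEW_SECONDS = 30;                             // assumed tolerance

    private HolderOfKeyIssuanceExample() {
    }

    public static Assertion issue(String issuerName, String userEmail, X509Certificate clientCert,
                                  Crypto crypto, String issuerKeyAlias, String issuerKeyPassword,
                                  int lifetimeSeconds) throws Exception {
        // OpenSAML must be bootstrapped once per JVM; Rampart does this at startup, a
        // stand-alone caller has to do it itself.
        DefaultBootstrap.bootstrap();

        DateTime now = new DateTime(DateTimeZone.UTC);
        List<Statement> statements = new ArrayList<Statement>();

        // Each SubjectStatement gets its own Subject instance: an XMLObject has one parent.
        statements.add(SAMLUtils.createAuthenticationStatement(
                subjectFor(userEmail, clientCert), AUTHN_PASSWORD, now));

        List<Attribute> attributes = new ArrayList<Attribute>();
        attributes.add(SAMLUtils.createAttribute("role", ATTR_NAMESPACE, "gold"));
        statements.add(SAMLUtils.createAttributeStatement(
                subjectFor(userEmail, clientCert), attributes));

        // Short validity window with a small backdated NotBefore for clock skew.
        Assertion assertion = SAMLUtils.createAssertion(issuerName,
                now.minusSeconds(ALLOWED_SKEW_SECONDS), now.plusSeconds(lifetimeSeconds), statements);

        // Sign last: anything set after signing would not be covered by the signature.
        SAMLUtils.signAssertion(assertion, crypto, issuerKeyAlias, issuerKeyPassword);
        return assertion;
    }

    /** Holder-of-key subject: the KeyInfo names the client certificate the presenter must prove possession of. */
    static Subject subjectFor(String userEmail, X509Certificate clientCert) throws Exception {
        NameIdentifier nameId = SAMLUtils.createNamedIdentifier(userEmail, NAMEID_EMAIL);
        KeyInfo keyInfo = SAMLUtils.getCertificateBasedKeyInfo(clientCert);
        return SAMLUtils.createSubject(nameId, HOLDER_OF_KEY, keyInfo);
    }
}
```

For a bearer token the same pipeline applies with the bearer confirmation URI and a null KeyInfo; for a symmetric proof key, getSymmetricKeyBasedKeyInfo replaces getCertificateBasedKeyInfo so that the EncryptedKey, not a certificate, goes into the SubjectConfirmation.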

createAttribute

public static org.opensaml.saml1.core.Attribute createAttribute(java.lang.String name,
                                                                java.lang.String namespace,
                                                                java.lang.String value)
                                                         throws TrustException
Creates a SAML Attribute element (AttributeName and AttributeNamespace attributes) carrying a single saml:AttributeValue, for example gold.

Parameters:
name - attribute name
namespace - attribute namespace.
value - attribute value.
Returns:
OpenSAML representation of the attribute.
Throws:
TrustException - If unable to find the appropriate builder.

createKeyInfo

public static org.opensaml.xml.signature.KeyInfo createKeyInfo()
                                                        throws TrustException
Creates a KeyInfo object

Returns:
OpenSAML KeyInfo representation.
Throws:
TrustException - If an error occurred while creating KeyInfo.

createKeyInfo

public static org.opensaml.xml.signature.KeyInfo createKeyInfo(org.opensaml.xml.encryption.EncryptedKey encryptedKey)
                                                        throws TrustException
Creates a KeyInfo element given EncryptedKey. The relevant XML is a ds:KeyInfo element whose only child is the given xenc:EncryptedKey.

Parameters:
encryptedKey - The OpenSAML representation of the encrypted key.
Returns:
The appropriate opensaml representation of the KeyInfo.
Throws:
TrustException - If unable to find the builder.

createKeyInfo

public static org.opensaml.xml.signature.KeyInfo createKeyInfo(org.opensaml.xml.signature.X509Data x509Data)
                                                        throws TrustException
Creates a KeyInfo element given X509Data. The relevant XML is a ds:KeyInfo element whose only child is the given ds:X509Data.

Parameters:
x509Data - The OpenSAML representation of the X509Data.
Returns:
The appropriate opensaml representation of the KeyInfo.
Throws:
TrustException - If unable to find the builder.

getCertificateBasedKeyInfo

public static org.opensaml.xml.signature.KeyInfo getCertificateBasedKeyInfo(java.security.cert.X509Certificate certificate)
                                                                     throws TrustException
Creates the certificate based KeyInfo object.

Parameters:
certificate - The public key certificate used to create the KeyInfo object.
Returns:
OpenSAML representation of KeyInfo object.
Throws:
TrustException - If an error occurred while creating the KeyInfo

getSymmetricKeyBasedKeyInfo

public static org.opensaml.xml.signature.KeyInfo getSymmetricKeyBasedKeyInfo(org.w3c.dom.Document doc,
                                                                             RahasData data,
                                                                             java.security.cert.X509Certificate serviceCert,
                                                                             int keySize,
                                                                             org.apache.ws.security.components.crypto.Crypto crypto,
                                                                             int keyComputation)
                                                                      throws org.apache.ws.security.WSSecurityException,
                                                                             TrustException
This method creates the KeyInfo element of an assertion for the symmetric-key (proof key) case. It is a facade that calls other helper methods to generate the ephemeral symmetric key, wrap it in an EncryptedKey for the service and place that inside the KeyInfo. The TokenIssuer calls this method to create the KeyInfo.

Parameters:
doc - An Axiom based DOM Document.
data - RahasData into which the generated ephemeral key is stored, because the same key is needed later to encrypt the message.
serviceCert - Certificate of the relying service; its public key encrypts the ephemeral symmetric key carried in the EncryptedKey.
keySize - Size of the symmetric key to be generated.
crypto - Crypto instance holding the keys and certificates used while building the EncryptedKey.
keyComputation - Key computation mechanism (how the proof key is derived, e.g. from issuer and requestor entropy).
Returns:
OpenSAML KeyInfo representation.
Throws:
org.apache.ws.security.WSSecurityException - We use WSS4J to generate encrypted key. This exception will trigger if an error occurs while generating the encrypted key.
TrustException - If an error occurred while creating KeyInfo object.

convertToDateTime

public static org.joda.time.DateTime convertToDateTime(java.util.Date date)
Converts java.util.Date to the Joda-Time DateTime object used by OpenSAML.

Parameters:
date - Java util date
Returns:
Joda-Time DateTime object as used by OpenSAML.