
1   package edu.internet2.middleware.shibboleth.common.binding.security;
2   
3   import java.util.Set;
4   
5   import org.opensaml.common.binding.security.SAMLMDClientCertAuthRule;
6   import org.opensaml.ws.security.provider.CertificateNameOptions;
7   import org.opensaml.xml.security.trust.TrustEngine;
8   import org.opensaml.xml.security.x509.X500DNHandler;
9   import org.opensaml.xml.security.x509.X509Credential;
10  import org.opensaml.xml.security.x509.X509Util;
11  
12  /**
13   * Specialization of {@link SAMLMDClientCertAuthRule} which may include Shibboleth-specific
14   * method overrides for client certificate authentication processing.
15   */
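/**
 * Specialization of {@link SAMLMDClientCertAuthRule} which may include Shibboleth-specific
 * method overrides for client certificate authentication processing.
 *
 * <p>The {@link CertificateNameOptions} held by this rule control which parts of the presented
 * client certificate are extracted as <em>candidate</em> issuer names. Deriving a name from a
 * certificate is not by itself an authentication decision: the supplied {@link TrustEngine} is
 * what establishes whether the presented {@link X509Credential} is trusted (per the superclass
 * contract, which is not reproduced here).</p>
 */
public class ShibbolethClientCertAuthRule extends SAMLMDClientCertAuthRule {

    /**
     * Constructor.
     *
     * @param engine Trust engine used to verify the request X509Credential
     * @param nameOptions options for deriving issuer names from an X.509 certificate
     */
    public ShibbolethClientCertAuthRule(TrustEngine<X509Credential> engine, CertificateNameOptions nameOptions) {
        super(engine, nameOptions);
    }

    /**
     * Constructor. The certificate name issuer derivation options are defaulted
     * to be consistent with the Shibboleth 1.3 identity provider (see the private
     * factory {@code shibboleth13NameOptions()} below for the exact settings).
     *
     * @param engine Trust engine used to verify the request X509Credential
     */
    public ShibbolethClientCertAuthRule(TrustEngine<X509Credential> engine) {
        // Build the finished options object first and hand it to the superclass, instead of
        // calling getCertificateNameOptions() on the partially constructed instance and mutating
        // whatever it returns (an instance method invoked from a constructor).
        super(engine, shibboleth13NameOptions());
    }

    /**
     * Builds the certificate name derivation options that reproduce the Shibboleth 1.3 IdP
     * behavior.
     *
     * <p>Candidate issuer names are taken from:</p>
     * <ul>
     *   <li>the full subject DN, rendered in RFC 2253 string form;</li>
     *   <li>the subject common name (CN) attribute;</li>
     *   <li>DNS and URI subjectAltName entries.</li>
     * </ul>
     *
     * <p>A CN or DNS subjectAltName is only a name to look up; any certificate can carry an
     * arbitrary CN, so trust must come from the configured trust engine rather than from a
     * name match alone.</p>
     *
     * @return a freshly created, fully populated options object
     */
    private static CertificateNameOptions shibboleth13NameOptions() {
        CertificateNameOptions options = new CertificateNameOptions();
        options.setX500SubjectDNFormat(X500DNHandler.FORMAT_RFC2253);
        options.setEvaluateSubjectDN(true);
        options.setEvaluateSubjectCommonName(true);
        // Assumes getSubjectAltNames() returns the live, mutable set owned by the options object;
        // the previous implementation relied on the same property.
        Set<Integer> altNameTypes = options.getSubjectAltNames();
        altNameTypes.add(X509Util.DNS_ALT_NAME);
        altNameTypes.add(X509Util.URI_ALT_NAME);
        return options;
    }

}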