1 /*
2 * Licensed to the University Corporation for Advanced Internet Development,
3 * Inc. (UCAID) under one or more contributor license agreements. See the
4 * NOTICE file distributed with this work for additional information regarding
5 * copyright ownership. The UCAID licenses this file to You under the Apache
6 * License, Version 2.0 (the "License"); you may not use this file except in
7 * compliance with the License. You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
18 package edu.internet2.middleware.shibboleth.common.relyingparty.provider;
19
20 import java.util.Collection;
21
22 import org.opensaml.ws.security.SecurityPolicy;
23 import org.opensaml.xml.security.credential.Credential;
24 import org.opensaml.xml.util.LazySet;
25
26 import edu.internet2.middleware.shibboleth.common.relyingparty.ProfileConfiguration;
27
28 /**
29 * Profile settings common to SAML 1 and SAML 2.
30 */
31 public abstract class AbstractSAMLProfileConfiguration implements ProfileConfiguration {
32
33 /** Audiences for the assertion. */
34 private Collection<String> assertionAudiences;
35
36 /** Life of the assertion in milliseconds. */
37 private long assertionLifetime;
38
39 /** 2-byte artifact type used on outbound messages. */
40 private byte[] outboundArtifactType;
41
42 /** Security policy for this profile. */
43 private SecurityPolicy profileSecurityPolicy;
44
45 /** Whether to sign assertions. */
46 private CryptoOperationRequirementLevel signAssertions;
47
48 /** Assertion signing credential. */
49 private Credential signingCredential;
50
51 /** Whether to sign protocol requests. */
52 private CryptoOperationRequirementLevel signRequests;
53
54 /** Whether to sign protocol responses. */
55 private CryptoOperationRequirementLevel signResponses;
56
57 /** Constructor. */
58 protected AbstractSAMLProfileConfiguration() {
59 assertionAudiences = new LazySet<String>();
60 }
61
62 /**
63 * Gets the list of audiences an assertion is intended for.
64 *
65 * @return list of audiences an assertion is intended for
66 */
67 public Collection<String> getAssertionAudiences() {
68 return assertionAudiences;
69 }
70
71 /**
72 * Gets the lifetime, in millisecond, for an issued assertion.
73 *
74 * This value should be used to compute the NotOnOrAfter condition.
75 *
76 * @return lifetime, in millisecond, for an issued assertion
77 */
78 public long getAssertionLifetime() {
79 return assertionLifetime;
80 }
81
82 /**
83 * Gets the 2-byte artifact type used on outbound messages.
84 *
85 * @return 2-byte artifact type used on outbound messages
86 */
87 public byte[] getOutboundArtifactType() {
88 return outboundArtifactType;
89 }
90
91 /** {@inheritDoc} */
92 public SecurityPolicy getSecurityPolicy() {
93 return profileSecurityPolicy;
94 }
95
96 /**
97 * Gets whether assertions should be signed.
98 *
99 * @return whether assertions should be signed
100 */
101 public CryptoOperationRequirementLevel getSignAssertions() {
102 return signAssertions;
103 }
104
105 /**
106 * Gets the credential that should be used to sign a message.
107 *
108 * @return credential that should be used to sign a message
109 */
110 public Credential getSigningCredential() {
111 return signingCredential;
112 }
113
114 /**
115 * Gets whether to sign protocol requests.
116 *
117 * @return whether to sign protocol requests
118 */
119 public CryptoOperationRequirementLevel getSignRequests() {
120 return signRequests;
121 }
122
123 /**
124 * Gets whether to sign protocol responses.
125 *
126 * @return whether to sign protocol responses
127 */
128 public CryptoOperationRequirementLevel getSignResponses() {
129 return signResponses;
130 }
131
132 /**
133 * Sets the list of audiences an assertion is intended for.
134 *
135 * @param audiences list of audiences an assertion is intended for
136 */
137 public void setAssertionAudiences(Collection<String> audiences) {
138 assertionAudiences = audiences;
139 }
140
141 /**
142 * Sets the lifetime, in millisecond, for an issued assertion.
143 *
144 * @param lifetime lifetime, in millisecond, for an issued assertion
145 */
146 public void setAssertionLifetime(long lifetime) {
147 assertionLifetime = lifetime;
148 }
149
150 /**
151 * Sets the 2-byte artifact type used on outbound messages.
152 *
153 * @param type 2-byte artifact type used on outbound messages.
154 */
155 public void setOutboundArtifactType(byte[] type) {
156 outboundArtifactType = type;
157 }
158
159 /**
160 * Sets the security policy for this profile.
161 *
162 * @param policy security policy for this profile
163 */
164 public void setSecurityPolicy(SecurityPolicy policy) {
165 profileSecurityPolicy = policy;
166 }
167
168 /**
169 * Sets whether assertions should be signed.
170 *
171 * @param sign whether assertions should be signed
172 */
173 public void setSignAssertions(CryptoOperationRequirementLevel sign) {
174 signAssertions = sign;
175 }
176
177 /**
178 * Gets the credential that should be used for sign a message. Credential <strong>MUST</strong> include a private
179 * key.
180 *
181 * @param credential credential that should be used for sign a message
182 */
183 public void setSigningCredential(Credential credential) {
184 if (credential != null && credential.getPrivateKey() == null) {
185 throw new IllegalArgumentException("Credential does not contain a private key");
186 }
187 signingCredential = credential;
188 }
189
190 /**
191 * Sets whether to sign protocol requests.
192 *
193 * @param sign whether to sign protocol requests
194 */
195 public void setSignRequests(CryptoOperationRequirementLevel sign) {
196 signRequests = sign;
197 }
198
199 /**
200 * Sets whether to sign protocol responses.
201 *
202 * @param sign whether to sign protocol responses
203 */
204 public void setSignResponses(CryptoOperationRequirementLevel sign) {
205 signResponses = sign;
206 }
207 }