1   package com.github.choonchernlim.security.adfs.saml2;
2   
3   import static com.github.choonchernlim.betterPreconditions.preconditions.PreconditionFactory.expect;
4   import org.opensaml.Configuration;
5   import org.opensaml.xml.security.BasicSecurityConfiguration;
6   import org.opensaml.xml.signature.SignatureConstants;
7   import org.springframework.beans.BeansException;
8   import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
9   import org.springframework.security.saml.SAMLBootstrap;
10  
11  /**
12   * By default, Spring Security SAML uses SHA1withRSA for signature algorithm and SHA-1 for digest algorithm.
13   * <p/>
 * This class lets the application configure stronger signature and digest algorithms, such as SHA-256, for the
 * messages it signs (SHA-1 is deprecated for XML signatures).
15   * <p/>
16   * See: http://stackoverflow.com/questions/23681362/how-to-change-the-signature-algorithm-of-saml-request-in-spring-security
17   * See: http://stackoverflow.com/questions/25982093/setting-the-extendedmetadata-signingalgorithm-field/26004147
18   */
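public final class DefaultSAMLBootstrap extends SAMLBootstrap {

    /** Key algorithm name the signature algorithm URI is registered under (e.g. {@code "RSA"}). */
    private final String signatureAlgorithmName;
    /** XML Signature algorithm URI applied when signing outgoing SAML messages. */
    private final String signatureAlgorithmURI;
    /** XML Signature digest method URI applied to signature references when signing. */
    private final String digestAlgorithmURI;

    /**
     * Uses SHA256withRSA as the signature algorithm and SHA-256 as the reference digest algorithm,
     * registered for the key algorithm name {@code "RSA"}.
     */
    public DefaultSAMLBootstrap() {
        this("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256, SignatureConstants.ALGO_ID_DIGEST_SHA256);
    }

    /**
     * Allows the application to choose its own algorithm URIs.
     * <p/>
     * All three arguments must be non-blank; a blank value fails the precondition check. Nothing else is
     * validated: the URIs are not checked against an allow-list, so passing a SHA-1 URI silently
     * re-enables the weaker default. Prefer the constants in {@link SignatureConstants}.
     *
     * @param signatureAlgorithmName Key algorithm name the signature algorithm is registered for
     *                               (first argument to {@code registerSignatureAlgorithmURI}, e.g. {@code "RSA"})
     * @param signatureAlgorithmURI  Signature algorithm URI, e.g. {@link SignatureConstants#ALGO_ID_SIGNATURE_RSA_SHA256}
     * @param digestAlgorithmURI     Digest algorithm URI, e.g. {@link SignatureConstants#ALGO_ID_DIGEST_SHA256}
     */
    public DefaultSAMLBootstrap(final String signatureAlgorithmName,
                                final String signatureAlgorithmURI,
                                final String digestAlgorithmURI) {
        //@formatter:off
        this.signatureAlgorithmName = expect(signatureAlgorithmName, "Signature algorithm name").not().toBeBlank().check();
        this.signatureAlgorithmURI = expect(signatureAlgorithmURI, "Signature algorithm URI").not().toBeBlank().check();
        this.digestAlgorithmURI = expect(digestAlgorithmURI, "Digest algorithm URI").not().toBeBlank().check();
        //@formatter:on
    }

    /**
     * Bootstraps OpenSAML via the parent class, then overrides the global security configuration so that
     * signing uses the configured signature and digest algorithms.
     * <p/>
     * The {@code super} call must come first: it is what initialises the global security configuration
     * that this method mutates.
     * <p/>
     * NOTE(review): this only changes the algorithms used to <em>produce</em> signatures. It presumably
     * does not, on its own, cause inbound assertions signed with SHA-1 to be rejected; if weak inbound
     * algorithms must be refused, confirm that the signature validation path enforces it separately.
     *
     * @param beanFactory the bean factory being post-processed; passed through to the parent
     * @throws BeansException        propagated from the parent bootstrap
     * @throws IllegalStateException if the global security configuration is missing or is not a
     *                               {@link BasicSecurityConfiguration}, and so cannot be reconfigured
     */
    @Override
    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
        super.postProcessBeanFactory(beanFactory);

        // Guard the downcast: a bare ClassCastException (or NPE on a null configuration) would not tell the
        // operator that the stronger algorithms were silently NOT applied.
        Object globalConfig = Configuration.getGlobalSecurityConfiguration();
        if (!(globalConfig instanceof BasicSecurityConfiguration)) {
            throw new IllegalStateException("Cannot override SAML signature algorithms: global security configuration is "
                                            + (globalConfig == null ? "null" : globalConfig.getClass().getName())
                                            + ", expected " + BasicSecurityConfiguration.class.getName());
        }

        BasicSecurityConfiguration config = (BasicSecurityConfiguration) globalConfig;
        config.registerSignatureAlgorithmURI(signatureAlgorithmName, signatureAlgorithmURI);
        config.setSignatureReferenceDigestMethod(digestAlgorithmURI);
    }
}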