I'm generating metadata.xml using org.springframework.security.saml.metadata.MetadataGenerator
MetadataGenerator metadataGenerator = new MetadataGenerator();
ExtendedMetadata extendedMetadata = new ExtendedMetadata();
metadataGenerator.setExtendedMetadata(extendedMetadata);
The identity provider (idp) needs to have attributes specific to that idp.
I don't see any way to add custom attributes to the metadata generator.
Is there a way to accomplish this?
You will need to extend the MetadataGenerator. The good candidate methods to override are buildSPSSODescriptor and buildExtensions.
Related
I'm adding SSO support to a spring-based application using the spring-security-saml extension. The idea will be that an IDP can register to use SSO with my application by filling out a form in the UI, specifying their entityId, SSO authentication URL (for SP-initialized login), and public X.509 certificate. This seems to be a common workflow for SaaS applications with SSO support.
I haven't yet been able to find a clean way of implementing this with the spring saml extension, and am wondering if there is one. FilesystemMetadataProvider and HTTPMetadataProvider provide support for loading IDP metadata from an XML file or an HTTP GET, respectively, but I need to instead generate the IDP metadata from the above attributes that are stored in the database.
My current thinking is to use ResourceBackedMetadataProvider and use an implementation of Resource that fetches the metadata attributes from the database for each registered IDP. It would look something like:
class DatabaseBackedResource implements Resource {
MetadataDao metadataDao; // autowired
public InputStream getInputStream() throws ResourceException {
Collection<MetadataPojo> idpMetadata = metadataDao.getMetadata();
return convertMetadataPojosToInputStream(idpMetadata);
}
private InputStream convertMetadataPojosToInputStream(Collection<MetadataPojo> metadata) {
// somehow convert attributes to XMLObject
// then write XMLObject to input stream
// ...
}
// implementations of other methods
// ...
}
where MetadataPojo is simply a wrapper object of the above 3 attributes provided by an IDP. What I'm not sure about is how to generate a valid IDP metadata java object, given some attributes, using the spring saml extension. I see that AbstractMetadataProvider#unmarshallMetadata(InputStream) converts the metadata input stream into an XMLObject, but it is not clear to me how I will convert my collection of MetadataPojos into an XMLObject.
In short, is there a tool in the spring saml extension library to build an IDP metadata xml object given a list of string attributes? Or, taking a step back, is there a better way to implement a MetadataProvider that fetches the metadata information from a database instead of a file or url?
Update:
I implemented the above MetadataProvider implementation and Resource subclass and it's been working like a charm. To generate the IDP metadata documents I used various subclasses of AbstractSAMLObjectBuilder (i.e. EntityDescriptorBuilder, IDPSSODescriptorBuilder, KeyDescriptorBuilder, etc.) and that worked pretty cleanly. It would be nice if the Spring SAML library had an IDPMetadataGenerator class like the MetadataGenerator that exists for SP metadata.
If there was a cleaner way about this, I'd love to hear it.
So I have a need for injecting a number of different services into an authorization attribute I'm using. For simplicity I will leave this to show the configuration manager.
public class FeatureAuthorizeAttribute : AuthorizeAttribute
{
public IConfigurationManager ConfigurationManager;
private readonly string _feature;
public FeatureAuthorizeAttribute(string feature)
{
_feature = feature;
var test = ConfigurationManager.GetCdnPath();
}
}
Which would be used as follows
[FeatureAuthorize("Admin")]
I have tried to use constructor injection
public FeatureAuthorizeAttribute(string feature, IConfigurationManager configurationManager)
{
ConfigurationManager = configurationManager;
_feature = feature
}
However this just causes an error when I attempt
[FeatureAuthorize("Admin", IConfigurationManager)]
Which seems like the wrong way to go about it in the first place. I'm assuming that I need to register my custom authorization attribute with the container to get it to start picking up
Instead of trying to use Dependency Injection with attributes (which you can't do in any sane, useful way), create Passive Attributes.
Specifically, in this case, assuming that this is an ASP.NET MVC scenario, you can't derive from AuthorizeAttribute. Instead, you should make your Authorization service look for your custom attribute, and implement IAuthorizationFilter. Then add the filter to your application's configuration.
More details can be found in this answer: https://stackoverflow.com/a/7194467/126014.
i Have a property CountryText that contain the text to show for the property country, So i need to do somehing like this:
[Display(Name=CountryText)]
public string Country { get; set; }
public string CountryText { get; set; }
How can I do it please??
UPDATE:
It's not possible to do it.
You would need a custom attribute to decorate your properties, and a custom model metada provider (usually inherited from DataAnnotationsModelMetadataProvider, which is the default in MVC apps). The custom provider would be neccessary to set the metadata defined in your custom attribute.
The problem is that you cannot access the model from the model metada provider. You can acces information on the types (model type, container type, attributes...) but not a concrete instance of the model, so you cannot get a property value and use it in the provider.
Alternative
You can however use a Html.Label to show the field title.
If you want to make it more "automatic" you can alwasy write a custom html helper which creates the label for you. This helper have full access to the model type and the model content, so you can still use a custom attribute, look for it on the html helper code, and use the content of the other property.
If it was possible with metadata provider
Your custom metadata provider should add all the neccesary metadata for the view model property. This metadata provider could be convention based or use custom attributes to add the additional info.
These blog entries explain perfecty how to implemente custom attribute and metadata provider.
Diving into ASP.NET MVC 3 Model Metadata Providers
Model Metadata and Validation Localization using Conventions
I've got two grails applications using spring security:
Core
Module (user and role tables mapping to Core db tables)
I want to have a single sign on functionality using "remember me". The problem is that the cookies are stored in different paths "/Core" and "/Module" which I'm guessing is the reason why it isn't working.
Does anyone know how to change the cookie path to be "/"?
Notes:
Do I need to make a change in Spring Security or the Tomcat server configuration (using intellij)
I want to avoid setting up a CAS server if possible
I'm looking into plugins as an alternative
Thanks any help would be greatly appreciated
When the remember-me filter creates the remember-me cookie, it sets the cookie path to the context path obtained from the request object (see related source code here). If you want to customize this behavior, you'll need to override the setCookie() and cancelCookie() methods of the remember-me service implementation your application uses (either TokenBasedRememberMeServices or PersistentTokenBasedRememberMeServices) in a subclass, and configure the RememberMeAuthenticationFilter to use your custom implementation.
Here's how I impltemented it.
create a new service with extends TokenBasedRememberMeServices
override setCookie and cancelCookie method to set cookie path.
Add cookiePath variable and add method to setCookepath()
Update resources.groovy
rememberMeServices(YourTokenBasedRememberMeServices) {
userDetailsService = ref("userDetailsService")
key = conf.rememberMe.key
cookieName = conf.rememberMe.cookieName
alwaysRemember = conf.rememberMe.alwaysRemember
tokenValiditySeconds = conf.rememberMe.tokenValiditySeconds
cookiePath = some config variable
}
I would like to add simple authentication to Data Services, for now only to restrict access for particular applications by simple token.
I don't need Domain Authentication or Forms authentication.
I read a lot about authentication here:
http://franssenden.wordpress.com/2010/06/14/custom-security-odata-service-wcf-data-services/
http://mtaulty.com/CommunityServer/blogs/mike_taultys_blog/archive/2008/06/03/10482.aspx
http://mtaulty.com/CommunityServer/blogs/mike_taultys_blog/archive/2008/01/15/10119.aspx
http://mtaulty.com/CommunityServer/blogs/mike_taultys_blog/archive/2008/01/10/10100.aspx
Unfortunately it all demands a loooot of work.
Most of all creating custom IHttpModule.
There should be more simple solution.
I know that when I create object context on the client (WPF) I can add Credentials.
Uri uri = new Uri("http://localhost/myapp/odata.svc");
MyEntities ent= new MyEntities (uri);
ent.Credentials = new NetworkCredential("token", "zx5as9vxc5sa9h0vb6523cv56");
But where can I read them (without implementation of custom IHttpModule)?
I thought that I can use something in class that is implementation of Data Service for example:
protected override void OnStartProcessingRequest(ProcessRequestArgs args)
{
string cred = args.OperationContext.AbsoluteRequestUri.UserInfo;
}
I'm not familiar with UserInfo but description for it stands "Gets the user name, password, ...)
So I have two main questions:
Where can I read Credentials included by typing ent.Credentials = new NetworkCredential("token", "zx5as9vxc5sa9h0vb6523cv56");
Where can I (if I can) set UserInfo on the client app and use it in OnStartProcessingRequest method.
Regards,
Daniel SkowroĊski
There's a series of post about authentication and WCF Data Services (which is the .NET implementation of the OData protocol): http://blogs.msdn.com/b/astoriateam/archive/tags/authentication/
You should be able to find lot more information there (including code samples).