...
Now you have a bean name you can inject into other components that support an httpClientRef property that will behave differently than the defaults.
Security Configuration
TLS Server Trust
A common use for advanced configuration is to control the server certificate evaluation process. While the IdP typically relies on SAML metadata for this when communicating with servers, this doesn't work for a lot of non-SAML use cases. However, much of the same machinery can be repurposed to support a variety of trust models, and we have integrated this into the HttpClient library.
By default, the HttpClient will rely on Java's built-in TLS behavior and code built into the HttpClient library, and perform basic hostname/certificate checks and will rely on the Java global trust store to determine whether to trust the certificate (or its issuer). This is where most non-Shibboleth software stops, and where we start. In testing scenarios, you can turn off this checking via the connectionDisregardTLSCertificate property, but this should never be used in production.
For more advanced control over this process, you need to perform additional steps, and add more complex Spring wiring involving the org.opensaml.security.httpclient.HttpClientSecurityParameters class, which provides a mechanism for applying advanced security options to components that use an HttpClient.
You also need to be very careful because leaving out a step can introduce security holes. In particular, if you want an HttpClient bean to use the special TLSSocketFactory we provide that supports these features, you MUST provide an HttpClientSecurityParameters instance to the component using the HttpClient bean to configure the security behavior you want.
Repeating: you can tell the HttpClient bean that you want to support "advanced mode", but you configure that mode not on the HttpClient bean but rather on the component using the client bean. This is because the injection of the rules you want to apply have to be added at runtime when the client gets used and not into the client's own data structures. It's a consequence of the library's design. The risk is that if you tell the client you want "advanced mode" but then don't configure the component that's using it properly, the default Java behavior is also skipped, and you get no security at all.
The examples below, which are necessarily specific to particular components' use of the HttpClient, demonstrate how this works, but in practice what it means is that you should always start by configuring a component using the HttpClient with the HttpClientSecurityParameters wiring needed to implement your needs, let it fail and log something like the following:
| Code Block |
|---|
TBD |
Then make the final change to the HttpClient bean to fix the error by overriding the tLSSocketFactory property (note the weird mixed case, that's due to the usual "first character is lower case" property convention in Java beans). The IdP includes a pair of socket factories declared for this purpose, shibboleth.SecurityEnhancedTLSSocketFactory and shibboleth.SecurityEnhancedTLSSocketFactoryWithClientTLS
So the final step to adding advanced TLS support is, for example:
| Code Block |
|---|
<bean id="SecurityEnhancedHttpClient parent="shibboleth.NonCachingHttpClient"
p:tLSSocketFactory-ref="shibboleth.SecurityEnhancedTLSSocketFactory" /> |
You won't generally need to configure your own instance of the socket factories, because all the interesting settings are part of the other component's configuration, via HttpClientSecurityParameters.
TLS Server Authentication
TBD
TLS Client Authentication
...