...

The next level of complexity is limiting the scope of the credentials, which is desirable for safety's sake. The example relies on the server's hostname and port to scope the password. There are more advanced ways to build the AuthScope object passed into the API, such as including the realm from the server's challenge.

Basic Authentication with host/port AuthScope
<!-- HttpClient security settings: server trust is pinned to an explicit certificate file. -->
<bean id="CustomHttpSecurity" class="org.opensaml.security.httpclient.HttpClientSecurityParameters">
	<property name="tLSTrustEngine">
		<!-- Static explicit trust: the server is trusted only via the certificate(s) in server.pem,
		     so that file presumably has to be updated when the server's certificate rotates. -->
		<bean parent="shibboleth.StaticExplicitTrustEngine">
			<property name="certificates" value="%{idp.home}/credentials/server.pem" />
		</bean>
	</property>
</bean>

<!-- Registers the Basic credentials on CustomHttpSecurity, scoped to a single host and port. -->
<bean id="ScopedBasicAuth" class="org.springframework.beans.factory.config.MethodInvokingBean">
	<property name="targetObject" ref="CustomHttpSecurity" />
	<property name="targetMethod" value="setBasicCredentialsWithScope" />
	<property name="arguments">
		<list>
			<!-- The password is supplied through a property placeholder rather than written into this file. -->
			<bean class="org.apache.http.auth.UsernamePasswordCredentials">
				<constructor-arg index="0" value="webauth" />
				<constructor-arg index="1" value="%{idp.collector.password}" />
			</bean>
			<!-- The AuthScope limits where the credentials may be sent: only log.example.org on port 443. -->
			<bean class="org.apache.http.auth.AuthScope">
				<constructor-arg index="0" value="log.example.org" />
				<constructor-arg index="1" value="443" />
			</bean>
		</list>
	</property>
</bean>

<!-- The feature actually being configured; the custom HttpClient and the security parameters
     defined above are injected into it. CustomHttpClient is defined elsewhere on the page. -->
<bean id="PushReporter" parent="shibboleth.metrics.HTTPReporter">
	<constructor-arg name="name" value="MyCollector" />
	<property name="httpClient" ref="CustomHttpClient" />
	<property name="httpClientSecurityParameters" ref="CustomHttpSecurity" />
	<!-- The collector endpoint is HTTPS, so the trust engine in CustomHttpSecurity presumably
	     governs which server certificate is accepted for this connection. -->
	<property name="collectorURL" value="https://log.example.org/cgi-bin/collector.cgi" />
</bean>

...