...
- loading service configuration resources from an HTTP server (HTTPResource)
- advanced/custom configuration of remote metadata sources (FileBackedHTTPMetadataProvider, DynamicHTTPMetadataProvider)
- reporting of metrics via an HTTP collector (MetricsConfiguration)
- a forthcoming HTTPDataConnector the HTTP DataConnector for web service access in the attribute resolver
...
Code Block | ||
---|---|---|
| ||
<bean id="SecurityEnhancedHttpClient" parent="shibboleth.NonCachingHttpClient"
p:tLSSocketFactory-ref="shibboleth.SecurityEnhancedTLSSocketFactory" /> |
...
TLS Client Authentication
Note |
---|
The code as it stands does not generally support TLS Renegotiation, which is most commonly encountered when using a virtual host that applies client TLS to only a subset of paths and not the host as a whole. |
Configuring a component using the HttpClient with a private key and certificate for authenticating itself to a server is a simple two step process:
...
Currently it is less than straightforward to configure more typical HTTP credentials such as a basic-auth name username and password, due to a lack of abstraction methods in our code to hide some of the gory details of the HttpClient's data model. In particular, some of the methods that need to be called take multiple parameters, which violates the bean convention for a setter. It's possible to invoke more complex methods in Spring, but it takes some extra wiring. We intend to supply some additional code for this in a future release.
Note that some of the older custom schemas such as the metadata configuration schema may support shorthand for supplying nameusername/password credentials, and while these do work, they're deprecated in favor of the more generic httpClientSecurityParameters-ref
syntax.
At the moment, it's fairly simple to supply a name username and password that gets used unilaterally with a given component's requests. That is, it's not "scoped" to limit its use to a particular server. This implies that you have a working configuration in place to authenticate the server's certificate so that the password isn't sent inadvertently to a malicious location. An example follows (again, building on the server authentication case):
...
Name | Type | Description |
---|---|---|
shibboleth.NonCachingHttpClient | HttpClientFactoryBean | Factory bean for creating non-caching HTTP clientHTTPClient |
shibboleth.FileCachingHttpClient | FileCachingHttpClientFactoryBean | Factory bean for creating file-based-caching HTTP clientHTTPClient |
shibboleth.MemoryCachingHttpClient | InMemoryCachingHttpClientFactoryBean | Factory bean for creating in-memory-caching HTTP clientHTTPClient |
shibboleth.StaticExplicitTrustEngine 3.3 | StaticExplicitKeyFactoryBean | Factory bean for creating ExplicitKeyTrustEngine |
shibboleth.StaticPKIXTrustEngine 3.3 | StaticPKIXFactoryBean | Factory bean for creating PKIXX509CredentialTrustEngine |
shibboleth.SecurityEnhancedTLSSocketFactory 3.2 | SecurityEnhancedTLSSocketFactory | Socket factory that supports HttpClientSecurityParameters-aware components |
shibboleth.SecurityEnhancedTLSSocketFactoryWithClientTLS 3.3 | SecurityEnhancedTLSSocketFactory | Client-TLS-capable socket factory that supports HttpClientSecurityParameters-aware components |
shibboleth.SecurityEnhancedTLSSocketFactoryWithClientTLSOnly 3.4 | SecurityEnhancedTLSSocketFactory | Client-TLS-capable socket factory that supports HttpClientSecurityParameters-aware components but does not accept a pluggable TrustEngine |
...
Name | Type | Default | Description |
---|---|---|---|
idp.httpclient.useSecurityEnhancedTLSSocketFactory 3.2 | Boolean | false | If true, causes the default clients to be injected with a special socket factory that supports advanced TLS features (requires substantial additional configuration) |
idp.httpclient.connectionDisregardTLSCertificate | Boolean | false | If the previous property is false, this allows the default TLS behavior of the client to ignore the TLS server certificate entirely (use with obvious caution, typically only while testing) |
idp.httpclient.connectionRequestTimeout | Duration | PT1M (one min) | TIme to wait for a connection to be returned from the pool (can be 0 for no imposed value) |
idp.httpclient.connectionTimeout | Duration | PT1M (one min) | TIme to wait for a connection to be established (can be 0 for no imposed value) |
idp.httpclient.socketTimeout | Duration | PT1M (one min) | Time to allow between packets on a connection (can be 0 for no imposed value) |
idp.httpclient.maxConnectionsTotal | Integer | 100 | Caps the number of simultaneous connections created by the pooling connection manager |
idp.httpclient.maxConnectionsPerRoute | Integer | 100 | Caps the number of simultaneous connections per route created by the pooling connection manager |
idp.httpclient.memorycaching.maxCacheEntries | Integer | 50 | Size of the in-memory result cache |
idp.httpclient.memorycaching.maxCacheEntrySize | Long | 1048576 (1MB) | Largest size to allow for an in-memory cache entry |
idp.httpclient.filecaching.maxCacheEntries | Integer | 100 | Size of the nonon-disk result cache |
idp.httpclient.filecaching.maxCacheEntrySize | Long | 10485760 (10MB) | Largest sze to allow for an on-disk cache entry |
idp.httpclient.filecaching.cacheDirectory | Local directory | Location of on-disk cache |