...
- loading service configuration resources from an HTTP server (HTTPResource)
- advanced/custom configuration of remote metadata sources (FileBackedHTTPMetadataProvider, DynamicHTTPMetadataProvider)
- reporting of metrics via an HTTP collector (MetricsConfiguration)
- the forthcoming HTTPDataConnector (HTTP DataConnector) for web service access in the attribute resolver
...
```xml
<bean id="SecurityEnhancedHttpClient" parent="shibboleth.NonCachingHttpClient"
    p:tLSSocketFactory-ref="shibboleth.SecurityEnhancedTLSSocketFactory" />
```
...
TLS Client Authentication
Note: The code as it stands does not generally support TLS Renegotiation, which is most commonly encountered when using a virtual host that applies client TLS to only a subset of paths and not the host as a whole.
Configuring a component using the HttpClient with a private key and certificate for authenticating itself to a server is a simple two step process:
...
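A client-TLS setup assembled from the beans listed in the table below, as an added illustration that is not from this page or the IdP distribution: the bean ids MyHttpClient, MyClientTLSCredential and MyHttpClientSecurityParameters, the credential file paths, and the factory bean property names are assumptions, and handing the parameters bean to the consuming component (which differs per component) is not shown.

```xml
<!-- Added example, not from the original page: bean ids, file paths and the
     credential factory property names are assumptions. -->

<!-- An HttpClient whose socket factory is the client-TLS-capable variant
     rather than the default factory. -->
<bean id="MyHttpClient" parent="shibboleth.NonCachingHttpClient"
    p:tLSSocketFactory-ref="shibboleth.SecurityEnhancedTLSSocketFactoryWithClientTLS" />

<!-- The private key and certificate the client presents to the server. -->
<bean id="MyClientTLSCredential"
    class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
    p:privateKeyResource="%{idp.home}/credentials/client-tls.key"
    p:certificateResource="%{idp.home}/credentials/client-tls.crt" />

<!-- Security parameters carrying that credential; an
     HttpClientSecurityParameters-aware component passes these to the
     socket factory, which then performs client authentication. -->
<bean id="MyHttpClientSecurityParameters"
    class="org.opensaml.security.httpclient.HttpClientSecurityParameters"
    p:clientTLSCredential-ref="MyClientTLSCredential" />
```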
Name | Type | Description |
---|---|---|
shibboleth.NonCachingHttpClient | HttpClientFactoryBean | Factory bean for creating a non-caching HttpClient |
shibboleth.FileCachingHttpClient | FileCachingHttpClientFactoryBean | Factory bean for creating a file-based-caching HttpClient |
shibboleth.MemoryCachingHttpClient | InMemoryCachingHttpClientFactoryBean | Factory bean for creating an in-memory-caching HttpClient |
shibboleth.StaticExplicitTrustEngine 3.3 | StaticExplicitKeyFactoryBean | Factory bean for creating ExplicitKeyTrustEngine |
shibboleth.StaticPKIXTrustEngine 3.3 | StaticPKIXFactoryBean | Factory bean for creating PKIXX509CredentialTrustEngine |
shibboleth.SecurityEnhancedTLSSocketFactory 3.2 | SecurityEnhancedTLSSocketFactory | Socket factory that supports HttpClientSecurityParameters-aware components |
shibboleth.SecurityEnhancedTLSSocketFactoryWithClientTLS 3.3 | SecurityEnhancedTLSSocketFactory | Client-TLS-capable socket factory that supports HttpClientSecurityParameters-aware components |
shibboleth.SecurityEnhancedTLSSocketFactoryWithClientTLSOnly 3.4 | SecurityEnhancedTLSSocketFactory | Client-TLS-capable socket factory that supports HttpClientSecurityParameters-aware components but does not accept a pluggable TrustEngine |
...
Name | Type | Default | Description |
---|---|---|---|
idp.httpclient.useSecurityEnhancedTLSSocketFactory 3.2 | Boolean | false | If true, causes the default clients to be injected with a special socket factory that supports advanced TLS features (requires substantial additional configuration) |
idp.httpclient.connectionDisregardTLSCertificate | Boolean | false | If the previous property is false, this allows the default TLS behavior of the client to ignore the TLS server certificate entirely (use with obvious caution, typically only while testing) |
idp.httpclient.connectionRequestTimeout | Duration | PT1M (one min) | Time to wait for a connection to be returned from the pool (can be 0 for no imposed value) |
idp.httpclient.connectionTimeout | Duration | PT1M (one min) | Time to wait for a connection to be established (can be 0 for no imposed value) |
idp.httpclient.socketTimeout | Duration | PT1M (one min) | Time to allow between packets on a connection (can be 0 for no imposed value) |
idp.httpclient.maxConnectionsTotal | Integer | 100 | Caps the number of simultaneous connections created by the pooling connection manager |
idp.httpclient.maxConnectionsPerRoute | Integer | 100 | Caps the number of simultaneous connections per route created by the pooling connection manager |
idp.httpclient.memorycaching.maxCacheEntries | Integer | 50 | Size of the in-memory result cache |
idp.httpclient.memorycaching.maxCacheEntrySize | Long | 1048576 (1MB) | Largest size to allow for an in-memory cache entry |
idp.httpclient.filecaching.maxCacheEntries | Integer | 100 | Size of the on-disk result cache |
idp.httpclient.filecaching.maxCacheEntrySize | Long | 10485760 (10MB) | Largest size to allow for an on-disk cache entry |
idp.httpclient.filecaching.cacheDirectory | Local directory | | Location of the on-disk cache |