Versions Compared

Old Version 9

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version Current

changes.mady.by.user Christopher Bongaarts

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: add http proxy example

...

Expand
titleHTTP Authentication
Note

This material has changed with V5 due to changes in the underlying HttpClient library and the original examples from V4 do not work for this release.

There is now official support for Basic Authentication using our APIs. Other HTTP authentication mechanisms may work but likely require interacting with lower-level HttpClient library objects.

The supported API for this involves injecting a map keyed by HttpHost objects whose value is the username and password to use. This API supports pre-emptive authentication; that is, the code will offer the credentials automatically when contacting the specified host and will not wait for a challenge from the server to do so. It should therefore be used only with TLS-protected hosts with appropriate verification, as described earlier.

We have defined a pair of parent beans to abstract some of the classes needed to define the map:

  • shibboleth.HttpHost – a parent bean that wraps the Apache client’s HttpHost class

  • shibbleth.BasicAuthCredentials – a parent bean that wraps the Apache client’s UsernamePasswordCredentials class

The map must be injected into the HttpClientSecurityParameters bean via the preemptiveBasicAuthMap property.

Example of Basic Authentication along with TLS Verification
Code Block
languagexml
<bean id="CustomHttpSecurity" class="org.opensaml.security.httpclient.HttpClientSecurityParameters"
        p:preemptiveBasicAuthMap-ref="restAuthMap">
	<property name="tLSTrustEngine">
		<bean parent="shibboleth.StaticExplicitTrustEngine"
			p:certificates="%{idp.home}/credentials/server.pem" />
	</property>
</bean>

<util:map id="restAuthMap">
    <entry>
        <key>
            <bean parent="shibboleth.HttpHost"
                p:scheme="https" p:hostname="rest.service.example.org" p:port="443" />
        </key>
        <bean parent="shibboleth.BasicAuthCredentials"
            p:username="%{rest.username}" p:password="%{rest.password}" />
    </entry>
</util:map>

Since the map discriminates the credentials by host, it’s safe to define all your various credentials in one map and use it wherever needed.

Expand
titleHTTP Proxy

The HTTPClientBuilder object that is the base for the HTTPClient beans has properties for HTTP proxy settings. For example, the Duo OIDC Nimbus plugin can be configured to use a proxy for its Duo API calls by adding this bean to conf/authn/duo-oidc-authn-config.xml:

Code Block
languagexml
 <bean id="shibboleth.authn.DuoOIDC.nimbus.HttpClient"
        parent="shibboleth.authn.DuoOIDC.nimbus.InternalHttpClient"
           p:connectionProxyHost="tfauth-ldap.umn.edu"
           p:connectionProxyPort="3128" />

Reference

Expand
titleProperties

These properties are used in a set of DEPRECATED parent beans that are no longer supported due to a Spring bug that can impact the reloading of service configurations. They remain present for compatibility and for convenience should you choose to use them in your own bean definitions

Name

Type

Default

Description

idp.httpclient.useSecurityEnhancedTLSSocketFactory

Boolean

false

If true, causes the default clients to be injected with a special socket factory that supports advanced TLS features (requires substantial additional configuration)

idp.httpclient.connectionDisregardTLSCertificate              

Boolean

false

If the previous property is false, this allows the default TLS behavior of the client to ignore the TLS server certificate entirely (use with obvious caution, typically only while testing)

idp.httpclient.connectionRequestTimeout

Duration

PT1M

TIme to wait for a connection to be returned from the pool (can be 0 for no imposed value)

idp.httpclient.connectionTimeout

Duration

PT1M

TIme to wait for a connection to be established (can be 0 for no imposed value)

idp.httpclient.socketTimeout

Duration

PT1M

Time to allow between packets on a connection (can be 0 for no imposed value)

idp.httpclient.maxConnectionsTotal

Integer

100

Caps the number of simultaneous connections created by the pooling connection manager

idp.httpclient.maxConnectionsPerRoute

Integer

100

Caps the number of simultaneous connections per route created by the pooling connection manager

idp.httpclient.memorycaching.maxCacheEntries

Integer

50

Size of the in-memory result cache

idp.httpclient.memorycaching.maxCacheEntrySize

Long

1048576 (1MB)

Largest size to allow for an in-memory cache entry

idp.httpclient.filecaching.maxCacheEntries

Integer

100

Size of the on-disk result cache

idp.httpclient.filecaching.maxCacheEntrySize

Long

10485760 (10MB)

Largest sze to allow for an on-disk cache entry

idp.httpclient.filecaching.cacheDirectory

Local directory

Location of on-disk cache

...