[SHIBUI-808]

refactor web security configuration (rename, annotations)
Domain class enhancements to support pac4j
update opensaml initialization
initial autoconfiguration setup
pac4j sample authentication

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/ShibbolethUiApplication.java

@@ -3,21 +3,29 @@
 import edu.internet2.tier.shibboleth.admin.ui.repository.MetadataResolverRepository;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.autoconfigure.domain.EntityScan;
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.boot.context.event.ApplicationStartedEvent;
 import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.FilterType;
 import org.springframework.context.annotation.Profile;
 import org.springframework.context.event.EventListener;
 import org.springframework.data.jpa.repository.config.EnableJpaAuditing;
 import org.springframework.scheduling.annotation.EnableScheduling;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.stereotype.Component;
 
-@SpringBootApplication
+@Configuration
+@EnableAutoConfiguration
+@ComponentScan(excludeFilters = @ComponentScan.Filter(type = FilterType.REGEX, pattern = "edu.internet2.tier.shibboleth.admin.ui.configuration.auto.*"))
 @EntityScan(basePackages = "edu.internet2.tier.shibboleth.admin.ui.domain")
 @EnableJpaAuditing
 @EnableScheduling
+@EnableWebSecurity
 public class ShibbolethUiApplication extends SpringBootServletInitializer {
 
     @Override

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/WebSecurityConfig.java → backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java

@@ -1,9 +1,10 @@
-package edu.internet2.tier.shibboleth.admin.ui.configuration;
+package edu.internet2.tier.shibboleth.admin.ui.configuration.auto;
 
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -20,7 +21,7 @@
  *
  * Workaround for slashes in URL from [https://stackoverflow.com/questions/48453980/spring-5-0-3-requestrejectedexception-the-request-was-rejected-because-the-url]
  */
-@EnableWebSecurity
+@Configuration
 public class WebSecurityConfig {
 
     @Value("${shibui.logout-url:/dashboard}")
@@ -37,8 +38,7 @@ public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
     }
 
     @Bean
-    @Profile("default")
-    @ConditionalOnMissingBean(value = {WebSecurityConfigurerAdapter.class})
+    @ConditionalOnMissingBean(name = "webSecurityConfig")
     public WebSecurityConfigurerAdapter defaultAuth() {
         return new WebSecurityConfigurerAdapter() {
 

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/RequestInitiator.java

@@ -0,0 +1,50 @@
+package edu.internet2.tier.shibboleth.admin.ui.domain;
+
+import org.opensaml.core.xml.util.AttributeMap;
+
+import javax.annotation.Nonnull;
+
+public class RequestInitiator extends AbstractElementExtensibleXMLObject implements org.opensaml.saml.ext.saml2mdreqinit.RequestInitiator {
+    private String binding;
+    @Override
+    public String getBinding() {
+        return this.binding;
+    }
+
+    @Override
+    public void setBinding(String binding) {
+        this.binding = binding;
+    }
+
+    private String location;
+
+    @Override
+    public String getLocation() {
+        return location;
+    }
+
+    @Override
+    public void setLocation(String location) {
+        this.location = location;
+    }
+
+    private String responseLocation;
+
+    @Override
+    public String getResponseLocation() {
+        return this.responseLocation;
+    }
+
+    @Override
+    public void setResponseLocation(String location) {
+        this.responseLocation = location;
+    }
+
+    private AttributeMap attributeMap = new AttributeMap(this);
+
+    @Nonnull
+    @Override
+    public AttributeMap getUnknownAttributes() {
+        return this.attributeMap;
+    }
+}

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/RequestInitiatorBuilder.java

@@ -0,0 +1,43 @@
+package edu.internet2.tier.shibboleth.admin.ui.domain;
+
+import org.opensaml.saml.common.AbstractSAMLObjectBuilder;
+import org.opensaml.saml.common.xml.SAMLConstants;
+import org.w3c.dom.Element;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.xml.namespace.QName;
+
+public class RequestInitiatorBuilder extends AbstractSAMLObjectBuilder<RequestInitiator> {
+
+    /**
+     * Constructor.
+     */
+    public RequestInitiatorBuilder() {
+
+    }
+
+    /** {@inheritDoc} */
+    public RequestInitiator buildObject() {
+        return buildObject(SAMLConstants.SAML20MDRI_NS, org.opensaml.saml.ext.saml2mdreqinit.RequestInitiator.DEFAULT_ELEMENT_LOCAL_NAME,
+                SAMLConstants.SAML20MDRI_PREFIX);
+    }
+
+    /** {@inheritDoc} */
+    public RequestInitiator buildObject(final String namespaceURI, final String localName,
+                                        final String namespacePrefix) {
+        RequestInitiator o = new RequestInitiator();
+        o.setNamespaceURI(namespaceURI);
+        o.setElementLocalName(localName);
+        o.setNamespacePrefix(namespacePrefix);
+        return o;
+    }
+
+    @Nonnull
+    @Override
+    public RequestInitiator buildObject(@Nullable String namespaceURI, @Nonnull String localName, @Nullable String namespacePrefix, @Nullable QName schemaType) {
+        RequestInitiator requestInitiator = buildObject(namespaceURI, localName, namespacePrefix);
+        requestInitiator.setSchemaType(schemaType);
+        return requestInitiator;
+    }
+}

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/RoleDescriptor.java

@@ -83,11 +83,7 @@ public void setSupportedProtocols(List<String> supportedProtocols) {
 
     @Override
     public boolean isSupportedProtocol(String s) {
-        return isSupportedProtocol;
-    }
-
-    public void setIsSupportedProtocol(boolean isSupportedProtocol) {
-        this.isSupportedProtocol = isSupportedProtocol;
+        return this.supportedProtocols.contains(s);
     }
 
     @Override

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/SPSSODescriptor.java

@@ -32,6 +32,9 @@ public class SPSSODescriptor extends SSODescriptor implements org.opensaml.saml.
 
     @Override
     public Boolean isAuthnRequestsSigned() {
+        if (isAuthnRequestsSigned == null) {
+            return false;
+        }
         return isAuthnRequestsSigned;
     }
 
@@ -55,7 +58,7 @@ public void setAuthnRequestsSigned(XSBooleanValue xsBooleanValue) {
 
     @Override
     public Boolean getWantAssertionsSigned() {
-        return wantAssertionsSigned;
+        return wantAssertionsSigned == null ? false : wantAssertionsSigned;
     }
 
     @Override

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/X509Data.java

@@ -65,7 +65,7 @@ public List<X509SubjectName> getX509SubjectNames() {
     @Nonnull
     @Override
     public List<X509Certificate> getX509Certificates() {
-        return Arrays.asList(this.xmlObjects.stream().filter(i -> i instanceof org.opensaml.xmlsec.signature.X509Certificate).toArray(org.opensaml.xmlsec.signature.X509Certificate[]::new));
+        return new ArrayList<>(Arrays.asList(this.xmlObjects.stream().filter(i -> i instanceof org.opensaml.xmlsec.signature.X509Certificate).toArray(org.opensaml.xmlsec.signature.X509Certificate[]::new)));
     }
 
     public void addX509Certificate(edu.internet2.tier.shibboleth.admin.ui.domain.X509Certificate x509Certificate) {

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/config/InitializationService.java

@@ -2,7 +2,6 @@
 
 import org.opensaml.core.config.InitializationException;
 import org.opensaml.core.config.Initializer;
-import org.opensaml.core.xml.config.XMLObjectProviderInitializer;
 
 import java.util.ServiceLoader;
 
@@ -15,7 +14,11 @@ protected InitializationService() {
     public static synchronized void initialize() throws InitializationException {
         final ServiceLoader<Initializer> serviceLoader = ServiceLoader.load(Initializer.class);
         for (Initializer initializer : serviceLoader) {
-            if (initializer.getClass().equals(org.opensaml.saml.config.impl.XMLObjectProviderInitializer.class) || initializer.getClass().equals(XMLObjectProviderInitializer.class) || initializer.getClass().equals(org.opensaml.xmlsec.config.impl.XMLObjectProviderInitializer.class)) {
+            if (
+                    initializer.getClass().equals(org.opensaml.saml.config.impl.XMLObjectProviderInitializer.class)
+                            || initializer.getClass().equals(org.opensaml.core.xml.config.XMLObjectProviderInitializer.class)
+                            || initializer.getClass().equals(org.opensaml.xmlsec.config.impl.XMLObjectProviderInitializer.class)
+            ) {
                 continue;
             }
             initializer.init();

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/config/JPAXMLObjectProviderInitializer.java

@@ -13,7 +13,12 @@ protected String[] getConfigResources() {
                 "/jpa-saml2-assertion-config.xml",
                 "/jpa-schema-config.xml",
                 "/jpa-saml2-metadata-ui-config.xml",
-                "/jpa-signature-config.xml"
+                "/jpa-signature-config.xml",
+                "/encryption-config.xml",
+                "/saml2-metadata-algorithm-config.xml",
+                "/jpa-saml2-metadata-reqinit-config.xml",
+                "/saml2-protocol-config.xml",
+                "/modified-saml2-assertion-config.xml"
         };
     }
 }

backend/src/main/resources/META-INF/spring.factories

@@ -1,2 +1,4 @@
 org.springframework.boot.env.EnvironmentPostProcessor=\
-  edu.internet2.tier.shibboleth.admin.ui.configuration.postprocessors.IdpHomeValueSettingEnvironmentPostProcessor
+  edu.internet2.tier.shibboleth.admin.ui.configuration.postprocessors.IdpHomeValueSettingEnvironmentPostProcessor
+org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
+    edu.internet2.tier.shibboleth.admin.ui.configuration.auto.WebSecurityConfig

backend/src/main/resources/jpa-saml2-metadata-reqinit-config.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<XMLTooling xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" xmlns="http://www.opensaml.org/xmltooling-config" xsi:schemaLocation="http://www.opensaml.org/xmltooling-config ../../src/schema/xmltooling-config.xsd">
+
+	<!-- SAML 2.0 Metadata SSO Service Provider Request Initiation Extension. -->
+	<ObjectProviders>
+
+		<!-- RequestInitiator provider -->
+		<ObjectProvider qualifiedName="init:RequestInitiator">
+			<BuilderClass className="edu.internet2.tier.shibboleth.admin.ui.domain.RequestInitiatorBuilder"/>
+			<MarshallingClass className="org.opensaml.saml.ext.saml2mdreqinit.impl.RequestInitiatorMarshaller"/>
+			<UnmarshallingClass className="org.opensaml.saml.ext.saml2mdreqinit.impl.RequestInitiatorUnmarshaller"/>
+		</ObjectProvider>
+
+	</ObjectProviders>
+</XMLTooling>