Embracing the Messiness in Search of Epic Solutions

Month: February 2016

  • Spring Security SAML: Replacing SHA-1 with SHA-256 on Signature and Digest Algorithms

    PROBLEM By default, Spring Security SAML’s SAMLBootstrap uses SHA1withRSA for the signature algorithm and SHA-1 for the digest algorithm. For example, the above configuration will generate the following SAML request payload when using HTTP-POST binding:- Unfortunately, SHA-1 is now deemed insecure due to the “Freestart Collision” attack. Further, most modern browsers have ceased to trust SHA-1 code signing… Read More…

  • Spring Security SAML: Handling IdP’s Public Certificate When Loading Metadata Over HTTPS

    PROBLEM By default, when loading the IdP’s metadata over HTTPS (ex: https://adfs-server/federationmetadata/2007-06/federationmetadata.xml), Spring Security SAML will perform the trust verification configured in the JDK. However, there are times when we do not have direct access to the JDK home directory, especially if the web apps are hosted on someone else’s JEE or PaaS servers. SOLUTION To fix this, the… Read More…

  • Java + SAML: Illegal Key Size

    PROBLEM When attempting to decrypt the SAML response from the IdP, the following exception occurs:- SOLUTION When inspecting the SAML response payload below, the data is encrypted with AES-256:- By default, Java’s key size is limited to 128 bits due to US export laws and a few countries’ import laws. To fix this… Read More…

  • Spring Security SAML: Configuring Binding for Sending SAML Messages to IdP

    PROBLEM Depending on each institution’s Identity Provider (IdP) configuration, the Service Provider (SP) may need to configure the correct binding for sending SAML messages to the IdP. SOLUTION Using Spring Security SAML, the binding configuration is highlighted below:- HTTP-POST Binding Configuration:- Using HTTP-POST binding, the SAML message to the IdP will contain the signature information:- HTTP-Redirect Binding… Read More…