authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-01-31 20:41:54 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-01-31 20:41:54 +0100
commitd41afe91ee59daf6b5f5037cecac52900fe2ccb2 (patch)
tree3a19e1818d276d701574758ce6166b2f3a7e2030 /eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize
parent0cf9926282ba4aa46bad3f4e8020cec72683492f (diff)
a lot of more OpenSAML3 refactoring staff
This version is also NOT stable!
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSaml2Bootstrap.java88
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java218
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java156
3 files changed, 284 insertions, 178 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSaml2Bootstrap.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSaml2Bootstrap.java
deleted file mode 100644
index 9625b591..00000000
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSaml2Bootstrap.java
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
- * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
- * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
- * compliance with the Licence. You may obtain a copy of the Licence at:
- * https://joinup.ec.europa.eu/news/understanding-eupl-v12
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the Licence
- * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the Licence for the specific language governing permissions and limitations under
- * the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text file for details on the
- * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
- * works that you distribute must include a readable copy of the "NOTICE" text file.
-*/
-
-package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize;
-
-import org.opensaml.DefaultBootstrap;
-import org.opensaml.xml.ConfigurationException;
-
-import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute;
-import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes;
-import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeBuilder;
-import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeMarshaller;
-import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeUnmarshaller;
-import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesBuilder;
-import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesMarshaller;
-import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesUnmarshaller;
-
-/**
- * EAAF specific OpenSAML Initializer.
- *
- * @author tlenz
- *
- */
-public class EaafDefaultSaml2Bootstrap extends DefaultBootstrap {
-
- /**
- * OpenSAML2 bootstrap.
- *
- * @throws ConfigurationException In case of an error
- */
- public static synchronized void bootstrap() throws ConfigurationException {
-
- initializeXMLSecurity();
-
- initializeXMLTooling();
-
- initializeArtifactBuilderFactories();
-
- initializeGlobalSecurityConfiguration();
-
- initializeParserPool();
-
- initializeESAPI();
-
- initializeExtenstions();
-
- }
-
- private static void initializeExtenstions() {
- org.opensaml.xml.Configuration.registerObjectProvider(
- EaafRequestedAttribute.DEFAULT_ELEMENT_NAME, new EaafRequestedAttributeBuilder(),
- new EaafRequestedAttributeMarshaller(), new EaafRequestedAttributeUnmarshaller());
-
- org.opensaml.xml.Configuration.registerObjectProvider(
- EaafRequestedAttributes.DEFAULT_ELEMENT_NAME, new EaafRequestedAttributesBuilder(),
- new EaafRequestedAttributesMarshaller(), new EaafRequestedAttributesUnmarshaller());
-
- }
-
- public static void initializeDefaultPvpConfiguration() {
- initializeGlobalSecurityConfiguration();
-
- }
-
- /**
- * Initializes the default global security configuration.
- */
- protected static void initializeGlobalSecurityConfiguration() {
- org.opensaml.xml.Configuration.setGlobalSecurityConfiguration(
- EaafDefaultSecurityConfigurationBootstrap.buildDefaultConfig());
- }
-}
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java
index f3e50e4e..97f0f225 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafDefaultSecurityConfigurationBootstrap.java
@@ -19,14 +19,17 @@
package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize;
-import org.opensaml.xml.encryption.EncryptionConstants;
-import org.opensaml.xml.security.BasicSecurityConfiguration;
-import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap;
-import org.opensaml.xml.security.credential.BasicKeyInfoGeneratorFactory;
-import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager;
-import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
-import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
-import org.opensaml.xml.signature.SignatureConstants;
+import java.util.Arrays;
+import java.util.Collections;
+
+import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
+import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
+import org.opensaml.xmlsec.encryption.support.RSAOAEPParameters;
+import org.opensaml.xmlsec.impl.BasicDecryptionConfiguration;
+import org.opensaml.xmlsec.impl.BasicEncryptionConfiguration;
+import org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration;
+import org.opensaml.xmlsec.impl.BasicSignatureValidationConfiguration;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
/**
* EAAF specific OpenSAML2 security configuration.
@@ -38,102 +41,137 @@ public class EaafDefaultSecurityConfigurationBootstrap
extends DefaultSecurityConfigurationBootstrap {
/**
- * Build EAAF security configuration for OpenSAML2.
+ * Set EAAF specific encryption configuration to OpenSAML 3.x.
*
* @return
*/
- public static BasicSecurityConfiguration buildDefaultConfig() {
- final BasicSecurityConfiguration config = new BasicSecurityConfiguration();
-
- populateSignatureParams(config);
- populateEncryptionParams(config);
- populateKeyInfoCredentialResolverParams(config);
- populateKeyInfoGeneratorManager(config);
- populateKeyParams(config);
+ public static BasicEncryptionConfiguration buildEaafEncryptionConfiguration() {
+ final BasicEncryptionConfiguration config = new BasicEncryptionConfiguration();
+
+ config.setBlacklistedAlgorithms(Arrays.asList(
+ EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES,
+ EncryptionConstants.ALGO_ID_KEYWRAP_TRIPLEDES));
+
+ config.setDataEncryptionAlgorithms(Arrays.asList(
+ // The order of these is significant.
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256,
+
+ // register GCM algorithms
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM,
+ EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM));
+
+ config.setKeyTransportEncryptionAlgorithms(Arrays.asList(
+ // The order of the RSA algos is significant.
+ EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP,
+ EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11,
+
+ // The order of these is not significant.
+ // These aren't really "preferences" per se. They just need to be registered
+ // so that they can be used if a credential with a key of that type and size is
+ // seen.
+ EncryptionConstants.ALGO_ID_KEYWRAP_AES128,
+ EncryptionConstants.ALGO_ID_KEYWRAP_AES192,
+ EncryptionConstants.ALGO_ID_KEYWRAP_AES256));
+
+ config.setRSAOAEPParameters(new RSAOAEPParameters(
+ SignatureConstants.ALGO_ID_DIGEST_SHA1,
+ EncryptionConstants.ALGO_ID_MGF1_SHA1,
+ null));
+
+ config.setDataKeyInfoGeneratorManager(buildDataEncryptionKeyInfoGeneratorManager());
+ config.setKeyTransportKeyInfoGeneratorManager(buildKeyTransportEncryptionKeyInfoGeneratorManager());
return config;
}
- protected static void populateKeyInfoGeneratorManager(final BasicSecurityConfiguration config) {
- final NamedKeyInfoGeneratorManager namedManager = new NamedKeyInfoGeneratorManager();
- config.setKeyInfoGeneratorManager(namedManager);
-
- namedManager.setUseDefaultManager(true);
- final KeyInfoGeneratorManager defaultManager = namedManager.getDefaultManager();
+ /**
+ * Set EAAF specific decryption configuration to OpenSAML 3.x.
+ *
+ * @return
+ */
+ public static BasicDecryptionConfiguration buildEaaftDecryptionConfiguration() {
+ final BasicDecryptionConfiguration config = new BasicDecryptionConfiguration();
- final BasicKeyInfoGeneratorFactory basicFactory = new BasicKeyInfoGeneratorFactory();
- basicFactory.setEmitPublicKeyValue(true);
+ config.setBlacklistedAlgorithms(Collections.singletonList(
+ EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));
- final X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
- x509Factory.setEmitEntityCertificate(true);
+ config.setEncryptedKeyResolver(buildBasicEncryptedKeyResolver());
- defaultManager.registerFactory(basicFactory);
- defaultManager.registerFactory(x509Factory);
+ return config;
}
- protected static void populateSignatureParams(final BasicSecurityConfiguration config) {
-
- // use SHA256 instead of SHA1
- config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
-
- config.registerSignatureAlgorithmURI("DSA", "http://www.w3.org/2000/09/xmldsig#dsa-sha1");
-
- // use SHA256 instead of SHA1
- config.registerSignatureAlgorithmURI("EC", SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256);
-
- // use SHA256 instead of SHA1
- config.registerSignatureAlgorithmURI("AES", SignatureConstants.ALGO_ID_MAC_HMAC_SHA256);
-
- config.registerSignatureAlgorithmURI("DESede", SignatureConstants.ALGO_ID_MAC_HMAC_SHA256);
-
- config.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
- config.setSignatureHMACOutputLength(null);
+ /**
+ * Set EAAF specific signature-creation configuration to OpenSAML 3.x.
+ *
+ * @return
+ */
+ public static BasicSignatureSigningConfiguration buildEaafSignatureSigningConfiguration() {
+ final BasicSignatureSigningConfiguration config = new BasicSignatureSigningConfiguration();
+
+ config.setBlacklistedAlgorithms(Arrays.asList(
+ SignatureConstants.ALGO_ID_DIGEST_NOT_RECOMMENDED_MD5,
+ SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5,
+ SignatureConstants.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5,
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1,
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1,
+ SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1,
+ SignatureConstants.ALGO_ID_DIGEST_SHA1));
+
+ config.setSignatureAlgorithms(Arrays.asList(
+ // The order within each key group is significant.
+ // The order of the key groups themselves is not significant.
+
+ // RSA
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256,
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA384,
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512,
+
+ // ECDSA
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256,
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA384,
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA512
+
+ // HMAC (all symmetric keys)
+ // SignatureConstants.ALGO_ID_MAC_HMAC_SHA256,
+ // SignatureConstants.ALGO_ID_MAC_HMAC_SHA384,
+ // SignatureConstants.ALGO_ID_MAC_HMAC_SHA512,
+ // SignatureConstants.ALGO_ID_MAC_HMAC_SHA1
+ ));
+
+ config.setSignatureReferenceDigestMethods(Arrays.asList(
+ // The order of these is significant.
+ SignatureConstants.ALGO_ID_DIGEST_SHA256,
+ SignatureConstants.ALGO_ID_DIGEST_SHA384,
+ SignatureConstants.ALGO_ID_DIGEST_SHA512));
+
+ config.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+
+ config.setKeyInfoGeneratorManager(buildSignatureKeyInfoGeneratorManager());
- // use SHA256 instead of SHA1
- config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
+ return config;
}
- protected static void populateEncryptionParams(final BasicSecurityConfiguration config) {
- config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128),
- "http://www.w3.org/2001/04/xmlenc#aes128-cbc");
- config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192),
- "http://www.w3.org/2001/04/xmlenc#aes192-cbc");
- config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256),
- "http://www.w3.org/2001/04/xmlenc#aes256-cbc");
-
- // support GCM mode
- config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128),
- EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM);
-
- config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192),
- EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM);
-
- config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256),
- EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM);
-
- config.registerDataEncryptionAlgorithmURI("DESede", Integer.valueOf(168),
- "http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
- config.registerDataEncryptionAlgorithmURI("DESede", Integer.valueOf(192),
- "http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
-
- config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "AES",
- "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
-
- config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "DESede",
- "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
-
- config.registerKeyTransportEncryptionAlgorithmURI("AES", Integer.valueOf(128), null,
- "http://www.w3.org/2001/04/xmlenc#kw-aes128");
- config.registerKeyTransportEncryptionAlgorithmURI("AES", Integer.valueOf(192), null,
- "http://www.w3.org/2001/04/xmlenc#kw-aes192");
- config.registerKeyTransportEncryptionAlgorithmURI("AES", Integer.valueOf(256), null,
- "http://www.w3.org/2001/04/xmlenc#kw-aes256");
- config.registerKeyTransportEncryptionAlgorithmURI("DESede", Integer.valueOf(168), null,
- "http://www.w3.org/2001/04/xmlenc#kw-tripledes");
- config.registerKeyTransportEncryptionAlgorithmURI("DESede", Integer.valueOf(192), null,
- "http://www.w3.org/2001/04/xmlenc#kw-tripledes");
-
- config.setAutoGeneratedDataEncryptionKeyAlgorithmURI(
- "http://www.w3.org/2001/04/xmlenc#aes128-cbc");
+ /**
+ * Set EAAF specific signature-verification configuration to OpenSAML 3.x.
+ *
+ * @return
+ */
+ public static BasicSignatureValidationConfiguration buildEaafSignatureValidationConfiguration() {
+ final BasicSignatureValidationConfiguration config = new BasicSignatureValidationConfiguration();
+
+ config.setBlacklistedAlgorithms(Arrays.asList(
+ SignatureConstants.ALGO_ID_DIGEST_NOT_RECOMMENDED_MD5,
+ SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5,
+ SignatureConstants.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5,
+ SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1,
+ SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1,
+ SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1,
+ SignatureConstants.ALGO_ID_DIGEST_SHA1));
+
+ return config;
}
}
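Review bot: buildEaaftDecryptionConfiguration blacklists only ALGO_ID_KEYTRANSPORT_RSA15, while buildEaafEncryptionConfiguration in the same hunk also blacklists ALGO_ID_BLOCKCIPHER_TRIPLEDES and ALGO_ID_KEYWRAP_TRIPLEDES; the decryption side is the one that processes algorithm choices made by the remote peer, so the two lists should at least agree, e.g. `config.setBlacklistedAlgorithms(Arrays.asList(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15, EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES, EncryptionConstants.ALGO_ID_KEYWRAP_TRIPLEDES));`. The method name carries a stray "t" (`buildEaaftDecryptionConfiguration` → `buildEaafDecryptionConfiguration`), and since it is public and already called from EaafOpenSaml3xInitializer in this commit, renaming it now is cheaper than later. All four Javadoc blocks leave the `@return` tag empty; for the first one something like `@return encryption configuration carrying the EAAF algorithm preferences and blacklist` would do, with the same pattern for the other three. The RSA-OAEP parameters pin a SHA-1 digest and MGF1-SHA1 while the signing configuration blacklists SHA-1; if that is a deliberate interoperability choice, a short comment saying so above setRSAOAEPParameters would stop the next reader from "fixing" it. The class declaration itself begins before this hunk.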
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java
new file mode 100644
index 00000000..42d4d736
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java
@@ -0,0 +1,156 @@
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.annotation.Nonnull;
+import javax.xml.XMLConstants;
+
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute;
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeBuilder;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeMarshaller;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeUnmarshaller;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesBuilder;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesMarshaller;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesUnmarshaller;
+
+import org.opensaml.core.config.ConfigurationService;
+import org.opensaml.core.config.InitializationException;
+import org.opensaml.core.config.InitializationService;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.xmlsec.DecryptionConfiguration;
+import org.opensaml.xmlsec.EncryptionConfiguration;
+import org.opensaml.xmlsec.SignatureSigningConfiguration;
+import org.opensaml.xmlsec.SignatureValidationConfiguration;
+
+import lombok.extern.slf4j.Slf4j;
+import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
+import net.shibboleth.utilities.java.support.xml.BasicParserPool;
+import net.shibboleth.utilities.java.support.xml.ParserPool;
+
+/**
+ * EAAF specific OpenSAML Initializer.
+ *
+ * @author tlenz
+ *
+ */
+@Slf4j
+public class EaafOpenSaml3xInitializer extends InitializationService {
+
+ /**
+ * EAAF specific OpenSAML3.x initialization.
+ *
+ * @throws InitializationException In case of an error
+ * @throws ComponentInitializationException
+ */
+ public static synchronized void eaafInitialize() throws InitializationException, ComponentInitializationException {
+ log.debug("Initializing OpenSAML 3.x ... ");
+ initialize();
+
+ log.debug("Injecting EAAF-specific configuration into OpenSAML 3.x ... ");
+ injectEaafSecurityProperty();
+ injectEaafExtenstions();
+
+ XMLObjectProviderRegistrySupport.setParserPool(eaafSecuredBasicParserPool());
+
+ log.info("OpenSAML3.x with EAAF extensions initialized");
+
+ }
+
+ private static void injectEaafSecurityProperty() {
+ ConfigurationService.register(EncryptionConfiguration.class,
+ EaafDefaultSecurityConfigurationBootstrap.buildEaafEncryptionConfiguration());
+
+ ConfigurationService.register(DecryptionConfiguration.class,
+ EaafDefaultSecurityConfigurationBootstrap.buildEaaftDecryptionConfiguration());
+
+ ConfigurationService.register(SignatureSigningConfiguration.class,
+ EaafDefaultSecurityConfigurationBootstrap.buildEaafSignatureSigningConfiguration());
+
+ ConfigurationService.register(SignatureValidationConfiguration.class,
+ EaafDefaultSecurityConfigurationBootstrap.buildEaafSignatureValidationConfiguration());
+
+ }
+
+ private static void injectEaafExtenstions() {
+ XMLObjectProviderRegistrySupport.registerObjectProvider(
+ EaafRequestedAttribute.DEFAULT_ELEMENT_NAME, new EaafRequestedAttributeBuilder(),
+ new EaafRequestedAttributeMarshaller(), new EaafRequestedAttributeUnmarshaller());
+
+ XMLObjectProviderRegistrySupport.registerObjectProvider(
+ EaafRequestedAttributes.DEFAULT_ELEMENT_NAME, new EaafRequestedAttributesBuilder(),
+ new EaafRequestedAttributesMarshaller(), new EaafRequestedAttributesUnmarshaller());
+
+ }
+
+ /**
+ * Build a secured OpenSAML 3.x XML parser-pool.
+ *
+ * @return {@link ParserPool}
+ * @throws ComponentInitializationException In case of an initialization error
+ */
+ @Nonnull
+ private static ParserPool eaafSecuredBasicParserPool() throws ComponentInitializationException {
+ // Get parser pool manager
+ final BasicParserPool ppMgr = new BasicParserPool();
+ // Note: this is necessary due to an unresolved Xerces deferred DOM issue/bug
+ ppMgr.setBuilderFeatures(getSecureDocumentBuilderFeatures());
+ ppMgr.setNamespaceAware(true);
+ ppMgr.setIgnoreComments(true);
+ ppMgr.setExpandEntityReferences(false);
+ ppMgr.setXincludeAware(false);
+ ppMgr.initialize();
+ return ppMgr;
+ }
+
+ @Nonnull
+ private static Map<String, Boolean> getSecureDocumentBuilderFeatures() {
+ final Map<String, Boolean> features = new HashMap<>();
+ features.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+
+ // Ignore the external DTD completely
+ // Note: this is for Xerces only:
+ features.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", Boolean.FALSE);
+ // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all
+ // XML entity attacks are prevented
+ // Xerces 2 only -
+ // http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
+ features.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
+
+ // If you can't completely disable DTDs, then at least do the following:
+ // Xerces 1 -
+ // http://xerces.apache.org/xerces-j/features.html#external-general-entities
+ // Xerces 2 -
+ // http://xerces.apache.org/xerces2-j/features.html#external-general-entities
+ features.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
+
+ // Xerces 1 -
+ // http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
+ // Xerces 2 -
+ // http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
+ features.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
+
+ return features;
+ }
+
+}
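Review bot: The comment at the top of eaafSecuredBasicParserPool, "this is necessary due to an unresolved Xerces deferred DOM issue/bug", sits above setBuilderFeatures, but getSecureDocumentBuilderFeatures never sets the Xerces deferred-node-expansion feature, so the comment describes a workaround that is not actually applied; either drop the comment or add the feature it refers to (presumably `features.put("http://apache.org/xml/features/dom/defer-node-expansion", Boolean.FALSE);` next to the other Xerces entries). The XXE hardening itself (secure processing, disallow-doctype-decl, external general/parameter entities off, setExpandEntityReferences(false)) reads correctly, and a one-line comment on setExpandEntityReferences noting that it complements the doctype block would make the intent explicit. `injectEaafExtenstions`, both where it is declared and where it is called from eaafInitialize, is misspelled and should be `injectEaafExtensions`. The `@throws ComponentInitializationException` tag on eaafInitialize has no description; suggest `@throws ComponentInitializationException If the secured parser pool cannot be initialized`. eaafInitialize is synchronized but nothing prevents a second call from re-registering the object providers and replacing the parser pool; if repeated initialization is not intended, a static guard flag checked at the top of the method would make that contract visible.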