authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-02-04 17:37:34 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-02-04 17:37:34 +0100
commite7610325ee2f1d1f4e97e1e7a9b212e692836b5a (patch)
treeed7c0dba5fed47e80e68b4ab5a63846c5724a8e7 /eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml
parent41ea2fdf782cd64d7d29f73c2e83f9c255810818 (diff)
first stable version that uses OpenSAML 3.x
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpPostDecoder.java60
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpRedirectDeflateDecoder.java37
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafKeyStoreX509CredentialAdapter.java20
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java1
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/OpenSaml3ResourceAdapter.java11
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/StringRedirectDeflateEncoder.java10
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java8
7 files changed, 77 insertions, 70 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpPostDecoder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpPostDecoder.java
index d23affba..fdd44b9a 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpPostDecoder.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpPostDecoder.java
@@ -2,18 +2,18 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
-import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils;
+
import org.opensaml.core.xml.XMLObject;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder;
import com.google.common.base.Strings;
-
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
import lombok.extern.slf4j.Slf4j;
import net.shibboleth.utilities.java.support.codec.Base64Support;
@@ -27,14 +27,22 @@ import net.shibboleth.utilities.java.support.codec.Base64Support;
@Slf4j
public class EaafHttpPostDecoder extends HTTPPostDecoder {
+ private static final String SAML_REQ_PARAM_NAME = "SAMLRequest";
+ private static final String SAML_RESP_PARAM_NAME = "SAMLResponse";
+
+ public EaafHttpPostDecoder(HttpServletRequest req) {
+ setHttpServletRequest(req);
+ }
+
@Override
protected InputStream getBase64DecodedMessage(final HttpServletRequest request)
throws MessageDecodingException {
log.debug("Getting Base64 encoded message from request");
- String encodedMessage = getLastParameterFromRequest(request, "SAMLRequest");
+ String encodedMessage = SamlHttpUtils.getLastParameterFromRequest(request, SAML_REQ_PARAM_NAME);
if (Strings.isNullOrEmpty(encodedMessage)) {
- encodedMessage = getLastParameterFromRequest(request, "SAMLResponse");
+ encodedMessage = SamlHttpUtils.getLastParameterFromRequest(request, SAML_RESP_PARAM_NAME);
+
}
if (Strings.isNullOrEmpty(encodedMessage)) {
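Review bot: SAML_REQ_PARAM_NAME and SAML_RESP_PARAM_NAME are introduced here and declared again verbatim in EaafHttpRedirectDeflateDecoder (the hunk at lines 143-156); since both decoders now read them through SamlHttpUtils.getLastParameterFromRequest, the two names belong next to that helper as shared public constants so the POST and Redirect bindings cannot drift apart. The new constructor also carries no documentation; a one-liner such as `/** Creates a POST-binding decoder bound to {@code req}; see the OpenSAML decoder life-cycle for whether the caller must still initialize it. */` would tell a reader what the constructor does and does not set up. The stray blank line inside the `if` block after the SAMLResponse lookup can go.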
@@ -43,14 +51,17 @@ public class EaafHttpPostDecoder extends HTTPPostDecoder {
throw new MessageDecodingException("No SAML message present in request");
}
- log.trace("Base64 decoding SAML message:\n{}", encodedMessage);
+ log.trace("Base64 decoding SAML message: {}", encodedMessage);
final byte[] decodedBytes = Base64Support.decode(encodedMessage);
- if (decodedBytes == null) {
- log.info("Unable to Base64 decode SAML message");
- throw new MessageDecodingException("Unable to Base64 decode SAML message");
+
+ try {
+ log.trace("Decoded SAML message: {}", new String(decodedBytes, "UTF-8"));
+
+ } catch (final UnsupportedEncodingException e) {
+ log.warn("Logging of incomming message failed", e);
+
}
- log.trace("Decoded SAML message:\n{}", new String(decodedBytes));
return new ByteArrayInputStream(decodedBytes);
}
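Review bot: The `if (decodedBytes == null)` guard that preceded the trace call has been dropped, so whether a non-decodable parameter now reaches `new String(decodedBytes, "UTF-8")` as null, or later reaches the unmarshaller as an empty stream, depends entirely on what Base64Support.decode returns for malformed input; a short `if (decodedBytes == null || decodedBytes.length == 0) { throw new MessageDecodingException("Unable to Base64 decode SAML message"); }` keeps that failure at the binding layer with the same message as before. The trace line also builds the full decoded message string on every request even when trace is disabled, and the try/catch exists only because the charset is passed by name; `if (log.isTraceEnabled()) { log.trace("Decoded SAML message: {}", new String(decodedBytes, StandardCharsets.UTF_8)); }` removes both the unused work and the catch block (the misspelled "incomming" warning goes with it). getBase64DecodedMessage starts above this hunk.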
@@ -61,31 +72,8 @@ public class EaafHttpPostDecoder extends HTTPPostDecoder {
*/
@Override
protected XMLObject unmarshallMessage(final InputStream messageStream) throws MessageDecodingException {
- return Saml2Utils.unmarshallMessage(messageStream);
-
- }
-
- /**
- * Always read the last parameter with this name from request to get a strict
- * deterministic behavior. <br>
- * <br>
- * <b><i>If more than one parameters with the same name exists, this method
- * always select the last parameter value.</i></b>
- *
- * @param request Incoming http request
- * @param paramName Name of the http parameter
- * @return the last parameter value with this name, or <code>null</code> if the
- * parameter not exists
- */
- @Nullable
- private String getLastParameterFromRequest(@Nonnull HttpServletRequest request, @Nonnull String paramName) {
- final String[] values = request.getParameterValues(paramName);
- if (values != null && values.length > 0) {
- return values[values.length - 1];
-
- }
-
- return null;
+ return Saml2Utils.unmarshallMessage(messageStream);
}
+
}
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpRedirectDeflateDecoder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpRedirectDeflateDecoder.java
index 16d73296..c5174f02 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpRedirectDeflateDecoder.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpRedirectDeflateDecoder.java
@@ -4,6 +4,9 @@ import java.io.InputStream;
import javax.servlet.http.HttpServletRequest;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils;
+
import org.opensaml.core.xml.XMLObject;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.decoder.MessageDecodingException;
@@ -13,10 +16,7 @@ import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder;
import com.google.common.base.Strings;
-
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
import lombok.extern.slf4j.Slf4j;
-import net.shibboleth.utilities.java.support.net.URISupport;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
/**
@@ -29,6 +29,14 @@ import net.shibboleth.utilities.java.support.primitive.StringSupport;
@Slf4j
public class EaafHttpRedirectDeflateDecoder extends HTTPRedirectDeflateDecoder {
+ private static final String SAML_REQ_PARAM_NAME = "SAMLRequest";
+ private static final String SAML_RESP_PARAM_NAME = "SAMLResponse";
+
+ public EaafHttpRedirectDeflateDecoder(HttpServletRequest req) {
+ setHttpServletRequest(req);
+
+ }
+
@Override
protected void doDecode() throws MessageDecodingException {
final MessageContext<SAMLObject> messageContext = new MessageContext<>();
@@ -52,16 +60,19 @@ public class EaafHttpRedirectDeflateDecoder extends HTTPRedirectDeflateDecoder {
// implement parameter extraction as same as in
// SAML2HTTPRedirectDeflateSignatureSecurityHandler.java
- final String queryString = getHttpServletRequest().getQueryString();
- if (!Strings.isNullOrEmpty(URISupport.getRawQueryStringParameter(queryString, "SAMLRequest"))) {
- samlMessageIns = decodeMessage(URISupport.getRawQueryStringParameter(queryString, "SAMLRequest"));
- } else if (!Strings.isNullOrEmpty(URISupport.getRawQueryStringParameter(queryString, "SAMLResponse"))) {
- samlMessageIns = decodeMessage(URISupport.getRawQueryStringParameter(queryString, "SAMLResponse"));
+ final String samlReq = SamlHttpUtils.getLastParameterFromRequest(request, SAML_REQ_PARAM_NAME);
+ final String samlResp = SamlHttpUtils.getLastParameterFromRequest(request, SAML_RESP_PARAM_NAME);
+ if (!Strings.isNullOrEmpty(samlReq)) {
+ samlMessageIns = decodeMessage(samlReq);
+
+ } else if (!Strings.isNullOrEmpty(samlResp)) {
+ samlMessageIns = decodeMessage(samlResp);
+
} else {
throw new MessageDecodingException(
"No SAMLRequest or SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message");
}
-
+
final SAMLObject samlMessage = (SAMLObject) unmarshallMessage(samlMessageIns);
messageContext.setMessage(samlMessage);
log.debug("Decoded SAML message");
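Review bot: The comment kept at the top of this hunk still says the extraction matches SAML2HTTPRedirectDeflateSignatureSecurityHandler, but the replaced lines no longer do: `URISupport.getRawQueryStringParameter` returned the first raw occurrence from the query string, while `SamlHttpUtils.getLastParameterFromRequest` (judging by its name and the helper it replaces in EaafHttpPostDecoder) returns the last value from the servlet parameter map, which is URL-decoded and, on a POST, also populated from the body. If the signature handler still verifies over the first raw query-string value, a request carrying duplicate SAMLRequest or SAMLResponse parameters would be signature-checked on one value and unmarshalled from another; the decoder should either reject such requests when `request.getParameterValues(...)` yields more than one value for these names, or fetch the same occurrence the verifier uses, and the comment should be rewritten to state the actual contract, e.g. `// values come from the servlet parameter map (URL-decoded, last occurrence); the signature handler verifies the raw query string, so duplicates must be rejected above`. `request` is not declared within the hunk and any HTTP-method check sits above it; doDecode starts outside the hunk.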
@@ -69,9 +80,9 @@ public class EaafHttpRedirectDeflateDecoder extends HTTPRedirectDeflateDecoder {
populateBindingContext(messageContext);
setMessageContext(messageContext);
-
+
}
-
+
/**
* EAAF specific unmarshaller perform XML schema validation before unmarshalling
* the SAML message.
@@ -79,8 +90,8 @@ public class EaafHttpRedirectDeflateDecoder extends HTTPRedirectDeflateDecoder {
*/
@Override
protected XMLObject unmarshallMessage(final InputStream messageStream) throws MessageDecodingException {
- return Saml2Utils.unmarshallMessage(messageStream);
-
+ return Saml2Utils.unmarshallMessage(messageStream);
+
}
}
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafKeyStoreX509CredentialAdapter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafKeyStoreX509CredentialAdapter.java
index 7c433c1c..6d81700a 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafKeyStoreX509CredentialAdapter.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafKeyStoreX509CredentialAdapter.java
@@ -50,21 +50,24 @@ public class EaafKeyStoreX509CredentialAdapter extends KeyStoreX509CredentialAda
/**
* Get an OpenSAML2 keystore.
*
- * @param store Java KeyStore
- * @param alias Key alias
- * @param password key Password
- * @param keyStoreFriendlyName Friendlyname of this keystore for logging purposes
- * @throws CredentialsNotAvailableException In case of an initialization exception
+ * @param store Java KeyStore
+ * @param alias Key alias
+ * @param password key Password
+ * @param keyStoreFriendlyName Friendlyname of this keystore for logging
+ * purposes
+ * @throws CredentialsNotAvailableException In case of an initialization
+ * exception
*/
public EaafKeyStoreX509CredentialAdapter(@Nonnull final KeyStore store, @Nonnull final String alias,
- @Nullable final char[] password, @Nonnull String keyStoreFriendlyName) throws CredentialsNotAvailableException {
+ @Nullable final char[] password, @Nonnull String keyStoreFriendlyName)
+ throws CredentialsNotAvailableException {
super(store, alias, password);
if (getPrivateKey() == null && getSecretKey() == null) {
log.error("KeyStore: {} Key with alias: {} not found or contains no PrivateKey.",
keyStoreFriendlyName, alias);
throw new CredentialsNotAvailableException("internal.pvp.00",
- new Object[] { keyStoreFriendlyName, alias});
+ new Object[] { keyStoreFriendlyName, alias });
}
@@ -74,7 +77,8 @@ public class EaafKeyStoreX509CredentialAdapter extends KeyStoreX509CredentialAda
PvpConstants.DEFAULT_SIGNING_METHODE_EC));
} catch (final SamlSigningException e) {
- throw new CredentialsNotAvailableException("internal.pvp.01", new Object[] {keyStoreFriendlyName, alias}, e);
+ throw new CredentialsNotAvailableException("internal.pvp.01", new Object[] { keyStoreFriendlyName,
+ alias }, e);
}
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java
index 3650e617..fa77b73c 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java
@@ -19,7 +19,6 @@
package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml;
-
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/OpenSaml3ResourceAdapter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/OpenSaml3ResourceAdapter.java
index 2e45aea2..f474267f 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/OpenSaml3ResourceAdapter.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/OpenSaml3ResourceAdapter.java
@@ -9,22 +9,23 @@ import java.net.URL;
import net.shibboleth.utilities.java.support.resource.Resource;
/**
- * Adapter that connects a Spring {@link org.springframework.core.io.Resource} to a {@link Resource}.
- *
+ * Adapter that connects a Spring {@link org.springframework.core.io.Resource}
+ * to a {@link Resource}.
+ *
* @author tlenz
*
*/
public class OpenSaml3ResourceAdapter implements Resource {
- private org.springframework.core.io.Resource internalResource;
+ private final org.springframework.core.io.Resource internalResource;
public OpenSaml3ResourceAdapter(org.springframework.core.io.Resource resource) {
this.internalResource = resource;
}
-
+
@Override
public boolean exists() {
- return internalResource.exists();
+ return internalResource.exists();
}
@Override
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/StringRedirectDeflateEncoder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/StringRedirectDeflateEncoder.java
index bd450518..38735fb8 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/StringRedirectDeflateEncoder.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/StringRedirectDeflateEncoder.java
@@ -23,8 +23,8 @@ import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.encoder.MessageEncodingException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPRedirectDeflateEncoder;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+
+import lombok.extern.slf4j.Slf4j;
/**
* Create deflate encoded SAML2 redirect-binding informations.
@@ -32,9 +32,9 @@ import org.slf4j.LoggerFactory;
* @author tlenz
*
*/
-public class StringRedirectDeflateEncoder extends HTTPRedirectDeflateEncoder {
- private static final Logger log = LoggerFactory.getLogger(StringRedirectDeflateEncoder.class);
+@Slf4j
+public class StringRedirectDeflateEncoder extends HTTPRedirectDeflateEncoder {
private String redirectUrl = null;
@Override
@@ -50,6 +50,8 @@ public class StringRedirectDeflateEncoder extends HTTPRedirectDeflateEncoder {
redirectUrl = buildRedirectURL(messageContext, endpointUrl, encodedMessage);
+ log.trace("SAML2 redirect-binding URL was generated as: {}", redirectUrl);
+
}
/**
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java
index 42d4d736..5c6d861d 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java
@@ -60,10 +60,12 @@ public class EaafOpenSaml3xInitializer extends InitializationService {
/**
* EAAF specific OpenSAML3.x initialization.
*
- * @throws InitializationException In case of an error
- * @throws ComponentInitializationException
+ * @throws InitializationException In case of an error
+ * @throws ComponentInitializationException In case of an OpenSAML3
+ * initialization error
*/
- public static synchronized void eaafInitialize() throws InitializationException, ComponentInitializationException {
+ public static synchronized void eaafInitialize() throws InitializationException,
+ ComponentInitializationException {
log.debug("Initializing OpenSAML 3.x ... ");
initialize();