authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-02-04 17:37:34 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-02-04 17:37:34 +0100
commite7610325ee2f1d1f4e97e1e7a9b212e692836b5a (patch)
treeed7c0dba5fed47e80e68b4ab5a63846c5724a8e7 /eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils
parent41ea2fdf782cd64d7d29f73c2e83f9c255810818 (diff)
first stable version that uses OpenSAML 3.x
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java6
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/Saml2Utils.java80
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/SamlHttpUtils.java33
3 files changed, 80 insertions, 39 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java
index 31ffd5a7..ca6f29e4 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java
@@ -21,13 +21,13 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.utils;
import java.util.List;
+import at.gv.egiz.eaaf.core.api.data.EaafConstants;
+import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotAllowedException;
+
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import at.gv.egiz.eaaf.core.api.data.EaafConstants;
-import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotAllowedException;
-
/**
* EAAF LoA Level verifier checks if requested LoA matchs to LoA of
* authentication.
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/Saml2Utils.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/Saml2Utils.java
index 763c07f6..dc7e9338 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/Saml2Utils.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/Saml2Utils.java
@@ -37,6 +37,14 @@ import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
+import at.gv.egiz.eaaf.core.impl.utils.DomUtils;
+import at.gv.egiz.eaaf.core.impl.utils.Random;
+import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
+import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
+
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.opensaml.core.xml.XMLObject;
@@ -82,13 +90,6 @@ import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
-import at.gv.egiz.eaaf.core.impl.utils.DomUtils;
-import at.gv.egiz.eaaf.core.impl.utils.Random;
-import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
-import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
-import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
import net.shibboleth.utilities.java.support.xml.QNameSupport;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
@@ -114,13 +115,14 @@ public class Saml2Utils {
}
/**
- * Sign a OpenSAML 3.x object with a {@link X509Credential}.
- * <br>
- * <p>This method used {@link PvpConstants.DEFAULT_SIGNING_METHODE_RSA}
- * or {@link PvpConstants.DEFAULT_SIGNING_METHODE_EC} as algorithm</p>
+ * Sign a OpenSAML 3.x object with a {@link X509Credential}. <br>
+ * <p>
+ * This method used {@link PvpConstants.DEFAULT_SIGNING_METHODE_RSA} or
+ * {@link PvpConstants.DEFAULT_SIGNING_METHODE_EC} as algorithm
+ * </p>
*
- * @param <T> {@link SignableXMLObject}
- * @param toSign object that should be signed
+ * @param <T> {@link SignableXMLObject}
+ * @param toSign object that should be signed
* @param signingCredential Credentials that should be used for signing
* @param injectCertificate true, if certificate should be part of the signature
* @return Signed object
@@ -157,18 +159,20 @@ public class Saml2Utils {
} catch (final SignatureException | MarshallingException | SecurityException e) {
throw new SamlSigningException("internal.pvp.96",
- new Object[] {signingCredential.getEntityId(), e.getMessage()}, e);
+ new Object[] { signingCredential.getEntityId(), e.getMessage() }, e);
}
}
/**
- * SAML2 message unmarshaller that performs schema validation before unmarshall the message.
- *
+ * SAML2 message unmarshaller that performs schema validation before unmarshall
+ * the message.
+ *
* @param messageStream SAML2 message that shoulld be unmarshalled
* @return OpenSAML XML object
- * @throws MessageDecodingException In case of a schema-validation or unmarshalling error
+ * @throws MessageDecodingException In case of a schema-validation or
+ * unmarshalling error
*/
public static XMLObject unmarshallMessage(final InputStream messageStream) throws MessageDecodingException {
try {
@@ -201,22 +205,24 @@ public class Saml2Utils {
} catch (ParserConfigurationException | SAXException e) {
log.warn("Message schema-validation failed.");
- throw new MessageDecodingException("Message schema-validation failed.",
+ throw new MessageDecodingException("Message schema-validation failed.",
new SchemaValidationException("internal.pvp.03", new Object[] { e.getMessage() }, e));
} catch (final IOException e) {
log.error("Error read message from input stream", e);
throw new MessageDecodingException("Error read message from input stream", e);
-
+
}
}
-
+
/**
* Select signature algorithm for a given credential.
*
- * @param credentials {@link X509Credential} that will be used for signing
- * @param rsaSigAlgorithm RSA based signing algorithm that should be used in case of RSA credential
- * @param ecSigAlgorithm EC based signing algorithm that should be used in case of RSA credential
+ * @param credentials {@link X509Credential} that will be used for signing
+ * @param rsaSigAlgorithm RSA based signing algorithm that should be used in
+ * case of RSA credential
+ * @param ecSigAlgorithm EC based signing algorithm that should be used in case
+ * of RSA credential
* @return either the rsaSigAlgorithm or the ecSigAlgorithm
* @throws SamlSigningException In case of an unsupported credential
*/
@@ -233,7 +239,7 @@ public class Saml2Utils {
log.warn("Could NOT evaluate the Private-Key type from " + credentials.getEntityId()
+ " credential.");
throw new SamlSigningException("internal.pvp.97",
- new Object[] {credentials.getEntityId(), privatekey.getClass().getName()});
+ new Object[] { credentials.getEntityId(), privatekey.getClass().getName() });
}
}
@@ -263,14 +269,16 @@ public class Saml2Utils {
}
/**
- * Get a {@link KeyInfoGenerator} that injects key information into XML signature.
+ * Get a {@link KeyInfoGenerator} that injects key information into XML
+ * signature.
*
- * @param credential @link X509Credential} that will be used for signing
- * @param injectCertificate Set <code>true</code> if the certificate should be added to KeyInfo
+ * @param credential @link X509Credential} that will be used for signing
+ * @param injectCertificate Set <code>true</code> if the certificate should be
+ * added to KeyInfo
* @return Generator for a XML signature key-information
*/
public static KeyInfoGenerator getKeyInfoGenerator(X509Credential credential, boolean injectCertificate) {
- //OpenSAML3 only support RSA and DSA for direct key injection
+ // OpenSAML3 only support RSA and DSA for direct key injection
KeyInfoGeneratorFactory keyInfoGenFac = null;
if (injectCertificate || credential.getPublicKey() instanceof ECPublicKey) {
final SignatureSigningConfiguration secConfiguration = SecurityConfigurationSupport
@@ -280,7 +288,7 @@ public class Saml2Utils {
keyInfoGenFac = keyInfoGenManager.getFactory(credential);
} else {
- keyInfoGenFac = createKeyInfoWithoutCertificate(credential);
+ keyInfoGenFac = createKeyInfoWithoutCertificate();
}
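Review bot: The Javadoc for getKeyInfoGenerator in this hunk is malformed: `@param credential @link X509Credential} that will be used for signing` is missing the opening brace of the inline tag and will render as literal text; it should read `@param credential {@link X509Credential} that will be used for signing`. The code comment `// OpenSAML3 only support RSA and DSA for direct key injection` explains why EC keys take the `SignatureSigningConfiguration` factory path, but the method contract does not say that `injectCertificate = false` is not honoured for EC credentials, where the configured X509 factory is used instead and may, depending on that configuration, still emit the certificate; a sentence such as `For EC credentials the configured X509 KeyInfo factory is always used, because OpenSAML 3 cannot emit a bare EC public key` would make that visible to callers. getKeyInfoGenerator continues past the end of this hunk.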
@@ -288,7 +296,6 @@ public class Saml2Utils {
}
-
/**
* Create a SAML2 object.
*
@@ -462,19 +469,20 @@ public class Saml2Utils {
.buildObject(Signature.DEFAULT_ELEMENT_NAME);
signature.setSigningCredential(signingCredential);
signature.setSignatureAlgorithm(usedSigAlg);
- final KeyInfo keyInfo = getKeyInfoGenerator(signingCredential, injectCertificate).generate(signingCredential);
+ final KeyInfo keyInfo = getKeyInfoGenerator(signingCredential, injectCertificate).generate(
+ signingCredential);
signature.setKeyInfo(keyInfo);
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
return signature;
}
- private static KeyInfoGeneratorFactory createKeyInfoWithoutCertificate(X509Credential credential) {
+ private static KeyInfoGeneratorFactory createKeyInfoWithoutCertificate() {
final KeyInfoGeneratorFactory keyInfoGenFac = new BasicKeyInfoGeneratorFactory();
- ((BasicKeyInfoGeneratorFactory)keyInfoGenFac).setEmitPublicKeyValue(true);
- ((BasicKeyInfoGeneratorFactory)keyInfoGenFac).setEmitEntityIDAsKeyName(true);
- ((BasicKeyInfoGeneratorFactory)keyInfoGenFac).setEmitKeyNames(true);
- ((BasicKeyInfoGeneratorFactory)keyInfoGenFac).setEmitPublicDEREncodedKeyValue(true);
+ ((BasicKeyInfoGeneratorFactory) keyInfoGenFac).setEmitPublicKeyValue(true);
+ ((BasicKeyInfoGeneratorFactory) keyInfoGenFac).setEmitEntityIDAsKeyName(true);
+ ((BasicKeyInfoGeneratorFactory) keyInfoGenFac).setEmitKeyNames(true);
+ ((BasicKeyInfoGeneratorFactory) keyInfoGenFac).setEmitPublicDEREncodedKeyValue(true);
return keyInfoGenFac;
}
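Review bot: createKeyInfoWithoutCertificate declares its local as the `KeyInfoGeneratorFactory` interface and then casts it back to `BasicKeyInfoGeneratorFactory` on each of the four setter calls; declaring the local with the concrete type removes the casts while the method's return type stays the interface. Dropping the unused `credential` parameter is fine, but a short Javadoc stating what the generated KeyInfo carries (entity ID as KeyName, KeyValue and DEREncodedKeyValue, no certificate) would help, since callers only reach this factory when `injectCertificate` is false and the key is not EC. getSignature, at the top of this hunk, starts outside it.
```java
  private static KeyInfoGeneratorFactory createKeyInfoWithoutCertificate() {
    final BasicKeyInfoGeneratorFactory keyInfoGenFac = new BasicKeyInfoGeneratorFactory();
    keyInfoGenFac.setEmitPublicKeyValue(true);
    keyInfoGenFac.setEmitEntityIDAsKeyName(true);
    keyInfoGenFac.setEmitKeyNames(true);
    keyInfoGenFac.setEmitPublicDEREncodedKeyValue(true);
    return keyInfoGenFac;
  }
```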
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/SamlHttpUtils.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/SamlHttpUtils.java
new file mode 100644
index 00000000..2e02bf22
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/SamlHttpUtils.java
@@ -0,0 +1,33 @@
+package at.gv.egiz.eaaf.modules.pvp2.impl.utils;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import javax.servlet.http.HttpServletRequest;
+
+public class SamlHttpUtils {
+
+ /**
+ * Always read the last parameter with this name from request to get a strict
+ * deterministic behavior. <br>
+ * <br>
+ * <b><i>If more than one parameters with the same name exists, this method
+ * always select the last parameter value.</i></b>
+ *
+ * @param request Incoming http request
+ * @param paramName Name of the http parameter
+ * @return the last parameter value with this name, or <code>null</code> if the
+ * parameter not exists
+ */
+ @Nullable
+ public static String getLastParameterFromRequest(@Nonnull HttpServletRequest request,
+ @Nonnull String paramName) {
+ final String[] values = request.getParameterValues(paramName);
+ if (values != null && values.length > 0) {
+ return values[values.length - 1];
+
+ }
+
+ return null;
+
+ }
+}
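Review bot: getLastParameterFromRequest silently picks `values[values.length - 1]` and never notices that `values.length > 1`, so a request carrying two SAMLResponse or RelayState parameters is processed as if it were well-formed, which is exactly the shape of an HTTP parameter pollution attempt against a SAML endpoint. Since a duplicated message parameter is never legitimate here, the method should at least surface it, e.g. with a `Logger` added to the class `if (values.length > 1) { log.warn("Http parameter '{}' occurs {} times, using the last value", paramName, values.length); }`, and the message-validation callers should consider rejecting such requests outright rather than relying on "deterministic" selection. Note also that `getParameterValues` merges query-string and body parameters and the Servlet specification orders query-string data before body data, so "last" effectively prefers a POST body value over a query-string one when the container honours that order; presumably intended, but worth stating in the Javadoc because the guarantee depends on the container. Minor: the utility class has no private constructor.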