summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/api/utils/IPendingRequestIdGenerationStrategy.java10
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/RequestStorage.java6
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/modules/AbstractAuthServletTask.java55
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java2
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/tasks/FinalizeAuthenticationTask.java29
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/tasks/RestartAuthProzessManagement.java18
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java118
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SimplePendingRequestIdGenerationStrategy.java21
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/AbstractSL20AuthenticationModulImpl.java10
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java2
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20HttpBindingUtils.java6
11 files changed, 166 insertions, 111 deletions
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/api/utils/IPendingRequestIdGenerationStrategy.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/api/utils/IPendingRequestIdGenerationStrategy.java
index 443404eb..b0507042 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/api/utils/IPendingRequestIdGenerationStrategy.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/api/utils/IPendingRequestIdGenerationStrategy.java
@@ -27,5 +27,15 @@ public interface IPendingRequestIdGenerationStrategy {
@NonNull
public String validateAndGetPendingRequestId(@Nullable String pendingReqId) throws PendingReqIdValidationException;
+ /**
+ * Get the internal pendingReqId without any validation
+ *
+ * @param pendingReqId pending-request Id that should be validated
+ * @return internalPendingRequestId
+ * @throws PendingReqIdValidationException
+ */
+ @NonNull
+ public String getPendingRequestIdWithOutChecks(@Nullable String externalPendingReqId) throws PendingReqIdValidationException;
+
}
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/RequestStorage.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/RequestStorage.java
index 2115d9b0..2b0cbab3 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/RequestStorage.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/RequestStorage.java
@@ -98,7 +98,7 @@ public class RequestStorage implements IRequestStorage{
if (pendingRequest instanceof IRequest) {
try {
//validate pending-requestId
- final String internalPendingRequestId = pendingReqIdGenerationStrategy.validateAndGetPendingRequestId(pendingRequest.getPendingRequestId());
+ final String internalPendingRequestId = pendingReqIdGenerationStrategy.getPendingRequestIdWithOutChecks(pendingRequest.getPendingRequestId());
//store pending request
transactionStorage.put(internalPendingRequestId, pendingRequest, -1);
@@ -128,7 +128,7 @@ public class RequestStorage implements IRequestStorage{
if (pendingReqID != null) {
String internalPendingReqId = null;
try {
- internalPendingReqId = pendingReqIdGenerationStrategy.validateAndGetPendingRequestId(pendingReqID);
+ internalPendingReqId = pendingReqIdGenerationStrategy.getPendingRequestIdWithOutChecks(pendingReqID);
} catch (final PendingReqIdValidationException e) {
internalPendingReqId = e.getInvalidInternalPendingReqId();
@@ -170,7 +170,7 @@ public class RequestStorage implements IRequestStorage{
String newInternalPendingRequestId = null;
try {
- newInternalPendingRequestId = pendingReqIdGenerationStrategy.validateAndGetPendingRequestId(newRequestID);
+ newInternalPendingRequestId = pendingReqIdGenerationStrategy.getPendingRequestIdWithOutChecks(newRequestID);
} catch (final PendingReqIdValidationException e) {
throw new EAAFException("internal.99", new Object[]{"Generate invalid pendingRequestId. Something looks WRONG"}, e);
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/modules/AbstractAuthServletTask.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/modules/AbstractAuthServletTask.java
index eb87e893..5027a84b 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/modules/AbstractAuthServletTask.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/modules/AbstractAuthServletTask.java
@@ -52,8 +52,10 @@ import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.api.IRequestStorage;
import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.auth.services.IProtocolAuthenticationService;
import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger;
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
import at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController;
import at.gv.egiz.eaaf.core.impl.idp.process.springweb.AbstractTask;
@@ -66,6 +68,7 @@ import at.gv.egiz.eaaf.core.impl.utils.DataURLBuilder;
public abstract class AbstractAuthServletTask extends AbstractTask {
private static final Logger log = LoggerFactory.getLogger(AbstractAuthServletTask.class);
+ @Autowired(required=true) IProtocolAuthenticationService protAuchService;
@Autowired(required=true) protected IRequestStorage requestStoreage;
@Autowired(required=true) protected IConfiguration authConfig;
@@ -75,10 +78,12 @@ public abstract class AbstractAuthServletTask extends AbstractTask {
protected IRequest pendingReq = null;
+ @Override
public abstract void execute(ExecutionContext executionContext, HttpServletRequest request,
HttpServletResponse response) throws TaskExecutionException;
+ @Override
protected final IRequest internalExecute(IRequest pendingReq, ExecutionContext executionContext, HttpServletRequest request,
HttpServletResponse response) throws TaskExecutionException {
//set pending-request object
@@ -96,12 +101,28 @@ public abstract class AbstractAuthServletTask extends AbstractTask {
/**
* Redirect the authentication process to protocol specific finalization endpoint.
+ * @param executionContext
*
* @param pendingReq Actually processed protocol specific authentication request
* @param httpResp
+ * @throws IOException
+ * @throws EAAFException
*/
- protected void performRedirectToProtocolFinialization(IRequest pendingReq, HttpServletResponse httpResp) {
- performRedirectToItself(pendingReq, httpResp, ProtocolFinalizationController.ENDPOINT_FINALIZEPROTOCOL);
+ protected void performRedirectToProtocolFinialization(ExecutionContext executionContext, IRequest pendingReq, HttpServletRequest httpReq, HttpServletResponse httpResp) throws EAAFException, IOException {
+ final Object frontChannelRedirectFlagObj = executionContext.get(EAAFConstants.PROCESS_ENGINE_REQUIRES_NO_POSTAUTH_REDIRECT);
+ if (frontChannelRedirectFlagObj != null && frontChannelRedirectFlagObj instanceof Boolean &&
+ (Boolean)frontChannelRedirectFlagObj) {
+ log.info("AuthProcess finished. Forward to Protocol finalization.");
+ protAuchService.finalizeAuthentication(httpReq, httpResp, pendingReq);
+
+ } else {
+ log.info("AuthProcess finished. Redirect to Protocol Dispatcher.");
+ requestStoreage.storePendingRequest(pendingReq);
+ performRedirectToItself(pendingReq, httpResp, ProtocolFinalizationController.ENDPOINT_FINALIZEPROTOCOL);
+
+ }
+
+
}
@@ -113,7 +134,7 @@ public abstract class AbstractAuthServletTask extends AbstractTask {
* @param idpEndPoint Servlet EndPoint that should receive the redirect
*/
protected void performRedirectToItself(IRequest pendingReq, HttpServletResponse httpResp, String idpEndPoint) {
- String redirectURL = new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(),
+ final String redirectURL = new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(),
idpEndPoint, pendingReq.getPendingRequestId());
httpResp.setContentType("text/html");
@@ -142,32 +163,32 @@ public abstract class AbstractAuthServletTask extends AbstractTask {
protected Map<String, String> getParameters(HttpServletRequest req) throws IOException,
FileUploadException {
- Map<String, String> parameters = new HashMap<String, String>();
+ final Map<String, String> parameters = new HashMap<String, String>();
if (ServletFileUpload.isMultipartContent(req)) {
// request is encoded as mulitpart/form-data
- FileItemFactory factory = new DiskFileItemFactory();
+ final FileItemFactory factory = new DiskFileItemFactory();
ServletFileUpload upload = null;
upload = new ServletFileUpload(factory);
List items = null;
items = upload.parseRequest(req);
for (int i = 0; i < items.size(); i++) {
- FileItem item = (FileItem) items.get(i);
+ final FileItem item = (FileItem) items.get(i);
if (item.isFormField()) {
// Process only form fields - no file upload items
parameters.put(item.getFieldName(), item.getString("UTF-8"));
//log requests on trace
if (log.isTraceEnabled()) {
- String logString = item.getString("UTF-8");
+ final String logString = item.getString("UTF-8");
// TODO use RegExp
- String startS = "<pr:Identification><pr:Value>";
- String endS = "</pr:Value><pr:Type>urn:publicid:gv.at:baseid</pr:Type>";
+ final String startS = "<pr:Identification><pr:Value>";
+ final String endS = "</pr:Value><pr:Type>urn:publicid:gv.at:baseid</pr:Type>";
String logWithMaskedBaseid = logString;
- int start = logString.indexOf(startS);
+ final int start = logString.indexOf(startS);
if (start > -1) {
- int end = logString.indexOf(endS);
+ final int end = logString.indexOf(endS);
if (end > -1) {
logWithMaskedBaseid = logString.substring(0, start);
logWithMaskedBaseid += startS;
@@ -188,11 +209,11 @@ public abstract class AbstractAuthServletTask extends AbstractTask {
}
else {
- Iterator<Entry<String, String[]>> requestParamIt = req.getParameterMap().entrySet().iterator();
+ final Iterator<Entry<String, String[]>> requestParamIt = req.getParameterMap().entrySet().iterator();
while (requestParamIt.hasNext()) {
- Entry<String, String[]> entry = requestParamIt.next();
- String key = entry.getKey();
- String[] values = entry.getValue();
+ final Entry<String, String[]> entry = requestParamIt.next();
+ final String key = entry.getKey();
+ final String[] values = entry.getValue();
// take the last value from the value array since the legacy code above also does it this way
parameters.put(key, ArrayUtils.isEmpty(values) ? null : values[values.length-1]);
}
@@ -214,7 +235,7 @@ public abstract class AbstractAuthServletTask extends AbstractTask {
*/
protected String readBytesUpTo(InputStream in, char delimiter)
throws IOException {
- ByteArrayOutputStream bout = new ByteArrayOutputStream();
+ final ByteArrayOutputStream bout = new ByteArrayOutputStream();
boolean done = false;
int b;
while (!done && (b = in.read()) >= 0) {
@@ -239,7 +260,7 @@ public abstract class AbstractAuthServletTask extends AbstractTask {
*/
protected static String addURLParameter(String url, String paramname,
String paramvalue) {
- String param = paramname + "=" + paramvalue;
+ final String param = paramname + "=" + paramvalue;
if (url.indexOf("?") < 0)
return url + "?" + param;
else
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
index 4edde029..7d3ca2f8 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
@@ -381,7 +381,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
// HTTPUtils.extractAuthURLFromRequest(req),
// DefaultGUIFormBuilderConfiguration.VIEW_ERRORMESSAGE,
// null);
-
+
//add errorcode and errormessage
if (config instanceof ModifyableGuiBuilderConfiguration) {
((ModifyableGuiBuilderConfiguration)config).putCustomParameter("errorMsg", msg);
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/tasks/FinalizeAuthenticationTask.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/tasks/FinalizeAuthenticationTask.java
index eff6b631..b12a69b2 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/tasks/FinalizeAuthenticationTask.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/tasks/FinalizeAuthenticationTask.java
@@ -26,20 +26,15 @@
*******************************************************************************/
package at.gv.egiz.eaaf.core.impl.idp.controller.tasks;
-import java.io.Serializable;
-
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.cglib.proxy.Dispatcher;
import org.springframework.stereotype.Component;
import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
import at.gv.egiz.eaaf.core.api.idp.auth.IAuthenticationManager;
-import at.gv.egiz.eaaf.core.api.idp.auth.services.IProtocolAuthenticationService;
import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
import at.gv.egiz.eaaf.core.exceptions.EAAFException;
import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
@@ -53,9 +48,7 @@ import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
public class FinalizeAuthenticationTask extends AbstractAuthServletTask {
private static final Logger log = LoggerFactory.getLogger(FinalizeAuthenticationTask.class);
-
- @Autowired(required=true) IProtocolAuthenticationService protAuchService;
-
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
*/
@@ -68,25 +61,13 @@ public class FinalizeAuthenticationTask extends AbstractAuthServletTask {
//set pending request to authenticated
pendingReq.setAuthenticated(true);
revisionsLogger.logEvent(pendingReq, IAuthenticationManager.EVENT_AUTHENTICATION_PROCESS_FINISHED);
+ performRedirectToProtocolFinialization(executionContext, pendingReq, request, response);
-
- Object frontChannelRedirectFlagObj = executionContext.get(EAAFConstants.PROCESS_ENGINE_REQUIRES_NO_POSTAUTH_REDIRECT);
- if (frontChannelRedirectFlagObj != null && frontChannelRedirectFlagObj instanceof Boolean &&
- (Boolean)frontChannelRedirectFlagObj) {
- log.info("AuthProcess finished. Forward to Protocol finalization.");
- protAuchService.finalizeAuthentication(request, response, pendingReq);
-
- } else {
- log.info("AuthProcess finished. Redirect to Protocol Dispatcher.");
- requestStoreage.storePendingRequest(pendingReq);
- performRedirectToProtocolFinialization(pendingReq, response);
-
- }
-
- } catch (EAAFException e) {
+
+ } catch (final EAAFException e) {
throw new TaskExecutionException(pendingReq, e.getMessage(), e);
- } catch (Exception e) {
+ } catch (final Exception e) {
log.warn("FinalizeAuthenticationTask has an internal error", e);
throw new TaskExecutionException(pendingReq, e.getMessage(), e);
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/tasks/RestartAuthProzessManagement.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/tasks/RestartAuthProzessManagement.java
index 7ecc7425..1e5b63a2 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/tasks/RestartAuthProzessManagement.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/tasks/RestartAuthProzessManagement.java
@@ -65,13 +65,13 @@ public class RestartAuthProzessManagement extends AbstractAuthServletTask {
if (this.pendingReq.isAbortedByUser()) {
log.debug("AuthProcess was stopped. Forward to finalization ... ");
- performRedirectToProtocolFinialization(pendingReq, response);
+ performRedirectToProtocolFinialization(executionContext, pendingReq, request, response);
} else {
//create a new execution context and copy all elements to new context
- ExecutionContext newec = new ExecutionContextImpl();
- Set<String> entries = executionContext.keySet();
- for (String key : entries) {
+ final ExecutionContext newec = new ExecutionContextImpl();
+ final Set<String> entries = executionContext.keySet();
+ for (final String key : entries) {
newec.put(key, executionContext.get(key));
}
@@ -79,13 +79,13 @@ public class RestartAuthProzessManagement extends AbstractAuthServletTask {
log.debug("Select new auth.-process and restart restart process-engine ... ");
// select and create new process instance
- String processDefinitionId = ModuleRegistration.getInstance().selectProcess(newec);
+ final String processDefinitionId = ModuleRegistration.getInstance().selectProcess(newec);
if (processDefinitionId == null) {
log.warn("No suitable authentication process found for SessionID " + pendingReq.getPendingRequestId());
throw new EAAFException("process.02", new Object[] { pendingReq.getPendingRequestId()});
}
- String processInstanceId = processEngine.createProcessInstance(processDefinitionId, newec);
+ final String processInstanceId = processEngine.createProcessInstance(processDefinitionId, newec);
// keep process instance id in moa session
((RequestImpl)pendingReq).setProcessInstanceId(processInstanceId);
@@ -94,7 +94,7 @@ public class RestartAuthProzessManagement extends AbstractAuthServletTask {
try {
requestStoreage.storePendingRequest(pendingReq);
- } catch (EAAFException e) {
+ } catch (final EAAFException e) {
log.error("Database Error! MOASession is not stored!");
throw new EAAFException("internal.02", null);
@@ -107,10 +107,10 @@ public class RestartAuthProzessManagement extends AbstractAuthServletTask {
}
- } catch (EAAFException e) {
+ } catch (final EAAFException e) {
throw new TaskExecutionException(pendingReq, e.getMessage(), e);
- } catch (Exception e) {
+ } catch (final Exception e) {
log.warn("RestartAuthProzessManagement has an internal error", e);
throw new TaskExecutionException(pendingReq, e.getMessage(), e);
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
index 0daa0eb7..f0ef9b38 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
@@ -22,6 +22,8 @@ import org.joda.time.format.DateTimeFormatter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.lang.NonNull;
+import org.springframework.lang.Nullable;
import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.core.api.utils.IPendingRequestIdGenerationStrategy;
@@ -30,7 +32,12 @@ import at.gv.egiz.eaaf.core.exceptions.EAAFException;
import at.gv.egiz.eaaf.core.exceptions.EAAFIllegalStateException;
import at.gv.egiz.eaaf.core.exceptions.PendingReqIdValidationException;
-
+/**
+ * PendingRequestId generation strategy based on signed tokens that facilitates extended token validation
+ *
+ * @author tlenz
+ *
+ */
public class SecurePendingRequestIdGenerationStrategy implements IPendingRequestIdGenerationStrategy {
private static final Logger log = LoggerFactory.getLogger(SecurePendingRequestIdGenerationStrategy.class);
@@ -72,56 +79,43 @@ public class SecurePendingRequestIdGenerationStrategy implements IPendingRequest
}
@Override
- public String validateAndGetPendingRequestId(String externalPendingReqId) throws PendingReqIdValidationException {
- log.trace("RAW external pendingReqId: {}", externalPendingReqId);
+ public String getPendingRequestIdWithOutChecks(String externalPendingReqId) throws PendingReqIdValidationException {
+ final String[] tokenElements = extractTokens(externalPendingReqId);
+ return tokenElements[1];
+ }
+
+ @Override
+ public String validateAndGetPendingRequestId(String externalPendingReqId) throws PendingReqIdValidationException {
try {
- final byte[] externalPendingReqIdBytes = Base64.getUrlDecoder().decode(externalPendingReqId);
-
- if (externalPendingReqIdBytes.length > maxPendingReqIdSize) {
- log.warn("pendingReqId size exceeds {}", maxPendingReqIdSize);
- throw new PendingReqIdValidationException(null, "pendingReqId exceeds max.size: " + maxPendingReqIdSize);
-
- }
-
- final String stringToken = new String(externalPendingReqIdBytes);
- if (StringUtils.countMatches(stringToken, TOKEN_SEPARATOR) == ENCODED_TOKEN_PARTS - 1) {
- final String[] tokenElements = StringUtils.split(stringToken,
- TOKEN_SEPARATOR, ENCODED_TOKEN_PARTS);
-
- final String internalPendingReqId = tokenElements[1];
- final DateTime timeStamp = TOKEN_TEXTUAL_DATE_FORMAT.parseDateTime(tokenElements[0]);
+ final String[] tokenElements = extractTokens(externalPendingReqId);
+ final String internalPendingReqId = tokenElements[1];
+ final DateTime timeStamp = TOKEN_TEXTUAL_DATE_FORMAT.parseDateTime(tokenElements[0]);
- log.trace("Checking HMAC from externalPendingReqId ... ");
- final byte[] tokenDigest = Base64.getDecoder().decode(tokenElements[2]);
- final byte[] refDigist = calculateHMAC(buildInternalToken(internalPendingReqId, timeStamp));
- if (!Arrays.equals(tokenDigest, refDigist)) {
- log.warn("Digest of Token does NOT match");
- log.debug("Token: {} | Ref: {}", tokenDigest, refDigist);
- throw new PendingReqIdValidationException(null, "Digest of pendingRequestId does NOT match");
-
- }
- log.debug("PendingRequestId HMAC digest check successful");
-
- log.trace("Checking valid period ... ");
- final DateTime now = DateTime.now();
- if (timeStamp.withFieldAdded(
- DurationFieldType.seconds(), maxPendingRequestIdLifeTime).isBefore(now)) {
- log.warn("Token exceeds the valid period");
- log.debug("Token: {} | Now: {}", timeStamp, now );
- throw new PendingReqIdValidationException(internalPendingReqId, "PendingRequestId exceeds the valid period");
-
- }
- log.debug("Token valid-period check successful");
+ log.trace("Checking HMAC from externalPendingReqId ... ");
+ final byte[] tokenDigest = Base64.getDecoder().decode(tokenElements[2]);
+ final byte[] refDigist = calculateHMAC(buildInternalToken(internalPendingReqId, timeStamp));
+ if (!Arrays.equals(tokenDigest, refDigist)) {
+ log.warn("Digest of Token does NOT match");
+ log.debug("Token: {} | Ref: {}", tokenDigest, refDigist);
+ throw new PendingReqIdValidationException(null, "Digest of pendingRequestId does NOT match");
+
+ }
+ log.debug("PendingRequestId HMAC digest check successful");
+
+ log.trace("Checking valid period ... ");
+ final DateTime now = DateTime.now();
+ if (timeStamp.withFieldAdded(
+ DurationFieldType.seconds(), maxPendingRequestIdLifeTime).isBefore(now)) {
+ log.warn("Token exceeds the valid period");
+ log.debug("Token: {} | Now: {}", timeStamp, now );
+ throw new PendingReqIdValidationException(internalPendingReqId, "PendingRequestId exceeds the valid period");
- return internalPendingReqId;
-
- } else {
- log.warn("PendingRequestId has an unvalid format");
- log.debug("PendingRequestId: {}", stringToken);
- throw new PendingReqIdValidationException(null, "PendingReqId has an unvalid format");
-
}
+ log.debug("Token valid-period check successful");
+
+ return internalPendingReqId;
+
} catch (final IllegalArgumentException | EAAFIllegalStateException e) {
log.warn("Token is NOT a valid String. Msg: {}", e.getMessage());
@@ -131,6 +125,38 @@ public class SecurePendingRequestIdGenerationStrategy implements IPendingRequest
}
}
+ @NonNull
+ private String[] extractTokens(@Nullable String externalPendingReqId) throws PendingReqIdValidationException {
+ if (StringUtils.isEmpty(externalPendingReqId)) {
+ log.info("PendingReqId is 'null' or empty");
+ throw new PendingReqIdValidationException(null, "PendingReqId is 'null' or empty");
+
+ }
+
+ log.trace("RAW external pendingReqId: {}", externalPendingReqId);
+ final byte[] externalPendingReqIdBytes = Base64.getUrlDecoder().decode(externalPendingReqId);
+
+ if (externalPendingReqIdBytes.length > maxPendingReqIdSize) {
+ log.warn("pendingReqId size exceeds {}", maxPendingReqIdSize);
+ throw new PendingReqIdValidationException(null, "pendingReqId exceeds max.size: " + maxPendingReqIdSize);
+
+ }
+
+ final String stringToken = new String(externalPendingReqIdBytes);
+ if (StringUtils.countMatches(stringToken, TOKEN_SEPARATOR) == ENCODED_TOKEN_PARTS - 1) {
+ final String[] tokenElements = StringUtils.split(stringToken,
+ TOKEN_SEPARATOR, ENCODED_TOKEN_PARTS);
+ return tokenElements;
+
+ } else {
+ log.warn("PendingRequestId has an unvalid format");
+ log.debug("PendingRequestId: {}", stringToken);
+ throw new PendingReqIdValidationException(null, "PendingReqId has an unvalid format");
+
+ }
+
+ }
+
@PostConstruct
private void initialize() throws EAAFConfigurationException {
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SimplePendingRequestIdGenerationStrategy.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SimplePendingRequestIdGenerationStrategy.java
index 59da3d06..6b8fe9b7 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SimplePendingRequestIdGenerationStrategy.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SimplePendingRequestIdGenerationStrategy.java
@@ -5,6 +5,12 @@ import org.apache.commons.lang3.StringUtils;
import at.gv.egiz.eaaf.core.api.utils.IPendingRequestIdGenerationStrategy;
import at.gv.egiz.eaaf.core.exceptions.PendingReqIdValidationException;
+/**
+ * Simple pendingRequestId generation strategy that facilitates no extended validation
+ *
+ * @author tlenz
+ *
+ */
public class SimplePendingRequestIdGenerationStrategy implements IPendingRequestIdGenerationStrategy {
@Override
@@ -15,11 +21,18 @@ public class SimplePendingRequestIdGenerationStrategy implements IPendingRequest
@Override
public String validateAndGetPendingRequestId(String pendingReqId) throws PendingReqIdValidationException {
- if (StringUtils.isEmpty(pendingReqId))
- throw new PendingReqIdValidationException(pendingReqId, "PendingRequestId is empty or null");
-
- return pendingReqId;
+ return getPendingRequestIdWithOutChecks(pendingReqId);
}
+ @Override
+ public String getPendingRequestIdWithOutChecks(String externalPendingReqId) throws PendingReqIdValidationException {
+ if (StringUtils.isEmpty(externalPendingReqId))
+ throw new PendingReqIdValidationException(externalPendingReqId, "PendingRequestId is empty or null");
+
+
+
+ return externalPendingReqId;
+ }
+
}
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/AbstractSL20AuthenticationModulImpl.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/AbstractSL20AuthenticationModulImpl.java
index b23df12e..f6488626 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/AbstractSL20AuthenticationModulImpl.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/AbstractSL20AuthenticationModulImpl.java
@@ -28,7 +28,7 @@ public abstract class AbstractSL20AuthenticationModulImpl implements AuthModule
private int priority = 3;
public static final List<String> VDA_TYPE_IDS = Arrays.asList("1", "2", "3", "4");
-
+
@Autowired(required=true) protected IConfiguration authConfig;
@Autowired(required=true) private AbstractAuthenticationManager authManager;
@@ -59,11 +59,11 @@ public abstract class AbstractSL20AuthenticationModulImpl implements AuthModule
*/
@Override
public String selectProcess(ExecutionContext context) {
- ISPConfiguration spConfig = (ISPConfiguration) context.get(EAAFConstants.PROCESSCONTEXT_SP_CONFIG);
+ final ISPConfiguration spConfig = (ISPConfiguration) context.get(EAAFConstants.PROCESSCONTEXT_SP_CONFIG);
+
+ final String sl20ClientTypeHeader = (String) context.get(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE.toLowerCase());
+ final String sl20VDATypeHeader = (String) context.get(SL20Constants.HTTP_HEADER_SL20_VDA_TYPE.toLowerCase());
- String sl20ClientTypeHeader = (String) context.get(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE.toLowerCase());
- String sl20VDATypeHeader = (String) context.get(SL20Constants.HTTP_HEADER_SL20_VDA_TYPE.toLowerCase());
-
if (spConfig != null &&
StringUtils.isNotEmpty(spConfig.getConfigurationValue(getConfigPropertyNameEnableModule())) &&
Boolean.valueOf(spConfig.getConfigurationValue(getConfigPropertyNameEnableModule()))) {
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java
index b5b82174..416c16b6 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java
@@ -21,6 +21,8 @@ public class SL20Constants {
public static final String HTTP_HEADER_SL20_VDA_TYPE = "X-MOA-VDA";
public static final String HTTP_HEADER_VALUE_NATIVE = "nativeApp";
+ public static final String HTTP_HEADER_SL20_RESP = "X-SL20Operation";
+
//*******************************************************************************************
//JSON signing and encryption headers
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20HttpBindingUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20HttpBindingUtils.java
index 78edf640..e1cca5ef 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20HttpBindingUtils.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20HttpBindingUtils.java
@@ -20,10 +20,12 @@ public class SL20HttpBindingUtils {
public static void writeIntoResponse(HttpServletRequest request, HttpServletResponse response, JsonNode sl20Forward, String redirectURL) throws IOException, URISyntaxException {
//forward SL2.0 command
+ response.addIntHeader(SL20Constants.HTTP_HEADER_SL20_RESP, SL20Constants.CURRENT_SL20_VERSION);
+
if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null &&
request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)) {
log.debug("Client request containts 'native client' header ... ");
- StringWriter writer = new StringWriter();
+ final StringWriter writer = new StringWriter();
writer.write(sl20Forward.toString());
final byte[] content = writer.toString().getBytes("UTF-8");
response.setStatus(HttpServletResponse.SC_OK);
@@ -33,7 +35,7 @@ public class SL20HttpBindingUtils {
} else {
log.debug("Client request containts is no native client ... ");
- URIBuilder clientRedirectURI = new URIBuilder(redirectURL);
+ final URIBuilder clientRedirectURI = new URIBuilder(redirectURL);
clientRedirectURI.addParameter(
SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM,
Base64Url.encode(sl20Forward.toString().getBytes()));