diff options
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java')
| -rw-r--r-- | eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java | 75 |
1 files changed, 37 insertions, 38 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java index e0a3ab8e..8bc770eb 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java @@ -27,17 +27,6 @@ import javax.xml.transform.dom.DOMSource; import javax.xml.validation.Schema; import javax.xml.validation.Validator; -import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException; -import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; -import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; - import org.apache.commons.lang3.StringUtils; import org.joda.time.DateTime; import org.opensaml.core.criterion.EntityIdCriterion; @@ -70,10 +59,20 @@ import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyR import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver; import org.opensaml.xmlsec.signature.support.SignatureException; import org.opensaml.xmlsec.signature.support.SignatureTrustEngine; -import org.springframework.beans.factory.annotation.Autowired; import org.w3c.dom.Element; import org.xml.sax.SAXException; +import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException; +import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.SignatureTrustEngineDecorator; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.net.BasicURLComparator; import net.shibboleth.utilities.java.support.net.URIException; @@ -97,13 +96,7 @@ public class SamlVerificationEngine { */ private static final int TIME_JITTER = 3; - - - - - @Autowired(required = true) - IPvp2MetadataProvider metadataProvider; - + /** * Verify signature of a signed SAML2 object. * @@ -140,27 +133,36 @@ public class SamlVerificationEngine { log.debug("PVP2X message validation FAILED. Relead metadata for entityID: {}", msg.getEntityID()); - if (metadataProvider == null || !(metadataProvider instanceof IRefreshableMetadataProvider) - || !((IRefreshableMetadataProvider) metadataProvider) - .refreshMetadataProvider(msg.getEntityID())) { - throw e; - - } else { - log.trace("PVP2X metadata reload finished. Check validate message again."); - - if (msg instanceof PvpSProfileRequest - && ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) { - verifyRequest((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest(), - sigTrustEngine); + if (sigTrustEngine instanceof SignatureTrustEngineDecorator) { + IPvp2MetadataProvider metadataProvider = + ((SignatureTrustEngineDecorator) sigTrustEngine).getMetadataProvider(); + if (metadataProvider == null || !(metadataProvider instanceof IRefreshableMetadataProvider) + || !((IRefreshableMetadataProvider) metadataProvider).refreshMetadataProvider(msg.getEntityID())) { + + throw e; } else { - verifyIdpResponse(((PvpSProfileResponse) msg).getResponse(), sigTrustEngine); + log.trace("PVP2X metadata reload finished. Check validate message again."); - } + if (msg instanceof PvpSProfileRequest + && ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) { + verifyRequest((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest(), + sigTrustEngine); - } - log.trace("Second PVP2X message validation finished"); + } else { + verifyIdpResponse(((PvpSProfileResponse) msg).getResponse(), sigTrustEngine); + } + + } + log.trace("Second PVP2X message validation finished"); + + } else { + log.debug("TrustEninge is not of type: {} Dynamic SAML2 metadata refresh not possibile.", + SignatureTrustEngineDecorator.class); + throw e; + + } } } @@ -270,9 +272,6 @@ public class SamlVerificationEngine { throw new SamlAssertionValidationExeption(ERROR_16, new Object[] { e.getMessage() }, e); -// } catch (final ConfigurationException e) { -// throw new AssertionValidationExeption("pvp.12", -// new Object[]{loggerName, e.getMessage()}, e); } } |