summaryrefslogtreecommitdiff
path: root/eaaf_modules/eaaf_module_pvp2_idp/src
diff options
context:
space:
mode:
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_idp/src')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/PVP2SProfileIDPSpringResourceProvider.java54
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/Pvp2SProfileIdpSpringResourceProvider.java47
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/api/builder/ISubjectNameIdGenerator.java62
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/InvalidAssertionConsumerServiceException.java75
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/InvalidAssertionEncryptionException.java54
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/RequestDeniedException.java57
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/ResponderErrorException.java67
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SAMLRequestNotSignedException.java50
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SAMLRequestNotSupported.java46
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SamlRequestNotSignedException.java42
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SamlRequestNotSupported.java39
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/UnprovideableAttributeException.java56
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPVP2XProtocol.java541
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java561
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java312
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/MetadataAction.java206
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/PVPSProfilePendingRequest.java69
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/PvpSProfilePendingRequest.java61
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java234
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java459
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java465
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider2
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/resources/eaaf_pvp_idp.beans.xml35
23 files changed, 1768 insertions, 1826 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/PVP2SProfileIDPSpringResourceProvider.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/PVP2SProfileIDPSpringResourceProvider.java
deleted file mode 100644
index d50c5ee4..00000000
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/PVP2SProfileIDPSpringResourceProvider.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * https://joinup.ec.europa.eu/news/understanding-eupl-v12
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-package at.gv.egiz.eaaf.modules.pvp2.idp;
-
-import org.springframework.core.io.ClassPathResource;
-import org.springframework.core.io.Resource;
-
-import at.gv.egiz.components.spring.api.SpringResourceProvider;
-
-public class PVP2SProfileIDPSpringResourceProvider implements SpringResourceProvider {
-
- @Override
- public String getName() {
- return "EAAF PVP2 S-Profile IDP SpringResourceProvider";
- }
-
- @Override
- public String[] getPackagesToScan() {
- // TODO Auto-generated method stub
- return null;
- }
-
- @Override
- public Resource[] getResourcesToLoad() {
- ClassPathResource sl20AuthConfig = new ClassPathResource("/eaaf_pvp_idp.beans.xml", PVP2SProfileIDPSpringResourceProvider.class);
-
- return new Resource[] {sl20AuthConfig};
- }
-
-}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/Pvp2SProfileIdpSpringResourceProvider.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/Pvp2SProfileIdpSpringResourceProvider.java
new file mode 100644
index 00000000..9414dc33
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/Pvp2SProfileIdpSpringResourceProvider.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.gv.egiz.eaaf.modules.pvp2.idp;
+
+import at.gv.egiz.components.spring.api.SpringResourceProvider;
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+
+public class Pvp2SProfileIdpSpringResourceProvider implements SpringResourceProvider {
+
+ @Override
+ public String getName() {
+ return "EAAF PVP2 S-Profile IDP SpringResourceProvider";
+ }
+
+ @Override
+ public String[] getPackagesToScan() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Resource[] getResourcesToLoad() {
+ final ClassPathResource sl20AuthConfig = new ClassPathResource("/eaaf_pvp_idp.beans.xml",
+ Pvp2SProfileIdpSpringResourceProvider.class);
+
+ return new Resource[] {sl20AuthConfig};
+ }
+
+}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/api/builder/ISubjectNameIdGenerator.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/api/builder/ISubjectNameIdGenerator.java
index 90662f48..131be543 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/api/builder/ISubjectNameIdGenerator.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/api/builder/ISubjectNameIdGenerator.java
@@ -1,45 +1,39 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
*
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
* https://joinup.ec.europa.eu/news/understanding-eupl-v12
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
package at.gv.egiz.eaaf.modules.pvp2.idp.api.builder;
import at.gv.egiz.eaaf.core.api.idp.IAuthData;
-import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.IspConfiguration;
import at.gv.egiz.eaaf.core.impl.data.Pair;
-import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
public interface ISubjectNameIdGenerator {
- /**
- * Generates a SAML2 subjectNameId from authentication data
- *
- * @param authData Authentication data for the current pending request
- * @param spConfig Service provider configuration
- * @return Pair of subjectNameId and NameIdFormat
- * @throws PVP2Exception
- */
- public Pair<String, String> generateSubjectNameId(IAuthData authData, ISPConfiguration spConfig) throws PVP2Exception;
+ /**
+ * Generates a SAML2 subjectNameId from authentication data.
+ *
+ * @param authData Authentication data for the current pending request
+ * @param spConfig Service provider configuration
+ * @return Pair of subjectNameId and NameIdFormat
+ * @throws Pvp2Exception In case of an error
+ */
+ public Pair<String, String> generateSubjectNameId(IAuthData authData, IspConfiguration spConfig)
+ throws Pvp2Exception;
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/InvalidAssertionConsumerServiceException.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/InvalidAssertionConsumerServiceException.java
index 42424726..6d868558 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/InvalidAssertionConsumerServiceException.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/InvalidAssertionConsumerServiceException.java
@@ -1,54 +1,47 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
*
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
* https://joinup.ec.europa.eu/news/understanding-eupl-v12
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
package at.gv.egiz.eaaf.modules.pvp2.idp.exception;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
import org.opensaml.saml2.core.StatusCode;
-import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
+public class InvalidAssertionConsumerServiceException extends Pvp2Exception {
+
+ private static final long serialVersionUID = 7861790149343943091L;
+
+ public InvalidAssertionConsumerServiceException(final int idx) {
+ super("pvp2.28", new Object[] {idx});
+ this.statusCodeValue = StatusCode.REQUESTER_URI;
+ }
-public class InvalidAssertionConsumerServiceException extends PVP2Exception {
+ /**
+ * Invalid assertion consumer-service URL.
+ *
+ * @param wrongUrl invalid URL
+ */
+ public InvalidAssertionConsumerServiceException(final String wrongUrl) {
+ super("pvp2.23", new Object[] {wrongUrl});
+ this.statusCodeValue = StatusCode.REQUESTER_URI;
- public InvalidAssertionConsumerServiceException(int idx) {
- super("pvp2.28", new Object[]{idx});
- this.statusCodeValue = StatusCode.REQUESTER_URI;
- }
+ }
- /**
- *
- */
- public InvalidAssertionConsumerServiceException(String wrongURL) {
- super("pvp2.23", new Object[]{wrongURL});
- this.statusCodeValue = StatusCode.REQUESTER_URI;
-
- }
- /**
- *
- */
- private static final long serialVersionUID = 7861790149343943091L;
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/InvalidAssertionEncryptionException.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/InvalidAssertionEncryptionException.java
index 55c94df1..0d75616a 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/InvalidAssertionEncryptionException.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/InvalidAssertionEncryptionException.java
@@ -1,42 +1,34 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
*
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
* https://joinup.ec.europa.eu/news/understanding-eupl-v12
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
package at.gv.egiz.eaaf.modules.pvp2.idp.exception;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
import org.opensaml.saml2.core.StatusCode;
-import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
-
-public class InvalidAssertionEncryptionException extends PVP2Exception {
+public class InvalidAssertionEncryptionException extends Pvp2Exception {
- private static final long serialVersionUID = 6513388841485355549L;
+ private static final long serialVersionUID = 6513388841485355549L;
- public InvalidAssertionEncryptionException() {
- super("pvp2.16", new Object[]{});
- this.statusCodeValue = StatusCode.RESPONDER_URI;
- }
+ public InvalidAssertionEncryptionException() {
+ super("pvp2.16", new Object[] {});
+ this.statusCodeValue = StatusCode.RESPONDER_URI;
+ }
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/RequestDeniedException.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/RequestDeniedException.java
index 6109c78d..ecceea12 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/RequestDeniedException.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/RequestDeniedException.java
@@ -1,45 +1,34 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
*
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
* https://joinup.ec.europa.eu/news/understanding-eupl-v12
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
package at.gv.egiz.eaaf.modules.pvp2.idp.exception;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
import org.opensaml.saml2.core.StatusCode;
-import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
-
-public class RequestDeniedException extends PVP2Exception {
+public class RequestDeniedException extends Pvp2Exception {
- public RequestDeniedException() {
- super("pvp2.14", null);
- this.statusCodeValue = StatusCode.REQUEST_DENIED_URI;
- }
+ private static final long serialVersionUID = 4415896615794730553L;
- /**
- *
- */
- private static final long serialVersionUID = 4415896615794730553L;
+ public RequestDeniedException() {
+ super("pvp2.14", null);
+ this.statusCodeValue = StatusCode.REQUEST_DENIED_URI;
+ }
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/ResponderErrorException.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/ResponderErrorException.java
index 7f565c00..331e11cd 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/ResponderErrorException.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/ResponderErrorException.java
@@ -1,50 +1,39 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
*
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
* https://joinup.ec.europa.eu/news/understanding-eupl-v12
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
package at.gv.egiz.eaaf.modules.pvp2.idp.exception;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
import org.opensaml.saml2.core.StatusCode;
-import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
+public class ResponderErrorException extends Pvp2Exception {
-public class ResponderErrorException extends PVP2Exception {
+ private static final long serialVersionUID = -425416760138285446L;
- /**
- *
- */
- private static final long serialVersionUID = -425416760138285446L;
+ public ResponderErrorException(final String messageId, final Object[] parameters,
+ final Throwable wrapped) {
+ super(messageId, parameters, wrapped);
+ this.statusCodeValue = StatusCode.RESPONDER_URI;
+ }
- public ResponderErrorException(String messageId, Object[] parameters,
- Throwable wrapped) {
- super(messageId, parameters, wrapped);
- this.statusCodeValue = StatusCode.RESPONDER_URI;
- }
-
- public ResponderErrorException(String messageId, Object[] parameters) {
- super(messageId, parameters);
- this.statusCodeValue = StatusCode.RESPONDER_URI;
- }
+ public ResponderErrorException(final String messageId, final Object[] parameters) {
+ super(messageId, parameters);
+ this.statusCodeValue = StatusCode.RESPONDER_URI;
+ }
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SAMLRequestNotSignedException.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SAMLRequestNotSignedException.java
deleted file mode 100644
index a0fad363..00000000
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SAMLRequestNotSignedException.java
+++ /dev/null
@@ -1,50 +0,0 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * https://joinup.ec.europa.eu/news/understanding-eupl-v12
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-package at.gv.egiz.eaaf.modules.pvp2.idp.exception;
-
-import org.opensaml.saml2.core.StatusCode;
-
-import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
-
-public class SAMLRequestNotSignedException extends PVP2Exception {
-
- public SAMLRequestNotSignedException() {
- super("pvp2.07", null);
- this.statusCodeValue = StatusCode.REQUESTER_URI;
- }
-
- public SAMLRequestNotSignedException(Throwable e) {
- super("pvp2.07", null, e);
- this.statusCodeValue = StatusCode.REQUESTER_URI;
- }
-
- /**
- *
- */
- private static final long serialVersionUID = 1L;
-
-}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SAMLRequestNotSupported.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SAMLRequestNotSupported.java
deleted file mode 100644
index e59ebe0a..00000000
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SAMLRequestNotSupported.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * https://joinup.ec.europa.eu/news/understanding-eupl-v12
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-package at.gv.egiz.eaaf.modules.pvp2.idp.exception;
-
-import org.opensaml.saml2.core.StatusCode;
-
-import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
-
-
-public class SAMLRequestNotSupported extends PVP2Exception {
-
- public SAMLRequestNotSupported() {
- super("pvp2.09", null);
- this.statusCodeValue = StatusCode.REQUEST_UNSUPPORTED_URI;
- }
-
- /**
- *
- */
- private static final long serialVersionUID = 1244883178458802767L;
-
-}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SamlRequestNotSignedException.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SamlRequestNotSignedException.java
new file mode 100644
index 00000000..4650506d
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SamlRequestNotSignedException.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.gv.egiz.eaaf.modules.pvp2.idp.exception;
+
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
+import org.opensaml.saml2.core.StatusCode;
+
+public class SamlRequestNotSignedException extends Pvp2Exception {
+
+ private static final long serialVersionUID = 1L;
+
+ public SamlRequestNotSignedException() {
+ super("pvp2.07", null);
+ this.statusCodeValue = StatusCode.REQUESTER_URI;
+ }
+
+ public SamlRequestNotSignedException(final Throwable e) {
+ super("pvp2.07", null, e);
+ this.statusCodeValue = StatusCode.REQUESTER_URI;
+ }
+
+
+
+
+}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SamlRequestNotSupported.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SamlRequestNotSupported.java
new file mode 100644
index 00000000..58a493b9
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/SamlRequestNotSupported.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.gv.egiz.eaaf.modules.pvp2.idp.exception;
+
+import org.opensaml.saml2.core.StatusCode;
+
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
+
+
+public class SamlRequestNotSupported extends Pvp2Exception {
+
+ private static final long serialVersionUID = 1244883178458802767L;
+
+ public SamlRequestNotSupported() {
+ super("pvp2.09", null);
+ this.statusCodeValue = StatusCode.REQUEST_UNSUPPORTED_URI;
+ }
+
+
+
+
+}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/UnprovideableAttributeException.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/UnprovideableAttributeException.java
index 0dfda55f..41252b78 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/UnprovideableAttributeException.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/exception/UnprovideableAttributeException.java
@@ -1,43 +1,33 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
*
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
* https://joinup.ec.europa.eu/news/understanding-eupl-v12
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
package at.gv.egiz.eaaf.modules.pvp2.idp.exception;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
import org.opensaml.saml2.core.StatusCode;
-import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
+public class UnprovideableAttributeException extends Pvp2Exception {
-public class UnprovideableAttributeException extends PVP2Exception {
- /**
- *
- */
- private static final long serialVersionUID = 3972197758163647157L;
+ private static final long serialVersionUID = 3972197758163647157L;
- public UnprovideableAttributeException(String attributeName) {
- super("pvp2.10", new Object[] {attributeName});
- this.statusCodeValue = StatusCode.UNKNOWN_ATTR_PROFILE_URI;
- }
+ public UnprovideableAttributeException(final String attributeName) {
+ super("pvp2.10", new Object[] {attributeName});
+ this.statusCodeValue = StatusCode.UNKNOWN_ATTR_PROFILE_URI;
+ }
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPVP2XProtocol.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPVP2XProtocol.java
deleted file mode 100644
index 3298559a..00000000
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPVP2XProtocol.java
+++ /dev/null
@@ -1,541 +0,0 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * https://joinup.ec.europa.eu/news/understanding-eupl-v12
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-package at.gv.egiz.eaaf.modules.pvp2.idp.impl;
-
-import java.util.List;
-
-import javax.annotation.PostConstruct;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.lang.StringEscapeUtils;
-import org.apache.commons.lang3.StringUtils;
-import org.joda.time.DateTime;
-import org.opensaml.common.xml.SAMLConstants;
-import org.opensaml.saml2.core.AuthnRequest;
-import org.opensaml.saml2.core.Issuer;
-import org.opensaml.saml2.core.NameID;
-import org.opensaml.saml2.core.Response;
-import org.opensaml.saml2.core.Status;
-import org.opensaml.saml2.core.StatusCode;
-import org.opensaml.saml2.core.StatusMessage;
-import org.opensaml.saml2.metadata.AssertionConsumerService;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.ws.security.SecurityPolicyException;
-import org.opensaml.xml.security.x509.X509Credential;
-import org.opensaml.xml.signature.SignableXMLObject;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-
-import at.gv.egiz.components.eventlog.api.EventConstants;
-import at.gv.egiz.eaaf.core.api.IRequest;
-import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
-import at.gv.egiz.eaaf.core.api.idp.IModulInfo;
-import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger;
-import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException;
-import at.gv.egiz.eaaf.core.exceptions.EAAFException;
-import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
-import at.gv.egiz.eaaf.core.exceptions.NoPassivAuthenticationException;
-import at.gv.egiz.eaaf.core.exceptions.SLOException;
-import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController;
-import at.gv.egiz.eaaf.modules.pvp2.PVPEventConstants;
-import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration;
-import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestValidator;
-import at.gv.egiz.eaaf.modules.pvp2.exception.InvalidPVPRequestException;
-import at.gv.egiz.eaaf.modules.pvp2.exception.NameIDFormatNotSupportedException;
-import at.gv.egiz.eaaf.modules.pvp2.exception.NoMetadataInformationException;
-import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
-import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionConsumerServiceException;
-import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
-import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding;
-import at.gv.egiz.eaaf.modules.pvp2.impl.binding.SoapBinding;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileRequest;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
-import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EAAFURICompare;
-import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
-import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SAMLVerificationEngine;
-
-public abstract class AbstractPVP2XProtocol extends AbstractController implements IModulInfo {
- private static final Logger log = LoggerFactory.getLogger(AbstractPVP2XProtocol.class);
-
- @Autowired(required=true) protected IPVP2BasicConfiguration pvpBasicConfiguration;
- @Autowired(required=true) protected IPVPMetadataProvider metadataProvider;
- @Autowired(required=true) protected SAMLVerificationEngine samlVerificationEngine;
- @Autowired(required=true) protected IAuthnRequestValidator authRequestValidator;
-
- private AbstractCredentialProvider pvpIDPCredentials;
-
-
-
- /**
- * Sets a specific credential provider for PVP S-Profile IDP component.
- * @param pvpIDPCredentials credential provider
- */
- public void setPvpIDPCredentials(AbstractCredentialProvider pvpIDPCredentials) {
- this.pvpIDPCredentials = pvpIDPCredentials;
-
- }
-
- public boolean generateErrorMessage(Throwable e,
- HttpServletRequest request, HttpServletResponse response,
- IRequest protocolRequest) throws Throwable {
-
- if(protocolRequest == null) {
- throw e;
- }
-
- if(!(protocolRequest instanceof PVPSProfilePendingRequest) ) {
- throw e;
- }
- PVPSProfilePendingRequest pvpRequest = (PVPSProfilePendingRequest)protocolRequest;
-
- Response samlResponse =
- SAML2Utils.createSAMLObject(Response.class);
- Status status = SAML2Utils.createSAMLObject(Status.class);
- StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class);
- StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class);
-
- String moaError = null;
-
- if(e instanceof NoPassivAuthenticationException) {
- statusCode.setValue(StatusCode.NO_PASSIVE_URI);
- statusMessage.setMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage()));
-
- } else if (e instanceof NameIDFormatNotSupportedException) {
- statusCode.setValue(StatusCode.INVALID_NAMEID_POLICY_URI);
- statusMessage.setMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage()));
-
- } else if (e instanceof SLOException) {
- //SLOExecpetions only occurs if session information is lost
- return false;
-
- } else if(e instanceof PVP2Exception) {
- PVP2Exception ex = (PVP2Exception) e;
- statusCode.setValue(ex.getStatusCodeValue());
- String statusMessageValue = ex.getStatusMessageValue();
- if(statusMessageValue != null) {
- statusMessage.setMessage(StringEscapeUtils.escapeXml(statusMessageValue));
- }
- moaError = statusMessager.mapInternalErrorToExternalError(ex.getErrorId());
-
- } else {
- statusCode.setValue(StatusCode.RESPONDER_URI);
- statusMessage.setMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage()));
- moaError = statusMessager.getResponseErrorCode(e);
- }
-
-
- if (StringUtils.isNotEmpty(moaError)) {
- StatusCode moaStatusCode = SAML2Utils.createSAMLObject(StatusCode.class);
- moaStatusCode.setValue(moaError);
- statusCode.setStatusCode(moaStatusCode);
- }
-
- status.setStatusCode(statusCode);
- if(statusMessage.getMessage() != null) {
- status.setStatusMessage(statusMessage);
- }
- samlResponse.setStatus(status);
- String remoteSessionID = SAML2Utils.getSecureIdentifier();
- samlResponse.setID(remoteSessionID);
-
- samlResponse.setIssueInstant(new DateTime());
- Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
- nissuer.setValue(pvpBasicConfiguration.getIDPEntityId(pvpRequest.getAuthURL()));
- nissuer.setFormat(NameID.ENTITY);
- samlResponse.setIssuer(nissuer);
-
- IEncoder encoder = null;
-
- if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
- encoder = applicationContext.getBean("PVPRedirectBinding", RedirectBinding.class);
-
- } else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
- encoder = applicationContext.getBean("PVPPOSTBinding", PostBinding.class);
-
- } else if (pvpRequest.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) {
- encoder = applicationContext.getBean("PVPSOAPBinding", SoapBinding.class);
- }
-
- if(encoder == null) {
- // default to redirect binding
- encoder = new RedirectBinding();
- }
-
- String relayState = null;
- if (pvpRequest.getRequest() != null)
- relayState = pvpRequest.getRequest().getRelayState();
-
- X509Credential signCred = pvpIDPCredentials.getIDPAssertionSigningCredential();
-
- encoder.encodeRespone(request, response, samlResponse, pvpRequest.getConsumerURL(),
- relayState, signCred, protocolRequest);
- return true;
- }
-
- public boolean validate(HttpServletRequest request,
- HttpServletResponse response, IRequest pending) {
-
- return true;
- }
-
- protected void pvpMetadataRequest(HttpServletRequest req, HttpServletResponse resp) throws EAAFException {
- //create pendingRequest object
- PVPSProfilePendingRequest pendingReq = applicationContext.getBean(PVPSProfilePendingRequest.class);
- pendingReq.initialize(req, authConfig);
- pendingReq.setModule(getName());
-
- revisionsLogger.logEvent(
- pendingReq.getUniqueSessionIdentifier(),
- pendingReq.getUniqueTransactionIdentifier(),
- EventConstants.TRANSACTION_IP,
- req.getRemoteAddr());
-
- MetadataAction metadataAction = applicationContext.getBean(MetadataAction.class);
- metadataAction.processRequest(pendingReq,
- req, resp, null);
-
- }
-
- protected void PVPIDPPostRequest(HttpServletRequest req, HttpServletResponse resp) throws EAAFException {
- PVPSProfilePendingRequest pendingReq = null;
-
- try {
- //create pendingRequest object
- pendingReq = applicationContext.getBean(PVPSProfilePendingRequest.class);
- pendingReq.initialize(req, authConfig);
- pendingReq.setModule(getName());
-
- revisionsLogger.logEvent(EventConstants.SESSION_CREATED, pendingReq.getUniqueSessionIdentifier());
- revisionsLogger.logEvent(EventConstants.TRANSACTION_CREATED, pendingReq.getUniqueTransactionIdentifier());
- revisionsLogger.logEvent(
- pendingReq.getUniqueSessionIdentifier(),
- pendingReq.getUniqueTransactionIdentifier(),
- EventConstants.TRANSACTION_IP,
- req.getRemoteAddr());
-
- //get POST-Binding decoder implementation
- InboundMessage msg = (InboundMessage) new PostBinding().decode(
- req, resp, metadataProvider, false,
- new EAAFURICompare(pvpBasicConfiguration.getIDPSSOPostService(pendingReq.getAuthURL())));
- pendingReq.setRequest(msg);
-
- //preProcess Message
- preProcess(req, resp, pendingReq);
-
- } catch (SecurityPolicyException e) {
- String samlRequest = req.getParameter("SAMLRequest");
- log.warn("Receive INVALID protocol request: " + samlRequest, e);
-
- //write revision log entries
- if (pendingReq != null)
- revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier());
-
- throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
-
- } catch (SecurityException e) {
- String samlRequest = req.getParameter("SAMLRequest");
- log.warn("Receive INVALID protocol request: " + samlRequest, e);
-
- //write revision log entries
- if (pendingReq != null)
- revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier());
-
- throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()});
-
- } catch (EAAFException e) {
-
- //write revision log entries
- if (pendingReq != null)
- revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier());
-
- throw e;
-
- } catch (Throwable e) {
- String samlRequest = req.getParameter("SAMLRequest");
- log.warn("Receive INVALID protocol request: " + samlRequest, e);
-
- //write revision log entries
- if (pendingReq != null)
- revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier());
-
- throw new EAAFException("pvp2.24", new Object[] {e.getMessage()}, e);
- }
- }
-
- protected void PVPIDPRedirecttRequest(HttpServletRequest req, HttpServletResponse resp) throws EAAFException {
- PVPSProfilePendingRequest pendingReq = null;
- try {
- //create pendingRequest object
- pendingReq = applicationContext.getBean(PVPSProfilePendingRequest.class);
- pendingReq.initialize(req, authConfig);
- pendingReq.setModule(getName());
-
- revisionsLogger.logEvent(EventConstants.SESSION_CREATED, pendingReq.getUniqueSessionIdentifier());
- revisionsLogger.logEvent(EventConstants.TRANSACTION_CREATED, pendingReq.getUniqueTransactionIdentifier());
- revisionsLogger.logEvent(
- pendingReq.getUniqueSessionIdentifier(),
- pendingReq.getUniqueTransactionIdentifier(),
- EventConstants.TRANSACTION_IP,
- req.getRemoteAddr());
-
- //get POST-Binding decoder implementation
- InboundMessage msg = (InboundMessage) new RedirectBinding().decode(
- req, resp, metadataProvider, false,
- new EAAFURICompare(pvpBasicConfiguration.getIDPSSORedirectService(pendingReq.getAuthURL())));
- pendingReq.setRequest(msg);
-
- //preProcess Message
- preProcess(req, resp, pendingReq);
-
- } catch (SecurityPolicyException e) {
- String samlRequest = req.getParameter("SAMLRequest");
- log.warn("Receive INVALID protocol request: " + samlRequest, e);
-
- //write revision log entries
- if (pendingReq != null)
- revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier());
-
- throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
-
- } catch (SecurityException e) {
- String samlRequest = req.getParameter("SAMLRequest");
- log.warn("Receive INVALID protocol request: " + samlRequest, e);
-
- //write revision log entries
- if (pendingReq != null)
- revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier());
-
- throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()});
-
- } catch (EAAFException e) {
- String samlRequest = req.getParameter("SAMLRequest");
- log.info("Receive INVALID protocol request: " + samlRequest);
-
- //write revision log entries
- if (pendingReq != null)
- revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier());
-
- throw e;
-
- } catch (Throwable e) {
- String samlRequest = req.getParameter("SAMLRequest");
- log.warn("Receive INVALID protocol request: " + samlRequest, e);
-
- //write revision log entries
- if (pendingReq != null)
- revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier());
-
- throw new EAAFException("pvp2.24", new Object[] {e.getMessage()}, e);
- }
- }
-
-
-
- /**
- *
- *
- * @param request
- * @param response
- * @param msg
- * @return true if preprocess can handle this request type, otherwise false
- * @throws Throwable
- */
- abstract protected boolean childPreProcess(HttpServletRequest request,
- HttpServletResponse response, PVPSProfilePendingRequest pendingReq) throws Throwable;
-
- protected void preProcess(HttpServletRequest request,
- HttpServletResponse response, PVPSProfilePendingRequest pendingReq) throws Throwable {
-
- InboundMessage msg = pendingReq.getRequest();
-
- if (StringUtils.isEmpty(msg.getEntityID())) {
- throw new InvalidProtocolRequestException("pvp2.20", new Object[] {});
-
- }
-
- if(!msg.isVerified()) {
- samlVerificationEngine.verify(msg,
- TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
- msg.setVerified(true);
-
- }
-
- revisionsLogger.logEvent(pendingReq, IRevisionLogger.AUTHPROTOCOL_TYPE, getAuthProtocolIdentifier());
-
- if (msg instanceof PVPSProfileRequest &&
- ((PVPSProfileRequest)msg).getSamlRequest() instanceof AuthnRequest)
- preProcessAuthRequest(request, response, pendingReq);
-
- else if (childPreProcess(request, response, pendingReq))
- log.debug("Find protocol handler in child implementation");
-
- else {
- log.error("Receive unsupported PVP21 message of type: " + ((PVPSProfileRequest)msg).getSamlRequest().getClass().getName());
- throw new InvalidPVPRequestException("pvp2.09",
- new Object[] {((PVPSProfileRequest)msg).getSamlRequest().getClass().getName()});
- }
-
-
-
- //switch to session authentication
- protAuthService.performAuthentication(request, response, pendingReq);
- }
-
-
- /**
- * PreProcess Authn request
- * @param request
- * @param response
- * @param pendingReq
- * @throws Throwable
- */
- private void preProcessAuthRequest(HttpServletRequest request,
- HttpServletResponse response, PVPSProfilePendingRequest pendingReq) throws Throwable {
-
- PVPSProfileRequest moaRequest = ((PVPSProfileRequest)pendingReq.getRequest());
- SignableXMLObject samlReq = moaRequest.getSamlRequest();
-
- if(!(samlReq instanceof AuthnRequest)) {
- throw new InvalidPVPRequestException("Unsupported request", new Object[] {});
- }
-
- EntityDescriptor metadata = moaRequest.getEntityMetadata(metadataProvider);
- if(metadata == null) {
- throw new NoMetadataInformationException();
- }
- SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
-
- AuthnRequest authnRequest = (AuthnRequest)samlReq;
-
- if (authnRequest.getIssueInstant() == null) {
- log.warn("Unsupported request: No IssueInstant Attribute found.");
- throw new AuthnRequestValidatorException("pvp2.22",
- new Object[] {"Unsupported request: No IssueInstant Attribute found"},
- pendingReq);
-
- }
-
- if (authnRequest.getIssueInstant().minusMinutes(EAAFConstants.ALLOWED_TIME_JITTER).isAfterNow()) {
- log.warn("Unsupported request: No IssueInstant DateTime is not valid anymore.");
- throw new AuthnRequestValidatorException("pvp2.22",
- new Object[] {"Unsupported request: No IssueInstant DateTime is not valid anymore."},
- pendingReq);
-
- }
-
- //parse AssertionConsumerService
- AssertionConsumerService consumerService = null;
- if (StringUtils.isNotEmpty(authnRequest.getAssertionConsumerServiceURL()) &&
- StringUtils.isNotEmpty(authnRequest.getProtocolBinding())) {
- //use AssertionConsumerServiceURL from request
-
- //check requested AssertionConsumingService URL against metadata
- List<AssertionConsumerService> metadataAssertionServiceList = spSSODescriptor.getAssertionConsumerServices();
- for (AssertionConsumerService service : metadataAssertionServiceList) {
- if (authnRequest.getProtocolBinding().equals(service.getBinding())
- && authnRequest.getAssertionConsumerServiceURL().equals(service.getLocation())) {
- consumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class);
- consumerService.setBinding(authnRequest.getProtocolBinding());
- consumerService.setLocation(authnRequest.getAssertionConsumerServiceURL());
- log.debug("Requested AssertionConsumerServiceURL is valid.");
- }
- }
-
- if (consumerService == null) {
- throw new InvalidAssertionConsumerServiceException(authnRequest.getAssertionConsumerServiceURL());
-
- }
-
-
- } else {
- //use AssertionConsumerServiceIndex and select consumerService from metadata
- Integer aIdx = authnRequest.getAssertionConsumerServiceIndex();
- int assertionidx = 0;
-
- if(aIdx != null) {
- assertionidx = aIdx.intValue();
-
- } else {
- assertionidx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor);
-
- }
- consumerService = spSSODescriptor.getAssertionConsumerServices().get(assertionidx);
-
- if (consumerService == null) {
- throw new InvalidAssertionConsumerServiceException(aIdx);
-
- }
- }
-
-
- //validate AuthnRequest
- AuthnRequest authReq = (AuthnRequest) samlReq;
- String oaURL = moaRequest.getEntityMetadata(metadataProvider).getEntityID();
- log.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + consumerService.getBinding());
-
- pendingReq.setSPEntityId(StringEscapeUtils.escapeHtml(oaURL));
- pendingReq.setOnlineApplicationConfiguration(authConfig.getServiceProviderConfiguration(pendingReq.getSPEntityId()));
- pendingReq.setBinding(consumerService.getBinding());
- pendingReq.setRequest(moaRequest);
- pendingReq.setConsumerURL(consumerService.getLocation());
-
- //parse AuthRequest
- pendingReq.setPassiv(authReq.isPassive());
- pendingReq.setForce(authReq.isForceAuthn());
-
- //AuthnRequest needs authentication
- pendingReq.setNeedAuthentication(true);
-
- //set protocol action, which should be executed after authentication
- pendingReq.setAction(AuthenticationAction.class.getName());
-
- log.trace("Starting extended AuthnRequest validation and processing ... ");
- authRequestValidator.validate(request, pendingReq, authReq, spSSODescriptor);
- log.debug("Extended AuthnRequest validation and processing finished");
-
- //write revisionslog entry
- revisionsLogger.logEvent(pendingReq, PVPEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHREQUEST, authReq.getID());
-
- }
-
- @PostConstruct
- private void verifyInitialization() {
- if (pvpIDPCredentials == null) {
- log.error("No SAML2 credentialProvider injected!");
- throw new RuntimeException("No SAML2 credentialProvider injected!");
-
- }
- }
-
-}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java
new file mode 100644
index 00000000..3fac7894
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java
@@ -0,0 +1,561 @@
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.gv.egiz.eaaf.modules.pvp2.idp.impl;
+
+import java.util.List;
+import javax.annotation.PostConstruct;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import at.gv.egiz.components.eventlog.api.EventConstants;
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.api.idp.IModulInfo;
+import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger;
+import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
+import at.gv.egiz.eaaf.core.exceptions.NoPassivAuthenticationException;
+import at.gv.egiz.eaaf.core.exceptions.SloException;
+import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController;
+import at.gv.egiz.eaaf.modules.pvp2.PvpEventConstants;
+import at.gv.egiz.eaaf.modules.pvp2.api.IPvo2BasicConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestValidator;
+import at.gv.egiz.eaaf.modules.pvp2.exception.InvalidPvpRequestException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.NameIdFormatNotSupportedException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.NoMetadataInformationException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
+import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionConsumerServiceException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
+import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding;
+import at.gv.egiz.eaaf.modules.pvp2.impl.binding.SoapBinding;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
+import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine;
+import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.joda.time.DateTime;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.Status;
+import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.saml2.core.StatusMessage;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.ws.security.SecurityPolicyException;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.signature.SignableXMLObject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+
+public abstract class AbstractPvp2XProtocol extends AbstractController implements IModulInfo {
+ private static final Logger log = LoggerFactory.getLogger(AbstractPvp2XProtocol.class);
+
+ @Autowired(required = true)
+ protected IPvo2BasicConfiguration pvpBasicConfiguration;
+ @Autowired(required = true)
+ protected IPvpMetadataProvider metadataProvider;
+ @Autowired(required = true)
+ protected SamlVerificationEngine samlVerificationEngine;
+ @Autowired(required = true)
+ protected IAuthnRequestValidator authRequestValidator;
+
+ private AbstractCredentialProvider pvpIdpCredentials;
+
+
+
+ /**
+ * Sets a specific credential provider for PVP S-Profile IDP component.
+ *
+ * @param pvpIdpCredentials credential provider
+ */
+ public void setPvpIdpCredentials(final AbstractCredentialProvider pvpIdpCredentials) {
+ this.pvpIdpCredentials = pvpIdpCredentials;
+
+ }
+
+ @Override
+ public boolean generateErrorMessage(final Throwable e, final HttpServletRequest request,
+ final HttpServletResponse response, final IRequest protocolRequest) throws Throwable {
+
+ if (protocolRequest == null) {
+ throw e;
+ }
+
+ if (!(protocolRequest instanceof PvpSProfilePendingRequest)) {
+ throw e;
+ }
+ final PvpSProfilePendingRequest pvpRequest = (PvpSProfilePendingRequest) protocolRequest;
+
+ final Response samlResponse = Saml2Utils.createSamlObject(Response.class);
+ final Status status = Saml2Utils.createSamlObject(Status.class);
+ final StatusCode statusCode = Saml2Utils.createSamlObject(StatusCode.class);
+ final StatusMessage statusMessage = Saml2Utils.createSamlObject(StatusMessage.class);
+
+ String moaError = null;
+
+ if (e instanceof NoPassivAuthenticationException) {
+ statusCode.setValue(StatusCode.NO_PASSIVE_URI);
+ statusMessage.setMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage()));
+
+ } else if (e instanceof NameIdFormatNotSupportedException) {
+ statusCode.setValue(StatusCode.INVALID_NAMEID_POLICY_URI);
+ statusMessage.setMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage()));
+
+ } else if (e instanceof SloException) {
+ // SLOExecpetions only occurs if session information is lost
+ return false;
+
+ } else if (e instanceof Pvp2Exception) {
+ final Pvp2Exception ex = (Pvp2Exception) e;
+ statusCode.setValue(ex.getStatusCodeValue());
+ final String statusMessageValue = ex.getStatusMessageValue();
+ if (statusMessageValue != null) {
+ statusMessage.setMessage(StringEscapeUtils.escapeXml(statusMessageValue));
+ }
+ moaError = statusMessager.mapInternalErrorToExternalError(ex.getErrorId());
+
+ } else {
+ statusCode.setValue(StatusCode.RESPONDER_URI);
+ statusMessage.setMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage()));
+ moaError = statusMessager.getResponseErrorCode(e);
+ }
+
+
+ if (StringUtils.isNotEmpty(moaError)) {
+ final StatusCode moaStatusCode = Saml2Utils.createSamlObject(StatusCode.class);
+ moaStatusCode.setValue(moaError);
+ statusCode.setStatusCode(moaStatusCode);
+ }
+
+ status.setStatusCode(statusCode);
+ if (statusMessage.getMessage() != null) {
+ status.setStatusMessage(statusMessage);
+ }
+ samlResponse.setStatus(status);
+ final String remoteSessionID = Saml2Utils.getSecureIdentifier();
+ samlResponse.setID(remoteSessionID);
+
+ samlResponse.setIssueInstant(new DateTime());
+ final Issuer nissuer = Saml2Utils.createSamlObject(Issuer.class);
+ nissuer.setValue(pvpBasicConfiguration.getIdpEntityId(pvpRequest.getAuthUrl()));
+ nissuer.setFormat(NameIDType.ENTITY);
+ samlResponse.setIssuer(nissuer);
+
+ IEncoder encoder = null;
+
+ if (pvpRequest.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
+ encoder = applicationContext.getBean("PVPRedirectBinding", RedirectBinding.class);
+
+ } else if (pvpRequest.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
+ encoder = applicationContext.getBean("PVPPOSTBinding", PostBinding.class);
+
+ } else if (pvpRequest.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) {
+ encoder = applicationContext.getBean("PVPSOAPBinding", SoapBinding.class);
+ }
+
+ if (encoder == null) {
+ // default to redirect binding
+ encoder = new RedirectBinding();
+ }
+
+ String relayState = null;
+ if (pvpRequest.getRequest() != null) {
+ relayState = pvpRequest.getRequest().getRelayState();
+ }
+
+ final X509Credential signCred = pvpIdpCredentials.getIdpAssertionSigningCredential();
+
+ encoder.encodeRespone(request, response, samlResponse, pvpRequest.getConsumerUrl(), relayState,
+ signCred, protocolRequest);
+ return true;
+ }
+
+ @Override
+ public boolean validate(final HttpServletRequest request, final HttpServletResponse response,
+ final IRequest pending) {
+
+ return true;
+ }
+
+ protected void pvpMetadataRequest(final HttpServletRequest req, final HttpServletResponse resp)
+ throws EaafException {
+ // create pendingRequest object
+ final PvpSProfilePendingRequest pendingReq =
+ applicationContext.getBean(PvpSProfilePendingRequest.class);
+ pendingReq.initialize(req, authConfig);
+ pendingReq.setModule(getName());
+
+ revisionsLogger.logEvent(pendingReq.getUniqueSessionIdentifier(),
+ pendingReq.getUniqueTransactionIdentifier(), EventConstants.TRANSACTION_IP,
+ req.getRemoteAddr());
+
+ final MetadataAction metadataAction = applicationContext.getBean(MetadataAction.class);
+ metadataAction.processRequest(pendingReq, req, resp, null);
+
+ }
+
+ protected void pvpIdpPostRequest(final HttpServletRequest req, final HttpServletResponse resp)
+ throws EaafException {
+ PvpSProfilePendingRequest pendingReq = null;
+
+ try {
+ // create pendingRequest object
+ pendingReq = applicationContext.getBean(PvpSProfilePendingRequest.class);
+ pendingReq.initialize(req, authConfig);
+ pendingReq.setModule(getName());
+
+ revisionsLogger.logEvent(EventConstants.SESSION_CREATED,
+ pendingReq.getUniqueSessionIdentifier());
+ revisionsLogger.logEvent(EventConstants.TRANSACTION_CREATED,
+ pendingReq.getUniqueTransactionIdentifier());
+ revisionsLogger.logEvent(pendingReq.getUniqueSessionIdentifier(),
+ pendingReq.getUniqueTransactionIdentifier(), EventConstants.TRANSACTION_IP,
+ req.getRemoteAddr());
+
+ // get POST-Binding decoder implementation
+ final InboundMessage msg = (InboundMessage) new PostBinding().decode(req, resp,
+ metadataProvider, false,
+ new EaafUriCompare(pvpBasicConfiguration.getIdpSsoPostService(pendingReq.getAuthUrl())));
+ pendingReq.setRequest(msg);
+
+ // preProcess Message
+ preProcess(req, resp, pendingReq);
+
+ } catch (final SecurityPolicyException e) {
+ final String samlRequest = req.getParameter("SAMLRequest");
+ log.warn("Receive INVALID protocol request: " + samlRequest, e);
+
+ // write revision log entries
+ if (pendingReq != null) {
+ revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR,
+ pendingReq.getUniqueTransactionIdentifier());
+ }
+
+ throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
+
+ } catch (final SecurityException e) {
+ final String samlRequest = req.getParameter("SAMLRequest");
+ log.warn("Receive INVALID protocol request: " + samlRequest, e);
+
+ // write revision log entries
+ if (pendingReq != null) {
+ revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR,
+ pendingReq.getUniqueTransactionIdentifier());
+ }
+
+ throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()});
+
+ } catch (final EaafException e) {
+
+ // write revision log entries
+ if (pendingReq != null) {
+ revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR,
+ pendingReq.getUniqueTransactionIdentifier());
+ }
+
+ throw e;
+
+ } catch (final Throwable e) {
+ final String samlRequest = req.getParameter("SAMLRequest");
+ log.warn("Receive INVALID protocol request: " + samlRequest, e);
+
+ // write revision log entries
+ if (pendingReq != null) {
+ revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR,
+ pendingReq.getUniqueTransactionIdentifier());
+ }
+
+ throw new EaafException("pvp2.24", new Object[] {e.getMessage()}, e);
+ }
+ }
+
+ protected void pvpIdpRedirecttRequest(final HttpServletRequest req,
+ final HttpServletResponse resp) throws EaafException {
+ PvpSProfilePendingRequest pendingReq = null;
+ try {
+ // create pendingRequest object
+ pendingReq = applicationContext.getBean(PvpSProfilePendingRequest.class);
+ pendingReq.initialize(req, authConfig);
+ pendingReq.setModule(getName());
+
+ revisionsLogger.logEvent(EventConstants.SESSION_CREATED,
+ pendingReq.getUniqueSessionIdentifier());
+ revisionsLogger.logEvent(EventConstants.TRANSACTION_CREATED,
+ pendingReq.getUniqueTransactionIdentifier());
+ revisionsLogger.logEvent(pendingReq.getUniqueSessionIdentifier(),
+ pendingReq.getUniqueTransactionIdentifier(), EventConstants.TRANSACTION_IP,
+ req.getRemoteAddr());
+
+ // get POST-Binding decoder implementation
+ final InboundMessage msg = (InboundMessage) new RedirectBinding().decode(req, resp,
+ metadataProvider, false, new EaafUriCompare(
+ pvpBasicConfiguration.getIdpSsoRedirectService(pendingReq.getAuthUrl())));
+ pendingReq.setRequest(msg);
+
+ // preProcess Message
+ preProcess(req, resp, pendingReq);
+
+ } catch (final SecurityPolicyException e) {
+ final String samlRequest = req.getParameter("SAMLRequest");
+ log.warn("Receive INVALID protocol request: " + samlRequest, e);
+
+ // write revision log entries
+ if (pendingReq != null) {
+ revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR,
+ pendingReq.getUniqueTransactionIdentifier());
+ }
+
+ throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
+
+ } catch (final SecurityException e) {
+ final String samlRequest = req.getParameter("SAMLRequest");
+ log.warn("Receive INVALID protocol request: " + samlRequest, e);
+
+ // write revision log entries
+ if (pendingReq != null) {
+ revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR,
+ pendingReq.getUniqueTransactionIdentifier());
+ }
+
+ throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()});
+
+ } catch (final EaafException e) {
+ final String samlRequest = req.getParameter("SAMLRequest");
+ log.info("Receive INVALID protocol request: " + samlRequest);
+
+ // write revision log entries
+ if (pendingReq != null) {
+ revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR,
+ pendingReq.getUniqueTransactionIdentifier());
+ }
+
+ throw e;
+
+ } catch (final Throwable e) {
+ final String samlRequest = req.getParameter("SAMLRequest");
+ log.warn("Receive INVALID protocol request: " + samlRequest, e);
+
+ // write revision log entries
+ if (pendingReq != null) {
+ revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR,
+ pendingReq.getUniqueTransactionIdentifier());
+ }
+
+ throw new EaafException("pvp2.24", new Object[] {e.getMessage()}, e);
+ }
+ }
+
+
+
+ /**
+ * Authentication request pre-processor.
+ *
+ * @param request http request
+ * @param response http response
+ * @param pendingReq current pending request
+ * @return true if preprocess can handle this request type, otherwise false
+ * @throws Throwable In case of an error
+ */
+ protected abstract boolean childPreProcess(HttpServletRequest request,
+ HttpServletResponse response, PvpSProfilePendingRequest pendingReq) throws Throwable;
+
+ protected void preProcess(final HttpServletRequest request, final HttpServletResponse response,
+ final PvpSProfilePendingRequest pendingReq) throws Throwable {
+
+ final InboundMessage msg = pendingReq.getRequest();
+
+ if (StringUtils.isEmpty(msg.getEntityID())) {
+ throw new InvalidProtocolRequestException("pvp2.20", new Object[] {});
+
+ }
+
+ if (!msg.isVerified()) {
+ samlVerificationEngine.verify(msg,
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+ msg.setVerified(true);
+
+ }
+
+ revisionsLogger.logEvent(pendingReq, IRevisionLogger.AUTHPROTOCOL_TYPE,
+ getAuthProtocolIdentifier());
+
+ if (msg instanceof PvpSProfileRequest
+ && ((PvpSProfileRequest) msg).getSamlRequest() instanceof AuthnRequest) {
+ preProcessAuthRequest(request, response, pendingReq);
+ } else if (childPreProcess(request, response, pendingReq)) {
+ log.debug("Find protocol handler in child implementation");
+ } else {
+ log.error("Receive unsupported PVP21 message of type: "
+ + ((PvpSProfileRequest) msg).getSamlRequest().getClass().getName());
+ throw new InvalidPvpRequestException("pvp2.09",
+ new Object[] {((PvpSProfileRequest) msg).getSamlRequest().getClass().getName()});
+ }
+
+
+
+ // switch to session authentication
+ protAuthService.performAuthentication(request, response, pendingReq);
+ }
+
+
+ /**
+ * PreProcess Authn request.
+ *
+ * @param request http request
+ * @param response http response
+ * @param pendingReq current pending request
+ * @throws Throwable in case of an error
+ */
+ private void preProcessAuthRequest(final HttpServletRequest request,
+ final HttpServletResponse response, final PvpSProfilePendingRequest pendingReq)
+ throws Throwable {
+
+ final PvpSProfileRequest moaRequest = ((PvpSProfileRequest) pendingReq.getRequest());
+ final SignableXMLObject samlReq = moaRequest.getSamlRequest();
+
+ if (!(samlReq instanceof AuthnRequest)) {
+ throw new InvalidPvpRequestException("Unsupported request", new Object[] {});
+ }
+
+ final EntityDescriptor metadata = moaRequest.getEntityMetadata(metadataProvider);
+ if (metadata == null) {
+ throw new NoMetadataInformationException();
+ }
+ final SPSSODescriptor spSsoDescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+
+ final AuthnRequest authnRequest = (AuthnRequest) samlReq;
+
+ if (authnRequest.getIssueInstant() == null) {
+ log.warn("Unsupported request: No IssueInstant Attribute found.");
+ throw new AuthnRequestValidatorException("pvp2.22",
+ new Object[] {"Unsupported request: No IssueInstant Attribute found"}, pendingReq);
+
+ }
+
+ if (authnRequest.getIssueInstant().minusMinutes(EAAFConstants.ALLOWED_TIME_JITTER)
+ .isAfterNow()) {
+ log.warn("Unsupported request: No IssueInstant DateTime is not valid anymore.");
+ throw new AuthnRequestValidatorException("pvp2.22",
+ new Object[] {"Unsupported request: No IssueInstant DateTime is not valid anymore."},
+ pendingReq);
+
+ }
+
+ // parse AssertionConsumerService
+ AssertionConsumerService consumerService = null;
+ if (StringUtils.isNotEmpty(authnRequest.getAssertionConsumerServiceURL())
+ && StringUtils.isNotEmpty(authnRequest.getProtocolBinding())) {
+ // use AssertionConsumerServiceURL from request
+
+ // check requested AssertionConsumingService URL against metadata
+ final List<AssertionConsumerService> metadataAssertionServiceList =
+ spSsoDescriptor.getAssertionConsumerServices();
+ for (final AssertionConsumerService service : metadataAssertionServiceList) {
+ if (authnRequest.getProtocolBinding().equals(service.getBinding())
+ && authnRequest.getAssertionConsumerServiceURL().equals(service.getLocation())) {
+ consumerService = Saml2Utils.createSamlObject(AssertionConsumerService.class);
+ consumerService.setBinding(authnRequest.getProtocolBinding());
+ consumerService.setLocation(authnRequest.getAssertionConsumerServiceURL());
+ log.debug("Requested AssertionConsumerServiceURL is valid.");
+ }
+ }
+
+ if (consumerService == null) {
+ throw new InvalidAssertionConsumerServiceException(
+ authnRequest.getAssertionConsumerServiceURL());
+
+ }
+
+
+ } else {
+ // use AssertionConsumerServiceIndex and select consumerService from metadata
+ final Integer aIdx = authnRequest.getAssertionConsumerServiceIndex();
+ int assertionidx = 0;
+
+ if (aIdx != null) {
+ assertionidx = aIdx.intValue();
+
+ } else {
+ assertionidx = Saml2Utils.getDefaultAssertionConsumerServiceIndex(spSsoDescriptor);
+
+ }
+ consumerService = spSsoDescriptor.getAssertionConsumerServices().get(assertionidx);
+
+ if (consumerService == null) {
+ throw new InvalidAssertionConsumerServiceException(aIdx);
+
+ }
+ }
+
+
+ // validate AuthnRequest
+ final AuthnRequest authReq = (AuthnRequest) samlReq;
+ final String oaUrl = moaRequest.getEntityMetadata(metadataProvider).getEntityID();
+ log.info(
+ "Dispatch PVP2 AuthnRequest: OAURL=" + oaUrl + " Binding=" + consumerService.getBinding());
+
+ pendingReq.setSpEntityId(StringEscapeUtils.escapeHtml(oaUrl));
+ pendingReq.setOnlineApplicationConfiguration(
+ authConfig.getServiceProviderConfiguration(pendingReq.getSpEntityId()));
+ pendingReq.setBinding(consumerService.getBinding());
+ pendingReq.setRequest(moaRequest);
+ pendingReq.setConsumerUrl(consumerService.getLocation());
+
+ // parse AuthRequest
+ pendingReq.setPassiv(authReq.isPassive());
+ pendingReq.setForce(authReq.isForceAuthn());
+
+ // AuthnRequest needs authentication
+ pendingReq.setNeedAuthentication(true);
+
+ // set protocol action, which should be executed after authentication
+ pendingReq.setAction(AuthenticationAction.class.getName());
+
+ log.trace("Starting extended AuthnRequest validation and processing ... ");
+ authRequestValidator.validate(request, pendingReq, authReq, spSsoDescriptor);
+ log.debug("Extended AuthnRequest validation and processing finished");
+
+ // write revisionslog entry
+ revisionsLogger.logEvent(pendingReq, PvpEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHREQUEST,
+ authReq.getID());
+
+ }
+
+ @PostConstruct
+ private void verifyInitialization() {
+ if (pvpIdpCredentials == null) {
+ log.error("No SAML2 credentialProvider injected!");
+ throw new RuntimeException("No SAML2 credentialProvider injected!");
+
+ }
+ }
+
+}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java
index cbbed659..9378b579 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java
@@ -1,35 +1,47 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
*
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
* https://joinup.ec.europa.eu/news/understanding-eupl-v12
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
package at.gv.egiz.eaaf.modules.pvp2.idp.impl;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.idp.IAction;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface;
+import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.data.SLOInformationImpl;
+import at.gv.egiz.eaaf.modules.pvp2.api.IPvo2BasicConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.exception.BindingNotSupportedException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.AuthResponseBuilder;
+import at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.Pvp2AssertionBuilder;
+import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
+import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
import org.joda.time.DateTime;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Assertion;
@@ -45,141 +57,125 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Service;
-import at.gv.egiz.eaaf.core.api.IRequest;
-import at.gv.egiz.eaaf.core.api.idp.IAction;
-import at.gv.egiz.eaaf.core.api.idp.IAuthData;
-import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
-import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface;
-import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger;
-import at.gv.egiz.eaaf.core.exceptions.EAAFException;
-import at.gv.egiz.eaaf.core.impl.data.SLOInformationImpl;
-import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration;
-import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.exception.BindingNotSupportedException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.AuthResponseBuilder;
-import at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.PVP2AssertionBuilder;
-import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
-import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileRequest;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
-
@Service("PVPAuthenticationRequestAction")
public class AuthenticationAction implements IAction {
- private static final Logger log = LoggerFactory.getLogger(AuthenticationAction.class);
-
- private static final String CONFIG_PROPERTY_PVP2_ENABLE_ENCRYPTION = "protocols.pvp2.assertion.encryption.active";
-
- @Autowired(required=true) private IPVPMetadataProvider metadataProvider;
- @Autowired(required=true) ApplicationContext springContext;
- @Autowired(required=true) IConfiguration authConfig;
- @Autowired(required=true) PVP2AssertionBuilder assertionBuilder;
- @Autowired(required=true) IPVP2BasicConfiguration pvpBasicConfiguration;
- @Autowired(required=true) IRevisionLogger revisionsLogger;
-
- private AbstractCredentialProvider pvpIDPCredentials;
-
- /**
- * Sets a specific credential provider for PVP S-Profile IDP component.
- * @param pvpIDPCredentials credential provider
- */
- public void setPvpIDPCredentials(AbstractCredentialProvider pvpIDPCredentials) {
- this.pvpIDPCredentials = pvpIDPCredentials;
-
- }
-
- @Override
- public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq,
- HttpServletResponse httpResp, IAuthData authData) throws ResponderErrorException {
- final PVPSProfilePendingRequest pvpRequest = (PVPSProfilePendingRequest) req;
- try {
- //get basic information
- final PVPSProfileRequest moaRequest = (PVPSProfileRequest) pvpRequest.getRequest();
- final AuthnRequest authnRequest = (AuthnRequest) moaRequest.getSamlRequest();
- final EntityDescriptor peerEntity = moaRequest.getEntityMetadata(metadataProvider);
-
- final AssertionConsumerService consumerService =
- SAML2Utils.createSAMLObject(AssertionConsumerService.class);
- consumerService.setBinding(pvpRequest.getBinding());
- consumerService.setLocation(pvpRequest.getConsumerURL());
-
- final DateTime date = new DateTime();
- final SLOInformationImpl sloInformation = new SLOInformationImpl();
- final String issuerEntityID = pvpBasicConfiguration.getIDPEntityId(pvpRequest.getAuthURL());
-
- //build Assertion
- final Assertion assertion = assertionBuilder.buildAssertion(issuerEntityID, pvpRequest, authnRequest, authData,
- peerEntity, date, consumerService, sloInformation);
-
- final Response authResponse = AuthResponseBuilder.buildResponse(
- metadataProvider, issuerEntityID, authnRequest,
- date, assertion, authConfig.getBasicConfigurationBoolean(
- CONFIG_PROPERTY_PVP2_ENABLE_ENCRYPTION, true));
-
- IEncoder binding = null;
-
- if (consumerService.getBinding().equals(
- SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
- binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class);
-
- } else if (consumerService.getBinding().equals(
- SAMLConstants.SAML2_POST_BINDING_URI)) {
- binding = springContext.getBean("PVPPOSTBinding", PostBinding.class);
-
- }
-
- if (binding == null) {
- throw new BindingNotSupportedException(consumerService.getBinding());
- }
-
- binding.encodeRespone(httpReq, httpResp, authResponse,
- consumerService.getLocation(), moaRequest.getRelayState(),
- pvpIDPCredentials.getIDPAssertionSigningCredential(), req);
-
- revisionsLogger.logEvent(req, 3105, authResponse.getID());
-
- //set protocol type
- sloInformation.setProtocolType(req.requestedModule());
- sloInformation.setSpEntityID(req.getServiceProviderConfiguration().getUniqueIdentifier());
- return sloInformation;
-
- } catch (MessageEncodingException | SecurityException e) {
- log.warn("Message Encoding exception", e);
- throw new ResponderErrorException("pvp2.01", null, e);
-
- } catch (final EAAFException e) {
- log.info("Response generation error: Msg: ", e.getMessage());
- throw new ResponderErrorException(e.getErrorId(), e.getParams(), e);
-
- } catch (final Exception e) {
- log.warn("Response generation error", e);
- throw new ResponderErrorException("pvp2.01", null, e);
-
- }
-
- }
-
- @Override
- public boolean needAuthentication(IRequest req, HttpServletRequest httpReq,
- HttpServletResponse httpResp) {
- return true;
- }
-
- @Override
- public String getDefaultActionName() {
- return "PVPAuthenticationRequestAction";
-
- }
-
- @PostConstruct
- private void verifyInitialization() {
- if (pvpIDPCredentials == null) {
- log.error("No SAML2 credentialProvider injected!");
- throw new RuntimeException("No SAML2 credentialProvider injected!");
-
- }
- }
+ private static final Logger log = LoggerFactory.getLogger(AuthenticationAction.class);
+
+ private static final String CONFIG_PROPERTY_PVP2_ENABLE_ENCRYPTION =
+ "protocols.pvp2.assertion.encryption.active";
+
+ @Autowired(required = true)
+ private IPvpMetadataProvider metadataProvider;
+ @Autowired(required = true)
+ ApplicationContext springContext;
+ @Autowired(required = true)
+ IConfiguration authConfig;
+ @Autowired(required = true)
+ Pvp2AssertionBuilder assertionBuilder;
+ @Autowired(required = true)
+ IPvo2BasicConfiguration pvpBasicConfiguration;
+ @Autowired(required = true)
+ IRevisionLogger revisionsLogger;
+
+ private AbstractCredentialProvider pvpIdpCredentials;
+
+ /**
+ * Sets a specific credential provider for PVP S-Profile IDP component.
+ *
+ * @param pvpIdpCredentials credential provider
+ */
+ public void setPvpIdpCredentials(final AbstractCredentialProvider pvpIdpCredentials) {
+ this.pvpIdpCredentials = pvpIdpCredentials;
+
+ }
+
+ @Override
+ public SloInformationInterface processRequest(final IRequest req,
+ final HttpServletRequest httpReq, final HttpServletResponse httpResp,
+ final IAuthData authData) throws ResponderErrorException {
+ final PvpSProfilePendingRequest pvpRequest = (PvpSProfilePendingRequest) req;
+ try {
+ // get basic information
+ final PvpSProfileRequest moaRequest = (PvpSProfileRequest) pvpRequest.getRequest();
+ final AuthnRequest authnRequest = (AuthnRequest) moaRequest.getSamlRequest();
+ final EntityDescriptor peerEntity = moaRequest.getEntityMetadata(metadataProvider);
+
+ final AssertionConsumerService consumerService =
+ Saml2Utils.createSamlObject(AssertionConsumerService.class);
+ consumerService.setBinding(pvpRequest.getBinding());
+ consumerService.setLocation(pvpRequest.getConsumerUrl());
+
+ final DateTime date = new DateTime();
+ final SLOInformationImpl sloInformation = new SLOInformationImpl();
+ final String issuerEntityID = pvpBasicConfiguration.getIdpEntityId(pvpRequest.getAuthUrl());
+
+ // build Assertion
+ final Assertion assertion = assertionBuilder.buildAssertion(issuerEntityID, pvpRequest,
+ authnRequest, authData, peerEntity, date, consumerService, sloInformation);
+
+ final Response authResponse = AuthResponseBuilder.buildResponse(metadataProvider,
+ issuerEntityID, authnRequest, date, assertion,
+ authConfig.getBasicConfigurationBoolean(CONFIG_PROPERTY_PVP2_ENABLE_ENCRYPTION, true));
+
+ IEncoder binding = null;
+
+ if (consumerService.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
+ binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class);
+
+ } else if (consumerService.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
+ binding = springContext.getBean("PVPPOSTBinding", PostBinding.class);
+
+ }
+
+ if (binding == null) {
+ throw new BindingNotSupportedException(consumerService.getBinding());
+ }
+
+ binding.encodeRespone(httpReq, httpResp, authResponse, consumerService.getLocation(),
+ moaRequest.getRelayState(), pvpIdpCredentials.getIdpAssertionSigningCredential(), req);
+
+ revisionsLogger.logEvent(req, 3105, authResponse.getID());
+
+ // set protocol type
+ sloInformation.setProtocolType(req.requestedModule());
+ sloInformation.setSpEntityID(req.getServiceProviderConfiguration().getUniqueIdentifier());
+ return sloInformation;
+
+ } catch (MessageEncodingException | SecurityException e) {
+ log.warn("Message Encoding exception", e);
+ throw new ResponderErrorException("pvp2.01", null, e);
+
+ } catch (final EaafException e) {
+ log.info("Response generation error: Msg: ", e.getMessage());
+ throw new ResponderErrorException(e.getErrorId(), e.getParams(), e);
+
+ } catch (final Exception e) {
+ log.warn("Response generation error", e);
+ throw new ResponderErrorException("pvp2.01", null, e);
+
+ }
+
+ }
+
+ @Override
+ public boolean needAuthentication(final IRequest req, final HttpServletRequest httpReq,
+ final HttpServletResponse httpResp) {
+ return true;
+ }
+
+ @Override
+ public String getDefaultActionName() {
+ return "PVPAuthenticationRequestAction";
+
+ }
+
+ @PostConstruct
+ private void verifyInitialization() {
+ if (pvpIdpCredentials == null) {
+ log.error("No SAML2 credentialProvider injected!");
+ throw new RuntimeException("No SAML2 credentialProvider injected!");
+
+ }
+ }
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/MetadataAction.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/MetadataAction.java
index 6b957522..a1e8b5ba 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/MetadataAction.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/MetadataAction.java
@@ -1,123 +1,121 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
*
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
* https://joinup.ec.europa.eu/news/understanding-eupl-v12
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
package at.gv.egiz.eaaf.modules.pvp2.idp.impl;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.MediaType;
-import org.springframework.stereotype.Service;
-
import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.api.idp.IAction;
import at.gv.egiz.eaaf.core.api.idp.IAuthData;
-import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface;
+import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface;
import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger;
-import at.gv.egiz.eaaf.modules.pvp2.PVPEventConstants;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataBuilderConfiguration;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataConfigurationFactory;
-import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2MetadataException;
-import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPMetadataBuilder;
+import at.gv.egiz.eaaf.modules.pvp2.PvpEventConstants;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataConfigurationFactory;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpMetadataBuilder;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.MediaType;
+import org.springframework.stereotype.Service;
@Service("pvpMetadataService")
public class MetadataAction implements IAction {
- private static final Logger log = LoggerFactory.getLogger(MetadataAction.class);
-
- @Autowired private IRevisionLogger revisionsLogger;
- @Autowired private PVPMetadataBuilder metadatabuilder;
- @Autowired private IPVPMetadataConfigurationFactory configFactory;
-
- private AbstractCredentialProvider pvpIDPCredentials;
-
- /**
- * Sets a specific credential provider for PVP S-Profile IDP component.
- * @param pvpIDPCredentials credential provider
- */
- public void setPvpIDPCredentials(AbstractCredentialProvider pvpIDPCredentials) {
- this.pvpIDPCredentials = pvpIDPCredentials;
-
- }
-
- public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq,
- HttpServletResponse httpResp, IAuthData authData) throws PVP2MetadataException {
- try {
- revisionsLogger.logEvent(req, PVPEventConstants.AUTHPROTOCOL_PVP_METADATA);
-
- //build metadata
- IPVPMetadataBuilderConfiguration metadataConfig =
- configFactory.generateMetadataBuilderConfiguration(
- req.getAuthURLWithOutSlash(),
- pvpIDPCredentials);
-
- ;
-
- String metadataXML = metadatabuilder.buildPVPMetadata(metadataConfig);
- log.debug("METADATA: " + metadataXML);
-
- byte[] content = metadataXML.getBytes("UTF-8");
- httpResp.setStatus(HttpServletResponse.SC_OK);
- httpResp.setContentLength(content.length);
- httpResp.setContentType(MediaType.APPLICATION_XML_VALUE);
- httpResp.getOutputStream().write(content);
- return null;
-
- } catch (Exception e) {
- log.error("Failed to generate metadata", e);
- throw new PVP2MetadataException("pvp2.27", null);
- }
- }
-
- public boolean needAuthentication(IRequest req, HttpServletRequest httpReq,
- HttpServletResponse httpResp) {
- return false;
- }
-
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName()
- */
- @Override
- public String getDefaultActionName() {
- return "IDP - PVP Metadata action";
- }
-
- @PostConstruct
- private void verifyInitialization() {
- if (pvpIDPCredentials == null) {
- log.error("No SAML2 credentialProvider injected!");
- throw new RuntimeException("No SAML2 credentialProvider injected!");
-
- }
- }
-
+ private static final Logger log = LoggerFactory.getLogger(MetadataAction.class);
+
+ @Autowired
+ private IRevisionLogger revisionsLogger;
+ @Autowired
+ private PvpMetadataBuilder metadatabuilder;
+ @Autowired
+ private IPvpMetadataConfigurationFactory configFactory;
+
+ private AbstractCredentialProvider pvpIdpCredentials;
+
+ /**
+ * Sets a specific credential provider for PVP S-Profile IDP component.
+ *
+ * @param pvpIdpCredentials credential provider
+ */
+ public void setPvpIdpCredentials(final AbstractCredentialProvider pvpIdpCredentials) {
+ this.pvpIdpCredentials = pvpIdpCredentials;
+
+ }
+
+ @Override
+ public SloInformationInterface processRequest(final IRequest req,
+ final HttpServletRequest httpReq, final HttpServletResponse httpResp,
+ final IAuthData authData) throws Pvp2MetadataException {
+ try {
+ revisionsLogger.logEvent(req, PvpEventConstants.AUTHPROTOCOL_PVP_METADATA);
+
+ // build metadata
+ final IPvpMetadataBuilderConfiguration metadataConfig = configFactory
+ .generateMetadataBuilderConfiguration(req.getAuthUrlWithOutSlash(), pvpIdpCredentials);
+
+
+
+ final String metadataXml = metadatabuilder.buildPvpMetadata(metadataConfig);
+ log.trace("METADATA: " + metadataXml);
+
+ final byte[] content = metadataXml.getBytes("UTF-8");
+ httpResp.setStatus(HttpServletResponse.SC_OK);
+ httpResp.setContentLength(content.length);
+ httpResp.setContentType(MediaType.APPLICATION_XML_VALUE);
+ httpResp.getOutputStream().write(content);
+ return null;
+
+ } catch (final Exception e) {
+ log.error("Failed to generate metadata", e);
+ throw new Pvp2MetadataException("pvp2.27", null);
+ }
+ }
+
+ @Override
+ public boolean needAuthentication(final IRequest req, final HttpServletRequest httpReq,
+ final HttpServletResponse httpResp) {
+ return false;
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName()
+ */
+ @Override
+ public String getDefaultActionName() {
+ return "IDP - PVP Metadata action";
+ }
+
+ @PostConstruct
+ private void verifyInitialization() {
+ if (pvpIdpCredentials == null) {
+ log.error("No SAML2 credentialProvider injected!");
+ throw new RuntimeException("No SAML2 credentialProvider injected!");
+
+ }
+ }
+
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/PVPSProfilePendingRequest.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/PVPSProfilePendingRequest.java
deleted file mode 100644
index 7f086ff6..00000000
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/PVPSProfilePendingRequest.java
+++ /dev/null
@@ -1,69 +0,0 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * https://joinup.ec.europa.eu/news/understanding-eupl-v12
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-package at.gv.egiz.eaaf.modules.pvp2.idp.impl;
-
-import org.springframework.beans.factory.config.BeanDefinition;
-import org.springframework.context.annotation.Scope;
-import org.springframework.stereotype.Component;
-
-import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
-
-@Component("PVPSProfilePendingRequest")
-@Scope(value = BeanDefinition.SCOPE_PROTOTYPE)
-public class PVPSProfilePendingRequest extends RequestImpl {
- private static final long serialVersionUID = 4889919265919638188L;
-
- InboundMessage request;
- String binding;
- String consumerURL;
-
- public InboundMessage getRequest() {
- return request;
- }
-
- public void setRequest(InboundMessage request) {
- this.request = request;
- }
-
- public String getBinding() {
- return binding;
- }
-
- public void setBinding(String binding) {
- this.binding = binding;
- }
-
- public String getConsumerURL() {
- return consumerURL;
- }
-
- public void setConsumerURL(String consumerURL) {
- this.consumerURL = consumerURL;
-
- }
-}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/PvpSProfilePendingRequest.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/PvpSProfilePendingRequest.java
new file mode 100644
index 00000000..6c621841
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/PvpSProfilePendingRequest.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.gv.egiz.eaaf.modules.pvp2.idp.impl;
+
+import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.context.annotation.Scope;
+import org.springframework.stereotype.Component;
+
+@Component("PVPSProfilePendingRequest")
+@Scope(value = BeanDefinition.SCOPE_PROTOTYPE)
+public class PvpSProfilePendingRequest extends RequestImpl {
+ private static final long serialVersionUID = 4889919265919638188L;
+
+ InboundMessage request;
+ String binding;
+ String consumerUrl;
+
+ public InboundMessage getRequest() {
+ return request;
+ }
+
+ public void setRequest(final InboundMessage request) {
+ this.request = request;
+ }
+
+ public String getBinding() {
+ return binding;
+ }
+
+ public void setBinding(final String binding) {
+ this.binding = binding;
+ }
+
+ public String getConsumerUrl() {
+ return consumerUrl;
+ }
+
+ public void setConsumerUrl(final String consumerUrl) {
+ this.consumerUrl = consumerUrl;
+
+ }
+}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java
index 07423c19..bf51ac0f 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java
@@ -1,41 +1,35 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
*
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
* https://joinup.ec.europa.eu/news/understanding-eupl-v12
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder;
import java.util.ArrayList;
import java.util.List;
-
+import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
+import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionEncryptionException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
import org.joda.time.DateTime;
-import org.opensaml.Configuration;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Issuer;
-import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.core.NameIDType;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Encrypter;
@@ -57,97 +51,111 @@ import org.opensaml.xml.security.x509.X509Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import at.gv.egiz.eaaf.modules.pvp2.PVPConstants;
-import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionEncryptionException;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
-
/**
+ * Authentication response builder.
+ *
* @author tlenz
*
*/
public class AuthResponseBuilder {
- private static final Logger log = LoggerFactory.getLogger(AuthResponseBuilder.class);
-
- public static Response buildResponse(MetadataProvider metadataProvider, String issuerEntityID, RequestAbstractType req, DateTime date, Assertion assertion, boolean enableEncryption) throws InvalidAssertionEncryptionException {
- Response authResponse = SAML2Utils.createSAMLObject(Response.class);
-
- Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
-
- nissuer.setValue(issuerEntityID);
- nissuer.setFormat(NameID.ENTITY);
- authResponse.setIssuer(nissuer);
- authResponse.setInResponseTo(req.getID());
-
- //set responseID
- String remoteSessionID = SAML2Utils.getSecureIdentifier();
- authResponse.setID(remoteSessionID);
-
-
- //SAML2 response required IssueInstant
- authResponse.setIssueInstant(date);
-
- authResponse.setStatus(SAML2Utils.getSuccessStatus());
-
- //check, if metadata includes an encryption key
- MetadataCredentialResolver mdCredResolver =
- new MetadataCredentialResolver(metadataProvider);
-
- CriteriaSet criteriaSet = new CriteriaSet();
- criteriaSet.add( new EntityIDCriteria(req.getIssuer().getValue()) );
- criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) );
- criteriaSet.add( new UsageCriteria(UsageType.ENCRYPTION) );
-
- X509Credential encryptionCredentials = null;
- try {
- encryptionCredentials = (X509Credential) mdCredResolver.resolveSingle(criteriaSet);
-
- } catch (SecurityException e2) {
- log.warn("Can not extract the Assertion Encryption-Key from metadata", e2);
- throw new InvalidAssertionEncryptionException();
-
- }
-
- if (encryptionCredentials != null && enableEncryption) {
- //encrypt SAML2 assertion
-
- try {
-
- EncryptionParameters dataEncParams = new EncryptionParameters();
- dataEncParams.setAlgorithm(PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE);
-
- List<KeyEncryptionParameters> keyEncParamList = new ArrayList<KeyEncryptionParameters>();
- KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters();
-
- keyEncParam.setEncryptionCredential(encryptionCredentials);
- keyEncParam.setAlgorithm(PVPConstants.DEFAULT_ASYM_ENCRYPTION_METHODE);
- KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration()
- .getKeyInfoGeneratorManager().getDefaultManager()
- .getFactory(encryptionCredentials);
- keyEncParam.setKeyInfoGenerator(kigf.newInstance());
- keyEncParamList.add(keyEncParam);
-
- Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList);
- //samlEncrypter.setKeyPlacement(KeyPlacement.INLINE);
- samlEncrypter.setKeyPlacement(KeyPlacement.PEER);
-
- EncryptedAssertion encryptAssertion = null;
-
- encryptAssertion = samlEncrypter.encrypt(assertion);
-
- authResponse.getEncryptedAssertions().add(encryptAssertion);
-
- } catch (EncryptionException e1) {
- log.warn("Can not encrypt the PVP2 assertion", e1);
- throw new InvalidAssertionEncryptionException();
-
- }
-
- } else {
- authResponse.getAssertions().add(assertion);
-
- }
-
- return authResponse;
- }
+ private static final Logger log = LoggerFactory.getLogger(AuthResponseBuilder.class);
+
+ /**
+ * Build PVP2 S-Profile authentication response.
+ *
+ * @param metadataProvider Service-Provider metadata
+ * @param issuerEntityID IDP entityId
+ * @param req current pending request
+ * @param date Timestamp
+ * @param assertion PVP2 S-Profil Assertion
+ * @param enableEncryption encrypt Assertion flag
+ * @return PVP2 S-Profile authentication response
+ * @throws InvalidAssertionEncryptionException In case of an error
+ */
+ public static Response buildResponse(final MetadataProvider metadataProvider,
+ final String issuerEntityID, final RequestAbstractType req, final DateTime date,
+ final Assertion assertion, final boolean enableEncryption)
+ throws InvalidAssertionEncryptionException {
+ final Response authResponse = Saml2Utils.createSamlObject(Response.class);
+
+ final Issuer nissuer = Saml2Utils.createSamlObject(Issuer.class);
+
+ nissuer.setValue(issuerEntityID);
+ nissuer.setFormat(NameIDType.ENTITY);
+ authResponse.setIssuer(nissuer);
+ authResponse.setInResponseTo(req.getID());
+
+ // set responseID
+ final String remoteSessionID = Saml2Utils.getSecureIdentifier();
+ authResponse.setID(remoteSessionID);
+
+
+ // SAML2 response required IssueInstant
+ authResponse.setIssueInstant(date);
+
+ authResponse.setStatus(Saml2Utils.getSuccessStatus());
+
+ // check, if metadata includes an encryption key
+ final MetadataCredentialResolver mdCredResolver =
+ new MetadataCredentialResolver(metadataProvider);
+
+ final CriteriaSet criteriaSet = new CriteriaSet();
+ criteriaSet.add(new EntityIDCriteria(req.getIssuer().getValue()));
+ criteriaSet
+ .add(new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
+ criteriaSet.add(new UsageCriteria(UsageType.ENCRYPTION));
+
+ X509Credential encryptionCredentials = null;
+ try {
+ encryptionCredentials = (X509Credential) mdCredResolver.resolveSingle(criteriaSet);
+
+ } catch (final SecurityException e2) {
+ log.warn("Can not extract the Assertion Encryption-Key from metadata", e2);
+ throw new InvalidAssertionEncryptionException();
+
+ }
+
+ if (encryptionCredentials != null && enableEncryption) {
+ // encrypt SAML2 assertion
+
+ try {
+
+ final EncryptionParameters dataEncParams = new EncryptionParameters();
+ dataEncParams.setAlgorithm(PvpConstants.DEFAULT_SYM_ENCRYPTION_METHODE);
+
+ final List<KeyEncryptionParameters> keyEncParamList = new ArrayList<>();
+ final KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters();
+
+ keyEncParam.setEncryptionCredential(encryptionCredentials);
+ keyEncParam.setAlgorithm(PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE);
+ final KeyInfoGeneratorFactory kigf =
+ org.opensaml.xml.Configuration.getGlobalSecurityConfiguration()
+ .getKeyInfoGeneratorManager().getDefaultManager().getFactory(encryptionCredentials);
+ keyEncParam.setKeyInfoGenerator(kigf.newInstance());
+ keyEncParamList.add(keyEncParam);
+
+ final Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList);
+ // samlEncrypter.setKeyPlacement(KeyPlacement.INLINE);
+ samlEncrypter.setKeyPlacement(KeyPlacement.PEER);
+
+ EncryptedAssertion encryptAssertion = null;
+
+ encryptAssertion = samlEncrypter.encrypt(assertion);
+
+ authResponse.getEncryptedAssertions().add(encryptAssertion);
+
+ } catch (final EncryptionException e1) {
+ log.warn("Can not encrypt the PVP2 assertion", e1);
+ throw new InvalidAssertionEncryptionException();
+
+ }
+
+ } else {
+ authResponse.getAssertions().add(assertion);
+
+ }
+
+ return authResponse;
+ }
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java
deleted file mode 100644
index 2ccc2c9e..00000000
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java
+++ /dev/null
@@ -1,459 +0,0 @@
-/*******************************************************************************
- * Copyright 2017 Graz University of Technology
- * EAAF-Core Components has been developed in a cooperation between EGIZ,
- * A-SIT Plus, A-SIT, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * https://joinup.ec.europa.eu/news/understanding-eupl-v12
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-/*******************************************************************************
- *******************************************************************************/
-package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder;
-
-import java.security.MessageDigest;
-import java.util.ArrayList;
-import java.util.Iterator;
-import java.util.List;
-
-import org.apache.commons.lang3.StringUtils;
-import org.joda.time.DateTime;
-import org.opensaml.common.xml.SAMLConstants;
-import org.opensaml.saml2.core.Assertion;
-import org.opensaml.saml2.core.Attribute;
-import org.opensaml.saml2.core.AttributeQuery;
-import org.opensaml.saml2.core.AttributeStatement;
-import org.opensaml.saml2.core.Audience;
-import org.opensaml.saml2.core.AudienceRestriction;
-import org.opensaml.saml2.core.AuthnContext;
-import org.opensaml.saml2.core.AuthnContextClassRef;
-import org.opensaml.saml2.core.AuthnRequest;
-import org.opensaml.saml2.core.AuthnStatement;
-import org.opensaml.saml2.core.Conditions;
-import org.opensaml.saml2.core.Issuer;
-import org.opensaml.saml2.core.NameID;
-import org.opensaml.saml2.core.RequestedAuthnContext;
-import org.opensaml.saml2.core.Subject;
-import org.opensaml.saml2.core.SubjectConfirmation;
-import org.opensaml.saml2.core.SubjectConfirmationData;
-import org.opensaml.saml2.core.impl.AuthnRequestImpl;
-import org.opensaml.saml2.metadata.AssertionConsumerService;
-import org.opensaml.saml2.metadata.AttributeConsumingService;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.NameIDFormat;
-import org.opensaml.saml2.metadata.RequestedAttribute;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Service;
-import org.springframework.util.Base64Utils;
-
-import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
-import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper;
-import at.gv.egiz.eaaf.core.api.idp.IAuthData;
-import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
-import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface;
-import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
-import at.gv.egiz.eaaf.core.impl.data.Pair;
-import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
-import at.gv.egiz.eaaf.core.impl.utils.Random;
-import at.gv.egiz.eaaf.modules.pvp2.PVPConstants;
-import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
-import at.gv.egiz.eaaf.modules.pvp2.exception.QAANotSupportedException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
-import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PVPSProfilePendingRequest;
-import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QAALevelVerifier;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
-
-@Service("PVP2AssertionBuilder")
-public class PVP2AssertionBuilder implements PVPConstants {
-
- private static final Logger log = LoggerFactory.getLogger(PVP2AssertionBuilder.class);
- @Autowired private ILoALevelMapper loaLevelMapper;
- @Autowired private ISubjectNameIdGenerator subjectNameIdGenerator;
-
-
- /**
- * Build a PVP assertion as response for a SAML2 AttributeQuery request
- *
- * @param issuerEntityID EnitiyID, which should be used for this IDP response
- * @param attrQuery AttributeQuery request from Service-Provider
- * @param attrList List of PVP response attributes
- * @param now Current time
- * @param validTo ValidTo time of the assertion
- * @param qaaLevel QAA level of the authentication
- * @param sessionIndex SAML2 SessionIndex, which should be included *
- * @return PVP 2.1 Assertion
- * @throws PVP2Exception
- */
- public Assertion buildAssertion(String issuerEntityID, AttributeQuery attrQuery,
- List<Attribute> attrList, DateTime now, DateTime validTo, String qaaLevel, String sessionIndex) throws PVP2Exception {
-
- AuthnContextClassRef authnContextClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
- authnContextClassRef.setAuthnContextClassRef(qaaLevel);
-
- NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class);
- subjectNameID.setFormat(attrQuery.getSubject().getNameID().getFormat());
- subjectNameID.setValue(attrQuery.getSubject().getNameID().getValue());
-
- SubjectConfirmationData subjectConfirmationData = null;
-
- return buildGenericAssertion(issuerEntityID, attrQuery.getIssuer().getValue(), now,
- authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex,
- validTo);
- }
-
-
- /**
- * Build a PVP 2.1 assertion as response of a SAML2 AuthnRequest
- *
- * @param issuerEntityID EnitiyID, which should be used for this IDP response
- * @param pendingReq Current processed pendingRequest DAO
- * @param authnRequest Current processed PVP AuthnRequest
- * @param authData AuthenticationData of the user, which is already authenticated
- * @param peerEntity SAML2 EntityDescriptor of the service-provider, which receives the response
- * @param date TimeStamp
- * @param assertionConsumerService SAML2 endpoint of the service-provider, which should be used
- * @param sloInformation Single LogOut information DAO
- * @return
- * @throws PVP2Exception
- */
- public Assertion buildAssertion(String issuerEntityID, PVPSProfilePendingRequest pendingReq, AuthnRequest authnRequest,
- IAuthData authData, EntityDescriptor peerEntity, DateTime date,
- AssertionConsumerService assertionConsumerService, SLOInformationInterface sloInformation)
- throws PVP2Exception {
-
- ISPConfiguration oaParam = pendingReq.getServiceProviderConfiguration();
- AuthnContextClassRef authnContextClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
-
- //check if authn. request contains LoA
- RequestedAuthnContext reqAuthnContext = authnRequest.getRequestedAuthnContext();
- if (reqAuthnContext == null) {
- authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel());
-
- } else {
- //authn. request requests LoA levels. To LoA validation
- List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs();
-
- //get matching mode from authn. request
- String loaMatchingMode = EAAFConstants.EIDAS_LOA_MATCHING_MINIMUM;
- if (reqAuthnContext.getComparison() != null &&
- StringUtils.isNotEmpty(reqAuthnContext.getComparison().toString()))
- loaMatchingMode = reqAuthnContext.getComparison().toString();
-
- //get requested LoAs
- if (reqAuthnContextClassRefIt.size() == 0) {
- QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(),
- oaParam.getRequiredLoA(), loaMatchingMode);
- authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel());
-
- } else {
- List<String> eIDASLoaFromRequest = new ArrayList<String>();
- for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
- String qaa_uri = authnClassRef.getAuthnContextClassRef();
-
- if (!qaa_uri.trim().startsWith(EAAFConstants.EIDAS_LOA_PREFIX)) {
- if (loaLevelMapper != null) {
- log.debug("Find no eIDAS LoA in AuthnReq. Start mapping process ... " );
- eIDASLoaFromRequest.add(loaLevelMapper.mapToeIDASLoA(qaa_uri.trim()));
-
- } else
- log.debug("AuthnRequest contains no eIDAS LoA. NO LoA mapper FOUND, ignore "
- + "'" + qaa_uri.trim() + "'");
- } else
- eIDASLoaFromRequest.add(qaa_uri.trim());
-
- }
-
- //stop process if no supported LoA scheme is requested
- if (eIDASLoaFromRequest.isEmpty()) {
- log.info("Authn. request contains no supported LoA level. Stop authentication process ... ");
- throw new QAANotSupportedException("No supported LoA in Authn. request");
-
- }
-
- //verifiy LoAs from request to authentication LoA
- QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(), eIDASLoaFromRequest , loaMatchingMode);
- authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel());
-
- }
- }
-
-
- //load SPSS decriptor from service-provider metadata
- SPSSODescriptor spSSODescriptor = peerEntity.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
-
- //add Attributes to Assertion
- List<Attribute> attrList = new ArrayList<Attribute>();
- if (spSSODescriptor.getAttributeConsumingServices() != null &&
- spSSODescriptor.getAttributeConsumingServices().size() > 0) {
-
- Integer aIdx = authnRequest.getAttributeConsumingServiceIndex();
- int idx = 0;
-
- AttributeConsumingService attributeConsumingService = null;
- if (aIdx != null) {
- idx = aIdx.intValue();
- attributeConsumingService = spSSODescriptor
- .getAttributeConsumingServices().get(idx);
-
- } else {
- List<AttributeConsumingService> attrConsumingServiceList = spSSODescriptor.getAttributeConsumingServices();
- for (AttributeConsumingService el : attrConsumingServiceList) {
- if (el.isDefault())
- attributeConsumingService = el;
- }
- }
-
- /*
- * TODO: maybe use first AttributeConsumingService if no is selected
- * in request or on service is marked as default
- *
- */
- if (attributeConsumingService == null ) {
- List<AttributeConsumingService> attrConsumingServiceList = spSSODescriptor.getAttributeConsumingServices();
- if (attrConsumingServiceList != null && !attrConsumingServiceList.isEmpty())
- attributeConsumingService = attrConsumingServiceList.get(0);
-
- }
-
-
- if (attributeConsumingService != null) {
- Iterator<RequestedAttribute> it = attributeConsumingService
- .getRequestAttributes().iterator();
- while (it.hasNext()) {
- RequestedAttribute reqAttribut = it.next();
- try {
- Attribute attr = PVPAttributeBuilder.buildAttribute(
- reqAttribut.getName(), oaParam, authData);
- if (attr == null) {
- if (reqAttribut.isRequired()) {
- throw new UnprovideableAttributeException(
- reqAttribut.getName());
- }
- } else {
- attrList.add(attr);
- }
-
- } catch (UnavailableAttributeException e) {
- log.info(
- "Attribute generation for "
- + reqAttribut.getFriendlyName() + " not possible.");
- if (reqAttribut.isRequired()) {
- throw new UnprovideableAttributeException(
- reqAttribut.getName());
- }
-
-
- } catch (PVP2Exception e) {
- log.info(
- "Attribute generation failed! for "
- + reqAttribut.getFriendlyName());
- if (reqAttribut.isRequired()) {
- throw new UnprovideableAttributeException(
- reqAttribut.getName());
- }
-
- } catch (Exception e) {
- log.warn(
- "General Attribute generation failed! for "
- + reqAttribut.getFriendlyName(), e);
- if (reqAttribut.isRequired()) {
- throw new UnprovideableAttributeException(
- reqAttribut.getName());
- }
-
- }
- }
- }
- }
-
- //generate subjectNameId
- NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class);
- Pair<String, String> subjectNameIdPair = subjectNameIdGenerator.generateSubjectNameId(authData, oaParam);
- subjectNameID.setValue(subjectNameIdPair.getFirst());
- subjectNameID.setNameQualifier(subjectNameIdPair.getSecond());
-
- //get NameIDFormat from request
- String nameIDFormat = NameID.TRANSIENT;
- AuthnRequest authnReq = (AuthnRequestImpl) authnRequest;
- if (authnReq.getNameIDPolicy() != null &&
- StringUtils.isNotEmpty(authnReq.getNameIDPolicy().getFormat())) {
- nameIDFormat = authnReq.getNameIDPolicy().getFormat();
-
- } else {
- //get NameIDFormat from metadata
- List<NameIDFormat> metadataNameIDFormats = spSSODescriptor.getNameIDFormats();
-
- if (metadataNameIDFormats != null) {
-
- for (NameIDFormat el : metadataNameIDFormats) {
- if (NameID.PERSISTENT.equals(el.getFormat())) {
- nameIDFormat = NameID.PERSISTENT;
- break;
-
- } else if (NameID.TRANSIENT.equals(el.getFormat()) ||
- NameID.UNSPECIFIED.equals(el.getFormat()))
- break;
-
- }
- }
- }
-
- if (NameID.TRANSIENT.equals(nameIDFormat) || NameID.UNSPECIFIED.equals(nameIDFormat)) {
- String random = Random.nextHexRandom32();
- String nameID = subjectNameID.getValue();
-
- try {
- MessageDigest md = MessageDigest.getInstance("SHA-1");
- byte[] hash = md.digest((nameID + random).getBytes("ISO-8859-1"));
- subjectNameID.setValue(Base64Utils.encodeToString(hash));
- subjectNameID.setNameQualifier(null);
- subjectNameID.setFormat(NameID.TRANSIENT);
-
- } catch (Exception e) {
- log.warn("PVP2 subjectNameID error", e);
- throw new ResponderErrorException("internal.03", null, e);
-
- }
-
- } else
- subjectNameID.setFormat(nameIDFormat);
-
-
- String sessionIndex = null;
-
- //if request is a reauthentication and NameIDFormat match reuse old session information
- if (StringUtils.isNotEmpty(authData.getNameID()) &&
- StringUtils.isNotEmpty(authData.getNameIDFormat()) &&
- nameIDFormat.equals(authData.getNameIDFormat())) {
- subjectNameID.setValue(authData.getNameID());
- sessionIndex = authData.getSessionIndex();
-
- }
-
- //
- if (StringUtils.isEmpty(sessionIndex))
- sessionIndex = SAML2Utils.getSecureIdentifier();
-
- SubjectConfirmationData subjectConfirmationData = SAML2Utils
- .createSAMLObject(SubjectConfirmationData.class);
- subjectConfirmationData.setInResponseTo(authnRequest.getID());
- subjectConfirmationData.setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime()));
-
- //set 'recipient' attribute in subjectConformationData
- subjectConfirmationData.setRecipient(assertionConsumerService.getLocation());
-
- //set IP address of the user machine as 'Address' attribute in subjectConformationData
- String usersIPAddress = pendingReq.getRawData(
- RequestImpl.DATAID_REQUESTER_IP_ADDRESS, String.class);
- if (StringUtils.isNotEmpty(usersIPAddress))
- subjectConfirmationData.setAddress(usersIPAddress);
-
- //set SLO information
- sloInformation.setUserNameIdentifier(subjectNameID.getValue());
- sloInformation.setNameIDFormat(subjectNameID.getFormat());
- sloInformation.setSessionIndex(sessionIndex);
-
- return buildGenericAssertion(issuerEntityID, peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter());
- }
-
- /**
- *
- * @param issuer IDP EntityID
- * @param entityID Service Provider EntityID
- * @param date
- * @param authnContextClassRef
- * @param attrList
- * @param subjectNameID
- * @param subjectConfirmationData
- * @param sessionIndex
- * @param isValidTo
- * @return
- * @throws ConfigurationException
- */
-
- public Assertion buildGenericAssertion(String issuer, String entityID, DateTime date,
- AuthnContextClassRef authnContextClassRef, List<Attribute> attrList,
- NameID subjectNameID, SubjectConfirmationData subjectConfirmationData,
- String sessionIndex, DateTime isValidTo) throws ResponderErrorException {
- Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class);
-
- AuthnContext authnContext = SAML2Utils
- .createSAMLObject(AuthnContext.class);
- authnContext.setAuthnContextClassRef(authnContextClassRef);
-
- AuthnStatement authnStatement = SAML2Utils
- .createSAMLObject(AuthnStatement.class);
-
- authnStatement.setAuthnInstant(date);
- authnStatement.setSessionIndex(sessionIndex);
- authnStatement.setAuthnContext(authnContext);
-
- assertion.getAuthnStatements().add(authnStatement);
-
- AttributeStatement attributeStatement = SAML2Utils
- .createSAMLObject(AttributeStatement.class);
- attributeStatement.getAttributes().addAll(attrList);
- if (attributeStatement.getAttributes().size() > 0) {
- assertion.getAttributeStatements().add(attributeStatement);
- }
-
- Subject subject = SAML2Utils.createSAMLObject(Subject.class);
- subject.setNameID(subjectNameID);
-
- SubjectConfirmation subjectConfirmation = SAML2Utils
- .createSAMLObject(SubjectConfirmation.class);
- subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
- subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
-
- subject.getSubjectConfirmations().add(subjectConfirmation);
-
- Conditions conditions = SAML2Utils.createSAMLObject(Conditions.class);
- AudienceRestriction audienceRestriction = SAML2Utils
- .createSAMLObject(AudienceRestriction.class);
- Audience audience = SAML2Utils.createSAMLObject(Audience.class);
-
- audience.setAudienceURI(entityID);
- audienceRestriction.getAudiences().add(audience);
- conditions.setNotBefore(date);
- conditions.setNotOnOrAfter(isValidTo);
-
- conditions.getAudienceRestrictions().add(audienceRestriction);
-
- assertion.setConditions(conditions);
-
- Issuer issuerObj = SAML2Utils.createSAMLObject(Issuer.class);
-
- if (issuer.endsWith("/"))
- issuer = issuer.substring(0, issuer.length()-1);
- issuerObj.setValue(issuer);
- issuerObj.setFormat(NameID.ENTITY);
-
- assertion.setIssuer(issuerObj);
- assertion.setSubject(subject);
- assertion.setID(SAML2Utils.getSecureIdentifier());
- assertion.setIssueInstant(date);
-
- return assertion;
- }
-}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
new file mode 100644
index 00000000..79de4567
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
@@ -0,0 +1,465 @@
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder;
+
+import java.security.MessageDigest;
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.IspConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface;
+import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
+import at.gv.egiz.eaaf.core.impl.utils.Random;
+import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
+import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotSupportedException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
+import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QaaLevelVerifier;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+import org.apache.commons.lang3.StringUtils;
+import org.joda.time.DateTime;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeQuery;
+import org.opensaml.saml2.core.AttributeStatement;
+import org.opensaml.saml2.core.Audience;
+import org.opensaml.saml2.core.AudienceRestriction;
+import org.opensaml.saml2.core.AuthnContext;
+import org.opensaml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.AuthnStatement;
+import org.opensaml.saml2.core.Conditions;
+import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.core.RequestedAuthnContext;
+import org.opensaml.saml2.core.Subject;
+import org.opensaml.saml2.core.SubjectConfirmation;
+import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.AttributeConsumingService;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+import org.springframework.util.Base64Utils;
+
+@Service("PVP2AssertionBuilder")
+public class Pvp2AssertionBuilder implements PvpConstants {
+
+ private static final Logger log = LoggerFactory.getLogger(Pvp2AssertionBuilder.class);
+ @Autowired
+ private ILoALevelMapper loaLevelMapper;
+ @Autowired
+ private ISubjectNameIdGenerator subjectNameIdGenerator;
+
+
+ /**
+ * Build a PVP assertion as response for a SAML2 AttributeQuery request.
+ *
+ * @param issuerEntityID EnitiyID, which should be used for this IDP response
+ * @param attrQuery AttributeQuery request from Service-Provider
+ * @param attrList List of PVP response attributes
+ * @param now Current time
+ * @param validTo ValidTo time of the assertion
+ * @param qaaLevel QAA level of the authentication
+ * @param sessionIndex SAML2 SessionIndex, which should be included *
+ * @return PVP 2.1 Assertion
+ * @throws Pvp2Exception In case of an error
+ */
+ public Assertion buildAssertion(final String issuerEntityID, final AttributeQuery attrQuery,
+ final List<Attribute> attrList, final DateTime now, final DateTime validTo,
+ final String qaaLevel, final String sessionIndex) throws Pvp2Exception {
+
+ final AuthnContextClassRef authnContextClassRef =
+ Saml2Utils.createSamlObject(AuthnContextClassRef.class);
+ authnContextClassRef.setAuthnContextClassRef(qaaLevel);
+
+ final NameID subjectNameID = Saml2Utils.createSamlObject(NameID.class);
+ subjectNameID.setFormat(attrQuery.getSubject().getNameID().getFormat());
+ subjectNameID.setValue(attrQuery.getSubject().getNameID().getValue());
+
+ final SubjectConfirmationData subjectConfirmationData = null;
+
+ return buildGenericAssertion(issuerEntityID, attrQuery.getIssuer().getValue(), now,
+ authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex,
+ validTo);
+ }
+
+
+ /**
+ * Build a PVP 2.1 assertion as response of a SAML2 AuthnRequest.
+ *
+ * @param issuerEntityID EnitiyID, which should be used for this IDP response
+ * @param pendingReq Current processed pendingRequest DAO
+ * @param authnRequest Current processed PVP AuthnRequest
+ * @param authData AuthenticationData of the user, which is already authenticated
+ * @param peerEntity SAML2 EntityDescriptor of the service-provider, which receives the response
+ * @param date TimeStamp
+ * @param assertionConsumerService SAML2 endpoint of the service-provider, which should be used
+ * @param sloInformation Single LogOut information DAO
+ * @return PVP2 S-Profil Assertion
+ * @throws Pvp2Exception In case of an error
+ */
+ public Assertion buildAssertion(final String issuerEntityID,
+ final PvpSProfilePendingRequest pendingReq, final AuthnRequest authnRequest,
+ final IAuthData authData, final EntityDescriptor peerEntity, final DateTime date,
+ final AssertionConsumerService assertionConsumerService,
+ final SloInformationInterface sloInformation) throws Pvp2Exception {
+
+ final IspConfiguration oaParam = pendingReq.getServiceProviderConfiguration();
+ final AuthnContextClassRef authnContextClassRef =
+ Saml2Utils.createSamlObject(AuthnContextClassRef.class);
+
+ // check if authn. request contains LoA
+ final RequestedAuthnContext reqAuthnContext = authnRequest.getRequestedAuthnContext();
+ if (reqAuthnContext == null) {
+ authnContextClassRef.setAuthnContextClassRef(authData.getEidasQaaLevel());
+
+ } else {
+ // authn. request requests LoA levels. To LoA validation
+ final List<AuthnContextClassRef> reqAuthnContextClassRefIt =
+ reqAuthnContext.getAuthnContextClassRefs();
+
+ // get matching mode from authn. request
+ String loaMatchingMode = EAAFConstants.EIDAS_LOA_MATCHING_MINIMUM;
+ if (reqAuthnContext.getComparison() != null
+ && StringUtils.isNotEmpty(reqAuthnContext.getComparison().toString())) {
+ loaMatchingMode = reqAuthnContext.getComparison().toString();
+ }
+
+ // get requested LoAs
+ if (reqAuthnContextClassRefIt.size() == 0) {
+ QaaLevelVerifier.verifyQaaLevel(authData.getEidasQaaLevel(), oaParam.getRequiredLoA(),
+ loaMatchingMode);
+ authnContextClassRef.setAuthnContextClassRef(authData.getEidasQaaLevel());
+
+ } else {
+ final List<String> eidasLoaFromRequest = new ArrayList<>();
+ for (final AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
+ final String qaa_uri = authnClassRef.getAuthnContextClassRef();
+
+ if (!qaa_uri.trim().startsWith(EAAFConstants.EIDAS_LOA_PREFIX)) {
+ if (loaLevelMapper != null) {
+ log.debug("Find no eIDAS LoA in AuthnReq. Start mapping process ... ");
+ eidasLoaFromRequest.add(loaLevelMapper.mapToeIDASLoA(qaa_uri.trim()));
+
+ } else {
+ log.debug("AuthnRequest contains no eIDAS LoA. NO LoA mapper FOUND, ignore " + "'"
+ + qaa_uri.trim() + "'");
+ }
+ } else {
+ eidasLoaFromRequest.add(qaa_uri.trim());
+ }
+
+ }
+
+ // stop process if no supported LoA scheme is requested
+ if (eidasLoaFromRequest.isEmpty()) {
+ log.info(
+ "Authn. request contains no supported LoA level. Stop authentication process ... ");
+ throw new QaaNotSupportedException("No supported LoA in Authn. request");
+
+ }
+
+ // verifiy LoAs from request to authentication LoA
+ QaaLevelVerifier.verifyQaaLevel(authData.getEidasQaaLevel(), eidasLoaFromRequest,
+ loaMatchingMode);
+ authnContextClassRef.setAuthnContextClassRef(authData.getEidasQaaLevel());
+
+ }
+ }
+
+
+ // load SPSS decriptor from service-provider metadata
+ final SPSSODescriptor spSsoDescriptor = peerEntity.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+
+ // add Attributes to Assertion
+ final List<Attribute> attrList = new ArrayList<>();
+ if (spSsoDescriptor.getAttributeConsumingServices() != null
+ && spSsoDescriptor.getAttributeConsumingServices().size() > 0) {
+
+ final Integer aIdx = authnRequest.getAttributeConsumingServiceIndex();
+ int idx = 0;
+
+ AttributeConsumingService attributeConsumingService = null;
+ if (aIdx != null) {
+ idx = aIdx.intValue();
+ attributeConsumingService = spSsoDescriptor.getAttributeConsumingServices().get(idx);
+
+ } else {
+ final List<AttributeConsumingService> attrConsumingServiceList =
+ spSsoDescriptor.getAttributeConsumingServices();
+ for (final AttributeConsumingService el : attrConsumingServiceList) {
+ if (el.isDefault()) {
+ attributeConsumingService = el;
+ }
+ }
+ }
+
+ /*
+ * TODO: maybe use first AttributeConsumingService if no is selected in request or on service
+ * is marked as default
+ *
+ */
+ if (attributeConsumingService == null) {
+ final List<AttributeConsumingService> attrConsumingServiceList =
+ spSsoDescriptor.getAttributeConsumingServices();
+ if (attrConsumingServiceList != null && !attrConsumingServiceList.isEmpty()) {
+ attributeConsumingService = attrConsumingServiceList.get(0);
+ }
+
+ }
+
+
+ if (attributeConsumingService != null) {
+ final Iterator<RequestedAttribute> it =
+ attributeConsumingService.getRequestAttributes().iterator();
+ while (it.hasNext()) {
+ final RequestedAttribute reqAttribut = it.next();
+ try {
+ final Attribute attr =
+ PvpAttributeBuilder.buildAttribute(reqAttribut.getName(), oaParam, authData);
+ if (attr == null) {
+ if (reqAttribut.isRequired()) {
+ throw new UnprovideableAttributeException(reqAttribut.getName());
+ }
+ } else {
+ attrList.add(attr);
+ }
+
+ } catch (final UnavailableAttributeException e) {
+ log.info(
+ "Attribute generation for " + reqAttribut.getFriendlyName() + " not possible.");
+ if (reqAttribut.isRequired()) {
+ throw new UnprovideableAttributeException(reqAttribut.getName());
+ }
+
+
+ } catch (final Pvp2Exception e) {
+ log.info("Attribute generation failed! for " + reqAttribut.getFriendlyName());
+ if (reqAttribut.isRequired()) {
+ throw new UnprovideableAttributeException(reqAttribut.getName());
+ }
+
+ } catch (final Exception e) {
+ log.warn("General Attribute generation failed! for " + reqAttribut.getFriendlyName(),
+ e);
+ if (reqAttribut.isRequired()) {
+ throw new UnprovideableAttributeException(reqAttribut.getName());
+ }
+
+ }
+ }
+ }
+ }
+
+ // generate subjectNameId
+ final NameID subjectNameID = Saml2Utils.createSamlObject(NameID.class);
+ final Pair<String, String> subjectNameIdPair =
+ subjectNameIdGenerator.generateSubjectNameId(authData, oaParam);
+ subjectNameID.setValue(subjectNameIdPair.getFirst());
+ subjectNameID.setNameQualifier(subjectNameIdPair.getSecond());
+
+ // get NameIDFormat from request
+ String nameIdFormat = NameIDType.TRANSIENT;
+ final AuthnRequest authnReq = authnRequest;
+ if (authnReq.getNameIDPolicy() != null
+ && StringUtils.isNotEmpty(authnReq.getNameIDPolicy().getFormat())) {
+ nameIdFormat = authnReq.getNameIDPolicy().getFormat();
+
+ } else {
+ // get NameIDFormat from metadata
+ final List<NameIDFormat> metadataNameIdFormats = spSsoDescriptor.getNameIDFormats();
+
+ if (metadataNameIdFormats != null) {
+
+ for (final NameIDFormat el : metadataNameIdFormats) {
+ if (NameIDType.PERSISTENT.equals(el.getFormat())) {
+ nameIdFormat = NameIDType.PERSISTENT;
+ break;
+
+ } else if (NameIDType.TRANSIENT.equals(el.getFormat())
+ || NameIDType.UNSPECIFIED.equals(el.getFormat())) {
+ break;
+ }
+
+ }
+ }
+ }
+
+ if (NameIDType.TRANSIENT.equals(nameIdFormat) || NameIDType.UNSPECIFIED.equals(nameIdFormat)) {
+ final String random = Random.nextHexRandom32();
+ final String nameID = subjectNameID.getValue();
+
+ try {
+ final MessageDigest md = MessageDigest.getInstance("SHA-1");
+ final byte[] hash = md.digest((nameID + random).getBytes("ISO-8859-1"));
+ subjectNameID.setValue(Base64Utils.encodeToString(hash));
+ subjectNameID.setNameQualifier(null);
+ subjectNameID.setFormat(NameIDType.TRANSIENT);
+
+ } catch (final Exception e) {
+ log.warn("PVP2 subjectNameID error", e);
+ throw new ResponderErrorException("internal.03", null, e);
+
+ }
+
+ } else {
+ subjectNameID.setFormat(nameIdFormat);
+ }
+
+
+ String sessionIndex = null;
+
+ // if request is a reauthentication and NameIDFormat match reuse old session information
+ if (StringUtils.isNotEmpty(authData.getNameID())
+ && StringUtils.isNotEmpty(authData.getNameIdFormat())
+ && nameIdFormat.equals(authData.getNameIdFormat())) {
+ subjectNameID.setValue(authData.getNameID());
+ sessionIndex = authData.getSessionIndex();
+
+ }
+
+ //
+ if (StringUtils.isEmpty(sessionIndex)) {
+ sessionIndex = Saml2Utils.getSecureIdentifier();
+ }
+
+ final SubjectConfirmationData subjectConfirmationData =
+ Saml2Utils.createSamlObject(SubjectConfirmationData.class);
+ subjectConfirmationData.setInResponseTo(authnRequest.getID());
+ subjectConfirmationData
+ .setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime()));
+
+ // set 'recipient' attribute in subjectConformationData
+ subjectConfirmationData.setRecipient(assertionConsumerService.getLocation());
+
+ // set IP address of the user machine as 'Address' attribute in subjectConformationData
+ final String usersIpAddress =
+ pendingReq.getRawData(RequestImpl.DATAID_REQUESTER_IP_ADDRESS, String.class);
+ if (StringUtils.isNotEmpty(usersIpAddress)) {
+ subjectConfirmationData.setAddress(usersIpAddress);
+ }
+
+ // set SLO information
+ sloInformation.setUserNameIdentifier(subjectNameID.getValue());
+ sloInformation.setNameIdFormat(subjectNameID.getFormat());
+ sloInformation.setSessionIndex(sessionIndex);
+
+ return buildGenericAssertion(issuerEntityID, peerEntity.getEntityID(), date,
+ authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex,
+ subjectConfirmationData.getNotOnOrAfter());
+ }
+
+ /**
+ * Build generic part of PVP S-Profile Assertion.
+ *
+ * @param issuer IDP EntityID
+ * @param entityID Service Provider EntityID
+ * @param date Timestamp
+ * @param authnContextClassRef SAML2 AuthnContextClassReference
+ * @param attrList List of attributes
+ * @param subjectNameID SubjectNameId
+ * @param subjectConfirmationData SubjectConfirmationInformation
+ * @param sessionIndex SessionIndex
+ * @param isValidTo ValidTo Timestamp
+ * @return PVP S-Profile Assertion
+ * @throws ConfigurationException In case on an error
+ */
+
+ public Assertion buildGenericAssertion(String issuer, final String entityID, final DateTime date,
+ final AuthnContextClassRef authnContextClassRef, final List<Attribute> attrList,
+ final NameID subjectNameID, final SubjectConfirmationData subjectConfirmationData,
+ final String sessionIndex, final DateTime isValidTo) throws ResponderErrorException {
+ final Assertion assertion = Saml2Utils.createSamlObject(Assertion.class);
+
+ final AuthnContext authnContext = Saml2Utils.createSamlObject(AuthnContext.class);
+ authnContext.setAuthnContextClassRef(authnContextClassRef);
+
+ final AuthnStatement authnStatement = Saml2Utils.createSamlObject(AuthnStatement.class);
+
+ authnStatement.setAuthnInstant(date);
+ authnStatement.setSessionIndex(sessionIndex);
+ authnStatement.setAuthnContext(authnContext);
+
+ assertion.getAuthnStatements().add(authnStatement);
+
+ final AttributeStatement attributeStatement =
+ Saml2Utils.createSamlObject(AttributeStatement.class);
+ attributeStatement.getAttributes().addAll(attrList);
+ if (attributeStatement.getAttributes().size() > 0) {
+ assertion.getAttributeStatements().add(attributeStatement);
+ }
+
+ final Subject subject = Saml2Utils.createSamlObject(Subject.class);
+ subject.setNameID(subjectNameID);
+
+ final SubjectConfirmation subjectConfirmation =
+ Saml2Utils.createSamlObject(SubjectConfirmation.class);
+ subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
+ subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
+
+ subject.getSubjectConfirmations().add(subjectConfirmation);
+
+ final Conditions conditions = Saml2Utils.createSamlObject(Conditions.class);
+ final AudienceRestriction audienceRestriction =
+ Saml2Utils.createSamlObject(AudienceRestriction.class);
+ final Audience audience = Saml2Utils.createSamlObject(Audience.class);
+
+ audience.setAudienceURI(entityID);
+ audienceRestriction.getAudiences().add(audience);
+ conditions.setNotBefore(date);
+ conditions.setNotOnOrAfter(isValidTo);
+
+ conditions.getAudienceRestrictions().add(audienceRestriction);
+
+ assertion.setConditions(conditions);
+
+ final Issuer issuerObj = Saml2Utils.createSamlObject(Issuer.class);
+
+ if (issuer.endsWith("/")) {
+ issuer = issuer.substring(0, issuer.length() - 1);
+ }
+ issuerObj.setValue(issuer);
+ issuerObj.setFormat(NameIDType.ENTITY);
+
+ assertion.setIssuer(issuerObj);
+ assertion.setSubject(subject);
+ assertion.setID(Saml2Utils.getSecureIdentifier());
+ assertion.setIssueInstant(date);
+
+ return assertion;
+ }
+}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider b/eaaf_modules/eaaf_module_pvp2_idp/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
index cda12a62..c3c68e20 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
@@ -1 +1 @@
-at.gv.egiz.eaaf.modules.pvp2.idp.PVP2SProfileIDPSpringResourceProvider \ No newline at end of file
+at.gv.egiz.eaaf.modules.pvp2.idp.Pvp2SProfileIdpSpringResourceProvider \ No newline at end of file
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/resources/eaaf_pvp_idp.beans.xml b/eaaf_modules/eaaf_module_pvp2_idp/src/main/resources/eaaf_pvp_idp.beans.xml
index b01a09ff..d29b5aba 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/resources/eaaf_pvp_idp.beans.xml
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/resources/eaaf_pvp_idp.beans.xml
@@ -1,22 +1,19 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!--
- -->
-
<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:tx="http://www.springframework.org/schema/tx"
- xmlns:aop="http://www.springframework.org/schema/aop"
- xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
- http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
- http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
-
- <bean id="PVP2AssertionBuilder"
- class="at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.PVP2AssertionBuilder" />
-
- <bean id="PVPSProfilePendingRequest"
- class="at.gv.egiz.eaaf.modules.pvp2.idp.impl.PVPSProfilePendingRequest"
- scope="prototype"/>
-
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:tx="http://www.springframework.org/schema/tx"
+ xmlns:aop="http://www.springframework.org/schema/aop"
+ xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
+ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
+ http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
+
+ <bean id="PVP2AssertionBuilder"
+ class="at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.Pvp2AssertionBuilder" />
+
+ <bean id="PVPSProfilePendingRequest"
+ class="at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest"
+ scope="prototype" />
+
</beans> \ No newline at end of file