From 47ca9c6c93447788376ba53e394ed3116d5a3dcc Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 2 Jul 2018 18:10:21 +0200 Subject: add requested attributes to PVP S-profile --- .../pvp2/idp/impl/AbstractPVP2XProtocol.java | 54 ++++++---------------- 1 file changed, 15 insertions(+), 39 deletions(-) (limited to 'eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPVP2XProtocol.java') diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPVP2XProtocol.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPVP2XProtocol.java index 93ffa789..ee0eee0a 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPVP2XProtocol.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPVP2XProtocol.java @@ -19,9 +19,7 @@ import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.Status; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.StatusMessage; -import org.opensaml.saml2.core.impl.AuthnRequestImpl; import org.opensaml.saml2.metadata.AssertionConsumerService; -import org.opensaml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.ws.security.SecurityPolicyException; @@ -35,7 +33,6 @@ import at.gv.egiz.components.eventlog.api.EventConstants; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.data.EAAFConstants; import at.gv.egiz.eaaf.core.api.idp.IModulInfo; -import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger; import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; import at.gv.egiz.eaaf.core.exceptions.EAAFException; @@ -47,6 +44,7 @@ import at.gv.egiz.eaaf.modules.pvp2.PVPEventConstants; import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration; import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestValidator; import at.gv.egiz.eaaf.modules.pvp2.exception.InvalidPVPRequestException; import at.gv.egiz.eaaf.modules.pvp2.exception.NameIDFormatNotSupportedException; import at.gv.egiz.eaaf.modules.pvp2.exception.NoMetadataInformationException; @@ -61,7 +59,6 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EAAFURICompare; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.verification.AuthnRequestValidator; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SAMLVerificationEngine; public abstract class AbstractPVP2XProtocol extends AbstractAuthProtocolModulController implements IModulInfo { @@ -70,8 +67,11 @@ public abstract class AbstractPVP2XProtocol extends AbstractAuthProtocolModulCon @Autowired(required=true) protected IPVP2BasicConfiguration pvpBasicConfiguration; @Autowired(required=true) protected IPVPMetadataProvider metadataProvider; @Autowired(required=true) protected SAMLVerificationEngine samlVerificationEngine; + @Autowired(required=true) protected IAuthnRequestValidator authRequestValidator; private AbstractCredentialProvider pvpIDPCredentials; + + /** * Sets a specific credential provider for PVP S-Profile IDP component. @@ -470,42 +470,14 @@ public abstract class AbstractPVP2XProtocol extends AbstractAuthProtocolModulCon } } - - //select AttributeConsumingService from request - AttributeConsumingService attributeConsumer = null; - Integer aIdx = authnRequest.getAttributeConsumingServiceIndex(); - int attributeIdx = 0; - - if(aIdx != null) { - attributeIdx = aIdx.intValue(); - } - - if (spSSODescriptor.getAttributeConsumingServices() != null && - spSSODescriptor.getAttributeConsumingServices().size() > 0) { - attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); - } - + //validate AuthnRequest - AuthnRequestImpl authReq = (AuthnRequestImpl) samlReq; - AuthnRequestValidator.validate(authReq); - -// String useMandate = request.getParameter(PARAM_USEMANDATE); -// if(useMandate != null) { -// if(useMandate.equals("true") && attributeConsumer != null) { -// if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) { -// throw new MandateAttributesNotHandleAbleException(); -// } -// } -// } - + AuthnRequest authReq = (AuthnRequest) samlReq; String oaURL = moaRequest.getEntityMetadata(metadataProvider).getEntityID(); - oaURL = StringEscapeUtils.escapeHtml(oaURL); - ISPConfiguration oa = authConfig.getServiceProviderConfiguration(oaURL); - - log.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + consumerService.getBinding()); - - pendingReq.setSPEntityId(oaURL); - pendingReq.setOnlineApplicationConfiguration(oa); + log.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + consumerService.getBinding()); + + pendingReq.setSPEntityId(StringEscapeUtils.escapeHtml(oaURL)); + pendingReq.setOnlineApplicationConfiguration(authConfig.getServiceProviderConfiguration(pendingReq.getSPEntityId())); pendingReq.setBinding(consumerService.getBinding()); pendingReq.setRequest(moaRequest); pendingReq.setConsumerURL(consumerService.getLocation()); @@ -513,13 +485,17 @@ public abstract class AbstractPVP2XProtocol extends AbstractAuthProtocolModulCon //parse AuthRequest pendingReq.setPassiv(authReq.isPassive()); pendingReq.setForce(authReq.isForceAuthn()); - + //AuthnRequest needs authentication pendingReq.setNeedAuthentication(true); //set protocol action, which should be executed after authentication pendingReq.setAction(AuthenticationAction.class.getName()); + log.trace("Starting extended AuthnRequest validation and processing ... "); + authRequestValidator.validate(request, pendingReq, authReq, spSSODescriptor); + log.debug("Extended AuthnRequest validation and processing finished"); + //write revisionslog entry revisionsLogger.logEvent(pendingReq, PVPEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHREQUEST); -- cgit v1.2.3