authorThomas Lenz <tlenz@iaik.tugraz.at>2017-07-26 15:35:42 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-07-26 15:35:42 +0200
commitac7930ec5d3505dc9ef47fef045d6b5bae53eadb (patch)
treec646ce7a306684b358572f96c6feedcbdfbebb21
parent98d740f873ac66522f3ebfb02a2433c98fde3a1d (diff)
fix some bugs in combination with eIDAS saml-engine 1.3
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java3
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java4
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java4
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java1
4 files changed, 7 insertions, 5 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index adf6c4979..c0101b553 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -72,7 +72,8 @@ public class Constants {
//timeouts and clock skews
- public static final int CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation
+ public static final long CONFIG_PROPS_SKEWTIME_BEFORE = -2 * 60 * 1000; //5 minutes skew time for response validation
+ public static final long CONFIG_PROPS_SKEWTIME_AFTER = 2 * 60 * 1000; //5 minutes skew time for response validation
public static final long CONFIG_PROPS_METADATA_GARBAGE_TIMEOUT = 7 * 24 * 60 * 60 * 1000; //remove unused eIDAS metadata after 7 days
//eIDAS request parameters
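Review bot: The comments on the two new constants say "5 minutes" while the values are `2 * 60 * 1000`, i.e. two minutes, and nothing records that CONFIG_PROPS_SKEWTIME_BEFORE is deliberately negative, which is the convention the `plusMillis` call in MoaEidasConditionsValidator depends on. I would make the comments match the values and state the sign convention: `//2 minutes skew time; negative on purpose: it is added to NotBefore so the validity window opens earlier` and `//2 minutes skew time added to NotOnOrAfter so the validity window closes later`. Whether any reader of the removed CONFIG_PROPS_SKEWTIME remains outside the four files in this commit cannot be seen from the diff.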
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java
index d9453322f..9895ca79f 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java
@@ -56,7 +56,7 @@ public class MoaEidasConditionsValidator extends ConditionsSpecValidator {
throw new ValidationException("NotBefore is required.");
}
- if (conditions.getNotBefore().minusMillis(Constants.CONFIG_PROPS_SKEWTIME).isAfterNow()) {
+ if (conditions.getNotBefore().plusMillis((int)Constants.CONFIG_PROPS_SKEWTIME_BEFORE).isAfterNow()) {
throw new ValidationException("Current time is before NotBefore condition");
}
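Review bot: The `(int)` cast on the new condition line (and on the NotOnOrAfter line in the next hunk) truncates silently if the skew constant ever exceeds the int range, and it looks unnecessary: if getNotBefore() is a Joda DateTime, as the isAfterNow/plusMillis calls suggest, the `plus(long)` overload takes milliseconds directly, `if (conditions.getNotBefore().plus(Constants.CONFIG_PROPS_SKEWTIME_BEFORE).isAfterNow()) {`, and likewise `plus(Constants.CONFIG_PROPS_SKEWTIME_AFTER)` below. The check is only correct because CONFIG_PROPS_SKEWTIME_BEFORE is negative, so a one-line comment here, `// skew constant is negative, so this moves NotBefore earlier`, keeps that convention visible where it matters. The enclosing validate method starts and ends outside the hunk.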
@@ -64,7 +64,7 @@ public class MoaEidasConditionsValidator extends ConditionsSpecValidator {
throw new ValidationException("NotOnOrAfter is required.");
}
- if (conditions.getNotOnOrAfter().isBeforeNow()) {
+ if (conditions.getNotOnOrAfter().plusMillis((int)Constants.CONFIG_PROPS_SKEWTIME_AFTER).isBeforeNow()) {
throw new ValidationException("Current time is after NotOnOrAfter condition");
}
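Review bot: The new NotOnOrAfter check now accepts an assertion for up to CONFIG_PROPS_SKEWTIME_AFTER after its stated expiry, so the interval during which a captured response is still accepted grows by that amount; a comment stating that this is intentional clock-skew tolerance, and that the engine call in ReceiveAuthnResponseTask may apply its own after-skew on top of it, would make the effective window explicit for the next maintainer. Pre-existing rather than introduced here, `isBeforeNow()` also accepts the exact NotOnOrAfter instant, which the condition's name excludes; with a skew added this is moot in practice, but worth noting in the same comment. The enclosing validate method starts and ends outside the hunk.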
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
index a31bbaf02..17e112c4c 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
@@ -57,8 +57,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
//validate SAML token
IAuthenticationResponse samlResp = engine.unmarshallResponseAndValidate(decSamlToken,
request.getRemoteHost(),
- Constants.CONFIG_PROPS_SKEWTIME,
- Constants.CONFIG_PROPS_SKEWTIME,
+ Constants.CONFIG_PROPS_SKEWTIME_BEFORE,
+ Constants.CONFIG_PROPS_SKEWTIME_AFTER,
pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_METADATA);
if (samlResp.isEncrypted()) {
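Review bot: The call now passes a negative CONFIG_PROPS_SKEWTIME_BEFORE as the engine's before-skew argument, but the sign the engine expects is not visible in this diff; if the saml-engine subtracts its before-skew from NotBefore, a negative value tightens the check by two minutes instead of loosening it, which is the opposite of what MoaEidasConditionsValidator does with the same constant. This should be confirmed against the unmarshallResponseAndValidate contract of saml-engine 1.3 and recorded on the call, e.g. `// before-skew is passed negative: engine <adds|subtracts> it from NotBefore (confirm against saml-engine 1.3)`. The enclosing method starts and ends outside the hunk.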
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
index bfe410fc2..cc9b09107 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
@@ -126,6 +126,7 @@ public class EidasMetaDataRequest implements IAction {
metadataConfigBuilder.entityID(metadata_url);
metadataConfigBuilder.assertionConsumerUrl(sp_return_url);
+ metadataConfigBuilder.addProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
metadataConfigBuilder.addProtocolBindingLocation(
SAMLConstants.SAML2_POST_BINDING_URI,
pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_IDP_COLLEAGUEREQUEST);