aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorkstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>2012-02-09 21:11:31 +0000
committerkstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>2012-02-09 21:11:31 +0000
commit4af2a06ad0d4dc021277b115d15bbeeede3c23b7 (patch)
tree3deede68bee4e609ebaef22d92a96fb8f650afcc
parent453bd7f12223fe4e58049bb8f2f40d80d80bccd7 (diff)
downloadmoa-id-spss-4af2a06ad0d4dc021277b115d15bbeeede3c23b7.tar.gz
moa-id-spss-4af2a06ad0d4dc021277b115d15bbeeede3c23b7.tar.bz2
moa-id-spss-4af2a06ad0d4dc021277b115d15bbeeede3c23b7.zip
Update MOA-SPSS-Konfig Schema (Blacklists)
MOASecurityManager für Blacklists git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1236 d688527b-c9ab-4aba-bd8d-4036d912da1d
-rw-r--r--common/src/main/java/at/gv/egovernment/moa/util/Constants.java2
-rw-r--r--common/src/main/resources/resources/schemas/MOA-SPSS-config-1.5.1.xsd282
-rw-r--r--id/server/auth/src/main/webapp/iframeHandyBKU.html18
-rw-r--r--id/server/auth/src/main/webapp/iframeOnlineBKU.html18
-rw-r--r--id/server/auth/src/main/webapp/index.html110
-rw-r--r--id/server/auth/src/main/webapp/info_bk.html38
-rw-r--r--id/server/auth/src/main/webapp/template_handyBKU.html7
-rw-r--r--id/server/auth/src/main/webapp/template_localBKU.html5
-rw-r--r--id/server/auth/src/main/webapp/template_onlineBKU.html5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java19
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java2
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerExtended.java111
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerSimple.java165
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java74
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java54
16 files changed, 776 insertions, 138 deletions
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/Constants.java b/common/src/main/java/at/gv/egovernment/moa/util/Constants.java
index ed76c4ac7..769b651f9 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/Constants.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/Constants.java
@@ -101,7 +101,7 @@ public interface Constants {
/** Local location of the MOA configuration XML schema definition. */
public static final String MOA_CONFIG_SCHEMA_LOCATION =
- SCHEMA_ROOT + "MOA-SPSS-config-1.4.7.xsd";
+ SCHEMA_ROOT + "MOA-SPSS-config-1.5.1.xsd";
/** Local location of the MOA ID configuration XML schema definition. */
public static final String MOA_ID_CONFIG_SCHEMA_LOCATION =
diff --git a/common/src/main/resources/resources/schemas/MOA-SPSS-config-1.5.1.xsd b/common/src/main/resources/resources/schemas/MOA-SPSS-config-1.5.1.xsd
new file mode 100644
index 000000000..d91f8f46e
--- /dev/null
+++ b/common/src/main/resources/resources/schemas/MOA-SPSS-config-1.5.1.xsd
@@ -0,0 +1,282 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ MOA SP/SS 1.5.1 Configuration Schema
+-->
+<xs:schema xmlns:config="http://reference.e-government.gv.at/namespace/moaconfig/20021122#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://reference.e-government.gv.at/namespace/moaconfig/20021122#" elementFormDefault="qualified" attributeFormDefault="unqualified">
+ <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
+ <xs:element name="MOAConfiguration">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Common" minOccurs="0">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="HardwareCryptoModule" minOccurs="0" maxOccurs="unbounded">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Name" type="xs:string"/>
+ <xs:element name="SlotId" type="xs:string" minOccurs="0"/>
+ <xs:element name="UserPIN" type="xs:string"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="PermitExternalUris" minOccurs="0">
+ <xs:complexType>
+ <xs:sequence minOccurs="0" maxOccurs="unbounded">
+ <xs:element name="BlackListUri">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Host" type="xs:anyURI"/>
+ <xs:element name="Port" type="xs:int" minOccurs="0"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="SignatureCreation" minOccurs="0">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="KeyModules">
+ <xs:complexType>
+ <xs:choice maxOccurs="unbounded">
+ <xs:element name="HardwareKeyModule">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Id" type="xs:token"/>
+ <xs:element name="Name" type="xs:string"/>
+ <xs:element name="SlotId" type="xs:string" minOccurs="0"/>
+ <xs:element name="UserPIN" type="xs:string"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="SoftwareKeyModule">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Id" type="xs:token"/>
+ <xs:element name="FileName" type="xs:string"/>
+ <xs:element name="Password" type="xs:string" minOccurs="0"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:choice>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="KeyGroup" maxOccurs="unbounded">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Id" type="xs:token"/>
+ <xs:sequence maxOccurs="unbounded">
+ <xs:element name="Key">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="KeyModuleId" type="xs:token"/>
+ <xs:element name="KeyCertIssuerSerial" type="dsig:X509IssuerSerialType"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="KeyGroupMapping" maxOccurs="unbounded">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="CustomerId" type="dsig:X509IssuerSerialType" minOccurs="0"/>
+ <xs:element name="KeyGroupId" type="xs:token" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="XMLDSig">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="CanonicalizationAlgorithm" type="xs:anyURI" minOccurs="0"/>
+ <xs:element name="DigestMethodAlgorithm" type="xs:anyURI" minOccurs="0"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="CreateTransformsInfoProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/>
+ <xs:element name="CreateSignatureEnvironmentProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="SignatureVerification" minOccurs="0">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="CertificateValidation">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="PathConstruction">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="AutoAddCertificates" type="xs:boolean"/>
+ <xs:element name="UseAuthorityInformationAccess" type="xs:boolean"/>
+ <xs:element name="CertificateStore">
+ <xs:complexType>
+ <xs:choice>
+ <xs:element name="DirectoryStore">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Location" type="xs:token"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:choice>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="PathValidation">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="ChainingMode">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="DefaultMode" type="config:ChainingModeType"/>
+ <xs:element name="TrustAnchor" minOccurs="0" maxOccurs="unbounded">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Identification" type="dsig:X509IssuerSerialType"/>
+ <xs:element name="Mode" type="config:ChainingModeType"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="TrustProfile" maxOccurs="unbounded">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Id" type="xs:token"/>
+ <xs:element name="TrustAnchorsLocation" type="xs:anyURI"/>
+ <xs:element name="SignerCertsLocation" type="xs:anyURI" minOccurs="0"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="RevocationChecking">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="EnableChecking" type="xs:boolean"/>
+ <xs:element name="MaxRevocationAge" type="xs:integer"/>
+ <xs:element name="ServiceOrder" minOccurs="0">
+ <xs:complexType>
+ <xs:sequence maxOccurs="2">
+ <xs:element name="Service">
+ <xs:simpleType>
+ <xs:restriction base="xs:token">
+ <xs:enumeration value="OCSP"/>
+ <xs:enumeration value="CRL"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="Archiving">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="EnableArchiving" type="xs:boolean"/>
+ <xs:element name="ArchiveDuration" type="xs:nonNegativeInteger" minOccurs="0"/>
+ <xs:element name="Archive" minOccurs="0">
+ <xs:complexType>
+ <xs:choice>
+ <xs:element name="DatabaseArchive">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="JDBCURL" type="xs:anyURI"/>
+ <xs:element name="JDBCDriverClassName" type="xs:token"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:choice>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="DistributionPoint" minOccurs="0" maxOccurs="unbounded">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="CAIssuerDN" type="xs:token"/>
+ <xs:choice maxOccurs="unbounded">
+ <xs:element name="CRLDP">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Location" type="xs:anyURI"/>
+ <xs:element name="ReasonCode" minOccurs="0" maxOccurs="unbounded">
+ <xs:simpleType>
+ <xs:restriction base="xs:token">
+ <xs:enumeration value="unused"/>
+ <xs:enumeration value="keyCompromise"/>
+ <xs:enumeration value="cACompromise"/>
+ <xs:enumeration value="affiliationChanged"/>
+ <xs:enumeration value="superseded"/>
+ <xs:enumeration value="cessationOfOperation"/>
+ <xs:enumeration value="certificateHold"/>
+ <xs:enumeration value="privilegeWithdrawn"/>
+ <xs:enumeration value="aACompromise"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="OCSPDP">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Location" type="xs:anyURI"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:choice>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="CrlRetentionIntervals" minOccurs="0">
+ <xs:complexType>
+ <xs:sequence maxOccurs="unbounded">
+ <xs:element name="CA">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="X509IssuerName" type="xs:string"/>
+ <xs:element name="Interval" type="xs:integer"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="VerifyTransformsInfoProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/>
+ <xs:element name="SupplementProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/>
+ <xs:element name="PermitFileURIs" type="xs:boolean" default="false" minOccurs="0"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:simpleType name="ChainingModeType">
+ <xs:restriction base="xs:string">
+ <xs:enumeration value="chaining"/>
+ <xs:enumeration value="pkix"/>
+ </xs:restriction>
+ </xs:simpleType>
+ <xs:complexType name="ProfileType">
+ <xs:sequence>
+ <xs:element name="Id" type="xs:token"/>
+ <xs:element name="Location" type="xs:anyURI"/>
+ </xs:sequence>
+ </xs:complexType>
+</xs:schema>
diff --git a/id/server/auth/src/main/webapp/iframeHandyBKU.html b/id/server/auth/src/main/webapp/iframeHandyBKU.html
index 0f6e1e282..a7e541b85 100644
--- a/id/server/auth/src/main/webapp/iframeHandyBKU.html
+++ b/id/server/auth/src/main/webapp/iframeHandyBKU.html
@@ -8,11 +8,13 @@
<script type="text/javascript">
// [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an
// z.B.: https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at
- var MOA_ID_STARTAUTHENTICATION = "[MOA_ID_STARTAUTHENTICATION]";
+ // var MOA_ID_STARTAUTHENTICATION = "[MOA_ID_STARTAUTHENTICATION]";
+ var MOA_ID_STARTAUTHENTICATION = "https://localhost:8443/moa-id-auth/StartAuthentication?Target=ZU&OA=https://localhost:8443/TestMOAID_OA/LoginServletExample";
// [MUSS] Geben Sie hier die URL zum MOA-ID Template fuer die Handy Signatur an -->
<!-- z.B.: value="https://yoururl.at/moa-id-auth/template_handyBKU.html"-->
- var URL_TO_HANDYSIGNATUR_TEMPLATE = "[URL_TO_HANDYSIGNATUR_TEMPLATE]";
+ //var URL_TO_HANDYSIGNATUR_TEMPLATE = "[URL_TO_HANDYSIGNATUR_TEMPLATE]";
+ var URL_TO_HANDYSIGNATUR_TEMPLATE = "https://localhost:8443/moa-id-auth/template_handyBKU.html";
window.onload=function() {
@@ -45,13 +47,17 @@
</script>
</head>
- <body>
- Bitte warten...
- <form name="moaidform" method="post" id="moaidform">
+ <body>
+
+ Bitte warten...
+
+ <FORM name="moaidform" method="post" id="moaidform">
<input type="hidden" name="Template" id="Template">
<input type="hidden" name="bkuURI" value="https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx">
<input type="hidden" name="useMandate" id="useMandate">
- </form>
+ </FORM>
+
+
<hr>
</body>
</html> \ No newline at end of file
diff --git a/id/server/auth/src/main/webapp/iframeOnlineBKU.html b/id/server/auth/src/main/webapp/iframeOnlineBKU.html
index a039005e0..bb69bb5d6 100644
--- a/id/server/auth/src/main/webapp/iframeOnlineBKU.html
+++ b/id/server/auth/src/main/webapp/iframeOnlineBKU.html
@@ -8,16 +8,20 @@
<script type="text/javascript">
// [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an
// z.B.: https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at
- var MOA_ID_STARTAUTHENTICATION = "[MOA_ID_STARTAUTHENTICATION]";
+ // var MOA_ID_STARTAUTHENTICATION = "[MOA_ID_STARTAUTHENTICATION]";
+ var MOA_ID_STARTAUTHENTICATION = "https://localhost:8443/moa-id-auth/StartAuthentication?Target=ZU&OA=https://localhost:8443/TestMOAID_OA/LoginServletExample&sourceID=ABC123-_ABC123";
+ //var MOA_ID_STARTAUTHENTICATION = "https://localhost:8443/moa-id-auth/StartAuthentication?Target=ZU&OA=https://localhost:8443/TestMOAID_OA/LoginServletExample";
// [MUSS] Geben Sie hier die URL zum MOA-ID Template fuer die Online BKU an
// z.B.: "https://yoururl.at/moa-id-auth/template_onlineBKU.html"
- var URL_TO_ONLINEBKU_TEMPLATE = "[URL_TO_ONLINEBKU_TEMPLATE]";
-
+ //var URL_TO_ONLINEBKU_TEMPLATE = "[URL_TO_ONLINEBKU_TEMPLATE]";
+ var URL_TO_ONLINEBKU_TEMPLATE = "https://localhost:8443/moa-id-auth/template_onlineBKU.html";
+
// [MUSS] Geben Sie hier die URL zur Online BKU an
// z.B.: value="https://yoururl.at/bkuonline/https-security-layer-request"
// Hinweis: Diese URL muss auch bei den vertrauenswürdigen BKUs in der MOA-ID Konfiguration angegeben werden (siehe Element MOA-IDConfiguration/TrustedBKUs/BKUURL)
- var URL_TO_ONLINEBKU = "[URL_TO_ONLINEBKU]";
+ //var URL_TO_ONLINEBKU = "[URL_TO_ONLINEBKU]";
+ var URL_TO_ONLINEBKU = "https://localhost:8444/bkuonline/https-security-layer-request";
window.onload=function() {
document.getElementById('moaidform').action = MOA_ID_STARTAUTHENTICATION;
@@ -48,12 +52,14 @@
</script>
</head>
<body>
- Bitte warten...
+ Bitte warten...
+
<form method="POST" name="moaidform" id="moaidform">
<input type="hidden" name="Template" id="Template">
<input type="hidden" name="bkuURI" id="bkuURI">
<input type="hidden" name="useMandate" id="useMandate">
- </form>
+ </form>
+
<hr>
</body>
</html> \ No newline at end of file
diff --git a/id/server/auth/src/main/webapp/index.html b/id/server/auth/src/main/webapp/index.html
index 533f2830a..d78f01f2a 100644
--- a/id/server/auth/src/main/webapp/index.html
+++ b/id/server/auth/src/main/webapp/index.html
@@ -11,11 +11,13 @@
<script type="text/javascript">
// [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an
// z.B.: https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at
- var MOA_ID_STARTAUTHENTICATION = "[MOA_ID_STARTAUTHENTICATION]";
+ // var MOA_ID_STARTAUTHENTICATION = "[MOA_ID_STARTAUTHENTICATION]";
+ var MOA_ID_STARTAUTHENTICATION = "https://localhost:8443/moa-id-auth/StartAuthentication?Target=ZU&OA=https://localhost:8443/TestMOAID_OA/LoginServletExample";
// [MUSS] Geben Sie hier die URL zum MOA-ID Template fuer die lokale BKU an
// z.B.: https://yoururl.at/moa-id-auth/template_localBKU.html
- var URL_TO_LOKALBKU_TEMPLATE = "[URL_TO_LOKALBKU_TEMPLATE]";
+ //var URL_TO_LOKALBKU_TEMPLATE = "[URL_TO_LOKALBKU_TEMPLATE]";
+ var URL_TO_LOKALBKU_TEMPLATE = "https://localhost:8443/moa-id-auth/template_localBKU.html";
window.onload=function() {
@@ -95,9 +97,15 @@
<!-- [OPTIONAL] Aendern Sie hier die Titelueberschrift der Seite) -->
<div id="bannerleft">
<h1>MOA-Template zur B&uuml;rgerkartenauswahl (Musterseite)</h1>
- </div>
+ <!-- Meldung im Browser, wenn JavaScript nicht aktiviert -->
+ <noscript>
+ <p>
+ Bitte aktivieren Sie JavaScript.
+ </p>
+ </noscript>
+ </div>
<!-- [OPTIONAL] Aendern Sie hier das Logo der Seite (und Alternativtext fuer das Bild) -->
- <div id="bannerright">
+ <div id="bannerright">
<img src="img/logo.jpg" alt="Logo">
</div>
</div>
@@ -107,70 +115,21 @@
Login mit B&uuml;rgerkarte
</h2>
<div id="bkulogin" class="hell">
- <!-- No-Script Variante, wenn im Browser JavaScript deaktiviert ist -->
- <!-- Defaulteinstellung: No-Script Variante mit Anmeldung via lokaler BKU oder Handysignatur ohne Vollmacht -->
- <noscript>
- Kein JavaScript aktiviert!
-
- <!-- [OPTIONAL] kommentieren sie folgende entsprechenden Blöcke aus, wenn Sie keine No-Script Variante anbieten möchten oder nur bestimmte BKU/Vollmachten Varianten anzeigen möchten -->
-
- <!-- Block "KARTE": Anmeldung mit lokaler BKU *ohne* Vollmacht (No-Script Variante) -->
- <!-- [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an (inkl. Template-URL, bkuURI und useMandate Parameter!) -->
- <!-- z.B.: https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at&Template=https://yoururl.at/moa-id-auth/template_localBKU.html&bkuURI=https://127.0.0.1:3496/https-security-layer-request&useMandate=false -->
- <a href="[MOA_ID_STARTAUTHENTICATION]&Template=[URL_TO_LOKALBKU_TEMPLATE]&bkuURI=https://127.0.0.1:3496/https-security-layer-request&useMandate=false">
- <div id="bkukarte" class="hell">
- <button name="bkuButton" type="button">KARTE</button>
- </div>
- </a>
-
- <!-- Block "KARTE+Vollmacht": Anmeldung mit lokaler BKU *mit* Vollmacht (No-Script Variante) -->
- <!-- [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an (inkl. Template-URL, bkuURI und useMandate Parameter!) -->
- <!-- z.B.: https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at&Template=https://yoururl.at/moa-id-auth/template_localBKU.html&bkuURI=https://127.0.0.1:3496/https-security-layer-request&useMandate=true -->
- <!-- <a href="[MOA_ID_STARTAUTHENTICATION]&Template=[URL_TO_LOKALBKU_TEMPLATE]&bkuURI=https://127.0.0.1:3496/https-security-layer-request&useMandate=true">
- <div id="bkukarte" class="hell">
- <button name="bkuButton" type="button">KARTE+<br>Vollmacht</button>
- </div>
- </a> -->
-
-
- <!-- Block "HANDY": Anmeldung mit Handysignatur *ohne* Vollmacht (No-Script Variante) -->
- <!-- [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an (inkl. Template-URL, bkuURI und useMandate Parameter!) -->
- <!-- z.B.: https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at&Template=https://yoururl.at/moa-id-auth/template_handyBKU.html&bkuURI=https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx&useMandate=false -->
- <a href="[MOA_ID_STARTAUTHENTICATION]&Template=[URL_TO_HANDYSIGNATUR_TEMPLATE]&bkuURI=https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx&useMandate=false">
- <div id="bkuhandy" class="hell">
- <button name="bkuButton" type="button">HANDY</button>
- </div>
- </a>
+ <!-- [OPTIONAL] Um die Online BKU auszublenden, kommentieren sie das folgende div (bkukarte) aus -->
+ <div id="bkukarte" class="hell">
+ <button name="bkuButton" type="button" onClick="bkuOnlineClicked();">KARTE</button>
+ </div>
+ <!-- [OPTIONAL] Um die Mobile BKU auszublenden, kommentieren sie das folgende div (bkukhandy) aus -->
+ <div id="bkuhandy" class="hell">
+ <button name="bkuButton" type="button" onClick="bkuHandyClicked();">HANDY</button>
+ </div>
- <!-- Block "HANDY+Vollnacht": Anmeldung mit Handysignatur *mit* Vollmacht (No-Script Variante) -->
- <!-- [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an (inkl. Template-URL, bkuURI und useMandate Parameter!) -->
- <!-- z.B.: https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at&Template=https://yoururl.at/moa-id-auth/template_handyBKU.html&bkuURI=https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx&useMandate=true -->
- <!-- <a href="[MOA_ID_STARTAUTHENTICATION]&Template=[URL_TO_HANDYSIGNATUR_TEMPLATE]&bkuURI=https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx&useMandate=true">
- <div id="bkuhandy" class="hell">
- <button name="bkuButton" type="button">HANDY</button>
- </div>
- </a> -->
-
- </noscript>
-
- <script>
- <!-- [OPTIONAL] Um die Online BKU auszublenden, kommentieren sie folgende drei Zeilen aus aus -->
- document.write("<div id=\"bkukarte\" class=\"hell\">");
- document.write("<button name=\"bkuButton\" type=\"button\" onClick=\"bkuOnlineClicked();\">KARTE</button>");
- document.write("</div>");
-
- <!-- [OPTIONAL] Um die Handysignatur auszublenden, kommentieren sie folgende drei Zeilen aus aus -->
- document.write("<div id=\"bkuhandy\" class=\"hell\">");
- document.write("<button name=\"bkuButton\" type=\"button\" onClick=\"bkuHandyClicked();\">HANDY</button>");
- document.write("</div>");
-
- <!-- [OPTIONAL] Um die Anmeldung mit Vollmachten auszublenden, kommentieren Sie folgende fünf Zeilen aus -->
- document.write("<div id=\"mandate\">");
- document.write("<input type=\"checkbox\" name=\"Mandate\" style=\"vertical-align: middle; margin-right: 5px;\" id=\"mandateCheckBox\">");
- document.write("<label>in Vertretung anmelden</label>");
- document.write(" <a href=\"info_mandates.html\" target=\"_blank\" class=\"infobutton\" style=\"color:#FFF\">i</a>");
- document.write("</div> ");
- </script>
+ <!-- [OPTIONAL] Um die Anmeldung mit Vollmachten auszublenden, kommentieren Sie das folgende div (mandate) aus -->
+ <div id="mandate">
+ <input type="checkbox" name="Mandate" style="vertical-align: middle; margin-right: 5px;" id="mandateCheckBox">
+ <label>in Vertretung anmelden</label>
+ <a href="info_mandates.html" target="_blank" class="infobutton" style="color:#FFF">i</a>
+ </div>
</div>
@@ -178,10 +137,14 @@
<div id="localBKU" style="display:none" class="hell">
<hr>
+ <!-- [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an -->
+ <!-- z.B.: action="https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at"-->
<form method="post" id="moaidform">
<input type="hidden" name="show" value="false">
+ <!-- [MUSS] Geben Sie hier die URL zum MOA-ID Template fuer die lokale BKU an -->
+ <!-- z.B.: value="https://yoururl.at/moa-id-auth/template_localBKU.html"-->
<input type="hidden" name="Template" id="Template">
- <input type="hidden" name="bkuURI" value="https://127.0.0.1:3496/https-security-layer-request">
+ <input type="hidden" name="bkuURI" value="https://localhost:3496/https-security-layer-request">
<input type="hidden" name="useMandate" id="useMandate">
<input type="submit" size="400" value="Lokale BKU" class="sendButton">
</form>
@@ -197,11 +160,9 @@
<div id="navlist" class="hell">
<ul>
<li>
- <a href="http://www.buergerkarte.at" target="_blank">B&uuml;rgerkarte.at</a>
- </li>
+ <a href="http://www.buergerkarte.at" target="_blank">B&uuml;rgerkarte.at</a> </li>
<li>
- <a href="http://www.digitales.oesterreich.gv.at/" target="_blank">Digitales &Ouml;sterreich</a>
- </li>
+ <a href="http://www.digitales.oesterreich.gv.at/" target="_blank">Digitales &Ouml;sterreich</a> </li>
<li>
<a href="http://www.a-sit.at/" target="_blank">A-SIT</a>
</li>
@@ -217,7 +178,10 @@
<div id="rightcontent">
<p>
- <a href="http://www.buergerkarte.at/aktivieren.de.php" target="_blank"><img src="img/bk_aktivieren.jpg" border="0" alt="B6uuml;rgerkarte aktivieren" width="210"></a>
+ <a href="http://www.buergerkarte.at/de/aktivieren/online.html" target="_blank"><img src="img/ecard_aktivieren.jpg" border="0" alt="eCard online aktivieren" width="210"></a>
+ </p>
+ <p>
+ <a href="http://www.buergerkarte.at/de/aktivieren/mobil.html" target="_blank"><img src="img/mobilsig_aktivieren.jpg" border="0" alt="Mobile Signatur aktivieren" width="210"></a>
</p>
</div>
diff --git a/id/server/auth/src/main/webapp/info_bk.html b/id/server/auth/src/main/webapp/info_bk.html
index 59aea64cb..f15501a80 100644
--- a/id/server/auth/src/main/webapp/info_bk.html
+++ b/id/server/auth/src/main/webapp/info_bk.html
@@ -42,42 +42,38 @@
</p>
<ul>
<li>
- eine Chipkarte, die f&uuml;r die Verwendung als B&uuml;rgerkarte geeignet ist, wie zum Beispiel Ihre e-card, Bankomatkarte oder Signaturkarte von A-Trust
- </li>
+ eine Chipkarte, die f&uuml;r die Verwendung als B&uuml;rgerkarte geeignet ist, wie zum Beispiel Ihre e-card, Bankomatkarte oder Signaturkarte von a-trust oder ein Mobiltelefon, das zur Nutzung als Handy BKU (B&uuml;rgerkartenumgebung) registriert ist.
+ </li>
<li>
einen Kartenleser mit den dazugeh&ouml;rigen Treibern
</li>
<li>
eine B&uuml;rgerkartensoftware (BKU)
</li>
- </ul>
- <p>&nbsp;</p>
- <p>oder</p>
- <ul>
- <li>
- ein Mobiltelefon, das zur Nutzung als Handysignatur registriert ist.
- </li>
</ul>
-<p>&nbsp;
- </p>
-<p>Als B&uuml;rgerkartensoftware stehen Ihnen folgende drei Varianten zur Verf&uuml;gung:
- </p>
+ <p>
+ Als B&uuml;rgerkartensoftware stehen folgende drei Varianten zur Verf&uuml;gung:
+ </p>
<ul>
- <li><i>Lokale BKU</i>: Diese Software wird lokal auf Ihrem Computer installiert. Die Software finden sie unter <a href="http://www.buergerkarte.at/download.de.php" target="_blank">http://www.buergerkarte.at/download.de.php</a>
+ <li><i>Lokale BKU</i>: Diese Software wird lokal auf Ihrem Computer installiert. Die Software finden sie unter <a href="http://www.buergerkarte.at/de/voraussetzungen/software.html" target="_blank">http://www.buergerkarte.at/de/voraussetzungen/software.html</a>
</li>
- <li><i>Online BKU</i>: Mit der Online BKU wird keine lokale B&uuml;rgerkartensoftware am PC ben&ouml;tigt. &Uuml;ber JAVA Technologien werden die ben&ouml;tigten Funktionen als Applet im Browser ausgef&uuml;hrt. Einzige Voraussetzung ist eine aktuelle JAVA Version (ab Java 6).
- </li>
- <li><i>Handysignatur</i>: Mit der Handysignatur k&ouml;nnen Sie sich mittels ihres Mobiltelefons anmelden. Voraussetzung ist eine vorherige Registrierung. Mehr Informationen hierzu finden Sie auf: <a href="https://www.handy-signatur.at/" target="_blank">https://www.handy-signatur.at/</a><br>
- <br>
- <b>Informationen zur B&uuml;rgerkarte finden Sie hier:</b>
+ <li><i>Online-BKU</i>: Mit der Online-BKU wird keine lokale B&uuml;rgerkartensoftware am PC ben&ouml;tigt. &Uuml;ber JAVA Technologien werden die ben&ouml;tigten Funktionen als Applet im Browser ausgef&uuml;hrt. Einzige Voraussetzung ist eine aktuelle JAVA Version (ab Java 6).
</li>
+ <li><i>Mobile BKU</i>: Mit der mobilen BKU k&ouml;nnen sie mittels ihres Mobiltelefons. Voraussetzung ist eine vorherige Registrierung. Mehr Informationen hierzu finden Sie auf <a href="http://www.a-trust.at/mobile/" target="_blank">http://www.a-trust.at/mobile/</a><br>
+ <b>Hinweis:</b><br>
+ Wenn das JAVA-Applet nicht funktioniert (bei einer &auml;lteren JAVA Version als Java 6 oder bei einem nicht unterst&uuml;tzten Browser), m&uuml;ssen Sie die lokale BKU installieren und dann &uuml;ber die Button &quot;Login mit B&uuml;rgerkarte&quot; und &quot;Lokale BKU&quot; einsteigen.
+ </li>
</ul>
+ <p>
+ <br>
+ <b>Informationen zur B&uuml;rgerkarte finden Sie hier:</b>
+ </p>
<ul>
- <li>
+ <li>
<a href="http://www.digitales.oesterreich.gv.at" target="_blank">Digitales &Ouml;sterreich</a>: Informationen rund um E-Government
</li>
<li>
- <a href="http://www.buergerkarte.at" target="_blank">B&uuml;rgerkarte</a>: Informationen zur B&uuml;rgerkarte
+ <a href="http://www.buergerkarte.at" target="_blank">B&uuml;rgerkarte</a>: Einfach verst&auml;ndliche Informationen zur B&uuml;rgerkarte
</li>
</ul>
<p>
diff --git a/id/server/auth/src/main/webapp/template_handyBKU.html b/id/server/auth/src/main/webapp/template_handyBKU.html
index 0ad73a6f3..6ccd295b2 100644
--- a/id/server/auth/src/main/webapp/template_handyBKU.html
+++ b/id/server/auth/src/main/webapp/template_handyBKU.html
@@ -10,10 +10,9 @@
}
</script>
</head>
- <body onLoad="onAnmeldeSubmit()">
- <form name="CustomizedForm" action="<BKU>" method="post" enctype="multipart/form-data<>">
- Falls Sie nicht automatisch weitergeleitet werden klicken Sie bitte hier:
- <input class="button" type="submit" value="Starte Anmeldung" name="Senden">
+ <body onLoad="onAnmeldeSubmit()">
+ <form name="CustomizedForm" action="<BKU>" method="post" enctype="multipart/form-data<>">
+ <input class="button" type="hidden" value="Starte Authentisierung" name="Senden">
<input type="hidden" name="XMLRequest" value="<XMLRequest>">
<input type="hidden" name="DataURL" value="<DataURL>">
<input type="hidden" name="PushInfobox" value="<PushInfobox>">
diff --git a/id/server/auth/src/main/webapp/template_localBKU.html b/id/server/auth/src/main/webapp/template_localBKU.html
index f197d2c5c..e07ba5d52 100644
--- a/id/server/auth/src/main/webapp/template_localBKU.html
+++ b/id/server/auth/src/main/webapp/template_localBKU.html
@@ -10,10 +10,9 @@
}
</script>
</head>
- <body onLoad="onAnmeldeSubmit()">
+ <body onLoad="onAnmeldeSubmit()">
<form name="CustomizedForm" action="<BKU>" method="post" enctype="multipart/form-data<>">
- Falls Sie nicht automatisch weitergeleitet werden klicken Sie bitte hier:
- <input class="button" type="submit" value="Starte Anmeldung" name="Senden">
+ <input class="button" type="submit" value="Starte Authentisierung" name="Senden">
<input type="hidden" name="XMLRequest" value="<XMLRequest>">
<input type="hidden" name="DataURL" value="<DataURL>">
<input type="hidden" name="PushInfobox" value="<PushInfobox>">
diff --git a/id/server/auth/src/main/webapp/template_onlineBKU.html b/id/server/auth/src/main/webapp/template_onlineBKU.html
index 565955538..1bb2ac236 100644
--- a/id/server/auth/src/main/webapp/template_onlineBKU.html
+++ b/id/server/auth/src/main/webapp/template_onlineBKU.html
@@ -10,10 +10,9 @@
}
</script>
</head>
- <body onLoad="onAnmeldeSubmit()">
+ <body onLoad="onAnmeldeSubmit()">
<form name="CustomizedForm" action="<BKU>" method="post" enctype="multipart/form-data<>">
- Falls Sie nicht automatisch weitergeleitet werden klicken Sie bitte hier:
- <input class="button" type="hidden" value="Starte Anmeldung" name="Senden">
+ <input class="button" type="hidden" value="Starte Authentisierung" name="Senden">
<input type="hidden" name="XMLRequest" value="<XMLRequest>">
<input type="hidden" name="DataURL" value="<DataURL>">
<input type="hidden" name="PushInfobox" value="<PushInfobox>">
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index a68dca65a..b8fa4f412 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -501,16 +501,19 @@ public class AuthenticationServer implements MOAIDAuthConstants {
// check if an identity link was found
// Errorcode 2911 von Trustdesk BKU (nicht spezifikationskonform (SL1.2))
- CharSequence se = "ErrorCode>2911".substring(0);
- boolean b = xmlInfoboxReadResponse.contains(se);
- if (b) { // no identity link found
+ //CharSequence se = "ErrorCode>2911".substring(0);
+ //boolean b = xmlInfoboxReadResponse.contains(se);
+ String se = "ErrorCode>2911";
+ int b = xmlInfoboxReadResponse.indexOf(se);
+ if (b!=-1) { // no identity link found
Logger.info("Es konnte keine Personenbindung auf der Karte gefunden werden. Versuche Anmeldung als ausländische eID.");
return null;
}
// spezifikationsgemäßer (SL1.2) Errorcode
se = "ErrorCode>4002";
- b = xmlInfoboxReadResponse.contains(se);
- if (b) { // Unbekannter Infoboxbezeichner
+ //b = xmlInfoboxReadResponse.contains(se);
+ b = xmlInfoboxReadResponse.indexOf(se);
+ if (b!=-1) { // Unbekannter Infoboxbezeichner
Logger.info("Unbekannter Infoboxbezeichner. Versuche Anmeldung als ausländische eID.");
return null;
}
@@ -1659,6 +1662,12 @@ public class AuthenticationServer implements MOAIDAuthConstants {
Element mandatePerson = tempIdentityLink.getPrPerson();
+ try {
+ System.out.println("MANDATE: " + DOMUtils.serializeNode(mandatePerson));
+ }
+ catch(Exception e) {
+ e.printStackTrace();
+ }
String mandateData = null;
try {
OAAuthParameter oaParam =
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
index 2e20f483c..cb3ed5ad9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
@@ -251,8 +251,8 @@ public class IdentityLinkAssertionParser {
String familyname = XPathUtils.getElementValue(assertionElem, PERSON_FAMILY_NAME_XPATH, "");
// replace ' in name with &#39;
- givenname = givenname.replace("'", "&#39;");
- familyname = familyname.replace("'", "&#39;");
+ givenname = givenname.replaceAll("'", "&#39;");
+ familyname = familyname.replaceAll("'", "&#39;");
identityLink.setGivenName(givenname);
identityLink.setFamilyName(familyname);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 49105b306..dfad29e50 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -97,7 +97,7 @@ public class CreateXMLSignatureResponseValidator {
throw new ValidateException("validator.32", null);
}
// replace ' in name with &#39;
- issuer = issuer.replace("'", "&#39;");
+ issuer = issuer.replaceAll("'", "&#39;");
String issueInstant = samlAssertion.getAttribute("IssueInstant");
if (!issueInstant.equals(session.getIssueInstant())) {
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerExtended.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerExtended.java
new file mode 100644
index 000000000..ab9c01daa
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerExtended.java
@@ -0,0 +1,111 @@
+package at.gv.egovernment.moa.spss;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.Iterator;
+import java.util.List;
+
+import at.gv.egovernment.moa.logging.Logger;
+
+
+public class MOASecurityManagerExtended extends SecurityManager {
+
+ private List blacklist;
+ private boolean allowExternalUris;
+
+ public MOASecurityManagerExtended(boolean allowExternalUris, List blacklist) {
+ this.blacklist = blacklist;
+ this.allowExternalUris = allowExternalUris;
+ }
+
+
+ /**
+ * Overwrite checkConnect methods with blacklist check
+ */
+
+ public void checkConnect(String host, int port, Object context) {
+ Logger.debug("checkConnect: " + host + ":" + port);
+ if (!checkURI(host, port))
+ throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
+ else {
+ Logger.debug("Perform checkConnect of given SecurityManager");
+ super.checkConnect(host, port, context);
+ }
+ }
+
+ public void checkConnect(String host, int port) {
+ Logger.debug("checkConnect: " + host + ":" + port);
+ if (!checkURI(host, port))
+ throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
+ else {
+ Logger.debug("Perform checkConnect of given SecurityManager");
+ super.checkConnect(host, port);
+ }
+ }
+
+ private boolean checkURI(String host, int port) {
+ if (allowExternalUris) {
+ Iterator it = blacklist.iterator();
+ while (it.hasNext()) {
+ String[] array = (String[])it.next();
+ String bhost = array[0];
+ String bport = array[1];
+ if (bport == null) {
+ // check only host
+ if (bhost.equalsIgnoreCase(host)) {
+ Logger.debug("Security check: " + host + " blacklisted");
+ return false;
+ }
+ }
+ else {
+ // check host and port
+ int iport = new Integer(bport).intValue();
+ if (bhost.equalsIgnoreCase(host) && (iport == port)) {
+ Logger.debug("Security check: " + host + ":" + port + " blacklisted");
+ return false;
+ }
+
+ }
+ }
+
+ Logger.debug("Security check: " + host + ":" + port + " allowed");
+ return true;
+ }
+ else {
+ String localhost = getLocalhostName();
+ if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) {
+ Logger.debug("Security check: localhost name allowed");
+ return true;
+ }
+
+ Logger.debug("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)");
+ return false;
+ }
+ }
+ private String getLocalhostName() {
+ try {
+ // save current SecurityManager
+ SecurityManager sm = System.getSecurityManager();
+ // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop)
+ System.setSecurityManager(null);
+
+ InetAddress localhostaddress = InetAddress.getLocalHost();
+ String localhost = localhostaddress.getHostName();
+
+ // set previously saved SecurityManager
+ System.setSecurityManager(sm);
+
+ return localhost;
+
+ }
+ catch (UnknownHostException e) {
+ Logger.debug("UnknownHostExeption: Returns \"localhost\" as name for localhost");
+ return "localhost";
+ }
+ }
+
+
+ /**
+ * Don't overwrite other methods
+ */
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerSimple.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerSimple.java
new file mode 100644
index 000000000..361a75e4c
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerSimple.java
@@ -0,0 +1,165 @@
+package at.gv.egovernment.moa.spss;
+
+import java.io.FileDescriptor;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.security.Permission;
+import java.util.Iterator;
+import java.util.List;
+
+import at.gv.egovernment.moa.logging.Logger;
+
+public class MOASecurityManagerSimple extends SecurityManager {
+
+ private List blacklist;
+ private boolean allowExternalUris;
+
+
+ public MOASecurityManagerSimple(boolean allowExternalUris, List blacklist) {
+ this.blacklist = blacklist;
+ this.allowExternalUris = allowExternalUris;
+ }
+
+ /**
+ * Overwrite checkConnect methods with blacklist check
+ */
+
+ public void checkConnect(String host, int port, Object context) {
+ //Logger.debug("checkConnect: " + host + ":" + port);
+ if (!checkURI(host, port))
+ throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
+ }
+
+ public void checkConnect(String host, int port) {
+ //Logger.debug("checkConnect: " + host + ":" + port);
+ if (!checkURI(host, port))
+ throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
+ }
+
+ private boolean checkURI(String host, int port) {
+ if (allowExternalUris) {
+ Iterator it = blacklist.iterator();
+ while (it.hasNext()) {
+ String[] array = (String[])it.next();
+ String bhost = array[0];
+ String bport = array[1];
+ if (bport == null) {
+ // check only host
+ if (bhost.equalsIgnoreCase(host)) {
+ //Logger.debug("Security check: " + host + " blacklisted");
+ return false;
+ }
+ }
+ else {
+ // check host and port
+ int iport = new Integer(bport).intValue();
+ if (bhost.equalsIgnoreCase(host) && (iport == port)) {
+ //Logger.debug("Security check: " + host + ":" + port + " blacklisted");
+ return false;
+ }
+
+ }
+ }
+
+ //Logger.debug("Security check: " + host + ":" + port + " allowed");
+ return true;
+ }
+ else {
+ String localhost = getLocalhostName();
+ if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) {
+ //Logger.debug("Security check: localhost name allowed");
+ return true;
+ }
+
+ //Logger.debug("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)");
+ return false;
+ }
+ }
+
+ private String getLocalhostName() {
+ try {
+ // save current SecurityManager
+ SecurityManager sm = System.getSecurityManager();
+ // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop)
+ System.setSecurityManager(null);
+
+ InetAddress localhostaddress = InetAddress.getLocalHost();
+ String localhost = localhostaddress.getHostName();
+
+ // set previously saved SecurityManager
+ System.setSecurityManager(sm);
+
+ return localhost;
+
+ }
+ catch (UnknownHostException e) {
+ //Logger.debug("UnknownHostExeption: Returns \"localhost\" as name for localhost");
+ return "localhost";
+ }
+ }
+
+
+ /**
+ * Overwrite all other methods by doing nothing (as no SecurityManager is set initially)
+ */
+
+ public void checkAccept(String host, int port) {
+ }
+ public void checkAccess(Thread t) {
+ }
+ public void checkAccess(ThreadGroup g) {
+ }
+ public void checkAwtEventQueueAccess() {
+ }
+ public void checkCreateClassLoader() {
+ }
+ public void checkDelete(String file) {
+ }
+ public void checkExec(String cmd) {
+ }
+ public void checkExit(int status) {
+ }
+ public void checkLink(String lib) {
+ }
+ public void checkListen(int port) {
+ }
+ public void checkMemberAccess(Class arg0, int arg1) {
+ }
+ public void checkMulticast(InetAddress maddr, byte ttl) {
+ }
+ public void checkMulticast(InetAddress maddr) {
+ }
+ public void checkPackageAccess(String pkg) {
+ }
+ public void checkPackageDefinition(String pkg) {
+ }
+ public void checkPermission(Permission perm, Object context) {
+ }
+ public void checkPermission(Permission perm) {
+ }
+ public void checkPrintJobAccess() {
+ }
+ public void checkPropertiesAccess() {
+ }
+ public void checkPropertyAccess(String key) {
+ }
+ public void checkRead(FileDescriptor fd) {
+ }
+ public void checkRead(String file, Object context) {
+ }
+ public void checkRead(String file) {
+ }
+ public void checkSecurityAccess(String target) {
+ }
+ public void checkSetFactory() {
+ }
+ public void checkSystemClipboardAccess() {
+ }
+ public void checkWrite(FileDescriptor fd) {
+ }
+ public void checkWrite(String file) {
+ }
+
+
+
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
index 9078ecbfa..abc781303 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
@@ -24,6 +24,14 @@
package at.gv.egovernment.moa.spss.server.config;
+import iaik.asn1.structures.Name;
+import iaik.ixsil.exceptions.URIException;
+import iaik.ixsil.util.URI;
+import iaik.pki.pathvalidation.ChainingModes;
+import iaik.pki.revocation.RevocationSourceTypes;
+import iaik.utils.RFC2253NameParser;
+import iaik.utils.RFC2253NameParserException;
+
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
@@ -45,25 +53,15 @@ import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Attr;
import org.w3c.dom.Element;
import org.w3c.dom.traversal.NodeIterator;
-
import org.xml.sax.SAXException;
-import iaik.asn1.structures.Name;
-import iaik.ixsil.exceptions.URIException;
-import iaik.ixsil.util.URI;
-import iaik.pki.pathvalidation.ChainingModes;
-import iaik.pki.revocation.RevocationSourceTypes;
-import iaik.utils.RFC2253NameParser;
-import iaik.utils.RFC2253NameParserException;
-
import at.gv.egovernment.moa.logging.LogMsg;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.util.MessageProvider;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.XPathUtils;
-import at.gv.egovernment.moa.spss.util.MessageProvider;
-
/**
* A class that builds configuration data from a DOM based representation.
*
@@ -103,6 +101,14 @@ public class ConfigurationPartsBuilder {
private static final String HARDWARE_CRYPTO_MODULE_XPATH =
ROOT + CONF + "Common/"
+ CONF + "HardwareCryptoModule";
+ private static final String PERMIT_EXTERNAL_URIS_XPATH =
+ ROOT + CONF + "Common/"
+ + CONF + "PermitExternalUris";
+ private static final String BLACK_LIST_URIS_XPATH =
+ ROOT + CONF + "Common/"
+ + CONF + "PermitExternalUris/"
+ + CONF + "BlackListUri";
+
private static final String HARDWARE_KEY_XPATH =
ROOT + CONF + "SignatureCreation/"
+ CONF + "KeyModules/"
@@ -370,6 +376,52 @@ public class ConfigurationPartsBuilder {
return modules;
}
+
+ /**
+ *
+ * @return
+ */
+ public boolean allowExternalUris() {
+ Element permitExtUris = (Element)XPathUtils.selectSingleNode(getConfigElem(), PERMIT_EXTERNAL_URIS_XPATH);
+
+ // if PermitExternalUris element does not exist - don't allow external uris
+ if (permitExtUris == null)
+ return false;
+ else
+ return true;
+
+ }
+
+ /**
+ *
+ * @return
+ */
+ public List buildPermitExternalUris() {
+ if (!allowExternalUris())
+ return null;
+
+ List blacklist = new ArrayList();
+
+ NodeIterator permitExtIter = XPathUtils.selectNodeIterator(
+ getConfigElem(),
+ BLACK_LIST_URIS_XPATH);
+
+ Element permitExtElem = null;
+ while ((permitExtElem = (Element) permitExtIter.nextNode()) != null) {
+ String host = getElementValue(permitExtElem, CONF + "Host", null);
+ String port = getElementValue(permitExtElem, CONF + "Port", null);
+
+ //System.out.println("Host:Port = " + host + ":" + port);
+
+ String array[] = new String[2];
+ array[0] = host;
+ array[1] = port;
+ blacklist.add(array);
+
+ }
+
+ return blacklist;
+ }
/**
* Build the configured hardware keys.
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
index 51ddf0811..9e0a7fd53 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
@@ -33,7 +33,9 @@ import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.math.BigInteger;
+import java.net.InetAddress;
import java.net.URL;
+import java.net.UnknownHostException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
@@ -46,6 +48,8 @@ import org.w3c.dom.Element;
import at.gv.egovernment.moa.logging.LogMsg;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.MOASecurityManagerExtended;
+import at.gv.egovernment.moa.spss.MOASecurityManagerSimple;
import at.gv.egovernment.moa.spss.util.MessageProvider;
import at.gv.egovernment.moa.util.DOMUtils;
@@ -240,6 +244,16 @@ public class ConfigurationProvider
private Map crlRetentionIntervals;
/**
+ * Indicates wether external URIs are allowed or not
+ */
+ private boolean allowExternalUris_;
+
+ /**
+ * A <code>List</code> of black listed URIs (host and port)
+ */
+ private List blackListedUris_;
+
+ /**
* Return the single instance of configuration data.
*
* @return MOAConfigurationProvider The current configuration data.
@@ -354,6 +368,13 @@ public class ConfigurationProvider
warnings = new ArrayList(builder.getWarnings());
permitFileURIs = builder.getPermitFileURIs();
crlRetentionIntervals = builder.getCrlRetentionIntervals();
+
+ allowExternalUris_= builder.allowExternalUris();
+
+ if (allowExternalUris_)
+ blackListedUris_ = builder.buildPermitExternalUris();
+ else
+ blackListedUris_ = null;
// Set set = crlRetentionIntervals.entrySet();
// Iterator i = set.iterator();
@@ -361,8 +382,37 @@ public class ConfigurationProvider
// Map.Entry me = (Map.Entry)i.next();
// System.out.println("Key: " + me.getKey() + " - Value: " + me.getValue() );
// }
+
+
+ // set SecurityManager for permitting/disallowing external URIs
+ SecurityManager sm = System.getSecurityManager();
+ if (sm == null) {
+ // no security manager exists - create a new one
+ //Logger.debug(new LogMsg("Create new MOASecurityManagerSimple"));
+ sm = new MOASecurityManagerSimple(allowExternalUris_, blackListedUris_);
+
+
+ //Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple"));
+ System.setSecurityManager(sm);
+
+ }
+ else {
+ String classname = sm.getClass().getName();
+ if (!classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.MOASecurityManagerSimple") &&
+ !classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.MOASecurityManagerExtended")) {
+ // if SecurityManager is not already a MOASecurityManager
+
+ // Logger.debug(new LogMsg("Create new MOASecurityManagerExtended (including existing SecurityManager)"));
+ sm = new MOASecurityManagerExtended(allowExternalUris_, blackListedUris_);
+
+ //Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple"));
+ System.setSecurityManager(sm);
+ }
+ //Logger.debug(new LogMsg("No new MOASecurityManager instantiated"));
+ }
+
} catch (Throwable t) {
throw new ConfigurationException("config.11", null, t);
} finally {
@@ -637,8 +687,8 @@ public class ConfigurationProvider
MessageProvider msg = MessageProvider.getInstance();
Logger.info(new LogMsg(msg.getMessage(messageId, parameters)));
}
-
- /**
+
+ /**
* Log a warning.
*
* @param messageId The message ID.