authorThomas Lenz <tlenz@iaik.tugraz.at>2014-05-15 09:08:44 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-05-15 09:08:44 +0200
commitaae0d003526cb8665df93bb715ba126dd12a473d (patch)
tree8de60c929677823f5af2c2e74a01c2bb657ff435
parent67a903a6a33bd8b40e84a12a3ba9c556eb0eb275 (diff)
add additional errorcodes if SAML request validation failed
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java20
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java29
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java2
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties3
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties (renamed from id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes.properties)3
9 files changed, 57 insertions, 18 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 4eba83ad5..a3827ab73 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -36,6 +36,7 @@ import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
@@ -56,6 +57,7 @@ import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl;
+import at.gv.egovernment.moa.id.util.ErrorResponseUtils;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.id.util.legacy.LegacyHelper;
@@ -310,11 +312,23 @@ public class DispatcherServlet extends AuthServlet{
StatisticLogger logger = StatisticLogger.getInstance();
logger.logErrorOperation(e, e.getErrorRequest());
return;
-
- } catch (MOAIDException e) {
+
+ }catch (InvalidProtocolRequestException e) {
+ ErrorResponseUtils utils = ErrorResponseUtils.getInstance();
+ String code = utils.mapInternalErrorToExternalError(e.getMessageId());
+ String descr = e.getMessage();
+ Logger.error("Protocol validation FAILED!");
+ resp.setContentType("text/html;charset=UTF-8");
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Protocol validation FAILED!" +
+ "(Errorcode=" + code +
+ " | Description=" + descr + ")");
+ return;
+ } catch (MOAIDException e) {
Logger.error("Failed to generate a valid protocol request!");
resp.setContentType("text/html;charset=UTF-8");
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!");
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!" +
+ "(Errorcode=6000"
+ +" | Description=Das Authentifizierungsprotokoll wurde nicht erkannt oder wird nicht unterst\u00FCzt" + ")");
return;
}
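Review bot: In the new InvalidProtocolRequestException branch `descr` is `e.getMessage()`, and for code pvp2.22 that text presumably embeds the OpenSAML SecurityException message (see the PVP2XProtocol hunk), so library-level validation detail derived from the incoming request is written into a text/html error body via `sendError`; whether the servlet container HTML-escapes that message is not visible here, and the detail is of no use to a legitimate service provider. I would return only the mapped code with a fixed description, e.g. `resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Protocol validation FAILED! (Errorcode=" + code + ")");`, and keep the full text in the server-side log that is already written on the line above. The MOAIDException branch below hard-codes `Errorcode=6000` and a German description (with the typo `unterst\u00FCzt`) instead of resolving both through the same ErrorResponseUtils lookup, so it will drift from the properties files. The enclosing method starts and ends outside the hunk.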
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 8732409b5..863bfe501 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -22,8 +22,6 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x;
-import iaik.pkcs.pkcs11.objects.Object;
-
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
@@ -52,12 +50,15 @@ import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.AttributeConsumingService;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.signature.SignableXMLObject;
import edu.emory.mathcs.backport.java.util.Arrays;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
@@ -191,16 +192,20 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
return null;
}
try {
-
InboundMessage msg = (InboundMessage) decoder.decode(request, response);
+ if (MiscUtil.isEmpty(msg.getEntityID())) {
+ throw new InvalidProtocolRequestException("pvp2.20", new Object[] {});
+
+ }
+
if(!msg.isVerified()) {
SAMLVerificationEngine engine = new SAMLVerificationEngine();
engine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine());
msg.setVerified(true);
}
-
+
if (msg instanceof MOARequest &&
((MOARequest)msg).getSamlRequest() instanceof AuthnRequest)
return preProcessAuthRequest(request, response, (MOARequest) msg);
@@ -252,9 +257,23 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
throw new MOAIDException("Unsupported PVP21 message", new Object[] {});
}
-
} catch (PVP2Exception e) {
throw e;
+
+ } catch (SecurityPolicyException e) {
+ String samlRequest = request.getParameter("SAMLRequest");
+ Logger.warn("Receive INVALID protocol request: " + samlRequest, e);
+ throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
+
+ } catch (SecurityException e) {
+ String samlRequest = request.getParameter("SAMLRequest");
+ Logger.warn("Receive INVALID protocol request: " + samlRequest, e);
+ throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()});
+
+ } catch (InvalidProtocolRequestException e) {
+ String samlRequest = request.getParameter("SAMLRequest");
+ Logger.warn("Receive INVALID protocol request: " + samlRequest, e);
+ throw e;
} catch (Throwable e) {
String samlRequest = request.getParameter("SAMLRequest");
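Review bot: The three new catch blocks repeat the same two lines (`request.getParameter("SAMLRequest")` plus the `Logger.warn(...)`), and the Throwable catch below does the same, so a small private helper would keep the four paths in step. The pvp2.22 branch also forwards `e.getMessage()` of the OpenSAML SecurityException as a message argument, which DispatcherServlet later copies into the client-facing error text; the message is already attached to the log entry, so `new Object[] {}` is enough here. Whether InvalidProtocolRequestException is itself a PVP2Exception is not visible; if it were, the first catch would already rethrow it and the dedicated catch would be unreachable. The enclosing method starts and ends outside the hunk.
```java
} catch (SecurityPolicyException e) {
    logInvalidRequest(request, e);
    throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
} catch (SecurityException e) {
    logInvalidRequest(request, e);
    throw new InvalidProtocolRequestException("pvp2.22", new Object[] {});
} catch (InvalidProtocolRequestException e) {
    logInvalidRequest(request, e);
    throw e;
// … unchanged: Throwable catch …

/** Logs a rejected request with its raw SAMLRequest parameter and the cause. */
private static void logInvalidRequest(HttpServletRequest request, Throwable e) {
    Logger.warn("Receive INVALID protocol request: " + request.getParameter("SAMLRequest"), e);
}
```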
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java
index 3094abba8..6080f8a33 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java
@@ -36,8 +36,7 @@ public class MOAURICompare implements URIComparator {
this.serviceURL = serviceURL;
}
- public boolean compare(String uri1, String uri2) {
-
+ public boolean compare(String uri1, String uri2) {
if (this.serviceURL.equals(uri1))
return true;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index f5dba014b..8fba6cde0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -148,7 +148,7 @@ public class RedirectBinding implements IDecoder, IEncoder {
.setInboundMessageTransport(new HttpServletRequestAdapter(req));
decode.decode(messageContext);
-
+
messageContext.setMetadataProvider(MOAMetadataProvider.getInstance());
SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index 048c7f14c..75332cfea 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -79,7 +79,7 @@ public class SoapBinding implements IDecoder, IEncoder {
if (!xmlElemList.isEmpty()) {
SignableXMLObject attrReq = (SignableXMLObject) xmlElemList.get(0);
MOARequest request = new MOARequest(attrReq, getSAML2BindingName());
-
+ request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID());
request.setVerified(false);
return request;
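Review bot: `messageContext.getPeerEntityMetadata()` is dereferenced without a null check on the added line; if no metadata was resolved for the peer, the result is a NullPointerException from the binding rather than the pvp2.20 error that PVP2XProtocol raises for an empty entity ID. A guard such as `EntityDescriptor peer = messageContext.getPeerEntityMetadata();` followed by `request.setEntityID(peer != null ? peer.getEntityID() : null);` keeps that case on the intended error code. The enclosing method starts outside the hunk.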
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index fde453920..6388042d9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -51,6 +51,7 @@ import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;
+import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
@@ -91,11 +92,11 @@ public class SAMLVerificationEngine {
try {
if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) {
- throw new Exception("Signature was either invalid or signing key could not be established as trusted");
+ throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
} catch (SecurityException e) {
- // Indicates processing error evaluating the signature
e.printStackTrace();
+ throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
}
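Review bot: In the new `catch (SecurityException e)` block the cause is lost: the InvalidProtocolRequestException is built with an empty argument array and `e` only goes to `e.printStackTrace()`, so the actual evaluation failure never reaches the application log; the same applies to the second hunk in this file. If InvalidProtocolRequestException has a cause-accepting constructor, pass `e` there; otherwise replace the printStackTrace with a call to the project's logger, e.g. `Logger.warn("Signature evaluation failed", e);`, before throwing. Both the validate-returned-false path and the evaluation-threw path now map to pvp2.21, which is fine for the client, but the log line should distinguish an untrusted key from a processing error. The enclosing method starts outside the hunk.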
@@ -116,11 +117,11 @@ public class SAMLVerificationEngine {
try {
if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) {
- throw new Exception("Signature was either invalid or signing key could not be established as trusted");
+ throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
} catch (SecurityException e) {
- // Indicates processing error evaluating the signature
- e.printStackTrace();
+ e.printStackTrace();
+ throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java
index 778351d1f..aff7e5057 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java
@@ -42,7 +42,7 @@ public class ErrorResponseUtils {
private static ErrorResponseUtils instance = null;
private static final String[] DEFAULT_MESSAGE_RESOURCES =
- { "resources/properties/id_messages" };
+ { "resources/properties/protocol_response_statuscodes" };
private static final Locale[] DEFAULT_MESSAGE_LOCALES =
new Locale[] { new Locale("de", "AT") };
private Messages messages = null;
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 603815154..c8cca157d 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -243,6 +243,9 @@ pvp2.16=Fehler beim verschl\u00FCsseln der PVP2 Assertion
pvp2.17=Der QAA Level {0} entspricht nicht dem angeforderten QAA Level {1}
pvp2.18=Es konnten nicht alle Single Sign-On Sessions beendet werden.
pvp2.19=Der Single LogOut Vorgang musste wegen eines unkorregierbaren Fehler abgebrochen werden.
+pvp2.20=Für die im Request angegebene EntityID konnten keine g\u00FCltigen Metadaten gefunden werden.
+pvp2.21=Die Signature des Requests konnte nicht g\u00FCltig validiert werden.
+pvp2.22=Der Request konnte nicht g\u00FCltig validiert werden (Fehler={0}).
oauth20.01=Fehlerhafte redirect url
oauth20.02=Fehlender Parameter "{0}"
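Review bot: The new `pvp2.20` entry contains a literal `ü` in `Für` while the rest of the same line and the neighbouring entries use the `\u00FC` escape (`g\u00FCltigen`); `Properties` loaded from a byte stream are read as ISO-8859-1, so the raw character is mis-decoded unless the file is saved in that encoding, and the entry should read `F\u00FCr` like the others. `pvp2.21` uses `Signature` where the rest of the file is German wording (`Signatur`).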
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index 99be5df59..2a55ea64c 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -173,6 +173,9 @@ pvp2.06=6100
pvp2.13=9199
pvp2.16=6101
pvp2.17=6102
+pvp2.20=6103
+pvp2.21=6104
+pvp2.22=6105
oauth20.01=6200
oauth20.06=1000