authorThomas Lenz <tlenz@iaik.tugraz.at>2014-06-06 13:48:09 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-06-06 13:48:09 +0200
commit0334cd30ddd9719b0801a274250be8476e0e95be (patch)
tree9a804b25974cd012b98eaa6bc50e209416edf0d8
parentc1f3b45adb46f2a7a2c93df278d2b8189eb2fc91 (diff)
downloadmoa-id-spss-0334cd30ddd9719b0801a274250be8476e0e95be.tar.gz
moa-id-spss-0334cd30ddd9719b0801a274250be8476e0e95be.tar.bz2
moa-id-spss-0334cd30ddd9719b0801a274250be8476e0e95be.zip
solve some SLO bugs
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java2
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Index.java85
2 files changed, 44 insertions, 43 deletions
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
index 24ba26a59..65a4ab2a7 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
@@ -244,7 +244,7 @@ public class BuildMetadata extends HttpServlet {
//set Single Log-Out service
SingleLogoutService sloService = SAML2Utils.createSAMLObject(SingleLogoutService.class);
- sloService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+ sloService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
sloService.setLocation(serviceURL + Constants.SERVLET_PVPSINGLELOGOUT);
spSSODescriptor.getSingleLogoutServices().add(sloService);
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Index.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Index.java
index c68ea9b1f..666ecaeee 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Index.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Index.java
@@ -41,7 +41,11 @@ import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
+import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
+import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
+import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
+import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
@@ -61,6 +65,9 @@ import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCredentialResolverFactory;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.ws.security.SecurityPolicyResolver;
+import org.opensaml.ws.security.provider.BasicSecurityPolicy;
+import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.parse.BasicParserPool;
@@ -114,31 +121,27 @@ public class Index extends HttpServlet {
return;
}
- if (method.equals("POST")) {
+ if (method.equals("GET")) {
try {
Configuration config = Configuration.getInstance();
//Decode with HttpPost Binding
- HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
- BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
+ HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(
+ new BasicParserPool());
+ BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
messageContext
- .setInboundMessageTransport(new HttpServletRequestAdapter(
- request));
+ .setInboundMessageTransport(new HttpServletRequestAdapter(request));
+
decode.decode(messageContext);
-
- SignableXMLObject samlResponse = (SignableXMLObject) messageContext.getInboundMessage();
-
- Signature sign = samlResponse.getSignature();
- if (sign == null) {
- log.info("Only http POST Requests can be used");
- bean.setErrorMessage("Only http POST Requests can be used");
- setAnser(request, response, bean);
- return;
- }
- //Validate Signature
- SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
- profileValidator.validate(sign);
+ messageContext.setMetadataProvider(config.getMetaDataProvier());
+ CriteriaSet criteriaSet = new CriteriaSet();
+ criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
+ criteriaSet.add(new EntityIDCriteria(config.getPVP2IDPMetadataEntityName()));
+ criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
+
+ MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();
+ MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(config.getMetaDataProvier());
//Verify Signature
List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
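Review bot: The comment `//Decode with HttpPost Binding` on the new side now sits directly above an HTTPRedirectDeflateDecoder, so it documents the binding this branch no longer uses; change it to `//Decode with HTTP-Redirect (DEFLATE) binding`. A one-line comment above the CriteriaSet block saying why the metadata criteria are built before the signature check (they select the IDP signing key for the trust engine) would also help, since the same lines used to sit next to the trustEngine call. The enclosing request-handling method starts and ends outside this hunk.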
@@ -149,17 +152,28 @@ public class Index extends HttpServlet {
KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
keyInfoProvider);
- MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();
- MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(config.getMetaDataProvier());
-
- CriteriaSet criteriaSet = new CriteriaSet();
- criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
- criteriaSet.add(new EntityIDCriteria(config.getPVP2IDPMetadataEntityName()));
- criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
-
+
ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
- trustEngine.validate(sign, criteriaSet);
+
+ SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
+ trustEngine);
+ SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
+ BasicSecurityPolicy policy = new BasicSecurityPolicy();
+ policy.getPolicyRules().add(signatureRule);
+ policy.getPolicyRules().add(signedRole);
+ SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
+ policy);
+ messageContext.setSecurityPolicyResolver(resolver);
+
+ messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
+
+ signatureRule.evaluate(messageContext);
+
+ SignableXMLObject samlResponse = (SignableXMLObject) messageContext.getInboundMessage();
+
+
+
log.info("PVP2 statusrequest or statusresponse is valid");
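Review bot: After `signatureRule.evaluate(messageContext);` the code goes straight on to log that the message is valid without checking `messageContext.isInboundSAMLMessageAuthenticated()`; as far as I recall, OpenSAML 2's simple-signature rules skip a request that carries no Signature parameter instead of failing it, so an unsigned redirect message now reaches the "valid" path, whereas the removed `sign == null` guard rejected it. Add `if (!messageContext.isInboundSAMLMessageAuthenticated()) { bean.setErrorMessage("SAML message is not signed"); setAnser(request, response, bean); return; }` right after the evaluate call. Separately, the SecurityPolicyResolver is attached to the context only after `decode.decode(messageContext)` already ran in the preceding hunk, so the BasicSecurityPolicy, including `signedRole`, is never evaluated by the decoder; either set the resolver before decoding or drop the policy and keep only the explicit evaluate call (SAML2AuthnRequestsSignedRule also appears to target AuthnRequest rather than the logout messages handled here). The local `signedRole` looks like a typo for `signedRule`. The enclosing method continues outside the hunk.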
@@ -232,7 +246,7 @@ public class Index extends HttpServlet {
idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleLogoutServices()) {
//Get the service address for the binding you wish to use
- if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
+ if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
redirectEndpoint = sss;
}
}
@@ -251,20 +265,7 @@ public class Index extends HttpServlet {
signer.setSigningCredential(authcredential);
sloResp.setSignature(signer);
- //generate Http-POST Binding message
- VelocityEngine engine = new VelocityEngine();
- engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
- engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
- engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
- engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
- engine.setProperty("classpath.resource.loader.class",
- "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
- engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS,
- "org.apache.velocity.runtime.log.SimpleLog4JLogSystem");
- engine.init();
-
- HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
- "templates/pvp_postbinding_template.html");
+ HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
response, true);
BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();