use different endpoints for IDP and interfederation SP

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2014-06-06 13:47:15 +0200
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2014-06-06 13:47:15 +0200
commit: 5677982c24ada5c0a56e11588b5839bc2a75b83e (patch)
tree: f6142920f704222386fff9996b3e3b019d6e0129
parent: c8a872dcffe918d9ed1e867cb9fc18f639a715b4 (diff)
download: moa-id-spss-5677982c24ada5c0a56e11588b5839bc2a75b83e.tar.gz
moa-id-spss-5677982c24ada5c0a56e11588b5839bc2a75b83e.tar.bz2
moa-id-spss-5677982c24ada5c0a56e11588b5839bc2a75b83e.zip
8 files changed, 103 insertions, 68 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
index 1085e4cbc..fec8e3b98 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
@@ -244,7 +244,7 @@ public class MetadataAction implements IAction {
 		postassertionConsumerService.setIndex(0);
 		postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
 		postassertionConsumerService.setLocation(PVPConfiguration
-				.getInstance().getIDPSSOPostService());	
+				.getInstance().getSPSSOPostService());	
 		postassertionConsumerService.setIsDefault(true);
 		spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService);
 				
@@ -253,7 +253,7 @@ public class MetadataAction implements IAction {
 		redirectassertionConsumerService.setIndex(1);
 		redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
 		redirectassertionConsumerService.setLocation(PVPConfiguration
-				.getInstance().getIDPSSORedirectService());
+				.getInstance().getSPSSORedirectService());
 		spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService);
 		
 		
@@ -269,7 +269,7 @@ public class MetadataAction implements IAction {
 		SingleLogoutService redirectSLOService = 
 				SAML2Utils.createSAMLObject(SingleLogoutService.class);			
 		redirectSLOService.setLocation(PVPConfiguration
-				.getInstance().getIDPSSOPostService());
+				.getInstance().getSPSSORedirectService());
 		redirectSLOService
 				.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
 		spSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index d9ce6250a..7f8ea91bd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -111,6 +111,11 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 	public static final String ATTRIBUTEQUERY = "AttributeQuery";
 	public static final String SINGLELOGOUT = "SingleLogOut";
 
+	public static final String ENDPOINT_IDP = "idp";
+	public static final String ENDPOINT_SP = "sp";
+	
+	public static final String PARAMETER_ENDPOINT = "endpointtype";
+	
 	private static List<IDecoder> decoder = new ArrayList<IDecoder>();
 
 	private static HashMap<String, IAction> actions = new HashMap<String, IAction>();
@@ -168,6 +173,23 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 		return null;
 	}
 
+	private boolean isServiceProviderEndPointUsed(HttpServletRequest req) throws InvalidProtocolRequestException {
+		Object obj = req.getParameter(PARAMETER_ENDPOINT);
+		if (obj instanceof String) {
+			String param = (String) obj;
+			if (MiscUtil.isNotEmpty(param)) {
+				if (ENDPOINT_IDP.equals(param))
+					return false;
+				
+				else if (ENDPOINT_SP.equals(param))
+					return true;
+			}			
+		}
+		
+		Logger.error("No valid PVP 2.1 entpoint descriptor");
+		throw new InvalidProtocolRequestException("pvp2.20", new Object[] {});
+	}
+	
 	public PVP2XProtocol() {
 		super();
 	}
@@ -193,7 +215,8 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 			return null;
 		}
 		try {
-			InboundMessage msg = (InboundMessage) decoder.decode(request, response);
+						
+			InboundMessage msg = (InboundMessage) decoder.decode(request, response, isServiceProviderEndPointUsed(request));
 			
 			if (MiscUtil.isEmpty(msg.getEntityID())) {
 				throw new InvalidProtocolRequestException("pvp2.20", new Object[] {});
@@ -217,13 +240,14 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 
 			else if (msg instanceof MOARequest && 
 					((MOARequest)msg).getSamlRequest() instanceof LogoutRequest)
-				return preProcessLogOut(request, response, (MOARequest) msg);
+				return preProcessLogOut(request, response, msg);
 			
-			else if (msg instanceof MOARequest && 
-					((MOARequest)msg).getSamlRequest() instanceof LogoutResponse)
-				return preProcessLogOut(request, response, (MOARequest) msg);
+			else if (msg instanceof MOAResponse && 
+					((MOAResponse)msg).getResponse() instanceof LogoutResponse)
+				return preProcessLogOut(request, response, msg);
 			
-			else if (msg instanceof MOAResponse) {
+			else if (msg instanceof MOAResponse &&
+					((MOAResponse)msg).getResponse() instanceof Response) {
 				//load service provider AuthRequest from session
 											
 				IRequest obj = RequestStorage.getPendingRequest(msg.getRelayState());
@@ -420,20 +444,22 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 	 * @throws MOAIDException 
 	 */
 	private IRequest preProcessLogOut(HttpServletRequest request,
-			HttpServletResponse response, MOARequest msg) throws MOAIDException {
+			HttpServletResponse response, InboundMessage inMsg) throws MOAIDException {
 
 		PVPTargetConfiguration config = new PVPTargetConfiguration();
 		
-		if (((MOARequest)msg).getSamlRequest() instanceof LogoutRequest) {
+		MOARequest msg;
+		if (inMsg instanceof MOARequest && 
+				((MOARequest)inMsg).getSamlRequest() instanceof LogoutRequest) {
 			//preProcess single logout request from service provider
-					
+			
+			msg = (MOARequest) inMsg;
+			
 			EntityDescriptor metadata = msg.getEntityMetadata();
 			if(metadata == null) {
 				throw new NoMetadataInformationException();
 			}
 
-
-			
 			String oaURL = metadata.getEntityID();
 			oaURL = StringEscapeUtils.escapeHtml(oaURL);
 			
@@ -443,10 +469,11 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 			config.setBinding(msg.getRequestBinding());									
 
 						
-		} else if (((MOARequest)msg).getSamlRequest() instanceof LogoutResponse) {
+		} else if (inMsg instanceof MOAResponse && 
+				((MOAResponse)inMsg).getResponse() instanceof LogoutResponse) {
 			//preProcess single logour response from service provider
 						
-			LogoutResponse resp = (LogoutResponse) (((MOARequest)msg).getSamlRequest());
+			LogoutResponse resp = (LogoutResponse) (((MOAResponse)inMsg).getResponse());
 			
 			Logger.debug("PreProcess SLO Response from " + resp.getIssuer());
 			
@@ -458,14 +485,14 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 			}
 						
 			//TODO: check if relayState exists
-			msg.getRelayState();
+			inMsg.getRelayState();
 						
 						
 		} else 
 			throw new MOAIDException("Unsupported request", new Object[] {});
 		
 		
-		config.setRequest(msg);
+		config.setRequest(inMsg);
 		config.setAction(SINGLELOGOUT);
 		return config;
 	}
@@ -624,7 +651,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 	 */
 	private MOAResponse preProcessAuthResponse(MOAResponse msg) {
 		Logger.debug("Start PVP21 assertion processing... ");
-		Response samlResp = msg.getResponse();
+		Response samlResp = (Response) msg.getResponse();
 		
 		try {
 			if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java
index 8691667f0..4d353ffcd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java
@@ -102,7 +102,7 @@ public class ArtifactBinding implements IDecoder, IEncoder {
 	}
 
 	public InboundMessageInterface decode(HttpServletRequest req,
-			HttpServletResponse resp) throws MessageDecodingException,
+			HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException,
 			SecurityException {
 
 		return null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
index fb17c02b8..6619876dc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
@@ -33,7 +33,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface
 
 public interface IDecoder {
 	public InboundMessageInterface decode(HttpServletRequest req, 
-			HttpServletResponse resp)
+			HttpServletResponse resp, boolean isSPEndPoint)
 					throws MessageDecodingException, SecurityException, PVP2Exception;
 		
 	public boolean handleDecode(String action, HttpServletRequest req);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index a2fe5c01b..7f73b1ed7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -139,7 +139,7 @@ public class PostBinding implements IDecoder, IEncoder {
 	}
 
 	public InboundMessageInterface decode(HttpServletRequest req,
-			HttpServletResponse resp) throws MessageDecodingException,
+			HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException,
 			SecurityException {
 
 		HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
@@ -152,39 +152,38 @@ public class PostBinding implements IDecoder, IEncoder {
 		} catch (ConfigurationException e) {
 			throw new SecurityException(e);
 		}
-		
-		decode.decode(messageContext);		
-				
+							
 		messageContext.setMetadataProvider(MOAMetadataProvider.getInstance());
 		
-		InboundMessage msg = null;
+		//set metadata descriptor type
+		if (isSPEndPoint)
+			messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
+		else
+			messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
 		
-		if (messageContext.getInboundMessage() instanceof RequestAbstractType) {
-			messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);			
-			
+		decode.decode(messageContext);
+		
+		InboundMessage msg = null;		
+		if (messageContext.getInboundMessage() instanceof RequestAbstractType) {			
 			RequestAbstractType inboundMessage = (RequestAbstractType) messageContext
 					.getInboundMessage();			
 			msg = new MOARequest(inboundMessage, getSAML2BindingName());
 			
-		} else if (messageContext.getInboundMessage() instanceof Response){
-			messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
-			
-			Response inboundMessage = (Response) messageContext.getInboundMessage();			
+		} else if (messageContext.getInboundMessage() instanceof StatusResponseType){
+			StatusResponseType inboundMessage = (StatusResponseType) messageContext.getInboundMessage();			
 			msg = new MOAResponse(inboundMessage);
 			
 		} else
 			//create empty container if request type is unknown
 			msg = new InboundMessage();
-		
-		msg.setVerified(false);
-		
-		decode.decode(messageContext);
+				
 		if (messageContext.getPeerEntityMetadata() != null)
 			msg.setEntityID(messageContext.getPeerEntityMetadata().getEntityID());
 		
 		else
 			Logger.info("No Metadata found for OA with EntityID " + messageContext.getInboundMessageIssuer());
-				
+		
+		msg.setVerified(false);
 		msg.setRelayState(messageContext.getRelayState());
 		
 		return msg;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 8fba6cde0..26f6f3a62 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -129,7 +129,7 @@ public class RedirectBinding implements IDecoder, IEncoder {
 	}
 
 	public InboundMessageInterface decode(HttpServletRequest req,
-			HttpServletResponse resp) throws MessageDecodingException,
+			HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException,
 			SecurityException {
 
 		HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(
@@ -146,8 +146,6 @@ public class RedirectBinding implements IDecoder, IEncoder {
 		BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
 		messageContext
 				.setInboundMessageTransport(new HttpServletRequestAdapter(req));
-
-		decode.decode(messageContext);
 					
 		messageContext.setMetadataProvider(MOAMetadataProvider.getInstance());
 				
@@ -161,36 +159,39 @@ public class RedirectBinding implements IDecoder, IEncoder {
 				policy);		
 		messageContext.setSecurityPolicyResolver(resolver);
 		
-		InboundMessage msg = null;
-		
-		if (messageContext.getInboundMessage() instanceof RequestAbstractType) {
+		//set metadata descriptor type
+		if (isSPEndPoint)
+			messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
+		else
 			messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
-			
+		
+		decode.decode(messageContext);
+
+		//check signature
+		signatureRule.evaluate(messageContext);		
+
+		InboundMessage msg = null;
+		if (messageContext.getInboundMessage() instanceof RequestAbstractType) {			
 			RequestAbstractType inboundMessage = (RequestAbstractType) messageContext
 					.getInboundMessage();			
 			msg = new MOARequest(inboundMessage, getSAML2BindingName());
 			
 			
-		} else if (messageContext.getInboundMessage() instanceof Response){
-			messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
-			
-			Response inboundMessage = (Response) messageContext.getInboundMessage();			
+		} else if (messageContext.getInboundMessage() instanceof StatusResponseType){
+			StatusResponseType inboundMessage = (StatusResponseType) messageContext.getInboundMessage();			
 			msg = new MOAResponse(inboundMessage);
 			
 		} else 
 			//create empty container if request type is unknown
 			msg = new InboundMessage();
 
-		signatureRule.evaluate(messageContext);		
-		msg.setVerified(true);
-
-		decode.decode(messageContext);
 		if (messageContext.getPeerEntityMetadata() != null)
 			msg.setEntityID(messageContext.getPeerEntityMetadata().getEntityID());
 		
 		else
 			Logger.info("No Metadata found for OA with EntityID " + messageContext.getInboundMessageIssuer());
 		
+		msg.setVerified(true);
 		msg.setRelayState(messageContext.getRelayState());
 		
 		return msg;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index 75332cfea..f0eafe272 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -59,7 +59,7 @@ import at.gv.egovernment.moa.logging.Logger;
 public class SoapBinding implements IDecoder, IEncoder {
 
 	public InboundMessageInterface decode(HttpServletRequest req,
-			HttpServletResponse resp) throws MessageDecodingException,
+			HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException,
 			SecurityException, PVP2Exception {
 		HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(new BasicParserPool());
 		BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
index 255fba093..d3a9ad3e7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
@@ -33,7 +33,6 @@ import java.util.Properties;
 import java.util.jar.Attributes;
 import java.util.jar.Manifest;
 
-import org.opensaml.Configuration;
 import org.opensaml.saml2.metadata.Company;
 import org.opensaml.saml2.metadata.ContactPerson;
 import org.opensaml.saml2.metadata.ContactPersonTypeEnumeration;
@@ -46,7 +45,6 @@ import org.opensaml.saml2.metadata.OrganizationName;
 import org.opensaml.saml2.metadata.OrganizationURL;
 import org.opensaml.saml2.metadata.SurName;
 import org.opensaml.saml2.metadata.TelephoneNumber;
-import org.opensaml.xml.security.SecurityConfiguration;
 
 import at.gv.egovernment.moa.id.commons.db.dao.config.Contact;
 import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
@@ -71,10 +69,12 @@ public class PVPConfiguration {
 	}
 
 	public static final String PVP2_METADATA = 	"/pvp2/metadata";
-	public static final String PVP2_REDIRECT = 	"/pvp2/redirect";
-	public static final String PVP2_POST = 		"/pvp2/post";
-	public static final String PVP2_SOAP = 		"/pvp2/soap";
-	public static final String PVP2_ATTRIBUTEQUERY = "/pvp2/attributequery";
+	public static final String PVP2_IDP_REDIRECT = 	"/pvp2/redirect";
+	public static final String PVP2_IDP_POST = 		"/pvp2/post";
+	public static final String PVP2_IDP_SOAP = 		"/pvp2/soap";
+	public static final String PVP2_IDP_ATTRIBUTEQUERY = "/pvp2/attributequery";
+	public static final String PVP2_SP_REDIRECT = 	"/pvp2/sp/redirect";
+	public static final String PVP2_SP_POST = 		"/pvp2/sp/post";
 	
 	public static final String PVP_CONFIG_FILE = "pvp2config.properties";
 	
@@ -143,22 +143,30 @@ public class PVPConfiguration {
 		return publicPath;
 	}
 
-	public String getIDPSSOPostService() throws ConfigurationException {
-		return getIDPPublicPath() + PVP2_POST;
+	public String getSPSSOPostService() throws ConfigurationException {
+		return getIDPPublicPath() + PVP2_SP_POST;
 	}
 
-	public String getIDPSSOSOAPService() throws ConfigurationException {
-		return getIDPPublicPath() + PVP2_SOAP;
+	public String getSPSSORedirectService() throws ConfigurationException {
+		return getIDPPublicPath() + PVP2_SP_REDIRECT;
 	}
 	
-	public String getIDPAttributeQueryService() throws ConfigurationException {
-		return getIDPPublicPath() + PVP2_ATTRIBUTEQUERY;
+	public String getIDPSSOPostService() throws ConfigurationException {
+		return getIDPPublicPath() + PVP2_IDP_POST;
 	}
-	
+
 	public String getIDPSSORedirectService() throws ConfigurationException {
-		return getIDPPublicPath() + PVP2_REDIRECT;
+		return getIDPPublicPath() + PVP2_IDP_REDIRECT;
 	}
 	
+	public String getIDPSSOSOAPService() throws ConfigurationException {
+		return getIDPPublicPath() + PVP2_IDP_SOAP;
+	}
+	
+	public String getIDPAttributeQueryService() throws ConfigurationException {
+		return getIDPPublicPath() + PVP2_IDP_ATTRIBUTEQUERY;
+	}
+		
 	public String getIDPSSOMetadataService() throws ConfigurationException {
 		return getIDPPublicPath() + PVP2_METADATA;
 	}
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2014-06-06 13:47:15 +0200
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2014-06-06 13:47:15 +0200
commit	5677982c24ada5c0a56e11588b5839bc2a75b83e (patch)
tree	f6142920f704222386fff9996b3e3b019d6e0129
parent	c8a872dcffe918d9ed1e867cb9fc18f639a715b4 (diff)
download	moa-id-spss-5677982c24ada5c0a56e11588b5839bc2a75b83e.tar.gz moa-id-spss-5677982c24ada5c0a56e11588b5839bc2a75b83e.tar.bz2 moa-id-spss-5677982c24ada5c0a56e11588b5839bc2a75b83e.zip