authorThomas Lenz <thomas.lenz@egiz.gv.at>2016-03-02 22:10:36 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2016-03-02 22:10:36 +0100
commitda937437e46e06365072820aa555d4cb3f9f9110 (patch)
tree3c9f062ab6f8c87abc063db44d8828a4065329ba
parent48fd33725c53136fe505067b93390b39e19c41b7 (diff)
next parts of new federated authentication implementation
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java226
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java71
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java125
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java30
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java17
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java4
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties7
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties5
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java39
11 files changed, 201 insertions, 333 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 999f289e0..8b9918eab 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -32,6 +32,7 @@ import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
+import java.util.Set;
import java.util.Map.Entry;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -45,6 +46,9 @@ import javax.xml.bind.Marshaller;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.AuthnStatement;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.ws.soap.common.SOAPException;
+import org.opensaml.xml.XMLObject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.w3c.dom.Element;
@@ -77,7 +81,9 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory;
import at.gv.egovernment.moa.id.data.IAuthData;
@@ -86,13 +92,16 @@ import at.gv.egovernment.moa.id.moduls.IRequest;
import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
@@ -118,9 +127,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
@Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage;
@Autowired protected AuthConfiguration authConfig;
+ @Autowired private AttributQueryBuilder attributQueryBuilder;
+ @Autowired private SAMLVerificationEngine samlVerificationEngine;
public IAuthData buildAuthenticationDataForAttributQuery(IRequest pendingReq,
- AuthenticationSession session, List<Attribute> reqAttributes) {
+ AuthenticationSession session, List<Attribute> reqAttributes, InterfederationSessionStore nextIDPInformation) throws MOAIDException {
AuthenticationData authdata = new AuthenticationData();
try {
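Review bot: The widened signature of `buildAuthenticationDataForAttributQuery` gains the parameter `nextIDPInformation` and now declares `throws MOAIDException`, but neither is documented. A Javadoc block above the method should state that `nextIDPInformation` is the federated IDP record found for the session and may be null, in which case the data is built from the local MOASession, and list the `auth.32`–`auth.34` failure cases under `@throws MOAIDException`. The method body continues outside this hunk.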
@@ -146,134 +157,147 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
}
}
}
-
- getAuthDataFromInterfederation(authdata, session, spConfig, pendingReq, interfIDP, idp, reqAttributes);
-
-
-
-
+ //build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration
+ IOAAuthParameters spConfig = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes);
- //mark attribute request as used
- try {
- interfIDP.setAttributesRequested(true);
- MOASessionDBUtils.saveOrUpdate(interfIDP);
-
- } catch (MOADatabaseException e) {
- Logger.error("MOASession interfederation information can not stored to database.", e);
+ //search federated IDP information for this MOASession
+ if (nextIDPInformation != null) {
+ Logger.info("Find active federated IDP information."
+ + ". --> Request next IDP:" + nextIDPInformation.getIdpurlprefix()
+ + " for authentication information.");
+
+ //load configuration of next IDP
+ OAAuthParameter idp = authConfig.getOnlineApplicationParameter(nextIDPInformation.getIdpurlprefix());
+ if (idp == null) {
+ Logger.warn("Configuration for federated IDP:" + nextIDPInformation.getIdpurlprefix()
+ + "is not loadable.");
+ throw new MOAIDException("auth.32", new Object[]{nextIDPInformation.getIdpurlprefix()});
+
+ }
+
+ //check if next IDP config allows inbound messages
+ if (!idp.isInboundSSOInterfederationAllowed()) {
+ Logger.warn("Configuration for federated IDP:" + nextIDPInformation.getIdpurlprefix()
+ + "disallow inbound authentication messages.");
+ throw new MOAIDException("auth.33", new Object[]{nextIDPInformation.getIdpurlprefix()});
+
+ }
+
+ //check next IDP service area policy. BusinessService IDPs can only request wbPKs
+ if (!spConfig.getBusinessService() && !idp.isIDPPublicService()) {
+ Logger.error("Interfederated IDP " + idp.getPublicURLPrefix()
+ + " has a BusinessService-IDP but requests PublicService attributes.");
+ throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()});
+
+ }
+
+ //validation complete --> start AttributeQuery Request
+ getAuthDataFromInterfederation(authdata, reqAttributes, nextIDPInformation, idp);
+
+ } else {
+ Logger.debug("Build authData for AttributQuery from local MOASession.");
+ buildAuthDataFormMOASession(authdata, session, spConfig, pendingReq);
}
-
-
+
return authdata;
-
- } catch (DynamicOABuildException e) {
- //TODO:
-
+
+ } catch (MOAIDException e) {
+ throw e;
}
}
private void getAuthDataFromInterfederation(
- AuthenticationData authdata, AuthenticationSession session,
- IOAAuthParameters oaParam, IRequest req,
- InterfederationSessionStore interfIDP, OAAuthParameter idp, List<Attribute> reqQueryAttr) throws BuildException, ConfigurationException{
+ AuthenticationData authdata, List<Attribute> reqQueryAttr,
+ InterfederationSessionStore nextIDPInfo, OAAuthParameter nextIDPConfig ) throws MOAIDException{
+ String idpEnityID = nextIDPConfig.getPublicURLPrefix();
+ AssertionAttributeExtractor extractor;
try {
- List<Attribute> attributs = null;
-
- //IDP is a chained interfederated IDP and request is of type AttributQuery
- if (oaParam.isInderfederationIDP() && req instanceof PVPTargetConfiguration &&
- (((PVPTargetConfiguration)req).getRequest() instanceof AttributeQuery) &&
- reqQueryAttr != null) {
- attributs = reqQueryAttr;
-
- //IDP is a service provider IDP and request interfederated IDP to collect attributes
- } else {
- //get PVP 2.1 attributes from protocol specific requested attributes
- attributs = (List<Attribute>) req.getGenericData(RequestImpl.DATAID_REQUESTED_ATTRIBUTES);
+ Logger.debug("Starting AttributeQuery process ...");
+ //collect attributes by using BackChannel communication
+ String endpoint = nextIDPConfig.getIDPAttributQueryServiceURL();
+ if (MiscUtil.isEmpty(endpoint)) {
+ Logger.error("No AttributeQueryURL for interfederationIDP " + idpEnityID);
+ throw new ConfigurationException("config.26", new Object[]{idpEnityID});
}
-
- //get SAML2 Response from federated IDP
- Response intfResp =
- (Response) req.getGenericData(
- RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, MOAResponse.class).getResponse();
-
- //initialize Attribute extractor
- AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(intfResp);
-
- //check if SAML2 Assertion contains already all required attributes
- if (!extractor.containsAllRequiredAttributes()) {
- Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");
- //collect attributes by using BackChannel communication
- String endpoint = idp.getIDPAttributQueryServiceURL();
- if (MiscUtil.isEmpty(endpoint)) {
- Logger.error("No AttributeQueryURL for interfederationIDP " + idp.getPublicURLPrefix());
- throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + idp.getPublicURLPrefix(), null);
- }
- //build attributQuery request
- AttributeQuery query =
- attributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs);
+ //build attributQuery request
+ AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(nextIDPInfo.getUserNameID(), endpoint, reqQueryAttr);
- //build SOAP request
- List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
+ //build SOAP request
+ List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
+
+ if (xmlObjects.size() == 0) {
+ Logger.error("Receive emptry AttributeQuery response-body.");
+ throw new AttributQueryException("auth.27",
+ new Object[]{idpEnityID, "Receive emptry AttributeQuery response-body."});
- if (xmlObjects.size() == 0) {
- Logger.error("Receive emptry AttributeQuery response-body.");
- throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null);
-
- }
+ }
+
+ Response intfResp;
+ if (xmlObjects.get(0) instanceof Response) {
+ intfResp = (Response) xmlObjects.get(0);
- if (xmlObjects.get(0) instanceof Response) {
- intfResp = (Response) xmlObjects.get(0);
-
- //validate PVP 2.1 response
- try {
- samlVerificationEngine.verifyIDPResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine());
-
- //TODO: find better solution
- //SAMLVerificationEngine.validateAssertion(intfResp, false);
-
- } catch (Exception e) {
- Logger.warn("PVP 2.1 assertion validation FAILED.", e);
- throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e);
+ //validate PVP 2.1 response
+ try {
+ samlVerificationEngine.verifyIDPResponse(intfResp,
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(
+ MOAMetadataProvider.getInstance()));
+
+ //create assertion attribute extractor from AttributeQuery response
+ extractor = new AssertionAttributeExtractor(intfResp);
+
+ //copy attributes into authData object
+ Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();
+ for (String el : includedAttrNames) {
+ authdata.setGenericData(el, extractor.getSingleAttributeValue(el));
+ Logger.debug("Add PVP-attribute " + el + " into authData objext");
+
}
-
- } else {
- Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
- throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null);
-
+
+
+ } catch (Exception e) {
+ Logger.warn("PVP 2.1 assertion validation FAILED.", e);
+ throw new AssertionValidationExeption("auth.27",
+ new Object[]{idpEnityID, e.getMessage()}, e);
}
-
- //create assertion attribute extractor from AttributeQuery response
- extractor = new AssertionAttributeExtractor(intfResp);
-
+
} else {
- Logger.info("Interfedation response include all attributes with are required. Skip AttributQuery request step. ");
+ Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
+ throw new AttributQueryException("auth.27",
+ new Object[]{idpEnityID, "Receive AttributeQuery response-body include no PVP 2.1 response"});
+
+ }
+
+ try {
+ //mark attribute request as used
+ if (nextIDPInfo.isStoreSSOInformation()) {
+ nextIDPInfo.setAttributesRequested(true);
+ MOASessionDBUtils.saveOrUpdate(nextIDPInfo);
+
+ //delete federated IDP from Session
+ } else {
+ MOASessionDBUtils.delete(nextIDPInfo);
+
+ }
+
+ } catch (MOADatabaseException e) {
+ Logger.error("MOASession interfederation information can not stored to database.", e);
}
- //parse response information to authData
- buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam, req);
-
+
} catch (SOAPException e) {
throw new BuildException("builder.06", null, e);
} catch (SecurityException e) {
throw new BuildException("builder.06", null, e);
-
- } catch (AttributQueryException e) {
- throw new BuildException("builder.06", null, e);
-
- } catch (BuildException e) {
- throw new BuildException("builder.06", null, e);
-
- } catch (AssertionValidationExeption e) {
- throw new BuildException("builder.06", null, e);
-
- } catch (AssertionAttributeExtractorExeption e) {
- throw new BuildException("builder.06", null, e);
+
+ } catch (org.opensaml.xml.security.SecurityException e1) {
+ throw new BuildException("builder.06", null, e1);
}
}
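Review bot: In `getAuthDataFromInterfederation` the `try` that starts at `//validate PVP 2.1 response` also encloses the extractor construction and the attribute-copy loop, so any failure while copying attributes (including a plain RuntimeException from the loop) is reported as "PVP 2.1 assertion validation FAILED" and mapped to `auth.27`; narrowing the `try` to the `verifyIDPResponse` call keeps the error classes distinct. Since `auth.27` now embeds `e.getMessage()` as `{1}` and that text presumably reaches the requesting party, consider logging the raw message and passing only a fixed phrase into the message argument. The `catch (MOAIDException e) { throw e; }` in the caller is a no-op and can be dropped, and the `saveOrUpdate` failure near `//mark attribute request as used` is only logged, which means `attributesRequested` may stay false and the same federated IDP record can be selected for a further AttributeQuery — worth a comment if that is accepted.
```java
//validate PVP 2.1 response
try {
    samlVerificationEngine.verifyIDPResponse(intfResp,
            TrustEngineFactory.getSignatureKnownKeysTrustEngine(
                    MOAMetadataProvider.getInstance()));

} catch (Exception e) {
    Logger.warn("PVP 2.1 assertion validation FAILED.", e);
    throw new AssertionValidationExeption("auth.27",
            new Object[]{idpEnityID, "Assertion validation failed"}, e);
}

//create assertion attribute extractor from AttributeQuery response
//(wrap AssertionAttributeExtractorExeption here if it is not a MOAIDException)
extractor = new AssertionAttributeExtractor(intfResp);
// … unchanged: copy attributes into authData …
```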
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
index ab43f2f79..8c0de1121 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
@@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.moduls.IRequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.MiscUtil;
/**
* @author tlenz
@@ -45,65 +46,35 @@ import at.gv.egovernment.moa.util.Constants;
*/
public class DynamicOAAuthParameterBuilder {
- public static IOAAuthParameters buildFromAttributeQuery(OAAuthParameter oa, List<Attribute> reqAttributes, InterfederationSessionStore interfIDP) throws DynamicOABuildException {
+ public static IOAAuthParameters buildFromAttributeQuery(List<Attribute> reqAttributes) throws DynamicOABuildException {
Logger.debug("Build dynamic OAConfiguration from AttributeQuery and interfederation information");
- try {
- DynamicOAAuthParameters dynamicOA = new DynamicOAAuthParameters();
-
- for (Attribute attr : reqAttributes) {
- //get Target or BusinessService from request
- if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
- String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent();
- if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) {
- dynamicOA.setBusinessService(false);
- dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length()));
-
- } else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) ||
- attrValue.startsWith(Constants.URN_PREFIX_STORK) ) {
- dynamicOA.setBusinessService(true);
- dynamicOA.setTarget(attrValue);
-
- } else {
- Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea");
- throw new DynamicOABuildException("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea", null);
-
- }
-
- }
+ DynamicOAAuthParameters dynamicOA = new DynamicOAAuthParameters();
- }
-
- if (interfIDP != null) {
- //load interfederated IDP informations
- OAAuthParameter idp = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(interfIDP.getIdpurlprefix());
- if (idp == null) {
- Logger.warn("Interfederated IDP configuration is not loadable.");
- throw new DynamicOABuildException("Interfederated IDP configuration is not loadable.", null);
+ for (Attribute attr : reqAttributes) {
+ //get Target or BusinessService from request
+ if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
+ String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent();
+ if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) {
+ dynamicOA.setBusinessService(false);
+ dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length()));
+
+ } else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) ||
+ attrValue.startsWith(Constants.URN_PREFIX_STORK) ) {
+ dynamicOA.setBusinessService(true);
+ dynamicOA.setTarget(attrValue);
+
+ } else {
+ Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea");
+ throw new DynamicOABuildException("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea", null);
}
-
- dynamicOA.setApplicationID(idp.getPublicURLPrefix());
- dynamicOA.setInderfederatedIDP(idp.isInderfederationIDP());
- dynamicOA.setIDPQueryURL(idp.getIDPAttributQueryServiceURL());
- //check if IDP service area policy. BusinessService IDPs can only request wbPKs
- if (!dynamicOA.getBusinessService() && !idp.isIDPPublicService()) {
- Logger.error("Interfederated IDP " + idp.getPublicURLPrefix()
- + " has a BusinessService-IDP but requests PublicService attributes.");
- throw new DynamicOABuildException("Interfederated IDP " + idp.getPublicURLPrefix()
- + " has a BusinessService-IDP but requests PublicService attributes.", null);
-
- }
}
- return dynamicOA;
-
- } catch (ConfigurationException e) {
- Logger.warn("Internel server errror. Basic configuration load failed.", e);
- throw new DynamicOABuildException("Basic configuration load failed.", null);
- }
+ }
+ return dynamicOA;
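Review bot: The line `String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent();` reads the first value of an attribute taken straight from the incoming AttributeQuery without checking that a value exists, so a request carrying an empty sector attribute fails with an IndexOutOfBoundsException or NullPointerException instead of the DynamicOABuildException the rest of the method reports; the same applies to `substring(...)` when the value is the bare `URN_PREFIX_CDID` prefix, which `startsWith(Constants.URN_PREFIX_CDID + "+")` would avoid. A guard before the lookup keeps the error handling uniform. The debug message "Build dynamic OAConfiguration from AttributeQuery and interfederation information" is stale now that the interfederation branch has been removed from this method. The method's closing brace lies outside the hunk.
```java
if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
    if (attr.getAttributeValues().isEmpty()
            || attr.getAttributeValues().get(0).getDOM() == null) {
        Logger.error("Sector identification attribute has no value");
        throw new DynamicOABuildException("Sector identification attribute has no value", null);
    }
    String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent();
    // … unchanged: prefix checks and target assignment …
}
```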
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java
deleted file mode 100644
index 9af247714..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-package at.gv.egovernment.moa.id.data;
-
-import java.io.Serializable;
-
-import at.gv.egovernment.moa.id.util.Random;
-
-/**
- * @author tlenz
- *
- */
-public class FederatedAuthenticatenContainer implements Serializable {
-
- /**
- *
- */
- private static final long serialVersionUID = 6075571915585105988L;
-
- private String id;
- private String moaSessionID;
-
- private String idpEntityID;
- private String userNameID;
- private String userQAALevel;
-
- /**
- * Build a new data-container for federated authentication with Attribute-Query
- *
- */
- public FederatedAuthenticatenContainer() {
- this.id = Random.nextRandom();
-
- }
-
- /**
- * Get the identifier of this container
- *
- * @return the identifier of this container, but never null
- */
- public String getId() {
- return id;
- }
-
- /**
- * Get the MOASessionID, of the corresponding MOASession
- *
- * @return the moaSessionID, or null if no MOASession exists
- */
- public String getMoaSessionID() {
- return moaSessionID;
- }
- /**
- * @param moaSessionID the moaSessionID to set
- */
- public void setMoaSessionID(String moaSessionID) {
- this.moaSessionID = moaSessionID;
- }
- /**
- * Get the Entity of the federated IDP, which has the authentication data
- *
- * @return the idpEntityID, but never null
- */
- public String getIdpEntityID() {
- return idpEntityID;
- }
- /**
- * @param idpEntityID the idpEntityID to set
- */
- public void setIdpEntityID(String idpEntityID) {
- this.idpEntityID = idpEntityID;
- }
- /**
- * Get the SAML2 NameID of the user, which is used to identify the user on the federated IDP
- *
- * @return the SAML2 NameID, but never null
- */
- public String getUserNameID() {
- return userNameID;
- }
- /**
- * @param userNameID the userNameID to set
- */
- public void setUserNameID(String userNameID) {
- this.userNameID = userNameID;
- }
- /**
- * Get the SAML2 QAA-level, which should be send to the federated IDP
- *
- * @return the userQAALevel, but never null
- */
- public String getUserQAALevel() {
- return userQAALevel;
- }
- /**
- * @param userQAALevel the userQAALevel to set
- */
- public void setUserQAALevel(String userQAALevel) {
- this.userQAALevel = userQAALevel;
- }
-
-
-
-
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index c733e662a..042eeeed8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -41,8 +41,13 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
+import at.gv.egovernment.moa.id.auth.builder.DynamicOAAuthParameterBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
+import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
+import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
+import at.gv.egovernment.moa.id.data.FederatedAuthenticatenContainer;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
import at.gv.egovernment.moa.id.moduls.IAction;
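Review bot: The added line `import at.gv.egovernment.moa.id.data.FederatedAuthenticatenContainer;` refers to a class that this same commit deletes (see the FederatedAuthenticatenContainer.java section), so AttributQueryAction will no longer compile; drop the import. The other new imports `DynamicOAAuthParameterBuilder`, `OASessionStore`, `IOAAuthParameters` and `MiscUtil` are not used in any hunk shown for this file; they may be used elsewhere in the file, but if not they should be removed as well.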
@@ -53,7 +58,9 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionB
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
+import at.gv.egovernment.moa.id.storage.ITransactionStorage;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
/**
* @author tlenz
@@ -62,9 +69,10 @@ import at.gv.egovernment.moa.logging.Logger;
@Service("AttributQueryAction")
public class AttributQueryAction implements IAction {
- @Autowired IAuthenticationSessionStoreage authenticationSessionStorage;
+ @Autowired private IAuthenticationSessionStoreage authenticationSessionStorage;
@Autowired private AuthenticationDataBuilder authDataBuilder;
@Autowired private IDPCredentialProvider pvpCredentials;
+ @Autowired private ITransactionStorage transactionStorage;
private final static List<String> DEFAULTSTORKATTRIBUTES = Arrays.asList(
new String[]{PVPConstants.EID_STORK_TOKEN_NAME});
@@ -90,16 +98,22 @@ public class AttributQueryAction implements IAction {
//set time reference
DateTime date = new DateTime();
- //load session and request information
- AuthenticationSession moaSession =
- pendingReq.getGenericData(PVPTargetConfiguration.DATAID_MOASESSION, AuthenticationSession.class);
-
+ //get Single Sign-On information for the Service-Provider
+ // which sends the Attribute-Query request
+ AuthenticationSession moaSession = authenticationSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+ if (moaSession == null) {
+ Logger.warn("No MOASession with ID:" + pendingReq.getMOASessionIdentifier() + " FOUND.");
+ throw new MOAIDException("auth.02", new Object[]{pendingReq.getMOASessionIdentifier()});
+ }
+
+ InterfederationSessionStore nextIDPInformation =
+ authenticationSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(moaSession.getSessionID());
+
AttributeQuery attrQuery =
(AttributeQuery)((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest();
-
-
+
//generate authData for AttributQueryRequest
- authData = authDataBuilder.buildAuthenticationDataForAttributQuery(pendingReq, moaSession, attrQuery.getAttributes());
+ authData = authDataBuilder.buildAuthenticationDataForAttributQuery(pendingReq, moaSession, attrQuery.getAttributes(), nextIDPInformation);
//add default attributes in case of mandates or STORK is in use
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 57c1aa8af..4dbc35041 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -593,23 +593,14 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
AuthenticationSession session = authenticatedSessionStorage.getSessionWithUserNameID(nameID);
if (session == null) {
Logger.warn("AttributeQuery nameID does not match to an active single sign-on session.");
- throw new AttributQueryException("AttributeQuery nameID does not match to an active single sign-on session.", null);
+ throw new AttributQueryException("auth.31", null);
}
- //search federated IDP information for this MOASession
-
-
- InterfederationSessionStore interfIDP =
- authenticatedSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session);
-
- //build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration
- IOAAuthParameters spConfig = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(oa, attrQuery.getAttributes(), interfIDP);
-
//set preProcessed information into pending-request
pendingReq.setRequest(moaRequest);
pendingReq.setOAURL(moaRequest.getEntityID());
- pendingReq.setOnlineApplicationConfiguration(spConfig);
+ pendingReq.setOnlineApplicationConfiguration(oa);
pendingReq.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
//Attribute-Query Request needs authentication, because session MUST be already authenticated
@@ -619,8 +610,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
pendingReq.setAction(AttributQueryAction.class.getName());
//add moasession
- pendingReq.setGenericDataToSession(PVPTargetConfiguration.DATAID_MOASESSION, session);
-
+ pendingReq.setMOASessionIdentifier(session.getSessionID());
+
//write revisionslog entry
revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_ATTRIBUTQUERY);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
index a8e02c317..b8ced1198 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
@@ -46,11 +46,9 @@ import at.gv.egovernment.moa.logging.Logger;
@Scope(value = BeanDefinition.SCOPE_PROTOTYPE)
public class PVPTargetConfiguration extends RequestImpl {
- public static final String DATAID_MOASESSION = "moasession";
public static final String DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP = "useMinimalFrontChannelResponse";
public static final String DATAID_INTERFEDERATION_NAMEID = "federatedNameID";
public static final String DATAID_INTERFEDERATION_QAALEVEL = "federatedQAALevel";
- public static final String DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID = "attrQueryContainerID";
private static final long serialVersionUID = 4889919265919638188L;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java
index c190ad779..316ca2177 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java
@@ -832,9 +832,9 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
}
@Override
- public InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(AuthenticationSession moaSession) {
- MiscUtil.assertNotNull(moaSession, "MOASession");
- Logger.trace("Get interfederated IDP for AttributeQuery with sessionID " + moaSession.getSessionID() + " from database.");
+ public InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(String moaSessionID) {
+ MiscUtil.assertNotNull(moaSessionID, "MOASessionID");
+ Logger.trace("Get interfederated IDP for AttributeQuery with sessionID " + moaSessionID + " from database.");
Session session = MOASessionDBUtils.getCurrentSession();
List<AuthenticatedSessionStore> result;
@@ -843,7 +843,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
synchronized (session) {
tx = session.beginTransaction();
Query query = session.getNamedQuery("getInterfederatedIDPForAttributeQueryWithSessionID");
- query.setParameter("sessionID", moaSession.getSessionID());
+ query.setParameter("sessionID", moaSessionID);
result = query.list();
//send transaction
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java
index aaa54fbb9..666511425 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java
@@ -253,10 +253,10 @@ public interface IAuthenticationSessionStoreage {
/**
* Search an active federation IDP which could be used for federated Single Sign-On by using an AttributeQuery
*
- * @param moaSession MOASession data object
+ * @param moaSessionID ID of a active MOASession
* @return Information of the federated IDP, or null if no active federated IDP is found
*/
- public InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(AuthenticationSession moaSession);
+ public InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(String moaSessionID);
/**
* Remove an active federation IDP from MOASession
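Review bot: The new `@param` reads "ID of a active MOASession" and does not say where the ID is allowed to come from, which matters now that the parameter is a plain String instead of a session object. I would write it as `@param moaSessionID ID of an active MOASession; must originate from a session already loaded and validated by the caller, not directly from a request parameter`, and add `@throws` or a note that a null ID is rejected, since the implementation in this commit calls `MiscUtil.assertNotNull` on it. The interface declaration continues past the hunk.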
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index a94b90931..cf2e9d6d5 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -44,10 +44,14 @@ auth.23=Das BKU-Selektion Template entspricht nicht der Spezifikation von MOA-ID
auth.24=Das Send-Assertion Template entspricht nicht der Spezifikation von MOA-ID 2.x.
auth.25=Fehler beim validieren der SZR-Gateway Response.
auth.26=SessionID unbekannt.
-auth.27=Federated authentication FAILED! Assertion from {0} IDP is not valid.
+auth.27=Federated authentication FAILED! Assertion from {0} IDP is not valid. (Msg:{1})
auth.28=Transaktion {0} kann nicht weitergef\u00FChrt werden. Wahrscheinlich wurde ein TimeOut erreicht.
auth.29=Federated authentication FAILED! Can not build authentication request for IDP {0}
auth.30=No valid Single Sign-On session found. Authentication process is aborted.
+auth.31=Federated authentication FAILED. No information for AttributeQuery, maybe a timeout occures.
+auth.32=Federated authentication FAILED. No configuration for IDP {0}
+auth.33=Federated authentication FAILED. Configuration of IDP {0} does not allow inbound messages.
+auth.34=Federated authentication FAILED. Configuration of IDP {0} is marked as BusinessService-IDP, but Public-Service attributes are requested.
init.00=MOA ID Authentisierung wurde erfolgreich gestartet
init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar
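Review bot: auth.27 now appends `(Msg:{1})` to the user-visible failure text; if `{1}` is the message of the exception raised while validating the IDP assertion, this can carry internal details (certificate subjects, endpoint URLs, parser errors) to whoever sees the error page, so keep that detail in the server log and leave the rendered message generic unless the argument is known to be a sanitized code. auth.31 also has a typo and should read `auth.31=Federated authentication FAILED. No information for AttributeQuery, maybe a timeout occurred.`. The surrounding properties file is not in Java despite the file's language hint.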
@@ -82,6 +86,7 @@ config.22=F\u00FCr den Interfederation-Gateway mit der ID {0} ist kein Endpunkt
config.23=Fehler beim initialisieren von OpenSAML
config.24=MOA-ID-Auth Configfile {1} does not start with {0} prefix.
config.25=Der verwendete IDP PublicURLPrefix {0} ist nicht erlaubt.
+config.26=Federated IDP {0} contains no AttributeQuery URL.
parser.00=Leichter Fehler beim Parsen: {0}
parser.01=Fehler beim Parsen: {0}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index 4e36e2cbf..2aed7d47d 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -28,6 +28,10 @@ auth.27=4401
auth.28=1100
auth.29=4401
auth.30=1110
+auth.31=TODO
+auth.32=TODO
+auth.33=TODO
+auth.34=TODO
init.00=9199
init.01=9199
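Review bot: The four new entries are set to the literal `TODO` while every other key in this file maps to a four-digit numeric code, so whatever consumes this table to build the protocol status (or parses it as a number) will get an unexpected value for auth.31 to auth.34 as soon as one of the new failure paths in ReceiveAuthnResponseTask is hit. By analogy with the existing entries the timeout case could reuse the code of auth.28 (`auth.31=1100`) and the three IDP-configuration failures the code of auth.29 (`auth.32=4401`, `auth.33=4401`, `auth.34=4401`), but the actual codes should be confirmed against the status-code scheme rather than shipped as placeholders.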
@@ -62,6 +66,7 @@ config.22=9008
config.23=9199
config.24=9199
config.25=9199
+config.26=TODO
parser.00=1101
parser.01=1101
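Review bot: `config.26=TODO` is a placeholder in a file where every other config.* key is a numeric code (9008 or 9199), and config.26 is thrown in this commit's ReceiveAuthnResponseTask when an IDP has no AttributeQuery URL, so the placeholder is reachable from a live configuration error. Assign a real code before merge; the neighbouring config.25 uses `9199` and config.22 (also an endpoint-configuration error) uses `9008`, so `config.26=9008` looks like the closer match, to be confirmed against the scheme.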
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
index d87109244..a07a87c2b 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
@@ -171,31 +171,10 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, extractor.getNameID());
pendingReq.setGenericDataToSession(
PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, extractor.getQAALevel());
-
- //build data-container for AttributeQuery
- FederatedAuthenticatenContainer container = new FederatedAuthenticatenContainer();
- container.setIdpEntityID(idpConfig.getPublicURLPrefix());
- container.setUserNameID(extractor.getNameID());
- container.setUserQAALevel(extractor.getQAALevel());
-
- if (idpConfig.isInterfederationSSOStorageAllowed()) {
- //open SSO session and store IDP as federated IDP
- container.setMoaSessionID(moasession.getSessionID());
-
- //store federatedIDP to MOASession
- authenticatedSessionStorage.
- addFederatedSessionInformation(pendingReq,
- idpConfig.getPublicURLPrefix(), extractor);
-
- }
-
- //store container into transaction storage
- transactionStorage.put(container.getId(), container);
-
- //store container ID to pending-request
- pendingReq.setGenericDataToSession(
- PVPTargetConfiguration.DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID,
- container.getId());
+
+ authenticatedSessionStorage.
+ addFederatedSessionInformation(pendingReq,
+ idpConfig.getPublicURLPrefix(), extractor);
} else {
//SP is real Service-Provider --> check attributes in response
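Review bot: In this branch the federated IDP is now recorded in the MOASession unconditionally, whereas the removed code only called `addFederatedSessionInformation` when `idpConfig.isInterfederationSSOStorageAllowed()` was true, and the second hunk of this file still keeps that guard for the real-Service-Provider branch. If the flag is meant to let an IDP configuration opt out of federated SSO session storage, this branch now bypasses it. If the later AttributeQuery genuinely needs the record regardless of the flag (the new auth.31 message suggests it is looked up by session ID later), say so next to the call, e.g. `// stored unconditionally: the AttributeQuery step resolves the IDP from this record, independent of isInterfederationSSOStorageAllowed`; otherwise restore `if (idpConfig.isInterfederationSSOStorageAllowed())` around it. The enclosing if/else begins before the hunk.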
@@ -204,12 +183,18 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
//get authenticationData and store it into MOASession
getAuthDataFromInterfederation(extractor, pendingReq.getOnlineApplicationConfiguration(),
idpConfig);
+
+ //store federatedIDP to MOASession
+ if (idpConfig.isInterfederationSSOStorageAllowed())
+ authenticatedSessionStorage.
+ addFederatedSessionInformation(pendingReq,
+ idpConfig.getPublicURLPrefix(), extractor);
//update MOASession
authenticatedSessionStorage.storeSession(moasession);
}
-
+
//store valid assertion into pending-request
pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg);
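Review bot: The new `if (idpConfig.isInterfederationSSOStorageAllowed())` governs a statement that spans three lines with no braces, directly above the `//update MOASession` comment and the `storeSession` call, which makes it easy to misread which calls are conditional. Braces around the guarded call, `if (idpConfig.isInterfederationSSOStorageAllowed()) { ... }`, would make the boundary explicit and match the braced form the removed code used. The enclosing else branch starts before the hunk.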
@@ -268,7 +253,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
String endpoint = idpConfig.getIDPAttributQueryServiceURL();
if (MiscUtil.isEmpty(endpoint)) {
Logger.error("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix());
- throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix(), null);
+ throw new ConfigurationException("config.26", new Object[]{idpConfig.getPublicURLPrefix()});
}