diff options
author | pdanner <pdanner@d688527b-c9ab-4aba-bd8d-4036d912da1d> | 2008-06-03 12:37:28 +0000 |
---|---|---|
committer | pdanner <pdanner@d688527b-c9ab-4aba-bd8d-4036d912da1d> | 2008-06-03 12:37:28 +0000 |
commit | 3bbc64da1cd1a70fd255442574b354dad49bf3ed (patch) | |
tree | 19e5f3163d5cf77381bb21169fca9aba65d210d0 | |
parent | f5f802c85e912ce6ea466a2dc5bff02eda8b6f38 (diff) | |
download | moa-id-spss-3bbc64da1cd1a70fd255442574b354dad49bf3ed.tar.gz moa-id-spss-3bbc64da1cd1a70fd255442574b354dad49bf3ed.tar.bz2 moa-id-spss-3bbc64da1cd1a70fd255442574b354dad49bf3ed.zip |
Changes for load balancing and szr-gateway communication
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1082 d688527b-c9ab-4aba-bd8d-4036d912da1d
7 files changed, 119 insertions, 24 deletions
diff --git a/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.4.3.xsd b/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.4.3.xsd index 02183819c..570bebd37 100644 --- a/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.4.3.xsd +++ b/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.4.3.xsd @@ -179,6 +179,7 @@ <xsd:enumeration value="FrontendServlets.DataURLPrefix"/>
<xsd:enumeration value="AuthenticationServer.KeepAssertion"/>
<xsd:enumeration value="AuthenticationServer.WriteAssertionToFile"/>
+ <xsd:enumeration value="AuthenticationServer.SourceID"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:attribute>
diff --git a/id/history.txt b/id/history.txt index c0f80c7c6..95ea0c78d 100644 --- a/id/history.txt +++ b/id/history.txt @@ -3,13 +3,34 @@ von MOA-ID auf. History MOA-ID:
=====
+Version MOA-ID 1.4.4: Änderungen seit Version MOA-ID 1.4.3:
+
+Verbesserungen/Erweiterungen:
+- Bei der beruflichen Parteienvertretung wurde das Stammzahlenregister in den
+ Beispielkonfigurationen vorkonfiguriert.
+
+- MOA-ID erlaubt ab sofort Load-Balancing. Dies wird durch die Konfigurations-
+ möglichkeit der Source-ID für das SAML-Artifact gewährleistet. Das Border-
+ Gateway kann dann anhand dieser Kennung an den zuständigen Server zur Abholung
+ der SAML-Assertion weiterleiten. Über den Konfigurationsparameter
+ <GenericConfiguration name="AuthenticationServer.SourceID" value="Cluster-A"/>
+ kann die authURL bei der Kodierung des SAML-Artifakts durch eine fix
+ definierte URI (z.B. "Cluster-A") ersetzt werden.
+
+Fixes:
+- In der Kommunikation mit dem Stammzahlenregistergateway die beim Einsatz der
+ beruflichen Parteienvertretung notwendig ist, verlangt das Service ein
+ adaptiertes Anfrageformat. MOA-ID wurde im Zuge dessen auf dieses Anfrage-
+ format umgestellt (Version SZR-GW-0.0.2.xsd).
+
+=====
Version MOA-ID 1.4.3-1 (Bugfix Release): Änderungen seit Version MOA-ID 1.4.3:
Verbesserungen/Erweiterungen:
- keine
Fixes:
-- Falscher Schemabenennung in Constants.java des common-Projekts wurde korrigiert.
+- Falsche Schemabenennung in Constants.java des common-Projekts wurde korrigiert.
=====
Version MOA-ID 1.4.3: Änderungen seit Version MOA-ID 1.4.2:
@@ -41,6 +62,7 @@ Fixes: iaik-cms: Version 4.01_MOA
aik-moa: Version 1.23
iaik-ecc: Version 2.16
+
=====
Version MOA-ID 1.4.2: Änderungen seit Version MOA-ID 1.4.2 beta2:
diff --git a/id/server/data/deploy/conf/moa-id/certs/ca-certs/gateway.stammzahlenregister.gv.at.cer b/id/server/data/deploy/conf/moa-id/certs/ca-certs/gateway.stammzahlenregister.gv.at.cer new file mode 100644 index 000000000..c3b67e05d --- /dev/null +++ b/id/server/data/deploy/conf/moa-id/certs/ca-certs/gateway.stammzahlenregister.gv.at.cer @@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE-----
+MIIFSDCCBDCgAwIBAgIDA/o/MA0GCSqGSIb3DQEBBQUAMIGHMQswCQYDVQQGEwJB
+VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp
+bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRYwFAYDVQQLDA1hLXNpZ24tU1NM
+LTAzMRYwFAYDVQQDDA1hLXNpZ24tU1NMLTAzMB4XDTA4MDUxOTA4MzUzNloXDTEz
+MDUxOTA4MzUzNlowgZYxCzAJBgNVBAYTAkFUMR4wHAYDVQQKDBVEYXRlbnNjaHV0
+emtvbW1pc3Npb24xJDAiBgNVBAsMG1N0YW1temFobGVucmVnaXN0ZXJiZWhvZXJk
+ZTEqMCgGA1UEAwwhZ2F0ZXdheS5zdGFtbXphaGxlbnJlZ2lzdGVyLmd2LmF0MRUw
+EwYDVQQFEww2NTYwNzMwNDAyNjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCtAK7fsx5MgRrm7EIF3sxWKroNi+EBitJ1itnXix3L3npMIRUduDLIaMZm
+oLHSMkJmk0ePB74Wvsk/yJt2qTf6N0rDqmn9+lORF242cZeljJ9vVYhIRwbyj5IL
+Qng9vnIr0esCVadknSo357wQSss6oRBuclzf99cNt7zaPqT3+4kyLVtj3/N+ipgn
+8l5ZCNHq+kx+HjssXGARDUFgTFAFcJPDDR6bNWHjsa6Kq6DgXTqUX/tHaJATwkP8
+3bkn0ECAWF5hCVhzGd20MWzSVejkyWnjxxYSXVEsLM17hApDb5Ui01Qyb1RHyYuC
+hXpVuUqHXIZK4MyrUkfBcvMIExYJAgMBAAGjggGqMIIBpjATBgNVHSMEDDAKgAhA
+PqHTYrQD3TByBggrBgEFBQcBAQRmMGQwJwYIKwYBBQUHMAGGG2h0dHA6Ly9vY3Nw
+LmEtdHJ1c3QuYXQvb2NzcDA5BggrBgEFBQcwAoYtaHR0cDovL3d3dy5hLXRydXN0
+LmF0L2NlcnRzL2Etc2lnbi1zc2wtMDMuY3J0MEsGA1UdIAREMEIwQAYGKigAEQEU
+MDYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cuYS10cnVzdC5hdC9kb2NzL2NwL2Et
+c2lnbi1zc2wwgY8GA1UdHwSBhzCBhDCBgaB/oH2Ge2xkYXA6Ly9sZGFwLmEtdHJ1
+c3QuYXQvb3U9YS1zaWduLVNTTC0wMyxvPUEtVHJ1c3QsYz1BVD9jZXJ0aWZpY2F0
+ZXJldm9jYXRpb25saXN0P2Jhc2U/b2JqZWN0Y2xhc3M9ZWlkQ2VydGlmaWNhdGlv
+bkF1dGhvcml0eTARBgNVHQ4ECgQIT1qEKtHyOygwDgYDVR0PAQH/BAQDAgWgMAkG
+A1UdEwQCMAAwDgYHKigACgEBAQQDAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBtb/dG
+Qn/r/MTqnjwFeHTlGwsuKyzx13PE3ZxBa5Q1YvNO9IbTHEi7dIb7LjdFQkkzn/sa
+PREGTRdaukD6JiUNFP0FV1hTNOUfctjiLy212VupdIyC6GYouL11A5UzBoZ5l5xq
+IpYWGJq0JP26jYlu93sSY0m35vVX6FLxJAuy8zQpOoqP4XcIZE4qDC5SqTvmRtLR
+AFCQD3C59/SaBKc73z3GQrfkXfUqKLd+8l0b58FnLNKjHCUvTlt/egmqb6ar/rGj
+fD9pCROYB6H1ryYWTbqCYyG4oNuZ9AwodY7GcDWpIPBP/VVyARgF6V1pEhAdAXMH
+zh/WsPsLHrdYA0/3
+-----END CERTIFICATE-----
diff --git a/id/server/doc/MOA-ID-Configuration-1.4.3.xsd b/id/server/doc/MOA-ID-Configuration-1.4.3.xsd index 02183819c..570bebd37 100644 --- a/id/server/doc/MOA-ID-Configuration-1.4.3.xsd +++ b/id/server/doc/MOA-ID-Configuration-1.4.3.xsd @@ -179,6 +179,7 @@ <xsd:enumeration value="FrontendServlets.DataURLPrefix"/>
<xsd:enumeration value="AuthenticationServer.KeepAssertion"/>
<xsd:enumeration value="AuthenticationServer.WriteAssertionToFile"/>
+ <xsd:enumeration value="AuthenticationServer.SourceID"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:attribute>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java index 27e19e830..b5d18b451 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java @@ -4,6 +4,9 @@ import java.io.ByteArrayOutputStream; import java.security.MessageDigest; import at.gv.egovernment.moa.id.BuildException; +import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; /** @@ -16,6 +19,11 @@ import at.gv.egovernment.moa.util.Base64Utils; public class SAMLArtifactBuilder { /** + * The generic configuration parameter for an alternative SourceID. + */ + private static final String GENERIC_CONFIG_PARAM_SOURCEID = "AuthenticationServer.SourceID"; + + /** * Constructor for SAMLArtifactBuilder. */ public SAMLArtifactBuilder() { @@ -36,25 +44,34 @@ public class SAMLArtifactBuilder { * @return the 42-byte SAML artifact, encoded BASE64 */ public String build(String authURL, String sessionID) throws BuildException { - try { - MessageDigest md = MessageDigest.getInstance("SHA-1"); - byte[] sourceID = md.digest(authURL.getBytes()); - byte[] assertionHandle = md.digest(sessionID.getBytes()); - ByteArrayOutputStream out = new ByteArrayOutputStream(42); - out.write(0); - out.write(1); - out.write(sourceID, 0, 20); - out.write(assertionHandle, 0, 20); - byte[] samlArtifact = out.toByteArray(); - String samlArtifactBase64 = Base64Utils.encode(samlArtifact); - return samlArtifactBase64; - } - catch (Throwable ex) { - throw new BuildException( - "builder.00", - new Object[] {"SAML Artifact, MOASessionID=" + sessionID, ex.toString()}, - ex); - } + try { + MessageDigest md = MessageDigest.getInstance("SHA-1"); + byte[] sourceID; + // alternative sourceId + String alternativeSourceID = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter(GENERIC_CONFIG_PARAM_SOURCEID); + if (!ParepUtils.isEmpty(alternativeSourceID)) { + // if generic config parameter "AuthenticationServer.SourceID" is given, use that sourceID instead of authURL; + sourceID = md.digest(alternativeSourceID.getBytes()); + Logger.info("Building SAMArtifact from sourceID \"" + alternativeSourceID + "\" instead of authURL \"" + authURL + "\"."); + } else { + sourceID = md.digest(authURL.getBytes()); + } + byte[] assertionHandle = md.digest(sessionID.getBytes()); + ByteArrayOutputStream out = new ByteArrayOutputStream(42); + out.write(0); + out.write(1); + out.write(sourceID, 0, 20); + out.write(assertionHandle, 0, 20); + byte[] samlArtifact = out.toByteArray(); + String samlArtifactBase64 = Base64Utils.encode(samlArtifact); + return samlArtifactBase64; + } + catch (Throwable ex) { + throw new BuildException( + "builder.00", + new Object[] {"SAML Artifact, MOASessionID=" + sessionID, ex.toString()}, + ex); + } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/CreateMandateRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/CreateMandateRequest.java index fe8e263ff..3077ba185 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/CreateMandateRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/CreateMandateRequest.java @@ -6,6 +6,7 @@ import java.util.List; import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
+import org.apache.xpath.XPathAPI;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -204,11 +205,31 @@ public class CreateMandateRequest { Element representativeElem = representativeDocument.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, SZRGWConstants.SZRGW_PREFIX + SZRGWConstants.REPRESENTATIVE);
// representativeElem.setAttribute("xmlns" + SZRGWConstants.PD_POSTFIX, Constants.PD_NS_URI);
// representativeElem.setAttribute("xmlns" + SZRGWConstants.SZRGW_POSTFIX, SZRGWConstants.SZRGW_REQUEST_NS);
+
+ //Old Version 0.0.1 of SZR-Gateway
+// representativeElem.appendChild(createIdentificationElem(representativeDocument, identificationType, identificationValue));
+// representativeElem.appendChild(createNameElem(representativeDocument, params.getGivenName(), params.getFamilyName()));
+// representativeElem.appendChild(createPersonDataElem(representativeDocument, SZRGWConstants.DATEOFBIRTH, params.getDateOfBirth()));
- representativeElem.appendChild(createIdentificationElem(representativeDocument, identificationType, identificationValue));
- representativeElem.appendChild(createNameElem(representativeDocument, params.getGivenName(), params.getFamilyName()));
- representativeElem.appendChild(createPersonDataElem(representativeDocument, SZRGWConstants.DATEOFBIRTH, params.getDateOfBirth()));
-
+ //New since version 0.0.2 of SZR-Gateway:
+ // we need to send an identity link and must replace its identification value
+ representativeElem.appendChild(representativeElem.getOwnerDocument().importNode(params.getIdentityLink(), true));
+ try {
+ Element nameSpaceNode = representativeElem.getOwnerDocument().createElement("NameSpaceNode");
+ nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.PD_POSTFIX, Constants.PD_NS_URI);
+ nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.SAML_POSTFIX, Constants.SAML_NS_URI);
+ nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.SZRGW_POSTFIX, SZRGWConstants.SZRGW_REQUEST_NS);
+ Element identificationValueElement = (Element) XPathAPI.selectSingleNode(representativeElem, "descendant-or-self::" + SZRGWConstants.SZRGW_PREFIX + SZRGWConstants.REPRESENTATIVE + "/" +SZRGWConstants.SAML_PREFIX + "Assertion/saml:AttributeStatement/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData/pr:Person/pr:Identification/pr:Value", nameSpaceNode);
+ if (identificationValueElement != null) {
+ identificationValueElement.setTextContent(identificationValue);
+ }
+ Element identificationTypeElement = (Element) XPathAPI.selectSingleNode(representativeElem, "descendant-or-self::" + SZRGWConstants.SZRGW_PREFIX + SZRGWConstants.REPRESENTATIVE + "/" +SZRGWConstants.SAML_PREFIX + "Assertion/saml:AttributeStatement/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData/pr:Person/pr:Identification/pr:Type", nameSpaceNode);
+ if (identificationTypeElement != null) {
+ identificationTypeElement.setTextContent(identificationType);
+ }
+ } catch (Exception e) {
+ throw new SZRGWClientException("validator.63", null);
+ }
this.representative = representativeElem;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWConstants.java index 006b2b9f2..cc0cc4862 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWConstants.java @@ -10,6 +10,8 @@ public interface SZRGWConstants { //PersonData
public static final String PD_PREFIX = "pr:";
public static final String PD_POSTFIX = ":pr";
+ public static final String SAML_PREFIX = "saml:";
+ public static final String SAML_POSTFIX = ":saml";
public static final String PERSON = "Person";
public static final String PHYSICALPERSON = "PhysicalPerson";
public static final String CORPORATEBODY = "CorporateBody";
|