diff options
| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2013-07-12 11:06:06 +0200 |
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2013-07-12 11:06:06 +0200 |
| commit | 31ab8aace485fb61f7c872ebaa143299c6e5dcf1 (patch) | |
| tree | 41da03bf1ce918919fb73da1cecbe3baac7c9594 | |
| parent | 4fd52221a71a7f9f7683c34cc573aa44b9adcc1c (diff) | |
| download | moa-id-spss-31ab8aace485fb61f7c872ebaa143299c6e5dcf1.tar.gz moa-id-spss-31ab8aace485fb61f7c872ebaa143299c6e5dcf1.tar.bz2 moa-id-spss-31ab8aace485fb61f7c872ebaa143299c6e5dcf1.zip | |
SSO Implementation
19 files changed, 460 insertions, 221 deletions
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/Constants.java b/common/src/main/java/at/gv/egovernment/moa/util/Constants.java index c4f7eb3f3..39cee3a04 100644 --- a/common/src/main/java/at/gv/egovernment/moa/util/Constants.java +++ b/common/src/main/java/at/gv/egovernment/moa/util/Constants.java @@ -265,6 +265,8 @@ public interface Constants { /** URI of the XAdES v1.1.1 namespace */ public static final String XADES_1_1_1_NS_URI = "http://uri.etsi.org/01903/v1.1.1#"; + public static final String XADES_1_1_1_NS_PREFIX = "xades"; + /** Local location of the XAdES v1.2.2 schema definition */ public static final String XADES_1_2_2_SCHEMA_LOCATION = SCHEMA_ROOT + "XAdES-1.2.2.xsd"; diff --git a/common/src/main/java/at/gv/egovernment/moa/util/XPathUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/XPathUtils.java index faa009b0e..21c41257a 100644 --- a/common/src/main/java/at/gv/egovernment/moa/util/XPathUtils.java +++ b/common/src/main/java/at/gv/egovernment/moa/util/XPathUtils.java @@ -87,6 +87,7 @@ public class XPathUtils { ctx.addNamespace(Constants.SAML2_PREFIX, Constants.SAML2_NS_URI); ctx.addNamespace(Constants.SAML2P_PREFIX, Constants.SAML2P_NS_URI); ctx.addNamespace(Constants.XENC_PREFIX, Constants.XENC_NS_URI); + ctx.addNamespace(Constants.XADES_1_1_1_NS_PREFIX, Constants.XADES_1_1_1_NS_URI); NS_CONTEXT = ctx; } @@ -480,7 +481,7 @@ public class XPathUtils { else { MessageProvider msg = MessageProvider.getInstance(); - String message = msg.getMessage("xpath.00", new Object[] { "Ungültiger Security Layer Namespace: \"" + sLNamespace + "\"."}); + String message = msg.getMessage("xpath.00", new Object[] { "Ung�ltiger Security Layer Namespace: \"" + sLNamespace + "\"."}); throw new XPathException(message, null); } @@ -546,7 +547,7 @@ public class XPathUtils { return slPrefix; } else { MessageProvider msg = MessageProvider.getInstance(); - String message = msg.getMessage("xpath.00", new Object[] { "Ungültiger SecurityLayer Namespace: \"" + nameSpace + "\"."}); + String message = msg.getMessage("xpath.00", new Object[] { "Ung�ltiger SecurityLayer Namespace: \"" + nameSpace + "\"."}); throw new XPathException(message, null); } } diff --git a/id/server/auth/src/main/webapp/WEB-INF/web.xml b/id/server/auth/src/main/webapp/WEB-INF/web.xml index 68fb1c6c6..dbef0c675 100644 --- a/id/server/auth/src/main/webapp/WEB-INF/web.xml +++ b/id/server/auth/src/main/webapp/WEB-INF/web.xml @@ -16,11 +16,11 @@ <servlet-class>at.gv.egovernment.moa.id.auth.servlet.GenerateIFrameTemplateServlet</servlet-class> </servlet> <servlet> - <servlet-name>StartAuthentication</servlet-name> - <display-name>StartAuthentication</display-name> - <description>Start authentication process</description> - <servlet-class>at.gv.egovernment.moa.id.auth.servlet.StartAuthenticationServlet</servlet-class> - <load-on-startup>0</load-on-startup> + <servlet-name>LogOut</servlet-name> + <display-name>LogOut</display-name> + <description>SSO LogOut</description> + <servlet-class>at.gv.egovernment.moa.id.auth.servlet.LogOutServlet</servlet-class> + <load-on-startup>1</load-on-startup> </servlet> <servlet> <servlet-name>VerifyIdentityLink</servlet-name> @@ -139,10 +139,10 @@ <servlet-name>GenerateIframeTemplate</servlet-name> <url-pattern>/GenerateIframeTemplate</url-pattern> </servlet-mapping>GenerateIframeTemplate -<!-- <servlet-mapping> - <servlet-name>StartAuthentication</servlet-name> - <url-pattern>/StartBKUAuthentication</url-pattern> - </servlet-mapping> --> + <servlet-mapping> + <servlet-name>LogOut</servlet-name> + <url-pattern>/LogOut</url-pattern> + </servlet-mapping> <servlet-mapping> <servlet-name>VerifyIdentityLink</servlet-name> <url-pattern>/VerifyIdentityLink</url-pattern> diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 19af66150..f7c0ff812 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -1850,7 +1850,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { // TODO See Bug #144 // Compare AuthBlock Data with information stored in session, especially // date and time - + CreateXMLSignatureResponseValidator.getInstance().validateSigningDateTime(csresp); + // compares the public keys from the identityLink with the AuthBlock VerifyXMLSignatureResponseValidator.getInstance().validateCertificate( vsresp, session.getIdentityLink()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/VerifyXMLSignatureResponse.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/VerifyXMLSignatureResponse.java index c41de1904..ed54683ca 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/VerifyXMLSignatureResponse.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/VerifyXMLSignatureResponse.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.auth.data; import java.io.Serializable; +import java.util.Date; import iaik.x509.X509Certificate; @@ -64,6 +65,8 @@ public class VerifyXMLSignatureResponse implements Serializable{ */ private int signatureManifestCheckCode = -1; + private Date signingDateTime; + /** * Returns the certificateCheckCode. * @return int @@ -226,4 +229,13 @@ public class VerifyXMLSignatureResponse implements Serializable{ this.signatureManifestCheckCode = signatureManifestCheckCode; } + public Date getSigningDateTime() { + return signingDateTime; + } + + public void setSigningDateTime(Date signingDateTime) { + this.signingDateTime = signingDateTime; + } + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java index 16ff65477..571d4e738 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java @@ -50,8 +50,10 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.config.stork.CPEPS; import at.gv.egovernment.moa.id.config.stork.STORKConfig; +import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.RequestStorage; +import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.HTTPUtils; @@ -66,103 +68,48 @@ import eu.stork.vidp.messages.exception.SAMLValidationException; import eu.stork.vidp.messages.stork.QualityAuthenticationAssuranceLevel; import eu.stork.vidp.messages.stork.RequestedAttributes; -/** - * Servlet requested for starting a MOA ID authentication session. - * Utilizes the {@link AuthenticationServer}. - * - * @author Paul Ivancsics - * @version $Id$ - * @see AuthenticationServer#startAuthentication - */ -public class StartAuthenticationServlet extends AuthServlet { +public class LogOutServlet extends AuthServlet { - /** - * - */ private static final long serialVersionUID = 3908001651893673395L; - -/** - * Responds with an HTML form which upon submit requests the identity link - * from the security layer implementation. - * <br> - * Response: - * <ul> - * <li>Content type: <code>"text/html"</code></li> - * <li>Content: see return value of {@link AuthenticationServer#startAuthentication}</li> - * <li>Error status: <code>500</code> - * </ul> - * @see javax.servlet.http.HttpServlet#doGet(HttpServletRequest, HttpServletResponse) - */ + private static final String REDIRECT_URL = "redirect"; + protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - Logger.debug("GET StartAuthentication"); - - String sessionID = req.getParameter(PARAM_SESSIONID); - sessionID = (String) req.getAttribute(PARAM_SESSIONID); - + Logger.debug("receive LogOut Request"); + String redirectUrl = (String) req.getParameter(REDIRECT_URL); - try { - - if (StringUtils.isEmpty(sessionID)) - throw new MOAIDException("auth.18", null); - - sessionID = StringEscapeUtils.escapeHtml(sessionID); - - if (!ParamValidatorUtils.isValidSessionID(sessionID)) - throw new WrongParametersException("StartAuthentication", PARAM_SESSIONID, "auth.12"); - - setNoCachingHeadersInHttpRespone(req, resp); - - - //TODO: Load MOASession - AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(sessionID); + SSOManager ssomanager = SSOManager.getInstance(); + + //get SSO token from request + String ssoid = ssomanager.getSSOSessionID(req); - STORKConfig storkConfig = AuthConfigurationProvider.getInstance().getStorkConfig(); - - Logger.info("Starting authentication for a citizen of country: " + (StringUtils.isEmpty(moasession.getCcc()) ? "AT" : moasession.getCcc())); - // STORK or normal authentication - if (storkConfig.isSTORKAuthentication(moasession.getCcc())) { - //STORK authentication - Logger.trace("Found C-PEPS configuration for citizen of country: " + moasession.getCcc()); - Logger.debug("Starting STORK authentication"); - - //TODO: insert sessionID to STORK!! - AuthenticationServer.startSTORKAuthentication(req, resp, moasession); - - } else { - //normal MOA-ID authentication - Logger.debug("Starting normal MOA-ID authentication"); - - String getIdentityLinkForm = AuthenticationServer.getInstance().startAuthentication(moasession, req.getScheme()); - - resp.setContentType("text/html;charset=UTF-8"); - PrintWriter out = new PrintWriter(resp.getOutputStream()); - out.print(getIdentityLinkForm); - out.flush(); - } - Logger.debug("Finished GET StartAuthentication"); + if (ssomanager.isValidSSOSession(ssoid, req)) { + + //TODO: Single LogOut Implementation + //delete SSO session and MOA session + AuthenticationManager authmanager = AuthenticationManager.getInstance(); + authmanager.logout(req, resp); + Logger.info("User with SSO Id " + ssoid + " is logged out and get redirect to "+ redirectUrl); + } else { + Logger.info("No active SSO session found. User is maybe logout already and get redirect to "+ redirectUrl); } - catch (WrongParametersException ex) { - handleWrongParameters(ex, req, resp); - } - - catch (MOAIDException ex) { - handleError(null, ex, req, resp); - - } catch (MOADatabaseException e) { - handleError(null, e, req, resp); - } + //Remove SSO token + ssomanager.deleteSSOSessionID(req, resp); + + //invalidate Session + req.getSession().invalidate(); + + //Redirect to Application + resp.setStatus(301); + resp.addHeader("Location", redirectUrl); } - /** - * @see javax.servlet.http.HttpServlet#doPost(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) - */ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index e77dd30d0..115c52688 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -55,6 +55,7 @@ public class CreateXMLSignatureResponseValidator { /** Xpath expression to the dsig:Signature element */ private static final String SIGNATURE_XPATH = Constants.DSIG_PREFIX + ":Signature"; + private static final String XADES_SIGNINGTIME_PATH = Constants.XADES_1_1_1_NS_PREFIX + ":SigningTime"; /** Singleton instance. <code>null</code>, if none has been created. */ private static CreateXMLSignatureResponseValidator instance; @@ -331,4 +332,11 @@ public class CreateXMLSignatureResponseValidator { throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; } } + + public void validateSigningDateTime( CreateXMLSignatureResponse csresp) throws ValidateException { + + //TODO: insert Time validation!!!! + + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index 90282a28c..892607c16 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -35,6 +35,7 @@ import java.security.interfaces.RSAPublicKey; import java.util.List; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; @@ -154,7 +155,7 @@ public class VerifyXMLSignatureResponseValidator { } } - + /** * Method validateCertificate. * @param verifyXMLSignatureResponse The VerifyXMLSignatureResponse diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 244197379..4c5b82db8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -1,5 +1,7 @@ package at.gv.egovernment.moa.id.entrypoints; +import iaik.util.logging.Log; + import java.io.IOException; import java.util.Iterator; @@ -12,6 +14,7 @@ import javax.servlet.http.HttpSession; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; import at.gv.egovernment.moa.id.auth.WrongParametersException; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.moduls.IAction; @@ -20,11 +23,14 @@ import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.ModulStorage; import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException; import at.gv.egovernment.moa.id.moduls.RequestStorage; +import at.gv.egovernment.moa.id.moduls.SSOManager; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.storage.ExceptionStoreImpl; +import at.gv.egovernment.moa.id.util.HTTPSessionUtils; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.logging.Logger; -public class DispatcherServlet extends AuthServlet { +public class DispatcherServlet extends AuthServlet{ /** * @@ -189,7 +195,31 @@ public class DispatcherServlet extends AuthServlet { AuthenticationManager authmanager = AuthenticationManager.getInstance(); + SSOManager ssomanager = SSOManager.getInstance(); + + //get SSO Cookie for Request + String ssoId = ssomanager.getSSOSessionID(req); + if (moduleAction.needAuthentication(protocolRequest, req, resp)) { + + //check SSO session + if (ssoId != null) { + String correspondingMOASession = ssomanager.existsOldSSOSession(ssoId); + + if (correspondingMOASession != null) { + Log.warn("Request sends an old SSO Session ID("+ssoId+")! " + + "Invalidate the corresponding MOASession with ID="+ correspondingMOASession); + + AuthenticationSessionStoreage.destroySession(correspondingMOASession); + ssomanager.deleteSSOSessionID(req, resp); + } + } + + boolean isValidSSOSession = ssomanager.isValidSSOSession(ssoId, req); + + //TODO: load useSSO from config! + boolean useSSOOA = true; + if (protocolRequest.isPassiv() && protocolRequest.forceAuth()) { // conflict! @@ -206,8 +236,7 @@ public class DispatcherServlet extends AuthServlet { } else if (protocolRequest.isPassiv()) { if (authmanager.tryPerformAuthentication(req, resp) - || authmanager.isAuthenticated(req, - resp)) { + || (isValidSSOSession && useSSOOA) ) { // Passive authentication ok! } else { throw new NoPassivAuthenticationException(); @@ -215,8 +244,7 @@ public class DispatcherServlet extends AuthServlet { } else { if (authmanager.tryPerformAuthentication(req, resp) - || authmanager.isAuthenticated(req, - resp)) { + || (isValidSSOSession && useSSOOA) ) { // Is authenticated .. proceed } else { // Start authentication! @@ -226,11 +254,26 @@ public class DispatcherServlet extends AuthServlet { } } } - + moduleAction.processRequest(protocolRequest, req, resp); + //save SSO session usage in Database + String moasessionID = HTTPSessionUtils.getHTTPSessionString(req.getSession(), + AuthenticationManager.MOA_SESSION, null); + + String newSSOSessionId = ssomanager.storeSSOSessionInformations(moasessionID, protocolRequest.getOAURL()); + + if (newSSOSessionId != null) { + ssomanager.setSSOSessionID(req, resp, newSSOSessionId); + + } else { + ssomanager.deleteSSOSessionID(req, resp); + } + RequestStorage.removePendingRequest(httpSession); - authmanager.logout(req, resp); + + + //authmanager.logout(req, resp); } catch (Throwable e) { e.printStackTrace(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 58fec9790..d04c0b3d5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -66,45 +66,45 @@ public class AuthenticationManager extends AuthServlet { return null; } - /** - * Checks if the session is authenticated - * - * @param request - * @param response - * @return - */ - public boolean isAuthenticated(HttpServletRequest request, - HttpServletResponse response) { - Logger.info("Checking authentication"); - - HttpSession session = request.getSession(); - - String moaSessionID = HTTPSessionUtils.getHTTPSessionString(session, MOA_SESSION, null); - - if(moaSessionID == null) { - Logger.info("NO MOA Session to logout"); - return false; - } - -// AuthenticationSession authSession; -// try { -// authSession = AuthenticationSessionStoreage -// .getSession(moaSessionID); -// -// } catch (MOADatabaseException e) { -// Logger.info("NO MOA Authentication data for ID " + moaSessionID); -// return false; -// } +// /** +// * Checks if the session is authenticated +// * +// * @param request +// * @param response +// * @return +// */ +// public boolean isAuthenticated(HttpServletRequest request, +// HttpServletResponse response) { +// Logger.info("Checking authentication"); +// +// HttpSession session = request.getSession(); +// +// String moaSessionID = HTTPSessionUtils.getHTTPSessionString(session, MOA_SESSION, null); // -// if(authSession == null) { -// Logger.info("NO MOA Authentication data for ID " + moaSessionID); +// if(moaSessionID == null) { +// Logger.info("NO MOA Session to logout"); // return false; // } // -// return authSession.isAuthenticated(); - - return AuthenticationSessionStoreage.isAuthenticated(moaSessionID); - } +//// AuthenticationSession authSession; +//// try { +//// authSession = AuthenticationSessionStoreage +//// .getSession(moaSessionID); +//// +//// } catch (MOADatabaseException e) { +//// Logger.info("NO MOA Authentication data for ID " + moaSessionID); +//// return false; +//// } +//// +//// if(authSession == null) { +//// Logger.info("NO MOA Authentication data for ID " + moaSessionID); +//// return false; +//// } +//// +//// return authSession.isAuthenticated(); +// +// return AuthenticationSessionStoreage.isAuthenticated(moaSessionID); +// } /** * Checks if this request can authenticate a MOA Session diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 9dcef5778..3bbb3bd2a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -174,6 +174,8 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); AssertionConsumerService consumerService = spSSODescriptor.getAssertionConsumerServices().get(assertionidx); AttributeConsumingService attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); + + //TODO: maybe change to getEntityID() String oaURL = consumerService.getLocation(); String binding = consumerService.getBinding(); String entityID = moaRequest.getEntityMetadata().getEntityID(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index 3634c9983..2c4b7c4c5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -32,9 +32,6 @@ public class GetArtifactAction implements IAction { AuthenticationManager authmanager = AuthenticationManager.getInstance(); AuthenticationSession session = authmanager.getAuthenticationSession(httpSession); - -// String oaURL = (String) httpReq.getAttribute(PARAM_OA); -// oaURL = StringEscapeUtils.escapeHtml(oaURL); String oaURL = (String) req.getOAURL(); String target = (String) req.getTarget(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 09314ba37..d6cf84d86 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -95,6 +95,8 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { config.setTarget(oaParam.getTarget()); + //TODO: set reauthenticate if OA.useSSO=false + request.getSession().setAttribute(PARAM_OA, oaURL); request.getSession().setAttribute(PARAM_TARGET, oaParam.getTarget()); return config; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 44f0563b1..8ea6a6633 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -13,6 +13,7 @@ import org.apache.commons.lang.SerializationUtils; import org.hibernate.HibernateException; import org.hibernate.Query; import org.hibernate.Session; +import org.hibernate.Transaction; import at.gv.egovernment.moa.id.AuthenticationException; import at.gv.egovernment.moa.id.MOAIDException; @@ -20,6 +21,8 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.commons.db.HibernateUtil; import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; @@ -93,16 +96,48 @@ public class AuthenticationSessionStoreage { public static void destroySession(String moaSessionID) throws MOADatabaseException { - try { - AuthenticatedSessionStore dbsession = searchInDatabase(moaSessionID); - HibernateUtil.delete(dbsession); + Session session = HibernateUtil.getCurrentSession(); + + List result; + + synchronized (session) { + + session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithID"); + query.setString("sessionid", moaSessionID); + result = query.list(); + + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + throw new MOADatabaseException("No session found with this sessionID"); + } + + AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0); - } catch (MOADatabaseException e) { - Logger.warn("MOASession could not be destroyed."); - throw new MOADatabaseException(e); - } +// //delete old SSO Session Ids +// List<OldSSOSessionIDStore> oldssosessionids = dbsession.getOldssosessionids(); +// +// for (OldSSOSessionIDStore oldsssid : oldssosessionids) { +// session.delete(oldsssid); +// } +// +// //delete active OA +// List<OASessionStore> activeOAs = dbsession.getActiveOAsessions(); +// +// for (OASessionStore activeOA : activeOAs) { +// session.delete(activeOA); +// +// } + + //delete MOA Session + session.delete(dbsession); + session.getTransaction().commit(); + } - } // public static void dumpSessionStore() { @@ -141,10 +176,7 @@ public class AuthenticationSessionStoreage { throw new AuthenticationException("TODO!", null); } - - - - + // synchronized (sessionStore) { // if (sessionStore.containsKey(session.getSessionID())) { // AuthenticationSession theSession = sessionStore.get(session @@ -163,6 +195,77 @@ public class AuthenticationSessionStoreage { // throw new AuthenticationException("TODO!", null); } + public static void addSSOInformation(String moaSessionID, String SSOSessionID, + String OAUrl) throws AuthenticationException { + + AuthenticatedSessionStore dbsession; + Transaction tx = null; + + try { + + Session session = HibernateUtil.getCurrentSession(); + List result; + + synchronized (session) { + + tx = session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithID"); + query.setString("sessionid", moaSessionID); + result = query.list(); + + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + throw new MOADatabaseException("No session found with this sessionID"); + } + + dbsession = (AuthenticatedSessionStore) result.get(0); + + //set active OA applications + OASessionStore activeOA = new OASessionStore(); + activeOA.setOaurlprefix(OAUrl); + activeOA.setMoasession(dbsession); + activeOA.setCreated(new Date()); + + List<OASessionStore> activeOAs = dbsession.getActiveOAsessions(); + activeOAs.add(activeOA); + dbsession.setActiveOAsessions(activeOAs); + + + //Store used SSOId + if (dbsession.getSSOsessionid() != null) { + OldSSOSessionIDStore oldSSOId = new OldSSOSessionIDStore(); + oldSSOId.setOldsessionid(dbsession.getSSOsessionid()); + oldSSOId.setMoasession(dbsession); + + List<OldSSOSessionIDStore> oldSSOIds = dbsession.getOldssosessionids(); + oldSSOIds.add(oldSSOId); + } + + dbsession.setSSOSession(true); + dbsession.setSSOsessionid(SSOSessionID); + + //Store MOASession + session.saveOrUpdate(dbsession); + + //send transaction + tx.commit(); + } + + } catch (MOADatabaseException e) { + throw new AuthenticationException("No MOASession found with Id="+moaSessionID, null); + + } catch(HibernateException e) { + Logger.warn("Error during database saveOrUpdate. Rollback.", e); + tx.rollback(); + throw new AuthenticationException("SSO Session information can not be stored! --> SSO is deactivated", null); + } + } + + public static AuthenticationSession getSession(String sessionID) throws MOADatabaseException { try { @@ -181,6 +284,49 @@ public class AuthenticationSessionStoreage { } } + public static boolean isValidSessionWithSSOID(String SSOId, String moaSessionId) { + + MiscUtil.assertNotNull(SSOId, "moasessionID"); + Logger.trace("Get authenticated session with SSOID " + SSOId + " from database."); + Session session = HibernateUtil.getCurrentSession(); + + List<AuthenticatedSessionStore> result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithSSOID"); + query.setString("sessionid", SSOId); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + return false; + + } else { + AuthenticatedSessionStore dbsession = result.get(0); + + + if (dbsession.getSessionid().equals(moaSessionId) && dbsession.isAuthenticated()) { + Log.info("Found SSO Session Cookie for MOA Session =" + moaSessionId); + return true; + + } else { + Log.warn("Found SSO Session with ID="+ dbsession.getSessionid() + + " but this Session does not match to MOA Sesson ID=" + moaSessionId); + } + + return false; + } + + } + public static void clean(long now, long authDataTimeOut) { Date expioredate = new Date(now - authDataTimeOut); diff --git a/id/server/moa-id-commons/.classpath b/id/server/moa-id-commons/.classpath index 8b5a9fa96..f903134e9 100644 --- a/id/server/moa-id-commons/.classpath +++ b/id/server/moa-id-commons/.classpath @@ -28,5 +28,10 @@ <attribute name="org.eclipse.jst.component.nondependency" value=""/> </attributes> </classpathentry> + <classpathentry excluding="**" kind="src" output="target/test-classes" path="src/test/resources"> + <attributes> + <attribute name="maven.pomderived" value="true"/> + </attributes> + </classpathentry> <classpathentry kind="output" path="target/classes"/> </classpath> diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml index 0abd80602..e2189372b 100644 --- a/id/server/moa-id-commons/pom.xml +++ b/id/server/moa-id-commons/pom.xml @@ -32,6 +32,17 @@ </dependency> <dependency> + <groupId>org.hibernate.javax.persistence</groupId> + <artifactId>hibernate-jpa-2.0-api</artifactId> + <version>1.0.0.Final</version> + </dependency> + <dependency> + <groupId>org.jvnet.hyperjaxb3</groupId> + <artifactId>hyperjaxb3-ejb-runtime</artifactId> + <version>0.5.6</version> + </dependency> + + <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <version>5.1.25</version> @@ -65,6 +76,34 @@ </execution> </executions> </plugin> + + <plugin> + <groupId>org.jvnet.hyperjaxb3</groupId> + <artifactId>maven-hyperjaxb3-plugin</artifactId> + <version>0.5.6</version> + <executions> + <execution> + <phase>generate-sources</phase> + <goals> + <goal>generate</goal> + </goals> + </execution> + </executions> + <configuration> + <extension>true</extension> + <roundtripTestClassName>RoundtripTest</roundtripTestClassName> + </configuration> + </plugin> + <plugin> + <inherited>true</inherited> + <artifactId>maven-compiler-plugin</artifactId> + <version>2.0.2</version> + <configuration> + <source>1.5</source> + <target>1.5</target> + </configuration> + </plugin> + <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-javadoc-plugin</artifactId> diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java index 01c18062c..4ed42175e 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java @@ -1,14 +1,18 @@ package at.gv.egovernment.moa.id.commons.db.dao.session; import java.io.Serializable; +import java.util.ArrayList; import java.util.Date; +import java.util.List; import java.util.Set; +import javax.persistence.CascadeType; import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.GeneratedValue; import javax.persistence.GenerationType; import javax.persistence.Id; +import javax.persistence.JoinColumn; import javax.persistence.Lob; import javax.persistence.OneToMany; import javax.persistence.PrePersist; @@ -18,6 +22,7 @@ import javax.persistence.Temporal; import javax.persistence.TemporalType; import org.hibernate.annotations.DynamicUpdate; +import org.hibernate.annotations.IndexColumn; import org.hibernate.annotations.NamedQueries; import org.hibernate.annotations.NamedQuery; @@ -26,6 +31,7 @@ import org.hibernate.annotations.NamedQuery; @Table(name = "authenticatedsessionstore") @NamedQueries({ @NamedQuery(name="getSessionWithID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore where authenticatedsessionstore.sessionid = :sessionid"), + @NamedQuery(name="getSessionWithSSOID", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore where authenticatedsessionstore.SSOsessionid = :sessionid"), @NamedQuery(name="getMOAISessionsWithTimeOut", query = "select authenticatedsessionstore from AuthenticatedSessionStore authenticatedsessionstore where authenticatedsessionstore.created < :timeout") }) @@ -34,13 +40,16 @@ public class AuthenticatedSessionStore implements Serializable{ private static final long serialVersionUID = 1L; @Id - @GeneratedValue(strategy=GenerationType.AUTO) + @GeneratedValue(strategy = GenerationType.IDENTITY) @Column(name = "id", unique=true, nullable=false) - private int id = 0; + private long id; @Column(name = "sessionid", unique=true, nullable=false) private String sessionid; + @Column(name = "SSOsessionid") + private String SSOsessionid; + @Column(name = "session", nullable=false) @Lob private byte [] session; @@ -49,12 +58,6 @@ public class AuthenticatedSessionStore implements Serializable{ @Column(name = "isSSOSession", nullable=false) private boolean isSSOSession = false; - - @OneToMany(mappedBy="ssoidentifier") - private Set<OASessionStore> activeOAsessions; - - @OneToMany(mappedBy="ssoidentifier") - private Set<OldSSOSessionIDStore> oldssosessionids; @Column(name = "created", updatable=false, nullable=false) @Temporal(TemporalType.TIMESTAMP) @@ -63,7 +66,13 @@ public class AuthenticatedSessionStore implements Serializable{ @Column(name = "updated") @Temporal(TemporalType.TIMESTAMP) private Date updated; - + + @OneToMany(mappedBy="moasession", cascade=CascadeType.ALL) + private List<OASessionStore> activeOAsessions = null; + + @OneToMany(mappedBy="moasession", cascade=CascadeType.ALL) + private List<OldSSOSessionIDStore> oldssosessionids = null; + @PrePersist protected void created() { this.updated = this.created = new Date(); @@ -74,12 +83,11 @@ public class AuthenticatedSessionStore implements Serializable{ this.updated = new Date(); } - - public int getId() { + public long getId() { return id; } - public void setId(int id) { + public void setId(long id) { this.id = id; } @@ -91,6 +99,14 @@ public class AuthenticatedSessionStore implements Serializable{ this.sessionid = sessionid; } + public String getSSOsessionid() { + return SSOsessionid; + } + + public void setSSOsessionid(String sSOsessionid) { + SSOsessionid = sSOsessionid; + } + public byte[] getSession() { return session; } @@ -107,30 +123,51 @@ public class AuthenticatedSessionStore implements Serializable{ this.isAuthenticated = isAuthenticated; } - public Date getCreated() { - return created; + public boolean isSSOSession() { + return isSSOSession; } - public Date getUpdated() { - return updated; + public void setSSOSession(boolean isSSOSession) { + this.isSSOSession = isSSOSession; + } + + public Date getCreated() { + return created; } public void setCreated(Date created) { this.created = created; } + public Date getUpdated() { + return updated; + } + public void setUpdated(Date updated) { this.updated = updated; } - public boolean isSSOSession() { - return isSSOSession; + public List<OASessionStore> getActiveOAsessions() { + return activeOAsessions; } - public void setSSOSession(boolean isSSOSession) { - this.isSSOSession = isSSOSession; + public void setActiveOAsessions(List<OASessionStore> activeOAsessions) { + if (activeOAsessions == null) { + this.activeOAsessions = new ArrayList<OASessionStore>(); + } + + this.activeOAsessions = activeOAsessions; } + public List<OldSSOSessionIDStore> getOldssosessionids() { + return oldssosessionids; + } + public void setOldssosessionids(List<OldSSOSessionIDStore> oldssosessionids) { + this.oldssosessionids = oldssosessionids; + } + + + } diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java index 597c275b7..c7672f9ba 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java @@ -5,6 +5,7 @@ import java.util.Date; import javax.persistence.Column; import javax.persistence.Entity; +import javax.persistence.FetchType; import javax.persistence.GeneratedValue; import javax.persistence.GenerationType; import javax.persistence.Id; @@ -23,49 +24,38 @@ import org.hibernate.annotations.NamedQuery; @DynamicUpdate(value=true) @Table(name = "oasessionstore") -@NamedQueries({ - @NamedQuery(name="getOAsWithSSOID", query = "select oasessionstore from OASessionStore oasessionstore where oasessionstore.ssoidentifier = :ssoidentifier") -}) - public class OASessionStore implements Serializable{ private static final long serialVersionUID = 1L; @Id - @GeneratedValue(strategy=GenerationType.AUTO) + @GeneratedValue(strategy = GenerationType.IDENTITY) @Column(name = "idOASession", unique=true, nullable=false) - private int idOASession = 0; - - @ManyToOne - @JoinColumn(name = "id") - private AuthenticatedSessionStore ssoidentifier; - + private long idOASession; + @Column(name = "oaurlprefix", unique=false, nullable=false) private String oaurlprefix; @Column(name = "created", updatable=false, nullable=false) - @Temporal(TemporalType.TIMESTAMP) +// @Temporal(TemporalType.TIMESTAMP) private Date created; - @PrePersist - protected void created() { - this.created = new Date(); - } +// @PrePersist +// protected void created() { +// this.created = new Date(); +// } - public int getId() { - return idOASession; - } - - public void setId(int id) { - this.idOASession = id; - } + //@ManyToOne(fetch=FetchType.LAZY) + @ManyToOne(fetch=FetchType.LAZY) + @JoinColumn(name = "moasession") + private AuthenticatedSessionStore moasession; - public AuthenticatedSessionStore getSsoidentifier() { - return ssoidentifier; + public long getIdOASession() { + return idOASession; } - public void setSsoidentifier(AuthenticatedSessionStore ssoidentifier) { - this.ssoidentifier = ssoidentifier; + public void setIdOASession(long idOASession) { + this.idOASession = idOASession; } public String getOaurlprefix() { @@ -76,6 +66,14 @@ public class OASessionStore implements Serializable{ this.oaurlprefix = oaurlprefix; } + public AuthenticatedSessionStore getMoasession() { + return moasession; + } + + public void setMoasession(AuthenticatedSessionStore moasession) { + this.moasession = moasession; + } + public Date getCreated() { return created; } @@ -83,6 +81,8 @@ public class OASessionStore implements Serializable{ public void setCreated(Date created) { this.created = created; } + + } diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OldSSOSessionIDStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OldSSOSessionIDStore.java index 571acd094..3ec2babad 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OldSSOSessionIDStore.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OldSSOSessionIDStore.java @@ -4,6 +4,7 @@ import java.io.Serializable; import javax.persistence.Column; import javax.persistence.Entity; +import javax.persistence.FetchType; import javax.persistence.GeneratedValue; import javax.persistence.GenerationType; import javax.persistence.Id; @@ -28,31 +29,24 @@ public class OldSSOSessionIDStore implements Serializable{ private static final long serialVersionUID = 1L; @Id - @GeneratedValue(strategy=GenerationType.AUTO) + @GeneratedValue(strategy = GenerationType.IDENTITY) @Column(name = "idOldSSOSession", unique=true, nullable=false) - private int idOldSSOSession = 0; - - @ManyToOne - @JoinColumn(name = "id") - private AuthenticatedSessionStore ssoidentifier; - + private long idOldSSOSession; + @Column(name = "oldsessionid", unique=true, nullable=false) private String oldsessionid; + + //@ManyToOne(fetch=FetchType.LAZY) + @ManyToOne(fetch=FetchType.LAZY) + @JoinColumn(name = "moasession") + private AuthenticatedSessionStore moasession; - public int getId() { + public long getIdOldSSOSession() { return idOldSSOSession; } - public void setId(int id) { - this.idOldSSOSession = id; - } - - public AuthenticatedSessionStore getSsoidentifier() { - return ssoidentifier; - } - - public void setSsoidentifier(AuthenticatedSessionStore ssoidentifier) { - this.ssoidentifier = ssoidentifier; + public void setIdOldSSOSession(long idOldSSOSession) { + this.idOldSSOSession = idOldSSOSession; } public String getOldsessionid() { @@ -63,11 +57,13 @@ public class OldSSOSessionIDStore implements Serializable{ this.oldsessionid = oldsessionid; } - public String getSessionid() { - return oldsessionid; + public AuthenticatedSessionStore getMoasession() { + return moasession; } - public void setSessionid(String oldsessionid) { - this.oldsessionid = oldsessionid; + public void setMoasession(AuthenticatedSessionStore moasession) { + this.moasession = moasession; } + + } |