diff options
| author | kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d> | 2012-02-09 21:11:31 +0000 |
|---|---|---|
| committer | kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d> | 2012-02-09 21:11:31 +0000 |
| commit | 4af2a06ad0d4dc021277b115d15bbeeede3c23b7 (patch) | |
| tree | 3deede68bee4e609ebaef22d92a96fb8f650afcc | |
| parent | 453bd7f12223fe4e58049bb8f2f40d80d80bccd7 (diff) | |
| download | moa-id-spss-4af2a06ad0d4dc021277b115d15bbeeede3c23b7.tar.gz moa-id-spss-4af2a06ad0d4dc021277b115d15bbeeede3c23b7.tar.bz2 moa-id-spss-4af2a06ad0d4dc021277b115d15bbeeede3c23b7.zip | |
Update MOA-SPSS-Konfig Schema (Blacklists)
MOASecurityManager für Blacklists
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1236 d688527b-c9ab-4aba-bd8d-4036d912da1d
16 files changed, 776 insertions, 138 deletions
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/Constants.java b/common/src/main/java/at/gv/egovernment/moa/util/Constants.java index ed76c4ac7..769b651f9 100644 --- a/common/src/main/java/at/gv/egovernment/moa/util/Constants.java +++ b/common/src/main/java/at/gv/egovernment/moa/util/Constants.java @@ -101,7 +101,7 @@ public interface Constants { /** Local location of the MOA configuration XML schema definition. */ public static final String MOA_CONFIG_SCHEMA_LOCATION = - SCHEMA_ROOT + "MOA-SPSS-config-1.4.7.xsd"; + SCHEMA_ROOT + "MOA-SPSS-config-1.5.1.xsd"; /** Local location of the MOA ID configuration XML schema definition. */ public static final String MOA_ID_CONFIG_SCHEMA_LOCATION = diff --git a/common/src/main/resources/resources/schemas/MOA-SPSS-config-1.5.1.xsd b/common/src/main/resources/resources/schemas/MOA-SPSS-config-1.5.1.xsd new file mode 100644 index 000000000..d91f8f46e --- /dev/null +++ b/common/src/main/resources/resources/schemas/MOA-SPSS-config-1.5.1.xsd @@ -0,0 +1,282 @@ +<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ MOA SP/SS 1.5.1 Configuration Schema
+-->
+<xs:schema xmlns:config="http://reference.e-government.gv.at/namespace/moaconfig/20021122#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://reference.e-government.gv.at/namespace/moaconfig/20021122#" elementFormDefault="qualified" attributeFormDefault="unqualified">
+ <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
+ <xs:element name="MOAConfiguration">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Common" minOccurs="0">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="HardwareCryptoModule" minOccurs="0" maxOccurs="unbounded">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Name" type="xs:string"/>
+ <xs:element name="SlotId" type="xs:string" minOccurs="0"/>
+ <xs:element name="UserPIN" type="xs:string"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="PermitExternalUris" minOccurs="0">
+ <xs:complexType>
+ <xs:sequence minOccurs="0" maxOccurs="unbounded">
+ <xs:element name="BlackListUri">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Host" type="xs:anyURI"/>
+ <xs:element name="Port" type="xs:int" minOccurs="0"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="SignatureCreation" minOccurs="0">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="KeyModules">
+ <xs:complexType>
+ <xs:choice maxOccurs="unbounded">
+ <xs:element name="HardwareKeyModule">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Id" type="xs:token"/>
+ <xs:element name="Name" type="xs:string"/>
+ <xs:element name="SlotId" type="xs:string" minOccurs="0"/>
+ <xs:element name="UserPIN" type="xs:string"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="SoftwareKeyModule">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Id" type="xs:token"/>
+ <xs:element name="FileName" type="xs:string"/>
+ <xs:element name="Password" type="xs:string" minOccurs="0"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:choice>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="KeyGroup" maxOccurs="unbounded">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Id" type="xs:token"/>
+ <xs:sequence maxOccurs="unbounded">
+ <xs:element name="Key">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="KeyModuleId" type="xs:token"/>
+ <xs:element name="KeyCertIssuerSerial" type="dsig:X509IssuerSerialType"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="KeyGroupMapping" maxOccurs="unbounded">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="CustomerId" type="dsig:X509IssuerSerialType" minOccurs="0"/>
+ <xs:element name="KeyGroupId" type="xs:token" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="XMLDSig">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="CanonicalizationAlgorithm" type="xs:anyURI" minOccurs="0"/>
+ <xs:element name="DigestMethodAlgorithm" type="xs:anyURI" minOccurs="0"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="CreateTransformsInfoProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/>
+ <xs:element name="CreateSignatureEnvironmentProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="SignatureVerification" minOccurs="0">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="CertificateValidation">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="PathConstruction">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="AutoAddCertificates" type="xs:boolean"/>
+ <xs:element name="UseAuthorityInformationAccess" type="xs:boolean"/>
+ <xs:element name="CertificateStore">
+ <xs:complexType>
+ <xs:choice>
+ <xs:element name="DirectoryStore">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Location" type="xs:token"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:choice>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="PathValidation">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="ChainingMode">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="DefaultMode" type="config:ChainingModeType"/>
+ <xs:element name="TrustAnchor" minOccurs="0" maxOccurs="unbounded">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Identification" type="dsig:X509IssuerSerialType"/>
+ <xs:element name="Mode" type="config:ChainingModeType"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="TrustProfile" maxOccurs="unbounded">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Id" type="xs:token"/>
+ <xs:element name="TrustAnchorsLocation" type="xs:anyURI"/>
+ <xs:element name="SignerCertsLocation" type="xs:anyURI" minOccurs="0"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="RevocationChecking">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="EnableChecking" type="xs:boolean"/>
+ <xs:element name="MaxRevocationAge" type="xs:integer"/>
+ <xs:element name="ServiceOrder" minOccurs="0">
+ <xs:complexType>
+ <xs:sequence maxOccurs="2">
+ <xs:element name="Service">
+ <xs:simpleType>
+ <xs:restriction base="xs:token">
+ <xs:enumeration value="OCSP"/>
+ <xs:enumeration value="CRL"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="Archiving">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="EnableArchiving" type="xs:boolean"/>
+ <xs:element name="ArchiveDuration" type="xs:nonNegativeInteger" minOccurs="0"/>
+ <xs:element name="Archive" minOccurs="0">
+ <xs:complexType>
+ <xs:choice>
+ <xs:element name="DatabaseArchive">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="JDBCURL" type="xs:anyURI"/>
+ <xs:element name="JDBCDriverClassName" type="xs:token"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:choice>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="DistributionPoint" minOccurs="0" maxOccurs="unbounded">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="CAIssuerDN" type="xs:token"/>
+ <xs:choice maxOccurs="unbounded">
+ <xs:element name="CRLDP">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Location" type="xs:anyURI"/>
+ <xs:element name="ReasonCode" minOccurs="0" maxOccurs="unbounded">
+ <xs:simpleType>
+ <xs:restriction base="xs:token">
+ <xs:enumeration value="unused"/>
+ <xs:enumeration value="keyCompromise"/>
+ <xs:enumeration value="cACompromise"/>
+ <xs:enumeration value="affiliationChanged"/>
+ <xs:enumeration value="superseded"/>
+ <xs:enumeration value="cessationOfOperation"/>
+ <xs:enumeration value="certificateHold"/>
+ <xs:enumeration value="privilegeWithdrawn"/>
+ <xs:enumeration value="aACompromise"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="OCSPDP">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="Location" type="xs:anyURI"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:choice>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="CrlRetentionIntervals" minOccurs="0">
+ <xs:complexType>
+ <xs:sequence maxOccurs="unbounded">
+ <xs:element name="CA">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="X509IssuerName" type="xs:string"/>
+ <xs:element name="Interval" type="xs:integer"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="VerifyTransformsInfoProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/>
+ <xs:element name="SupplementProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/>
+ <xs:element name="PermitFileURIs" type="xs:boolean" default="false" minOccurs="0"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:simpleType name="ChainingModeType">
+ <xs:restriction base="xs:string">
+ <xs:enumeration value="chaining"/>
+ <xs:enumeration value="pkix"/>
+ </xs:restriction>
+ </xs:simpleType>
+ <xs:complexType name="ProfileType">
+ <xs:sequence>
+ <xs:element name="Id" type="xs:token"/>
+ <xs:element name="Location" type="xs:anyURI"/>
+ </xs:sequence>
+ </xs:complexType>
+</xs:schema>
diff --git a/id/server/auth/src/main/webapp/iframeHandyBKU.html b/id/server/auth/src/main/webapp/iframeHandyBKU.html index 0f6e1e282..a7e541b85 100644 --- a/id/server/auth/src/main/webapp/iframeHandyBKU.html +++ b/id/server/auth/src/main/webapp/iframeHandyBKU.html @@ -8,11 +8,13 @@ <script type="text/javascript">
// [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an
// z.B.: https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at
- var MOA_ID_STARTAUTHENTICATION = "[MOA_ID_STARTAUTHENTICATION]";
+ // var MOA_ID_STARTAUTHENTICATION = "[MOA_ID_STARTAUTHENTICATION]";
+ var MOA_ID_STARTAUTHENTICATION = "https://localhost:8443/moa-id-auth/StartAuthentication?Target=ZU&OA=https://localhost:8443/TestMOAID_OA/LoginServletExample";
// [MUSS] Geben Sie hier die URL zum MOA-ID Template fuer die Handy Signatur an -->
<!-- z.B.: value="https://yoururl.at/moa-id-auth/template_handyBKU.html"-->
- var URL_TO_HANDYSIGNATUR_TEMPLATE = "[URL_TO_HANDYSIGNATUR_TEMPLATE]";
+ //var URL_TO_HANDYSIGNATUR_TEMPLATE = "[URL_TO_HANDYSIGNATUR_TEMPLATE]";
+ var URL_TO_HANDYSIGNATUR_TEMPLATE = "https://localhost:8443/moa-id-auth/template_handyBKU.html";
window.onload=function() {
@@ -45,13 +47,17 @@ </script>
</head>
- <body>
- Bitte warten...
- <form name="moaidform" method="post" id="moaidform">
+ <body>
+
+ Bitte warten...
+
+ <FORM name="moaidform" method="post" id="moaidform">
<input type="hidden" name="Template" id="Template">
<input type="hidden" name="bkuURI" value="https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx">
<input type="hidden" name="useMandate" id="useMandate">
- </form>
+ </FORM>
+
+
<hr>
</body>
</html>
\ No newline at end of file diff --git a/id/server/auth/src/main/webapp/iframeOnlineBKU.html b/id/server/auth/src/main/webapp/iframeOnlineBKU.html index a039005e0..bb69bb5d6 100644 --- a/id/server/auth/src/main/webapp/iframeOnlineBKU.html +++ b/id/server/auth/src/main/webapp/iframeOnlineBKU.html @@ -8,16 +8,20 @@ <script type="text/javascript">
// [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an
// z.B.: https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at
- var MOA_ID_STARTAUTHENTICATION = "[MOA_ID_STARTAUTHENTICATION]";
+ // var MOA_ID_STARTAUTHENTICATION = "[MOA_ID_STARTAUTHENTICATION]";
+ var MOA_ID_STARTAUTHENTICATION = "https://localhost:8443/moa-id-auth/StartAuthentication?Target=ZU&OA=https://localhost:8443/TestMOAID_OA/LoginServletExample&sourceID=ABC123-_ABC123";
+ //var MOA_ID_STARTAUTHENTICATION = "https://localhost:8443/moa-id-auth/StartAuthentication?Target=ZU&OA=https://localhost:8443/TestMOAID_OA/LoginServletExample";
// [MUSS] Geben Sie hier die URL zum MOA-ID Template fuer die Online BKU an
// z.B.: "https://yoururl.at/moa-id-auth/template_onlineBKU.html"
- var URL_TO_ONLINEBKU_TEMPLATE = "[URL_TO_ONLINEBKU_TEMPLATE]";
-
+ //var URL_TO_ONLINEBKU_TEMPLATE = "[URL_TO_ONLINEBKU_TEMPLATE]";
+ var URL_TO_ONLINEBKU_TEMPLATE = "https://localhost:8443/moa-id-auth/template_onlineBKU.html";
+
// [MUSS] Geben Sie hier die URL zur Online BKU an
// z.B.: value="https://yoururl.at/bkuonline/https-security-layer-request"
// Hinweis: Diese URL muss auch bei den vertrauenswürdigen BKUs in der MOA-ID Konfiguration angegeben werden (siehe Element MOA-IDConfiguration/TrustedBKUs/BKUURL)
- var URL_TO_ONLINEBKU = "[URL_TO_ONLINEBKU]";
+ //var URL_TO_ONLINEBKU = "[URL_TO_ONLINEBKU]";
+ var URL_TO_ONLINEBKU = "https://localhost:8444/bkuonline/https-security-layer-request";
window.onload=function() {
document.getElementById('moaidform').action = MOA_ID_STARTAUTHENTICATION;
@@ -48,12 +52,14 @@ </script>
</head>
<body>
- Bitte warten...
+ Bitte warten...
+
<form method="POST" name="moaidform" id="moaidform">
<input type="hidden" name="Template" id="Template">
<input type="hidden" name="bkuURI" id="bkuURI">
<input type="hidden" name="useMandate" id="useMandate">
- </form>
+ </form>
+
<hr>
</body>
</html>
\ No newline at end of file diff --git a/id/server/auth/src/main/webapp/index.html b/id/server/auth/src/main/webapp/index.html index 533f2830a..d78f01f2a 100644 --- a/id/server/auth/src/main/webapp/index.html +++ b/id/server/auth/src/main/webapp/index.html @@ -11,11 +11,13 @@ <script type="text/javascript">
// [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an
// z.B.: https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at
- var MOA_ID_STARTAUTHENTICATION = "[MOA_ID_STARTAUTHENTICATION]";
+ // var MOA_ID_STARTAUTHENTICATION = "[MOA_ID_STARTAUTHENTICATION]";
+ var MOA_ID_STARTAUTHENTICATION = "https://localhost:8443/moa-id-auth/StartAuthentication?Target=ZU&OA=https://localhost:8443/TestMOAID_OA/LoginServletExample";
// [MUSS] Geben Sie hier die URL zum MOA-ID Template fuer die lokale BKU an
// z.B.: https://yoururl.at/moa-id-auth/template_localBKU.html
- var URL_TO_LOKALBKU_TEMPLATE = "[URL_TO_LOKALBKU_TEMPLATE]";
+ //var URL_TO_LOKALBKU_TEMPLATE = "[URL_TO_LOKALBKU_TEMPLATE]";
+ var URL_TO_LOKALBKU_TEMPLATE = "https://localhost:8443/moa-id-auth/template_localBKU.html";
window.onload=function() {
@@ -95,9 +97,15 @@ <!-- [OPTIONAL] Aendern Sie hier die Titelueberschrift der Seite) -->
<div id="bannerleft">
<h1>MOA-Template zur Bürgerkartenauswahl (Musterseite)</h1>
- </div>
+ <!-- Meldung im Browser, wenn JavaScript nicht aktiviert -->
+ <noscript>
+ <p>
+ Bitte aktivieren Sie JavaScript.
+ </p>
+ </noscript>
+ </div>
<!-- [OPTIONAL] Aendern Sie hier das Logo der Seite (und Alternativtext fuer das Bild) -->
- <div id="bannerright">
+ <div id="bannerright">
<img src="img/logo.jpg" alt="Logo">
</div>
</div>
@@ -107,70 +115,21 @@ Login mit Bürgerkarte
</h2>
<div id="bkulogin" class="hell">
- <!-- No-Script Variante, wenn im Browser JavaScript deaktiviert ist -->
- <!-- Defaulteinstellung: No-Script Variante mit Anmeldung via lokaler BKU oder Handysignatur ohne Vollmacht -->
- <noscript>
- Kein JavaScript aktiviert!
-
- <!-- [OPTIONAL] kommentieren sie folgende entsprechenden Blöcke aus, wenn Sie keine No-Script Variante anbieten möchten oder nur bestimmte BKU/Vollmachten Varianten anzeigen möchten -->
-
- <!-- Block "KARTE": Anmeldung mit lokaler BKU *ohne* Vollmacht (No-Script Variante) -->
- <!-- [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an (inkl. Template-URL, bkuURI und useMandate Parameter!) -->
- <!-- z.B.: https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at&Template=https://yoururl.at/moa-id-auth/template_localBKU.html&bkuURI=https://127.0.0.1:3496/https-security-layer-request&useMandate=false -->
- <a href="[MOA_ID_STARTAUTHENTICATION]&Template=[URL_TO_LOKALBKU_TEMPLATE]&bkuURI=https://127.0.0.1:3496/https-security-layer-request&useMandate=false">
- <div id="bkukarte" class="hell">
- <button name="bkuButton" type="button">KARTE</button>
- </div>
- </a>
-
- <!-- Block "KARTE+Vollmacht": Anmeldung mit lokaler BKU *mit* Vollmacht (No-Script Variante) -->
- <!-- [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an (inkl. Template-URL, bkuURI und useMandate Parameter!) -->
- <!-- z.B.: https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at&Template=https://yoururl.at/moa-id-auth/template_localBKU.html&bkuURI=https://127.0.0.1:3496/https-security-layer-request&useMandate=true -->
- <!-- <a href="[MOA_ID_STARTAUTHENTICATION]&Template=[URL_TO_LOKALBKU_TEMPLATE]&bkuURI=https://127.0.0.1:3496/https-security-layer-request&useMandate=true">
- <div id="bkukarte" class="hell">
- <button name="bkuButton" type="button">KARTE+<br>Vollmacht</button>
- </div>
- </a> -->
-
-
- <!-- Block "HANDY": Anmeldung mit Handysignatur *ohne* Vollmacht (No-Script Variante) -->
- <!-- [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an (inkl. Template-URL, bkuURI und useMandate Parameter!) -->
- <!-- z.B.: https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at&Template=https://yoururl.at/moa-id-auth/template_handyBKU.html&bkuURI=https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx&useMandate=false -->
- <a href="[MOA_ID_STARTAUTHENTICATION]&Template=[URL_TO_HANDYSIGNATUR_TEMPLATE]&bkuURI=https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx&useMandate=false">
- <div id="bkuhandy" class="hell">
- <button name="bkuButton" type="button">HANDY</button>
- </div>
- </a>
+ <!-- [OPTIONAL] Um die Online BKU auszublenden, kommentieren sie das folgende div (bkukarte) aus -->
+ <div id="bkukarte" class="hell">
+ <button name="bkuButton" type="button" onClick="bkuOnlineClicked();">KARTE</button>
+ </div>
+ <!-- [OPTIONAL] Um die Mobile BKU auszublenden, kommentieren sie das folgende div (bkukhandy) aus -->
+ <div id="bkuhandy" class="hell">
+ <button name="bkuButton" type="button" onClick="bkuHandyClicked();">HANDY</button>
+ </div>
- <!-- Block "HANDY+Vollnacht": Anmeldung mit Handysignatur *mit* Vollmacht (No-Script Variante) -->
- <!-- [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an (inkl. Template-URL, bkuURI und useMandate Parameter!) -->
- <!-- z.B.: https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at&Template=https://yoururl.at/moa-id-auth/template_handyBKU.html&bkuURI=https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx&useMandate=true -->
- <!-- <a href="[MOA_ID_STARTAUTHENTICATION]&Template=[URL_TO_HANDYSIGNATUR_TEMPLATE]&bkuURI=https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx&useMandate=true">
- <div id="bkuhandy" class="hell">
- <button name="bkuButton" type="button">HANDY</button>
- </div>
- </a> -->
-
- </noscript>
-
- <script>
- <!-- [OPTIONAL] Um die Online BKU auszublenden, kommentieren sie folgende drei Zeilen aus aus -->
- document.write("<div id=\"bkukarte\" class=\"hell\">");
- document.write("<button name=\"bkuButton\" type=\"button\" onClick=\"bkuOnlineClicked();\">KARTE</button>");
- document.write("</div>");
-
- <!-- [OPTIONAL] Um die Handysignatur auszublenden, kommentieren sie folgende drei Zeilen aus aus -->
- document.write("<div id=\"bkuhandy\" class=\"hell\">");
- document.write("<button name=\"bkuButton\" type=\"button\" onClick=\"bkuHandyClicked();\">HANDY</button>");
- document.write("</div>");
-
- <!-- [OPTIONAL] Um die Anmeldung mit Vollmachten auszublenden, kommentieren Sie folgende fünf Zeilen aus -->
- document.write("<div id=\"mandate\">");
- document.write("<input type=\"checkbox\" name=\"Mandate\" style=\"vertical-align: middle; margin-right: 5px;\" id=\"mandateCheckBox\">");
- document.write("<label>in Vertretung anmelden</label>");
- document.write(" <a href=\"info_mandates.html\" target=\"_blank\" class=\"infobutton\" style=\"color:#FFF\">i</a>");
- document.write("</div> ");
- </script>
+ <!-- [OPTIONAL] Um die Anmeldung mit Vollmachten auszublenden, kommentieren Sie das folgende div (mandate) aus -->
+ <div id="mandate">
+ <input type="checkbox" name="Mandate" style="vertical-align: middle; margin-right: 5px;" id="mandateCheckBox">
+ <label>in Vertretung anmelden</label>
+ <a href="info_mandates.html" target="_blank" class="infobutton" style="color:#FFF">i</a>
+ </div>
</div>
@@ -178,10 +137,14 @@ <div id="localBKU" style="display:none" class="hell">
<hr>
+ <!-- [MUSS] Geben Sie hier die URL zum Aufruf von MOA-ID an -->
+ <!-- z.B.: action="https://yoururl.at/moa-id-auth/StartAuthentication?Target=IT&OA=https://youronlineapplication.at"-->
<form method="post" id="moaidform">
<input type="hidden" name="show" value="false">
+ <!-- [MUSS] Geben Sie hier die URL zum MOA-ID Template fuer die lokale BKU an -->
+ <!-- z.B.: value="https://yoururl.at/moa-id-auth/template_localBKU.html"-->
<input type="hidden" name="Template" id="Template">
- <input type="hidden" name="bkuURI" value="https://127.0.0.1:3496/https-security-layer-request">
+ <input type="hidden" name="bkuURI" value="https://localhost:3496/https-security-layer-request">
<input type="hidden" name="useMandate" id="useMandate">
<input type="submit" size="400" value="Lokale BKU" class="sendButton">
</form>
@@ -197,11 +160,9 @@ <div id="navlist" class="hell">
<ul>
<li>
- <a href="http://www.buergerkarte.at" target="_blank">Bürgerkarte.at</a>
- </li>
+ <a href="http://www.buergerkarte.at" target="_blank">Bürgerkarte.at</a> </li>
<li>
- <a href="http://www.digitales.oesterreich.gv.at/" target="_blank">Digitales Österreich</a>
- </li>
+ <a href="http://www.digitales.oesterreich.gv.at/" target="_blank">Digitales Österreich</a> </li>
<li>
<a href="http://www.a-sit.at/" target="_blank">A-SIT</a>
</li>
@@ -217,7 +178,10 @@ <div id="rightcontent">
<p>
- <a href="http://www.buergerkarte.at/aktivieren.de.php" target="_blank"><img src="img/bk_aktivieren.jpg" border="0" alt="B6uuml;rgerkarte aktivieren" width="210"></a>
+ <a href="http://www.buergerkarte.at/de/aktivieren/online.html" target="_blank"><img src="img/ecard_aktivieren.jpg" border="0" alt="eCard online aktivieren" width="210"></a>
+ </p>
+ <p>
+ <a href="http://www.buergerkarte.at/de/aktivieren/mobil.html" target="_blank"><img src="img/mobilsig_aktivieren.jpg" border="0" alt="Mobile Signatur aktivieren" width="210"></a>
</p>
</div>
diff --git a/id/server/auth/src/main/webapp/info_bk.html b/id/server/auth/src/main/webapp/info_bk.html index 59aea64cb..f15501a80 100644 --- a/id/server/auth/src/main/webapp/info_bk.html +++ b/id/server/auth/src/main/webapp/info_bk.html @@ -42,42 +42,38 @@ </p>
<ul>
<li>
- eine Chipkarte, die für die Verwendung als Bürgerkarte geeignet ist, wie zum Beispiel Ihre e-card, Bankomatkarte oder Signaturkarte von A-Trust
- </li>
+ eine Chipkarte, die für die Verwendung als Bürgerkarte geeignet ist, wie zum Beispiel Ihre e-card, Bankomatkarte oder Signaturkarte von a-trust oder ein Mobiltelefon, das zur Nutzung als Handy BKU (Bürgerkartenumgebung) registriert ist.
+ </li>
<li>
einen Kartenleser mit den dazugehörigen Treibern
</li>
<li>
eine Bürgerkartensoftware (BKU)
</li>
- </ul>
- <p> </p>
- <p>oder</p>
- <ul>
- <li>
- ein Mobiltelefon, das zur Nutzung als Handysignatur registriert ist.
- </li>
</ul>
-<p>
- </p>
-<p>Als Bürgerkartensoftware stehen Ihnen folgende drei Varianten zur Verfügung:
- </p>
+ <p>
+ Als Bürgerkartensoftware stehen folgende drei Varianten zur Verfügung:
+ </p>
<ul>
- <li><i>Lokale BKU</i>: Diese Software wird lokal auf Ihrem Computer installiert. Die Software finden sie unter <a href="http://www.buergerkarte.at/download.de.php" target="_blank">http://www.buergerkarte.at/download.de.php</a>
+ <li><i>Lokale BKU</i>: Diese Software wird lokal auf Ihrem Computer installiert. Die Software finden sie unter <a href="http://www.buergerkarte.at/de/voraussetzungen/software.html" target="_blank">http://www.buergerkarte.at/de/voraussetzungen/software.html</a>
</li>
- <li><i>Online BKU</i>: Mit der Online BKU wird keine lokale Bürgerkartensoftware am PC benötigt. Über JAVA Technologien werden die benötigten Funktionen als Applet im Browser ausgeführt. Einzige Voraussetzung ist eine aktuelle JAVA Version (ab Java 6).
- </li>
- <li><i>Handysignatur</i>: Mit der Handysignatur können Sie sich mittels ihres Mobiltelefons anmelden. Voraussetzung ist eine vorherige Registrierung. Mehr Informationen hierzu finden Sie auf: <a href="https://www.handy-signatur.at/" target="_blank">https://www.handy-signatur.at/</a><br>
- <br>
- <b>Informationen zur Bürgerkarte finden Sie hier:</b>
+ <li><i>Online-BKU</i>: Mit der Online-BKU wird keine lokale Bürgerkartensoftware am PC benötigt. Über JAVA Technologien werden die benötigten Funktionen als Applet im Browser ausgeführt. Einzige Voraussetzung ist eine aktuelle JAVA Version (ab Java 6).
</li>
+ <li><i>Mobile BKU</i>: Mit der mobilen BKU können sie mittels ihres Mobiltelefons. Voraussetzung ist eine vorherige Registrierung. Mehr Informationen hierzu finden Sie auf <a href="http://www.a-trust.at/mobile/" target="_blank">http://www.a-trust.at/mobile/</a><br>
+ <b>Hinweis:</b><br>
+ Wenn das JAVA-Applet nicht funktioniert (bei einer älteren JAVA Version als Java 6 oder bei einem nicht unterstützten Browser), müssen Sie die lokale BKU installieren und dann über die Button "Login mit Bürgerkarte" und "Lokale BKU" einsteigen.
+ </li>
</ul>
+ <p>
+ <br>
+ <b>Informationen zur Bürgerkarte finden Sie hier:</b>
+ </p>
<ul>
- <li>
+ <li>
<a href="http://www.digitales.oesterreich.gv.at" target="_blank">Digitales Österreich</a>: Informationen rund um E-Government
</li>
<li>
- <a href="http://www.buergerkarte.at" target="_blank">Bürgerkarte</a>: Informationen zur Bürgerkarte
+ <a href="http://www.buergerkarte.at" target="_blank">Bürgerkarte</a>: Einfach verständliche Informationen zur Bürgerkarte
</li>
</ul>
<p>
diff --git a/id/server/auth/src/main/webapp/template_handyBKU.html b/id/server/auth/src/main/webapp/template_handyBKU.html index 0ad73a6f3..6ccd295b2 100644 --- a/id/server/auth/src/main/webapp/template_handyBKU.html +++ b/id/server/auth/src/main/webapp/template_handyBKU.html @@ -10,10 +10,9 @@ }
</script>
</head>
- <body onLoad="onAnmeldeSubmit()">
- <form name="CustomizedForm" action="<BKU>" method="post" enctype="multipart/form-data<>">
- Falls Sie nicht automatisch weitergeleitet werden klicken Sie bitte hier:
- <input class="button" type="submit" value="Starte Anmeldung" name="Senden">
+ <body onLoad="onAnmeldeSubmit()">
+ <form name="CustomizedForm" action="<BKU>" method="post" enctype="multipart/form-data<>">
+ <input class="button" type="hidden" value="Starte Authentisierung" name="Senden">
<input type="hidden" name="XMLRequest" value="<XMLRequest>">
<input type="hidden" name="DataURL" value="<DataURL>">
<input type="hidden" name="PushInfobox" value="<PushInfobox>">
diff --git a/id/server/auth/src/main/webapp/template_localBKU.html b/id/server/auth/src/main/webapp/template_localBKU.html index f197d2c5c..e07ba5d52 100644 --- a/id/server/auth/src/main/webapp/template_localBKU.html +++ b/id/server/auth/src/main/webapp/template_localBKU.html @@ -10,10 +10,9 @@ }
</script>
</head>
- <body onLoad="onAnmeldeSubmit()">
+ <body onLoad="onAnmeldeSubmit()">
<form name="CustomizedForm" action="<BKU>" method="post" enctype="multipart/form-data<>">
- Falls Sie nicht automatisch weitergeleitet werden klicken Sie bitte hier:
- <input class="button" type="submit" value="Starte Anmeldung" name="Senden">
+ <input class="button" type="submit" value="Starte Authentisierung" name="Senden">
<input type="hidden" name="XMLRequest" value="<XMLRequest>">
<input type="hidden" name="DataURL" value="<DataURL>">
<input type="hidden" name="PushInfobox" value="<PushInfobox>">
diff --git a/id/server/auth/src/main/webapp/template_onlineBKU.html b/id/server/auth/src/main/webapp/template_onlineBKU.html index 565955538..1bb2ac236 100644 --- a/id/server/auth/src/main/webapp/template_onlineBKU.html +++ b/id/server/auth/src/main/webapp/template_onlineBKU.html @@ -10,10 +10,9 @@ }
</script>
</head>
- <body onLoad="onAnmeldeSubmit()">
+ <body onLoad="onAnmeldeSubmit()">
<form name="CustomizedForm" action="<BKU>" method="post" enctype="multipart/form-data<>">
- Falls Sie nicht automatisch weitergeleitet werden klicken Sie bitte hier:
- <input class="button" type="hidden" value="Starte Anmeldung" name="Senden">
+ <input class="button" type="hidden" value="Starte Authentisierung" name="Senden">
<input type="hidden" name="XMLRequest" value="<XMLRequest>">
<input type="hidden" name="DataURL" value="<DataURL>">
<input type="hidden" name="PushInfobox" value="<PushInfobox>">
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index a68dca65a..b8fa4f412 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -501,16 +501,19 @@ public class AuthenticationServer implements MOAIDAuthConstants { // check if an identity link was found // Errorcode 2911 von Trustdesk BKU (nicht spezifikationskonform (SL1.2)) - CharSequence se = "ErrorCode>2911".substring(0); - boolean b = xmlInfoboxReadResponse.contains(se); - if (b) { // no identity link found + //CharSequence se = "ErrorCode>2911".substring(0); + //boolean b = xmlInfoboxReadResponse.contains(se); + String se = "ErrorCode>2911"; + int b = xmlInfoboxReadResponse.indexOf(se); + if (b!=-1) { // no identity link found Logger.info("Es konnte keine Personenbindung auf der Karte gefunden werden. Versuche Anmeldung als ausländische eID."); return null; } // spezifikationsgemäßer (SL1.2) Errorcode se = "ErrorCode>4002"; - b = xmlInfoboxReadResponse.contains(se); - if (b) { // Unbekannter Infoboxbezeichner + //b = xmlInfoboxReadResponse.contains(se); + b = xmlInfoboxReadResponse.indexOf(se); + if (b!=-1) { // Unbekannter Infoboxbezeichner Logger.info("Unbekannter Infoboxbezeichner. Versuche Anmeldung als ausländische eID."); return null; } @@ -1659,6 +1662,12 @@ public class AuthenticationServer implements MOAIDAuthConstants { Element mandatePerson = tempIdentityLink.getPrPerson(); + try { + System.out.println("MANDATE: " + DOMUtils.serializeNode(mandatePerson)); + } + catch(Exception e) { + e.printStackTrace(); + } String mandateData = null; try { OAAuthParameter oaParam = diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java index 2e20f483c..cb3ed5ad9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java @@ -251,8 +251,8 @@ public class IdentityLinkAssertionParser { String familyname = XPathUtils.getElementValue(assertionElem, PERSON_FAMILY_NAME_XPATH, ""); // replace ' in name with ' - givenname = givenname.replace("'", "'"); - familyname = familyname.replace("'", "'"); + givenname = givenname.replaceAll("'", "'"); + familyname = familyname.replaceAll("'", "'"); identityLink.setGivenName(givenname); identityLink.setFamilyName(familyname); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 49105b306..dfad29e50 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -97,7 +97,7 @@ public class CreateXMLSignatureResponseValidator { throw new ValidateException("validator.32", null); } // replace ' in name with ' - issuer = issuer.replace("'", "'"); + issuer = issuer.replaceAll("'", "'"); String issueInstant = samlAssertion.getAttribute("IssueInstant"); if (!issueInstant.equals(session.getIssueInstant())) { diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerExtended.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerExtended.java new file mode 100644 index 000000000..ab9c01daa --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerExtended.java @@ -0,0 +1,111 @@ +package at.gv.egovernment.moa.spss;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.Iterator;
+import java.util.List;
+
+import at.gv.egovernment.moa.logging.Logger;
+
+
+public class MOASecurityManagerExtended extends SecurityManager {
+
+ private List blacklist;
+ private boolean allowExternalUris;
+
+ public MOASecurityManagerExtended(boolean allowExternalUris, List blacklist) {
+ this.blacklist = blacklist;
+ this.allowExternalUris = allowExternalUris;
+ }
+
+
+ /**
+ * Overwrite checkConnect methods with blacklist check
+ */
+
+ public void checkConnect(String host, int port, Object context) {
+ Logger.debug("checkConnect: " + host + ":" + port);
+ if (!checkURI(host, port))
+ throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
+ else {
+ Logger.debug("Perform checkConnect of given SecurityManager");
+ super.checkConnect(host, port, context);
+ }
+ }
+
+ public void checkConnect(String host, int port) {
+ Logger.debug("checkConnect: " + host + ":" + port);
+ if (!checkURI(host, port))
+ throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
+ else {
+ Logger.debug("Perform checkConnect of given SecurityManager");
+ super.checkConnect(host, port);
+ }
+ }
+
+ private boolean checkURI(String host, int port) {
+ if (allowExternalUris) {
+ Iterator it = blacklist.iterator();
+ while (it.hasNext()) {
+ String[] array = (String[])it.next();
+ String bhost = array[0];
+ String bport = array[1];
+ if (bport == null) {
+ // check only host
+ if (bhost.equalsIgnoreCase(host)) {
+ Logger.debug("Security check: " + host + " blacklisted");
+ return false;
+ }
+ }
+ else {
+ // check host and port
+ int iport = new Integer(bport).intValue();
+ if (bhost.equalsIgnoreCase(host) && (iport == port)) {
+ Logger.debug("Security check: " + host + ":" + port + " blacklisted");
+ return false;
+ }
+
+ }
+ }
+
+ Logger.debug("Security check: " + host + ":" + port + " allowed");
+ return true;
+ }
+ else {
+ String localhost = getLocalhostName();
+ if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) {
+ Logger.debug("Security check: localhost name allowed");
+ return true;
+ }
+
+ Logger.debug("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)");
+ return false;
+ }
+ }
+ private String getLocalhostName() {
+ try {
+ // save current SecurityManager
+ SecurityManager sm = System.getSecurityManager();
+ // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop)
+ System.setSecurityManager(null);
+
+ InetAddress localhostaddress = InetAddress.getLocalHost();
+ String localhost = localhostaddress.getHostName();
+
+ // set previously saved SecurityManager
+ System.setSecurityManager(sm);
+
+ return localhost;
+
+ }
+ catch (UnknownHostException e) {
+ Logger.debug("UnknownHostExeption: Returns \"localhost\" as name for localhost");
+ return "localhost";
+ }
+ }
+
+
+ /**
+ * Don't overwrite other methods
+ */
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerSimple.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerSimple.java new file mode 100644 index 000000000..361a75e4c --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOASecurityManagerSimple.java @@ -0,0 +1,165 @@ +package at.gv.egovernment.moa.spss;
+
+import java.io.FileDescriptor;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.security.Permission;
+import java.util.Iterator;
+import java.util.List;
+
+import at.gv.egovernment.moa.logging.Logger;
+
+public class MOASecurityManagerSimple extends SecurityManager {
+
+ private List blacklist;
+ private boolean allowExternalUris;
+
+
+ public MOASecurityManagerSimple(boolean allowExternalUris, List blacklist) {
+ this.blacklist = blacklist;
+ this.allowExternalUris = allowExternalUris;
+ }
+
+ /**
+ * Overwrite checkConnect methods with blacklist check
+ */
+
+ public void checkConnect(String host, int port, Object context) {
+ //Logger.debug("checkConnect: " + host + ":" + port);
+ if (!checkURI(host, port))
+ throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
+ }
+
+ public void checkConnect(String host, int port) {
+ //Logger.debug("checkConnect: " + host + ":" + port);
+ if (!checkURI(host, port))
+ throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
+ }
+
+ private boolean checkURI(String host, int port) {
+ if (allowExternalUris) {
+ Iterator it = blacklist.iterator();
+ while (it.hasNext()) {
+ String[] array = (String[])it.next();
+ String bhost = array[0];
+ String bport = array[1];
+ if (bport == null) {
+ // check only host
+ if (bhost.equalsIgnoreCase(host)) {
+ //Logger.debug("Security check: " + host + " blacklisted");
+ return false;
+ }
+ }
+ else {
+ // check host and port
+ int iport = new Integer(bport).intValue();
+ if (bhost.equalsIgnoreCase(host) && (iport == port)) {
+ //Logger.debug("Security check: " + host + ":" + port + " blacklisted");
+ return false;
+ }
+
+ }
+ }
+
+ //Logger.debug("Security check: " + host + ":" + port + " allowed");
+ return true;
+ }
+ else {
+ String localhost = getLocalhostName();
+ if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) {
+ //Logger.debug("Security check: localhost name allowed");
+ return true;
+ }
+
+ //Logger.debug("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)");
+ return false;
+ }
+ }
+
+ private String getLocalhostName() {
+ try {
+ // save current SecurityManager
+ SecurityManager sm = System.getSecurityManager();
+ // set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop)
+ System.setSecurityManager(null);
+
+ InetAddress localhostaddress = InetAddress.getLocalHost();
+ String localhost = localhostaddress.getHostName();
+
+ // set previously saved SecurityManager
+ System.setSecurityManager(sm);
+
+ return localhost;
+
+ }
+ catch (UnknownHostException e) {
+ //Logger.debug("UnknownHostExeption: Returns \"localhost\" as name for localhost");
+ return "localhost";
+ }
+ }
+
+
+ /**
+ * Overwrite all other methods by doing nothing (as no SecurityManager is set initially)
+ */
+
+ public void checkAccept(String host, int port) {
+ }
+ public void checkAccess(Thread t) {
+ }
+ public void checkAccess(ThreadGroup g) {
+ }
+ public void checkAwtEventQueueAccess() {
+ }
+ public void checkCreateClassLoader() {
+ }
+ public void checkDelete(String file) {
+ }
+ public void checkExec(String cmd) {
+ }
+ public void checkExit(int status) {
+ }
+ public void checkLink(String lib) {
+ }
+ public void checkListen(int port) {
+ }
+ public void checkMemberAccess(Class arg0, int arg1) {
+ }
+ public void checkMulticast(InetAddress maddr, byte ttl) {
+ }
+ public void checkMulticast(InetAddress maddr) {
+ }
+ public void checkPackageAccess(String pkg) {
+ }
+ public void checkPackageDefinition(String pkg) {
+ }
+ public void checkPermission(Permission perm, Object context) {
+ }
+ public void checkPermission(Permission perm) {
+ }
+ public void checkPrintJobAccess() {
+ }
+ public void checkPropertiesAccess() {
+ }
+ public void checkPropertyAccess(String key) {
+ }
+ public void checkRead(FileDescriptor fd) {
+ }
+ public void checkRead(String file, Object context) {
+ }
+ public void checkRead(String file) {
+ }
+ public void checkSecurityAccess(String target) {
+ }
+ public void checkSetFactory() {
+ }
+ public void checkSystemClipboardAccess() {
+ }
+ public void checkWrite(FileDescriptor fd) {
+ }
+ public void checkWrite(String file) {
+ }
+
+
+
+}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 9078ecbfa..abc781303 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -24,6 +24,14 @@ package at.gv.egovernment.moa.spss.server.config; +import iaik.asn1.structures.Name; +import iaik.ixsil.exceptions.URIException; +import iaik.ixsil.util.URI; +import iaik.pki.pathvalidation.ChainingModes; +import iaik.pki.revocation.RevocationSourceTypes; +import iaik.utils.RFC2253NameParser; +import iaik.utils.RFC2253NameParserException; + import java.io.File; import java.io.FileInputStream; import java.io.IOException; @@ -45,25 +53,15 @@ import javax.xml.parsers.ParserConfigurationException; import org.w3c.dom.Attr; import org.w3c.dom.Element; import org.w3c.dom.traversal.NodeIterator; - import org.xml.sax.SAXException; -import iaik.asn1.structures.Name; -import iaik.ixsil.exceptions.URIException; -import iaik.ixsil.util.URI; -import iaik.pki.pathvalidation.ChainingModes; -import iaik.pki.revocation.RevocationSourceTypes; -import iaik.utils.RFC2253NameParser; -import iaik.utils.RFC2253NameParserException; - import at.gv.egovernment.moa.logging.LogMsg; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.XPathUtils; -import at.gv.egovernment.moa.spss.util.MessageProvider; - /** * A class that builds configuration data from a DOM based representation. * @@ -103,6 +101,14 @@ public class ConfigurationPartsBuilder { private static final String HARDWARE_CRYPTO_MODULE_XPATH = ROOT + CONF + "Common/" + CONF + "HardwareCryptoModule"; + private static final String PERMIT_EXTERNAL_URIS_XPATH = + ROOT + CONF + "Common/" + + CONF + "PermitExternalUris"; + private static final String BLACK_LIST_URIS_XPATH = + ROOT + CONF + "Common/" + + CONF + "PermitExternalUris/" + + CONF + "BlackListUri"; + private static final String HARDWARE_KEY_XPATH = ROOT + CONF + "SignatureCreation/" + CONF + "KeyModules/" @@ -370,6 +376,52 @@ public class ConfigurationPartsBuilder { return modules; } + + /** + * + * @return + */ + public boolean allowExternalUris() { + Element permitExtUris = (Element)XPathUtils.selectSingleNode(getConfigElem(), PERMIT_EXTERNAL_URIS_XPATH); + + // if PermitExternalUris element does not exist - don't allow external uris + if (permitExtUris == null) + return false; + else + return true; + + } + + /** + * + * @return + */ + public List buildPermitExternalUris() { + if (!allowExternalUris()) + return null; + + List blacklist = new ArrayList(); + + NodeIterator permitExtIter = XPathUtils.selectNodeIterator( + getConfigElem(), + BLACK_LIST_URIS_XPATH); + + Element permitExtElem = null; + while ((permitExtElem = (Element) permitExtIter.nextNode()) != null) { + String host = getElementValue(permitExtElem, CONF + "Host", null); + String port = getElementValue(permitExtElem, CONF + "Port", null); + + //System.out.println("Host:Port = " + host + ":" + port); + + String array[] = new String[2]; + array[0] = host; + array[1] = port; + blacklist.add(array); + + } + + return blacklist; + } /** * Build the configured hardware keys. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 51ddf0811..9e0a7fd53 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -33,7 +33,9 @@ import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.math.BigInteger; +import java.net.InetAddress; import java.net.URL; +import java.net.UnknownHostException; import java.security.Principal; import java.security.cert.X509Certificate; import java.util.ArrayList; @@ -46,6 +48,8 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.logging.LogMsg; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.MOASecurityManagerExtended; +import at.gv.egovernment.moa.spss.MOASecurityManagerSimple; import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moa.util.DOMUtils; @@ -240,6 +244,16 @@ public class ConfigurationProvider private Map crlRetentionIntervals; /** + * Indicates wether external URIs are allowed or not + */ + private boolean allowExternalUris_; + + /** + * A <code>List</code> of black listed URIs (host and port) + */ + private List blackListedUris_; + + /** * Return the single instance of configuration data. * * @return MOAConfigurationProvider The current configuration data. @@ -354,6 +368,13 @@ public class ConfigurationProvider warnings = new ArrayList(builder.getWarnings()); permitFileURIs = builder.getPermitFileURIs(); crlRetentionIntervals = builder.getCrlRetentionIntervals(); + + allowExternalUris_= builder.allowExternalUris(); + + if (allowExternalUris_) + blackListedUris_ = builder.buildPermitExternalUris(); + else + blackListedUris_ = null; // Set set = crlRetentionIntervals.entrySet(); // Iterator i = set.iterator(); @@ -361,8 +382,37 @@ public class ConfigurationProvider // Map.Entry me = (Map.Entry)i.next(); // System.out.println("Key: " + me.getKey() + " - Value: " + me.getValue() ); // } + + + // set SecurityManager for permitting/disallowing external URIs + SecurityManager sm = System.getSecurityManager(); + if (sm == null) { + // no security manager exists - create a new one + //Logger.debug(new LogMsg("Create new MOASecurityManagerSimple")); + sm = new MOASecurityManagerSimple(allowExternalUris_, blackListedUris_); + + + //Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple")); + System.setSecurityManager(sm); + + } + else { + String classname = sm.getClass().getName(); + if (!classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.MOASecurityManagerSimple") && + !classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.MOASecurityManagerExtended")) { + // if SecurityManager is not already a MOASecurityManager + + // Logger.debug(new LogMsg("Create new MOASecurityManagerExtended (including existing SecurityManager)")); + sm = new MOASecurityManagerExtended(allowExternalUris_, blackListedUris_); + + //Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple")); + System.setSecurityManager(sm); + } + //Logger.debug(new LogMsg("No new MOASecurityManager instantiated")); + } + } catch (Throwable t) { throw new ConfigurationException("config.11", null, t); } finally { @@ -637,8 +687,8 @@ public class ConfigurationProvider MessageProvider msg = MessageProvider.getInstance(); Logger.info(new LogMsg(msg.getMessage(messageId, parameters))); } - - /** + + /** * Log a warning. * * @param messageId The message ID. |