binding support enhanced

git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@731 d688527b-c9ab-4aba-bd8d-4036d912da1d
author: peter.danner <peter.danner@d688527b-c9ab-4aba-bd8d-4036d912da1d> 2006-11-29 20:57:05 +0000
committer: peter.danner <peter.danner@d688527b-c9ab-4aba-bd8d-4036d912da1d> 2006-11-29 20:57:05 +0000
commit: 9aed84d1b240ccb6c8e460c04dbeeca66d979dc9 (patch)
tree: 50cbec7775f9c937fea596913eefd7fb50ea9919
parent: da960913a9e47c5f0d24dab0f1a1a001aa886e95 (diff)
download: moa-id-spss-9aed84d1b240ccb6c8e460c04dbeeca66d979dc9.tar.gz
moa-id-spss-9aed84d1b240ccb6c8e460c04dbeeca66d979dc9.tar.bz2
moa-id-spss-9aed84d1b240ccb6c8e460c04dbeeca66d979dc9.zip
1 files changed, 71 insertions, 12 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java b/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java
index ff0f3a171..3d5220419 100644
--- a/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java
+++ b/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java
@@ -64,6 +64,8 @@ public class ProxyServlet extends HttpServlet {
   /** Name of the Parameter for the SAMLArtifact */  
   private static final String PARAM_SAMLARTIFACT = "SAMLArtifact";
 
+  /** Name of the Attribute for marking the session as authenticated*/  
+  private static final String ATT_AUTHDATAFETCHED = "AuthDataFetched";
   /** Name of the Attribute for the PublicURLPrefix */  
   private static final String ATT_PUBLIC_URLPREFIX = "PublicURLPrefix";
   /** Name of the Attribute for the RealURLPrefix */  
@@ -174,7 +176,8 @@ public class ProxyServlet extends HttpServlet {
 	    } catch (ProxyException ex) {
 				throw new ProxyException("proxy.14", new Object[] {ex.getMessage()}, ex);
 	    }
-	
+	    session.setAttribute(ATT_AUTHDATAFETCHED, "true");
+	    
 	    // read configuration data
 	    ProxyConfigurationProvider proxyConf = ProxyConfigurationProvider.getInstance();
 	    OAProxyParameter oaParam = proxyConf.getOnlineApplicationParameter(urlRequested);
@@ -351,6 +354,7 @@ public class ProxyServlet extends HttpServlet {
 private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map loginHeaders, Map loginParameters, String publicURLPrefix, String realURLPrefix, SSLSocketFactory ssf, String binding)
   throws IOException {
 
+  String originBinding = binding;
   String browserUserID = "";
   String browserPassword = "";
   //URL url = new URL(realURLPrefix); 
@@ -371,10 +375,12 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
 		String plaintextcredentials = new String(bplaintextcredentials);
 		browserUserID = plaintextcredentials.substring(0,plaintextcredentials.indexOf(":"));
 		browserPassword = plaintextcredentials.substring(plaintextcredentials.indexOf(":")+1);
-		//Logger.debug("Analyzing authorization-header from browser: " + headerKeyValue + "gives UN:PW=" + browserUserID + ":" + browserPassword );
+		//deactivate following line for security
+		//if (INTERNAL_DEBUG) Logger.debug("Analyzing authorization-header from browser: " + headerKeyValue + "gives UN:PW=" + browserUserID + ":" + browserPassword );
       }
       if (headerKeyValue.substring(0,9).equalsIgnoreCase("Negotiate")) {
-		//Logger.debug("Analyzing authorization-header from browser: Found NTLM Aut.: " + headerKeyValue + "gives UN:PW=" + browserUserID + ":" + browserPassword );
+  		//deactivate following line for security
+		//if (INTERNAL_DEBUG) Logger.debug("Analyzing authorization-header from browser: Found NTLM Aut.: " + headerKeyValue + "gives UN:PW=" + browserUserID + ":" + browserPassword );
       }
     }
     else 
@@ -390,10 +396,46 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
     }
   }
 
+ 
   // collect login headers, possibly overwriting headers from request
   String authorizationvalue="";
   if (req.getSession().getAttribute(ATT_OA_AUTHORIZATION_HEADER)==null) {
 
+	if (OAConfiguration.BINDUNG_NOMATCH.equals(binding)) {
+	    int loginTry = getLoginTry(req);
+        Logger.debug("Binding: mode = " + OAConfiguration.BINDUNG_NOMATCH + "(try #" + Integer.toString(loginTry) + ")");
+		if (loginTry==1) {
+			binding = OAConfiguration.BINDUNG_FULL;
+		} else {
+			binding = OAConfiguration.BINDUNG_USERNAME;
+		}
+	}
+
+	/* Soll auch bei anderen bindings zuerst ein passwort probiert werden können:
+	//if we have the first Login-Try and we have Binding to Username and a predefined Password we try this one first
+    // full binding will be covered by next block
+    if (loginTry==1 && !OAConfiguration.BINDUNG_FULL.equals(binding)) {
+      //1st try: if we have a password, try this one first
+  	  for (Iterator iter = loginHeaders.keySet().iterator(); iter.hasNext();) {
+  	    String headerKey = (String) iter.next();
+  	    String headerKeyValue = (String) loginHeaders.get(headerKey);
+  	    if (isBasicAuthenticationHeader(headerKey, headerKeyValue)) {
+	  	  String credentials = headerKeyValue.substring(6);
+	  	  byte [] bplaintextcredentials = Base64Utils.decode(credentials, true);
+	      String plaintextcredentials = new String(bplaintextcredentials);
+	      String password = plaintextcredentials.substring(plaintextcredentials.indexOf(":")+1);
+	      if (password!=null && !password.equals("")) {
+      	    Logger.debug("Binding: found predefined password. Trying full binding first");
+  		    binding = OAConfiguration.BINDUNG_FULL;
+  		    break;
+      	  }
+  	    }
+  	  }
+    }
+	 */
+	
+
+    
   	//we have a connection with not having logged on
   	if (loginHeaders != null && (browserPassword.length()!=0 || browserUserID.length()!=0 || OAConfiguration.BINDUNG_FULL.equals(binding))) {
 	  for (Iterator iter = loginHeaders.keySet().iterator(); iter.hasNext();) {
@@ -402,7 +444,7 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
 	    //customize loginheaders if necessary
 	    if (isBasicAuthenticationHeader(headerKey, headerKeyValue)) 
 	    {
-    	  if ( OAConfiguration.BINDUNG_FULL.equals(binding)) {
+    	  if (OAConfiguration.BINDUNG_FULL.equals(binding)) {
     	  	  authorizationvalue = headerKeyValue;
 		      Logger.debug("Binding: full binding to user established");
 		  } else {
@@ -480,7 +522,8 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
 	  String uid = plaintextcredentials.substring(0,plaintextcredentials.indexOf(":"));
 	  String pwd = plaintextcredentials.substring(plaintextcredentials.indexOf(":")+1);
       //Sollte AuthorizationInfo vom HTTPClient benutzt werden:  cb.addBasicAuthorization(publicURLPrefix, uid, pwd);
-      //if (Logger.isDebugEnabled()) LogStr = LogStr + "  >UserID:Password< >" + uid + ":" + pwd + "<";
+      //deactivate following line for security
+      //if (INTERNAL_DEBUG && Logger.isDebugEnabled()) LogStr = LogStr + "  >UserID:Password< >" + uid + ":" + pwd + "<";
     }
     conn.setRequestProperty(headerKey, headerValue);
     if (INTERNAL_DEBUG) Logger.debug(LogStr);
@@ -528,13 +571,13 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
   }
   
   // connect
+  if (INTERNAL_DEBUG) Logger.debug("Connect Request");
   conn.connect();
+  if (INTERNAL_DEBUG) Logger.debug("Connect Response");
 
   // check login tries
   if (conn.getResponseCode()==HttpURLConnection.HTTP_UNAUTHORIZED) {
-    String oa_loginTry = (String) req.getSession().getAttribute(ATT_OA_LOGINTRY);
-    int loginTry = 1;
-    if (oa_loginTry!=null) loginTry = Integer.parseInt(oa_loginTry)+1;
+    int loginTry = getLoginTry(req);
     req.getSession().setAttribute(ATT_OA_LOGINTRY, Integer.toString(loginTry));
     if (loginTry > MAX_OA_LOGINTRY) {    
       Logger.debug("Found 401 UNAUTHORIZED, maximum tries exceeded; leaving...");
@@ -545,7 +588,7 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
   
   
   
-  if (conn.getResponseCode()==HttpURLConnection.HTTP_UNAUTHORIZED && OAConfiguration.BINDUNG_FULL.equals(binding)) {    
+  if (conn.getResponseCode()==HttpURLConnection.HTTP_UNAUTHORIZED && OAConfiguration.BINDUNG_FULL.equals(originBinding)) {    
     Logger.debug("Found 401 UNAUTHORIZED, leaving...");
     cb.disconnect(conn);  
     return conn.getResponseCode();       
@@ -578,8 +621,11 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
     // Überschrift im Browser-Passworteingabedialog setzen (sonst ist der reale host eingetragen)
     if (headerKey.equalsIgnoreCase("WWW-Authenticate") && headerValue.startsWith("Basic realm=\"")) {
       headerValue = "Basic realm=\"" + publicURLPrefix + "\"";
-      if (OAConfiguration.BINDUNG_USERNAME.equals(binding)) headerValue = "Basic realm=\"Bitte Passwort eingeben\"";
-      if (OAConfiguration.BINDUNG_NONE.equals(binding)) headerValue = "Basic realm=\"Bitte Benutzername und Passwort eingeben\"";
+      if (OAConfiguration.BINDUNG_USERNAME.equals(originBinding) || OAConfiguration.BINDUNG_NOMATCH.equals(originBinding)) {
+    	  headerValue = "Basic realm=\"Bitte Passwort eingeben\"";
+      } else if (OAConfiguration.BINDUNG_NONE.equals(originBinding)) {
+    	  headerValue = "Basic realm=\"Bitte Benutzername und Passwort eingeben\"";
+      }
     }	
     String respHeader[] = new String[2];
     if ((conn.getResponseCode()==HttpURLConnection.HTTP_UNAUTHORIZED) && headerKey.equalsIgnoreCase("content-length")) {
@@ -590,7 +636,7 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
     respHeader[0]= headerKey;
     respHeader[1]= headerValue;
       
-    if (!(OAConfiguration.BINDUNG_FULL.equals(binding) && OAConfiguration.LOGINTYPE_STATELESS.equals(loginType) && headerKey.equalsIgnoreCase("WWW-Authenticate") && headerValue.startsWith("Basic realm=\""))) { 
+    if (!(OAConfiguration.BINDUNG_FULL.equals(originBinding) && OAConfiguration.LOGINTYPE_STATELESS.equals(loginType) && headerKey.equalsIgnoreCase("WWW-Authenticate") && headerValue.startsWith("Basic realm=\""))) { 
       respHeaders.add(respHeader);
       if (INTERNAL_DEBUG) Logger.debug("Resp header " + headerKey + ": " + headerValue);
     } else {
@@ -680,6 +726,19 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
   
   return conn.getResponseCode();
 }
+
+/**
+ * Gets the current amount of the login try at the online application
+ * 
+ * @param req the HttpServletRequest
+ * @return the number off the current login try
+ */
+private int getLoginTry(HttpServletRequest req) {
+	String oa_loginTry = (String) req.getSession().getAttribute(ATT_OA_LOGINTRY);
+	int loginTry = 1;
+	if (oa_loginTry!=null) loginTry = Integer.parseInt(oa_loginTry)+1;
+	return loginTry;
+}
 /**
  * Determines whether a HTTP header is a basic authentication header of the kind "Authorization: Basic ..."
  *
author	peter.danner <peter.danner@d688527b-c9ab-4aba-bd8d-4036d912da1d>	2006-11-29 20:57:05 +0000
committer	peter.danner <peter.danner@d688527b-c9ab-4aba-bd8d-4036d912da1d>	2006-11-29 20:57:05 +0000
commit	9aed84d1b240ccb6c8e460c04dbeeca66d979dc9 (patch)
tree	50cbec7775f9c937fea596913eefd7fb50ea9919
parent	da960913a9e47c5f0d24dab0f1a1a001aa886e95 (diff)
download	moa-id-spss-9aed84d1b240ccb6c8e460c04dbeeca66d979dc9.tar.gz moa-id-spss-9aed84d1b240ccb6c8e460c04dbeeca66d979dc9.tar.bz2 moa-id-spss-9aed84d1b240ccb6c8e460c04dbeeca66d979dc9.zip