add specific AuthBlock validation logging

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2018-03-12 13:35:46 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2018-03-12 14:16:17 +0100
commit: b4c009b6d64cc17974e5917c10f92dbe987d826e (patch)
tree: 46e3777b7d62ac2d96110d6428d82706d1720345
parent: a30826d08c748daaf3d6cdc2329f985852822f54 (diff)
download: moa-id-spss-b4c009b6d64cc17974e5917c10f92dbe987d826e.tar.gz
moa-id-spss-b4c009b6d64cc17974e5917c10f92dbe987d826e.tar.bz2
moa-id-spss-b4c009b6d64cc17974e5917c10f92dbe987d826e.zip
6 files changed, 571 insertions, 502 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 99b4154e0..59bd3893d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -50,11 +50,14 @@ import java.io.IOException;
 import java.io.Serializable;
 import java.security.PrivateKey;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Map.Entry;
 import java.util.Set;
 
 import org.apache.commons.lang.SerializationUtils;
@@ -925,4 +928,11 @@ public boolean isUseAuthBlockTestTestStore() {
 		return false;	
 }
 
+public String toString() {
+	if (oaConfiguration != null)
+		return Arrays.asList(oaConfiguration).toString();
+	
+	return "Object not initialized";
+}
+
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/logging/SpecificTraceLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/logging/SpecificTraceLogger.java
new file mode 100644
index 000000000..c12021f2c
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/logging/SpecificTraceLogger.java
@@ -0,0 +1,18 @@
+package at.gv.egovernment.moa.id.logging;
+
+
+import at.gv.egovernment.moa.logging.Logger;
+
+public class SpecificTraceLogger{
+	
+	/**
+	 * Enables Logging on Trace level for single specific parts
+	 * @param message
+	 */
+	public static void trace(Object message) {
+		if (Logger.isTraceEnabled()) {
+			Logger.traceWithOutEscaption(message);
+			
+		}		
+	}	
+}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 05f58d5bc..4205f2175 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -161,7 +161,7 @@ validator.09=Die \u00F6ffentlichen Schl\u00FCssel des Identitiy Link stimmen nic
 validator.10=Anzahl der URLs zur Authentisierungskomponente ung\u00FCltig {0}
 validator.11="Gesch\\u00E4ftsbereich" wurde nicht in den SAML-Attributen gefunden {0}
 validator.12=Der Namespace des SAML-Attributs "Gesch\\u00E4ftsbereich" ist ung\u00FCltig {0}
-validator.13=Das Target des 'Gesch\u00E4ftsbereichs' ist ung\u00FCltig {0}
+validator.13=Das Target des 'Gesch\u00E4ftsbereichs' ist ung\u00FCltig. Authblock: {0} , Config: {1}
 validator.14="OA" wurde nicht in den SAML-Attributen gefunden {0}
 validator.15=Der Namespace des SAML-Attributs "OA" ist ung\u00FCltig {0}
 validator.16=Die vorkonfigurierte URL der OnlineApplikation ist fehlerhaft {0}
@@ -179,7 +179,7 @@ validator.25=Eine formal korrekte Zertifikatskette vom Signatorzertifikat zu ein
 
 validator.26=OA Applikation ist eine Wirtschaftsapplikation, trotzdem ist ein SAML-Attribut "Gesch\u00E4ftsbereich" enthalten 
 validator.27=OA Applikation ist keine Wirtschaftsapplikation, trotzdem ist ein SAML-Attribut "wbPK" enthalten
-validator.28=Fehlerhafter Wert im "wbPK" SAML-Attribut {0}
+validator.28=Fehlerhafter Wert im "wbPK" SAML-Attribut. Authblock: {0} , Config: {1}
 validator.29=Fehler beim Auslesen des "wbPK" SAML-Attributs {0}
 validator.30=Der Namespace des SAML-Attributs "wbPK" ist ung\u00FCltig {0}
 validator.31="wbPK" wurde nicht in den SAML-Attributen gefunden {0}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java
index 9152f2549..197247630 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java
@@ -86,12 +86,16 @@ public class Logger {
    * <p>Mainly introduce because the <code>message</code> might be <code>null</code>. 
    *
    * @param message the message
+   * @param escape if this flag is true than the message get escapted before logging
    * @return the string
    */
-  private static String prepareMessage(Object message) {
+  private static String prepareMessage(Object message, boolean escape) {
       if(null == message)
           return "no message given";
-      return StringEscapeUtils.escapeHtml4(message.toString());
+      if (escape)
+    	  return StringEscapeUtils.escapeHtml4(message.toString());
+      else
+    	  return message.toString();
   }
   
   /**
@@ -124,7 +128,17 @@ public class Logger {
    */
   public static void trace(Object message) {
 		org.slf4j.Logger logger = getLogger();
-		logger.trace(prepareMessage(message));
+		logger.trace(prepareMessage(message, true));
+  }
+  
+  /**
+   * Trace a message.
+   * 
+   * @param message The message to trace.
+   */
+  public static void traceWithOutEscaption(Object message) {
+		org.slf4j.Logger logger = getLogger();
+		logger.trace(prepareMessage(message, false));
   }
   
   /**
@@ -157,7 +171,7 @@ public class Logger {
    */
   public static void debug(Object message) {
 		org.slf4j.Logger logger = getLogger();
-		logger.debug(prepareMessage(message));
+		logger.debug(prepareMessage(message, true));
   }
 
 /**
@@ -167,7 +181,7 @@ public class Logger {
    */
   public static void info(Object message) {
 		org.slf4j.Logger logger = getLogger();
-		logger.info(prepareMessage(message));
+		logger.info(prepareMessage(message, true));
   }
   
   /**
@@ -178,7 +192,7 @@ public class Logger {
    */
   public static void info(String message, Object[] args) {
 		org.slf4j.Logger logger = getLogger();
-		logger.info(prepareMessage(message), args);
+		logger.info(prepareMessage(message, true), args);
 	}
   
   /**
@@ -188,7 +202,7 @@ public class Logger {
    */
   public static void warn(Object message) {
 		org.slf4j.Logger logger = getLogger();
-		logger.warn(prepareMessage(message));
+		logger.warn(prepareMessage(message, true));
   }
 
   /**
@@ -199,7 +213,7 @@ public class Logger {
    */
   public static void warn(Object message, Throwable t) {
 		org.slf4j.Logger logger = getLogger();
-		logger.warn(prepareMessage(message), t);
+		logger.warn(prepareMessage(message, true), t);
   }
   
   /**
@@ -209,7 +223,7 @@ public class Logger {
    */
   public static void error(Object message) {
 		org.slf4j.Logger logger = getLogger();
-		logger.error(prepareMessage(message));
+		logger.error(prepareMessage(message, true));
   }
 
   /**
@@ -220,7 +234,7 @@ public class Logger {
    */
   public static void error(Object message, Throwable t) {
 		org.slf4j.Logger logger = getLogger();
-		logger.error(prepareMessage(message), t);
+		logger.error(prepareMessage(message, true), t);
   }
   
   /**
@@ -231,7 +245,7 @@ public class Logger {
    */
   public static void error(Object message, Object[] variables) {
 		org.slf4j.Logger logger = getLogger();
-	  logger.error(prepareMessage(message), variables);
+	  logger.error(prepareMessage(message, true), variables);
   }
   
   /**
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index f7c3db8d1..7c435d0b0 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -66,6 +66,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Constants;
@@ -445,6 +446,12 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder()
 		.build(authBlock, oaParam.getKeyBoxIdentifier(),
 				transformsInfos);
+		
+		SpecificTraceLogger.trace("Req. Authblock: " + createXMLSignatureRequest);
+		SpecificTraceLogger.trace("OA config: " + pendingReq.getOnlineApplicationConfiguration().toString());
+		SpecificTraceLogger.trace("saml1RequestedTarget: " + pendingReq.getGenericData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class));
+		SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + pendingReq.getGenericData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class));	
+				
 		return createXMLSignatureRequest;
 	}
 
@@ -949,6 +956,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 			throw new ParseException("parser.04", new Object[]{
 					REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}, e);
 		}
+		
 		// validates <CreateXMLSignatureResponse>
 		if (pendingReq.needSingleSignOnFunctionality())
 			new CreateXMLSignatureResponseValidator().validateSSO(csresp, session, pendingReq);
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 827690ebd..8e3ccb01b 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -72,6 +72,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Constants;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -136,7 +137,6 @@ public class CreateXMLSignatureResponseValidator {
    */
   public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq)
    throws ValidateException, BuildException, ConfigurationException {
-      
       // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
     IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
     String oaURL = oaParam.getPublicURLPrefix(); 
@@ -148,283 +148,294 @@ public class CreateXMLSignatureResponseValidator {
 	@Deprecated
 	String saml1RequestedFriendlyName = pendingReq.getGenericData(
 			MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class);
-    
-                
-    Element samlAssertion = createXMLSignatureResponse.getSamlAssertion(); 
-        
-    //validate issuer
-    String issuer = samlAssertion.getAttribute("Issuer");
-    if (issuer == null) {
-      // should not happen, because parser would dedect this
-      throw new ValidateException("validator.32", null);
-    }
-    // replace ' in name with &#39;
-    issuer = issuer.replaceAll("'", "&#39;");    
-    if (!issuer.equals(identityLink.getName()))
-        throw new ValidateException("validator.33", new Object[] {issuer, identityLink.getName()});
-        
-    
-    //validate issuerInstant
-    String issueInstant = samlAssertion.getAttribute("IssueInstant");
-    if (!issueInstant.equals(session.getIssueInstant()))
-    	throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
-    
-    
-    //validate extended attributes            
-    SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
-
-    boolean foundOA = false;
-    boolean foundGB = false;
-    boolean foundWBPK = false;
-    int offset = 0;
-    
-    // check number of SAML attributes
-    List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
-    int extendedSAMLAttributesNum = 0;
-    if (extendedSAMLAttributes != null) {
-    	extendedSAMLAttributesNum = extendedSAMLAttributes.size();
-    }
-    int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum;
-    
-    //remove one attribute from expected attributes if public SP target or wbPK is not part of AuthBlock
-    if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
-    
-    //check number of attributes in AuthBlock response against expected number of attributes 
-    int actualSAMLAttributeNumber = samlAttributes.length;
-    if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
-    	Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + 
-    			expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
-    	throw new ValidateException("validator.36", 
-    		  new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
-    	
-    }
-    
-    //now check every single attribute
-    SAMLAttribute samlAttribute = null;
-    Pair<String, String> userSectorId = null;
-    if (session.getSAMLAttributeGebeORwbpk()) {      
-    	//check the first attribute ("Geschaeftsbereich" or "wbPK")
-    	samlAttribute = samlAttributes[0];
-    	
-    	//calculate bPK or wbPK as reference value for validation    	
-    	if (MiscUtil.isNotEmpty(saml1RequestedTarget))
-    		userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
-    				identityLink.getIdentificationValue(), identityLink.getIdentificationType(), 
-    				saml1RequestedTarget);
-    	else
-    		userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
-    				identityLink.getIdentificationValue(), identityLink.getIdentificationType(), 
-    				oaParam.getAreaSpecificTargetIdentifier());
-    	
-    	//every sector specific identifier that has not 'urn:publicid:gv.at:cdid+' as prefix
-    	// is internally handled as an AuthBlock with wbPK 
-    	if (!userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
-    		if (!samlAttribute.getName().equals("wbPK")) {
-    			if (samlAttribute.getName().equals("Geschaeftsbereich")) {
-    				throw new ValidateException("validator.26", null);
-    				
-    			} else {
-    				throw new ValidateException("validator.37", 
-    						new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
-    			}
-    		}
-    		
-    		if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {          
-    			foundWBPK = true;
-    			try {
-    				Element attrValue = (Element)samlAttribute.getValue();
-    				String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
-    				String type =  ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
-    				if (!value.equals(userSectorId.getFirst()))
-    					throw new ValidateException("validator.28", null); 
-
-    				if (!type.equals(userSectorId.getSecond()))
-    					throw new ValidateException("validator.28", null); 
-    				
-    			} catch (Exception ex) {
-    				throw new ValidateException("validator.29", null);
-    			}
-    			
-    		} else
-    			throw new ValidateException("validator.30", null);
-    		
-    	} else {
-    		if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
-    			if (samlAttribute.getName().equals("wbPK"))
-    				throw new ValidateException("validator.26", null);
-          
-    			else
-    				throw new ValidateException("validator.37", 
-    						new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
-    		}
-    	  
-    		if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {          
-    			foundGB = true;
-          
-    			String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(userSectorId.getSecond());
-    			if (StringUtils.isEmpty(sectorName)) {
-    				if (saml1RequestedFriendlyName != null)
-    					sectorName = saml1RequestedFriendlyName;
-    				else 
-    					sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
-    			}
-    			
-    			String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
-    			if (!refValueSector.equals((String)samlAttribute.getValue()))
-    				throw new ValidateException("validator.13", null);             
-    	  
-    		} else
-    			throw new ValidateException("validator.12", null);
-    	  
-      		}
-    	
-    	} else
-    		//check nothing if wbPK or public SP target is not part of AuthBlock
-    		offset--;
-
-    	// check the second attribute (must be "OA")
-    	samlAttribute = samlAttributes[1 + offset];
-    	if (!samlAttribute.getName().equals("OA"))
-    		throw new ValidateException("validator.37", 
-    				new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
-
-    	if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
-    		foundOA = true;            
-    		if (!oaURL.equals((String)samlAttribute.getValue()))             
-    			throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
-    		
-    	} else
-    		throw new ValidateException("validator.15", null);
-
-      
-    	// check the third attribute (must be "Geburtsdatum")
-    	samlAttribute = samlAttributes[2 + offset];
-    	if (!samlAttribute.getName().equals("Geburtsdatum"))
-    		throw new ValidateException("validator.37", 
-    				new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
-    	
-    	if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
-    		String samlDateOfBirth = (String)samlAttribute.getValue();
-    		String dateOfBirth = identityLink.getDateOfBirth();
-    		if (!samlDateOfBirth.equals(dateOfBirth))
-    			throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
-    		
-    	} else
-    		throw new ValidateException("validator.35", null);
-     
-    	// check four attribute could be a special text
-    	samlAttribute = samlAttributes[3 + offset];
-    	if (!samlAttribute.getName().equals("SpecialText"))
-    		throw new ValidateException("validator.37", 
-    				new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
-   
-    	if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
-    		String samlSpecialText = (String)samlAttribute.getValue();
-    		samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
-      
-    		String text = "";
-    		if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
-    			Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
-    			text = oaParam.getAditionalAuthBlockText();
-    			
-    		}
-            
-    		String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, 
-    				AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
-    						pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
-    		if (!samlSpecialText.equals(specialText))
-    			throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
-    		
-    	} else
-    		throw new ValidateException("validator.35", null);
-      
-        
-    	//check unique AuthBlock tokken
-    	samlAttribute = samlAttributes[4 + offset];
-    	if (!samlAttribute.getName().equals("UniqueTokken"))
-    		throw new ValidateException("validator.37", 
-    				new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
-    	
-    	if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
-    		String uniquetokken = (String)samlAttribute.getValue();
-           
-    		if (!uniquetokken.equals(session.getAuthBlockTokken()))
-    			throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
-    	} else
-    		throw new ValidateException("validator.35", null);
-    
-    	
-    	// now check the extended SAML attributes
-    	int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
-    	if (extendedSAMLAttributes != null) {
-    		Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
-    		while (it.hasNext()) {
-    			ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
-    			samlAttribute = samlAttributes[i];
-    			String actualName = samlAttribute.getName();
-    			String expectedName = extendedSAMLAttribute.getName();
-    			if (!actualName.equals(expectedName))
-    				throw new ValidateException("validator.38", 
-    						new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
-
-    			String actualNamespace = samlAttribute.getNamespace();
-    			String expectedNamespace = extendedSAMLAttribute.getNameSpace();
-    			if (!actualNamespace.equals(expectedNamespace))
-    				throw new ValidateException("validator.38", 
-    						new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
-
-    			Object expectedValue = extendedSAMLAttribute.getValue();
-    			Object actualValue = samlAttribute.getValue();
-    			try {
-    				if (expectedValue instanceof String) {
-    					// replace \r\n because text might be base64-encoded
-    					String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
-    					expValue = StringUtils.replaceAll(expValue,"\n","");
-    					String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
-    					actValue = StringUtils.replaceAll(actValue,"\n","");
-    					if (!expValue.equals(actValue))
-    						throw new ValidateException("validator.38", 
-    								new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
-    					
-    				} else if (expectedValue instanceof Element) {
-    					// only check the name of the element
-    					String actualElementName = ((Element)actualValue).getNodeName();
-    					String expectedElementName = ((Element)expectedValue).getNodeName();
-    					if (!(expectedElementName.equals(actualElementName))) 
-    						throw new ValidateException("validator.38", 
-    								new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
-    					
-    				} else
-    					// should not happen
-    					throw new ValidateException("validator.38", 
-    							new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
-        
-    			} catch (ClassCastException e) {
-    				throw new ValidateException("validator.38", 
-    						new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
-    			}
-    			
-    			i++;
-    		}
-    	}
-        
-    	if (!foundOA) 
-    		throw new ValidateException("validator.14", null);
-    	
-    	if (userSectorId != null && !userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
-    		if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) 
-    			throw new ValidateException("validator.31", null);
-    	
-    	} else {
-    		if (!foundGB && session.getSAMLAttributeGebeORwbpk()) 
-    			throw new ValidateException("validator.11", null);
-    	}
-  
-    	//Check if dsig:Signature exists
-    	Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
-    	if (dsigSignature == null)    
-    		throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
-    	
+	  
+	  try {	                
+	    Element samlAssertion = createXMLSignatureResponse.getSamlAssertion(); 
+	        
+	    //validate issuer
+	    String issuer = samlAssertion.getAttribute("Issuer");
+	    if (issuer == null) {
+	      // should not happen, because parser would dedect this
+	      throw new ValidateException("validator.32", null);
+	    }
+	    // replace ' in name with &#39;
+	    issuer = issuer.replaceAll("'", "&#39;");    
+	    if (!issuer.equals(identityLink.getName()))
+	        throw new ValidateException("validator.33", new Object[] {issuer, identityLink.getName()});
+	        
+	    
+	    //validate issuerInstant
+	    String issueInstant = samlAssertion.getAttribute("IssueInstant");
+	    if (!issueInstant.equals(session.getIssueInstant()))
+	    	throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
+	    
+	    
+	    //validate extended attributes            
+	    SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
+	
+	    boolean foundOA = false;
+	    boolean foundGB = false;
+	    boolean foundWBPK = false;
+	    int offset = 0;
+	    
+	    // check number of SAML attributes
+	    List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+	    int extendedSAMLAttributesNum = 0;
+	    if (extendedSAMLAttributes != null) {
+	    	extendedSAMLAttributesNum = extendedSAMLAttributes.size();
+	    }
+	    int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum;
+	    
+	    //remove one attribute from expected attributes if public SP target or wbPK is not part of AuthBlock
+	    if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
+	    
+	    //check number of attributes in AuthBlock response against expected number of attributes 
+	    int actualSAMLAttributeNumber = samlAttributes.length;
+	    if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
+	    	Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + 
+	    			expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
+	    	throw new ValidateException("validator.36", 
+	    		  new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
+	    	
+	    }
+	    
+	    //now check every single attribute
+	    SAMLAttribute samlAttribute = null;
+	    Pair<String, String> userSectorId = null;
+	    if (session.getSAMLAttributeGebeORwbpk()) {      
+	    	//check the first attribute ("Geschaeftsbereich" or "wbPK")
+	    	samlAttribute = samlAttributes[0];
+	    	
+	    	//calculate bPK or wbPK as reference value for validation    	
+	    	if (MiscUtil.isNotEmpty(saml1RequestedTarget))
+	    		userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+	    				identityLink.getIdentificationValue(), identityLink.getIdentificationType(), 
+	    				saml1RequestedTarget);
+	    	else
+	    		userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+	    				identityLink.getIdentificationValue(), identityLink.getIdentificationType(), 
+	    				oaParam.getAreaSpecificTargetIdentifier());
+	    	
+	    	//every sector specific identifier that has not 'urn:publicid:gv.at:cdid+' as prefix
+	    	// is internally handled as an AuthBlock with wbPK 
+	    	if (!userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+	    		if (!samlAttribute.getName().equals("wbPK")) {
+	    			if (samlAttribute.getName().equals("Geschaeftsbereich")) {
+	    				throw new ValidateException("validator.26", null);
+	    				
+	    			} else {
+	    				throw new ValidateException("validator.37", 
+	    						new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
+	    			}
+	    		}
+	    		
+	    		if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {          
+	    			foundWBPK = true;
+	    			try {
+	    				Element attrValue = (Element)samlAttribute.getValue();
+	    				String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
+	    				String type =  ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
+	    				if (!value.equals(userSectorId.getFirst()))
+	    					throw new ValidateException("validator.28", 
+	    							new Object[] {value, userSectorId.getFirst()}); 
+	
+	    				if (!type.equals(userSectorId.getSecond()))
+	    					throw new ValidateException("validator.28", 
+	    							new Object[] {type, userSectorId.getSecond()}); 
+	    				
+	    			} catch (Exception ex) {
+	    				throw new ValidateException("validator.29", null);
+	    			}
+	    			
+	    		} else
+	    			throw new ValidateException("validator.30", null);
+	    		
+	    	} else {
+	    		if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
+	    			if (samlAttribute.getName().equals("wbPK"))
+	    				throw new ValidateException("validator.26", null);
+	          
+	    			else
+	    				throw new ValidateException("validator.37", 
+	    						new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
+	    		}
+	    	  
+	    		if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {          
+	    			foundGB = true;
+	          
+	    			String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(userSectorId.getSecond());
+	    			if (StringUtils.isEmpty(sectorName)) {
+	    				if (saml1RequestedFriendlyName != null)
+	    					sectorName = saml1RequestedFriendlyName;
+	    				else 
+	    					sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+	    			}
+	    			
+	    			String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
+	    			if (!refValueSector.equals((String)samlAttribute.getValue()))
+	    				throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector});             
+	    	  
+	    		} else
+	    			throw new ValidateException("validator.12", null);
+	    	  
+	      		}
+	    	
+	    	} else
+	    		//check nothing if wbPK or public SP target is not part of AuthBlock
+	    		offset--;
+	
+	    	// check the second attribute (must be "OA")
+	    	samlAttribute = samlAttributes[1 + offset];
+	    	if (!samlAttribute.getName().equals("OA"))
+	    		throw new ValidateException("validator.37", 
+	    				new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
+	
+	    	if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+	    		foundOA = true;            
+	    		if (!oaURL.equals((String)samlAttribute.getValue()))             
+	    			throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
+	    		
+	    	} else
+	    		throw new ValidateException("validator.15", null);
+	
+	      
+	    	// check the third attribute (must be "Geburtsdatum")
+	    	samlAttribute = samlAttributes[2 + offset];
+	    	if (!samlAttribute.getName().equals("Geburtsdatum"))
+	    		throw new ValidateException("validator.37", 
+	    				new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
+	    	
+	    	if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+	    		String samlDateOfBirth = (String)samlAttribute.getValue();
+	    		String dateOfBirth = identityLink.getDateOfBirth();
+	    		if (!samlDateOfBirth.equals(dateOfBirth))
+	    			throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
+	    		
+	    	} else
+	    		throw new ValidateException("validator.35", null);
+	     
+	    	// check four attribute could be a special text
+	    	samlAttribute = samlAttributes[3 + offset];
+	    	if (!samlAttribute.getName().equals("SpecialText"))
+	    		throw new ValidateException("validator.37", 
+	    				new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
+	   
+	    	if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+	    		String samlSpecialText = (String)samlAttribute.getValue();
+	    		samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
+	      
+	    		String text = "";
+	    		if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
+	    			Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
+	    			text = oaParam.getAditionalAuthBlockText();
+	    			
+	    		}
+	            
+	    		String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, 
+	    				AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
+	    						pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
+	    		if (!samlSpecialText.equals(specialText))
+	    			throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
+	    		
+	    	} else
+	    		throw new ValidateException("validator.35", null);
+	      
+	        
+	    	//check unique AuthBlock tokken
+	    	samlAttribute = samlAttributes[4 + offset];
+	    	if (!samlAttribute.getName().equals("UniqueTokken"))
+	    		throw new ValidateException("validator.37", 
+	    				new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+	    	
+	    	if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+	    		String uniquetokken = (String)samlAttribute.getValue();
+	           
+	    		if (!uniquetokken.equals(session.getAuthBlockTokken()))
+	    			throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+	    	} else
+	    		throw new ValidateException("validator.35", null);
+	    
+	    	
+	    	// now check the extended SAML attributes
+	    	int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
+	    	if (extendedSAMLAttributes != null) {
+	    		Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
+	    		while (it.hasNext()) {
+	    			ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
+	    			samlAttribute = samlAttributes[i];
+	    			String actualName = samlAttribute.getName();
+	    			String expectedName = extendedSAMLAttribute.getName();
+	    			if (!actualName.equals(expectedName))
+	    				throw new ValidateException("validator.38", 
+	    						new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
+	
+	    			String actualNamespace = samlAttribute.getNamespace();
+	    			String expectedNamespace = extendedSAMLAttribute.getNameSpace();
+	    			if (!actualNamespace.equals(expectedNamespace))
+	    				throw new ValidateException("validator.38", 
+	    						new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
+	
+	    			Object expectedValue = extendedSAMLAttribute.getValue();
+	    			Object actualValue = samlAttribute.getValue();
+	    			try {
+	    				if (expectedValue instanceof String) {
+	    					// replace \r\n because text might be base64-encoded
+	    					String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
+	    					expValue = StringUtils.replaceAll(expValue,"\n","");
+	    					String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
+	    					actValue = StringUtils.replaceAll(actValue,"\n","");
+	    					if (!expValue.equals(actValue))
+	    						throw new ValidateException("validator.38", 
+	    								new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
+	    					
+	    				} else if (expectedValue instanceof Element) {
+	    					// only check the name of the element
+	    					String actualElementName = ((Element)actualValue).getNodeName();
+	    					String expectedElementName = ((Element)expectedValue).getNodeName();
+	    					if (!(expectedElementName.equals(actualElementName))) 
+	    						throw new ValidateException("validator.38", 
+	    								new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
+	    					
+	    				} else
+	    					// should not happen
+	    					throw new ValidateException("validator.38", 
+	    							new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
+	        
+	    			} catch (ClassCastException e) {
+	    				throw new ValidateException("validator.38", 
+	    						new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
+	    			}
+	    			
+	    			i++;
+	    		}
+	    	}
+	        
+	    	if (!foundOA) 
+	    		throw new ValidateException("validator.14", null);
+	    	
+	    	if (userSectorId != null && !userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+	    		if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) 
+	    			throw new ValidateException("validator.31", null);
+	    	
+	    	} else {
+	    		if (!foundGB && session.getSAMLAttributeGebeORwbpk()) 
+	    			throw new ValidateException("validator.11", null);
+	    	}
+	  
+	    	//Check if dsig:Signature exists
+	    	Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
+	    	if (dsigSignature == null)    
+	    		throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
+	  
+	  } catch (Exception e) {
+		  SpecificTraceLogger.trace("Validate AuthBlock without SSO");
+		  SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock());
+		  SpecificTraceLogger.trace("OA config: " + oaParam.toString());
+		  SpecificTraceLogger.trace("saml1RequestedTarget: " + saml1RequestedTarget);
+		  SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + saml1RequestedFriendlyName);		  
+		  throw e;
+		  
+	  }
   }
   
   /**
@@ -436,219 +447,227 @@ public class CreateXMLSignatureResponseValidator {
    */
   public void validateSSO(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq)
    throws ValidateException {
-      
-      // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier    
-	String	oaURL = pendingReq.getAuthURL();
-		
-    IIdentityLink identityLink = session.getIdentityLink();
-    
-    Element samlAssertion = createXMLSignatureResponse.getSamlAssertion(); 
-    String issuer = samlAssertion.getAttribute("Issuer");
-    if (issuer == null) {
-      // should not happen, because parser would dedect this
-      throw new ValidateException("validator.32", null);
-    }
-    // replace ' in name with &#39;
-    issuer = issuer.replaceAll("'", "&#39;");
-    
-    String issueInstant = samlAssertion.getAttribute("IssueInstant");
-    if (!issueInstant.equals(session.getIssueInstant())) {
-      throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
-    }
-    
-    String name = identityLink.getName();
-    
-    if (!issuer.equals(name)) {
-      throw new ValidateException("validator.33", new Object[] {issuer, name});
-    }     
-       
-    SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
-
-    boolean foundOA = false;
-//    boolean foundGB = false;
-//    boolean foundWBPK = false;
-    int offset = 0;
-    
-    // check number of SAML aatributes
-    List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
-    int extendedSAMLAttributesNum = 0;
-    if (extendedSAMLAttributes != null) {
-      extendedSAMLAttributesNum = extendedSAMLAttributes.size();
-    }
-    int expectedSAMLAttributeNumber = 
-      AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + extendedSAMLAttributesNum;
-    if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
-    int actualSAMLAttributeNumber = samlAttributes.length;
-    if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
-      Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + 
-        expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
-      throw new ValidateException(
-        "validator.36", 
-        new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
-    }
-    
-    SAMLAttribute samlAttribute;
-    if (!session.getSAMLAttributeGebeORwbpk()) {
-      offset--;
-    }
-
-    // check the first attribute (must be "OA")
-    samlAttribute = samlAttributes[0 + offset];
-    if (!samlAttribute.getName().equals("OA")) {
-      throw new ValidateException(
-          "validator.37", 
-          new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
-    }
-    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
-      foundOA = true;            
-      if (!oaURL.equals((String)samlAttribute.getValue())) {  // CHECKS für die AttributeVALUES fehlen noch             
-        throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); 
-      }             
-    } else {
-      throw new ValidateException("validator.15", null);
-    }
-      
-    // check the third attribute (must be "Geburtsdatum")
-    samlAttribute = samlAttributes[1 + offset];
-    if (!samlAttribute.getName().equals("Geburtsdatum")) {
-      throw new ValidateException(
-          "validator.37", 
-          new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
-    }
-    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
-      String samlDateOfBirth = (String)samlAttribute.getValue();
-      String dateOfBirth = identityLink.getDateOfBirth();
-      if (!samlDateOfBirth.equals(dateOfBirth)) {
-        throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
-      }
-    } else {
-      throw new ValidateException("validator.35", null);
-    }
-     
-    // check four attribute could be a special text
-    samlAttribute = samlAttributes[2 + offset];
-    if (!samlAttribute.getName().equals("SpecialText")) {
-      throw new ValidateException(
-          "validator.37", 
-          new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
-    }
-    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
-      String samlSpecialText = (String)samlAttribute.getValue();
-      samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
-      
-      String text = "";
-      try {
-    	 if (MiscUtil.isNotEmpty(AuthConfigurationProviderFactory.getInstance().getSSOSpecialText())) {
-    		text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
-			Logger.debug("Use addional AuthBlock Text from SSO=" +text);
-			
-    	 }
-		else
-			text = new String();
-      } catch (ConfigurationException e) {
-    	  Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e);
-      }
-      
-      
-      	String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, 
-      			AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
-						pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
-      	if (!samlSpecialText.equals(specialText)) {
-      		throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
-      	}
-    } else {
-      throw new ValidateException("validator.35", null);
-    }
-    
-    //check unique AuthBlock tokken
-    samlAttribute = samlAttributes[3 + offset];
-    if (!samlAttribute.getName().equals("UniqueTokken")) {
-      throw new ValidateException(
-          "validator.37", 
-          new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
-    }
-    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
-      String uniquetokken = (String)samlAttribute.getValue();
-           
-      if (!uniquetokken.equals(session.getAuthBlockTokken())) {
-        throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
-      }
-    } else {
-      throw new ValidateException("validator.35", null);
-    }
-    
-    
-    // now check the extended SAML attributes
-    int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset;
-    if (extendedSAMLAttributes != null) {
-      Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
-      while (it.hasNext()) {
-        ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
-        samlAttribute = samlAttributes[i];
-        String actualName = samlAttribute.getName();
-        String expectedName = extendedSAMLAttribute.getName();
-        if (!actualName.equals(expectedName)) {
-          throw new ValidateException(
-            "validator.38", 
-            new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
-        }
-        String actualNamespace = samlAttribute.getNamespace();
-        String expectedNamespace = extendedSAMLAttribute.getNameSpace();
-        if (!actualNamespace.equals(expectedNamespace)) {
-          throw new ValidateException(
-            "validator.38", 
-            new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
-        }
-        Object expectedValue = extendedSAMLAttribute.getValue();
-        Object actualValue = samlAttribute.getValue();
-        try {
-          if (expectedValue instanceof String) {
-            // replace \r\n because text might be base64-encoded
-            String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
-            expValue = StringUtils.replaceAll(expValue,"\n","");
-            String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
-            actValue = StringUtils.replaceAll(actValue,"\n","");
-            if (!expValue.equals(actValue)) {
-              throw new ValidateException(
-              "validator.38", 
-              new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });          
-            }
-          } else if (expectedValue instanceof Element) {
-            // only check the name of the element
-            String actualElementName = ((Element)actualValue).getNodeName();
-            String expectedElementName = ((Element)expectedValue).getNodeName();
-            if (!(expectedElementName.equals(actualElementName))){
-              throw new ValidateException(
-              "validator.38", 
-              new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});          
-            }
-          } else {
-            // should not happen
-            throw new ValidateException(
-              "validator.38", 
-              new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
-          }
-        } catch (ClassCastException e) {
-          throw new ValidateException(
-              "validator.38", 
-              new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
-        }
-        i++;
-      }
-    }
+     try { 
+	      // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier    
+		String	oaURL = pendingReq.getAuthURL();		
+	    IIdentityLink identityLink = session.getIdentityLink();
+	    
+	    Element samlAssertion = createXMLSignatureResponse.getSamlAssertion(); 
+	    String issuer = samlAssertion.getAttribute("Issuer");
+	    if (issuer == null) {
+	      // should not happen, because parser would dedect this
+	      throw new ValidateException("validator.32", null);
+	    }
+	    // replace ' in name with &#39;
+	    issuer = issuer.replaceAll("'", "&#39;");
+	    
+	    String issueInstant = samlAssertion.getAttribute("IssueInstant");
+	    if (!issueInstant.equals(session.getIssueInstant())) {
+	      throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
+	    }
+	    
+	    String name = identityLink.getName();
+	    
+	    if (!issuer.equals(name)) {
+	      throw new ValidateException("validator.33", new Object[] {issuer, name});
+	    }     
+	       
+	    SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
+	
+	    boolean foundOA = false;
+	//    boolean foundGB = false;
+	//    boolean foundWBPK = false;
+	    int offset = 0;
+	    
+	    // check number of SAML aatributes
+	    List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+	    int extendedSAMLAttributesNum = 0;
+	    if (extendedSAMLAttributes != null) {
+	      extendedSAMLAttributesNum = extendedSAMLAttributes.size();
+	    }
+	    int expectedSAMLAttributeNumber = 
+	      AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + extendedSAMLAttributesNum;
+	    if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
+	    int actualSAMLAttributeNumber = samlAttributes.length;
+	    if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
+	      Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + 
+	        expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
+	      throw new ValidateException(
+	        "validator.36", 
+	        new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
+	    }
+	    
+	    SAMLAttribute samlAttribute;
+	    if (!session.getSAMLAttributeGebeORwbpk()) {
+	      offset--;
+	    }
+	
+	    // check the first attribute (must be "OA")
+	    samlAttribute = samlAttributes[0 + offset];
+	    if (!samlAttribute.getName().equals("OA")) {
+	      throw new ValidateException(
+	          "validator.37", 
+	          new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
+	    }
+	    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+	      foundOA = true;            
+	      if (!oaURL.equals((String)samlAttribute.getValue())) {  // CHECKS für die AttributeVALUES fehlen noch             
+	        throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); 
+	      }             
+	    } else {
+	      throw new ValidateException("validator.15", null);
+	    }
+	      
+	    // check the third attribute (must be "Geburtsdatum")
+	    samlAttribute = samlAttributes[1 + offset];
+	    if (!samlAttribute.getName().equals("Geburtsdatum")) {
+	      throw new ValidateException(
+	          "validator.37", 
+	          new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
+	    }
+	    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+	      String samlDateOfBirth = (String)samlAttribute.getValue();
+	      String dateOfBirth = identityLink.getDateOfBirth();
+	      if (!samlDateOfBirth.equals(dateOfBirth)) {
+	        throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
+	      }
+	    } else {
+	      throw new ValidateException("validator.35", null);
+	    }
+	     
+	    // check four attribute could be a special text
+	    samlAttribute = samlAttributes[2 + offset];
+	    if (!samlAttribute.getName().equals("SpecialText")) {
+	      throw new ValidateException(
+	          "validator.37", 
+	          new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
+	    }
+	    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+	      String samlSpecialText = (String)samlAttribute.getValue();
+	      samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
+	      
+	      String text = "";
+	      try {
+	    	 if (MiscUtil.isNotEmpty(AuthConfigurationProviderFactory.getInstance().getSSOSpecialText())) {
+	    		text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
+				Logger.debug("Use addional AuthBlock Text from SSO=" +text);
+				
+	    	 }
+			else
+				text = new String();
+	      } catch (ConfigurationException e) {
+	    	  Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e);
+	      }
+	      
+	      
+	      	String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, 
+	      			AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
+							pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
+	      	if (!samlSpecialText.equals(specialText)) {
+	      		throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
+	      	}
+	    } else {
+	      throw new ValidateException("validator.35", null);
+	    }
+	    
+	    //check unique AuthBlock tokken
+	    samlAttribute = samlAttributes[3 + offset];
+	    if (!samlAttribute.getName().equals("UniqueTokken")) {
+	      throw new ValidateException(
+	          "validator.37", 
+	          new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+	    }
+	    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+	      String uniquetokken = (String)samlAttribute.getValue();
+	           
+	      if (!uniquetokken.equals(session.getAuthBlockTokken())) {
+	        throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+	      }
+	    } else {
+	      throw new ValidateException("validator.35", null);
+	    }
+	    
+	    
+	    // now check the extended SAML attributes
+	    int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset;
+	    if (extendedSAMLAttributes != null) {
+	      Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
+	      while (it.hasNext()) {
+	        ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
+	        samlAttribute = samlAttributes[i];
+	        String actualName = samlAttribute.getName();
+	        String expectedName = extendedSAMLAttribute.getName();
+	        if (!actualName.equals(expectedName)) {
+	          throw new ValidateException(
+	            "validator.38", 
+	            new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
+	        }
+	        String actualNamespace = samlAttribute.getNamespace();
+	        String expectedNamespace = extendedSAMLAttribute.getNameSpace();
+	        if (!actualNamespace.equals(expectedNamespace)) {
+	          throw new ValidateException(
+	            "validator.38", 
+	            new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
+	        }
+	        Object expectedValue = extendedSAMLAttribute.getValue();
+	        Object actualValue = samlAttribute.getValue();
+	        try {
+	          if (expectedValue instanceof String) {
+	            // replace \r\n because text might be base64-encoded
+	            String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
+	            expValue = StringUtils.replaceAll(expValue,"\n","");
+	            String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
+	            actValue = StringUtils.replaceAll(actValue,"\n","");
+	            if (!expValue.equals(actValue)) {
+	              throw new ValidateException(
+	              "validator.38", 
+	              new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });          
+	            }
+	          } else if (expectedValue instanceof Element) {
+	            // only check the name of the element
+	            String actualElementName = ((Element)actualValue).getNodeName();
+	            String expectedElementName = ((Element)expectedValue).getNodeName();
+	            if (!(expectedElementName.equals(actualElementName))){
+	              throw new ValidateException(
+	              "validator.38", 
+	              new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});          
+	            }
+	          } else {
+	            // should not happen
+	            throw new ValidateException(
+	              "validator.38", 
+	              new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
+	          }
+	        } catch (ClassCastException e) {
+	          throw new ValidateException(
+	              "validator.38", 
+	              new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
+	        }
+	        i++;
+	      }
+	    }
+	    
+	    
+	    if (!foundOA) throw new ValidateException("validator.14", null); 
+	  
+	     //Check if dsig:Signature exists
+	//    NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
+	//    if (nl.getLength() != 1) {
+	//      throw new ValidateException("validator.05", null);
+	//    }
+	    Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
+	    if (dsigSignature == null) {    
+	      throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
+	    }
     
+	  } catch (Exception e) {
+		  SpecificTraceLogger.trace("Validate AuthBlock with SSO");
+		  SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock());
+		  SpecificTraceLogger.trace("OA config: " + pendingReq.getOnlineApplicationConfiguration().toString());		  
+		  throw e;
+		  
+	  }
     
-    if (!foundOA) throw new ValidateException("validator.14", null); 
-  
-     //Check if dsig:Signature exists
-//    NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
-//    if (nl.getLength() != 1) {
-//      throw new ValidateException("validator.05", null);
-//    }
-    Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
-    if (dsigSignature == null) {    
-      throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
-    }
   }
   
   public void validateSigningDateTime( CreateXMLSignatureResponse csresp) throws ValidateException {
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2018-03-12 13:35:46 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2018-03-12 14:16:17 +0100
commit	b4c009b6d64cc17974e5917c10f92dbe987d826e (patch)
tree	46e3777b7d62ac2d96110d6428d82706d1720345
parent	a30826d08c748daaf3d6cdc2329f985852822f54 (diff)
download	moa-id-spss-b4c009b6d64cc17974e5917c10f92dbe987d826e.tar.gz moa-id-spss-b4c009b6d64cc17974e5917c10f92dbe987d826e.tar.bz2 moa-id-spss-b4c009b6d64cc17974e5917c10f92dbe987d826e.zip