MOA-ID version 1.1 (initial)

git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@19 d688527b-c9ab-4aba-bd8d-4036d912da1d

12 files changed, 369 insertions, 0 deletions

diff --git a/id.server/doc/moa_id/examples/BKUSelectionTemplate.html b/id.server/doc/moa_id/examples/BKUSelectionTemplate.html
new file mode 100644
index 000000000..11c9352d2
--- /dev/null
+++ b/id.server/doc/moa_id/examples/BKUSelectionTemplate.html
@@ -0,0 +1,4 @@
+<form name="CustomizedForm" method="post" action="<StartAuth>">
+<BKUSelect>
+<input type="submit" value="Ausw&auml;hlen"/>
+</form>
diff --git a/id.server/doc/moa_id/examples/ChainingModes.txt b/id.server/doc/moa_id/examples/ChainingModes.txt
new file mode 100644
index 000000000..820b60d06
--- /dev/null
+++ b/id.server/doc/moa_id/examples/ChainingModes.txt
@@ -0,0 +1,6 @@
+	<ChainingModes systemDefaultMode="pkix">
+		<TrustAnchor mode="chaining">
+			<dsig:X509IssuerName>CN=A-Trust-nQual-0,OU=A-Trust-nQual-0,O=A-Trust,C=AT</dsig:X509IssuerName>
+			<dsig:X509SerialNumber>536</dsig:X509SerialNumber>
+		</TrustAnchor>
+	</ChainingModes>
diff --git a/id.server/doc/moa_id/examples/IdentityLinkSigners.txt b/id.server/doc/moa_id/examples/IdentityLinkSigners.txt
new file mode 100644
index 000000000..faed15030
--- /dev/null
+++ b/id.server/doc/moa_id/examples/IdentityLinkSigners.txt
@@ -0,0 +1,3 @@
+		<IdentityLinkSigners>
+			<X509SubjectName>CN=zmr,OU=BMI-IV-2,O=BMI,C=AT</X509SubjectName>
+		</IdentityLinkSigners>
diff --git a/id.server/doc/moa_id/examples/LoginServletExample.txt b/id.server/doc/moa_id/examples/LoginServletExample.txt
new file mode 100644
index 000000000..e085e4126
--- /dev/null
+++ b/id.server/doc/moa_id/examples/LoginServletExample.txt
@@ -0,0 +1,171 @@
+import java.io.IOException;
+import java.util.Vector;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import javax.xml.namespace.QName;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.rpc.Call;
+import javax.xml.rpc.Service;
+import javax.xml.rpc.ServiceFactory;
+
+import org.apache.axis.message.SOAPBodyElement;
+import org.apache.xml.serialize.LineSeparator;
+import org.apache.xml.serialize.OutputFormat;
+import org.apache.xml.serialize.XMLSerializer;
+import org.jaxen.JaxenException;
+import org.jaxen.SimpleNamespaceContext;
+import org.jaxen.dom.DOMXPath;
+import org.w3c.dom.Attr;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+/**
+ * Beispiel für ein Login-Servlet, das von MOA-ID-AUTH über einen Redirect aufgerufen wird.
+ * Es werden demonstriert:
+ * - Parameterübergabe von MOA-ID-AUTH
+ * - Aufruf des MOA-ID-AUTH Web Service zum Abholen der Anmeldedaten über das Apache Axis Framework
+ * - Parsen der Anmeldedaten mittels der XPath Engine "Jaxen"
+ * - Speichern der Anmeldedaten in der HTTPSession
+ * - Redirect auf die eigentliche Startseite der OA
+ * 
+ * @author Paul Ivancsics
+ */
+public class LoginServletExample extends HttpServlet {
+
+  // Web Service QName und Endpoint
+  private static final QName SERVICE_QNAME = new QName("GetAuthenticationData");
+  private static final String ENDPOINT =
+    "http://localhost:8080/moa-id-auth/services/GetAuthenticationData";
+  // NamespaceContext für Jaxen
+  private static SimpleNamespaceContext NS_CONTEXT;
+  static {
+    NS_CONTEXT = new SimpleNamespaceContext();
+    NS_CONTEXT.addNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");
+    NS_CONTEXT.addNamespace("samlp", "urn:oasis:names:tc:SAML:1.0:protocol");
+    NS_CONTEXT.addNamespace("pr", "http://reference.e-government.gv.at/namespace/persondata/20020228#");
+  }
+  
+  /**
+   * Servlet wird von MOA-ID-AUTH nach erfolgter Authentisierung über ein Redirect aufgerufen.
+   */
+  protected void doGet(HttpServletRequest req, HttpServletResponse resp)
+    throws ServletException, IOException {
+
+    // Parameter "Target" und "SAMLArtifact" aus dem Redirect von MOA-ID-AUTH lesen
+    String target = req.getParameter("Target");
+    String samlArtifact = req.getParameter("SAMLArtifact");
+    
+    try {
+      // DOMBuilder instanzieren
+      DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+      factory.setNamespaceAware(true);
+      DocumentBuilder builder = factory.newDocumentBuilder();
+  
+      // <samlp:Request> zusammenstellen und in einen DOM-Baum umwandeln
+      String samlRequest =
+        "<?xml version=\"1.0\" encoding=\"UTF-8\"?><samlp:Request IssueInstant=\"2003-01-01T00:00:00+02:00\" MajorVersion=\"1\" MinorVersion=\"0\" RequestID=\"12345678901234567890\" xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\"><samlp:AssertionArtifact>"
+          + samlArtifact
+          + "</samlp:AssertionArtifact></samlp:Request>";
+      Document root_request = builder.parse(samlRequest);
+  
+      // Neues SOAPBodyElement anlegen und mit dem DOM-Baum füllen
+      SOAPBodyElement body = new SOAPBodyElement(root_request.getDocumentElement());
+      SOAPBodyElement[] params = new SOAPBodyElement[] { body };
+  
+      // AXIS-Service für Aufruf von MOA-ID-AUTH instanzieren
+      Service service = ServiceFactory.newInstance().createService(SERVICE_QNAME);
+
+      // Axis-Call erzeugen und mit Endpoint verknüpfen
+      Call call = service.createCall();
+      call.setTargetEndpointAddress(ENDPOINT);
+  
+      // Call aufrufen und die Antwort speichern
+      System.out.println("Calling MOA-ID-AUTH ...");
+      Vector responses = (Vector) call.invoke(params);
+  
+      // erstes BodyElement auslesen
+      SOAPBodyElement response = (SOAPBodyElement) responses.get(0);
+  
+      // <samlp:Response> als DOM-Baum holen
+      Document responseDocument = response.getAsDocument();
+      Element samlResponse = responseDocument.getDocumentElement();
+  
+      // <samlp:Response> auf System.out ausgeben
+      System.out.println("Response received:");
+      OutputFormat format = new OutputFormat((Document) responseDocument);
+      format.setLineSeparator(LineSeparator.Windows);
+      format.setIndenting(true);
+      format.setLineWidth(0);
+      XMLSerializer serializer = new XMLSerializer(System.out, format);
+      serializer.asDOMSerializer();
+      serializer.serialize(responseDocument);
+
+      // <samlp:StatusCode> auslesen
+      Attr statusCodeAttr = (Attr)getNode(samlResponse, "/samlp:Response/samlp:Status/samlp:StatusCode/@Value");
+      String samlStatusCode = statusCodeAttr.getValue();
+      System.out.println("StatusCode: " + samlStatusCode);
+      
+      // <saml:Assertion> auslesen
+      if ("samlp:Success".equals(samlStatusCode)) {
+        Element samlAssertion = (Element)getNode(samlResponse, "/samlp:Response/saml:Assertion");
+        
+        // FamilyName aus der <saml:Assertion> parsen 
+        Node familyNameNode = getNode(samlAssertion, "//saml:AttributeStatement/saml:Attribute[@AttributeName=\"PersonData\"]/saml:AttributeValue/pr:Person/pr:Name/pr:FamilyName");
+        String familyName = getText(familyNameNode);
+        System.out.println("Family name: " + familyName);
+        
+        // weitere Anmeldedaten aus der <saml:Assertion> parsen 
+        // ...
+        
+        // Anmeldedaten und Target in der HTTPSession speichern
+        HttpSession session = req.getSession();
+        session.setAttribute("UserFamilyName", familyName);
+        session.setAttribute("Geschaeftsbereich", target);
+
+        // weitere Anmeldedaten in der HTTPSession speichern
+        // ...
+        
+        // Redirect auf die eigentliche Startseite
+        resp.sendRedirect("/index.jsp");
+      }
+    }
+    catch (Exception ex) {
+      ex.printStackTrace();
+    }
+  }
+  /** Returns the first node matching an XPath expression. */
+  private static Node getNode(Node contextNode, String xpathExpression) throws JaxenException {
+    DOMXPath xpath = new DOMXPath(xpathExpression);
+    xpath.setNamespaceContext(NS_CONTEXT);
+    return (Node) xpath.selectSingleNode(contextNode);
+  }
+  /** Returns the text that a node contains. */
+  public static String getText(Node node) {
+    if (!node.hasChildNodes()) {
+      return "";
+    }
+
+    StringBuffer result = new StringBuffer();
+    NodeList list = node.getChildNodes();
+    for (int i = 0; i < list.getLength(); i++) {
+      Node subnode = list.item(i);
+      if (subnode.getNodeType() == Node.TEXT_NODE) {
+        result.append(subnode.getNodeValue());
+      } else if (subnode.getNodeType() == Node.CDATA_SECTION_NODE) {
+        result.append(subnode.getNodeValue());
+      } else if (subnode.getNodeType() == Node.ENTITY_REFERENCE_NODE) {
+        // Recurse into the subtree for text
+        // (and ignore comments)
+        result.append(getText(subnode));
+      }
+    }
+    return result.toString();
+  }
+}
diff --git a/id.server/doc/moa_id/examples/Template.html b/id.server/doc/moa_id/examples/Template.html
new file mode 100644
index 000000000..97e54c6af
--- /dev/null
+++ b/id.server/doc/moa_id/examples/Template.html
@@ -0,0 +1,23 @@
+<form name="CustomizedForm"
+ action="<BKU>"
+ method="post">
+ <input type="hidden"
+        name="XMLRequest"
+        value="<XMLRequest>"/>
+ <input type="hidden"
+        name="DataURL"
+        value="<DataURL>"/>
+ <input type="submit" value="B&uuml;rgerkarte lesen"/>
+</form>
+<form name="CustomizedInfoForm"
+ action="<BKU>"
+ method="post">
+ <input type="hidden"
+        name="XMLRequest"
+        value="<CertInfoXMLRequest>"/>
+ <input type="hidden"
+        name="DataURL"
+        value="<CertInfoDataURL>"/>
+ Hier finden Sie weitere Informationen zur &Uuml;berpr&uuml;fung der Zertifikate.<br/>
+ <input type="submit" value="Weitere Info"/>
+</form>
\ No newline at end of file
diff --git a/id.server/doc/moa_id/examples/TransformsInfoAuthBlock.txt b/id.server/doc/moa_id/examples/TransformsInfoAuthBlock.txt
new file mode 100644
index 000000000..396d0faea
--- /dev/null
+++ b/id.server/doc/moa_id/examples/TransformsInfoAuthBlock.txt
@@ -0,0 +1,63 @@
+<sl10:TransformsInfo>
+	<dsig:Transforms>
+		<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+		<dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
+			<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
+				<xsl:template match="/" xmlns="http://www.w3.org/1999/xhtml">
+					<html>
+						<body>
+Bitte bestätigen Sie mit Ihrer Unterschrift folgende Angaben:
+<br/>
+							<table border="1">
+								<tr>
+									<td>
+										<b>Name:</b>
+									</td>
+									<td>
+										<xsl:value-of select="//@Issuer"/>
+									</td>
+								</tr>
+								<tr>
+									<td>
+										<b>Zeit:</b>
+									</td>
+									<td>
+										<xsl:value-of select="substring(//@IssueInstant,9,2)"/>.<xsl:value-of select="substring(//@IssueInstant,6,2)"/>.<xsl:value-of select="substring(//@IssueInstant,1,4)"/>, <xsl:value-of select="substring(//@IssueInstant,12,2)"/>:<xsl:value-of select="substring(//@IssueInstant,15,2)"/>:<xsl:value-of select="substring(//@IssueInstant,18,2)"/>
+									</td>
+								</tr>
+								<tr>
+									<td>
+										<b>Applikation:</b>
+									</td>
+									<td>
+										<xsl:value-of select="//saml:Attribute[@AttributeName='OA']/saml:AttributeValue"/>
+									</td>
+								</tr>
+								<tr>
+									<td>
+										<b>Geschäftsbereich:</b>
+									</td>
+									<td>
+										<xsl:value-of select="//saml:Attribute[@AttributeName='Geschäftsbereich']/saml:AttributeValue"/>
+									</td>
+								</tr>
+								<tr>
+									<td>
+										<b>Anmeldeserver:</b>
+									</td>
+									<td>
+										<xsl:value-of select="//saml:NameIdentifier"/>
+									</td>
+								</tr>
+							</table>
+						</body>
+					</html>
+				</xsl:template>
+			</xsl:stylesheet>
+		</dsig:Transform>
+		<dsig:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
+	</dsig:Transforms>
+	<sl10:FinalDataMetaInfo>
+		<sl10:MimeType>text/html</sl10:MimeType>
+	</sl10:FinalDataMetaInfo>
+</sl10:TransformsInfo>
diff --git a/id.server/doc/moa_id/examples/conf/MOA-ID-Configuration.xml b/id.server/doc/moa_id/examples/conf/MOA-ID-Configuration.xml
new file mode 100644
index 000000000..6ce00228c
--- /dev/null
+++ b/id.server/doc/moa_id/examples/conf/MOA-ID-Configuration.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- edited with XMLSPY v5 rel. 3 U (http://www.xmlspy.com) by Stephan G (Comp) -->
+<MOA-IDConfiguration xmlns="http://www.buergerkarte.at/namespaces/moaconfig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:sl10="http://www.buergerkarte.at/namespaces/securitylayer/20020225#" xmlns:sl11="http://www.buergerkarte.at/namespaces/securitylayer/20020831#">
+	<AuthComponent>
+		<BKUSelection>
+			<ConnectionParameter URL="http://10.16.46.108:18080/oa/getBKUSelectTag.jsp"/>
+		</BKUSelection>
+		<SecurityLayer>
+			<TransformsInfo filename="file:/home/moa/id/jakarta-tomcat-4.1.18/conf/moa-id/Transforms/TransformsInfosHTML.xml"/>
+		</SecurityLayer>
+		<MOA-SP>
+			<ConnectionParameter URL="https://10.16.46.108:8443/moa-spss/services/SignatureVerification">
+				<AcceptedServerCertificates>file:/home/moa/id/jakarta-tomcat-4.1.18/conf/moa-id/certs/server-certs</AcceptedServerCertificates>
+				<ClientKeyStore password="Keystore Pass">file:/c:/</ClientKeyStore>
+			</ConnectionParameter>
+			<VerifyIdentityLink>
+				<TrustProfileID>TrustProfile1</TrustProfileID>
+			</VerifyIdentityLink>
+			<VerifyAuthBlock>
+				<TrustProfileID>TrustProfile1</TrustProfileID>
+				<VerifyTransformsInfoProfileID>TransformsInfoProfile1MOAID</VerifyTransformsInfoProfileID>
+			</VerifyAuthBlock>
+		</MOA-SP>
+		<IdentityLinkSigners>
+			<X509SubjectName>CN=Test Signaturdienst Personenbindung,OU=Zentrales Melderegister,O=Bundesministerium f\C3\BCr Inneres,C=AT</X509SubjectName>
+		</IdentityLinkSigners>
+	</AuthComponent>
+	<ProxyComponent>
+		<AuthComponent>
+			<ConnectionParameter URL="http://moatestlinux:18080/moa-id-auth/services/GetAuthenticationData">
+				<AcceptedServerCertificates>http://www.altova.com</AcceptedServerCertificates>
+				<ClientKeyStore password="String">http://www.altova.com</ClientKeyStore>
+			</ConnectionParameter>
+		</AuthComponent>
+	</ProxyComponent>
+	<OnlineApplication publicURLPrefix="https://10.16.126.28:9443/moa-id-proxy/">
+		<AuthComponent provideZMRZahl="false" provideAUTHBlock="false" provideIdentityLink="false"/>
+		<ProxyComponent configFileURL="file:/home/moa/id/jakarta-tomcat-4.1.18/conf/moa-id/oa/OAConf.xml" sessionTimeOut="600">
+			<ConnectionParameter URL="https://moatestlinux:18443/oa/">
+				<AcceptedServerCertificates>file:/home/moa/id/jakarta-tomcat-4.1.18/conf/moa-id/oa/server-certs/tomcat</AcceptedServerCertificates>
+				<ClientKeyStore password="ClientKeystoreOAPAss">URL:toClientKeystoreOA</ClientKeyStore>
+			</ConnectionParameter>
+		</ProxyComponent>
+	</OnlineApplication>
+	<ChainingModes systemDefaultMode="pkix">
+		<TrustAnchor mode="chaining">
+			<dsig:X509IssuerName>CN=A-Trust-nQual-0,OU=A-Trust-nQual-0,O=A-Trust,C=AT</dsig:X509IssuerName>
+			<dsig:X509SerialNumber>536</dsig:X509SerialNumber>
+		</TrustAnchor>
+	</ChainingModes>
+	<GenericConfiguration name="DirectoryCertStoreParameters.RootDir" value="file:/home/moa/id/jakarta-tomcat-4.1.18/conf/moa-id/certs/cert-store-root"/>
+	<GenericConfiguration name="AuthenticationData.TimeOut" value="120"/>
+	<GenericConfiguration name="AuthenticationSession.TimeOut" value="600"/>
+</MOA-IDConfiguration>
diff --git a/id.server/doc/moa_id/examples/conf/OAConfBasicAuth.xml b/id.server/doc/moa_id/examples/conf/OAConfBasicAuth.xml
new file mode 100644
index 000000000..0e4508036
--- /dev/null
+++ b/id.server/doc/moa_id/examples/conf/OAConfBasicAuth.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration xmlns="http://www.buergerkarte.at/namespaces/moaconfig#" xmlns:sl10="http://www.buergerkarte.at/namespaces/securitylayer/20020225#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<LoginType>stateful</LoginType>
+	<BasicAuth>
+		<UserID>MOAFamilyName</UserID>
+		<Password>MOADateOfBirth</Password>
+	</BasicAuth>
+</Configuration>
+
+<!-- Example for resulting "UserID:Password" used for basic authentication:
+Mustermann:1985-12-01
+-->
\ No newline at end of file
diff --git a/id.server/doc/moa_id/examples/conf/OAConfHeaderAuth.xml b/id.server/doc/moa_id/examples/conf/OAConfHeaderAuth.xml
new file mode 100644
index 000000000..c1a1964bf
--- /dev/null
+++ b/id.server/doc/moa_id/examples/conf/OAConfHeaderAuth.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration xmlns="http://www.buergerkarte.at/namespaces/moaconfig#" xmlns:sl10="http://www.buergerkarte.at/namespaces/securitylayer/20020225#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<LoginType>stateful</LoginType>
+	<HeaderAuth>
+		<Parameter Name="Name" Value="MOAFamilyName"/>
+		<Parameter Name="Vorname" Value="MOAGivenName"/>
+		<Parameter Name="Geburtsdatum" Value="MOADateOfBirth"/>
+		<Parameter Name="VPK" Value="MOAVPK"/>
+	</HeaderAuth>
+</Configuration>
+
+<!-- Example for resulting request headers:
+Name:Mustermann
+Vorname:Hermann
+Geburtsdatum:1985-12-01
+VPK:kp6hOq6LRAkLtrqm6EvDm6bMwJw=
+-->
\ No newline at end of file
diff --git a/id.server/doc/moa_id/examples/conf/OAConfParamAuth.xml b/id.server/doc/moa_id/examples/conf/OAConfParamAuth.xml
new file mode 100644
index 000000000..18e0a109c
--- /dev/null
+++ b/id.server/doc/moa_id/examples/conf/OAConfParamAuth.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration xmlns="http://www.buergerkarte.at/namespaces/moaconfig#" xmlns:sl10="http://www.buergerkarte.at/namespaces/securitylayer/20020225#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+	<LoginType>stateful</LoginType>
+	<ParamAuth>
+		<Parameter Name="Name" Value="MOAFamilyName"/>
+		<Parameter Name="Vorname" Value="MOAGivenName"/>
+		<Parameter Name="Geburtsdatum" Value="MOADateOfBirth"/>
+		<Parameter Name="VPK" Value="MOAVPK"/>
+	</ParamAuth>
+</Configuration>
+
+<!-- Example for resulting request parameters:
+Name=Mustermann&Vorname=Hermann&Geburtsdatum=1985-12-01&VPK=kp6hOq6LRAkLtrqm6EvDm6bMwJw=
+-->
\ No newline at end of file
diff --git a/id.server/doc/moa_id/examples/moa-id-env-linux.txt b/id.server/doc/moa_id/examples/moa-id-env-linux.txt
new file mode 100644
index 000000000..995d0b4d4
--- /dev/null
+++ b/id.server/doc/moa_id/examples/moa-id-env-linux.txt
@@ -0,0 +1 @@
+export CATALINA_OPTS="-Dmoa.id.configuration=/home/moa/jakarta-tomcat-4.1.18/conf/moa-id/MOAIDConfiguration.xml -Dlog4j.configuration=file:/home/moa/jakarta-tomcat-4.1.18/conf/moa-id/log4j.properties"
diff --git a/id.server/doc/moa_id/examples/moa-id-env-windows.txt b/id.server/doc/moa_id/examples/moa-id-env-windows.txt
new file mode 100644
index 000000000..109c196cf
--- /dev/null
+++ b/id.server/doc/moa_id/examples/moa-id-env-windows.txt
@@ -0,0 +1 @@
+set CATALINA_OPTS=-Dmoa.id.configuration=c:\jakarta-tomcat-4.1.18\conf\moa-id\MOAIDConfiguration.xml -Dlog4j.configuration=file:c:\jakarta-tomcat-4.1.18\conf\moa-id\log4j.properties