aboutsummaryrefslogtreecommitdiff
path: root/id.server/src/at/gv/egovernment/moa
diff options
context:
space:
mode:
authorharald.bratko <harald.bratko@d688527b-c9ab-4aba-bd8d-4036d912da1d>2007-01-10 15:37:52 +0000
committerharald.bratko <harald.bratko@d688527b-c9ab-4aba-bd8d-4036d912da1d>2007-01-10 15:37:52 +0000
commit7bba49753c8a44fade100d3676ab0a62372d44e1 (patch)
tree2bb52651b46ea2e85ad7f08ad0759180a2057a9f /id.server/src/at/gv/egovernment/moa
parent006abfa4f5064a905b14618708768e3aa295f264 (diff)
downloadmoa-id-spss-7bba49753c8a44fade100d3676ab0a62372d44e1.tar.gz
moa-id-spss-7bba49753c8a44fade100d3676ab0a62372d44e1.tar.bz2
moa-id-spss-7bba49753c8a44fade100d3676ab0a62372d44e1.zip
Adapted for MOA-ID 1.4 (validating additional infoboxes).
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@769 d688527b-c9ab-4aba-bd8d-4036d912da1d
Diffstat (limited to 'id.server/src/at/gv/egovernment/moa')
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java261
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java88
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java107
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java74
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java2
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java28
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java78
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/SelectBKUFormBuilder.java4
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/VerifyXMLSignatureRequestBuilder.java8
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java81
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttribute.java73
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttributeImpl.java137
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxToken.java65
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxTokenImpl.java129
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java159
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java326
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/data/Schema.java26
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/data/SchemaImpl.java63
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java9
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/parser/ExtendedInfoboxReadResponseParser.java157
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java2
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java2
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java40
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java2
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java71
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java235
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java58
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java25
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/config/auth/VerifyInfoboxParameter.java362
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/config/auth/VerifyInfoboxParameters.java135
30 files changed, 2644 insertions, 163 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 8359623b1..cd4b26df3 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -10,8 +10,10 @@ import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
+import java.util.List;
import java.util.Map;
import java.util.Set;
+import java.util.Vector;
import javax.xml.transform.TransformerException;
@@ -23,36 +25,42 @@ import at.gv.egovernment.moa.id.ParseException;
import at.gv.egovernment.moa.id.ServiceException;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder;
+import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.builder.CertInfoVerifyXMLSignatureRequestBuilder;
import at.gv.egovernment.moa.id.auth.builder.CreateXMLSignatureRequestBuilder;
import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
import at.gv.egovernment.moa.id.auth.builder.GetIdentityLinkFormBuilder;
import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilder;
+import at.gv.egovernment.moa.id.auth.builder.InfoboxValidatorParamsBuilder;
import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder;
import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder;
import at.gv.egovernment.moa.id.auth.builder.SelectBKUFormBuilder;
-import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
+import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams;
import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
import at.gv.egovernment.moa.id.auth.parser.CreateXMLSignatureResponseParser;
+import at.gv.egovernment.moa.id.auth.parser.ExtendedInfoboxReadResponseParser;
import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser;
import at.gv.egovernment.moa.id.auth.parser.SAMLArtifactParser;
import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
import at.gv.egovernment.moa.id.auth.validator.CreateXMLSignatureResponseValidator;
import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator;
+import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator;
import at.gv.egovernment.moa.id.auth.validator.ValidateException;
import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.ConfigurationProvider;
import at.gv.egovernment.moa.id.config.ConnectionParameter;
-import at.gv.egovernment.moa.id.config.OAParameter;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameter;
+import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameters;
import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
@@ -65,7 +73,6 @@ import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.DateTimeUtils;
import at.gv.egovernment.moa.util.FileUtils;
-import at.gv.egovernment.moa.util.OutputXML2File;
import at.gv.egovernment.moa.util.StringUtils;
/**
@@ -338,6 +345,11 @@ public class AuthenticationServer implements MOAIDAuthConstants {
ex);
}
}
+ String pushInfobox = "";
+ VerifyInfoboxParameters verifyInfoboxParameters = oaParam.getVerifyInfoboxParameters();
+ if (verifyInfoboxParameters != null) {
+ pushInfobox = verifyInfoboxParameters.getPushInfobox();
+ }
String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder().build(oaParam.getSlVersion12());
String certInfoDataURL =
new DataURLBuilder().buildDataURL(
@@ -351,7 +363,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
infoboxReadRequest,
dataURL,
certInfoRequest,
- certInfoDataURL);
+ certInfoDataURL,
+ pushInfobox);
return htmlForm;
}
/**
@@ -363,6 +376,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
* <li>Verifies identity link by calling the MOA SP component</li>
* <li>Checks certificate authority of identity link</li>
* <li>Stores identity link in the session</li>
+ * <li>Verifies all additional infoboxes returned from the BKU</li>
* <li>Creates an authentication block to be signed by the user</li>
* <li>Creates and returns a <code>&lt;CreateXMLSignatureRequest&gt;</code>
* containg the authentication block, meant to be returned to the
@@ -370,13 +384,14 @@ public class AuthenticationServer implements MOAIDAuthConstants {
* </ul>
*
* @param sessionID ID of associated authentication session data
- * @param xmlInfoboxReadResponse String representation of the
- * <code>&lt;InfoboxReadResponse&gt;</code>
+ * @param infoboxReadResponseParameters The parameters from the response returned from
+ * the BKU including the <code>&lt;InfoboxReadResponse&gt;</code>
* @return String representation of the <code>&lt;CreateXMLSignatureRequest&gt;</code>
*/
- public String verifyIdentityLink(String sessionID, String xmlInfoboxReadResponse)
+ public String verifyIdentityLink(String sessionID, Map infoboxReadResponseParameters)
throws
AuthenticationException,
+ BuildException,
ParseException,
ConfigurationException,
ValidateException,
@@ -384,8 +399,11 @@ public class AuthenticationServer implements MOAIDAuthConstants {
if (isEmpty(sessionID))
throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_IDENTITY_LINK, PARAM_SESSIONID});
+
+ String xmlInfoboxReadResponse = (String)infoboxReadResponseParameters.get(PARAM_XMLRESPONSE);
if (isEmpty(xmlInfoboxReadResponse))
throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_IDENTITY_LINK, PARAM_XMLRESPONSE});
+
AuthenticationSession session = getSession(sessionID);
if (session.getTimestampIdentityLink() != null)
throw new AuthenticationException("auth.01", new Object[] { sessionID });
@@ -427,6 +445,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
ignoreManifestValidationResult);
session.setIdentityLink(identityLink);
+ // now validate the extended infoboxes
+ verifyInfoboxes(session, infoboxReadResponseParameters);
// builds the AUTH-block
String authBlock = buildAuthenticationBlock(session);
// session.setAuthBlock(authBlock);
@@ -446,29 +466,222 @@ public class AuthenticationServer implements MOAIDAuthConstants {
/**
* Builds an authentication block <code>&lt;saml:Assertion&gt;</code> from given session data.
* @param session authentication session
+ *
* @return <code>&lt;saml:Assertion&gt;</code> as a String
+ *
+ * @throws BuildException If an error occurs on serializing an extended SAML attribute
+ * to be appended to the AUTH-Block.
*/
- private String buildAuthenticationBlock(AuthenticationSession session) {
+ private String buildAuthenticationBlock(AuthenticationSession session) throws BuildException {
IdentityLink identityLink = session.getIdentityLink();
String issuer = identityLink.getName();
String gebDat = identityLink.getDateOfBirth();
String identificationValue = identityLink.getIdentificationValue();
String identificationType = identityLink.getIdentificationType();
String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance());
+ session.setIssueInstant(issueInstant);
String authURL = session.getAuthURL();
String target = session.getTarget();
String oaURL = session.getPublicOAURLPrefix();
- String authBlock = new AuthenticationBlockAssertionBuilder().buildAuthBlock(issuer,
- issueInstant,
- authURL,
- target,
- identificationValue,
- identificationType,
- oaURL,
- gebDat);
+ List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+ String authBlock = new AuthenticationBlockAssertionBuilder().buildAuthBlock(
+ issuer,
+ issueInstant,
+ authURL,
+ target,
+ identificationValue,
+ identificationType,
+ oaURL,
+ gebDat,
+ extendedSAMLAttributes);
return authBlock;
}
+
+ /**
+ * Verifies the infoboxes (except of the identity link infobox) returned by the BKU by
+ * calling appropriate validator classes.
+ *
+ * @param session The actual authentication session.
+ * @param infoboxReadResponseParams The parameters returned from the BKU as response
+ * to an infobox read request (including the infobox
+ * tokens to be verified).
+ *
+ * @throws AuthenticationException If the verification of at least one infobox fails.
+ * @throws ConfigurationException If the OAuthParameter cannot be extracted.
+ */
+ private void verifyInfoboxes(
+ AuthenticationSession session, Map infoboxReadResponseParams)
+ throws ValidateException, ConfigurationException
+ {
+
+ AuthConfigurationProvider authConfigurationProvider = AuthConfigurationProvider.getInstance();
+ // get the default VerifyInfobox parameters
+ Map defaultInfoboxParameters = null;
+ VerifyInfoboxParameters defaultVerifyInfoboxParameters =
+ authConfigurationProvider.getDefaultVerifyInfoboxParameters();
+ if (defaultVerifyInfoboxParameters != null) {
+ defaultInfoboxParameters = defaultVerifyInfoboxParameters.getInfoboxParameters();
+ }
+ // get the OA specific VerifyInfobox parameters
+ Map infoboxParameters = null;
+ OAAuthParameter oaParam =
+ authConfigurationProvider.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
+ VerifyInfoboxParameters verifyInfoboxParameters = oaParam.getVerifyInfoboxParameters();
+ if (verifyInfoboxParameters != null) {
+ Vector authAttributes = new Vector();
+ Vector oaAttributes = new Vector();
+ infoboxParameters = verifyInfoboxParameters.getInfoboxParameters();
+ // get the list of infobox identifiers
+ List identifiers = verifyInfoboxParameters.getIdentifiers();
+ if (identifiers != null) {
+ // step through the identifiers and verify the infoboxes
+ Iterator it = identifiers.iterator();
+ while (it.hasNext()) {
+ String identifier = (String)it.next();
+ // get the infobox read response from the map of parameters
+ String infoboxReadResponse = (String)infoboxReadResponseParams.get(identifier);
+ // get the configuration parameters
+ VerifyInfoboxParameter verifyInfoboxParameter = null;
+ Object object = infoboxParameters.get(identifier);
+ // if not present, use default
+ if ((object == null) && (defaultInfoboxParameters != null)) {
+ object = defaultInfoboxParameters.get(identifier);
+ }
+ if (object != null) {
+ verifyInfoboxParameter = (VerifyInfoboxParameter)object;
+ }
+ if (infoboxReadResponse != null) {
+ if (verifyInfoboxParameter == null) {
+ // should not happen because of the pushinfobox mechanism; check it anyway
+ Logger.error("No validator for verifying \"" + identifier + "\"-infobox configured.");
+ throw new ValidateException("validator.41", new Object[] {identifier});
+ } else {
+ String friendlyName = verifyInfoboxParameter.getFriendlyName();
+ // get the class for validating the infobox
+ InfoboxValidator infoboxValidator = null;
+ try {
+ Class validatorClass = Class.forName(verifyInfoboxParameter.getValidatorClassName());
+ infoboxValidator = (InfoboxValidator) validatorClass.newInstance();
+ } catch (Exception e) {
+ Logger.error("Could not load validator class \"" + verifyInfoboxParameter.getValidatorClassName() +
+ "\" for \"" + identifier + "\"-infobox: " + e.getMessage());
+ throw new ValidateException("validator.42", new Object[] {friendlyName});
+ }
+ Logger.debug("Successfully loaded validator class \"" + verifyInfoboxParameter.getValidatorClassName() +
+ "\" for \"" + identifier + "\"-infobox.");
+ // parse the infobox read reponse
+ List infoboxTokenList = null;
+ try {
+ infoboxTokenList =
+ ExtendedInfoboxReadResponseParser.parseInfoboxReadResponse(infoboxReadResponse, friendlyName);
+ } catch (ParseException e) {
+ Logger.error("InfoboxReadResponse for \"" + identifier +
+ "\"-infobox could not be parsed successfully: " + e.getMessage());
+ throw new ValidateException("validator.43", new Object[] {friendlyName});
+ }
+ // build the parameters for validating the infobox
+ InfoboxValidatorParams infoboxValidatorParams =
+ InfoboxValidatorParamsBuilder.buildInfoboxValidatorParams(
+ session, verifyInfoboxParameter, infoboxTokenList);
+ // now validate the infobox
+ boolean infoboxValid = false;
+ try {
+ infoboxValid = infoboxValidator.validate(infoboxValidatorParams);
+ } catch (ValidateException e) {
+ Logger.error("Error validating " + identifier + " infobox:" + e.getMessage());
+ throw new ValidateException(
+ "validator.44", new Object[] {friendlyName});
+ }
+ if (!infoboxValid) {
+ Logger.info("Validation of " + identifier + " infobox failed.");
+ throw new ValidateException(
+ "validator.40", new Object[] {friendlyName, infoboxValidator.getErrorMessage()});
+ }
+
+ Logger.info(identifier + " infobox successfully validated.");
+
+ // get the SAML attributes to be appended to the AUTHBlock or to the final
+ // SAML Assertion
+ ExtendedSAMLAttribute[] extendedSAMLAttributes = infoboxValidator.getExtendedSamlAttributes();
+ if (extendedSAMLAttributes != null) {
+ int length = extendedSAMLAttributes.length;
+ for (int i=0; i<length; i++) {
+ ExtendedSAMLAttribute samlAttribute = extendedSAMLAttributes[i];
+ String name = samlAttribute.getName();
+ if (name == null) {
+ Logger.info("The name of SAML-Attribute number " + (i+1) + " returned from " +
+ identifier + "-infobox validator is null.");
+ throw new ValidateException(
+ "validator.45", new Object[] {friendlyName, "Name", String.valueOf((i+1)), "null"});
+ }
+ if (name == "") {
+ Logger.info("The name of SAML-Attribute number " + (i+1) + " returned from " +
+ identifier + "-infobox validator is empty.");
+ throw new ValidateException(
+ "validator.45", new Object[] {friendlyName, "Name", String.valueOf((i+1)), "leer"});
+ }
+ if (samlAttribute.getNameSpace() == null) {
+ Logger.info("The namespace of SAML-Attribute number " + (i+1) + " returned from " +
+ identifier + "-infobox validator is null.");
+ throw new ValidateException(
+ "validator.45", new Object[] {friendlyName, "Namespace", String.valueOf((i+1)), "null"});
+ }
+ Object value = samlAttribute.getValue();
+ if (value == null) {
+ Logger.info("The value of SAML-Attribute number " + (i+1) + " returned from " +
+ identifier + "-infobox validator is null.");
+ throw new ValidateException(
+ "validator.45", new Object[] {friendlyName ,"Wert", String.valueOf((i+1)), "null"});
+ }
+ if ((value instanceof String) || (value instanceof Element)) {
+
+ switch (samlAttribute.getAddToAUTHBlock()) {
+ case ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK:
+ authAttributes.add(samlAttribute);
+ oaAttributes.add(samlAttribute);
+ break;
+ case ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY:
+ authAttributes.add(samlAttribute);
+ break;
+ case ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK:
+ oaAttributes.add(samlAttribute);
+ break;
+ default:
+ Logger.info("Invalid return value from method \"getAddToAUTHBlock()\" ("
+ + samlAttribute.getAddToAUTHBlock() + ") in SAML attribute number "
+ + (i+1) + " for infobox " + identifier);
+ throw new ValidateException(
+ "validator.47", new Object[] {friendlyName, String.valueOf((i+1))});
+ }
+ } else {
+ Logger.info("The type of SAML-Attribute number " + (i+1) + " returned from " +
+ identifier + "-infobox validator is not valid. Must be either \"java.Lang.String\"" +
+ " or \"org.w3c.dom.Element\"");
+ throw new ValidateException(
+ "validator.46", new Object[] {identifier, String.valueOf((i+1))});
+
+ }
+ }
+
+ }
+ }
+ } else {
+ if ((verifyInfoboxParameter !=null) && (verifyInfoboxParameter.isRequired())) {
+ Logger.info("Infobox \"" + identifier + "\" is required, but not returned from the BKU");
+ throw new ValidateException(
+ "validator.48", new Object[] {verifyInfoboxParameter.getFriendlyName()});
+
+ }
+ Logger.debug("Infobox \"" + identifier + "\" not returned from BKU.");
+ }
+ }
+ session.setExtendedSAMLAttributesAUTH(authAttributes);
+ session.setExtendedSAMLAttributesOA(oaAttributes);
+ }
+ }
+ }
+
/**
* Processes a <code>&lt;CreateXMLSignatureResponse&gt;</code> sent by the
* security layer implementation.<br>
@@ -630,13 +843,15 @@ public class AuthenticationServer implements MOAIDAuthConstants {
}
String authBlock = oaParam.getProvideAuthBlock() ? session.getAuthBlock() : "";
String samlAssertion =
- new AuthenticationDataAssertionBuilder().build(authData,
- prPerson,
- authBlock,
- ilAssertion,
- session.getBkuURL(),
- signerCertificateBase64,
- businessService);
+ new AuthenticationDataAssertionBuilder().build(
+ authData,
+ prPerson,
+ authBlock,
+ ilAssertion,
+ session.getBkuURL(),
+ signerCertificateBase64,
+ businessService,
+ session.getExtendedSAMLAttributesOA());
authData.setSamlAssertion(samlAssertion);
return authData;
} catch (Throwable ex) {
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java
new file mode 100644
index 000000000..241cf0afc
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java
@@ -0,0 +1,88 @@
+package at.gv.egovernment.moa.id.auth.builder;
+
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Iterator;
+import java.util.List;
+
+import javax.xml.transform.TransformerException;
+
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.ParseException;
+import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.StringUtils;
+
+/**
+ * Base class for building authentication the AUTHBlock and final OA data SAML assertions.
+ * Encapsulates methods used by the two specific builders
+ * {@link at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder AuthenticationBlockAssertionBuilder}
+ * and
+ * {@link at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder AuthenticationDataAssertionBuilder}
+ *
+ * @author Harald Bratko
+ */
+public class AuthenticationAssertionBuilder {
+
+ /** the NewLine representation in Java*/
+ protected static String NL = "\n";
+
+ protected static String SAML_ATTRIBUTE =
+ " <saml:Attribute AttributeName=''{0}'' AttributeNamespace=''{1}''>" + NL +
+ " <saml:AttributeValue>{2}</saml:AttributeValue>" + NL +
+ " </saml:Attribute>"+ NL;
+
+ /**
+ * Empty constructor
+ */
+ public AuthenticationAssertionBuilder() {
+ }
+
+ /**
+ * Builds the SAML attributes to be appended to the AUTHBlock or to the SAML assertion
+ * delivered to the online application.
+ * The method traverses through the list of given SAML attribute objects and builds an
+ * XML structure (String representation) for each of the attributes.
+ *
+ * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock or
+ * to the SAML assertion delivered to the online application.
+ * @return A string representation including the XML structures of
+ * the SAML attributes.
+ *
+ * @throws ParseException If an error occurs on serializing an SAML attribute.
+ */
+ protected String buildExtendedSAMLAttributes(List extendedSAMLAttributes) throws ParseException
+ {
+ StringBuffer sb = new StringBuffer();
+ if (extendedSAMLAttributes!=null) {
+ Iterator it = extendedSAMLAttributes.iterator();
+ while (it.hasNext()) {
+ ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
+ Object value = extendedSAMLAttribute.getValue();
+ String name = extendedSAMLAttribute.getName();
+ String namespace = extendedSAMLAttribute.getNameSpace();
+ if (value instanceof String) {
+ sb.append(MessageFormat.format( SAML_ATTRIBUTE, new Object[] {name, namespace, value}));
+ } else if (value instanceof Element) {
+ try {
+ String serializedValue = DOMUtils.serializeNode((Element)(value));
+ serializedValue = StringUtils.removeXMLDeclaration(serializedValue);
+ sb.append(MessageFormat.format( SAML_ATTRIBUTE, new Object[] {name, namespace, serializedValue}));
+ } catch (TransformerException e) {
+ Logger.error("Error on serializing SAML attribute \"" + name +
+ " (namespace: \"" + namespace + "\".");
+ throw new ParseException("parser.05", new Object[] { name, namespace});
+ } catch (IOException e) {
+ Logger.error("Error on serializing SAML attribute \"" + name +
+ " (namespace: \"" + namespace + "\".");
+ throw new ParseException("parser.05", new Object[] { name, namespace});
+ }
+ }
+ }
+ }
+ return sb.toString();
+ }
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index b1fe0a6df..ef50acb3f 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -1,7 +1,11 @@
package at.gv.egovernment.moa.id.auth.builder;
import java.text.MessageFormat;
+import java.util.List;
+import at.gv.egovernment.moa.id.BuildException;
+import at.gv.egovernment.moa.id.ParseException;
+import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
/**
@@ -11,41 +15,46 @@ import at.gv.egovernment.moa.util.Constants;
* @author Paul Ivancsics
* @version $Id$
*/
-public class AuthenticationBlockAssertionBuilder implements Constants {
- /** the NewLine representation in Java*/
- private static String nl = "\n";
+public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertionBuilder implements Constants {
+
/** template for the Auth-Block */
private static String AUTH_BLOCK =
- "<saml:Assertion xmlns:saml=''" + SAML_NS_URI + "''{0} MajorVersion=''1'' MinorVersion=''0'' AssertionID=''any'' Issuer=''{1}'' IssueInstant=''{2}''>" + nl +
- " <saml:AttributeStatement>" + nl +
- " <saml:Subject>" + nl +
- " <saml:NameIdentifier>{3}</saml:NameIdentifier>" + nl +
- " </saml:Subject>" + nl +
+ "<saml:Assertion xmlns:saml=''" + SAML_NS_URI + "''{0} MajorVersion=''1'' MinorVersion=''0'' AssertionID=''any'' Issuer=''{1}'' IssueInstant=''{2}''>" + NL +
+ " <saml:AttributeStatement>" + NL +
+ " <saml:Subject>" + NL +
+ " <saml:NameIdentifier>{3}</saml:NameIdentifier>" + NL +
+ " </saml:Subject>" + NL +
"{4}" +
- " <saml:Attribute AttributeName=''OA'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl +
- " <saml:AttributeValue>{5}</saml:AttributeValue>" + nl +
- " </saml:Attribute>" + nl +
- " <saml:Attribute AttributeName=''Geburtsdatum'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl +
- " <saml:AttributeValue>{6}</saml:AttributeValue>" + nl +
- " </saml:Attribute>" + nl +
- " </saml:AttributeStatement>" + nl +
+ " <saml:Attribute AttributeName=''OA'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
+ " <saml:AttributeValue>{5}</saml:AttributeValue>" + NL +
+ " </saml:Attribute>" + NL +
+ " <saml:Attribute AttributeName=''Geburtsdatum'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
+ " <saml:AttributeValue>{6}</saml:AttributeValue>" + NL +
+ " </saml:Attribute>" + NL +
+ "{7}" +
+ " </saml:AttributeStatement>" + NL +
"</saml:Assertion>";
private static String GESCHAEFTS_BEREICH_ATTRIBUTE =
- " <saml:Attribute AttributeName=''Geschaeftsbereich'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl +
- " <saml:AttributeValue>{0}</saml:AttributeValue>" + nl +
- " </saml:Attribute>" + nl;
+ " <saml:Attribute AttributeName=''Geschaeftsbereich'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
+ " <saml:AttributeValue>{0}</saml:AttributeValue>" + NL +
+ " </saml:Attribute>" + NL;
private static String WBPK_ATTRIBUTE =
- " <saml:Attribute AttributeName=''wbPK'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl +
- " <saml:AttributeValue>" + nl +
- " <pr:Identification>" + nl +
- " <pr:Value>{0}</pr:Value>" + nl +
- " <pr:Type>{1}</pr:Type>" + nl +
- " </pr:Identification>" + nl +
- " </saml:AttributeValue>" + nl +
- " </saml:Attribute>" + nl;
-
+ " <saml:Attribute AttributeName=''wbPK'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
+ " <saml:AttributeValue>" + NL +
+ " <pr:Identification>" + NL +
+ " <pr:Value>{0}</pr:Value>" + NL +
+ " <pr:Type>{1}</pr:Type>" + NL +
+ " </pr:Identification>" + NL +
+ " </saml:AttributeValue>" + NL +
+ " </saml:Attribute>" + NL;
+
+ /**
+ * The number of SAML attributes included in this AUTH-Block (without the extended SAML attributes).
+ */
+ public static final int NUM_OF_SAML_ATTRIBUTES = 3;
+
/**
* Constructor for AuthenticationBlockAssertionBuilder.
*/
@@ -73,17 +82,26 @@ public class AuthenticationBlockAssertionBuilder implements Constants {
* application used as input for wbPK computation;
* maybe <code>null</code> if the application is a public service
* @param oaURL public URL of online application requested
+ * @param gebDat The date of birth from the identity link.
+ * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock.
+ *
* @return String representation of authentication block
* <code>&lt;saml:Assertion&gt;</code> built
+ *
+ * @throws BuildException If an error occurs on serializing an extended SAML attribute
+ * to be appended to the AUTH-Block.
*/
- public String buildAuthBlock(String issuer,
- String issueInstant,
- String authURL,
- String target,
- String identityLinkValue,
- String identityLinkType,
- String oaURL,
- String GebDat)
+ public String buildAuthBlock(
+ String issuer,
+ String issueInstant,
+ String authURL,
+ String target,
+ String identityLinkValue,
+ String identityLinkType,
+ String oaURL,
+ String gebDat,
+ List extendedSAMLAttributes)
+ throws BuildException
{
String gebeORwbpk = "";
@@ -97,8 +115,23 @@ public class AuthenticationBlockAssertionBuilder implements Constants {
GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
}
- String assertion = MessageFormat.format(
- AUTH_BLOCK, new Object[] { wbpkNSDeclaration, issuer, issueInstant, authURL, gebeORwbpk, oaURL, GebDat});
+ String assertion;
+ try {
+ assertion = MessageFormat.format(
+ AUTH_BLOCK, new Object[] {
+ wbpkNSDeclaration,
+ issuer,
+ issueInstant,
+ authURL,
+ gebeORwbpk,
+ oaURL,
+ gebDat,
+ buildExtendedSAMLAttributes(extendedSAMLAttributes)});
+ } catch (ParseException e) {
+ Logger.error("Error on building AUTH-Block: " + e.getMessage());
+ throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
+ }
+
return assertion;
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java
index 7e866089d..53520c846 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java
@@ -1,10 +1,14 @@
package at.gv.egovernment.moa.id.auth.builder;
import java.text.MessageFormat;
+import java.util.List;
import at.gv.egovernment.moa.id.BuildException;
+import at.gv.egovernment.moa.id.ParseException;
import at.gv.egovernment.moa.id.data.AuthenticationData;
+import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.StringUtils;
/**
* Builder for the authentication data <code>&lt;saml:Assertion&gt;</code>
@@ -13,7 +17,7 @@ import at.gv.egovernment.moa.util.Constants;
* @author Paul Ivancsics
* @version $Id$
*/
-public class AuthenticationDataAssertionBuilder implements Constants {
+public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionBuilder implements Constants {
/** private static String NL contains the NewLine representation in Java*/
private static final String NL = "\n";
/**
@@ -38,11 +42,12 @@ public class AuthenticationDataAssertionBuilder implements Constants {
" <saml:Attribute AttributeName=''isQualifiedCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
" <saml:AttributeValue>{8}</saml:AttributeValue>" + NL +
" </saml:Attribute>" + NL +
- " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
- " <saml:AttributeValue>{9}</saml:AttributeValue>" + NL +
- " </saml:Attribute>" + NL +
+ " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
+ " <saml:AttributeValue>{9}</saml:AttributeValue>" + NL +
+ " </saml:Attribute>" + NL +
"{10}" +
- "{11}" +
+ "{11}" +
+ "{12}" +
" </saml:AttributeStatement>" + NL +
"</saml:Assertion>";
/**
@@ -54,10 +59,10 @@ public class AuthenticationDataAssertionBuilder implements Constants {
" <saml:AttributeValue>{0}</saml:AttributeValue>" + NL +
" </saml:Attribute>" + NL;
- private static final String SIGNER_CERTIFICATE_ATT =
- " <saml:Attribute AttributeName=''SignerCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
- " <saml:AttributeValue>{0}</saml:AttributeValue>" + NL +
- " </saml:Attribute>" + NL;
+ private static final String SIGNER_CERTIFICATE_ATT =
+ " <saml:Attribute AttributeName=''SignerCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
+ " <saml:AttributeValue>{0}</saml:AttributeValue>" + NL +
+ " </saml:Attribute>" + NL;
/**
* Constructor for AuthenticationDataAssertionBuilder.
@@ -92,7 +97,10 @@ public class AuthenticationDataAssertionBuilder implements Constants {
String xmlIdentityLink,
String bkuURL,
String signerCertificateBase64,
- boolean businessService) throws BuildException {
+ boolean businessService,
+ List extendedSAMLAttributes)
+ throws BuildException
+ {
String isQualifiedCertificate = authData.isQualifiedCertificate() ? "true" : "false";
String publicAuthorityAttribute = "";
@@ -122,33 +130,27 @@ public class AuthenticationDataAssertionBuilder implements Constants {
pkValue = authData.getBPK();
}
- String assertion = MessageFormat.format(AUTH_DATA, new Object[] {
- authData.getAssertionID(),
- authData.getIssuer(),
- authData.getIssueInstant(),
- pkType,
- pkValue,
- removeXMLDeclaration(xmlAuthBlock),
- removeXMLDeclaration(xmlIdentityLink),
- removeXMLDeclaration(xmlPersonData),
- isQualifiedCertificate,
- bkuURL,
- publicAuthorityAttribute,
- signerCertificateAttribute});
+ String assertion;
+ try {
+ assertion = MessageFormat.format(AUTH_DATA, new Object[] {
+ authData.getAssertionID(),
+ authData.getIssuer(),
+ authData.getIssueInstant(),
+ pkType,
+ pkValue,
+ StringUtils.removeXMLDeclaration(xmlAuthBlock),
+ StringUtils.removeXMLDeclaration(xmlIdentityLink),
+ StringUtils.removeXMLDeclaration(xmlPersonData),
+ isQualifiedCertificate,
+ bkuURL,
+ publicAuthorityAttribute,
+ signerCertificateAttribute,
+ buildExtendedSAMLAttributes(extendedSAMLAttributes)});
+ } catch (ParseException e) {
+ Logger.error("Error on building Authentication Data Assertion: " + e.getMessage());
+ throw new BuildException("builder.00", new Object[] { "Authentication Data Assertion", e.toString()});
+ }
return assertion;
}
-
- /**
- * Removes the XML declaration from an XML expression.
- * @param xmlString XML expression as String
- * @return XML expression, XML declaration removed
- */
- private String removeXMLDeclaration(String xmlString) {
- if (xmlString.startsWith("<?xml")) {
- int firstElement = xmlString.indexOf("<", 1);
- return xmlString.substring(firstElement);
- }
- else return xmlString;
- }
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java
index 03895a38e..06c81f49e 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java
@@ -73,7 +73,7 @@ public class CertInfoVerifyXMLSignatureRequestBuilder extends Builder implements
try {
String dsigSignature = FileUtils.readResource(resDsigSignature, "UTF-8");
- certInfoRequest = replaceTag(certInfoRequest, SIGNATURE_TAG, dsigSignature, 1);
+ certInfoRequest = replaceTag(certInfoRequest, SIGNATURE_TAG, dsigSignature, true, 1);
return certInfoRequest;
}
catch (IOException ex) {
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
index 9baa71612..0d0595b69 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
@@ -26,6 +26,8 @@ public class GetIdentityLinkFormBuilder extends Builder {
private static final String CERTINFO_XMLREQUEST_TAG = "<CertInfoXMLRequest>";
/** special tag in the HTML template to be substituted for the certificate info data URL */
private static final String CERTINFO_DATAURL_TAG = "<CertInfoDataURL>";
+ /** special tag in the HTML template to be substituted for the infoboxes to be pushed from the BKU */
+ private static final String PUSHINFOBOX_TAG = "<PushInfobox>";
/** private static int all contains the representation to replace all tags*/
private static final int ALL = -1;
@@ -46,6 +48,9 @@ public class GetIdentityLinkFormBuilder extends Builder {
" <input type=\"hidden\" " + nl +
" name=\"DataURL\"" + nl +
" value=\"" + DATAURL_TAG + "\"/>" + nl +
+ " <input type=\"hidden\" " + nl +
+ " name=\"PushInfobox\"" + nl +
+ " value=\"" + PUSHINFOBOX_TAG + "\"/>" + nl +
" <input type=\"submit\" value=\"Anmeldung mit B&uuml;rgerkarte\"/>" + nl +
"</form>" + nl +
"<form name=\"CertificateInfoForm\"" + nl +
@@ -80,17 +85,24 @@ public class GetIdentityLinkFormBuilder extends Builder {
* @param dataURL DataURL to be sent as a parameter in the form
*/
public String build(
- String htmlTemplate, String bkuURL, String xmlRequest, String dataURL, String certInfoXMLRequest, String certInfoDataURL)
- throws BuildException {
-
+ String htmlTemplate,
+ String bkuURL,
+ String xmlRequest,
+ String dataURL,
+ String certInfoXMLRequest,
+ String certInfoDataURL,
+ String pushInfobox)
+ throws BuildException
+ {
String htmlForm = htmlTemplate == null ? DEFAULT_HTML_TEMPLATE : htmlTemplate;
// String bku = bkuURL == null ? DEFAULT_BKU : bkuURL;
- htmlForm = replaceTag(htmlForm, BKU_TAG, bkuURL, ALL);
- htmlForm = replaceTag(htmlForm, XMLREQUEST_TAG, encodeParameter(xmlRequest), ALL);
- htmlForm = replaceTag(htmlForm, DATAURL_TAG, dataURL, ALL);
+ htmlForm = replaceTag(htmlForm, BKU_TAG, bkuURL, true, ALL);
+ htmlForm = replaceTag(htmlForm, XMLREQUEST_TAG, encodeParameter(xmlRequest), true, ALL);
+ htmlForm = replaceTag(htmlForm, DATAURL_TAG, dataURL, true, ALL);
+ htmlForm = replaceTag(htmlForm, PUSHINFOBOX_TAG, pushInfobox, false, ALL);
//new:wird oben mitreplaced htmlForm = replaceTag(htmlForm, BKU_TAG, bkuURL);
- htmlForm = replaceTag(htmlForm, CERTINFO_XMLREQUEST_TAG, encodeParameter(certInfoXMLRequest), ALL);
- htmlForm = replaceTag(htmlForm, CERTINFO_DATAURL_TAG, certInfoDataURL, ALL);
+ htmlForm = replaceTag(htmlForm, CERTINFO_XMLREQUEST_TAG, encodeParameter(certInfoXMLRequest), true, ALL);
+ htmlForm = replaceTag(htmlForm, CERTINFO_DATAURL_TAG, certInfoDataURL, true, ALL);
return htmlForm;
}
/**
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java
new file mode 100644
index 000000000..2d9837f9a
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java
@@ -0,0 +1,78 @@
+package at.gv.egovernment.moa.id.auth.builder;
+
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.data.IdentityLink;
+import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams;
+import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParamsImpl;
+import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
+import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameter;
+import at.gv.egovernment.moa.util.XPathUtils;
+
+/**
+ * This class provides one method for building parameters needed for
+ * validating an infobox token.
+ *
+ * @author Harald Bratko
+ */
+public class InfoboxValidatorParamsBuilder {
+
+ // hide the default constructor
+ private InfoboxValidatorParamsBuilder() {
+ }
+
+ /**
+ * Builds the parameters passed to the validator class for validating an infobox token.
+ *
+ * @param session The actual Authentication session.
+ * @param verifyInfoboxParameter The configuration parameters for the infobox.
+ * @param infoboxTokenList Contains the infobox token to be validated.
+ *
+ * @return Parameters for validating an infobox token.
+ */
+ public static InfoboxValidatorParams buildInfoboxValidatorParams(
+ AuthenticationSession session,
+ VerifyInfoboxParameter verifyInfoboxParameter,
+ List infoboxTokenList)
+ {
+ InfoboxValidatorParamsImpl infoboxValidatorParams = new InfoboxValidatorParamsImpl();
+ IdentityLink identityLink = session.getIdentityLink();
+
+ // the infobox token to validate
+ infoboxValidatorParams.setInfoboxTokenList(infoboxTokenList);
+ // configuration parameters
+ infoboxValidatorParams.setTrustProfileID(verifyInfoboxParameter.getTrustProfileID());
+ infoboxValidatorParams.setSchemaLocations(verifyInfoboxParameter.getSchemaLocations());
+ infoboxValidatorParams.setApplicationSpecificParams(verifyInfoboxParameter.getApplicationSpecificParams());
+ // authentication session parameters
+ infoboxValidatorParams.setBkuURL(session.getBkuURL());
+ infoboxValidatorParams.setTarget(session.getTarget());
+ infoboxValidatorParams.setBusinessApplication(session.getBusinessService());
+ // parameters from the identity link
+ infoboxValidatorParams.setFamilyName(identityLink.getFamilyName());
+ infoboxValidatorParams.setGivenName(identityLink.getGivenName());
+ infoboxValidatorParams.setDateOfBirth(identityLink.getDateOfBirth());
+ if (verifyInfoboxParameter.getProvideStammzahl()) {
+ infoboxValidatorParams.setIdentificationValue(identityLink.getIdentificationValue());
+ }
+ infoboxValidatorParams.setIdentificationType(identityLink.getIdentificationType());
+ infoboxValidatorParams.setPublicKeys(identityLink.getPublicKey());
+ if (verifyInfoboxParameter.getProvideIdentityLink()) {
+ Element identityLinkElem = (Element)identityLink.getSamlAssertion().cloneNode(true);
+ if (!verifyInfoboxParameter.getProvideStammzahl()) {
+ Element identificationValueElem =
+ (Element)XPathUtils.selectSingleNode(identityLinkElem, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
+ if (identificationValueElem != null) {
+ identificationValueElem.getFirstChild().setNodeValue("");
+ }
+ }
+ infoboxValidatorParams.setIdentityLink(identityLinkElem);
+ }
+
+ return infoboxValidatorParams;
+ }
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/SelectBKUFormBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/SelectBKUFormBuilder.java
index 72ecb53af..312179e73 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/SelectBKUFormBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/SelectBKUFormBuilder.java
@@ -55,8 +55,8 @@ public class SelectBKUFormBuilder extends Builder {
throws BuildException {
String htmlForm = htmlTemplate == null ? DEFAULT_HTML_TEMPLATE : htmlTemplate;
- htmlForm = replaceTag(htmlForm, ACTION_TAG, startAuthenticationURL, 1);
- htmlForm = replaceTag(htmlForm, SELECT_TAG, bkuSelectTag, 1);
+ htmlForm = replaceTag(htmlForm, ACTION_TAG, startAuthenticationURL, true, 1);
+ htmlForm = replaceTag(htmlForm, SELECT_TAG, bkuSelectTag, true, 1);
return htmlForm;
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/VerifyXMLSignatureRequestBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/VerifyXMLSignatureRequestBuilder.java
index b98b87dee..e38ccc62a 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/VerifyXMLSignatureRequestBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/VerifyXMLSignatureRequestBuilder.java
@@ -6,7 +6,7 @@ import java.io.InputStream;
import org.w3c.dom.Element;
import org.w3c.dom.Text;
-import at.gv.egovernment.moa.id.*;
+import at.gv.egovernment.moa.id.ParseException;
import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.util.Base64Utils;
@@ -24,6 +24,8 @@ import at.gv.egovernment.moa.util.XPathUtils;
public class VerifyXMLSignatureRequestBuilder {
/** The MOA-Prefix */
private static final String MOA = Constants.MOA_PREFIX + ":";
+ /** The DSIG-Prefix */
+ private static final String DSIG = Constants.DSIG_PREFIX + ":";
/** the request as string */
private String request;
/** the request as DOM-Element */
@@ -53,7 +55,7 @@ public class VerifyXMLSignatureRequestBuilder {
+ " <Base64Content>"
+ " </Base64Content>"
+ " </VerifySignatureEnvironment>"
- + " <VerifySignatureLocation>//dsig:Signature</VerifySignatureLocation>"
+ + " <VerifySignatureLocation>" + DSIG + "Signature</VerifySignatureLocation>"
+ " </VerifySignatureInfo>"
+ " <SignatureManifestCheckParams ReturnReferenceInputData=\"false\">" // True bei CreateXMLSig Überprüfung
+" <ReferenceInfo>" + " <VerifyTransformsInfoProfile/>"
@@ -160,7 +162,7 @@ public class VerifyXMLSignatureRequestBuilder {
+ " <VerifySignatureEnvironment>"
+ " <XMLContent xml:space=\"preserve\"/>"
+ " </VerifySignatureEnvironment>"
- + " <VerifySignatureLocation>//dsig:Signature</VerifySignatureLocation>"
+ + " <VerifySignatureLocation>" + DSIG + "Signature</VerifySignatureLocation>"
+ " </VerifySignatureInfo>"
+ " <SignatureManifestCheckParams ReturnReferenceInputData=\"true\">"
+ " <ReferenceInfo>";
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
index 74e31e45e..50d15007e 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
@@ -1,6 +1,7 @@
package at.gv.egovernment.moa.id.auth.data;
import java.util.Date;
+import java.util.List;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
@@ -12,6 +13,9 @@ import at.gv.egovernment.moa.util.Constants;
* @version $Id$
*/
public class AuthenticationSession {
+
+ private static String TARGET_PREFIX_ = Constants.URN_PREFIX_CDID + "+";
+
/**
* session ID
*/
@@ -63,7 +67,22 @@ public class AuthenticationSession {
*/
private boolean businessService;
- private static String TARGET_PREFIX_ = Constants.URN_PREFIX_CDID + "+";
+ /**
+ * SAML attributes from an extended infobox validation to be appended
+ * to the SAML assertion delivered to the final online application.
+ */
+ private List extendedSAMLAttributesOA;
+
+ /**
+ * SAML attributes from an extended infobox validation to be appended
+ * to the SAML assertion of the AUTHBlock.
+ */
+ private List extendedSAMLAttributesAUTH;
+
+ /**
+ * The issuing time of the AUTH-Block SAML assertion.
+ */
+ private String issueInstant;
/**
* Constructor for AuthenticationSession.
@@ -273,4 +292,64 @@ public class AuthenticationSession {
templateURL = string;
}
+ /**
+ * Returns the SAML Attributes to be appended to the AUTHBlock. Maybe <code>null</code>.
+ *
+ * @return The SAML Attributes to be appended to the AUTHBlock. Maybe <code>null</code>.
+ */
+ public List getExtendedSAMLAttributesAUTH() {
+ return extendedSAMLAttributesAUTH;
+ }
+
+ /**
+ * Sets the SAML Attributes to be appended to the AUTHBlock.
+ *
+ * @param extendedSAMLAttributesAUTH The SAML Attributes to be appended to the AUTHBlock.
+ */
+ public void setExtendedSAMLAttributesAUTH(
+ List extendedSAMLAttributesAUTH) {
+ this.extendedSAMLAttributesAUTH = extendedSAMLAttributesAUTH;
+ }
+
+ /**
+ * Returns the SAML Attributes to be appended to the SAML assertion
+ * delivered to the online application. Maybe <code>null</code>.
+ *
+ * @return The SAML Attributes to be appended to the SAML assertion
+ * delivered to the online application
+ */
+ public List getExtendedSAMLAttributesOA() {
+ return extendedSAMLAttributesOA;
+ }
+
+ /**
+ * Sets the SAML Attributes to be appended to the SAML assertion
+ * delivered to the online application.
+ *
+ * @param extendedSAMLAttributesOA The SAML Attributes to be appended to the SAML
+ * assertion delivered to the online application.
+ */
+ public void setExtendedSAMLAttributesOA(
+ List extendedSAMLAttributesOA) {
+ this.extendedSAMLAttributesOA = extendedSAMLAttributesOA;
+ }
+
+ /**
+ * Returns the issuing time of the AUTH-Block SAML assertion.
+ *
+ * @return The issuing time of the AUTH-Block SAML assertion.
+ */
+ public String getIssueInstant() {
+ return issueInstant;
+ }
+
+ /**
+ * Sets the issuing time of the AUTH-Block SAML assertion.
+ *
+ * @param issueInstant The issueInstant to set.
+ */
+ public void setIssueInstant(String issueInstant) {
+ this.issueInstant = issueInstant;
+ }
+
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttribute.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttribute.java
new file mode 100644
index 000000000..795079227
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttribute.java
@@ -0,0 +1,73 @@
+package at.gv.egovernment.moa.id.auth.data;
+
+/**
+ * A SAML-Attribute to be appended to the final SAML-Assertion
+ * that will be passed to the online application.
+ */
+public interface ExtendedSAMLAttribute {
+ /**
+ * Add this attribute only to the SAML-Assertion
+ * passed to the online application, but not to
+ * the AUTH-Block.
+ */
+ public final static int NOT_ADD_TO_AUTHBLOCK = 0;
+ /**
+ * Add this attribute to both, the AUTH-Block and the
+ * final SAML-Assertion passed to the online application.
+ */
+ public final static int ADD_TO_AUTHBLOCK = 1;
+ /**
+ * Add this attribute to only the AUTH-Block, but not
+ * to the final SAML-Assertion passed to the online application.
+ */
+ public final static int ADD_TO_AUTHBLOCK_ONLY = 2;
+
+ /**
+ * The value of the SAML-Attribute. This must be either a
+ * <code>org.w3c.Element</code> or a <code>java.lang.String</code>
+ * object. Each other type will be ignored. <br>
+ * If, for example, the type of the actual SAML-Attribute is a
+ * <code>&lt;xsd:boolean&gt;</code> the value must be either the String
+ * <code>&quot;true&quot;</code> or <code>&quot;false&quot;</code>.
+ * Or the <code>&lt;xsd:integer&gt;</code> number <code>273</code>
+ * has to be the String <code>&quot;273&quot;</code>.
+ *
+ * @return The value of the SAML-Attribute. Must not be <code>null</code>.
+ */
+ public Object getValue();
+
+ /**
+ * The name of the SAML-Attribute.
+ *
+ * @return The name of the SAML-Attribute. Must not be <code>null</code>.
+ */
+ public String getName();
+
+ /**
+ * The namespace of the SAML-Attribute.
+ * An application will use the context specific namespace URI for the attribute it returns.
+ * However, if the application cannot explicitely assign a namespace URI, the
+ * {@link at.gv.egovernment.moa.util.Constants#MOA_NS_URI default} MOA namespace URI
+ * should be used.
+ *
+ * @return The namespace of the SAML-Attribute. Must not be <code>null</code>.
+ */
+ public String getNameSpace();
+
+ /**
+ * Specifies if this SAML-Attribute should be added to the AUTH-Block.
+ * <br>
+ * Depending on the returned value, this SAML-Attribute should be only added to the
+ * final SAML-Assertion passed to the online application (0), to both, the final
+ * assertion and the AUTH-Block (1) or to the AUTH-Block only (2).
+ *
+ * @return <ul>
+ * <li>0 - add this SAML-Attribute to the final SAML-Assertion only</li>
+ * <li>1 - add this SAML-Attribute to both, the final SAML-Assertion and the
+ * AUTH-Block</li>
+ * <li>2 - add this SAML-Attribute to the AUTH-Block only
+ * </ul>
+ */
+ public int getAddToAUTHBlock();
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttributeImpl.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttributeImpl.java
new file mode 100644
index 000000000..9aedd86e6
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttributeImpl.java
@@ -0,0 +1,137 @@
+package at.gv.egovernment.moa.id.auth.data;
+
+/**
+ * This class contains SAML attributes to be appended to the SAML assertion delivered to
+ * the Online application.
+ *
+ * @author Harald Bratko
+ */
+public class ExtendedSAMLAttributeImpl implements ExtendedSAMLAttribute {
+
+ /**
+ * The value of this SAML attribute. Must be either of type <code>java.lang.String</code>
+ * or <code>org.w3c.Element</code>.
+ */
+ private Object value_;
+
+ /**
+ * The name of this SAML attribute.
+ */
+ private String name_;
+
+ /**
+ * The namespace URI of this SAML attribute.
+ */
+ private String namespace_;
+
+ /**
+ * Specifies whether this SAML attribute should be appended to AUTH Block.
+ */
+ private int addToAUTHBlock_;
+
+ /**
+ * Sets this ExtendedSAMLAttribute.
+ * @param name The name of this SAML Attribute.
+ * @param value The value of this SAML Attribute. Must be either of type
+ * <code>java.lang.String</code> or <code>org.w3c.dom.Element</code>.
+ * @param namespace The namespace of this SAML Attribute.
+ * @param addToAUTHBlock Specifies if this SAML Attribute should be added to the AUTHBlock.
+ * The following values are allowed:
+ * <ul>
+ * <li>
+ * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK}
+ * </li>
+ * <li>
+ * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#NOT_ADD_TO_AUTHBLOCK}
+ * </li>
+ * <li>
+ * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK_ONLY}
+ * </li>
+ * </ul>
+ *
+ */
+ public ExtendedSAMLAttributeImpl(String name, Object value, String namespace, int addToAUTHBlock) {
+ name_ = name;
+ value_ = value;
+ namespace_ = namespace;
+ addToAUTHBlock_ = addToAUTHBlock;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#getValue()
+ */
+ public Object getValue() {
+ return value_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#getName()
+ */
+ public String getName() {
+ return name_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#getNameSpace()
+ */
+ public String getNameSpace() {
+ return namespace_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#getAddToAUTHBlock()
+ */
+ public int getAddToAUTHBlock() {
+ return addToAUTHBlock_;
+ }
+
+ /**
+ * Specifies if this SAML Attribute should be added to the AUTHBlock.
+ *
+ * @param addToAUTHBlock One of the following values:
+ * <ul>
+ * <li>
+ * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK}
+ * </li>
+ * <li>
+ * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#NOT_ADD_TO_AUTHBLOCK}
+ * </li>
+ * <li>
+ * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK_ONLY}
+ * </li>
+ * </ul>
+ * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK)
+ */
+ public void setAddToAUTHBlock(int addToAUTHBlock) {
+ addToAUTHBlock_ = addToAUTHBlock;
+ }
+
+ /**
+ * Sets the name of this SAML attribute.
+ *
+ * @param name The name of this SAML attribute.
+ */
+ public void setName(String name) {
+ name_ = name;
+ }
+
+ /**
+ * Sets the namespace of this SAML attribute.
+ *
+ * @param namespace The namespace to set.
+ */
+ public void setNamespace(String namespace) {
+ namespace_ = namespace;
+ }
+
+ /**
+ * Sets the value of this SAML attribute.
+ *
+ * @param value The value of this SAML Attribute. Must be either of type
+ * <code>java.lang.String</code> or <code>org.w3c.dom.Element</code>.
+ */
+ public void setValue(Object value) {
+ value_ = value;
+ }
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxToken.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxToken.java
new file mode 100644
index 000000000..6b1f24aba
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxToken.java
@@ -0,0 +1,65 @@
+package at.gv.egovernment.moa.id.auth.data;
+
+import org.w3c.dom.Element;
+
+/**
+ * Contains an infobox token included in an <code>InfoboxReadResponse</code>.
+ * Depending on whether the token is extracted from an <code>XMLContent</code> or a
+ * <code>Base64Content</code> it is either returned as DOM element
+ * ({@link #getXMLToken()}) or base64 encoded string ({@link #getBase64Token()}).
+ *
+ * @author Harald Bratko
+ */
+public interface InfoboxToken {
+
+ /**
+ * The key of the corresponding infobox.
+ * This is the value of <code>Key</code> attribute of the <code>&lt;Pair&gt;</code> child
+ * element in an <code>&lt;AssocArrayData&gt;</code> content of an InfoboxReadResponse.
+ * Maybe <code>null</code> if the InfoboxReadResponse conatains <code>BinaryFileData</code>.
+ *
+ *
+ * @return The key identifier of the corresponding infobox.
+ */
+ public String getKey();
+
+ /**
+ * Specifies if this token is the first token (e.g in an array of tokens) included in an
+ * <code>InfoboxReadResponse</code>. If <code>true</code> this token is the token to be
+ * validated by a corresponding
+ * {@link at.gv.egovernment.moa.id.auth.validator.InfoboxValidator InfoboxValidator}.
+ * If <code>false</code> this token maybe needed to validate the primary token.
+ *
+ * @return <code>True</code> if this token is the first token.
+ */
+ public boolean isPrimary();
+
+ /**
+ * Returns the infobox token.
+ * Maybe <code>null</code> if the token is returned by method {@link #getBase64Token()}
+ * as base64 encoded string.
+ * <br>
+ * Note that this token is <code><i><b>not</b></i></code> validated against the
+ * application specific schema (e.g. Mandates schema in the mandates context).
+ * Thus the validating application <code><i><b>has to</b></i></code> validate the token
+ * against the appropriate schema.
+ *
+ * @return The infobox token. If <code>null</code> the token is returned by method
+ * {@link #getBase64Token()} as base64 encoded string.
+ */
+ public Element getXMLToken();
+
+ /**
+ * Returns the infobox token.
+ * Maybe <code>null</code> if the token is returned by method {@link #getXMLToken()}
+ * as a DOM element.
+ * <br>
+ * Note, that the base64 encoded string actually may include more than one infobox
+ * elements.
+ *
+ * @return The infobox token. If <code>null</code> the token is returned by method
+ * {@link #getBase64Token()} as base64 encoded string.
+ */
+ public String getBase64Token();
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxTokenImpl.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxTokenImpl.java
new file mode 100644
index 000000000..f1ff30a8a
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxTokenImpl.java
@@ -0,0 +1,129 @@
+package at.gv.egovernment.moa.id.auth.data;
+
+import org.w3c.dom.Element;
+
+/**
+ * This class contains an infobox token.
+ *
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken
+ *
+ * @author Harald Bratko
+ */
+public class InfoboxTokenImpl implements InfoboxToken {
+
+ /**
+ * The key of the infobox token.
+ */
+ private String key_;
+
+ /**
+ * Specifies whether this token is the primary (first in an array) token.
+ */
+ private boolean primary_;
+
+ /**
+ * The infobox token.
+ */
+ private Element xmlToken_;
+
+ /**
+ * The base64 encoded infobox token.
+ */
+ private String base64Token_;
+
+ /**
+ * Sets an XML infobox token.
+ *
+ * @param key The key of the infobox token.
+ * @param primary <code>True</code> this token is the primary (e.g .first in an array)
+ * token, otherwise <code>false</code>
+ * @param xmlToken The infobox token.
+ */
+ public InfoboxTokenImpl(String key, boolean primary, Element xmlToken) {
+ key_ = key;
+ primary_ = primary;
+ xmlToken_ = xmlToken;
+ base64Token_ = null;
+ }
+
+ /**
+ * Sets a base64 encoded infobox token.
+ *
+ * @param key The key of the infobox token.
+ * @param primary <code>True</code> this token is the primary (e.g .first in an array)
+ * token, otherwise <code>false</code>
+ * @param base64Token The base64 encoded infobox token.
+ */
+ public InfoboxTokenImpl(String key, boolean primary, String base64Token) {
+ key_ = key;
+ primary_ = primary;
+ base64Token_ = base64Token;
+ xmlToken_ = null;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken#getKey()
+ */
+ public String getKey() {
+ return key_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken#isPrimary()
+ */
+ public boolean isPrimary() {
+ return primary_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken#getXMLToken()
+ */
+ public Element getXMLToken() {
+ return xmlToken_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken#getBase64Token()
+ */
+ public String getBase64Token() {
+ return base64Token_;
+ }
+
+ /**
+ * Sets the key of the infobox token.
+ *
+ * @param key The key of the infobox token.
+ */
+ public void setKey(String key) {
+ key_ = key;
+ }
+
+ /**
+ * Specifies whether this token is the primary (e.g. first in an array) token.
+ *
+ * @param primary <code>True</code> this token is the primary (e.g .first in an array)
+ * token, otherwise <code>false</code>.
+ */
+ public void setPrimary(boolean primary) {
+ primary_ = primary;
+ }
+
+ /**
+ * Sets the base64 encoded token.
+ *
+ * @param base64Token The base64 encoded token.
+ */
+ public void setBase64Token(String base64Token) {
+ base64Token_ = base64Token;
+ }
+
+ /**
+ * Sets the infobox token.
+ *
+ * @param xmlToken The infobox token.
+ */
+ public void setXmlToken(Element xmlToken) {
+ xmlToken_ = xmlToken;
+ }
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java
new file mode 100644
index 000000000..26070dc51
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java
@@ -0,0 +1,159 @@
+
+package at.gv.egovernment.moa.id.auth.data;
+
+import java.security.PublicKey;
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+/**
+ * Parameters for validating an infobox.
+ *
+ * This interface is used by MOA-ID to provide parameters to an
+ * {link at.gv.egovernment.moa.id.auth.validator.InfoboxValidator
+ * InfoboxValidator}.
+ *
+ * @author Harald Bratko
+ */
+public interface InfoboxValidatorParams {
+
+ /**
+ * Returns a list of {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken}
+ * objects. The first token in this list is the one to be validated. Each further token
+ * maybe needed to validate this first token.
+ *
+ * @return A list of {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken}
+ * objects.
+ */
+ public List getInfoboxTokenList();
+
+ /**
+ * Returns the ID of the trust profile to be used for validating
+ * certificates. Maybe ignored by a validator, if no certificates
+ * has to be validated.
+ *
+ * @return The ID of a trust profile.
+ */
+ public String getTrustProfileID();
+
+ /**
+ * Returns schema location URIs that may be needed by the
+ * validator to parse infobox tokens.
+ * Each entry in the list is a {@link Schema} specifying the location
+ * of an XML schema.
+ *
+ * @return A list of {@link Schema} objects each of them specifying the
+ * location of an XML schema.
+ */
+ public List getSchemaLocations();
+
+ /**
+ * Returns the URL of the BKU.
+ * Maybe needed by a validator.
+ *
+ * @return The url of the BKU.
+ */
+ public String getBkuURL();
+
+ /**
+ * Returns the target parameter.
+ * <code>null</code> in the case of a business service.
+ *
+ * @return The target parameter.
+ */
+ public String getTarget();
+
+ /**
+ * Returns <code>true</code> if the application is a business
+ * service, otherwise <code>false</code>. This may be useful
+ * for the validating application.
+ *
+ * @return <code>True</code> if the application is a business
+ * service, otherwise <code>false</code>
+ */
+ public boolean getBusinessApplication();
+
+ /**
+ * Returns the family name from the identity link.
+ * Maybe needed by a validator.
+ *
+ * @return The family name from the identity link.
+ */
+ public String getFamilyName();
+
+ /**
+ * Returns the given name from the identity link.
+ * Maybe needed by a validator.
+ *
+ * @return The given name from the identity link.
+ */
+ public String getGivenName();
+
+ /**
+ * The date of birth from the identity link.
+ * The method returns the value of the <pr:DateOfBirth>
+ * element from the identity link.
+ * Maybe needed by a validator.
+ *
+ * @return The date of birth from the identity link.
+ */
+ public String getDateOfBirth();
+
+ /**
+ * Returns he identification value from the identity
+ * link. This may be the <code>Stammzahl</code>
+ * in the case of a public application or the
+ * <code>wbPK</code> in the case of a business
+ * application. This parameter is only returned
+ * if specified within the config file.
+ *
+ * @return The identification value from the identity link.
+ */
+ public String getIdentificationValue();
+
+ /**
+ * Returns the type of the identification value
+ * from the identity link. This may be
+ * especially of interest for business
+ * applications.
+ *
+ * @return The type of the identification value
+ * from the identity link.
+ */
+ public String getIdentificationType();
+
+ /**
+ * Returns the public keys from the identity link.
+ * Maybe needed by the application.
+ *
+ * @return PublicKey[] The public keys from the
+ * identity link.
+ */
+ public PublicKey[] getPublicKeys();
+
+ /**
+ * Returns the identity link.
+ * A validator may need other data from the identity link, than
+ * family name, given name, date of birth and identification value.
+ * The identity link element is only returned if specified within the
+ * config file.
+ *
+ * @return The identity link.
+ */
+ public Element getIdentityLink();
+
+ /**
+ * Returns application specific parameters.
+ * Each child element of this element contains
+ * a validating application specific parameter. The
+ * element is passed as specified within the config
+ * file and its up to the implementing class to
+ * parse and interprete its children.
+ *
+ * @return Application specific parameters.
+ */
+ public Element getApplicationSpecificParams();
+
+}
+
+
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java
new file mode 100644
index 000000000..46a67d48b
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java
@@ -0,0 +1,326 @@
+package at.gv.egovernment.moa.id.auth.data;
+
+import java.security.PublicKey;
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+/**
+ * Parameters for validating an infobox.
+ *
+ * This interface is used by MOA-ID to provide parameters to an
+ * {link at.gv.egovernment.moa.id.auth.validator.InfoboxValidator
+ * InfoboxValidator}.
+ *
+ * @author Harald Bratko
+ */
+public class InfoboxValidatorParamsImpl implements InfoboxValidatorParams {
+
+ /**
+ * A list of {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken} objects.
+ * The first token in this list is the one to be validated. Each further token
+ * maybe needed to validate this first token.
+ */
+ private List infoboxTokenList_;
+
+ /**
+ * The ID of the trust profile used for validating certificates.
+ */
+ private String trustProfileID_;
+
+ /**
+ * The locations of schemas that maybe needed for validating infobox tokens.
+ */
+ private List schemaLocations_;
+
+ /**
+ * The URL of the BKU.
+ */
+ private String bkuURL_;
+
+ /**
+ * Specifies whether the current online application is a business or a public application.
+ */
+ private boolean businessApplication_;
+
+ /**
+ * The target parameter.
+ */
+ private String target_;
+
+ /**
+ * The family name from the identity link.
+ */
+ private String familyName_;
+
+ /**
+ * The given name from the identity link.
+ */
+ private String givenName_;
+
+ /**
+ * The date of birth from the identity link.
+ */
+ private String dateOfBirth_;
+
+ /**
+ * The date of identification value.
+ */
+ private String identificationValue_;
+
+ /**
+ * The identification type.
+ */
+ private String identificationType_;
+
+ /**
+ * The public keys from the identity link.
+ */
+ private PublicKey[] publicKeys_;
+
+ /**
+ * The identity link.
+ */
+ private Element identityLink_;
+
+ /**
+ * Application specific parameters.
+ */
+ private Element applicationSpecificParams_;
+
+ /**
+ * Empty constructor.
+ */
+ public InfoboxValidatorParamsImpl() {
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getInfoboxTokenList()
+ */
+ public List getInfoboxTokenList() {
+ return infoboxTokenList_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getTrustProfileID()
+ */
+ public String getTrustProfileID() {
+ return trustProfileID_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getSchemaLocations()
+ */
+ public List getSchemaLocations() {
+ return schemaLocations_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getBkuURL()
+ */
+ public String getBkuURL() {
+ return bkuURL_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getTarget()
+ */
+ public String getTarget() {
+ return target_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getBusinessApplication()
+ */
+ public boolean getBusinessApplication() {
+ return businessApplication_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getFamilyName()
+ */
+ public String getFamilyName() {
+ return familyName_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getGivenName()
+ */
+ public String getGivenName() {
+ return givenName_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getDateOfBirth()
+ */
+ public String getDateOfBirth() {
+ return dateOfBirth_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getIdentificationValue()
+ */
+ public String getIdentificationValue() {
+ return identificationValue_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getIdentificationType()
+ */
+ public String getIdentificationType() {
+ return identificationType_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getPublicKeys()
+ */
+ public PublicKey[] getPublicKeys() {
+ return publicKeys_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getIdentityLink()
+ */
+ public Element getIdentityLink() {
+ return identityLink_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getApplicationSpecificParams()
+ */
+ public Element getApplicationSpecificParams() {
+ return applicationSpecificParams_;
+ }
+
+ /**
+ * Sets the application specific parameters.
+ *
+ * @param applicationSpecificParams The application specific parameters to set.
+ */
+ public void setApplicationSpecificParams(Element applicationSpecificParams) {
+ applicationSpecificParams_ = applicationSpecificParams;
+ }
+
+ /**
+ * Sets the bku URL.
+ *
+ * @param bkuURL The bku URL to set.
+ */
+ public void setBkuURL(String bkuURL) {
+ bkuURL_ = bkuURL;
+ }
+
+ /**
+ * Sets the business application parameter.
+ *
+ * @param businessApplication The business application parameter to set.
+ * (<code>True</code> if the application is a business
+ * application, otherwies <code>false</code>).
+ */
+ public void setBusinessApplication(boolean businessApplication) {
+ businessApplication_ = businessApplication;
+ }
+
+ /**
+ * Sets the date of birth.
+ *
+ * @param dateOfBirth The date of birth.
+ */
+ public void setDateOfBirth(String dateOfBirth) {
+ dateOfBirth_ = dateOfBirth;
+ }
+
+ /**
+ * Sets the family name.
+ *
+ * @param familyName The family name.
+ */
+ public void setFamilyName(String familyName) {
+ familyName_ = familyName;
+ }
+
+ /**
+ * Sets the given name.
+ *
+ * @param givenName The given name.
+ */
+ public void setGivenName(String givenName) {
+ givenName_ = givenName;
+ }
+
+ /**
+ * Sets the identification type.
+ *
+ * @param identificationType The identification type.
+ */
+ public void setIdentificationType(String identificationType) {
+ identificationType_ = identificationType;
+ }
+
+ /**
+ * Sets the identification value.
+ *
+ * @param identificationValue The identification value.
+ */
+ public void setIdentificationValue(String identificationValue) {
+ identificationValue_ = identificationValue;
+ }
+
+ /**
+ * Sets the identity link.
+ *
+ * @param identityLink The identity link.
+ */
+ public void setIdentityLink(Element identityLink) {
+ identityLink_ = identityLink;
+ }
+
+ /**
+ * Sets the infobox token to be validated.
+ *
+ * @param infoboxTokenList A list {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken}
+ * objects.
+ */
+ public void setInfoboxTokenList(List infoboxTokenList) {
+ infoboxTokenList_ = infoboxTokenList;
+ }
+
+ /**
+ * Sets the public Keys.
+ *
+ * @param publicKeys The public keys.
+ */
+ public void setPublicKeys(PublicKey[] publicKeys) {
+ publicKeys_ = publicKeys;
+ }
+
+ /**
+ * Sets the schema locations.
+ *
+ * @param schemaLocations The schema locations. A list of
+ * {@link Schema} objects.
+ */
+ public void setSchemaLocations(List schemaLocations) {
+ schemaLocations_ = schemaLocations;
+ }
+
+ /**
+ * Sets the target.
+ *
+ * @param target The target.
+ */
+ public void setTarget(String target) {
+ target_ = target;
+ }
+
+
+ /**
+ * Sets the ID of the trust profile used for validating certificates.
+ *
+ * @param trustProfileID the ID of the trust profile used for validating certificates.
+ */
+ public void setTrustProfileID(String trustProfileID) {
+ trustProfileID_ = trustProfileID;
+ }
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/Schema.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/Schema.java
new file mode 100644
index 000000000..c113f16b8
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/Schema.java
@@ -0,0 +1,26 @@
+package at.gv.egovernment.moa.id.auth.data;
+
+/**
+ * Specifies the location of a schema.
+ *
+ * @author Harald Bratko
+ */
+public interface Schema {
+
+ /**
+ * The namespace URI of this schema.
+ *
+ * @return The namespace of this schema.
+ */
+ public String getNamespace();
+
+ /**
+ * The location URI of this schema.
+ * Relative paths have to be interpreted relative to the
+ * location of the MOA-ID config file.
+ *
+ * @return The location URI of this schema.
+ */
+ public String getSchemaLocation();
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/SchemaImpl.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/SchemaImpl.java
new file mode 100644
index 000000000..e6755b58c
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/SchemaImpl.java
@@ -0,0 +1,63 @@
+package at.gv.egovernment.moa.id.auth.data;
+
+/**
+ * This class specifies the location of a schema.
+ *
+ * @author Harald Bratko
+ */
+public class SchemaImpl implements Schema {
+
+ /**
+ * The namespace of this schema.
+ */
+ private String namespace_;
+
+ /**
+ * The location (URI) of this schema;
+ */
+ private String schemaLocation_;
+
+ /**
+ * Sets the namespace and schema location URIS of this schema.
+ *
+ * @param namespace The namespace URI of this schema.
+ * @param schemaLocation The location URI of this schema.
+ */
+ public SchemaImpl(String namespace, String schemaLocation) {
+ namespace_ = namespace;
+ schemaLocation_ = schemaLocation;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.Schema#getNamespace()
+ */
+ public String getNamespace() {
+ return namespace_;
+ }
+
+ /**
+ * @see at.gv.egovernment.moa.id.auth.data.Schema#getSchemaLocation()
+ */
+ public String getSchemaLocation() {
+ return schemaLocation_;
+ }
+
+ /**
+ * Sets the namespace.
+ *
+ * @param namespace The namespace to set.
+ */
+ public void setNamespace(String namespace) {
+ namespace_ = namespace;
+ }
+
+ /**
+ * Sets the location URI of this schema.
+ *
+ * @param schemaLocation The schemaLocation to set.
+ */
+ public void setSchemaLocation(String schemaLocation) {
+ schemaLocation_ = schemaLocation;
+ }
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java
index eb7d76fda..6287c99dd 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java
@@ -137,11 +137,10 @@ public class CreateXMLSignatureResponseParser {
String attrName = XPathUtils.getAttributeValue(samlAttr, "@AttributeName", "");
String attrNamespace = XPathUtils.getAttributeValue(samlAttr, "@AttributeNamespace", "");
Object attrValue;
- if ("wbPK".equals(attrName)) {
- Element attrValueElem = (Element)XPathUtils.selectSingleNode(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH);
- attrValue = DOMUtils.getElementFromNodeList(attrValueElem.getChildNodes());
- } else {
- attrValue = XPathUtils.getElementValue(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH, "");
+ Element attrValueElem = (Element)XPathUtils.selectSingleNode(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH);
+ attrValue = DOMUtils.getElementFromNodeList(attrValueElem.getChildNodes());
+ if (attrValue == null) {
+ attrValue = attrValueElem.getFirstChild().getNodeValue();
}
samlAttributes.add(new SAMLAttribute(attrName, attrNamespace, attrValue));
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/ExtendedInfoboxReadResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/ExtendedInfoboxReadResponseParser.java
new file mode 100644
index 000000000..e493f07fb
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/ExtendedInfoboxReadResponseParser.java
@@ -0,0 +1,157 @@
+package at.gv.egovernment.moa.id.auth.parser;
+
+import java.util.Iterator;
+import java.util.List;
+import java.util.Vector;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.ParseException;
+import at.gv.egovernment.moa.id.auth.data.InfoboxToken;
+import at.gv.egovernment.moa.id.auth.data.InfoboxTokenImpl;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.DOMUtils;
+
+/**
+ * Parses and unmarshales <code>InfoboxReadResponse<code>.
+ * This parser is especially used for parsing additional responses (additional to that
+ * one containing the <code>IdentityLink</code> retuned from the BKU as an answer of
+ * a <code>&lt;PushInfobox&gt;</code> request.
+ */
+public class ExtendedInfoboxReadResponseParser {
+
+ /**
+ * Hide default constructor.
+ */
+ private ExtendedInfoboxReadResponseParser() {
+ }
+
+ /**
+ * Parses and unmarshales the given <code>infoboxReadResponse</code> to a list of
+ * {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken} objects.
+ * The method parses the given <code>infoboxReadResponse</code>
+ *
+ * @param infoboxReadResponse The infobox read response to be unmarshaled.
+ * @param infoboxName The name of the infobox the reponse corresponds to.
+ *
+ * @return A list of {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken}
+ * objects. Maybe empty.
+ *
+ * @throws ParseException If an error occurs on parsing and unmarshaling the response.
+ */
+ public static List parseInfoboxReadResponse(String infoboxReadResponse, String infoboxName)
+ throws ParseException
+ {
+ Element infoboxReadResponseElem = null;
+ try {
+ Document doc =
+ DOMUtils.parseDocument(infoboxReadResponse, true, Constants.ALL_SCHEMA_LOCATIONS, null);
+ infoboxReadResponseElem = doc.getDocumentElement();
+ } catch (Exception e) {
+ Logger.error("InfoboxReadResponse for \"" + infoboxName +
+ "\"-infobox could not be parsed successfully: " + e.getMessage());
+ throw new ParseException("parser.01", new Object[] {infoboxName + "-InfoboxReadResponse"});
+ }
+
+ Vector infoboxTokenList = new Vector();
+
+ if (infoboxReadResponseElem != null) {
+ // avoid using namespace URI or prefix, because it might change within the response
+ // (e.g.: sl11-namespace, some child sl10-namespace
+ List infoboxReadResponseChildren = DOMUtils.getChildElements(infoboxReadResponseElem);
+ String key = null;
+ boolean primary = true;
+ Element infoboxReadResponseChild = (Element)infoboxReadResponseChildren.get(0);
+ String infoboxReadResponseChildName = infoboxReadResponseChild.getLocalName();
+ if (infoboxReadResponseChildName.equals("AssocArrayData")) {
+ // get the <Pair> child elements from the <AssocArrayData> element
+ List assocArrayPairs = DOMUtils.getChildElements(infoboxReadResponseChild);
+ Iterator assocArrayPairIt = assocArrayPairs.iterator();
+ int pairCount = 0;
+ // step through the <Pair> elemnts
+ while (assocArrayPairIt.hasNext()) {
+ Element assocArrayPair = (Element)assocArrayPairIt.next();
+ // check if the element actually a "Pair" element and not only a "key"
+ if (assocArrayPair.getLocalName().equals("Key")) {
+ // do not accept only a Key
+ throw new ParseException("parser.07", new Object[] {infoboxName});
+ }
+ key = assocArrayPair.getAttribute("Key");
+ if (pairCount > 0) {
+ primary = false;
+ }
+ pairCount++;
+ infoboxTokenList.addAll(getTokenFromXMLOrBase64Content(assocArrayPair, infoboxName, key, primary));
+ }
+
+ } else if (infoboxReadResponseChildName.equals("BinaryFileData")) {
+ infoboxTokenList.addAll(getTokenFromXMLOrBase64Content(infoboxReadResponseChild, infoboxName, null, true));
+ }
+ }
+ return infoboxTokenList;
+ }
+
+ /**
+ * Unmarshales the <code>&lt;XMLContent&gt;</code> or
+ * <code>&lt;Base64Content&gt;</code> child of the given element to a list of
+ * infobox token.
+ *
+ * @param contentParent The elment including the <code>&lt;XMLContent&gt;</code> or
+ * <code>&lt;Base64Content&gt;</code> child to unmarshal the
+ * infobox token from.
+ * @param infoboxName The name of the infobox.
+ * @param key The key of an <code>AssocArrayData-Pair</code>.
+ * Maybe <code>null</code>.
+ * @param primary Specifies whether this token is the first (e.g. in an
+ * AssocArrayData) token.
+ *
+ * @return A infobox token list.
+ *
+ * @throws ParseException If the <code>contentParent</code> has no <code>&lt;XMLContent&gt;</code>
+ * or <code>&lt;Base64Content&gt;</code> child or the
+ * <code>&lt;XMLContent&gt;</code> is empty.
+ */
+ public static List getTokenFromXMLOrBase64Content(
+ Element contentParent,
+ String infoboxName,
+ String key,
+ boolean primary)
+ throws ParseException
+ {
+ Vector tokenList = new Vector();
+ // get the <XMLContent> or <Base64Content>
+ List content = DOMUtils.getChildElements(contentParent);
+ if (content.size() == 1) {
+ Element contentElem = (Element)content.get(0);
+ if (contentElem.getLocalName().equals("XMLContent")) {
+ List xmlContentChildren = DOMUtils.getChildElements(contentElem);
+ if (xmlContentChildren.size() == 0) {
+ throw new ParseException("parser.06", new Object[] {infoboxName, "Inhalt", "XMLContent"});
+ }
+ int xmlCount = 0;
+ Iterator contentIt = xmlContentChildren.iterator();
+ while (contentIt.hasNext()) {
+ Element xmlToken = (Element)contentIt.next();
+ if (xmlCount > 0) {
+ primary = false;
+ }
+ InfoboxToken infoboxToken = new InfoboxTokenImpl(key, primary, xmlToken);
+ tokenList.add(infoboxToken);
+ xmlCount++;
+ }
+ } else {
+ String base64Token = contentElem.getFirstChild().getNodeValue();
+ InfoboxToken infoboxToken = new InfoboxTokenImpl(key, primary, base64Token);
+ tokenList.add(infoboxToken);
+ }
+ } else {
+ throw new ParseException("parser.06",
+ new Object[] {infoboxName, "XMLContent oder Base64Content", contentParent.getLocalName()});
+ }
+ return tokenList;
+ }
+
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
index 092bc68c9..9d8cff6f5 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
@@ -89,7 +89,7 @@ public class IdentityLinkAssertionParser {
+ "Identification";
/** Xpath expression to the Identification Value element */
- private static final String PERSON_IDENT_VALUE_XPATH =
+ public static final String PERSON_IDENT_VALUE_XPATH =
PERSON_XPATH
+ "/"
+ PDATA
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
index 70e53d83e..96e8e6dd6 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
@@ -131,7 +131,7 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants {
{
// request is encoded as mulitpart/form-data
FileItemFactory factory = new DiskFileItemFactory();
- ServletFileUpload upload = null;;
+ ServletFileUpload upload = null;
upload = new ServletFileUpload(factory);
List items = null;
items = upload.parseRequest(req);
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
index 9d5c4b191..2134c1444 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
@@ -2,11 +2,14 @@ package at.gv.egovernment.moa.id.auth.servlet;
import java.io.IOException;
import java.io.OutputStream;
+import java.util.Enumeration;
import java.util.Map;
+import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
import org.apache.commons.fileupload.FileUploadException;
@@ -75,29 +78,30 @@ public class VerifyIdentityLinkServlet extends AuthServlet {
throw new IOException(e.getMessage());
}
String sessionID = req.getParameter(PARAM_SESSIONID);
- String infoboxReadResponse = (String)parameters.get(PARAM_XMLRESPONSE);
- try {
- String createXMLSignatureRequest =
- AuthenticationServer.getInstance().verifyIdentityLink(sessionID, infoboxReadResponse);
- AuthenticationSession session = AuthenticationServer.getSession(sessionID);
- resp.setStatus(307);
- String dataURL = new DataURLBuilder().buildDataURL(
- session.getAuthURL(), AuthenticationServer.REQ_VERIFY_AUTH_BLOCK, sessionID);
- resp.addHeader("Location", dataURL);
-
- //TODO test impact of explicit setting charset with older versions of BKUs (HotSign)
- resp.setContentType("text/xml;charset=UTF-8");
+
+ try {
+ AuthenticationSession session = AuthenticationServer.getSession(sessionID);
+
+ String createXMLSignatureRequest =
+ AuthenticationServer.getInstance().verifyIdentityLink(sessionID, parameters);
+ resp.setStatus(307);
+ String dataURL = new DataURLBuilder().buildDataURL(
+ session.getAuthURL(), AuthenticationServer.REQ_VERIFY_AUTH_BLOCK, sessionID);
+ resp.addHeader("Location", dataURL);
+
+ //TODO test impact of explicit setting charset with older versions of BKUs (HotSign)
+ resp.setContentType("text/xml;charset=UTF-8");
OutputStream out = resp.getOutputStream();
out.write(createXMLSignatureRequest.getBytes("UTF-8"));
- out.flush();
+ out.flush();
out.close();
- Logger.debug("Finished POST VerifyIdentityLink");
- }
- catch (MOAIDException ex) {
- handleError(null, ex, req, resp);
- }
+ Logger.debug("Finished POST VerifyIdentityLink");
+ }
+ catch (MOAIDException ex) {
+ handleError(null, ex, req, resp);
+ }
}
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java
index 0bd45e3e9..444f706e4 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java
@@ -153,7 +153,7 @@ public class IdentityLinkValidator implements Constants {
//Check if dsig:Signature exists
Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion,ROOT + DSIG + "Signature");
- if (dsigSignature==null) throw new ValidateException("validator.05", null);
+ if (dsigSignature==null) throw new ValidateException("validator.05", new Object[] {"in der Personenbindung"});
}
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java
new file mode 100644
index 000000000..e17e03a20
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java
@@ -0,0 +1,71 @@
+package at.gv.egovernment.moa.id.auth.validator;
+
+import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams;
+import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
+
+/**
+ * Validates an InfoboxReadResponse.
+ * An implementing class has to validate the content of the InfoboxReadResponse
+ * according to the type specific rules and guidelines of the underlying
+ * application.
+ * If validation succeeds, the class may provide an array of
+ * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute
+ * ExtendedSAMLAttributes}. Each of these SAML-Attributes will be either appended to the
+ * final SAML-Assertion passed to the online application or to the AUTH-Block,
+ * or to both.
+ * <br>
+ * If validation fails the implementing class has to provide a short error message.
+ */
+public interface InfoboxValidator {
+
+ /**
+ * This method validates an InfoboxReadResponse.
+ * The method validates the content of the passed <code>infoboxReadResponse</code>
+ * according to the type specific rules and guidelines of the underlying
+ * application.
+ * <br>
+ * The method returns <code>true</code> if validation succeeds. In that case
+ * method {@link #getExtendedSamlAttributes()} may provide an array of
+ * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute
+ * ExtendedSAMLAttributes} that should be appended to the final SAML-Assertion or the
+ * AUTH-Block or to both.
+ * <br>
+ * The method returns <code>false</code> if validation fails. In that case
+ * method {@link #getErrorMessage()} has to provide a short error description.
+ *
+ * @param params {@link at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams
+ * Parameters} needed by the validator.
+ *
+ * @return <code>True</code> if validation succeeds,
+ * otherwise <code>false</code>.
+ *
+ * @throws ValidateException If an error occurs on validating the
+ * InfoboxReadResponse.
+ */
+ public boolean validate (InfoboxValidatorParams params)
+ throws ValidateException;
+
+ /**
+ * Returns an array of {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute
+ * ExtendedSAMLAttributes} that should be added to the SAML-Assertion
+ * provided to the online application.
+ * The SAML-Attributes in that array will be added to the final
+ * SAML-Assertion, the AUTH-Block, or both, exactly in the order as they are arranged
+ * in the array this method returns.
+ *
+ * @return An array of {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute
+ * ExtendedSAMLAttributes} that should be added to the SAML-Assertion
+ * provided to the online application, the AUTH-Block, or both. If no attributes should
+ * be added this array maybe <code>null</code> or empty.
+ */
+ public ExtendedSAMLAttribute[] getExtendedSamlAttributes();
+
+ /**
+ * A short error description that should be displayed by MOA-ID if
+ * validation of the InfoBoxReadResponse fails.
+ *
+ * @return An short error message if validation fails.
+ */
+ public String getErrorMessage();
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
index 7d3a6d4ab..6a9aee0ca 100644
--- a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
@@ -9,8 +9,12 @@ import java.math.BigInteger;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
+import java.util.Hashtable;
+import java.util.Iterator;
import java.util.List;
import java.util.Map;
+import java.util.Set;
+import java.util.Vector;
import org.w3c.dom.Attr;
import org.w3c.dom.Element;
@@ -18,7 +22,11 @@ import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.w3c.dom.traversal.NodeIterator;
+import at.gv.egovernment.moa.id.auth.data.Schema;
+import at.gv.egovernment.moa.id.auth.data.SchemaImpl;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameter;
+import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameters;
import at.gv.egovernment.moa.id.config.proxy.OAConfiguration;
import at.gv.egovernment.moa.id.config.proxy.OAProxyParameter;
import at.gv.egovernment.moa.id.data.IssuerAndSerial;
@@ -98,8 +106,13 @@ public class ConfigurationBuilder {
ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP/" + CONF + "VerifyAuthBlock/" + CONF + "VerifyTransformsInfoProfileID";
/** an XPATH-Expression */
- private static final String AUTH_IDENTITY_LINK_X509SUBJECTNAME_XPATH =
+ private static final String AUTH_IDENTITY_LINK_X509SUBJECTNAME_XPATH =
ROOT + CONF + "AuthComponent/" + CONF + "IdentityLinkSigners/" + CONF + "X509SubjectName";
+
+ /** an XPATH-Expression */
+ public static final String AUTH_VERIFY_INFOBOXES_XPATH =
+ ROOT + CONF + "AuthComponent/" + CONF + "VerifyInfoboxes";
+
/** an XPATH-Expression */
private static final String PROXY_AUTH_XPATH =
ROOT + CONF + "ProxyComponent/" + CONF + "AuthComponent";
@@ -121,6 +134,8 @@ public class ConfigurationBuilder {
/** an XPATH-Expression */
private static final String OA_AUTH_COMPONENT_TRANSFORMS_INFO_FILENAME_XPATH = CONF + "TransformsInfo/@filename";
/** an XPATH-Expression */
+ private static final String OA_AUTH_COMPONENT_VERIFY_INFOBOXES_XPATH = CONF + "VerifyInfoboxes";
+ /** an XPATH-Expression */
private static final String OA_PROXY_COMPONENT_XPATH = CONF + "ProxyComponent";
/** an XPATH-Expression */
private static final String OA_PROXY_COMPONENT_ABSOLUTE_XPATH = ROOT + CONF + "OnlineApplication/" + CONF + "ProxyComponent";
@@ -183,6 +198,15 @@ public class ConfigurationBuilder {
/** an XPATH-Expression */
private static final String TRUSTED_CA_CERTIFICATES_XPATH =
ROOT + CONF + "TrustedCACertificates";
+
+ /** an XPATH-Expression */
+ private static final String VERIFY_INFOBOXES_DEFAULT_TRUST_PROFILE_XPATH = CONF + "DefaultTrustProfile";
+ /** an XPATH-Expression */
+ private static final String VERIFY_INFOBOXES_TRUST_PROFILE_ID_XPATH = CONF + "TrustProfileID";
+ /** an XPATH-Expression */
+ private static final String VERIFY_INFOBOXES_INFOBOX_XPATH = CONF + "Infobox";
+
+
/**
@@ -386,16 +410,27 @@ public class ConfigurationBuilder {
/**
* Build an array of the OnlineApplication Parameters containing information
* about the authentication component
+ *
+ * @param defaultVerifyInfoboxParameters Default parameters for verifying additional
+ * infoboxes. Maybe <code>null</code>.
+ * @param moaSpIdentityLinkTrustProfileID The ID of the trust profile used for validating
+ * the identity link signer certificate. Needed for
+ * checking if this ID is not used for validating other
+ * infoboxes.
+ *
* @return An OAProxyParameter array containing beans
* with all relevant information for the authentication component of the online
* application
*/
- public OAAuthParameter[] buildOnlineApplicationAuthParameters() throws ConfigurationException {
+ public OAAuthParameter[] buildOnlineApplicationAuthParameters(
+ VerifyInfoboxParameters defaultVerifyInfoboxParameters, String moaSpIdentityLinkTrustProfileID)
+ throws ConfigurationException
+ {
String bkuSelectionTemplateURL =
- XPathUtils.getAttributeValue(configElem_,AUTH_BKUSELECT_TEMPLATE_XPATH,null);
+ XPathUtils.getAttributeValue(configElem_, AUTH_BKUSELECT_TEMPLATE_XPATH, null);
String templateURL =
- XPathUtils.getAttributeValue(configElem_,AUTH_TEMPLATE_XPATH,null);
+ XPathUtils.getAttributeValue(configElem_, AUTH_TEMPLATE_XPATH, null);
List OA_set = new ArrayList();
NodeList OAIter = XPathUtils.selectNodeList(configElem_, OA_XPATH);
@@ -460,7 +495,10 @@ public class ConfigurationBuilder {
oap.setTransformsInfos(loadTransformsInfos(transformsInfoFileNames));
} catch (Exception ex) {
Logger.error("Error loading transforms specified for OA \"" + publicURLPrefix + "\"; using default transforms.");
- }
+ }
+ Node verifyInfoboxParamtersNode = XPathUtils.selectSingleNode(authComponent, OA_AUTH_COMPONENT_VERIFY_INFOBOXES_XPATH);
+ oap.setVerifyInfoboxParameters(buildVerifyInfoboxParameters(
+ verifyInfoboxParamtersNode, defaultVerifyInfoboxParameters, moaSpIdentityLinkTrustProfileID));
}
OA_set.add(oap);
}
@@ -834,6 +872,190 @@ public class ConfigurationBuilder {
identityLinkDomainIdentifier.append(identificationNumber);
return identityLinkDomainIdentifier.toString();
}
+
+ /**
+ * Builds the parameters for verifying additional infoboxes (additional to the
+ * IdentityLink infobox).
+ *
+ * @param verifyInfoboxesElem The <code>VerifyInfoboxes</code> element from the
+ * config file. This maybe the global element or the
+ * elment from an Online application.
+ * @param defaultVerifyInfoboxParameters Default parameters to be used, if no
+ * <code>VerifyInfoboxes</code> element is present.
+ * This only applies to parameters
+ * of an specific online application and is set to
+ * <code>null</code> when building the global parameters.
+ * @param moaSpIdentityLinkTrustProfileID The ID of the trust profile used for validating
+ * the identity link signer certificate. Needed for
+ * checking if this ID is not used for validating other
+ * infoboxes.
+ *
+ * @return A {@link at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameters VerifyInfoboxParameters}
+ * object needed for verifying additional infoboxes.
+ *
+ * @throws ConfigurationException If the trust profile for validating the identity link
+ * signer certificate is used for validating another infobox.
+ */
+ public VerifyInfoboxParameters buildVerifyInfoboxParameters(
+ Node verifyInfoboxesElem,
+ VerifyInfoboxParameters defaultVerifyInfoboxParameters,
+ String moaSpIdentityLinkTrustProfileID)
+ throws ConfigurationException
+ {
+
+ if ((verifyInfoboxesElem == null) && (defaultVerifyInfoboxParameters == null)) {
+ return null;
+ }
+ Vector identifiers = new Vector();
+ List defaultIdentifiers = null;
+ Map defaultInfoboxParameters = null;
+ if (defaultVerifyInfoboxParameters != null) {
+ defaultIdentifiers = defaultVerifyInfoboxParameters.getIdentifiers();
+ defaultInfoboxParameters = defaultVerifyInfoboxParameters.getInfoboxParameters();
+ }
+ Hashtable infoboxParameters = new Hashtable();
+ if (verifyInfoboxesElem != null) {
+ // get the DefaultTrustProfileID
+ String defaultTrustProfileID = null;
+ Node defaultTrustProfileNode =
+ XPathUtils.selectSingleNode(verifyInfoboxesElem, VERIFY_INFOBOXES_DEFAULT_TRUST_PROFILE_XPATH);
+ if (defaultTrustProfileNode != null) {
+ Node trustProfileIDNode =
+ XPathUtils.selectSingleNode(defaultTrustProfileNode, VERIFY_INFOBOXES_TRUST_PROFILE_ID_XPATH);
+ defaultTrustProfileID = trustProfileIDNode.getFirstChild().getNodeValue();
+ if (defaultTrustProfileID.equals(moaSpIdentityLinkTrustProfileID)) {
+ throw new ConfigurationException("config.15", new Object[] {moaSpIdentityLinkTrustProfileID});
+ }
+ }
+ // get the Infoboxes
+ NodeList infoboxes =
+ XPathUtils.selectNodeList(verifyInfoboxesElem, VERIFY_INFOBOXES_INFOBOX_XPATH);
+ for (int i=0; i<infoboxes.getLength(); i++) {
+ Element infoBoxElem = (Element)infoboxes.item(i);
+ // get the identifier of the infobox
+ String identifier = infoBoxElem.getAttribute("Identifier");
+ identifiers.add(identifier);
+ VerifyInfoboxParameter verifyInfoboxParameter = new VerifyInfoboxParameter(identifier);
+ verifyInfoboxParameter.setFriendlyName(identifier);
+ // get the attributes
+ // (1) required: override global value in any case
+ verifyInfoboxParameter.setRequired(BoolUtils.valueOf(
+ infoBoxElem.getAttribute("required")));
+ // (2) provideStammzahl: override global value in any case
+ verifyInfoboxParameter.setProvideStammzahl(BoolUtils.valueOf(
+ infoBoxElem.getAttribute("provideStammzahl")));
+ // (3) proviedIdentityLink: override global value in any case
+ verifyInfoboxParameter.setProvideIdentityLink(BoolUtils.valueOf(
+ infoBoxElem.getAttribute("provideIdentityLink")));
+ // set default trustprofileID
+ if (defaultTrustProfileID != null) {
+ verifyInfoboxParameter.setTrustProfileID(defaultTrustProfileID);
+ }
+ // get the parameter elements
+ boolean localValidatorClass = false;
+ boolean localFriendlyName = false;
+ List params = DOMUtils.getChildElements(infoBoxElem);
+ Iterator it = params.iterator();
+ while (it.hasNext()) {
+ Element paramElem = (Element)it.next();
+ String paramName = paramElem.getLocalName();
+ if (paramName.equals("FriendlyName")) {
+ verifyInfoboxParameter.setFriendlyName(paramElem.getFirstChild().getNodeValue());
+ localFriendlyName = true;
+ } else if (paramName.equals("TrustProfileID")) {
+ String trustProfileID = paramElem.getFirstChild().getNodeValue();
+ if (trustProfileID != null) {
+ if (trustProfileID.equals(moaSpIdentityLinkTrustProfileID)) {
+ throw new ConfigurationException("config.15", new Object[] {moaSpIdentityLinkTrustProfileID});
+ }
+ verifyInfoboxParameter.setTrustProfileID(trustProfileID);
+ }
+ } else if (paramName.equals("ValidatorClass")) {
+ String validatorClassName = paramElem.getFirstChild().getNodeValue();
+ if (validatorClassName != null) {
+ verifyInfoboxParameter.setValidatorClassName(validatorClassName);
+ localValidatorClass = true;
+ }
+ } else if (paramName.equals("SchemaLocations")) {
+ List schemaElems = DOMUtils.getChildElements(paramElem);
+ List schemaLocations = new Vector(schemaElems.size());
+ Iterator schemaIterator = schemaElems.iterator();
+ while (schemaIterator.hasNext()) {
+ Element schemaElem = (Element)schemaIterator.next();
+ String namespace = schemaElem.getAttribute("namespace");
+ String schemaLocation = schemaElem.getAttribute("schemaLocation");
+ // avoid adding the same schema twice
+ Iterator schemaLocationIterator = schemaLocations.iterator();
+ boolean add = true;
+ while (schemaLocationIterator.hasNext()) {
+ String existingNamespace = ((Schema)schemaLocationIterator.next()).getNamespace();
+ if (namespace.equals(existingNamespace)) {
+ Logger.warn("Multiple schemas specified for namespace \"" + namespace +
+ "\"; only using the first one.");
+ add = false;
+ break;
+ }
+ }
+ if (add) {
+ schemaLocations.add(new SchemaImpl(namespace, schemaLocation));
+ }
+ }
+ verifyInfoboxParameter.setSchemaLocations(schemaLocations);
+ } else if (paramName.equals("ApplicationSpecificParameters")) {
+ verifyInfoboxParameter.setApplicationSpecificParams(paramElem);
+ }
+ }
+ // use default values for those parameters not yet set by local configuration
+ if (defaultInfoboxParameters != null) {
+ Object defaultVerifyIP = defaultInfoboxParameters.get(identifier);
+ if (defaultVerifyIP != null) {
+ VerifyInfoboxParameter defaultVerifyInfoboxParameter =
+ (VerifyInfoboxParameter)defaultVerifyIP;
+ // if no friendly is set, use default
+ if (!localFriendlyName) {
+ verifyInfoboxParameter.setFriendlyName(
+ defaultVerifyInfoboxParameter.getFriendlyName());
+ }
+ // if no TrustProfileID is set, use default, if available
+ if (verifyInfoboxParameter.getTrustProfileID() == null) {
+ verifyInfoboxParameter.setTrustProfileID(
+ defaultVerifyInfoboxParameter.getTrustProfileID());
+ }
+ // if no local validator class is set, use default
+ if (!localValidatorClass) {
+ verifyInfoboxParameter.setValidatorClassName(
+ defaultVerifyInfoboxParameter.getValidatorClassName());
+ }
+ // if no schema locations set, use default
+ if (verifyInfoboxParameter.getSchemaLocations() == null) {
+ verifyInfoboxParameter.setSchemaLocations(
+ defaultVerifyInfoboxParameter.getSchemaLocations());
+ }
+ // if no application specific parameters set, use default
+ if (verifyInfoboxParameter.getApplicationSpecificParams() == null) {
+ verifyInfoboxParameter.setApplicationSpecificParams(
+ defaultVerifyInfoboxParameter.getApplicationSpecificParams());
+ }
+ }
+ }
+ infoboxParameters.put(identifier, verifyInfoboxParameter);
+ }
+ // add the infobox identifiers not present within the local configuration to the
+ // identifier list
+ if (defaultIdentifiers != null) {
+ Iterator identifierIterator = defaultIdentifiers.iterator();
+ while (identifierIterator.hasNext()) {
+ String defaultIdentifier = (String)identifierIterator.next();
+ if (!identifiers.contains(defaultIdentifier)) {
+ identifiers.add(defaultIdentifier);
+ }
+ }
+ }
+ return new VerifyInfoboxParameters(identifiers, infoboxParameters);
+ } else {
+ return new VerifyInfoboxParameters(defaultIdentifiers, infoboxParameters);
+ }
+ }
/**
* Method warn.
@@ -856,6 +1078,5 @@ public class ConfigurationBuilder {
*/
private static void warn(String messageId, Object[] args, Throwable t) {
Logger.warn(MOAIDMessageProvider.getInstance().getMessage(messageId, args), t);
- }
-
+ }
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index d354ba910..e45d7cba8 100644
--- a/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -7,6 +7,7 @@ import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import org.w3c.dom.Element;
+import org.w3c.dom.Node;
import at.gv.egovernment.moa.id.config.ConfigurationBuilder;
import at.gv.egovernment.moa.id.config.ConfigurationException;
@@ -15,6 +16,7 @@ import at.gv.egovernment.moa.id.config.ConnectionParameter;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.FileUtils;
+import at.gv.egovernment.moa.util.XPathUtils;
/**
* A class providing access to the Auth Part of the MOA-ID configuration data.
@@ -116,6 +118,10 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
* X509 SubjectNames which will be trusted
*/
private String[] identityLinkX509SubjectNames;
+ /**
+ * default parameters for verifying additional infoboxes.
+ */
+ private VerifyInfoboxParameters defaultVerifyInfoboxParameters;
/**
* configuration parameters for online applications
@@ -133,6 +139,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
* the bku Selection Connection Parameters
*/
private ConnectionParameter bKUConnectionParameter;
+
/**
* Return the single instance of configuration data.
*
@@ -214,24 +221,30 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
throw new ConfigurationException("config.03", null, t);
}
- // build the internal datastructures
- builder = new ConfigurationBuilder(configElem, rootConfigFileDir);
- bKUConnectionParameter = builder.buildAuthBKUConnectionParameter();
- bKUSelectable = (bKUConnectionParameter!=null);
- bKUSelectionType = builder.buildAuthBKUSelectionType();
- genericConfiguration = builder.buildGenericConfiguration();
- transformsInfoFileNames = builder.buildTransformsInfoFileNames(builder.getConfigElem(), ConfigurationBuilder.AUTH_SECLAYER_TRANSFORMS_INFO_FILENAME_XPATH);
- transformsInfos = builder.loadTransformsInfos(transformsInfoFileNames);
- moaSpConnectionParameter = builder.buildMoaSpConnectionParameter();
- moaSpIdentityLinkTrustProfileID = builder.getMoaSpIdentityLinkTrustProfileID();
- moaSpAuthBlockTrustProfileID = builder.getMoaSpAuthBlockTrustProfileID();
- moaSpAuthBlockVerifyTransformsInfoIDs = builder.buildMoaSpAuthBlockVerifyTransformsInfoIDs();
- onlineApplicationAuthParameters = builder.buildOnlineApplicationAuthParameters();
- identityLinkX509SubjectNames = builder.getIdentityLink_X509SubjectNames();
- defaultChainingMode = builder.getDefaultChainingMode();
- chainingModes = builder.buildChainingModes();
- trustedCACertificates = builder.getTrustedCACertificates();
- trustedCACertificates = FileUtils.makeAbsoluteURL(trustedCACertificates, rootConfigFileDir);
+ // build the internal datastructures
+ builder = new ConfigurationBuilder(configElem, rootConfigFileDir);
+ bKUConnectionParameter = builder.buildAuthBKUConnectionParameter();
+ bKUSelectable = (bKUConnectionParameter!=null);
+ bKUSelectionType = builder.buildAuthBKUSelectionType();
+ genericConfiguration = builder.buildGenericConfiguration();
+ transformsInfoFileNames = builder.buildTransformsInfoFileNames(builder.getConfigElem(), ConfigurationBuilder.AUTH_SECLAYER_TRANSFORMS_INFO_FILENAME_XPATH);
+ transformsInfos = builder.loadTransformsInfos(transformsInfoFileNames);
+ moaSpConnectionParameter = builder.buildMoaSpConnectionParameter();
+ moaSpIdentityLinkTrustProfileID = builder.getMoaSpIdentityLinkTrustProfileID();
+ moaSpAuthBlockTrustProfileID = builder.getMoaSpAuthBlockTrustProfileID();
+ moaSpAuthBlockVerifyTransformsInfoIDs = builder.buildMoaSpAuthBlockVerifyTransformsInfoIDs();
+ defaultVerifyInfoboxParameters = null;
+ Node defaultVerifyInfoboxParamtersElem = XPathUtils.selectSingleNode(configElem, ConfigurationBuilder.AUTH_VERIFY_INFOBOXES_XPATH);
+ if (defaultVerifyInfoboxParamtersElem != null) {
+ defaultVerifyInfoboxParameters =
+ builder.buildVerifyInfoboxParameters((Element)defaultVerifyInfoboxParamtersElem, null, moaSpIdentityLinkTrustProfileID);
+ }
+ onlineApplicationAuthParameters = builder.buildOnlineApplicationAuthParameters(defaultVerifyInfoboxParameters, moaSpIdentityLinkTrustProfileID);
+ identityLinkX509SubjectNames = builder.getIdentityLink_X509SubjectNames();
+ defaultChainingMode = builder.getDefaultChainingMode();
+ chainingModes = builder.buildChainingModes();
+ trustedCACertificates = builder.getTrustedCACertificates();
+ trustedCACertificates = FileUtils.makeAbsoluteURL(trustedCACertificates, rootConfigFileDir);
} catch (Throwable t) {
throw new ConfigurationException("config.02", null, t);
@@ -387,4 +400,13 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
return bKUSelectionType;
}
+ /**
+ * Returns the defaultVerifyInfoboxParameters.
+ *
+ * @return The defaultVerifyInfoboxParameters.
+ */
+ public VerifyInfoboxParameters getDefaultVerifyInfoboxParameters() {
+ return defaultVerifyInfoboxParameters;
+ }
+
} \ No newline at end of file
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id.server/src/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 4a41f9e75..abdf13dd1 100644
--- a/id.server/src/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id.server/src/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -64,6 +64,10 @@ public class OAAuthParameter extends OAParameter {
* template for web page "Anmeldung mit B&uuml;rgerkarte"
*/
private String templateURL;
+ /**
+ * Parameters for verifying infoboxes.
+ */
+ private VerifyInfoboxParameters verifyInfoboxParameters;
/**
* Returns <code>true</code> if the Security Layer version is version 1.2,
@@ -157,7 +161,17 @@ public class OAAuthParameter extends OAParameter {
*/
public String getTemplateURL() {
return templateURL;
- }
+ }
+
+ /**
+ * Returns the parameters for verifying additional infoboxes.
+ *
+ * @return The parameters for verifying additional infoboxes.
+ * Maybe <code>null</code>.
+ */
+ public VerifyInfoboxParameters getVerifyInfoboxParameters() {
+ return verifyInfoboxParameters;
+ }
/**
* Sets the security layer version.
@@ -242,4 +256,13 @@ public class OAAuthParameter extends OAParameter {
public void setTemplateURL(String templateURL) {
this.templateURL = templateURL;
}
+
+ /**
+ * Sets the parameters for verifying additonal (to the identitylink infobox) infoboxes.
+ *
+ * @param verifyInfoboxParameters The verifyInfoboxParameters to set.
+ */
+ public void setVerifyInfoboxParameters(VerifyInfoboxParameters verifyInfoboxParameters) {
+ this.verifyInfoboxParameters = verifyInfoboxParameters;
+ }
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/auth/VerifyInfoboxParameter.java b/id.server/src/at/gv/egovernment/moa/id/config/auth/VerifyInfoboxParameter.java
new file mode 100644
index 000000000..9caa9519e
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/config/auth/VerifyInfoboxParameter.java
@@ -0,0 +1,362 @@
+package at.gv.egovernment.moa.id.config.auth;
+
+import java.io.IOException;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.xml.transform.TransformerException;
+
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.auth.data.Schema;
+import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.StringUtils;
+
+/**
+ * This class is a container for parameters that maybe needed for verifying an infobox.
+ *
+ * @author Harald Bratko
+ */
+public class VerifyInfoboxParameter {
+
+ /**
+ * The default package name (first part) of a infobox validator class.
+ */
+ public static final String DEFAULT_PACKAGE_TRUNK = "at.gv.egovernment.moa.id.auth.validator.";
+
+ /**
+ * The identifier of the infobox to be verified. This identifier must exactly the
+ * identifier of the infobox returned by BKU.
+ */
+ private String identifier_;
+
+ /**
+ * The friendly name of the infobox.
+ * This name is used within browser messages, thus it should be the german equivalent of
+ * the {@link #identifier_ infobox identifier} (e.g. &quot;<code>Stellvertretungen</code>&quot;
+ * for &quot;<code>Mandates</code>&quot; or &quot;<code>GDAToken</code>&quot; for
+ * &quot;<code>EHSPToken</code>&quot;.
+ * <br>If not specified within the config file the {@link #identifier_ infobox identifier}
+ * will be used.
+ */
+ private String friendlyName_;
+
+ /**
+ * The Id of the TrustProfile to be used for validating certificates.
+ */
+ private String trustProfileID_;
+
+ /**
+ * The full name of the class to be used for verifying the infobox.
+ */
+ private String validatorClassName_;
+
+ /**
+ * Schema location URIs that may be needed by the
+ * validator to parse infobox tokens.
+ * Each entry in the list is a {@link at.gv.egovernment.moa.id.auth.data.Schema Schema}
+ * specifying the location of an XML schema.
+ */
+ private List schemaLocations_;
+
+ /**
+ * Application specific parameters that may be needed for verifying an infobox.
+ */
+ private Element applicationSpecificParams_;
+
+ /**
+ * Specifies if the infobox is be required to be returned by the BKU.
+ */
+ private boolean required_;
+
+ /**
+ * Specifies whether the <code>Stammzahl</code> should be passed to the verifying
+ * application or not.
+ */
+ private boolean provideStammzahl_;
+
+ /**
+ * Specifies whether the <code>identity link</code> should be passed to the verifying
+ * application or not.
+ */
+ private boolean provideIdentityLink_;
+
+ /**
+ * Initializes this VerifiyInfoboxParamater with the given identifier and a default
+ * validator class name.
+ *
+ * @param identifier The identifier of the infobox to be verified.
+ */
+ public VerifyInfoboxParameter(String identifier) {
+ identifier_ = identifier;
+ StringBuffer sb = new StringBuffer(DEFAULT_PACKAGE_TRUNK);
+ sb.append(identifier.toLowerCase());
+ sb.append(".");
+ sb.append(identifier.substring(0, 1).toUpperCase());
+ sb.append(identifier.substring(1));
+ sb.append("Validator");
+ validatorClassName_ = sb.toString();
+ }
+
+ /**
+ * Returns application specific parameters.
+ * Each child element of this element contains a verifying application specific parameter.
+ *
+ * @see #applicationSpecificParams_
+ *
+ * @return Application specific parameters.
+ */
+ public Element getApplicationSpecificParams() {
+ return applicationSpecificParams_;
+ }
+
+ /**
+ * Sets the application specific parameters.
+ *
+ * @see #applicationSpecificParams_
+ *
+ * @param applicationSpecificParams The application specific parameters to set.
+ */
+ public void setApplicationSpecificParams(Element applicationSpecificParams) {
+ applicationSpecificParams_ = applicationSpecificParams;
+ }
+
+ /**
+ * Returns the friendly name.
+ *
+ * @see #friendlyName_
+ *
+ * @return The friendly name.
+ */
+ public String getFriendlyName() {
+ return friendlyName_;
+ }
+
+ /**
+ * Sets the friendly name.
+ *
+ * @param friendlyName The friendly name to set.
+ */
+ public void setFriendlyName(String friendlyName) {
+ friendlyName_ = friendlyName;
+ }
+
+ /**
+ * Returns the infobox identifier.
+ *
+ * @see #identifier_
+ *
+ * @return The infobox identifier.
+ */
+ public String getIdentifier() {
+ return identifier_;
+ }
+
+ /**
+ * Sets the the infobox identifier.
+ *
+ * @see #identifier_
+ *
+ * @param identifier The infobox identifier to set.
+ */
+ public void setIdentifier(String identifier) {
+ identifier_ = identifier;
+ }
+
+ /**
+ * Specifies whether the identity link should be passed to the verifying application
+ * or not.
+ *
+ * @return <code>True</code> if the identity link should be passed to the verifying
+ * application, otherwise <code>false</code>.
+ */
+ public boolean getProvideIdentityLink() {
+ return provideIdentityLink_;
+ }
+
+ /**
+ * Sets the {@link #provideIdentityLink_} parameter.
+ *
+ * @param provideIdentityLink <code>True</code> if the identity link should be passed to
+ * the verifying application, otherwise <code>false</code>.
+ */
+ public void setProvideIdentityLink(boolean provideIdentityLink) {
+ provideIdentityLink_ = provideIdentityLink;
+ }
+
+ /**
+ * Specifies whether the <code>Stammzahl</code> should be passed to the verifying
+ * application or not.
+ *
+ * @return <code>True</code> if the <code>Stammzahl</code> should be passed to the
+ * verifying application, otherwise <code>false</code>.
+ */
+ public boolean getProvideStammzahl() {
+ return provideStammzahl_;
+ }
+
+ /**
+ * Sets the {@link provideStammzahl_} parameter.
+ *
+ * @param provideStammzahl <code>True</code> if the <code>Stammzahl</code> should be
+ * passed to the verifying application, otherwise <code>false</code>.
+ */
+ public void setProvideStammzahl(boolean provideStammzahl) {
+ provideStammzahl_ = provideStammzahl;
+ }
+
+ /**
+ * Specifies whether the infobox is required or not.
+ *
+ * @return <code>True</code> if the infobox is required to be returned by the BKU,
+ * otherwise <code>false</code>.
+ */
+ public boolean isRequired() {
+ return required_;
+ }
+
+ /**
+ * Sets the {@link required_} parameter.
+ *
+ * @param required <code>True</code> if the infobox is required to be returned by the
+ * BKU, otherwise <code>false</code>.
+ */
+ public void setRequired(boolean required) {
+ required_ = required;
+ }
+
+ /**
+ * Schema location URIs that may be needed by the
+ * validator to parse infobox tokens.
+ * Each entry in the list is a {@link at.gv.egovernment.moa.id.auth.data.Schema Schema}
+ * specifying the location of an XML schema.
+ *
+ * @return A list of {@link at.gv.egovernment.moa.id.auth.data.Schema Schema} objects
+ * each of them specifying the location of an XML schema.
+ */
+ public List getSchemaLocations() {
+ return schemaLocations_;
+ }
+
+ /**
+ * Sets the schema locations.
+ *
+ * @see #schemaLocations_
+ *
+ * @param schemaLocations The schema location list to be set.
+ */
+ public void setSchemaLocations(List schemaLocations) {
+ schemaLocations_ = schemaLocations;
+ }
+
+ /**
+ * Returns the ID of the trust profile to be used for verifying certificates.
+ *
+ * @return The ID of the trust profile to be used for verifying certificates.
+ * Maybe <code>null</code>.
+ */
+ public String getTrustProfileID() {
+ return trustProfileID_;
+ }
+
+ /**
+ * Sets the ID of the trust profile to be used for verifying certificates.
+ *
+ * @param trustProfileID The ID of the trust profile to be used for verifying certificates.
+ */
+ public void setTrustProfileID(String trustProfileID) {
+ trustProfileID_ = trustProfileID;
+ }
+
+ /**
+ * Returns the name of the class to be used for verifying this infobox.
+ *
+ * @return The name of the class to be used for verifying this infobox.
+ */
+ public String getValidatorClassName() {
+ return validatorClassName_;
+ }
+
+ /**
+ * Sets the name of the class to be used for verifying this infobox.
+ *
+ * @param validatorClassName The name of the class to be used for verifying this infobox.
+ */
+ public void setValidatorClassName(String validatorClassName) {
+ validatorClassName_ = validatorClassName;
+ }
+
+ /**
+ * Get a string representation of this object.
+ * This method is for debugging purposes only.
+ *
+ * @return A string representation of this object.
+ */
+ public String toString() {
+
+ StringBuffer buffer = new StringBuffer(1024);
+
+ buffer.append(" <Infobox Identifier=\"");
+ buffer.append(identifier_);
+ buffer.append("\" required=\"");
+ buffer.append(required_);
+ buffer.append("\" provideStammzahl=\"");
+ buffer.append(provideStammzahl_);
+ buffer.append("\" provideIdentityLink=\"");
+ buffer.append(provideIdentityLink_);
+ buffer.append("\">");
+ buffer.append("\n");
+ if (friendlyName_ != null) {
+ buffer.append(" <FriendlyName>");
+ buffer.append(friendlyName_);
+ buffer.append("</FriendlyName>");
+ buffer.append("\n");
+ }
+ if (trustProfileID_ != null) {
+ buffer.append(" <TrustProfileID>");
+ buffer.append(trustProfileID_);
+ buffer.append("</TrustProfileID>");
+ buffer.append("\n");
+ }
+ if (validatorClassName_ != null) {
+ buffer.append(" <ValidatorClass>");
+ buffer.append(validatorClassName_);
+ buffer.append("</ValidatorClass>");
+ buffer.append("\n");
+ }
+ if (schemaLocations_ != null) {
+ buffer.append(" <SchemaLocations>");
+ buffer.append("\n");
+ Iterator it = schemaLocations_.iterator();
+ while (it.hasNext()) {
+ buffer.append(" <Schema namespace=\"");
+ Schema schema = (Schema)it.next();
+ buffer.append(schema.getNamespace());
+ buffer.append("\" schemaLocation=\"");
+ buffer.append(schema.getSchemaLocation());
+ buffer.append("\"/>\n");
+ }
+ buffer.append(" </SchemaLocations>");
+ buffer.append("\n");
+ }
+ if (applicationSpecificParams_ != null) {
+ try {
+ String applicationSpecificParams = DOMUtils.serializeNode(applicationSpecificParams_);
+ buffer.append(" ");
+ buffer.append(StringUtils.removeXMLDeclaration(applicationSpecificParams));
+ buffer.append("\n");
+ } catch (TransformerException e) {
+ // do nothing
+ } catch (IOException e) {
+ // do nothing
+ }
+ }
+ buffer.append(" </Infobox>");
+
+
+ return buffer.toString() ;
+ }
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/auth/VerifyInfoboxParameters.java b/id.server/src/at/gv/egovernment/moa/id/config/auth/VerifyInfoboxParameters.java
new file mode 100644
index 000000000..b9f669196
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/config/auth/VerifyInfoboxParameters.java
@@ -0,0 +1,135 @@
+package at.gv.egovernment.moa.id.config.auth;
+
+import java.util.Hashtable;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * This class contains the parameters for verifying all the infoboxes configured for an
+ * online application.
+ *
+ * @author Harald Bratko
+ */
+public class VerifyInfoboxParameters {
+
+ /**
+ * A map of {@link VerifyInfoboxParameter} objects.
+ * Each of these objects contains parameters that maybe needed for validating an
+ * infobox.
+ */
+ private Map infoboxParameters_;
+
+ /**
+ * A list of the identifiers of the infoboxes supported by this
+ * VerifyInfoboxParameters;
+ */
+ private List identifiers_;
+
+ /**
+ * Holds the (comma separated) identifiers of those infoboxes MOA-IF is able to validate
+ * in the context of the actual online application.
+ * The string will be added as value of the <code>PushInfobox</code> parameter in the
+ * HTML form used for reading the infoboxes from the BKU.
+ */
+ private String pushInfobox_;
+
+ /**
+ * Initializes this VerifyInfoboxParameters with an empty {@link #infoboxParameters_}
+ * map.
+ */
+ public VerifyInfoboxParameters() {
+ infoboxParameters_ = new Hashtable();
+ pushInfobox_ = "";
+ }
+
+ /**
+ * Initializes this VerifyInfoboxParameters with the given
+ * <code>infoboxParameters</code> map and builds the {@link #pushInfobox_} string
+ * from the keys of the given map.
+ */
+ public VerifyInfoboxParameters(List identifiers, Map infoboxParameters) {
+ identifiers_ = identifiers;
+ infoboxParameters_ = infoboxParameters;
+ // build the pushInfobox string
+ if ((identifiers != null) && (!identifiers.isEmpty())) {
+ StringBuffer identifiersSB = new StringBuffer();
+ int identifiersNum = identifiers.size();
+ int i = 1;
+ Iterator it = identifiers.iterator();
+ while (it.hasNext()) {
+ identifiersSB.append((String)it.next());
+ if (i != identifiersNum) {
+ identifiersSB.append(",");
+ }
+ i++;
+ }
+ pushInfobox_ = identifiersSB.toString();
+ } else {
+ pushInfobox_ = "";
+ }
+ }
+
+ /**
+ * Returns the (comma separated) identifiers of the infoboxes configured for the actual
+ * online application.
+ *
+ * @see #pushInfobox_
+ *
+ * @return The (comma separated) identifiers of the infoboxes configured for the actual
+ * online application.
+ */
+ public String getPushInfobox() {
+ return pushInfobox_;
+ }
+
+ /**
+ * Sets the {@link #pushInfobox_} string.
+ *
+ * @param pushInfobox The pushInfobox string to be set.
+ */
+ public void setPushInfobox(String pushInfobox) {
+ pushInfobox_ = pushInfobox;
+ }
+
+ /**
+ * Returns map of {@link VerifyInfoboxParameter} objects.
+ * Each of these objects contains parameters that maybe needed for validating an
+ * infobox.
+ *
+ * @return The map of {@link VerifyInfoboxParameter} objects.
+ */
+ public Map getInfoboxParameters() {
+ return infoboxParameters_;
+ }
+
+ /**
+ * Sets the map of {@link VerifyInfoboxParameter} objects.
+ *
+ * @see #infoboxParameters_
+ *
+ * @param infoboxParameters The infoboxParameters to set.
+ */
+ public void setInfoboxParameters(Map infoboxParameters) {
+ infoboxParameters_ = infoboxParameters;
+ }
+
+ /**
+ * Returns the identifiers of the supported infoboxes.
+ *
+ * @return The identifiers.
+ */
+ public List getIdentifiers() {
+ return identifiers_;
+ }
+
+ /**
+ * Sets the identifiers.
+ *
+ * @param identifiers The identifiers to set.
+ */
+ public void setIdentifiers(List identifiers) {
+ identifiers_ = identifiers;
+ }
+
+}