aboutsummaryrefslogtreecommitdiff
path: root/id.server/src/at/gv/egovernment
diff options
context:
space:
mode:
authorharald.bratko <harald.bratko@d688527b-c9ab-4aba-bd8d-4036d912da1d>2005-07-22 15:11:48 +0000
committerharald.bratko <harald.bratko@d688527b-c9ab-4aba-bd8d-4036d912da1d>2005-07-22 15:11:48 +0000
commitc8223bd5aaf9466fb6c72fe8a5a13b1b105b7c17 (patch)
treeb5ecda8d6df344cb3ebe245c24ccb012686d175d /id.server/src/at/gv/egovernment
parent44a961d0df8d9721b1bdb8185e3a68df762c5ba6 (diff)
downloadmoa-id-spss-c8223bd5aaf9466fb6c72fe8a5a13b1b105b7c17.tar.gz
moa-id-spss-c8223bd5aaf9466fb6c72fe8a5a13b1b105b7c17.tar.bz2
moa-id-spss-c8223bd5aaf9466fb6c72fe8a5a13b1b105b7c17.zip
updated for wbPK
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@398 d688527b-c9ab-4aba-bd8d-4036d912da1d
Diffstat (limited to 'id.server/src/at/gv/egovernment')
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java171
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java2
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java96
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java65
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java54
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java72
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java8
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxReadRequestBuilder.java71
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java49
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/data/SAMLAttribute.java109
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java65
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java37
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java38
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java1
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java3
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java7
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java98
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java21
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java164
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java48
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java122
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/config/proxy/OAConfiguration.java26
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/config/proxy/OAProxyParameter.java41
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/data/AuthenticationData.java60
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/proxy/parser/AuthenticationDataAssertionParser.java14
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java3
26 files changed, 1099 insertions, 346 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 4c44e807c..8cb71402f 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -1,6 +1,7 @@
package at.gv.egovernment.moa.id.auth;
import iaik.pki.PKIException;
+import iaik.x509.X509Certificate;
import java.io.IOException;
import java.security.GeneralSecurityException;
@@ -12,6 +13,8 @@ import java.util.Iterator;
import java.util.Map;
import java.util.Set;
+import javax.xml.transform.TransformerException;
+
import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.AuthenticationException;
@@ -47,6 +50,7 @@ import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidat
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.ConfigurationProvider;
import at.gv.egovernment.moa.id.config.ConnectionParameter;
+import at.gv.egovernment.moa.id.config.OAParameter;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.AuthenticationData;
@@ -55,7 +59,9 @@ import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.id.util.SSLUtils;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.BoolUtils;
+import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.DateTimeUtils;
import at.gv.egovernment.moa.util.FileUtils;
@@ -139,8 +145,6 @@ public class AuthenticationServer implements MOAIDAuthConstants {
throw new AuthenticationException("auth.07", new Object[] { authURL + "*" });
if (isEmpty(authURL))
throw new WrongParametersException("StartAuthentication", "AuthURL");
- if (isEmpty(target))
- throw new WrongParametersException("StartAuthentication", PARAM_TARGET);
if (isEmpty(oaURL))
throw new WrongParametersException("StartAuthentication", PARAM_OA);
@@ -154,6 +158,17 @@ public class AuthenticationServer implements MOAIDAuthConstants {
AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oaURL);
if (oaParam == null)
throw new AuthenticationException("auth.00", new Object[] { oaURL });
+
+ if (!oaParam.getBusinessService()) {
+ if (isEmpty(target))
+ throw new WrongParametersException("StartAuthentication", PARAM_TARGET);
+ } else {
+ if (!isEmpty(target)) {
+ Logger.info("Ignoring target parameter thus application type is \"businessService\"");
+ }
+ target = null;
+ }
+
AuthenticationSession session = newSession();
Logger.info("MOASession " + session.getSessionID() + " angelegt");
session.setTarget(target);
@@ -161,6 +176,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
session.setPublicOAURLPrefix(oaParam.getPublicURLPrefix());
session.setAuthURL(authURL);
session.setTemplateURL(templateURL);
+ session.setBusinessService(oaParam.getBusinessService());
String returnURL =
new DataURLBuilder().buildDataURL(authURL, REQ_START_AUTHENTICATION, session.getSessionID());
String bkuSelectionType = AuthConfigurationProvider.getInstance().getBKUSelectionType();
@@ -258,28 +274,45 @@ public class AuthenticationServer implements MOAIDAuthConstants {
AuthConfigurationProvider.FRONTEND_SERVLETS_ENABLE_HTTP_CONNECTION_PROPERTY);
if ((!authURL.startsWith("https:")) && (false == BoolUtils.valueOf(boolStr)))
throw new AuthenticationException("auth.07", new Object[] { authURL + "*" });
- if (isEmpty(target))
- throw new WrongParametersException("StartAuthentication", PARAM_TARGET);
if (isEmpty(oaURL))
throw new WrongParametersException("StartAuthentication", PARAM_OA);
}
AuthenticationSession session;
- if (sessionID != null)
+ OAAuthParameter oaParam;
+ if (sessionID != null) {
session = getSession(sessionID);
- else {
- OAAuthParameter oaParam =
+ oaParam =
+ AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
+ session.getPublicOAURLPrefix());
+ } else {
+ oaParam =
AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oaURL);
if (oaParam == null)
throw new AuthenticationException("auth.00", new Object[] { oaURL });
+ if (!oaParam.getBusinessService()) {
+ if (isEmpty(target))
+ throw new WrongParametersException("StartAuthentication", PARAM_TARGET);
+ } else {
+ target = null;
+ }
session = newSession();
Logger.info("MOASession " + session.getSessionID() + " angelegt");
session.setTarget(target);
session.setOAURLRequested(oaURL);
session.setPublicOAURLPrefix(oaParam.getPublicURLPrefix());
session.setAuthURL(authURL);
- session.setTemplateURL(templateURL);
+ session.setTemplateURL(templateURL);
+ session.setBusinessService(oaParam.getBusinessService());
+ }
+ // BKU URL has not been set yet, even if session already exists
+ if (bkuURL == null) {
+ bkuURL = DEFAULT_BKU;
}
- String infoboxReadRequest = new InfoboxReadRequestBuilder().build();
+ session.setBkuURL(bkuURL);
+ String infoboxReadRequest =
+ new InfoboxReadRequestBuilder().build(oaParam.getSlVersion12(),
+ oaParam.getBusinessService(),
+ oaParam.getIdentityLinkDomainIdentifier());
String dataURL =
new DataURLBuilder().buildDataURL(
session.getAuthURL(),
@@ -296,7 +329,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
ex);
}
}
- String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder().build();
+ String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder().build(oaParam.getSlVersion12());
String certInfoDataURL =
new DataURLBuilder().buildDataURL(
session.getAuthURL(),
@@ -371,25 +404,38 @@ public class AuthenticationServer implements MOAIDAuthConstants {
// debug output
if(null != domVerifyXMLSignatureResponse)
OutputXML2File.debugOutputXML2File("VerifyIdentityLinkResponse.xml", domVerifyXMLSignatureResponse, DEBUG_OUTPUT_HIERARCHY);
+ if (identityLink.getIdentificationType().equalsIgnoreCase(Constants.URN_PREFIX_BASEID)) {
+ }
+
+ OAAuthParameter oaParam =
+ AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
+ session.getPublicOAURLPrefix());
+
+ // if OA is type is business service the manifest validation result has to be ignored
+ boolean ignoreManifestValidationResult = oaParam.getBusinessService() ? true : false;
+
// validates the <VerifyXMLSignatureResponse>
VerifyXMLSignatureResponseValidator.getInstance().validate(
verifyXMLSignatureResponse,
authConf.getIdentityLinkX509SubjectNames(),
- VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK);
+ VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK,
+ ignoreManifestValidationResult);
session.setIdentityLink(identityLink);
// builds the AUTH-block
String authBlock = buildAuthenticationBlock(session);
- session.setAuthBlock(authBlock);
+// session.setAuthBlock(authBlock);
// builds the <CreateXMLSignatureRequest>
- String[] transformInfos = authConf.getTransformsInfos();
-
- OAAuthParameter oaParam =
- AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
- session.getPublicOAURLPrefix());
-
+ String[] transformsInfos = oaParam.getTransformsInfos();
+ if ((transformsInfos == null) || (transformsInfos.length == 0)) {
+ // no OA specific transforms specified, use default ones
+ transformsInfos = authConf.getTransformsInfos();
+ }
String createXMLSignatureRequest =
- new CreateXMLSignatureRequestBuilder().build(authBlock, oaParam.getKeyBoxIdentifier(), transformInfos);
+ new CreateXMLSignatureRequestBuilder().build(authBlock,
+ oaParam.getKeyBoxIdentifier(),
+ transformsInfos,
+ oaParam.getSlVersion12());
return createXMLSignatureRequest;
}
/**
@@ -401,12 +447,21 @@ public class AuthenticationServer implements MOAIDAuthConstants {
IdentityLink identityLink = session.getIdentityLink();
String issuer = identityLink.getGivenName() + " " + identityLink.getFamilyName();
String gebDat = identityLink.getDateOfBirth();
+ String identificationValue = identityLink.getIdentificationValue();
+ String identificationType = identityLink.getIdentificationType();
String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance());
String authURL = session.getAuthURL();
String target = session.getTarget();
String oaURL = session.getPublicOAURLPrefix();
- String authBlock =
- new AuthenticationBlockAssertionBuilder().build(issuer, issueInstant, authURL, target, oaURL, gebDat);
+ String authBlock = new AuthenticationBlockAssertionBuilder().buildAuthBlock(issuer,
+ issueInstant,
+ authURL,
+ target,
+ identificationValue,
+ identificationType,
+ oaURL,
+ gebDat);
+
return authBlock;
}
/**
@@ -450,13 +505,18 @@ public class AuthenticationServer implements MOAIDAuthConstants {
AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
// parses <CreateXMLSignatureResponse>
CreateXMLSignatureResponse csresp =
- new CreateXMLSignatureResponseParser(xmlCreateXMLSignatureReadResponse).parseResponse();
+ new CreateXMLSignatureResponseParser(xmlCreateXMLSignatureReadResponse).parseResponse();
+ try {
+ String serializedAssertion = DOMUtils.serializeNode(csresp.getSamlAssertion());
+ session.setAuthBlock(serializedAssertion);
+ } catch (TransformerException e) {
+ throw new ParseException("parser.04", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE});
+ } catch (IOException e) {
+ throw new ParseException("parser.04", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE});
+ }
// validates <CreateXMLSignatureResponse>
- new CreateXMLSignatureResponseValidator().validate(
- csresp,
- session.getTarget(),
- session.getPublicOAURLPrefix());
- // builds a <VerifyXMLSignatureRequest> for a MOA-SPSS call
+ new CreateXMLSignatureResponseValidator().validate(csresp, session);
+ // builds a <VerifyXMLSignatureRequest> for a MOA-SPSS call
String[] vtids = authConf.getMoaSpAuthBlockVerifyTransformsInfoIDs();
String tpid = authConf.getMoaSpAuthBlockTrustProfileID();
Element domVsreq = new VerifyXMLSignatureRequestBuilder().build(csresp, vtids, tpid);
@@ -474,7 +534,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
VerifyXMLSignatureResponseValidator.getInstance().validate(
vsresp,
null,
- VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK);
+ VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK,
+ true);
// compares the public keys from the identityLink with the AuthBlock
VerifyXMLSignatureResponseValidator.getInstance().validateCertificate(
vsresp,
@@ -507,36 +568,64 @@ public class AuthenticationServer implements MOAIDAuthConstants {
IdentityLink identityLink = session.getIdentityLink();
AuthenticationData authData = new AuthenticationData();
+ OAAuthParameter oaParam =
+ AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
+ session.getPublicOAURLPrefix());
+ boolean businessService = oaParam.getBusinessService();
authData.setMajorVersion(1);
authData.setMinorVersion(0);
authData.setAssertionID(Random.nextRandom());
authData.setIssuer(session.getAuthURL());
authData.setIssueInstant(DateTimeUtils.buildDateTime(Calendar.getInstance()));
- String bpkBase64 =
- new BPKBuilder().buildBPK(
- identityLink.getIdentificationValue(),
- session.getTarget());
- authData.setIdentificationType(identityLink.getIdentificationType());
- authData.setPBK(bpkBase64);
+
+ authData.setIdentificationType(identityLink.getIdentificationType());
authData.setGivenName(identityLink.getGivenName());
authData.setFamilyName(identityLink.getFamilyName());
authData.setDateOfBirth(identityLink.getDateOfBirth());
authData.setQualifiedCertificate(verifyXMLSigResp.isQualifiedCertificate());
authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority());
authData.setPublicAuthorityCode(verifyXMLSigResp.getPublicAuthorityCode());
- OAAuthParameter oaParam =
- AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
- session.getPublicOAURLPrefix());
- String prPerson = new PersonDataBuilder().build(identityLink, oaParam.getProvideStammzahl());
-
- try {
+ authData.setBkuURL(session.getBkuURL());
+ boolean provideStammzahl = oaParam.getProvideStammzahl();
+ if (provideStammzahl) {
+ authData.setIdentificationValue(identityLink.getIdentificationValue());
+ }
+ String prPerson = new PersonDataBuilder().build(identityLink, provideStammzahl);
+
+ try {
+ String signerCertificateBase64 = "";
+ if (oaParam.getProvideCertifcate()) {
+ X509Certificate signerCertificate = verifyXMLSigResp.getX509certificate();
+ if (signerCertificate != null) {
+ signerCertificateBase64 = Base64Utils.encode(signerCertificate.getEncoded());
+ } else {
+ Logger.info("\"provideCertificate\" is \"true\", but no signer certificate available");
+ }
+ }
+ authData.setSignerCertificate(signerCertificateBase64);
+ if (businessService) {
+ authData.setWPBK(identityLink.getIdentificationValue());
+ } else {
+ // only compute bPK if online applcation is a public service
+ String bpkBase64 =
+ new BPKBuilder().buildBPK(
+ identityLink.getIdentificationValue(),
+ session.getTarget());
+ authData.setPBK(bpkBase64);
+ }
String ilAssertion =
oaParam.getProvideIdentityLink()
? DOMUtils.serializeNode(identityLink.getSamlAssertion())
: "";
String authBlock = oaParam.getProvideAuthBlock() ? session.getAuthBlock() : "";
String samlAssertion =
- new AuthenticationDataAssertionBuilder().build(authData, prPerson, authBlock, ilAssertion);
+ new AuthenticationDataAssertionBuilder().build(authData,
+ prPerson,
+ authBlock,
+ ilAssertion,
+ session.getBkuURL(),
+ signerCertificateBase64,
+ businessService);
authData.setSamlAssertion(samlAssertion);
return authData;
} catch (Throwable ex) {
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index ddba20049..15d21b4b9 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -16,6 +16,8 @@ public interface MOAIDAuthConstants {
public static final String PARAM_BKU = "bkuURI";
/** servlet parameter &quot;BKUSelectionTemplate&quot; */
public static final String PARAM_BKUTEMPLATE = "BKUSelectionTemplate";
+ /** default BKU URL */
+ public static final String DEFAULT_BKU = "http://localhost:3495/http-security-layer-request";
/** servlet parameter &quot;returnURI&quot; */
public static final String PARAM_RETURN = "returnURI";
/** servlet parameter &quot;Template&quot; */
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index 41f439d04..ec412deb3 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -12,26 +12,39 @@ import at.gv.egovernment.moa.util.Constants;
* @version $Id$
*/
public class AuthenticationBlockAssertionBuilder implements Constants {
- /** private static String nl contains the NewLine representation in Java*/
+ /** the NewLine representation in Java*/
private static String nl = "\n";
- /** private static String AUTH_BLOCK contains an XML-Auth-Block-Template */
+ /** template for the Auth-Block */
private static String AUTH_BLOCK =
- "<saml:Assertion xmlns:saml=''" + SAML_NS_URI + "'' MajorVersion=''1'' MinorVersion=''0'' AssertionID=''any'' Issuer=''{0}'' IssueInstant=''{1}''>" + nl +
- " <saml:AttributeStatement>" + nl +
- " <saml:Subject>" + nl +
- " <saml:NameIdentifier>{2}</saml:NameIdentifier>" + nl +
- " </saml:Subject>" + nl +
- " <saml:Attribute AttributeName=''Geschaeftsbereich'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl +
- " <saml:AttributeValue>{3}</saml:AttributeValue>" + nl +
- " </saml:Attribute>" + nl +
- " <saml:Attribute AttributeName=''OA'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl +
- " <saml:AttributeValue>{4}</saml:AttributeValue>" + nl +
- " </saml:Attribute>" + nl +
- " <saml:Attribute AttributeName=''Geburtsdatum'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl +
- " <saml:AttributeValue>{5}</saml:AttributeValue>" + nl +
- " </saml:Attribute>" + nl +
- " </saml:AttributeStatement>" + nl +
- "</saml:Assertion>";
+ "<saml:Assertion xmlns:saml=''" + SAML_NS_URI + "''{0} MajorVersion=''1'' MinorVersion=''0'' AssertionID=''any'' Issuer=''{1}'' IssueInstant=''{2}''>" + nl +
+ " <saml:AttributeStatement>" + nl +
+ " <saml:Subject>" + nl +
+ " <saml:NameIdentifier>{3}</saml:NameIdentifier>" + nl +
+ " </saml:Subject>" + nl +
+ "{4}" +
+ " <saml:Attribute AttributeName=''OA'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl +
+ " <saml:AttributeValue>{5}</saml:AttributeValue>" + nl +
+ " </saml:Attribute>" + nl +
+ " <saml:Attribute AttributeName=''Geburtsdatum'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl +
+ " <saml:AttributeValue>{6}</saml:AttributeValue>" + nl +
+ " </saml:Attribute>" + nl +
+ " </saml:AttributeStatement>" + nl +
+ "</saml:Assertion>";
+
+ private static String GESCHAEFTS_BEREICH_ATTRIBUTE =
+ " <saml:Attribute AttributeName=''Geschaeftsbereich'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl +
+ " <saml:AttributeValue>{0}</saml:AttributeValue>" + nl +
+ " </saml:Attribute>" + nl;
+
+ private static String WBPK_ATTRIBUTE =
+ " <saml:Attribute AttributeName=''wbPK'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl +
+ " <saml:AttributeValue>" + nl +
+ " <pr:Identification>" + nl +
+ " <pr:Value>{0}</pr:Value>" + nl +
+ " <pr:Type>{1}</pr:Type>" + nl +
+ " </pr:Identification>" + nl +
+ " </saml:AttributeValue>" + nl +
+ " </saml:Attribute>" + nl;
/**
* Constructor for AuthenticationBlockAssertionBuilder.
@@ -39,21 +52,56 @@ public class AuthenticationBlockAssertionBuilder implements Constants {
public AuthenticationBlockAssertionBuilder() {
super();
}
+
/**
- * Builds the authentication block <code>&lt;saml:Assertion&gt;</code>.
+ * Builds the authentication block <code>&lt;saml:Assertion&gt;</code>
*
* @param issuer authentication block issuer; <code>"GivenName FamilyName"</code>
* @param issueInstant current timestamp
* @param authURL URL of MOA-ID authentication component
- * @param target "Gesch&auml;ftsbereich"
+ * @param target "Gesch&auml;ftsbereich"; maybe <code>null</code> if the application
+ * is a business application
+ * @param identityLinkValue the content of the <code>&lt;pr:Value&gt;</code>
+ * child element of the <code>&lt;pr:Identification&gt;</code>
+ * element derived from the Identitylink; this is the
+ * value of the <code>wbPK</code>;
+ * maybe <code>null</code> if the application is a public service
+ * @param identiyLinkType the content of the <code>&lt;pr:Type&gt;</code>
+ * child element of the <code>&lt;pr:Identification&gt;</code>
+ * element derived from the Identitylink; this includes the
+ * URN prefix and the identification number of the business
+ * application used as input for wbPK computation;
+ * maybe <code>null</code> if the application is a public service
* @param oaURL public URL of online application requested
* @return String representation of authentication block
* <code>&lt;saml:Assertion&gt;</code> built
*/
- public String build(String issuer, String issueInstant, String authURL, String target, String oaURL, String GebDat) {
- String assertion = MessageFormat.format(
- AUTH_BLOCK, new Object[] { issuer, issueInstant, authURL, target, oaURL, GebDat});
- return assertion;
+ public String buildAuthBlock(String issuer,
+ String issueInstant,
+ String authURL,
+ String target,
+ String identityLinkValue,
+ String identityLinkType,
+ String oaURL,
+ String GebDat)
+ {
+
+ String gebeORwbpk = "";
+ String wbpkNSDeclaration = "";
+ if (target == null) {
+ // OA is a business application
+ gebeORwbpk = MessageFormat.format(
+ WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
+ wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\" xmlns:si=\"" + PD_NS_URI + "\"";
+ } else {
+ gebeORwbpk = MessageFormat.format(
+ GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
+ }
+
+ String assertion = MessageFormat.format(
+ AUTH_BLOCK, new Object[] { wbpkNSDeclaration, issuer, issueInstant, authURL, gebeORwbpk, oaURL, GebDat});
+ return assertion;
+
}
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java
index eaf9aa0ae..cdb660010 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java
@@ -26,19 +26,23 @@ public class AuthenticationDataAssertionBuilder implements Constants {
" MajorVersion=''1'' MinorVersion=''0'' AssertionID=''{0}'' Issuer=''{1}'' IssueInstant=''{2}''>" + NL +
" <saml:AttributeStatement>" + NL +
" <saml:Subject>" + NL +
- " <saml:NameIdentifier NameQualifier=''urn:publicid:gv.at:cdid+bPK''>{3}</saml:NameIdentifier>" + NL +
+ " <saml:NameIdentifier NameQualifier=''{3}''>{4}</saml:NameIdentifier>" + NL +
" <saml:SubjectConfirmation>" + NL +
" <saml:ConfirmationMethod>" + MOA_NS_URI + "cm</saml:ConfirmationMethod>" + NL +
- " <saml:SubjectConfirmationData>{4}{5}</saml:SubjectConfirmationData>" + NL +
+ " <saml:SubjectConfirmationData>{5}{6}</saml:SubjectConfirmationData>" + NL +
" </saml:SubjectConfirmation>" + NL +
" </saml:Subject>" + NL +
" <saml:Attribute AttributeName=''PersonData'' AttributeNamespace=''" + PD_NS_URI + "''>" + NL +
- " <saml:AttributeValue>{6}</saml:AttributeValue>" + NL +
+ " <saml:AttributeValue>{7}</saml:AttributeValue>" + NL +
" </saml:Attribute>" + NL +
" <saml:Attribute AttributeName=''isQualifiedCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
- " <saml:AttributeValue>{7}</saml:AttributeValue>" + NL +
+ " <saml:AttributeValue>{8}</saml:AttributeValue>" + NL +
" </saml:Attribute>" + NL +
- "{8}" +
+ " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
+ " <saml:AttributeValue>{9}</saml:AttributeValue>" + NL +
+ " </saml:Attribute>" + NL +
+ "{10}" +
+ "{11}" +
" </saml:AttributeStatement>" + NL +
"</saml:Assertion>";
/**
@@ -49,6 +53,11 @@ public class AuthenticationDataAssertionBuilder implements Constants {
" <saml:Attribute AttributeName=''isPublicAuthority'' AttributeNamespace=''urn:oid:1.2.40.0.10.1.1.1''>" + NL +
" <saml:AttributeValue>{0}</saml:AttributeValue>" + NL +
" </saml:Attribute>" + NL;
+
+ private static final String SIGNER_CERTIFICATE_ATT =
+ " <saml:Attribute AttributeName=''SignerCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
+ " <saml:AttributeValue>{0}</saml:AttributeValue>" + NL +
+ " </saml:Attribute>" + NL;
/**
* Constructor for AuthenticationDataAssertionBuilder.
@@ -67,6 +76,12 @@ public class AuthenticationDataAssertionBuilder implements Constants {
* <code>lt;saml:SubjectConfirmationData&gt;</code> element; may include
* the <code>"Stammzahl"</code> or not; may be empty
* @param xmlIdentityLink the IdentityLink
+ * @param signerCertificateBase64 Base64 encoded certificate of the signer. Maybe
+ * an empty string if the signer certificate should not be provided.
+ * Will be ignored if the <code>businessService</code> parameter is
+ * set to <code>false</code>.
+ * @param businessService <code>true</code> if the online application is a
+ * business service, otherwise <code>false</code>
* @return the <code>&lt;saml:Assertion&gt;</code>
* @throws BuildException if an error occurs during the build process
*/
@@ -74,7 +89,10 @@ public class AuthenticationDataAssertionBuilder implements Constants {
AuthenticationData authData,
String xmlPersonData,
String xmlAuthBlock,
- String xmlIdentityLink) throws BuildException {
+ String xmlIdentityLink,
+ String bkuURL,
+ String signerCertificateBase64,
+ boolean businessService) throws BuildException {
String isQualifiedCertificate = authData.isQualifiedCertificate() ? "true" : "false";
String publicAuthorityAttribute = "";
@@ -85,17 +103,38 @@ public class AuthenticationDataAssertionBuilder implements Constants {
publicAuthorityAttribute = MessageFormat.format(
PUBLIC_AUTHORITY_ATT, new Object[] { publicAuthorityIdentification });
}
-
+
+
+ String signerCertificateAttribute = "";
+ if (signerCertificateBase64 != "") {
+ signerCertificateAttribute = MessageFormat.format(
+ SIGNER_CERTIFICATE_ATT, new Object[] { signerCertificateBase64 });
+ }
+
+ String pkType;
+ String pkValue;
+ if (businessService) {
+ pkType = authData.getIdentificationType();
+ pkValue = authData.getWPBK();
+
+ } else {
+ pkType = URN_PREFIX_BPK;
+ pkValue = authData.getPBK();
+ }
+
String assertion = MessageFormat.format(AUTH_DATA, new Object[] {
- authData.getAssertionID(),
+ authData.getAssertionID(),
authData.getIssuer(),
authData.getIssueInstant(),
- authData.getPBK(),
- removeXMLDeclaration(xmlAuthBlock),
- removeXMLDeclaration(xmlIdentityLink),
+ pkType,
+ pkValue,
+ removeXMLDeclaration(xmlAuthBlock),
+ removeXMLDeclaration(xmlIdentityLink),
removeXMLDeclaration(xmlPersonData),
- isQualifiedCertificate,
- publicAuthorityAttribute});
+ isQualifiedCertificate,
+ bkuURL,
+ publicAuthorityAttribute,
+ signerCertificateAttribute});
return assertion;
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java
index 5ceb1d1c0..cb6c8b31b 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java
@@ -1,9 +1,13 @@
package at.gv.egovernment.moa.id.auth.builder;
+import java.io.File;
import java.io.IOException;
+import java.text.MessageFormat;
import at.gv.egovernment.moa.id.BuildException;
+import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.FileUtils;
+import at.gv.egovernment.moa.util.StringUtils;
/**
* Builder for the <code>&lt;VerifyXMLSignatureRequest&gt;</code> structure
@@ -12,10 +16,26 @@ import at.gv.egovernment.moa.util.FileUtils;
* @author Paul Ivancsics
* @version $Id$
*/
-public class CertInfoVerifyXMLSignatureRequestBuilder extends Builder {
+public class CertInfoVerifyXMLSignatureRequestBuilder extends Builder implements Constants {
/** special tag in the VerifyXMLRequest template to be substituted for a <code>&lt;dsig:Signature&gt;</code> */
private static final String SIGNATURE_TAG = "<dsig:Signature/>";
+
+ /** private static String nl contains the NewLine representation in Java*/
+ private static final String nl = "\n";
+ /**
+ * XML template for the CertInfoVerifyXMLSignatureRequest to be built
+ */
+ static final String CERTINFO_REQUEST =
+ "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + nl +
+ "<{0}:VerifyXMLSignatureRequest {2} xmlns:xml=\"" + XML_NS_URI + "\" xmlns:dsig=\"" + DSIG_NS_URI + "\">" + nl +
+ " <{0}:SignatureInfo>" + nl +
+ " <{0}:SignatureEnvironment>" + nl +
+ " <{1}:XMLContent xml:space=\"preserve\"><dsig:Signature/></{1}:XMLContent>" + nl +
+ " </{0}:SignatureEnvironment>" + nl +
+ " <{0}:SignatureLocation>//dsig:Signature</{0}:SignatureLocation>" + nl +
+ " </{0}:SignatureInfo>" + nl +
+ "</{0}:VerifyXMLSignatureRequest>";
/**
* Constructor
@@ -28,16 +48,30 @@ public class CertInfoVerifyXMLSignatureRequestBuilder extends Builder {
* @return the XML structure
* @throws BuildException
*/
- public String build() throws BuildException {
- String resCertInfoRequest = "resources/xmldata/CertInfoVerifyXMLSignatureRequest.xml";
- String resDsigSignature = "resources/xmldata/CertInfoDsigSignature.xml";
- String certInfoRequest;
- try {
- certInfoRequest = FileUtils.readResource(resCertInfoRequest, "UTF-8");
- }
- catch (IOException ex) {
- throw new BuildException("auth.04", new Object[] {resCertInfoRequest, ex.toString()});
+ public String build(boolean slVersion12) throws BuildException {
+
+ String sl10Prefix;
+ String sl11Prefix;
+ String slNsDeclaration;
+
+ if (slVersion12) {
+
+ sl10Prefix = SL12_PREFIX;
+ sl11Prefix = SL12_PREFIX;
+ slNsDeclaration = "xmlns:" + SL12_PREFIX + "=\"" + SL12_NS_URI + "\"";
+
+ } else {
+
+ sl10Prefix = SL10_PREFIX;
+ sl11Prefix = SL11_PREFIX;
+ slNsDeclaration = "xmlns:" + sl11Prefix + "=\"" + SL11_NS_URI + "\" xmlns:" + sl10Prefix + "=\"" + SL10_NS_URI + "\"";
+
}
+
+ String certInfoRequest = MessageFormat.format(CERTINFO_REQUEST, new Object[] {sl11Prefix, sl10Prefix, slNsDeclaration});
+ String resDsigSignature = "resources/xmldata/CertInfoDsigSignature.xml";
+
+
try {
String dsigSignature = FileUtils.readResource(resDsigSignature, "UTF-8");
certInfoRequest = replaceTag(certInfoRequest, SIGNATURE_TAG, dsigSignature);
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
index 48320c4f5..51429251e 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
@@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.auth.builder;
import java.text.MessageFormat;
import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.StringUtils;
/**
* Builder for the <code>&lt;CreateXMLSignatureRequest&gt;</code> structure
@@ -17,22 +18,23 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
private static final String nl = "\n";
/**
* XML template for the <code>&lt;moa:CreateXMLSignatureRequest&gt;</code> to be built
- */
+ */
private static final String CREATE_XML_SIGNATURE_REQUEST =
- "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>" + nl +
- "<sl11:CreateXMLSignatureRequest xmlns:dsig=''" + DSIG_NS_URI + "'' xmlns:sl10=''" + SL10_NS_URI + "'' xmlns:sl11=''" + SL11_NS_URI + "''>" + nl +
- " <sl11:KeyboxIdentifier>{1}</sl11:KeyboxIdentifier>" + nl +
- " <sl11:DataObjectInfo Structure=''detached''>" + nl +
- " <sl10:DataObject Reference=''''/>" + nl +
- "{2}" +
- " </sl11:DataObjectInfo>" + nl +
- " <sl11:SignatureInfo>" + nl +
- " <sl11:SignatureEnvironment>" + nl +
- " <sl10:XMLContent>{0}</sl10:XMLContent>" + nl +
- " </sl11:SignatureEnvironment>" + nl +
- " <sl11:SignatureLocation Index=''2''>/saml:Assertion</sl11:SignatureLocation>" + nl +
- " </sl11:SignatureInfo>" + nl +
- "</sl11:CreateXMLSignatureRequest>";
+ "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>" + nl +
+ "<{3}:CreateXMLSignatureRequest xmlns:dsig=''" + DSIG_NS_URI + "'' {5}>" + nl +
+ " <{3}:KeyboxIdentifier>{1}</{3}:KeyboxIdentifier>" + nl +
+ " <{3}:DataObjectInfo Structure=''detached''>" + nl +
+ " <{4}:DataObject Reference=''''/>" + nl +
+ "{2}" +
+ " </{3}:DataObjectInfo>" + nl +
+ " <{3}:SignatureInfo>" + nl +
+ " <{3}:SignatureEnvironment>" + nl +
+ " <{4}:XMLContent>{0}</{4}:XMLContent>" + nl +
+ " </{3}:SignatureEnvironment>" + nl +
+ " <{3}:SignatureLocation Index=''2''>/saml:Assertion</{3}:SignatureLocation>" + nl +
+ " </{3}:SignatureInfo>" + nl +
+ "</{3}:CreateXMLSignatureRequest>";
+
/**
* Constructor for CreateXMLSignatureRequestBuilder.
@@ -46,14 +48,46 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
*
* @param authBlock String representation of XML authentication block
* @param keyBoxIdentfier the key box identifier which will be used (e.g. CertifiedKeypair)
+ * @param slVersion12 specifies whether the Security Layer version number is 1.2 or not
* @return String representation of <code>&lt;CreateXMLSignatureRequest&gt;</code>
*/
- public String build(String authBlock, String keyBoxIdentifier, String[] dsigTransformInfos) {
- String dsigTransformInfosString = "";
- for (int i = 0; i < dsigTransformInfos.length; i++)
+ public String build(String authBlock, String keyBoxIdentifier, String[] dsigTransformInfos, boolean slVersion12) {
+
+ String sl10Prefix;
+ String sl11Prefix;
+ String slNsDeclaration;
+
+ String dsigTransformInfosString = "";
+ for (int i = 0; i < dsigTransformInfos.length; i++) {
dsigTransformInfosString += dsigTransformInfos[i];
+ }
+
+ if (slVersion12) {
+
+ // replace the SecurityLayer namespace prefixes and URIs within the transforms
+ dsigTransformInfosString = StringUtils.changeSLVersion(dsigTransformInfosString,
+ SL10_PREFIX, SL12_PREFIX,
+ SL10_NS_URI, SL12_NS_URI);
+ sl10Prefix = SL12_PREFIX;
+ sl11Prefix = SL12_PREFIX;
+ slNsDeclaration = "xmlns:" + SL12_PREFIX + "='" + SL12_NS_URI + "'";
+
+ } else {
+
+ sl10Prefix = SL10_PREFIX;
+ sl11Prefix = SL11_PREFIX;
+ slNsDeclaration = "xmlns:" + sl10Prefix + "='" + SL10_NS_URI + "' xmlns:" + sl11Prefix + "='" + SL11_NS_URI + "'";
+
+ }
+
String request = MessageFormat.format(
- CREATE_XML_SIGNATURE_REQUEST, new Object[] { authBlock, keyBoxIdentifier, dsigTransformInfosString });
+ CREATE_XML_SIGNATURE_REQUEST, new Object[] { authBlock,
+ keyBoxIdentifier,
+ dsigTransformInfosString,
+ sl11Prefix,
+ sl10Prefix,
+ slNsDeclaration });
+
return request;
}
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
index dbc14804d..4fb5b0837 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
@@ -27,8 +27,6 @@ public class GetIdentityLinkFormBuilder extends Builder {
/** special tag in the HTML template to be substituted for the certificate info data URL */
private static final String CERTINFO_DATAURL_TAG = "<CertInfoDataURL>";
- /** default BKU URL */
- private static final String DEFAULT_BKU = "http://localhost:3495/http-security-layer-request";
/** default HTML template */
private static final String DEFAULT_HTML_TEMPLATE =
"<meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\">" + nl +
@@ -84,11 +82,11 @@ public class GetIdentityLinkFormBuilder extends Builder {
throws BuildException {
String htmlForm = htmlTemplate == null ? DEFAULT_HTML_TEMPLATE : htmlTemplate;
- String bku = bkuURL == null ? DEFAULT_BKU : bkuURL;
- htmlForm = replaceTag(htmlForm, BKU_TAG, bku);
+// String bku = bkuURL == null ? DEFAULT_BKU : bkuURL;
+ htmlForm = replaceTag(htmlForm, BKU_TAG, bkuURL);
htmlForm = replaceTag(htmlForm, XMLREQUEST_TAG, encodeParameter(xmlRequest));
htmlForm = replaceTag(htmlForm, DATAURL_TAG, dataURL);
- htmlForm = replaceTag(htmlForm, BKU_TAG, bku);
+ htmlForm = replaceTag(htmlForm, BKU_TAG, bkuURL);
htmlForm = replaceTag(htmlForm, CERTINFO_XMLREQUEST_TAG, encodeParameter(certInfoXMLRequest));
htmlForm = replaceTag(htmlForm, CERTINFO_DATAURL_TAG, certInfoDataURL);
return htmlForm;
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxReadRequestBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxReadRequestBuilder.java
index d3e100671..c2bafe43b 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxReadRequestBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxReadRequestBuilder.java
@@ -11,29 +11,76 @@ import at.gv.egovernment.moa.util.Constants;
*/
public class InfoboxReadRequestBuilder implements Constants {
- /**
- * XML template for the <code>&lt;sl10:InfoboxReadRequest&gt;</code> to be built
- */
- String INFOBOX_READ_REQUEST =
- "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>" +
- "<sl10:InfoboxReadRequest xmlns:sl10=\"" + SL10_NS_URI + "\">" +
- "<sl10:InfoboxIdentifier>IdentityLink</sl10:InfoboxIdentifier>" +
- "<sl10:BinaryFileParameters ContentIsXMLEntity=\"true\"/>" +
- "</sl10:InfoboxReadRequest>";
/**
* Constructor for InfoboxReadRequestBuilder.
*/
public InfoboxReadRequestBuilder() {
}
+
+
/**
* Builds an <code>&lt;InfoboxReadRequest&gt;</code>.
*
+ * @param slVersion12 specifies whether the Security Layer version is
+ * version 1.2 or not
+ * @param businessService specifies whether the online application is a
+ * business service or not
+ * @param identityLinkDomainIdentifier the identification number of the business
+ * company; maybe <code>null</code> if the OA
+ * is a public service; must not be <code>null</code>
+ * if the OA is a business service
+ *
* @return <code>&lt;InfoboxReadRequest&gt;</code> as String
*/
- public String build() {
- String request = INFOBOX_READ_REQUEST;
- return request;
+ public String build(boolean slVersion12, boolean businessService, String identityLinkDomainIdentifier) {
+
+ String slPrefix;
+ String slNsDeclaration;
+
+ if (slVersion12) {
+ slPrefix = SL12_PREFIX;
+ slNsDeclaration = SL12_NS_URI;
+ } else {
+ slPrefix = SL10_PREFIX;
+ slNsDeclaration = SL10_NS_URI;
+ }
+
+ StringBuffer sb = new StringBuffer("<?xml version=\"1.0\" encoding=\"UTF-8\" ?>");
+ sb.append("<");
+ sb.append(slPrefix);
+ sb.append(":InfoboxReadRequest xmlns:");
+ sb.append(slPrefix);
+ sb.append("=\"");
+ sb.append(slNsDeclaration);
+ sb.append("\">");
+ sb.append("<");
+ sb.append(slPrefix);
+ sb.append(":InfoboxIdentifier>IdentityLink</");
+ sb.append(slPrefix);
+ sb.append(":InfoboxIdentifier>");
+ sb.append("<");
+ sb.append(slPrefix);
+ sb.append(":BinaryFileParameters ContentIsXMLEntity=\"true\"/>");
+ if (businessService) {
+ sb.append("<");
+ sb.append(slPrefix);
+ sb.append(":BoxSpecificParameters>");
+ sb.append("<");
+ sb.append(slPrefix);
+ sb.append(":IdentityLinkDomainIdentifier>");
+ sb.append(identityLinkDomainIdentifier);
+ sb.append("</sl:IdentityLinkDomainIdentifier>");
+ sb.append("</");
+ sb.append(slPrefix);
+ sb.append(":BoxSpecificParameters>");
+ }
+ sb.append("</");
+ sb.append(slPrefix);
+ sb.append(":InfoboxReadRequest>");
+
+ return sb.toString();
+
}
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
index ba4a9e367..27d91bf1f 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
@@ -15,7 +15,8 @@ public class AuthenticationSession {
*/
private String sessionID;
/**
- * "Gesch&auml;ftsbereich" the online application belongs to
+ * "Gesch&auml;ftsbereich" the online application belongs to; maybe <code>null</code>
+ * if the online application is a business application
*/
private String target;
/**
@@ -34,6 +35,10 @@ public class AuthenticationSession {
* HTML template URL
*/
private String templateURL;
+ /**
+ * URL of the BKU
+ */
+ private String bkuURL;
/**
* identity link read from smartcard
*/
@@ -49,8 +54,13 @@ public class AuthenticationSession {
/**
* timestamp logging when identity link has been received
*/
- private Date timestampIdentityLink;
-
+ private Date timestampIdentityLink;
+ /**
+ * Indicates whether the corresponding online application is a business
+ * service or not
+ */
+ private boolean businessService;
+
/**
* Constructor for AuthenticationSession.
*
@@ -108,6 +118,14 @@ public class AuthenticationSession {
public String getPublicOAURLPrefix() {
return oaPublicURLPrefix;
}
+
+ /**
+ * Returns the BKU URL.
+ * @return String
+ */
+ public String getBkuURL() {
+ return bkuURL;
+ }
/**
* Returns the target.
@@ -132,6 +150,14 @@ public class AuthenticationSession {
public void setPublicOAURLPrefix(String url) {
this.oaPublicURLPrefix = url;
}
+
+ /**
+ * Sets the bkuURL
+ * @param url The BKU URL to set
+ */
+ public void setBkuURL(String url) {
+ this.bkuURL = url;
+ }
/**
* Sets the target.
@@ -180,6 +206,23 @@ public class AuthenticationSession {
public Date getTimestampIdentityLink() {
return timestampIdentityLink;
}
+
+ /**
+ * Returns the businessService.
+ * @return <code>true</code> if the corresponding online application is
+ * a business application, otherwise <code>false</code>
+ */
+ public boolean getBusinessService() {
+ return businessService;
+ }
+
+ /**
+ * Sets the businessService variable.
+ * @param businessService the value for setting the businessService variable.
+ */
+ public void setBusinessService(boolean businessService) {
+ this.businessService = businessService;
+ }
/**
* Returns the timestampStart.
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/SAMLAttribute.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/SAMLAttribute.java
index c787b2a81..76ba6366d 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/data/SAMLAttribute.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/SAMLAttribute.java
@@ -9,17 +9,18 @@ package at.gv.egovernment.moa.id.auth.data;
*
*/
public class SAMLAttribute {
-/** the name to be stored */
-private String name;
-/** the namespace to be stored */
-private String namespace;
-/** the value to be stored */
-private String value;
+
+ /** the name to be stored */
+ private String name;
+ /** the namespace to be stored */
+ private String namespace;
+ /** the value to be stored */
+ private Object value;
/**
* Constructor for SAMLAttribute.
*/
- public SAMLAttribute(String name, String namespace, String value) {
+ public SAMLAttribute(String name, String namespace, Object value) {
this.name = name;
this.namespace = namespace;
@@ -27,52 +28,52 @@ private String value;
}
-/**
- * Returns the name.
- * @return String
- */
-public String getName() {
- return name;
-}
-
-/**
- * Returns the namespace.
- * @return String
- */
-public String getNamespace() {
- return namespace;
-}
-
-/**
- * Returns the value.
- * @return String
- */
-public String getValue() {
- return value;
-}
-
-/**
- * Sets the name.
- * @param name The name to set
- */
-public void setName(String name) {
- this.name = name;
-}
-
-/**
- * Sets the namespace.
- * @param namespace The namespace to set
- */
-public void setNamespace(String namespace) {
- this.namespace = namespace;
-}
-
-/**
- * Sets the value.
- * @param value The value to set
- */
-public void setValue(String value) {
- this.value = value;
-}
+ /**
+ * Returns the name.
+ * @return String
+ */
+ public String getName() {
+ return name;
+ }
+
+ /**
+ * Returns the namespace.
+ * @return String
+ */
+ public String getNamespace() {
+ return namespace;
+ }
+
+ /**
+ * Returns the value.
+ * @return String
+ */
+ public Object getValue() {
+ return value;
+ }
+
+ /**
+ * Sets the name.
+ * @param name The name to set
+ */
+ public void setName(String name) {
+ this.name = name;
+ }
+
+ /**
+ * Sets the namespace.
+ * @param namespace The namespace to set
+ */
+ public void setNamespace(String namespace) {
+ this.namespace = namespace;
+ }
+
+ /**
+ * Sets the value.
+ * @param value The value to set
+ */
+ public void setValue(Object value) {
+ this.value = value;
+ }
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java
index 1079a48de..094fa091f 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java
@@ -6,9 +6,11 @@ import java.util.ArrayList;
import java.util.List;
import org.w3c.dom.Element;
+import org.w3c.dom.Node;
import org.w3c.dom.traversal.NodeIterator;
-import at.gv.egovernment.moa.id.*;
+import at.gv.egovernment.moa.id.AuthenticationException;
+import at.gv.egovernment.moa.id.ParseException;
import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
import at.gv.egovernment.moa.util.Constants;
@@ -27,16 +29,13 @@ public class CreateXMLSignatureResponseParser {
//
// XPath namespace prefix shortcuts
//
- /** Xpath prefix for reaching SecurityLayer 1.0 Namespaces */
- private static final String SL10 = Constants.SL10_PREFIX + ":";
- /** Xpath prefix for reaching SecurityLayer 1.1 Namespaces */
- private static final String SL11 = Constants.SL11_PREFIX + ":";
+
/** Xpath prefix for reaching SAML Namespaces */
private static final String SAML = Constants.SAML_PREFIX + ":";
/** Xpath prefix for reaching XML-DSIG Namespaces */
private static final String DSIG = Constants.DSIG_PREFIX + ":";
/** Xpath expression to the root element */
- private static final String ROOT = "/" + SL11 + "CreateXMLSignatureResponse/";
+ private static final String ROOT = ":CreateXMLSignatureResponse/";
/** Xpath expression to the SAML:Assertion element */
private static final String SAML_ASSERTION_XPATH = ROOT + SAML + "Assertion";
/** Xpath expression to the SAML:NameIdentifier element */
@@ -45,7 +44,8 @@ public class CreateXMLSignatureResponseParser {
private static final String SAML_ATTRIBUTE_XPATH = SAML_ASSERTION_XPATH + "/" + SAML + "AttributeStatement/" + SAML + "Attribute";
/** Xpath expression to the AttributeValue element */
private static final String SAML_ATTRIBUTE_VALUE_XPATH = SAML + "AttributeValue";
-
+
+
/** This is the root element of the XML-Document provided by the Security Layer Card */
private Element sigResponse;
@@ -89,6 +89,7 @@ public class CreateXMLSignatureResponseParser {
try {
sigResponse = DOMUtils.parseXmlValidating(is);
+
}
catch (Throwable t) {
throw new ParseException("parser.01", new Object[] { t.toString()}, t);
@@ -114,17 +115,23 @@ public class CreateXMLSignatureResponseParser {
public CreateXMLSignatureResponse parseResponse() throws ParseException {
CreateXMLSignatureResponse cResp;
try {
-
cResp = new CreateXMLSignatureResponse();
- cResp.setSamlNameIdentifier(XPathUtils.getElementValue(sigResponse, SAML_SUBJECT_NAME_IDENTIFIER_XPATH, null));
- cResp.setSamlAssertion((Element) XPathUtils.selectSingleNode(sigResponse, SAML_ASSERTION_XPATH));
- NodeIterator attrIter = XPathUtils.selectNodeIterator(sigResponse, SAML_ATTRIBUTE_XPATH);
+ String slPrefix = sigResponse.getPrefix();
+ cResp.setSamlNameIdentifier(XPathUtils.getElementValue(sigResponse, "/" + slPrefix + SAML_SUBJECT_NAME_IDENTIFIER_XPATH, null));
+ cResp.setSamlAssertion((Element) XPathUtils.selectSingleNode(sigResponse, "/" + slPrefix + SAML_ASSERTION_XPATH));
+ NodeIterator attrIter = XPathUtils.selectNodeIterator(sigResponse, "/" + slPrefix + SAML_ATTRIBUTE_XPATH);
Element samlAttr;
List samlAttributes = new ArrayList();
while ((samlAttr = (Element) attrIter.nextNode()) != null) {
String attrName = XPathUtils.getAttributeValue(samlAttr, "@AttributeName", "");
String attrNamespace = XPathUtils.getAttributeValue(samlAttr, "@AttributeNamespace", "");
- String attrValue = XPathUtils.getElementValue(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH, "");
+ Object attrValue;
+ if ("wbPK".equals(attrName)) {
+ Element attrValueElem = (Element)XPathUtils.selectSingleNode(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH);
+ attrValue = DOMUtils.getElementFromNodeList(attrValueElem.getChildNodes());
+ } else {
+ attrValue = XPathUtils.getElementValue(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH, "");
+ }
samlAttributes.add(new SAMLAttribute(attrName, attrNamespace, attrValue));
}
SAMLAttribute[] result = new SAMLAttribute[samlAttributes.size()];
@@ -136,5 +143,37 @@ public class CreateXMLSignatureResponseParser {
}
return cResp;
}
-
+
+// public CreateXMLSignatureResponse parseResponse1() throws ParseException {
+// CreateXMLSignatureResponse cResp;
+// try {
+// cResp = new CreateXMLSignatureResponse();
+// Element samlAssertion = (Element)sigResponse.getElementsByTagNameNS(Constants.SAML_NS_URI, "Assertion").item(0);
+// cResp.setSamlAssertion(samlAssertion);
+// Element samlAttributeStatement = (Element)samlAssertion.getElementsByTagNameNS(Constants.SAML_NS_URI, "AttributeStatement").item(0);
+// Element samlSubject = (Element)samlAttributeStatement.getElementsByTagNameNS(Constants.SAML_NS_URI, "Subject").item(0);
+// Element samlNameIdentifier = (Element)samlSubject.getElementsByTagNameNS(Constants.SAML_NS_URI, "NameIdentifier").item(0);
+// cResp.setSamlNameIdentifier(samlNameIdentifier.getFirstChild().getNodeValue());
+// NodeList nl = samlAttributeStatement.getElementsByTagNameNS(Constants.SAML_NS_URI, "Attribute");
+// List samlAttributes = new ArrayList();
+// for (int i=0; i<nl.getLength(); i++) {
+// Element samlAttribute = (Element)nl.item(i);
+// String attrName = samlAttribute.getAttribute("AttributeName");
+// String attrNamespace = samlAttribute.getAttribute("AttributeNamespace");
+// String attrValue = ((Element)samlAttribute.getElementsByTagNameNS(Constants.SAML_NS_URI, "AttributeValue").item(0)).getFirstChild().getNodeValue();
+// samlAttributes.add(new SAMLAttribute(attrName, attrNamespace, attrValue));
+// }
+// SAMLAttribute[] result = new SAMLAttribute[samlAttributes.size()];
+// samlAttributes.toArray(result);
+// cResp.setSamlAttributes(result);
+// }
+// catch (Throwable t) {
+// throw new ParseException("parser.01", new Object[] { t.toString()}, t);
+// }
+// return cResp;
+// }
+
+
+
+
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java
index 4fbc58977..a952b2066 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java
@@ -6,7 +6,6 @@ import java.io.InputStream;
import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.ParseException;
-import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.XPathUtils;
@@ -18,20 +17,6 @@ import at.gv.egovernment.moa.util.XPathUtils;
*/
public class ErrorResponseParser {
- //
- // XPath namespace prefix shortcuts
- //
- /** Xpath prefix for reaching SecurityLayer 1.0 Namespaces */
- private static final String SL10 = Constants.SL10_PREFIX + ":";
- /** Xpath expression to the root element */
- private static final String ROOT = "/" + SL10 + "ErrorResponse/";
- /** Xpath expression to the ErrorCode element */
- private static final String ERROR_CODE_XPATH =
- ROOT + SL10 + "ErrorCode";
- /** Xpath expression to the Info element */
- private static final String ERROR_INFO_XPATH =
- ROOT + SL10 + "Info";
-
/** This is the root element of the XML-Document provided by the Security Layer Card */
private Element errorElement;
@@ -72,8 +57,16 @@ public class ErrorResponseParser {
* @return String
*/
public String getErrorCode() {
-
- return XPathUtils.getElementValue(errorElement,ERROR_CODE_XPATH,null);
+
+ String slPrefix = errorElement.getPrefix();
+ StringBuffer sb = new StringBuffer("/");
+ sb.append(slPrefix);
+ sb.append(":ErrorResponse/");
+ sb.append(slPrefix);
+ sb.append(":ErrorCode");
+ String errorCodeXPath = sb.toString();
+ return XPathUtils.getElementValue(errorElement,errorCodeXPath,null);
+
}
/**
@@ -82,7 +75,15 @@ public class ErrorResponseParser {
*/
public String getErrorInfo() {
- return XPathUtils.getElementValue(errorElement,ERROR_INFO_XPATH,null);
+ String slPrefix = errorElement.getPrefix();
+ StringBuffer sb = new StringBuffer("/");
+ sb.append(slPrefix);
+ sb.append(":ErrorResponse/");
+ sb.append(slPrefix);
+ sb.append(":Info");
+ String errorInfoXPath = sb.toString();
+ return XPathUtils.getElementValue(errorElement,errorInfoXPath,null);
+
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java
index 012a5b559..05272a695 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java
@@ -19,17 +19,17 @@ import at.gv.egovernment.moa.util.XPathUtils;
*/
public class InfoboxReadResponseParser {
- //
- // XPath namespace prefix shortcuts
- //
- /** Xpath prefix for reaching SecurityLayer 1.0 Namespaces */
- private static final String SL10 = Constants.SL10_PREFIX + ":";
- /** Xpath prefix for reaching SAML Namespaces */
- private static final String SAML = Constants.SAML_PREFIX + ":";
- /** Xpath expression to the root element */
- private static final String ROOT = "/" + SL10 + "InfoboxReadResponse/";
- /** Xpath expression to the SAML:Assertion element */
- private static final String SAML_ASSERTION_XPATH = ROOT + SL10 + "BinaryFileData/" + SL10 + "XMLContent/" + SAML + "Assertion";
+// //
+// // XPath namespace prefix shortcuts
+// //
+// /** Xpath prefix for reaching SecurityLayer 1.0 Namespaces */
+// private static final String SL10 = Constants.SL10_PREFIX + ":";
+// /** Xpath prefix for reaching SAML Namespaces */
+// private static final String SAML = Constants.SAML_PREFIX + ":";
+// /** Xpath expression to the root element */
+// private static final String ROOT = "/" + SL10 + "InfoboxReadResponse/";
+// /** Xpath expression to the SAML:Assertion element */
+// private static final String SAML_ASSERTION_XPATH = ROOT + SL10 + "BinaryFileData/" + SL10 + "XMLContent/" + SAML + "Assertion";
/** This is the root element of the XML-Document provided by the Security Layer Card*/
private Element infoBoxElem;
@@ -86,8 +86,21 @@ public class InfoboxReadResponseParser {
*/
public String parseSAMLAssertion() throws ParseException {
try {
- Element samlAssertion = (Element) XPathUtils.selectSingleNode(infoBoxElem, SAML_ASSERTION_XPATH);
+
+ String slPrefix = infoBoxElem.getPrefix();
+ StringBuffer sb = new StringBuffer("/");
+ sb.append(slPrefix);
+ sb.append(":InfoboxReadResponse/");
+ sb.append(slPrefix);
+ sb.append(":BinaryFileData/");
+ sb.append(slPrefix);
+ sb.append(":XMLContent/");
+ sb.append(Constants.SAML_PREFIX);
+ sb.append(":Assertion");
+ String samlAssertionXPath = sb.toString();
+ Element samlAssertion = (Element) XPathUtils.selectSingleNode(infoBoxElem, samlAssertionXPath);
return DOMUtils.serializeNode(samlAssertion);
+
}
catch (Throwable t) {
throw new ParseException("parser.01", new Object[] { t.toString()}, t);
@@ -105,5 +118,6 @@ public class InfoboxReadResponseParser {
IdentityLinkAssertionParser ilParser = new IdentityLinkAssertionParser(samlAssertionString);
return ilParser.parseIdentityLink();
}
+
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
index e628cb997..e0f3fcaff 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java
@@ -121,6 +121,7 @@ public class VerifyXMLSignatureResponseParser {
*/
public VerifyXMLSignatureResponse parseData() throws ParseException {
+
VerifyXMLSignatureResponse respData=new VerifyXMLSignatureResponse();
try {
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java
index 50d3225d2..4dc69c70b 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java
@@ -78,8 +78,7 @@ public class SelectBKUServlet extends AuthServlet {
resp.setContentType("text/html");
resp.sendRedirect(redirectURL);
Logger.info("REDIRECT TO: " + redirectURL);
- }
- else {
+ } else {
// bkuSelectionType==HTMLSelect
String htmlForm = returnValue;
resp.setContentType("text/html;charset=UTF-8");
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
index 89748da3f..d0f11c3bf 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
@@ -58,7 +58,8 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet {
* <ul>
* <li>Status: <code>302</code></li>
* <li>Header <code>"Location"</code>: URL of the online application requested, with
- * parameters <code>"Target"</code> and <code>"SAMLArtifact"</code> added</li>
+ * parameters <code>"Target"</code>(only if the online application is
+ * a public service) and <code>"SAMLArtifact"</code> added</li>
* <li>Error status: <code>500</code>
* </ul>
* @see AuthenticationServer#verifyAuthenticationBlock
@@ -80,7 +81,9 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet {
String samlArtifactBase64 =
AuthenticationServer.getInstance().verifyAuthenticationBlock(sessionID, createXMLSignatureResponse);
String redirectURL = session.getOAURLRequested();
- redirectURL = addURLParameter(redirectURL, PARAM_TARGET, session.getTarget());
+ if (!session.getBusinessService()) {
+ redirectURL = addURLParameter(redirectURL, PARAM_TARGET, session.getTarget());
+ }
redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8"));
redirectURL = resp.encodeRedirectURL(redirectURL);
resp.setContentType("text/html");
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 3c15b9ec4..2eafaa297 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.auth.validator;
import org.w3c.dom.Element;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
import at.gv.egovernment.moa.util.Constants;
@@ -17,7 +18,7 @@ import at.gv.egovernment.moa.util.XPathUtils;
*/
public class CreateXMLSignatureResponseValidator {
- /** Xpath prefix for reaching SecurityLayer 1.0 Namespaces */
+ /** Xpath prefix for reaching SAML Namespaces */
private static final String SAML = Constants.SAML_PREFIX + ":";
/** Xpath prefix for reaching XML-DSIG Namespaces */
private static final String DSIG = Constants.DSIG_PREFIX + ":";
@@ -59,45 +60,78 @@ public class CreateXMLSignatureResponseValidator {
* @param oaURL
* @throws ValidateException
*/
- public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, String gbTarget, String oaURL)
+ public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, AuthenticationSession session)
throws ValidateException {
// A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
-
-
- XPathUtils.selectNodeList(createXMLSignatureResponse.getSamlAssertion(),SAML_SUBJECT_NAME_IDENTIFIER_XPATH);
+
+ String gbTarget = session.getTarget();
+ String oaURL = session.getPublicOAURLPrefix();
+ boolean businessService = session.getBusinessService();
+
+// XPathUtils.selectNodeList(createXMLSignatureResponse.getSamlAssertion(),SAML_SUBJECT_NAME_IDENTIFIER_XPATH);
- SAMLAttribute[] samlattributes = createXMLSignatureResponse.getSamlAttributes();
+ SAMLAttribute[] samlattributes = createXMLSignatureResponse.getSamlAttributes();
- boolean foundOA = false;
- boolean foundGB = false;
- for (int i = 0; i < samlattributes.length; i++)
- {
- if (samlattributes[i].getName().equals("Geschaeftsbereich"))
- if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#"))
-
- {
- foundGB = true;
- if (!gbTarget.equals(samlattributes[i].getValue()))
- {
- throw new ValidateException("validator.13", null);
- }
+ boolean foundOA = false;
+ boolean foundGB = false;
+ boolean foundWBPK = false;
+
+ for (int i = 0; i < samlattributes.length; i++) {
+ if (samlattributes[i].getName().equals("Geschaeftsbereich")) {
+ if (businessService) {
+ throw new ValidateException("validator.26", null);
+ }
+ if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundGB = true;
+ if (!gbTarget.equals((String)samlattributes[i].getValue())) {
+ throw new ValidateException("validator.13", null);
+ }
+ } else {
+ throw new ValidateException("validator.12", null);
+ }
+ }
+ if (samlattributes[i].getName().equals("OA")) {
+ if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundOA = true;
+ if (!oaURL.equals((String)samlattributes[i].getValue())) { // CHECKS für die AttributeVALUES fehlen noch
+ throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlattributes[i].getValue()});
+ }
+ } else {
+ throw new ValidateException("validator.15", null);
+ }
+ }
+ if (samlattributes[i].getName().equals("wbPK")) {
+ if (!businessService) {
+ throw new ValidateException("validator.27", null);
+ }
+ if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundWBPK = true;
+ try {
+ Element attrValue = (Element)samlattributes[i].getValue();
+ String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
+ String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
+ if (!value.equals(session.getIdentityLink().getIdentificationValue())) {
+ throw new ValidateException("validator.28", null);
}
- else throw new ValidateException("validator.12", null);
- if (samlattributes[i].getName().equals("OA"))
- if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#"))
- {
- foundOA = true;
- if (!oaURL.equals(samlattributes[i].getValue())) // CHECKS für die AttributeVALUES fehlen noch
- {
- throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlattributes[i].getValue()});
- }
-
+ if (!type.equals(session.getIdentityLink().getIdentificationType())) {
+ throw new ValidateException("validator.28", null);
}
- else throw new ValidateException("validator.15", null);
- }
- if (!foundOA) throw new ValidateException("validator.14", null);
+ } catch (Exception ex) {
+ throw new ValidateException("validator.29", null);
+ }
+ } else {
+ throw new ValidateException("validator.30", null);
+ }
+ }
+ }
+
+ if (!foundOA) throw new ValidateException("validator.14", null);
+ if (businessService) {
+ if (!foundWBPK) throw new ValidateException("validator.31", null);
+ } else {
if (!foundGB) throw new ValidateException("validator.11", null);
+ }
//Check if dsig:Signature exists
Element dsigSignature = (Element) XPathUtils.selectSingleNode(createXMLSignatureResponse.getSamlAssertion(),DSIG + "Signature");
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 5adbc5b3d..1127b3f43 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -11,6 +11,7 @@ import iaik.x509.X509Certificate;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
+import at.gv.egovernment.moa.logging.Logger;
/**
* This class is used to validate an {@link VerifyXMLSignatureResponse}
@@ -46,11 +47,15 @@ public class VerifyXMLSignatureResponseValidator {
* @param verifyXMLSignatureResponse the <code>&lt;VerifyXMLSignatureResponse&gt;</code>
* @param identityLinkSignersSubjectDNNames subject names configured
* @param whatToCheck is used to identify whether the identityLink or the Auth-Block is validated
+ * @param ignoreManifestValidationResult specifies whether the validation result of the
+ * manifest has to be ignored (identityLink validation if
+ * the OA is a business service) or not
* @throws ValidateException on any validation error
*/
- public void validate(
- VerifyXMLSignatureResponse verifyXMLSignatureResponse,
- String[] identityLinkSignersSubjectDNNames, String whatToCheck)
+ public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse,
+ String[] identityLinkSignersSubjectDNNames,
+ String whatToCheck,
+ boolean ignoreManifestValidationResult)
throws ValidateException {
if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0)
@@ -74,9 +79,13 @@ public class VerifyXMLSignatureResponseValidator {
else
throw new ValidateException("validator.19", new Object[] { checkFailedReason } );
}
- if (verifyXMLSignatureResponse.isXmlDSIGManigest())
- if (verifyXMLSignatureResponse.getXmlDSIGManifestCheckCode() != 0)
- throw new ValidateException("validator.08", null);
+ if (ignoreManifestValidationResult) {
+ Logger.debug("OA type is business service, thus ignoring DSIG manifest validation result");
+ } else {
+ if (verifyXMLSignatureResponse.isXmlDSIGManigest())
+ if (verifyXMLSignatureResponse.getXmlDSIGManifestCheckCode() != 0)
+ throw new ValidateException("validator.08", null);
+ }
//Check whether the returned X509 SubjectName is in the MOA-ID configuration or not
if (identityLinkSignersSubjectDNNames != null) {
String subjectDN = "";
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
index 53f763630..c399b72b7 100644
--- a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
@@ -14,6 +14,7 @@ import java.util.Map;
import org.w3c.dom.Attr;
import org.w3c.dom.Element;
+import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.w3c.dom.traversal.NodeIterator;
@@ -27,6 +28,8 @@ import at.gv.egovernment.moa.util.BoolUtils;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.FileUtils;
+import at.gv.egovernment.moa.util.StringUtils;
+import at.gv.egovernment.moa.util.XPathException;
import at.gv.egovernment.moa.util.XPathUtils;
/**
@@ -73,7 +76,7 @@ public class ConfigurationBuilder {
private static final String AUTH_BKU_XPATH =
ROOT + CONF + "AuthComponent/" + CONF + "BKUSelection";
/** an XPATH-Expression */
- private static final String AUTH_SECLAYER_TRANSFORMS_INFO_FILENAME_XPATH =
+ public static final String AUTH_SECLAYER_TRANSFORMS_INFO_FILENAME_XPATH =
ROOT + CONF + "AuthComponent/" + CONF + "SecurityLayer/" + CONF + "TransformsInfo/@filename";
/** an XPATH-Expression */
private static final String AUTH_MOA_SP_XPATH =
@@ -102,6 +105,10 @@ public class ConfigurationBuilder {
/** an XPATH-Expression */
private static final String OA_AUTH_COMPONENT_XPATH = CONF + "AuthComponent";
/** an XPATH-Expression */
+ private static final String OA_AUTH_COMPONENT_IDENT_NUMBER_XPATH = CONF + "IdentificationNumber";
+ /** an XPATH-Expression */
+ private static final String OA_AUTH_COMPONENT_TRANSFORMS_INFO_FILENAME_XPATH = CONF + "TransformsInfo/@filename";
+ /** an XPATH-Expression */
private static final String OA_PROXY_COMPONENT_XPATH = CONF + "ProxyComponent";
/** an XPATH-Expression */
private static final String OA_PROXY_COMPONENT_ABSOLUTE_XPATH = ROOT + CONF + "OnlineApplication/" + CONF + "ProxyComponent";
@@ -134,6 +141,9 @@ public class ConfigurationBuilder {
private static final String OACONF_LOGIN_TYPE_XPATH =
ROOTOA + CONF + "LoginType";
/** an XPATH-Expression */
+ private static final String OACONF_BINDING_TYPE_XPATH =
+ ROOTOA + CONF + "Binding";
+ /** an XPATH-Expression */
private static final String OACONF_PARAM_AUTH_PARAMETER_XPATH =
ROOTOA + CONF + "ParamAuth/" + CONF + "Parameter";
/** an XPATH-Expression */
@@ -219,26 +229,50 @@ public class ConfigurationBuilder {
/**
* Build a string array with all filenames leading
* to the Transforms Information for the Security Layer
- * @return String[] of filenames to the Security Layer Transforms Information
+ * @param businessService <code>true</code> if the application is a
+ * business application, otherwise <code>false</code>
+ * @return String[] of filenames to the Security Layer Transforms Information
+ * or <code>null</code> if no transforms are included
*/
- public String[] buildTransformsInfoFileNames() {
-
+ public String[] buildTransformsInfoFileNames(Node contextNode, String xpathExpr) {
+
List transformsInfoFileNames = new ArrayList();
- NodeIterator tiIter =
- XPathUtils.selectNodeIterator(
- getConfigElem(),
- AUTH_SECLAYER_TRANSFORMS_INFO_FILENAME_XPATH);
- Attr tiElem;
-
- while ((tiElem = (Attr) tiIter.nextNode()) != null) {
-
- String tiFileName = tiElem.getNodeValue();
- transformsInfoFileNames.add(tiFileName);
+
+ try {
+ NodeIterator tiIter = XPathUtils.selectNodeIterator(contextNode, xpathExpr);
+
+ Attr tiElem;
+ while ((tiElem = (Attr) tiIter.nextNode()) != null) {
+ String tiFileName = tiElem.getNodeValue();
+ transformsInfoFileNames.add(tiFileName);
+ }
+
+ String[] result = new String[transformsInfoFileNames.size()];
+ transformsInfoFileNames.toArray(result);
+
+ return result;
+ } catch (XPathException xpe) {
+ return new String[0];
}
- String[] result = new String[transformsInfoFileNames.size()];
- transformsInfoFileNames.toArray(result);
-
- return result;
+ }
+
+
+ /**
+ * Loads the <code>transformsInfos</code> from files.
+ * @throws Exception on any exception thrown
+ */
+ public String[] loadTransformsInfos(String[] transformsInfoFileNames) throws Exception {
+
+ String[] transformsInfos = new String[transformsInfoFileNames.length];
+ for (int i = 0; i < transformsInfoFileNames.length; i++) {
+ String fileURL = transformsInfoFileNames[i];
+
+ //if fileURL is relative to rootConfigFileDir make it absolute
+ fileURL = FileUtils.makeAbsoluteURL(fileURL, rootConfigFileDir);
+ String transformsInfo = FileUtils.readURL(fileURL, DEFAULT_ENCODING);
+ transformsInfos[i] = transformsInfo;
+ }
+ return transformsInfos;
}
/**
@@ -311,6 +345,7 @@ public class ConfigurationBuilder {
return result;
}
+
/**
* Return a string array containing all X509 Subject Names
* of the Identity Link Signers
@@ -343,7 +378,7 @@ public class ConfigurationBuilder {
* with all relevant information for the authentication component of the online
* application
*/
- public OAAuthParameter[] buildOnlineApplicationAuthParameters() {
+ public OAAuthParameter[] buildOnlineApplicationAuthParameters() throws ConfigurationException {
List OA_set = new ArrayList();
NodeList OAIter = XPathUtils.selectNodeList(getConfigElem(), OA_XPATH);
@@ -354,16 +389,60 @@ public class ConfigurationBuilder {
(Element) XPathUtils.selectSingleNode(oAElem, OA_AUTH_COMPONENT_XPATH);
OAAuthParameter oap = new OAAuthParameter();
- oap.setPublicURLPrefix(oAElem.getAttribute("publicURLPrefix"));
+ String publicURLPrefix = oAElem.getAttribute("publicURLPrefix");
+ oap.setPublicURLPrefix(publicURLPrefix);
oap.setKeyBoxIdentier(oAElem.getAttribute("keyBoxIdentifier"));
+ // get the type of the online application
+ String oaType = oAElem.getAttribute("type");
+ oap.setOaType(oaType);
+ String slVersion = "1.1";
+ if ("businessService".equalsIgnoreCase(oaType)) {
+ if (authComponent==null) {
+ Logger.error("Missing \"AuthComponent\" for OA of type \"businessService\"");
+ throw new ConfigurationException("config.02", null);
+ }
+ Element identificationNumberElem =
+ (Element) XPathUtils.selectSingleNode(authComponent, OA_AUTH_COMPONENT_IDENT_NUMBER_XPATH);
+ if (identificationNumberElem==null) {
+ Logger.error("Missing \"IdentificationNumber\" for OA of type \"businessService\"");
+ throw new ConfigurationException("config.02", null);
+ }
+ Element identificationNumberChild = DOMUtils.getElementFromNodeList(identificationNumberElem.getChildNodes());
+ if (identificationNumberChild == null) {
+ Logger.error("Missing \"IdentificationNumber\" for OA of type \"businessService\"");
+ throw new ConfigurationException("config.02", null);
+ }
+ oap.setIdentityLinkDomainIdentifier(buildIdentityLinkDomainIdentifier(identificationNumberChild));
+
+ // if OA type is "businessSErvice" set slVersion to 1.2 and ignore parameter in config file
+ Logger.info("OA type is \"businessService\"; setting Security Layer version to 1.2");
+ slVersion = "1.2";
+
+ } else {
+
+ if (authComponent!=null) {
+ slVersion = authComponent.getAttribute("slVersion");
+ }
+
+ }
+ oap.setSlVersion(slVersion);
//Check if there is an Auth-Block to read from configuration
+
if (authComponent!=null)
{
oap.setProvideStammzahl(BoolUtils.valueOf(authComponent.getAttribute("provideStammzahl")));
oap.setProvideAuthBlock(BoolUtils.valueOf(authComponent.getAttribute("provideAUTHBlock")));
oap.setProvideIdentityLink(BoolUtils.valueOf(authComponent.getAttribute("provideIdentityLink")));
- }
+ oap.setProvideCertificate(BoolUtils.valueOf(authComponent.getAttribute("provideCertificate")));
+ // load OA specific transforms if present
+ String[] transformsInfoFileNames = buildTransformsInfoFileNames(authComponent, OA_AUTH_COMPONENT_TRANSFORMS_INFO_FILENAME_XPATH);
+ try {
+ oap.setTransformsInfos(loadTransformsInfos(transformsInfoFileNames));
+ } catch (Exception ex) {
+ Logger.error("Error loading transforms specified for OA \"" + publicURLPrefix + "\"; using default transforms.");
+ }
+ }
OA_set.add(oap);
}
OAAuthParameter[] result =
@@ -438,6 +517,7 @@ public class ConfigurationBuilder {
OAProxyParameter oap = new OAProxyParameter();
oap.setPublicURLPrefix(oAElem.getAttribute("publicURLPrefix"));
+ oap.setOaType(oAElem.getAttribute("type"));
Element proxyComponentElem = (Element) XPathUtils.selectSingleNode(oAElem,OA_PROXY_COMPONENT_XPATH);
if (proxyComponentElem != null) {
oap.setConfigFileURL(XPathUtils.getAttributeValue(oAElem, OA_PROXY_URL_XPATH, null));
@@ -503,8 +583,12 @@ public class ConfigurationBuilder {
OAConfiguration oaConfiguration = new OAConfiguration();
//The LoginType hast to be "stateless" or "stateful" to be valid
+
oaConfiguration.setLoginType(
XPathUtils.getElementValue(root, OACONF_LOGIN_TYPE_XPATH, null));
+
+ oaConfiguration.setBinding(
+ XPathUtils.getElementValue(root, OACONF_BINDING_TYPE_XPATH, OAConfiguration.BINDUNG_FULL));
//Try to build the Parameter Auth Parameters
NodeIterator paramAuthIter =
@@ -672,6 +756,44 @@ public class ConfigurationBuilder {
return ChainingModes.CHAIN_MODE;
}
}
+
+ /**
+ * Builds the IdentityLinkDomainIdentifier as needed for providing it to the
+ * SecurityLayer for computation of the wbPK.
+ * <p>e.g.:<br>
+ * input element:
+ * <br>
+ * <code>&lt;pr:Firmenbuchnummer shortForm="FN"&gt;000468 i&lt;/pr:Firmenbuchnummer&gt;</code>
+ * <p>
+ * return value: <code>urn:publicid:gv.at+wbpk+FN468i</code>
+ *
+ * @param number The element holding the identification number of the business
+ * company.
+ * @return
+ */
+ private String buildIdentityLinkDomainIdentifier(Element number) {
+ if (number == null) {
+ return null;
+ }
+ String identificationNumber = number.getFirstChild().getNodeValue();
+ // remove all blanks
+ identificationNumber = StringUtils.removeBlanks(identificationNumber);
+ if (number.getLocalName().equals("Firmenbuchnummer")) {
+ // delete zeros from the beginning of the number
+ identificationNumber = StringUtils.deleteLeadingZeros(identificationNumber);
+ // remove hyphens
+ identificationNumber = StringUtils.removeToken(identificationNumber, "-");
+ }
+ StringBuffer identityLinkDomainIdentifier = new StringBuffer(Constants.URN_PREFIX_WBPK);
+ identityLinkDomainIdentifier.append("+");
+ String shortForm = number.getAttribute("ShortForm");
+ if (!identificationNumber.startsWith(shortForm)) {
+ identityLinkDomainIdentifier.append(shortForm);
+ }
+ identityLinkDomainIdentifier.append("+");
+ identityLinkDomainIdentifier.append(identificationNumber);
+ return identityLinkDomainIdentifier.toString();
+ }
/**
* Method warn.
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index a722868e0..d354ba910 100644
--- a/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -88,12 +88,14 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
* multiple files can be given for different mime types
*/
private String[] transformsInfoFileNames;
+
/**
* transformations for rendering in the secure viewer of the security layer implementation,
* read from {@link transformsInfoFileNames};
* multiple transformation can be given for different mime types
*/
private String[] transformsInfos;
+
/**
* parameters for connection to MOA SP component
*/
@@ -218,8 +220,8 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
bKUSelectable = (bKUConnectionParameter!=null);
bKUSelectionType = builder.buildAuthBKUSelectionType();
genericConfiguration = builder.buildGenericConfiguration();
- transformsInfoFileNames = builder.buildTransformsInfoFileNames();
- loadTransformsInfos();
+ transformsInfoFileNames = builder.buildTransformsInfoFileNames(builder.getConfigElem(), ConfigurationBuilder.AUTH_SECLAYER_TRANSFORMS_INFO_FILENAME_XPATH);
+ transformsInfos = builder.loadTransformsInfos(transformsInfoFileNames);
moaSpConnectionParameter = builder.buildMoaSpConnectionParameter();
moaSpIdentityLinkTrustProfileID = builder.getMoaSpIdentityLinkTrustProfileID();
moaSpAuthBlockTrustProfileID = builder.getMoaSpAuthBlockTrustProfileID();
@@ -229,9 +231,9 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
defaultChainingMode = builder.getDefaultChainingMode();
chainingModes = builder.buildChainingModes();
trustedCACertificates = builder.getTrustedCACertificates();
- trustedCACertificates = FileUtils.makeAbsoluteURL(trustedCACertificates, rootConfigFileDir); }
+ trustedCACertificates = FileUtils.makeAbsoluteURL(trustedCACertificates, rootConfigFileDir);
- catch (Throwable t) {
+ } catch (Throwable t) {
throw new ConfigurationException("config.02", null, t);
}
}
@@ -240,17 +242,35 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
* Loads the <code>transformsInfos</code> from files.
* @throws Exception on any exception thrown
*/
- private void loadTransformsInfos() throws Exception {
-
- transformsInfos = new String[transformsInfoFileNames.length];
- for (int i = 0; i < transformsInfoFileNames.length; i++) {
- String fileURL = transformsInfoFileNames[i];
+// private void loadTransformsInfos() throws Exception {
+//
+// transformsInfos = new String[transformsInfoFileNames.length];
+// for (int i = 0; i < transformsInfoFileNames.length; i++) {
+// String fileURL = transformsInfoFileNames[i];
+//
+// //if fileURL is relative to rootConfigFileDir make it absolute
+// fileURL = FileUtils.makeAbsoluteURL(fileURL, rootConfigFileDir);
+// String transformsInfo = FileUtils.readURL(fileURL, DEFAULT_ENCODING);
+// transformsInfos[i] = transformsInfo;
+// }
+// }
+
+ /**
+ * Loads the <code>transformsInfos</code> from files.
+ * @throws Exception on any exception thrown
+ */
+ private String[] loadTransformsInfos(String[] transformsInfoFileNames) throws Exception {
+
+ String[] transformsInfos = new String[transformsInfoFileNames.length];
+ for (int i = 0; i < transformsInfoFileNames.length; i++) {
+ String fileURL = transformsInfoFileNames[i];
- //if fileURL is relative to rootConfigFileDir make it absolute
- fileURL = FileUtils.makeAbsoluteURL(fileURL, rootConfigFileDir);
- String transformsInfo = FileUtils.readURL(fileURL, DEFAULT_ENCODING);
- transformsInfos[i] = transformsInfo;
- }
+ //if fileURL is relative to rootConfigFileDir make it absolute
+ fileURL = FileUtils.makeAbsoluteURL(fileURL, rootConfigFileDir);
+ String transformsInfo = FileUtils.readURL(fileURL, DEFAULT_ENCODING);
+ transformsInfos[i] = transformsInfo;
+ }
+ return transformsInfos;
}
/**
* Return a string array with all filenames leading
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id.server/src/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 223abc632..ad4dd4b62 100644
--- a/id.server/src/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id.server/src/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -1,5 +1,7 @@
package at.gv.egovernment.moa.id.config.auth;
+import at.gv.egovernment.moa.id.config.OAParameter;
+
/**
* Configuration parameters belonging to an online application,
* to use with the MOA ID Auth component.
@@ -7,17 +9,32 @@ package at.gv.egovernment.moa.id.config.auth;
* @author Stefan Knirsch
* @version $Id$
*/
-public class OAAuthParameter {
-
- /**
- * public URL prefix of the online application
- */
- private String publicURLPrefix;
-
+public class OAAuthParameter extends OAParameter {
+ /**
+ * Sercurity Layer version
+ */
+ private String slVersion;
+ /**
+ * true, if the Security Layer version is version 1.2, otherwise false
+ */
+ private boolean slVersion12;
+ /**
+ * identityLinkDomainIdentifier
+ * (e.g <code>urn:publicid:gv.at+wbpk+FN468i</code> for a "Firmenbuchnummer")
+ * <br>
+ * only used within a business application context for providing it to the
+ * security layer as input for wbPK computation
+ */
+ private String identityLinkDomainIdentifier;
/**
* key box Identifier (e.g. CertifiedKeypair, SecureSignatureKeypair)
*/
private String keyBoxIdentifier;
+ /**
+ * transformations for rendering in the secure viewer of the security layer
+ * implementation; multiple transformation can be given for different mime types
+ */
+ private String[] transformsInfos;
/**
* determines whether "Stammzahl" is to be included in the authentication data
*/
@@ -30,7 +47,45 @@ public class OAAuthParameter {
* determines whether identity link is to be included in the authentication data
*/
private boolean provideIdentityLink;
-
+ /**
+ * determines whether the certificate is to be included in the authentication data
+ */
+ private boolean provideCertificate;
+
+ /**
+ * Returns <code>true</code> if the Security Layer version is version 1.2,
+ * otherwise <code>false</code>.
+ * @return <code>true</code> if the Security Layer version is version 1.2,
+ * otherwise <code>false</code>
+ */
+ public boolean getSlVersion12() {
+ return slVersion12;
+ }
+
+ /**
+ * Returns the security layer version.
+ * @return the security layer version.
+ */
+ public String getSlVersion() {
+ return slVersion;
+ }
+
+ /**
+ * Returns the identityLinkDomainIdentifier.
+ * @return the identityLinkDomainIdentifier.
+ */
+ public String getIdentityLinkDomainIdentifier() {
+ return identityLinkDomainIdentifier;
+ }
+
+ /**
+ * Returns the transformsInfos.
+ * @return the transformsInfos.
+ */
+ public String[] getTransformsInfos() {
+ return transformsInfos;
+ }
+
/**
* Returns the provideAuthBlock.
* @return String
@@ -54,15 +109,17 @@ public class OAAuthParameter {
public boolean getProvideStammzahl() {
return provideStammzahl;
}
-
+
/**
- * Returns the publicURLPrefix.
- * @return String
+ * Returns <code>true</code> if the certificate should be provided within the
+ * authentication data, otherwise <code>false</code>.
+ * @return <code>true</code> if the certificate should be provided,
+ * otherwise <code>false</code>
*/
- public String getPublicURLPrefix() {
- return publicURLPrefix;
+ public boolean getProvideCertifcate() {
+ return provideCertificate;
}
-
+
/**
* Returns the key box identifier.
* @return String
@@ -70,7 +127,32 @@ public class OAAuthParameter {
public String getKeyBoxIdentifier() {
return keyBoxIdentifier;
}
-
+ /**
+ * Sets the security layer version.
+ * Also sets {@link slVersion12} to <code>true</code> if the Security Layer
+ * version is 1.2.
+ * @param the security layer version to be used.
+ */
+ public void setSlVersion(String slVersion) {
+ this.slVersion = slVersion;
+ if ("1.2".equals(slVersion)) {
+ this.slVersion12 = true;
+ }
+ }
+ /**
+ * Sets the IdentityLinkDomainIdentifier.
+ * @param the IdentityLinkDomainIdentifiern number of the online application.
+ */
+ public void setIdentityLinkDomainIdentifier(String identityLinkDomainIdentifier) {
+ this.identityLinkDomainIdentifier = identityLinkDomainIdentifier;
+ }
+ /**
+ * Sets the transformsInfos.
+ * @param the transformsInfos to be used.
+ */
+ public void setTransformsInfos(String[] transformsInfos) {
+ this.transformsInfos = transformsInfos;
+ }
/**
* Sets the provideAuthBlock.
* @param provideAuthBlock The provideAuthBlock to set
@@ -94,13 +176,13 @@ public class OAAuthParameter {
public void setProvideStammzahl(boolean provideStammzahl) {
this.provideStammzahl = provideStammzahl;
}
-
+
/**
- * Sets the publicURLPrefix.
- * @param publicURLPrefix The publicURLPrefix to set
+ * Sets the provideCertificate variable.
+ * @param provideCertificate The provideCertificate value to set
*/
- public void setPublicURLPrefix(String publicURLPrefix) {
- this.publicURLPrefix = publicURLPrefix;
+ public void setProvideCertificate(boolean provideCertificate) {
+ this.provideCertificate = provideCertificate;
}
/**
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/proxy/OAConfiguration.java b/id.server/src/at/gv/egovernment/moa/id/config/proxy/OAConfiguration.java
index c9a13fee5..ef7c7e323 100644
--- a/id.server/src/at/gv/egovernment/moa/id/config/proxy/OAConfiguration.java
+++ b/id.server/src/at/gv/egovernment/moa/id/config/proxy/OAConfiguration.java
@@ -27,6 +27,14 @@ public class OAConfiguration {
/** Constant for an auth method */
public static final String PARAM_AUTH = "param";
+
+ /** Constant for binding */
+ public static final String BINDUNG_USERNAME = "userName";
+ /** Constant for binding */
+ public static final String BINDUNG_FULL = "full";
+ /** Constant for binding */
+ public static final String BINDUNG_NONE = "none";
+
/** login type: stateful or stateless */
String loginType;
/** authentication type: basic, header, or param */
@@ -45,6 +53,8 @@ public class OAConfiguration {
String basicAuthUserIDMapping;
/** mapping for password to be used in case of authentication type <code>"basic-auth"</code> */
String basicAuthPasswordMapping;
+ /** Binding for basic authentication */
+ String binding;
/**
* Returns the basicAuthPasswordMapping.
@@ -87,6 +97,14 @@ public class OAConfiguration {
}
/**
+ * Returns the binding.
+ * @return String
+ */
+ public String getBinding() {
+ return binding;
+ }
+
+ /**
* Sets the basicAuthPasswordMapping.
* @param basicAuthPasswordMapping The basicAuthPasswordMapping to set
*/
@@ -141,5 +159,13 @@ public class OAConfiguration {
public void setAuthType(String authLoginType) {
this.authType = authLoginType;
}
+
+ /**
+ * Sets the binding.
+ * @param binding The binding to be set.
+ */
+ public void setBinding (String binding) {
+ this.binding = binding;
+ }
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/proxy/OAProxyParameter.java b/id.server/src/at/gv/egovernment/moa/id/config/proxy/OAProxyParameter.java
index a16dcfa26..12b16c115 100644
--- a/id.server/src/at/gv/egovernment/moa/id/config/proxy/OAProxyParameter.java
+++ b/id.server/src/at/gv/egovernment/moa/id/config/proxy/OAProxyParameter.java
@@ -1,6 +1,7 @@
package at.gv.egovernment.moa.id.config.proxy;
import at.gv.egovernment.moa.id.config.ConnectionParameter;
+import at.gv.egovernment.moa.id.config.OAParameter;
/**
* Configuration parameters belonging to an online application,
@@ -9,12 +10,12 @@ import at.gv.egovernment.moa.id.config.ConnectionParameter;
* @author Stefan Knirsch
* @version $Id$
*/
-public class OAProxyParameter {
+public class OAProxyParameter extends OAParameter {
- /**
- * public URL prefix of the online application
- */
- private String publicURLPrefix;
+// /**
+// * public URL prefix of the online application
+// */
+// private String publicURLPrefix;
/**
* URL of online application configuration file;
* defaults to relative URL <code>/moaconfig.xml</code>
@@ -100,21 +101,21 @@ public class OAProxyParameter {
this.connectionParameter = proxyConnectionParameter;
}
- /**
- * Returns the publicURLPrefix.
- * @return String
- */
- public String getPublicURLPrefix() {
- return publicURLPrefix;
- }
-
- /**
- * Sets the publicURLPrefix.
- * @param publicURLPrefix The publicURLPrefix to set
- */
- public void setPublicURLPrefix(String url) {
- this.publicURLPrefix = url;
- }
+// /**
+// * Returns the publicURLPrefix.
+// * @return String
+// */
+// public String getPublicURLPrefix() {
+// return publicURLPrefix;
+// }
+//
+// /**
+// * Sets the publicURLPrefix.
+// * @param publicURLPrefix The publicURLPrefix to set
+// */
+// public void setPublicURLPrefix(String url) {
+// this.publicURLPrefix = url;
+// }
/**
* Returns the connectionBuilderImpl.
diff --git a/id.server/src/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id.server/src/at/gv/egovernment/moa/id/data/AuthenticationData.java
index 65fe9047d..8e0f3cbcf 100644
--- a/id.server/src/at/gv/egovernment/moa/id/data/AuthenticationData.java
+++ b/id.server/src/at/gv/egovernment/moa/id/data/AuthenticationData.java
@@ -44,6 +44,10 @@ public class AuthenticationData {
*/
private String bPK;
/**
+ * private sector-specific personal identifier (wbPK)
+ */
+ private String wbPK;
+ /**
* given name of the user
*/
private String givenName;
@@ -68,6 +72,14 @@ public class AuthenticationData {
*/
private String publicAuthorityCode;
/**
+ * The base64 encoded signer certificate.
+ */
+ private String signerCertificate;
+ /**
+ * URL of the BKU
+ */
+ private String bkuURL;
+ /**
* the corresponding <code>lt;saml:Assertion&gt;</code>
*/
private String samlAssertion;
@@ -122,6 +134,14 @@ public class AuthenticationData {
public String getPBK() {
return bPK;
}
+
+ /**
+ * Returns the wbPK.
+ * @return String the wbPK.
+ */
+ public String getWPBK() {
+ return wbPK;
+ }
/**
* Sets the minorVersion.
@@ -162,6 +182,14 @@ public class AuthenticationData {
public void setPBK(String bPK) {
this.bPK = bPK;
}
+
+ /**
+ * Sets the wbPK.
+ * @param wbPK The wbPK to set
+ */
+ public void setWPBK(String wbPK) {
+ this.wbPK = wbPK;
+ }
/**
* Returns the assertionID.
@@ -234,6 +262,22 @@ public class AuthenticationData {
public int getMajorVersion() {
return majorVersion;
}
+
+ /**
+ * Returns the BKU URL.
+ * @return String
+ */
+ public String getBkuURL() {
+ return bkuURL;
+ }
+
+ /**
+ * Returns the signer certificate.
+ * @return String
+ */
+ public String getSignerCertificate() {
+ return signerCertificate;
+ }
/**
* Sets the assertionID.
@@ -306,6 +350,22 @@ public class AuthenticationData {
public void setMajorVersion(int majorVersion) {
this.majorVersion = majorVersion;
}
+
+ /**
+ * Sets the bkuURL
+ * @param url The BKU URL to set
+ */
+ public void setBkuURL(String url) {
+ this.bkuURL = url;
+ }
+
+ /**
+ * Sets the signer certificate
+ * @param url The signer certificate
+ */
+ public void setSignerCertificate(String signerCertificate) {
+ this.signerCertificate = signerCertificate;
+ }
/**
* Returns the samlAssertion.
diff --git a/id.server/src/at/gv/egovernment/moa/id/proxy/parser/AuthenticationDataAssertionParser.java b/id.server/src/at/gv/egovernment/moa/id/proxy/parser/AuthenticationDataAssertionParser.java
index a78a8d587..9bbf13aca 100644
--- a/id.server/src/at/gv/egovernment/moa/id/proxy/parser/AuthenticationDataAssertionParser.java
+++ b/id.server/src/at/gv/egovernment/moa/id/proxy/parser/AuthenticationDataAssertionParser.java
@@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.proxy.parser;
import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.ParseException;
+import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.util.BoolUtils;
import at.gv.egovernment.moa.util.Constants;
@@ -40,10 +41,12 @@ public class AuthenticationDataAssertionParser implements Constants {
private static String ATTRIBUTESTATEMENT_XPATH =
SAML + "AttributeStatement/";
/** Prefix for Element NameIdentifier in an Xpath-expression */
- private static String BPK_XPATH =
+ private static String PK_XPATH =
ATTRIBUTESTATEMENT_XPATH +
SAML + "Subject/" +
SAML + "NameIdentifier";
+ private static String NAME_QUALIFIER_XPATH =
+ PK_XPATH + "/@NameQualifier";
/** Prefix for Element Person in an Xpath-expression */
private static String PERSONDATA_XPATH =
ATTRIBUTESTATEMENT_XPATH +
@@ -59,7 +62,6 @@ public class AuthenticationDataAssertionParser implements Constants {
PERSONDATA_XPATH +
PR + "Identification/" +
PR + "Type";
-
/** Prefix for Element GivenName in an Xpath-expression */
private static String GIVEN_NAME_XPATH =
PERSONDATA_XPATH +
@@ -117,8 +119,12 @@ public class AuthenticationDataAssertionParser implements Constants {
XPathUtils.getAttributeValue(samlAssertion, ISSUER_XPATH, ""));
authData.setIssueInstant(
XPathUtils.getAttributeValue(samlAssertion, ISSUE_INSTANT_XPATH, ""));
- authData.setPBK(
- XPathUtils.getElementValue(samlAssertion, BPK_XPATH, ""));
+ String pkValue = XPathUtils.getElementValue(samlAssertion, PK_XPATH, "");
+ if (XPathUtils.getAttributeValue(samlAssertion, NAME_QUALIFIER_XPATH, "").equalsIgnoreCase(URN_PREFIX_BPK)) {
+ authData.setPBK(pkValue);
+ } else {
+ authData.setWPBK(pkValue);
+ }
authData.setIdentificationValue(
XPathUtils.getElementValue(samlAssertion, IDENTIFICATION_VALUE_XPATH, ""));
authData.setIdentificationType(
diff --git a/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java b/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java
index f82ad93ed..7b077ebd9 100644
--- a/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java
+++ b/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java
@@ -79,7 +79,8 @@ public class ProxyServlet extends HttpServlet {
Logger.debug("getRequestURL:" + req.getRequestURL().toString());
try {
- if (req.getParameter(PARAM_SAMLARTIFACT) != null && req.getParameter(PARAM_TARGET) != null) {
+// if (req.getParameter(PARAM_SAMLARTIFACT) != null && req.getParameter(PARAM_TARGET) != null) {
+ if (req.getParameter(PARAM_SAMLARTIFACT) != null) {
// check if SAML Artifact was already used in this session (in case of page reload)
HttpSession session = req.getSession();