authorpeter.danner <peter.danner@d688527b-c9ab-4aba-bd8d-4036d912da1d>2006-11-29 20:57:05 +0000
committerpeter.danner <peter.danner@d688527b-c9ab-4aba-bd8d-4036d912da1d>2006-11-29 20:57:05 +0000
commit9aed84d1b240ccb6c8e460c04dbeeca66d979dc9 (patch)
tree50cbec7775f9c937fea596913eefd7fb50ea9919 /id.server/src/at
parentda960913a9e47c5f0d24dab0f1a1a001aa886e95 (diff)
binding support enhanced
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@731 d688527b-c9ab-4aba-bd8d-4036d912da1d
Diffstat (limited to 'id.server/src/at')
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java83
1 files changed, 71 insertions, 12 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java b/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java
index ff0f3a171..3d5220419 100644
--- a/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java
+++ b/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java
@@ -64,6 +64,8 @@ public class ProxyServlet extends HttpServlet {
/** Name of the Parameter for the SAMLArtifact */
private static final String PARAM_SAMLARTIFACT = "SAMLArtifact";
+ /** Name of the Attribute for marking the session as authenticated*/
+ private static final String ATT_AUTHDATAFETCHED = "AuthDataFetched";
/** Name of the Attribute for the PublicURLPrefix */
private static final String ATT_PUBLIC_URLPREFIX = "PublicURLPrefix";
/** Name of the Attribute for the RealURLPrefix */
@@ -174,7 +176,8 @@ public class ProxyServlet extends HttpServlet {
} catch (ProxyException ex) {
throw new ProxyException("proxy.14", new Object[] {ex.getMessage()}, ex);
}
-
+ session.setAttribute(ATT_AUTHDATAFETCHED, "true");
+
// read configuration data
ProxyConfigurationProvider proxyConf = ProxyConfigurationProvider.getInstance();
OAProxyParameter oaParam = proxyConf.getOnlineApplicationParameter(urlRequested);
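Review bot: The new `session.setAttribute(ATT_AUTHDATAFETCHED, "true")` at line 37 marks the session as authenticated, but nothing in this diff reads the attribute, so it is not visible here whether later requests are actually gated on it or what value the consumer compares against. Storing a `Boolean.TRUE` instead of the string `"true"` would make the check on the reading side a plain null/`Boolean` test rather than a string comparison, if no existing consumer already expects the string. The Javadoc on the constant (hunk at lines 24-31) should name where the flag is consumed, e.g. `/** Set once the authentication data for this session has been fetched; checked by [TODO name the consuming method] before proxying */`. The enclosing method begins and ends outside this hunk.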
@@ -351,6 +354,7 @@ public class ProxyServlet extends HttpServlet {
private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map loginHeaders, Map loginParameters, String publicURLPrefix, String realURLPrefix, SSLSocketFactory ssf, String binding)
throws IOException {
+ String originBinding = binding;
String browserUserID = "";
String browserPassword = "";
//URL url = new URL(realURLPrefix);
@@ -371,10 +375,12 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
String plaintextcredentials = new String(bplaintextcredentials);
browserUserID = plaintextcredentials.substring(0,plaintextcredentials.indexOf(":"));
browserPassword = plaintextcredentials.substring(plaintextcredentials.indexOf(":")+1);
- //Logger.debug("Analyzing authorization-header from browser: " + headerKeyValue + "gives UN:PW=" + browserUserID + ":" + browserPassword );
+ //deactivate following line for security
+ //if (INTERNAL_DEBUG) Logger.debug("Analyzing authorization-header from browser: " + headerKeyValue + "gives UN:PW=" + browserUserID + ":" + browserPassword );
}
if (headerKeyValue.substring(0,9).equalsIgnoreCase("Negotiate")) {
- //Logger.debug("Analyzing authorization-header from browser: Found NTLM Aut.: " + headerKeyValue + "gives UN:PW=" + browserUserID + ":" + browserPassword );
+ //deactivate following line for security
+ //if (INTERNAL_DEBUG) Logger.debug("Analyzing authorization-header from browser: Found NTLM Aut.: " + headerKeyValue + "gives UN:PW=" + browserUserID + ":" + browserPassword );
}
}
else
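Review bot: The credential-logging statements at lines 55 and 60 are kept as commented-out code rather than deleted, so the code path that decodes the browser's Authorization header and would write the plaintext user id and password to the log stays one uncomment away; the same pattern recurs in the hunk at lines 118-127 (line 124). Deleting those lines is the safer form, since version history keeps them, and the "deactivate for security" comment then becomes unnecessary. If a trace is genuinely needed, it should log only the scheme and the user id, e.g. `if (INTERNAL_DEBUG) Logger.debug("Authorization header from browser: scheme=Basic, user=" + browserUserID);`, never the password. tunnelRequest's body continues outside this hunk.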
@@ -390,10 +396,46 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
}
}
+
// collect login headers, possibly overwriting headers from request
String authorizationvalue="";
if (req.getSession().getAttribute(ATT_OA_AUTHORIZATION_HEADER)==null) {
+ if (OAConfiguration.BINDUNG_NOMATCH.equals(binding)) {
+ int loginTry = getLoginTry(req);
+ Logger.debug("Binding: mode = " + OAConfiguration.BINDUNG_NOMATCH + "(try #" + Integer.toString(loginTry) + ")");
+ if (loginTry==1) {
+ binding = OAConfiguration.BINDUNG_FULL;
+ } else {
+ binding = OAConfiguration.BINDUNG_USERNAME;
+ }
+ }
+
+ /* Soll auch bei anderen bindings zuerst ein passwort probiert werden können:
+ //if we have the first Login-Try and we have Binding to Username and a predefined Password we try this one first
+ // full binding will be covered by next block
+ if (loginTry==1 && !OAConfiguration.BINDUNG_FULL.equals(binding)) {
+ //1st try: if we have a password, try this one first
+ for (Iterator iter = loginHeaders.keySet().iterator(); iter.hasNext();) {
+ String headerKey = (String) iter.next();
+ String headerKeyValue = (String) loginHeaders.get(headerKey);
+ if (isBasicAuthenticationHeader(headerKey, headerKeyValue)) {
+ String credentials = headerKeyValue.substring(6);
+ byte [] bplaintextcredentials = Base64Utils.decode(credentials, true);
+ String plaintextcredentials = new String(bplaintextcredentials);
+ String password = plaintextcredentials.substring(plaintextcredentials.indexOf(":")+1);
+ if (password!=null && !password.equals("")) {
+ Logger.debug("Binding: found predefined password. Trying full binding first");
+ binding = OAConfiguration.BINDUNG_FULL;
+ break;
+ }
+ }
+ }
+ }
+ */
+
+
+
//we have a connection with not having logged on
if (loginHeaders != null && (browserPassword.length()!=0 || browserUserID.length()!=0 || OAConfiguration.BINDUNG_FULL.equals(binding))) {
for (Iterator iter = loginHeaders.keySet().iterator(); iter.hasNext();) {
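Review bot: The block at lines 81-102 is commented-out dead code that decodes the configured Basic credentials and should be removed rather than kept in the source; the binding decision it describes is already handled by the new NOMATCH branch. In that branch at lines 71-79 the rule "full binding on the first attempt, username binding on every later one" is not explained; if that is the intent, a comment such as `// NOMATCH: the first attempt uses the configured credentials (full binding); after a 401 the browser user has to supply the password (username binding)` would document it. Note that `getLoginTry` returns the stored count plus one, so the value logged at line 73 is the number of the attempt about to be made, consistent with its later use at line 139; `Integer.toString(loginTry)` in that concatenation is redundant and can be `loginTry`. The enclosing method starts and ends outside this hunk.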
@@ -402,7 +444,7 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
//customize loginheaders if necessary
if (isBasicAuthenticationHeader(headerKey, headerKeyValue))
{
- if ( OAConfiguration.BINDUNG_FULL.equals(binding)) {
+ if (OAConfiguration.BINDUNG_FULL.equals(binding)) {
authorizationvalue = headerKeyValue;
Logger.debug("Binding: full binding to user established");
} else {
@@ -480,7 +522,8 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
String uid = plaintextcredentials.substring(0,plaintextcredentials.indexOf(":"));
String pwd = plaintextcredentials.substring(plaintextcredentials.indexOf(":")+1);
//Sollte AuthorizationInfo vom HTTPClient benutzt werden: cb.addBasicAuthorization(publicURLPrefix, uid, pwd);
- //if (Logger.isDebugEnabled()) LogStr = LogStr + " >UserID:Password< >" + uid + ":" + pwd + "<";
+ //deactivate following line for security
+ //if (INTERNAL_DEBUG && Logger.isDebugEnabled()) LogStr = LogStr + " >UserID:Password< >" + uid + ":" + pwd + "<";
}
conn.setRequestProperty(headerKey, headerValue);
if (INTERNAL_DEBUG) Logger.debug(LogStr);
@@ -528,13 +571,13 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
}
// connect
+ if (INTERNAL_DEBUG) Logger.debug("Connect Request");
conn.connect();
+ if (INTERNAL_DEBUG) Logger.debug("Connect Response");
// check login tries
if (conn.getResponseCode()==HttpURLConnection.HTTP_UNAUTHORIZED) {
- String oa_loginTry = (String) req.getSession().getAttribute(ATT_OA_LOGINTRY);
- int loginTry = 1;
- if (oa_loginTry!=null) loginTry = Integer.parseInt(oa_loginTry)+1;
+ int loginTry = getLoginTry(req);
req.getSession().setAttribute(ATT_OA_LOGINTRY, Integer.toString(loginTry));
if (loginTry > MAX_OA_LOGINTRY) {
Logger.debug("Found 401 UNAUTHORIZED, maximum tries exceeded; leaving...");
@@ -545,7 +588,7 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
- if (conn.getResponseCode()==HttpURLConnection.HTTP_UNAUTHORIZED && OAConfiguration.BINDUNG_FULL.equals(binding)) {
+ if (conn.getResponseCode()==HttpURLConnection.HTTP_UNAUTHORIZED && OAConfiguration.BINDUNG_FULL.equals(originBinding)) {
Logger.debug("Found 401 UNAUTHORIZED, leaving...");
cb.disconnect(conn);
return conn.getResponseCode();
@@ -578,8 +621,11 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
// Überschrift im Browser-Passworteingabedialog setzen (sonst ist der reale host eingetragen)
if (headerKey.equalsIgnoreCase("WWW-Authenticate") && headerValue.startsWith("Basic realm=\"")) {
headerValue = "Basic realm=\"" + publicURLPrefix + "\"";
- if (OAConfiguration.BINDUNG_USERNAME.equals(binding)) headerValue = "Basic realm=\"Bitte Passwort eingeben\"";
- if (OAConfiguration.BINDUNG_NONE.equals(binding)) headerValue = "Basic realm=\"Bitte Benutzername und Passwort eingeben\"";
+ if (OAConfiguration.BINDUNG_USERNAME.equals(originBinding) || OAConfiguration.BINDUNG_NOMATCH.equals(originBinding)) {
+ headerValue = "Basic realm=\"Bitte Passwort eingeben\"";
+ } else if (OAConfiguration.BINDUNG_NONE.equals(originBinding)) {
+ headerValue = "Basic realm=\"Bitte Benutzername und Passwort eingeben\"";
+ }
}
String respHeader[] = new String[2];
if ((conn.getResponseCode()==HttpURLConnection.HTTP_UNAUTHORIZED) && headerKey.equalsIgnoreCase("content-length")) {
@@ -590,7 +636,7 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
respHeader[0]= headerKey;
respHeader[1]= headerValue;
- if (!(OAConfiguration.BINDUNG_FULL.equals(binding) && OAConfiguration.LOGINTYPE_STATELESS.equals(loginType) && headerKey.equalsIgnoreCase("WWW-Authenticate") && headerValue.startsWith("Basic realm=\""))) {
+ if (!(OAConfiguration.BINDUNG_FULL.equals(originBinding) && OAConfiguration.LOGINTYPE_STATELESS.equals(loginType) && headerKey.equalsIgnoreCase("WWW-Authenticate") && headerValue.startsWith("Basic realm=\""))) {
respHeaders.add(respHeader);
if (INTERNAL_DEBUG) Logger.debug("Resp header " + headerKey + ": " + headerValue);
} else {
@@ -680,6 +726,19 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
return conn.getResponseCode();
}
+
+/**
+ * Gets the current amount of the login try at the online application
+ *
+ * @param req the HttpServletRequest
+ * @return the number off the current login try
+ */
+private int getLoginTry(HttpServletRequest req) {
+ String oa_loginTry = (String) req.getSession().getAttribute(ATT_OA_LOGINTRY);
+ int loginTry = 1;
+ if (oa_loginTry!=null) loginTry = Integer.parseInt(oa_loginTry)+1;
+ return loginTry;
+}
/**
* Determines whether a HTTP header is a basic authentication header of the kind "Authorization: Basic ..."
*