author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-01-19 16:08:12 +0100 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-01-19 16:08:12 +0100 |
commit | ee54508b4bc802587c59d67548b20a770110262c (patch) | |
tree | 89e25c70242f0ece888ebc6990a1b4f27db3169b /id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java | |
parent | a6bdd89c393ca777b484ab2385975db740096c56 (diff) | |
add Single LogOut request signature validation to moa-id-configuration
Diffstat (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java')
-rw-r--r-- | id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java | 64 |
1 files changed, 39 insertions, 25 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java
index cff08740b..17d3d9e50 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java
@@ -40,6 +40,7 @@ import org.opensaml.saml2.core.LogoutRequest;
 import org.opensaml.saml2.core.LogoutResponse;
 import org.opensaml.ws.message.decoder.MessageDecodingException;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.ws.soap.client.BasicSOAPMessageContext;
 import org.opensaml.ws.soap.soap11.Envelope;
 import org.opensaml.ws.soap.soap11.decoder.http.HTTPSOAP11Decoder;
 import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
@@ -49,10 +50,12 @@ import org.opensaml.xml.parse.BasicParserPool;
 import org.opensaml.xml.security.SecurityException;
 import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
 import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.validation.ValidationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException;
+import at.gv.egovernment.moa.id.configuration.auth.pvp2.PVP2Utils;
 
 /**
  * @author tlenz
@@ -77,25 +80,44 @@ public class SLOBackChannelServlet extends SLOBasicServlet { try { HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(new BasicParserPool()); - BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = - new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); - messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter( - request)); + + BasicSOAPMessageContext messageContext = new BasicSOAPMessageContext(); + +// BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = +// new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); + + messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request)); + + //messageContext.setMetadataProvider(getConfig().getMetaDataProvier()); + + //set trustPolicy +// BasicSecurityPolicy policy = new BasicSecurityPolicy(); +// policy.getPolicyRules().add( +// new PVPSOAPRequestSecurityPolicy( +// PVP2Utils.getTrustEngine(getConfig()), +// IDPSSODescriptor.DEFAULT_ELEMENT_NAME)); +// SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( +// policy); +// messageContext.setSecurityPolicyResolver(resolver); soapDecoder.decode(messageContext); - + Envelope inboundMessage = (Envelope) messageContext .getInboundMessage(); + LogoutResponse sloResp = null; + if (inboundMessage.getBody() != null) { List<XMLObject> xmlElemList = inboundMessage.getBody().getUnknownXMLObjects(); - - LogoutResponse sloResp; + if (!xmlElemList.isEmpty() && xmlElemList.get(0) instanceof LogoutRequest) { LogoutRequest sloReq = (LogoutRequest) xmlElemList.get(0); - sloResp = processLogOutRequest(sloReq, request); + //validate request signature + PVP2Utils.validateSignature(sloReq, getConfig()); + + sloResp = processLogOutRequest(sloReq, request); + KeyStore keyStore = getConfig().getPVP2KeyStore(); X509Credential authcredential = new KeyStoreX509CredentialAdapter( keyStore, 
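Review bot: The new code between the `BasicSOAPMessageContext` construction and `soapDecoder.decode(messageContext)` is mostly commented-out code (the `BasicSAMLMessageContext` alternative, the `setMetadataProvider` call, and the whole `BasicSecurityPolicy` / `PVPSOAPRequestSecurityPolicy` / `setSecurityPolicyResolver` block); it should be deleted or replaced by a one-line comment stating why message-level security-policy enforcement is not configured here, because as written a reader cannot tell whether the explicit `PVP2Utils.validateSignature(sloReq, getConfig())` call is meant to be the only check on the inbound LogoutRequest. The validation call is correctly placed before `processLogOutRequest`, but the comment `//validate request signature` only restates the call; I would make the intent explicit: `// Reject the LogoutRequest before any logout processing if its signature does not verify against the configured trust material`. `LogoutResponse sloResp` is now initialised to `null` ahead of the `if (inboundMessage.getBody() != null)` branch, so whether it can reach a consumer unset depends on code past the end of the hunk; the enclosing method starts and ends outside this hunk.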
@@ -111,24 +133,17 @@ public class SLOBackChannelServlet extends SLOBasicServlet { context.setOutboundMessageTransport(responseAdapter); encoder.encode(context); - + } else { log.warn("Received request ist not of type LogOutRequest"); response.setStatus(HttpServletResponse.SC_BAD_REQUEST); + return; } } - } catch (MessageDecodingException e) { - log.error("SLO message processing FAILED." , e); - response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage()); - - } catch (SecurityException e) { - log.error("SLO message processing FAILED." , e); - response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage()); - - } catch (NoSuchAlgorithmException e) { - log.error("SLO message processing FAILED." , e); + } catch (MessageDecodingException | SecurityException | NoSuchAlgorithmException | ConfigurationException | ValidationException e) { + log.error("SLO message processing FAILED." , e); response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage()); } catch (CertificateException e) { @@ -139,15 +154,14 @@ public class SLOBackChannelServlet extends SLOBasicServlet { log.error("SLO message processing FAILED." , e); response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage()); - } catch (ConfigurationException e) { - log.error("SLO message processing FAILED." , e); - response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage()); - } catch (MessageEncodingException e) { log.error("SLO message processing FAILED." , e); response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage()); - } + } + + + } protected void doGet(HttpServletRequest request, |
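Review bot: `ValidationException` is added to the multi-catch that answers with `SC_INTERNAL_SERVER_ERROR` and `e.getMessage()`, so a LogoutRequest whose signature fails to verify is reported to the sender as a server fault and the validation detail is echoed back in the response. A failed signature check is a rejection of the client's message, not an internal error; I would catch it ahead of the multi-catch: `} catch (ValidationException e) { log.warn("SLO request signature validation FAILED.", e);` followed by `response.sendError(HttpServletResponse.SC_FORBIDDEN, "SLO request rejected"); return; }`, keeping the detail in the server log only. Echoing `e.getMessage()` in `sendError` already existed for the other exception types before this commit, so that part is pre-existing rather than introduced here. The enclosing method starts outside this hunk.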