authorThomas Lenz <tlenz@iaik.tugraz.at>2016-01-19 16:08:12 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-01-19 16:08:12 +0100
commitee54508b4bc802587c59d67548b20a770110262c (patch)
tree89e25c70242f0ece888ebc6990a1b4f27db3169b /id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java
parenta6bdd89c393ca777b484ab2385975db740096c56 (diff)
add Single LogOut request signature validation to moa-id-configuration
Diffstat (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java')
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java64
1 files changed, 39 insertions, 25 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java
index cff08740b..17d3d9e50 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java
@@ -40,6 +40,7 @@ import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.ws.soap.client.BasicSOAPMessageContext;
import org.opensaml.ws.soap.soap11.Envelope;
import org.opensaml.ws.soap.soap11.decoder.http.HTTPSOAP11Decoder;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
@@ -49,10 +50,12 @@ import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.validation.ValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException;
+import at.gv.egovernment.moa.id.configuration.auth.pvp2.PVP2Utils;
/**
* @author tlenz
@@ -77,25 +80,44 @@ public class SLOBackChannelServlet extends SLOBasicServlet {
try {
HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(new BasicParserPool());
- BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext =
- new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
- messageContext
- .setInboundMessageTransport(new HttpServletRequestAdapter(
- request));
+
+ BasicSOAPMessageContext messageContext = new BasicSOAPMessageContext();
+
+// BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext =
+// new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+
+ messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
+
+ //messageContext.setMetadataProvider(getConfig().getMetaDataProvier());
+
+ //set trustPolicy
+// BasicSecurityPolicy policy = new BasicSecurityPolicy();
+// policy.getPolicyRules().add(
+// new PVPSOAPRequestSecurityPolicy(
+// PVP2Utils.getTrustEngine(getConfig()),
+// IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
+// SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
+// policy);
+// messageContext.setSecurityPolicyResolver(resolver);
soapDecoder.decode(messageContext);
-
+
Envelope inboundMessage = (Envelope) messageContext
.getInboundMessage();
+ LogoutResponse sloResp = null;
+
if (inboundMessage.getBody() != null) {
List<XMLObject> xmlElemList = inboundMessage.getBody().getUnknownXMLObjects();
-
- LogoutResponse sloResp;
+
if (!xmlElemList.isEmpty() && xmlElemList.get(0) instanceof LogoutRequest) {
LogoutRequest sloReq = (LogoutRequest) xmlElemList.get(0);
- sloResp = processLogOutRequest(sloReq, request);
+ //validate request signature
+ PVP2Utils.validateSignature(sloReq, getConfig());
+
+ sloResp = processLogOutRequest(sloReq, request);
+
KeyStore keyStore = getConfig().getPVP2KeyStore();
X509Credential authcredential = new KeyStoreX509CredentialAdapter(
keyStore,
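Review bot: The trust-policy block left commented out between `//set trustPolicy` and `// messageContext.setSecurityPolicyResolver(resolver);`, together with the commented `BasicSAMLMessageContext` lines, is dead code, and since this hunk makes `PVP2Utils.validateSignature(sloReq, getConfig());` the only check applied to the inbound message, the commented block should be deleted and replaced by a comment that states this, e.g. `// No SecurityPolicyResolver is set on the SOAP context: the LogoutRequest signature is verified explicitly by PVP2Utils.validateSignature() below, before the request is processed.` Whether validateSignature rejects an unsigned request and binds the signing certificate to the request's Issuer cannot be seen from this hunk and should be confirmed in PVP2Utils. Separately, `LogoutResponse sloResp = null;` is now declared ahead of `if (inboundMessage.getBody() != null) {`, and as far as this and the following hunk show, a message without a SOAP body falls through without any status or error being sent; setting `response.setStatus(HttpServletResponse.SC_BAD_REQUEST);` on that path, mirroring the existing else branch, would be consistent. The enclosing method starts before this hunk and continues past it.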
@@ -111,24 +133,17 @@ public class SLOBackChannelServlet extends SLOBasicServlet {
context.setOutboundMessageTransport(responseAdapter);
encoder.encode(context);
-
+
} else {
log.warn("Received request ist not of type LogOutRequest");
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ return;
}
}
- } catch (MessageDecodingException e) {
- log.error("SLO message processing FAILED." , e);
- response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
-
- } catch (SecurityException e) {
- log.error("SLO message processing FAILED." , e);
- response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
-
- } catch (NoSuchAlgorithmException e) {
- log.error("SLO message processing FAILED." , e);
+ } catch (MessageDecodingException | SecurityException | NoSuchAlgorithmException | ConfigurationException | ValidationException e) {
+ log.error("SLO message processing FAILED." , e);
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
} catch (CertificateException e) {
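Review bot: The new multi-catch `} catch (MessageDecodingException | SecurityException | NoSuchAlgorithmException | ConfigurationException | ValidationException e) {` reports a failed signature validation as HTTP 500 and copies `e.getMessage()` into the response body, so a peer sending a badly signed LogoutRequest receives an internal-error status plus the validator's diagnostic text. A signature failure is a client-side fault and is better answered with a 4xx status and a generic body, keeping the detail in the log: `} catch (ValidationException e) {` / `log.warn("SLO request signature validation FAILED.", e);` / `response.sendError(HttpServletResponse.SC_BAD_REQUEST);` placed before the multi-catch, with ValidationException removed from it. The same reflection of `e.getMessage()` to the caller exists in the other catch arms of this and the following hunk, which the commit only consolidates. The enclosing method starts before this hunk and ends in the next one.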
@@ -139,15 +154,14 @@ public class SLOBackChannelServlet extends SLOBasicServlet {
log.error("SLO message processing FAILED." , e);
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
- } catch (ConfigurationException e) {
- log.error("SLO message processing FAILED." , e);
- response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
-
} catch (MessageEncodingException e) {
log.error("SLO message processing FAILED." , e);
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
- }
+ }
+
+
+
}
protected void doGet(HttpServletRequest request,