aboutsummaryrefslogtreecommitdiff
path: root/id/ConfigWebTool/src/main/java/at/gv/egovernment
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2014-06-06 13:47:48 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-06-06 13:47:48 +0200
commitc1f3b45adb46f2a7a2c93df278d2b8189eb2fc91 (patch)
treebb2ead1fb89a5c73b963125d37fb3a51e216309f /id/ConfigWebTool/src/main/java/at/gv/egovernment
parent5677982c24ada5c0a56e11588b5839bc2a75b83e (diff)
downloadmoa-id-spss-c1f3b45adb46f2a7a2c93df278d2b8189eb2fc91.tar.gz
moa-id-spss-c1f3b45adb46f2a7a2c93df278d2b8189eb2fc91.tar.bz2
moa-id-spss-c1f3b45adb46f2a7a2c93df278d2b8189eb2fc91.zip
solve some SLO bugs
Diffstat (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment')
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java36
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/BuildMetadata.java8
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java1
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java8
4 files changed, 31 insertions, 22 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java
index 5032222d0..3d66a4b19 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java
@@ -63,6 +63,7 @@ import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
+import org.opensaml.xml.security.trust.TrustedCredentialTrustEngine;
import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.AbstractSignableXMLObject;
@@ -164,29 +165,34 @@ public class PVP2Utils {
}
}
+ public static ExplicitKeySignatureTrustEngine getTrustEngine(ConfigurationProvider configuration) {
+ //Verify Signature
+ List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
+ keyInfoProvider.add(new DSAKeyValueProvider());
+ keyInfoProvider.add(new RSAKeyValueProvider());
+ keyInfoProvider.add(new InlineX509DataProvider());
+
+ KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+ keyInfoProvider);
+
+ MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();
+ MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(configuration.getMetaDataProvier());
+
+ return new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
+
+ }
+
public static void validateSignature(SignableXMLObject msg, ConfigurationProvider configuration) throws SecurityException, ValidationException {
//Validate Signature
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
profileValidator.validate(msg.getSignature());
-
- //Verify Signature
- List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
- keyInfoProvider.add(new DSAKeyValueProvider());
- keyInfoProvider.add(new RSAKeyValueProvider());
- keyInfoProvider.add(new InlineX509DataProvider());
-
- KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
- keyInfoProvider);
-
- MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();
- MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(configuration.getMetaDataProvier());
-
+
CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
criteriaSet.add(new EntityIDCriteria(configuration.getPVP2IDPMetadataEntityName()));
criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
-
- ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
+
+ ExplicitKeySignatureTrustEngine trustEngine = getTrustEngine(configuration);
trustEngine.validate(msg.getSignature(), criteriaSet);
}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/BuildMetadata.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/BuildMetadata.java
index 5265aed86..f121babc6 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/BuildMetadata.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/BuildMetadata.java
@@ -242,10 +242,10 @@ public class BuildMetadata extends HttpServlet {
redirectBindingService.setLocation(serviceURL + Constants.SERVLET_SLO_FRONT);
spSSODescriptor.getSingleLogoutServices().add(redirectBindingService);
- SingleLogoutService soapBindingService = SAML2Utils.createSAMLObject(SingleLogoutService.class);
- soapBindingService.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
- soapBindingService.setLocation(serviceURL + Constants.SERVLET_SLO_BACK);
- spSSODescriptor.getSingleLogoutServices().add(soapBindingService);
+// SingleLogoutService soapBindingService = SAML2Utils.createSAMLObject(SingleLogoutService.class);
+// soapBindingService.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
+// soapBindingService.setLocation(serviceURL + Constants.SERVLET_SLO_BACK);
+// spSSODescriptor.getSingleLogoutServices().add(soapBindingService);
spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
index 69adcc661..38c858918 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
@@ -78,7 +78,6 @@ public class SLOBasicServlet extends HttpServlet {
LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class);
SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
sloReq.setID(gen.generateIdentifier());
- request.getSession().setAttribute(Constants.SESSION_PVP2REQUESTID, sloReq.getID());
sloReq.setIssueInstant(new DateTime());
NameID name = SAML2Utils.createSAMLObject(NameID.class);
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java
index eb5752982..67921c689 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java
@@ -120,6 +120,8 @@ public class SLOFrontChannelServlet extends SLOBasicServlet {
//build SLO request to IDP
LogoutRequest sloReq = createLogOutRequest(nameID, nameIDFormat, request);
+ request.getSession().setAttribute(Constants.SESSION_PVP2REQUESTID, sloReq.getID());
+
//send message
sendMessage(request, response, sloReq, null);
@@ -132,7 +134,7 @@ public class SLOFrontChannelServlet extends SLOBasicServlet {
messageContext.setMetadataProvider(getConfig().getMetaDataProvier());
SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
- TrustEngineFactory.getSignatureKnownKeysTrustEngine());
+ PVP2Utils.getTrustEngine(getConfig()));
SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
BasicSecurityPolicy policy = new BasicSecurityPolicy();
policy.getPolicyRules().add(signatureRule);
@@ -141,9 +143,11 @@ public class SLOFrontChannelServlet extends SLOBasicServlet {
policy);
messageContext.setSecurityPolicyResolver(resolver);
messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
+
+ decode.decode(messageContext);
signatureRule.evaluate(messageContext);
- decode.decode(messageContext);
+
processMessage(request, response,
messageContext.getInboundMessage(), messageContext.getRelayState());