aboutsummaryrefslogtreecommitdiff
path: root/id/ConfigWebTool/src
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2014-05-07 16:01:44 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-05-07 16:01:44 +0200
commit44cb2c6299c247a9836150c68ba45b206c6499aa (patch)
treea73c592add1bd440b7ac130271c979fcc3d36ddf /id/ConfigWebTool/src
parent5e78c0a4ecfc75b2e42c079c08cff8247845e293 (diff)
downloadmoa-id-spss-44cb2c6299c247a9836150c68ba45b206c6499aa.tar.gz
moa-id-spss-44cb2c6299c247a9836150c68ba45b206c6499aa.tar.bz2
moa-id-spss-44cb2c6299c247a9836150c68ba45b206c6499aa.zip
add extended SAML2 metadata validation
Diffstat (limited to 'id/ConfigWebTool/src')
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAPVP2Config.java2
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java125
2 files changed, 91 insertions, 36 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAPVP2Config.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAPVP2Config.java
index c2a92c9fc..bcac63a5f 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAPVP2Config.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAPVP2Config.java
@@ -117,7 +117,7 @@ public class OAPVP2Config implements IOnlineApplicationData{
@Override
public List<String> validate(OAGeneralConfig general,
AuthenticatedUser authUser, HttpServletRequest request) {
- return new OAPVP2ConfigValidation().validate(this, request);
+ return new OAPVP2ConfigValidation().validate(this, general.getIdentifier(), request);
}
/* (non-Javadoc)
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
index 7da3eb0b7..98d500526 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
@@ -22,31 +22,67 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.configuration.validation.oa;
+import iaik.x509.X509Certificate;
+
import java.io.IOException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.List;
+import java.util.Timer;
import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.httpclient.MOAHttpClient;
import org.apache.log4j.Logger;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.xml.parse.BasicParserPool;
+import org.opensaml.xml.security.x509.BasicX509Credential;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType;
+import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
import at.gv.egovernment.moa.id.commons.validation.ValidationHelper;
+import at.gv.egovernment.moa.id.configuration.auth.pvp2.MetaDataVerificationFilter;
+import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
import at.gv.egovernment.moa.id.configuration.data.oa.OAPVP2Config;
+import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
-import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.MiscUtil;
public class OAPVP2ConfigValidation {
private static final Logger log = Logger.getLogger(OAPVP2ConfigValidation.class);
- public List<String> validate(OAPVP2Config form, HttpServletRequest request) {
+ public List<String> validate(OAPVP2Config form, String oaID, HttpServletRequest request) {
+
+ Timer timer = null;
+ MOAHttpClient httpClient = null;
+ HTTPMetadataProvider httpProvider = null;
List<String> errors = new ArrayList<String>();
try {
- byte[] metadata = null;
-// byte[] cert = null;
+ byte[] certSerialized = null;
+ if (form.getFileUpload() != null)
+ certSerialized = form.getCertificate();
+ else {
+ OnlineApplication oa = ConfigurationDBRead.getOnlineApplication(oaID);
+ if (oa != null &&
+ oa.getAuthComponentOA() != null &&
+ oa.getAuthComponentOA().getOAPVP2() != null) {
+ certSerialized = oa.getAuthComponentOA().getOAPVP2().getCertificate();
+ }
+ }
+
+ if (certSerialized == null) {
+ log.info("No certificate for metadata validation");
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request));
+ }
+
String check = form.getMetaDataURL();
if (MiscUtil.isNotEmpty(check)) {
@@ -55,37 +91,48 @@ public class OAPVP2ConfigValidation {
errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.valid", request));
} else {
- metadata = FileUtils.readURL(check);
- if (MiscUtil.isEmpty(metadata)) {
- log.info("Filecontent can not be read form MetaDataURL.");
- errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read", request));
+
+ if (certSerialized != null) {
+ X509Certificate cert = new X509Certificate(certSerialized);
+ BasicX509Credential credential = new BasicX509Credential();
+ credential.setEntityCertificate(cert);
+
+ timer = new Timer();
+ httpClient = new MOAHttpClient();
+
+ if (form.getMetaDataURL().startsWith("https:"))
+ try {
+ MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+ "MOAMetaDataProvider",
+ ConfigurationProvider.getInstance().getCertStoreDirectory(),
+ ConfigurationProvider.getInstance().getTrustStoreDirectory(),
+ null,
+ ChainingModeType.PKIX,
+ true);
+
+ httpClient.setCustomSSLTrustStore(
+ form.getMetaDataURL(),
+ protoSocketFactory);
+
+ } catch (MOAHttpProtocolSocketFactoryException e) {
+ log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
+
+ } catch (ConfigurationException e) {
+ log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.");
+
+ }
+
+ httpProvider =
+ new HTTPMetadataProvider(timer, httpClient, form.getMetaDataURL());
+ httpProvider.setParserPool(new BasicParserPool());
+ httpProvider.setRequireValidMetadata(true);
+ MetadataFilter filter = new MetaDataVerificationFilter(credential);
+ httpProvider.setMetadataFilter(filter);
+ httpProvider.initialize();
}
}
}
-
- if (form.getFileUpload() != null)
- form.getCertificate();
-
-// else {
-// if (metadata != null) {
-// log.info("No certificate to verify the Metadata defined.");
-// errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound"));
-// }
-// }
-
-// if (cert != null && metadata != null) {
-// HTTPMetadataProvider httpProvider = new HTTPMetadataProvider(
-// check, 20000);
-// httpProvider.setParserPool(new BasicParserPool());
-// httpProvider.setRequireValidMetadata(true);
-// MetadataFilter filter = new MetadataSignatureFilter(
-// check, cert);
-// httpProvider.setMetadataFilter(filter);
-// httpProvider.initialize();
-//
-// }
-
-
+
} catch (CertificateException e) {
log.info("Uploaded Certificate can not be found", e);
errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request));
@@ -94,9 +141,17 @@ public class OAPVP2ConfigValidation {
log.info("Metadata can not be loaded from URL", e);
errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read", request));
-// } catch (MetadataProviderException e) {
-// log.info("MetaDate verification failed");
-// errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify"));
+ } catch (MetadataProviderException e) {
+ log.info("MetaDate verification failed");
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify", request));
+
+ } finally {
+ if (httpProvider != null)
+ httpProvider.destroy();
+
+ if (timer != null)
+ timer.cancel();
+
}
return errors;