add PVP2 Demo Application

change SZRGWClient to JAXWs

1 files changed, 264 insertions, 0 deletions

diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
new file mode 100644
index 000000000..2d32ce9af
--- /dev/null
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
@@ -0,0 +1,264 @@
+package at.gv.egovernment.moa.id.demoOA.servlet.pvp2;
+
+import java.io.IOException;
+import java.security.KeyStore;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.apache.log4j.Logger;
+import org.opensaml.common.SAMLObject;
+import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeStatement;
+import org.opensaml.saml2.core.EncryptedAssertion;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.saml2.encryption.Decrypter;
+import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
+import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.security.MetadataCredentialResolver;
+import org.opensaml.security.MetadataCredentialResolverFactory;
+import org.opensaml.security.MetadataCriteria;
+import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
+import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
+import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
+import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
+import org.opensaml.xml.parse.BasicParserPool;
+import org.opensaml.xml.security.CriteriaSet;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.criteria.EntityIDCriteria;
+import org.opensaml.xml.security.criteria.UsageCriteria;
+import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
+import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
+import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
+import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
+import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
+import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
+import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
+
+import at.gv.egovernment.moa.id.demoOA.Configuration;
+import at.gv.egovernment.moa.id.demoOA.PVPConstants;
+import at.gv.egovernment.moa.id.demoOA.utils.ApplicationBean;
+import at.gv.egovernment.moa.id.demoOA.utils.SAML2Utils;
+import at.gv.egovernment.moa.util.DOMUtils;
+
+
+public class DemoApplication extends HttpServlet {
+
+	private static final long serialVersionUID = -2129228304760706063L;
+	private static final Logger log = Logger.getLogger(DemoApplication.class);
+	
+	
+	
+	private void process(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+
+		
+		ApplicationBean bean = new ApplicationBean();
+		
+		
+		String method = request.getMethod();
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("NO HTTP Session");
+			bean.setErrorMessage("NO HTTP session");
+			setAnser(request, response, bean);
+			return;
+		}
+		
+		if (method.equals("POST")) {
+		
+			try {
+				Configuration config = Configuration.getInstance();
+				
+				//Decode with HttpPost Binding
+				HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
+				BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
+				messageContext
+					.setInboundMessageTransport(new HttpServletRequestAdapter(
+							request));
+				decode.decode(messageContext);
+				
+				Response samlResponse = (Response) messageContext.getInboundMessage();
+			
+				Signature sign = samlResponse.getSignature();
+				if (sign == null) {
+					log.info("Only http POST Requests can be used");
+					bean.setErrorMessage("Only http POST Requests can be used");
+					setAnser(request, response, bean);
+					return;
+				}
+				
+				//Validate Signature
+				SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
+				profileValidator.validate(sign);
+				
+				//Verify Signature
+				List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
+				keyInfoProvider.add(new DSAKeyValueProvider());
+				keyInfoProvider.add(new RSAKeyValueProvider());
+				keyInfoProvider.add(new InlineX509DataProvider());
+
+				KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+						keyInfoProvider);
+				
+				MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();    
+				MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(config.getMetaDataProvier());  
+				  
+				CriteriaSet criteriaSet = new CriteriaSet();  
+				criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));  
+				criteriaSet.add(new EntityIDCriteria(config.getPVP2IDPMetadataEntityName()));
+				criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
+				  				
+				ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
+				trustEngine.validate(sign, criteriaSet);
+				
+				log.info("PVP2 Assertion is valid");
+				
+				if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+			
+					List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
+					
+					//check encrypted Assertion
+					List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
+					if (encryAssertionList != null && encryAssertionList.size() > 0) {
+						//decrypt assertions
+						
+						log.debug("Found encryped assertion. Start decryption ...");
+						
+						KeyStore keyStore = config.getPVP2KeyStore();
+						
+						X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
+								keyStore, 
+								config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(), 
+								config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
+						
+						
+						StaticKeyInfoCredentialResolver skicr =
+								  new StaticKeyInfoCredentialResolver(authDecCredential);
+						
+						ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+						encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
+						encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
+						encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
+						
+						Decrypter samlDecrypter =
+								  new Decrypter(null, skicr, encryptedKeyResolver);
+						
+						for (EncryptedAssertion encAssertion : encryAssertionList) {							
+							saml2assertions.add(samlDecrypter.decrypt(encAssertion));
+
+						}
+						
+						log.debug("Assertion decryption finished. ");
+						
+					} else {
+						saml2assertions = samlResponse.getAssertions();
+				
+					}
+					
+					String givenName = null;
+					String familyName = null;
+					String birthday = null;
+					
+					for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
+						
+						//loop through the nodes to get what we want
+						List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements();
+						for (int i = 0; i < attributeStatements.size(); i++)
+						{
+							List<Attribute> attributes = attributeStatements.get(i).getAttributes();
+							for (int x = 0; x < attributes.size(); x++)
+							{
+								String strAttributeName = attributes.get(x).getDOM().getAttribute("Name");
+
+								if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME))
+									familyName = attributes.get(x).getAttributeValues().get(0).getDOM().getTextContent();
+								
+								if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME))
+									givenName = attributes.get(x).getAttributeValues().get(0).getDOM().getTextContent();
+								
+								if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) {
+									birthday = attributes.get(x).getAttributeValues().get(0).getDOM().getTextContent();
+								}								
+							}
+						}
+					}
+					
+					org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse);
+					String assertion = DOMUtils.serializeNode(doc);
+					
+					bean.setAssertion(assertion);
+					bean.setDateOfBirth(birthday);
+					bean.setFamilyName(familyName);
+					bean.setGivenName(givenName);
+					bean.setLogin(true);
+					
+					setAnser(request, response, bean);
+					return;
+					
+					
+				} else {
+					bean.setErrorMessage("Der Anmeldevorgang wurde abgebrochen.<br>Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion.");
+					setAnser(request, response, bean);
+					return;
+					
+				}
+				
+			} catch (Exception e) {
+				log.warn(e);
+				bean.setErrorMessage("Internal Error: " + e.getMessage());
+				setAnser(request, response, bean);
+				return;
+			}
+			
+		} else {
+			bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding.");
+			setAnser(request, response, bean);
+			return;
+			
+		}
+	}	
+	
+	private void setAnser(HttpServletRequest request, HttpServletResponse response, ApplicationBean answersBean) throws ServletException, IOException {
+        // store bean in session
+        request.setAttribute("answers", answersBean);
+
+        // you now can forward to some view, for example some results.jsp
+        request.getRequestDispatcher("demoapp.jsp").forward(request, response);
+		
+	}
+	
+	/**
+	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doGet(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+				
+		process(request, response);
+	}
+
+
+	/**
+	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doPost(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+		process(request, response);
+	}
+}