add PVP2 Demo Application

change SZRGWClient to JAXWs
author: Thomas Lenz <tlenz@iaik.tugraz.at> 2014-01-27 16:27:02 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2014-01-27 16:27:02 +0100
commit: cea2f395ec773b386ec628d60120752cf320f6b6 (patch)
tree: 2145dbbe25f0b4f99c89e60834176ea8fa1d435c /id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet
parent: 653fd79254188db598c0b980640fab912c9e39f7 (diff)
download: moa-id-spss-cea2f395ec773b386ec628d60120752cf320f6b6.tar.gz
moa-id-spss-cea2f395ec773b386ec628d60120752cf320f6b6.tar.bz2
moa-id-spss-cea2f395ec773b386ec628d60120752cf320f6b6.zip
3 files changed, 765 insertions, 0 deletions
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java
new file mode 100644
index 000000000..68fef277b
--- /dev/null
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java
@@ -0,0 +1,222 @@
+package at.gv.egovernment.moa.id.demoOA.servlet.pvp2;
+
+import java.io.IOException;
+import java.security.KeyStore;
+import java.util.Map;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.velocity.app.VelocityEngine;
+import org.apache.velocity.runtime.RuntimeConstants;
+import org.joda.time.DateTime;
+import org.opensaml.common.SAMLObject;
+import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
+import org.opensaml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.core.NameIDPolicy;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.core.RequestedAuthnContext;
+import org.opensaml.saml2.core.Subject;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SingleSignOnService;
+import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import at.gv.egovernment.moa.id.demoOA.Configuration;
+import at.gv.egovernment.moa.id.demoOA.Constants;
+import at.gv.egovernment.moa.id.demoOA.exception.ConfigurationException;
+import at.gv.egovernment.moa.id.demoOA.utils.SAML2Utils;
+import at.iaik.commons.util.MiscUtil;
+
+
+/**
+ * Servlet implementation class Authenticate
+ */
+public class Authenticate extends HttpServlet {
+	private static final long serialVersionUID = 1L;
+	
+	private static final Logger log = LoggerFactory
+			.getLogger(Authenticate.class);	
+	
+	/**
+	 * @see HttpServlet#HttpServlet()
+	 */
+	public Authenticate() {
+		super();
+		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+		factory.setNamespaceAware(true);
+		try {
+			builder = factory.newDocumentBuilder();
+			
+		} catch (ParserConfigurationException e) {
+			log.warn("PVP2 AuthenticationServlet can not be initialized.", e);
+		}
+	}
+
+	DocumentBuilder builder;
+
+
+	protected void process(HttpServletRequest request,
+			HttpServletResponse response, Map<String,String> legacyParameter) throws ServletException, IOException {
+		try {
+			
+			Configuration config = Configuration.getInstance();
+			config.initializePVP2Login();
+			
+			AuthnRequest authReq = SAML2Utils
+					.createSAMLObject(AuthnRequest.class);
+			SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
+			authReq.setID(gen.generateIdentifier());
+			
+			HttpSession session = request.getSession();
+			if (session != null) {
+				session.setAttribute(Constants.SESSION_PVP2REQUESTID, authReq.getID());
+			}
+			
+			authReq.setAssertionConsumerServiceIndex(0);
+			authReq.setAttributeConsumingServiceIndex(0);
+			authReq.setIssueInstant(new DateTime());
+			Subject subject = SAML2Utils.createSAMLObject(Subject.class);
+			NameID name = SAML2Utils.createSAMLObject(NameID.class);
+			Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
+			
+			String serviceURL = config.getPublicUrlPreFix(request);
+			if (!serviceURL.endsWith("/"))
+				serviceURL = serviceURL + "/";
+			name.setValue(serviceURL);
+			issuer.setValue(serviceURL);
+
+			subject.setNameID(name);
+			authReq.setSubject(subject);
+			issuer.setFormat(NameIDType.ENTITY);
+			authReq.setIssuer(issuer);
+			NameIDPolicy policy = SAML2Utils
+					.createSAMLObject(NameIDPolicy.class);
+			policy.setAllowCreate(true);
+			policy.setFormat(NameID.PERSISTENT);
+			authReq.setNameIDPolicy(policy);
+			
+			String entityname = config.getPVP2IDPMetadataEntityName();
+			if (MiscUtil.isEmpty(entityname)) {
+				log.info("No IDP EntityName configurated");
+				throw new ConfigurationException("No IDP EntityName configurated");
+			}
+			
+			HTTPMetadataProvider idpmetadata = config.getMetaDataProvier();
+			EntityDescriptor idpEntity = idpmetadata.getEntityDescriptor(entityname);
+			if (idpEntity == null) {
+				log.info("IDP EntityName is not found in IDP Metadata");
+				throw new ConfigurationException("IDP EntityName is not found in IDP Metadata");
+			}
+			
+			SingleSignOnService redirectEndpoint = null;  
+			for (SingleSignOnService sss : 
+					idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) {
+				
+				//Get the service address for the binding you wish to use
+				if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { 
+					redirectEndpoint = sss;  
+				}  
+			}
+			
+			authReq.setDestination(redirectEndpoint.getLocation());
+			
+			RequestedAuthnContext reqAuthContext = 
+					SAML2Utils.createSAMLObject(RequestedAuthnContext.class);
+			
+			AuthnContextClassRef authnClassRef = 
+					SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
+			
+			authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4");
+
+			reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
+			
+			reqAuthContext.getAuthnContextClassRefs().add(authnClassRef);
+			
+			authReq.setRequestedAuthnContext(reqAuthContext);
+			
+			KeyStore keyStore = config.getPVP2KeyStore();
+
+			X509Credential authcredential = new KeyStoreX509CredentialAdapter(
+					keyStore, 
+					config.getPVP2KeystoreAuthRequestKeyAlias(), 
+					config.getPVP2KeystoreAuthRequestKeyPassword().toCharArray());
+
+			Signature signer = SAML2Utils.createSAMLObject(Signature.class);
+			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
+			signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+			signer.setSigningCredential(authcredential);
+
+			authReq.setSignature(signer);
+
+			VelocityEngine engine = new VelocityEngine();
+			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+			engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
+			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+			engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
+			engine.setProperty("classpath.resource.loader.class",
+					"org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
+			engine.init();
+
+			HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
+					"templates/pvp_postbinding_template.html");
+			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+					response, true);
+			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+			SingleSignOnService service = new SingleSignOnServiceBuilder()
+					.buildObject();
+			service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+			service.setLocation(redirectEndpoint.getLocation());;
+			
+			context.setOutboundSAMLMessageSigningCredential(authcredential);
+			context.setPeerEntityEndpoint(service);
+			context.setOutboundSAMLMessage(authReq);
+			context.setOutboundMessageTransport(responseAdapter);
+
+			encoder.encode(context);
+
+		} catch (Exception e) {
+			log.warn("Authentication Request can not be generated", e);
+			throw new ServletException("Authentication Request can not be generated.", e);
+		}
+	}
+
+	/**
+	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doGet(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+				
+		process(request, response, null);
+	}
+
+	/**
+	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doPost(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+		process(request, response, null);
+	}
+
+}
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
new file mode 100644
index 000000000..f3821374a
--- /dev/null
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
@@ -0,0 +1,279 @@
+package at.gv.egovernment.moa.id.demoOA.servlet.pvp2;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+
+import org.apache.log4j.Logger;
+import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.AttributeConsumingService;
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.KeyDescriptor;
+import org.opensaml.saml2.metadata.LocalizedString;
+import org.opensaml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.ServiceName;
+import org.opensaml.xml.io.Marshaller;
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.opensaml.xml.signature.Signer;
+import org.w3c.dom.Document;
+
+import at.gv.egovernment.moa.id.demoOA.Configuration;
+import at.gv.egovernment.moa.id.demoOA.Constants;
+import at.gv.egovernment.moa.id.demoOA.exception.ConfigurationException;
+import at.gv.egovernment.moa.id.demoOA.utils.AttributeListBuilder;
+import at.gv.egovernment.moa.id.demoOA.utils.SAML2Utils;
+import at.iaik.commons.util.MiscUtil;
+
+public class BuildMetadata extends HttpServlet {
+	private static final long serialVersionUID = 1L;
+	
+	private static final Logger log = Logger.getLogger(BuildMetadata.class);
+
+	/**
+	 * @see HttpServlet#HttpServlet()
+	 */
+	public BuildMetadata() {
+		super();
+	}
+
+	protected static Signature getSignature(Credential credentials) {
+		Signature signer = SAML2Utils.createSAMLObject(Signature.class);
+		signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+		signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+		signer.setSigningCredential(credentials);
+		return signer;
+	}
+	
+	/**
+	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doGet(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+		try {
+			Configuration config = Configuration.getInstance();
+						
+			SecureRandomIdentifierGenerator idGen = new SecureRandomIdentifierGenerator();
+			
+			EntitiesDescriptor spEntitiesDescriptor = SAML2Utils.
+					createSAMLObject(EntitiesDescriptor.class);
+			
+			String name = config.getPVP2MetadataEntitiesName();
+			if (MiscUtil.isEmpty(name)) {
+				log.info("NO Metadata EntitiesName configurated");
+				throw new ConfigurationException("NO Metadata EntitiesName configurated");
+			}
+			
+			spEntitiesDescriptor.setName(name);
+			spEntitiesDescriptor.setID(idGen.generateIdentifier());
+			
+			EntityDescriptor spEntityDescriptor = SAML2Utils
+					.createSAMLObject(EntityDescriptor.class);
+
+			spEntitiesDescriptor.getEntityDescriptors().add(spEntityDescriptor);
+			
+			String serviceURL = config.getPublicUrlPreFix(request);
+			if (!serviceURL.endsWith("/"))
+				serviceURL = serviceURL + "/";
+			
+			log.debug("Set OnlineApplicationURL to " + serviceURL);
+			spEntityDescriptor.setEntityID(serviceURL);
+
+			SPSSODescriptor spSSODescriptor = SAML2Utils
+					.createSAMLObject(SPSSODescriptor.class);
+
+			spSSODescriptor.setAuthnRequestsSigned(true);
+			spSSODescriptor.setWantAssertionsSigned(true);
+
+			X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory();
+			keyInfoFactory.setEmitEntityCertificate(true);
+			KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance();
+
+			
+			KeyStore keyStore = config.getPVP2KeyStore();
+
+			X509Credential signingcredential = new KeyStoreX509CredentialAdapter(
+					keyStore, 
+					config.getPVP2KeystoreMetadataKeyAlias(), 
+					config.getPVP2KeystoreMetadataKeyPassword().toCharArray());
+
+			
+			log.debug("Set Metadata key information");
+			//Set MetaData Signing key
+			KeyDescriptor entitiesSignKeyDescriptor = SAML2Utils
+					.createSAMLObject(KeyDescriptor.class);
+			entitiesSignKeyDescriptor.setUse(UsageType.SIGNING);
+			entitiesSignKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(signingcredential));
+			Signature entitiesSignature = getSignature(signingcredential);
+			spEntitiesDescriptor.setSignature(entitiesSignature);
+
+			
+			//Set AuthRequest Signing certificate
+			X509Credential authcredential = new KeyStoreX509CredentialAdapter(
+					keyStore, 
+					config.getPVP2KeystoreAuthRequestKeyAlias(), 
+					config.getPVP2KeystoreAuthRequestKeyPassword().toCharArray());			
+			KeyDescriptor signKeyDescriptor = SAML2Utils
+					.createSAMLObject(KeyDescriptor.class);
+			signKeyDescriptor.setUse(UsageType.SIGNING);
+			signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential));	
+			spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
+			
+			
+			//set AuthRequest encryption certificate
+			if (MiscUtil.isNotEmpty(config.getPVP2KeystoreAuthRequestEncryptionKeyAlias()) ||
+					MiscUtil.isNotEmpty(config.getPVP2KeystoreAuthRequestEncryptionKeyPassword())) {
+				X509Credential authEncCredential = new KeyStoreX509CredentialAdapter(
+						keyStore, 
+						config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(), 
+						config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());			
+				KeyDescriptor encryKeyDescriptor = SAML2Utils
+						.createSAMLObject(KeyDescriptor.class);
+				encryKeyDescriptor.setUse(UsageType.ENCRYPTION);
+				encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential));	
+				spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor);
+				
+			} else {
+				log.warn("No Assertion Encryption-Key defined. This setting is not recommended!");
+				
+			}
+			
+			
+			NameIDFormat persistentnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+			persistentnameIDFormat.setFormat(NameIDType.PERSISTENT);
+			
+			spSSODescriptor.getNameIDFormats().add(persistentnameIDFormat);
+			
+			NameIDFormat transientnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+			transientnameIDFormat.setFormat(NameIDType.TRANSIENT);
+			
+			spSSODescriptor.getNameIDFormats().add(transientnameIDFormat);
+			
+			NameIDFormat unspecifiednameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+			unspecifiednameIDFormat.setFormat(NameIDType.UNSPECIFIED);
+			
+			spSSODescriptor.getNameIDFormats().add(unspecifiednameIDFormat);
+						
+			AssertionConsumerService postassertionConsumerService = 
+					SAML2Utils.createSAMLObject(AssertionConsumerService.class);
+			
+			postassertionConsumerService.setIndex(0);
+			postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+			postassertionConsumerService.setLocation(serviceURL + Constants.SERVLET_PVP2ASSERTION);
+			
+			spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService);
+			
+			spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
+			
+			spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
+			
+			spSSODescriptor.setWantAssertionsSigned(true);
+			spSSODescriptor.setAuthnRequestsSigned(true);
+			
+			AttributeConsumingService attributeService = 
+					SAML2Utils.createSAMLObject(AttributeConsumingService.class);
+			
+			attributeService.setIndex(0);
+			attributeService.setIsDefault(true);
+			ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class);
+			serviceName.setName(new LocalizedString("Default Service", "de"));
+			attributeService.getNames().add(serviceName);
+			
+			attributeService.getRequestAttributes().addAll(AttributeListBuilder.getRequestedAttributes());
+			
+			spSSODescriptor.getAttributeConsumingServices().add(attributeService);
+
+			DocumentBuilder builder;
+			DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+			
+			builder = factory.newDocumentBuilder();
+			Document document = builder.newDocument();
+			Marshaller out = org.opensaml.Configuration.getMarshallerFactory().getMarshaller(spEntitiesDescriptor);
+			out.marshall(spEntitiesDescriptor, document);
+			
+			Signer.signObject(entitiesSignature);
+			
+			Transformer transformer = TransformerFactory.newInstance().newTransformer();
+			
+			StringWriter sw = new StringWriter();
+			StreamResult sr = new StreamResult(sw);
+			DOMSource source  = new DOMSource(document);
+			transformer.transform(source, sr);
+			sw.close();
+			
+			String metadataXML = sw.toString();
+						
+			response.setContentType("text/xml");
+			response.getOutputStream().write(metadataXML.getBytes());
+			
+			response.getOutputStream().close();
+			
+		} catch (ConfigurationException e) {
+			log.warn("Configuration can not be loaded.", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (NoSuchAlgorithmException e) {
+			log.warn("Requested Algorithm could not found.", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+							
+		} catch (ParserConfigurationException e) {
+			log.warn("PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+							
+		} catch (TransformerConfigurationException e) {
+			log.warn("PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (TransformerFactoryConfigurationError e) {
+			log.warn("PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (TransformerException e) {
+			log.warn("PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+		}
+		
+		catch (Exception e) {
+			log.warn("Unspecific PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+		}
+
+	}
+
+	/**
+	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doPost(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+	}
+
+}
+\ No newline at end of file
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
new file mode 100644
index 000000000..2d32ce9af
--- /dev/null
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
@@ -0,0 +1,264 @@
+package at.gv.egovernment.moa.id.demoOA.servlet.pvp2;
+
+import java.io.IOException;
+import java.security.KeyStore;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.apache.log4j.Logger;
+import org.opensaml.common.SAMLObject;
+import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeStatement;
+import org.opensaml.saml2.core.EncryptedAssertion;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.saml2.encryption.Decrypter;
+import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
+import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.security.MetadataCredentialResolver;
+import org.opensaml.security.MetadataCredentialResolverFactory;
+import org.opensaml.security.MetadataCriteria;
+import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
+import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
+import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
+import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
+import org.opensaml.xml.parse.BasicParserPool;
+import org.opensaml.xml.security.CriteriaSet;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.criteria.EntityIDCriteria;
+import org.opensaml.xml.security.criteria.UsageCriteria;
+import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
+import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
+import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
+import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
+import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
+import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
+import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
+
+import at.gv.egovernment.moa.id.demoOA.Configuration;
+import at.gv.egovernment.moa.id.demoOA.PVPConstants;
+import at.gv.egovernment.moa.id.demoOA.utils.ApplicationBean;
+import at.gv.egovernment.moa.id.demoOA.utils.SAML2Utils;
+import at.gv.egovernment.moa.util.DOMUtils;
+
+
+public class DemoApplication extends HttpServlet {
+
+	private static final long serialVersionUID = -2129228304760706063L;
+	private static final Logger log = Logger.getLogger(DemoApplication.class);
+	
+	
+	
+	private void process(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+
+		
+		ApplicationBean bean = new ApplicationBean();
+		
+		
+		String method = request.getMethod();
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("NO HTTP Session");
+			bean.setErrorMessage("NO HTTP session");
+			setAnser(request, response, bean);
+			return;
+		}
+		
+		if (method.equals("POST")) {
+		
+			try {
+				Configuration config = Configuration.getInstance();
+				
+				//Decode with HttpPost Binding
+				HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
+				BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
+				messageContext
+					.setInboundMessageTransport(new HttpServletRequestAdapter(
+							request));
+				decode.decode(messageContext);
+				
+				Response samlResponse = (Response) messageContext.getInboundMessage();
+			
+				Signature sign = samlResponse.getSignature();
+				if (sign == null) {
+					log.info("Only http POST Requests can be used");
+					bean.setErrorMessage("Only http POST Requests can be used");
+					setAnser(request, response, bean);
+					return;
+				}
+				
+				//Validate Signature
+				SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
+				profileValidator.validate(sign);
+				
+				//Verify Signature
+				List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
+				keyInfoProvider.add(new DSAKeyValueProvider());
+				keyInfoProvider.add(new RSAKeyValueProvider());
+				keyInfoProvider.add(new InlineX509DataProvider());
+
+				KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+						keyInfoProvider);
+				
+				MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();    
+				MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(config.getMetaDataProvier());  
+				  
+				CriteriaSet criteriaSet = new CriteriaSet();  
+				criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));  
+				criteriaSet.add(new EntityIDCriteria(config.getPVP2IDPMetadataEntityName()));
+				criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
+				  				
+				ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
+				trustEngine.validate(sign, criteriaSet);
+				
+				log.info("PVP2 Assertion is valid");
+				
+				if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+			
+					List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
+					
+					//check encrypted Assertion
+					List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
+					if (encryAssertionList != null && encryAssertionList.size() > 0) {
+						//decrypt assertions
+						
+						log.debug("Found encryped assertion. Start decryption ...");
+						
+						KeyStore keyStore = config.getPVP2KeyStore();
+						
+						X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
+								keyStore, 
+								config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(), 
+								config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
+						
+						
+						StaticKeyInfoCredentialResolver skicr =
+								  new StaticKeyInfoCredentialResolver(authDecCredential);
+						
+						ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+						encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
+						encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
+						encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
+						
+						Decrypter samlDecrypter =
+								  new Decrypter(null, skicr, encryptedKeyResolver);
+						
+						for (EncryptedAssertion encAssertion : encryAssertionList) {							
+							saml2assertions.add(samlDecrypter.decrypt(encAssertion));
+
+						}
+						
+						log.debug("Assertion decryption finished. ");
+						
+					} else {
+						saml2assertions = samlResponse.getAssertions();
+				
+					}
+					
+					String givenName = null;
+					String familyName = null;
+					String birthday = null;
+					
+					for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
+						
+						//loop through the nodes to get what we want
+						List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements();
+						for (int i = 0; i < attributeStatements.size(); i++)
+						{
+							List<Attribute> attributes = attributeStatements.get(i).getAttributes();
+							for (int x = 0; x < attributes.size(); x++)
+							{
+								String strAttributeName = attributes.get(x).getDOM().getAttribute("Name");
+
+								if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME))
+									familyName = attributes.get(x).getAttributeValues().get(0).getDOM().getTextContent();
+								
+								if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME))
+									givenName = attributes.get(x).getAttributeValues().get(0).getDOM().getTextContent();
+								
+								if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) {
+									birthday = attributes.get(x).getAttributeValues().get(0).getDOM().getTextContent();
+								}								
+							}
+						}
+					}
+					
+					org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse);
+					String assertion = DOMUtils.serializeNode(doc);
+					
+					bean.setAssertion(assertion);
+					bean.setDateOfBirth(birthday);
+					bean.setFamilyName(familyName);
+					bean.setGivenName(givenName);
+					bean.setLogin(true);
+					
+					setAnser(request, response, bean);
+					return;
+					
+					
+				} else {
+					bean.setErrorMessage("Der Anmeldevorgang wurde abgebrochen.<br>Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion.");
+					setAnser(request, response, bean);
+					return;
+					
+				}
+				
+			} catch (Exception e) {
+				log.warn(e);
+				bean.setErrorMessage("Internal Error: " + e.getMessage());
+				setAnser(request, response, bean);
+				return;
+			}
+			
+		} else {
+			bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding.");
+			setAnser(request, response, bean);
+			return;
+			
+		}
+	}	
+	
+	private void setAnser(HttpServletRequest request, HttpServletResponse response, ApplicationBean answersBean) throws ServletException, IOException {
+        // store bean in session
+        request.setAttribute("answers", answersBean);
+
+        // you now can forward to some view, for example some results.jsp
+        request.getRequestDispatcher("demoapp.jsp").forward(request, response);
+		
+	}
+	
+	/**
+	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doGet(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+				
+		process(request, response);
+	}
+
+
+	/**
+	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doPost(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+		process(request, response);
+	}
+}
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2014-01-27 16:27:02 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2014-01-27 16:27:02 +0100
commit	cea2f395ec773b386ec628d60120752cf320f6b6 (patch)
tree	2145dbbe25f0b4f99c89e60834176ea8fa1d435c /id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet
parent	653fd79254188db598c0b980640fab912c9e39f7 (diff)
download	moa-id-spss-cea2f395ec773b386ec628d60120752cf320f6b6.tar.gz moa-id-spss-cea2f395ec773b386ec628d60120752cf320f6b6.tar.bz2 moa-id-spss-cea2f395ec773b386ec628d60120752cf320f6b6.zip