authorThomas Lenz <thomas.lenz@egiz.gv.at>2017-09-26 21:33:33 +0200
committerThomas Lenz <thomas.lenz@egiz.gv.at>2017-09-26 21:33:33 +0200
commit27b687ed27fad429e6fbf1b3e69c579a8f2aae16 (patch)
tree3cc65fc88f91073a4aaf2106ff0efade87f4fcb8 /id/oa
parent4bbd3f88211399f41e8210ad3fbe5b0ea8910994 (diff)
parentc498c2812a9f2b97da2356774527aaec0ae1f608 (diff)
Merge branch 'eIDAS_node_implementation' of https://gitlab.iaik.tugraz.at/egiz/moa-idspss into eIDAS_node_implementation
Diffstat (limited to 'id/oa')
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java8
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java1
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java119
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java11
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java230
5 files changed, 224 insertions, 145 deletions
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java
index 95347c265..09069ac7f 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java
@@ -174,6 +174,14 @@ public class Configuration {
}
+ public boolean useRedirectBindingRequest() {
+ return Boolean.parseBoolean(props.getProperty("general.login.pvp2.binding.req.redirect", "true"));
+ }
+
+ public boolean useRedirectBindingResponse() {
+ return Boolean.parseBoolean(props.getProperty("general.login.pvp2.binding.resp.redirect", "false"));
+ }
+
public void initializePVP2Login() throws ConfigurationException {
if (!pvp2logininitialzied)
initalPVP2Login();
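Review bot: The two new accessors carry no Javadoc, and the property keys and defaults they read are the only place the binding selection is documented. Add `/** True (default) to send the AuthnRequest with the HTTP-Redirect binding, false for HTTP-POST; property general.login.pvp2.binding.req.redirect. */` above useRedirectBindingRequest() and the matching comment above useRedirectBindingResponse() (property general.login.pvp2.binding.resp.redirect, default false). It is also worth stating in that comment that the response flag only selects which AssertionConsumerService index is requested; whether the IdP honours it is decided elsewhere.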
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java
index d6d2b32da..00e7c3619 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java
@@ -34,4 +34,5 @@ public class Constants {
public static final String SESSION_NAMEID = "pvp2nameID";
public static final String SESSION_NAMEIDFORMAT = "pvp2nameIDFormat";
+
}
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java
index 2641797ed..4c909ff80 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java
@@ -34,11 +34,15 @@ import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
+import org.apache.commons.lang3.RandomUtils;
+import org.apache.velocity.app.VelocityEngine;
+import org.apache.velocity.runtime.RuntimeConstants;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
@@ -107,8 +111,13 @@ public class Authenticate extends HttpServlet {
SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
authReq.setID(gen.generateIdentifier());
+ String relayState = String.valueOf(RandomUtils.nextLong());
- authReq.setAssertionConsumerServiceIndex(0);
+ if (config.useRedirectBindingResponse())
+ authReq.setAssertionConsumerServiceIndex(1);
+ else
+ authReq.setAssertionConsumerServiceIndex(0);
+
authReq.setAttributeConsumingServiceIndex(0);
authReq.setIssueInstant(new DateTime());
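Review bot: `relayState` on the added line comes from `RandomUtils.nextLong()`, which is backed by `java.util.Random`, so the value is predictable; a `SecureRandomIdentifierGenerator gen` is already in scope two lines above and should be used instead: `String relayState = gen.generateIdentifier();`. If RelayState is meant to tie the response back to this request, the value also has to be kept (for example in the HTTP session) and compared on the assertion consumer endpoint; none of the visible hunks does that, so it may be intended as purely opaque here, which a one-line comment should say. The enclosing method starts and ends outside the hunk.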
@@ -152,17 +161,24 @@ public class Authenticate extends HttpServlet {
for (SingleSignOnService sss :
idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) {
-// //Get the service address for the binding you wish to use
-// if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
-// redirectEndpoint = sss;
-// }
+ //Get the service address for the binding you wish to use
+ if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI) && !config.useRedirectBindingRequest()) {
+ redirectEndpoint = sss;
+ }
//Get the service address for the binding you wish to use
- if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
+ if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) && config.useRedirectBindingRequest()) {
redirectEndpoint = sss;
}
}
+
+ if (redirectEndpoint == null) {
+ log.warn("Can not find valid EndPoint for SAML2 response");
+ throw new ConfigurationException("Can not find valid EndPoint for SAML2 response");
+
+ }
+
authReq.setDestination(redirectEndpoint.getLocation());
//authReq.setDestination("http://test.test.test");
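Review bot: The message in the new null check, `Can not find valid EndPoint for SAML2 response`, names the wrong message: what is missing is the IdP's SingleSignOnService for the AuthnRequest under the configured binding, and warning and throwing with identical text adds nothing to the log. Suggest `throw new ConfigurationException("No SingleSignOnService endpoint found in IdP metadata for the configured request binding");` and dropping the duplicated comment above the two `if` blocks, which now select by configured binding. The loop sits in a method that starts and ends outside the hunk.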
@@ -195,49 +211,54 @@ public class Authenticate extends HttpServlet {
signer.setSigningCredential(authcredential);
authReq.setSignature(signer);
- //generate Http-POST Binding message
-// VelocityEngine engine = new VelocityEngine();
-// engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
-// engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
-// engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
-// engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
-// engine.setProperty("classpath.resource.loader.class",
-// "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
-// engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS,
-// "org.apache.velocity.runtime.log.SimpleLog4JLogSystem");
-// engine.init();
-//
-// HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
-// "templates/pvp_postbinding_template.html");
-// HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
-// response, true);
-// BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
-// SingleSignOnService service = new SingleSignOnServiceBuilder()
-// .buildObject();
-// service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
-// service.setLocation(redirectEndpoint.getLocation());;
-//
-// context.setOutboundSAMLMessageSigningCredential(authcredential);
-// context.setPeerEntityEndpoint(service);
-// context.setOutboundSAMLMessage(authReq);
-// context.setOutboundMessageTransport(responseAdapter);
-
- //generate Redirect Binding message
- HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
- HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
- response, true);
- BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
- SingleSignOnService service = new SingleSignOnServiceBuilder()
- .buildObject();
- service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
- service.setLocation(redirectEndpoint.getLocation());
- context.setOutboundSAMLMessageSigningCredential(authcredential);
- context.setPeerEntityEndpoint(service);
- context.setOutboundSAMLMessage(authReq);
- context.setOutboundMessageTransport(responseAdapter);
- //context.setRelayState(relayState);
-
- encoder.encode(context);
+
+ if (!config.useRedirectBindingRequest()) {
+ //generate Http-POST Binding message
+ VelocityEngine engine = new VelocityEngine();
+ engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+ engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
+ engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+ engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
+ engine.setProperty("classpath.resource.loader.class",
+ "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
+ engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS,
+ "org.apache.velocity.runtime.log.SimpleLog4JLogSystem");
+ engine.init();
+
+ HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
+ "templates/pvp_postbinding_template.html");
+ HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+ response, true);
+ BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+ SingleSignOnService service = new SingleSignOnServiceBuilder()
+ .buildObject();
+ service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+ service.setLocation(redirectEndpoint.getLocation());;
+ context.setOutboundSAMLMessageSigningCredential(authcredential);
+ context.setPeerEntityEndpoint(service);
+ context.setOutboundSAMLMessage(authReq);
+ context.setOutboundMessageTransport(responseAdapter);
+ context.setRelayState(relayState);
+ encoder.encode(context);
+
+ } else {
+ //generate Redirect Binding message
+ HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
+ HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+ response, true);
+ BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+ SingleSignOnService service = new SingleSignOnServiceBuilder()
+ .buildObject();
+ service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+ service.setLocation(redirectEndpoint.getLocation());
+ context.setOutboundSAMLMessageSigningCredential(authcredential);
+ context.setPeerEntityEndpoint(service);
+ context.setOutboundSAMLMessage(authReq);
+ context.setOutboundMessageTransport(responseAdapter);
+ context.setRelayState(relayState);
+ encoder.encode(context);
+
+ }
} catch (Exception e) {
log.warn("Authentication Request can not be generated", e);
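Review bot: The two new branches duplicate the whole message-context setup and differ only in encoder and binding URI, and the copy-paste already shows its cost: `RuntimeConstants.ENCODING_DEFAULT` is set twice in the POST branch, `service.setLocation(...);;` carries a stray semicolon, and the POST branch hard-codes `"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"` while the redirect branch uses `SAMLConstants.SAML2_REDIRECT_BINDING_URI`. Build the context once, take the binding from the endpoint that the loop above already selected by configuration, and only choose the encoder in the conditional. The `VelocityEngine` is also created and initialised on every request; caching it in a field would avoid that, but is a separate change. The surrounding try/catch starts and ends outside the hunk.
```java
// … unchanged: signature setup on authReq …
HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(response, true);
BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context =
        new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
SingleSignOnService service = new SingleSignOnServiceBuilder().buildObject();
// binding was already selected by configuration in the endpoint loop above
service.setBinding(redirectEndpoint.getBinding());
service.setLocation(redirectEndpoint.getLocation());
context.setOutboundSAMLMessageSigningCredential(authcredential);
context.setPeerEntityEndpoint(service);
context.setOutboundSAMLMessage(authReq);
context.setOutboundMessageTransport(responseAdapter);
context.setRelayState(relayState);

if (config.useRedirectBindingRequest()) {
    new HTTPRedirectDeflateEncoder().encode(context);
} else {
    // … unchanged: VelocityEngine setup (with a single ENCODING_DEFAULT line) …
    new HTTPPostEncoder(engine, "templates/pvp_postbinding_template.html").encode(context);
}
```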
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
index 75b54cfc4..d28f94fd6 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
@@ -234,13 +234,20 @@ public class BuildMetadata extends HttpServlet {
//set HTTP-POST Binding assertion consumer service
AssertionConsumerService postassertionConsumerService =
- SAML2Utils.createSAMLObject(AssertionConsumerService.class);
-
+ SAML2Utils.createSAMLObject(AssertionConsumerService.class);
postassertionConsumerService.setIndex(0);
postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
postassertionConsumerService.setLocation(serviceURL + Constants.SERVLET_PVP2ASSERTION);
spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService);
+ //set HTTP-Redirect Binding assertion consumer service
+ AssertionConsumerService redirectassertionConsumerService =
+ SAML2Utils.createSAMLObject(AssertionConsumerService.class);
+ redirectassertionConsumerService.setIndex(1);
+ redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+ redirectassertionConsumerService.setLocation(serviceURL + Constants.SERVLET_PVP2ASSERTION);
+ spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService);
+
//set Single Log-Out service
SingleLogoutService sloService = SAML2Utils.createSAMLObject(SingleLogoutService.class);
sloService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
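Review bot: The added AssertionConsumerService with index 1 advertises `SAML2_REDIRECT_BINDING_URI` as a response endpoint; as far as I recall the SAML 2.0 Web Browser SSO profile restricts `<Response>` delivery to the HTTP-POST and HTTP-Artifact bindings, the redirect binding being intended for short request messages, so a conforming IdP may ignore this index or reject the metadata. If the entry is kept for the demo, say so where it is added: `// Non-standard: Redirect-binding ACS kept for demo purposes only; the Web Browser SSO profile delivers responses via POST or Artifact.` Both entries point at the same location, so the servlet behind SERVLET_PVP2ASSERTION has to dispatch on the HTTP method, which the DemoApplication change in this commit does.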
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
index cfc170011..93622f828 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
@@ -38,6 +38,9 @@ import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
+import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
+import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
+import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.EncryptedAssertion;
@@ -46,10 +49,14 @@ import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCredentialResolverFactory;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.ws.security.SecurityPolicyResolver;
+import org.opensaml.ws.security.provider.BasicSecurityPolicy;
+import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
@@ -91,6 +98,7 @@ public class DemoApplication extends HttpServlet {
ApplicationBean bean = new ApplicationBean();
+ log.debug("Receive request on secure-area endpoint ...");
String method = request.getMethod();
HttpSession session = request.getSession();
@@ -101,11 +109,44 @@ public class DemoApplication extends HttpServlet {
return;
}
- if (method.equals("POST")) {
-
- try {
- Configuration config = Configuration.getInstance();
+ try {
+ Configuration config = Configuration.getInstance();
+ Response samlResponse = null;
+
+ if (method.equals("GET")) {
+ log.debug("Find possible SAML2 Redirect-Binding response ...");
+ HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(new BasicParserPool());
+ BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
+
+ messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
+ messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
+
+ messageContext.setMetadataProvider(config.getMetaDataProvier());
+
+ MetadataCredentialResolver resolver = new MetadataCredentialResolver(config.getMetaDataProvier());
+ List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
+ keyInfoProvider.add(new DSAKeyValueProvider());
+ keyInfoProvider.add(new RSAKeyValueProvider());
+ keyInfoProvider.add(new InlineX509DataProvider());
+ KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+ keyInfoProvider);
+ ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
+ resolver, keyInfoResolver);
+
+ SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(engine);
+ SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
+ BasicSecurityPolicy policy = new BasicSecurityPolicy();
+ policy.getPolicyRules().add(signatureRule);
+ policy.getPolicyRules().add(signedRole);
+ SecurityPolicyResolver resolver1 = new StaticSecurityPolicyResolver(policy);
+ messageContext.setSecurityPolicyResolver(resolver1);
+ decode.decode(messageContext);
+
+ log.info("PVP2 Assertion with Redirect-Binding is valid");
+
+ } else if (method.equals("POST")) {
+ log.debug("Find possible SAML2 Post-Binding response ...");
//Decode with HttpPost Binding
HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
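Review bot: On the new GET path `samlResponse` is never assigned after `decode.decode(messageContext)`, so a Redirect-Binding response reaches `SAML2Utils.asDOMDocument(samlResponse)` further down with null and ends in the generic catch as an "Internal Error"; the assignment `samlResponse = (Response) messageContext.getInboundMessage();` in the next hunk is only on the POST path. Two further points in the same branch: `setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME)` names the wrong role, since the peer of this SP is the IdP, so the metadata credential resolver should be pointed at `IDPSSODescriptor.DEFAULT_ELEMENT_NAME` (already imported); and, unlike the POST path with its explicit `sign == null` check, nothing here fails when the redirect carries no Signature parameter — as far as I recall the OpenSAML redirect signature rule skips an unsigned request rather than rejecting it, so the branch has to assert `messageContext.isInboundSAMLMessageAuthenticated()` after decoding. `SAML2AuthnRequestsSignedRule` only evaluates inbound AuthnRequests and is a no-op for a Response, so `signedRole` can be dropped. The enclosing method continues past the hunk.
```java
messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
// the entity that signed the response is the IdP, not an SP
messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
// … unchanged: metadata provider, trust engine and signature rule / policy (without signedRole) …
decode.decode(messageContext);
// the redirect signature rule does not fail on an unsigned request; enforce it here
if (!messageContext.isInboundSAMLMessageAuthenticated()) {
    throw new SecurityException("SAML2 Redirect-Binding response is not signed by a trusted IdP");
}
samlResponse = (Response) messageContext.getInboundMessage();
log.info("PVP2 Assertion with Redirect-Binding is valid");
```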
@@ -114,7 +155,7 @@ public class DemoApplication extends HttpServlet {
request));
decode.decode(messageContext);
- Response samlResponse = (Response) messageContext.getInboundMessage();
+ samlResponse = (Response) messageContext.getInboundMessage();
Signature sign = samlResponse.getSignature();
if (sign == null) {
@@ -148,116 +189,117 @@ public class DemoApplication extends HttpServlet {
ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
trustEngine.validate(sign, criteriaSet);
- log.info("PVP2 Assertion is valid");
+ log.info("PVP2 Assertion with POST-Binding is valid");
- //set assertion
- org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse);
- String assertion = DOMUtils.serializeNode(doc);
- bean.setAssertion(assertion);
+ } else {
+ bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding.");
+ setAnser(request, response, bean);
+ return;
- if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+ }
- List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
-
- //check encrypted Assertion
- List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
- if (encryAssertionList != null && encryAssertionList.size() > 0) {
- //decrypt assertions
-
- log.debug("Found encryped assertion. Start decryption ...");
-
- KeyStore keyStore = config.getPVP2KeyStore();
-
- X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
- keyStore,
- config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(),
- config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
-
-
- StaticKeyInfoCredentialResolver skicr =
- new StaticKeyInfoCredentialResolver(authDecCredential);
-
- ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
- encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
- encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
- encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
-
- Decrypter samlDecrypter =
- new Decrypter(null, skicr, encryptedKeyResolver);
-
- for (EncryptedAssertion encAssertion : encryAssertionList) {
- saml2assertions.add(samlDecrypter.decrypt(encAssertion));
-
- }
-
- log.debug("Assertion decryption finished. ");
-
- } else {
- saml2assertions = samlResponse.getAssertions();
+ //set assertion
+ org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse);
+ String assertion = DOMUtils.serializeNode(doc);
+ bean.setAssertion(assertion);
+
+ if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+
+ List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
- }
+ //check encrypted Assertion
+ List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
+ if (encryAssertionList != null && encryAssertionList.size() > 0) {
+ //decrypt assertions
- String givenName = null;
- String familyName = null;
- String birthday = null;
+ log.debug("Found encryped assertion. Start decryption ...");
- for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
-
- //loop through the nodes to get what we want
- List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements();
- for (int i = 0; i < attributeStatements.size(); i++)
- {
- List<Attribute> attributes = attributeStatements.get(i).getAttributes();
- for (int x = 0; x < attributes.size(); x++)
- {
- String strAttributeName = attributes.get(x).getDOM().getAttribute("Name");
+ KeyStore keyStore = config.getPVP2KeyStore();
+
+ X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
+ keyStore,
+ config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(),
+ config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
+
+
+ StaticKeyInfoCredentialResolver skicr =
+ new StaticKeyInfoCredentialResolver(authDecCredential);
+
+ ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+ encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
+ encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
+ encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
+
+ Decrypter samlDecrypter =
+ new Decrypter(null, skicr, encryptedKeyResolver);
+
+ for (EncryptedAssertion encAssertion : encryAssertionList) {
+ saml2assertions.add(samlDecrypter.decrypt(encAssertion));
- if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME))
- familyName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
- if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME))
- givenName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
-
- if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) {
- birthday = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
- }
- }
- }
- request.getSession().setAttribute(Constants.SESSION_NAMEIDFORMAT,
- saml2assertion.getSubject().getNameID().getFormat());
- request.getSession().setAttribute(Constants.SESSION_NAMEID,
- saml2assertion.getSubject().getNameID().getValue());
-
}
-
- bean.setDateOfBirth(birthday);
- bean.setFamilyName(familyName);
- bean.setGivenName(givenName);
- bean.setLogin(true);
-
- setAnser(request, response, bean);
- return;
+ log.debug("Assertion decryption finished. ");
} else {
- bean.setErrorMessage("Der Anmeldevorgang wurde abgebrochen.<br>Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion.");
- setAnser(request, response, bean);
- return;
+ saml2assertions = samlResponse.getAssertions();
+
+ }
+
+ String givenName = null;
+ String familyName = null;
+ String birthday = null;
+
+ for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
+
+ //loop through the nodes to get what we want
+ List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements();
+ for (int i = 0; i < attributeStatements.size(); i++)
+ {
+ List<Attribute> attributes = attributeStatements.get(i).getAttributes();
+ for (int x = 0; x < attributes.size(); x++)
+ {
+ String strAttributeName = attributes.get(x).getDOM().getAttribute("Name");
+
+ if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME))
+ familyName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+ if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME))
+ givenName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+
+ if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) {
+ birthday = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+ }
+ }
+ }
+ request.getSession().setAttribute(Constants.SESSION_NAMEIDFORMAT,
+ saml2assertion.getSubject().getNameID().getFormat());
+ request.getSession().setAttribute(Constants.SESSION_NAMEID,
+ saml2assertion.getSubject().getNameID().getValue());
}
+
+ bean.setDateOfBirth(birthday);
+ bean.setFamilyName(familyName);
+ bean.setGivenName(givenName);
+ bean.setLogin(true);
+
+ setAnser(request, response, bean);
+ return;
+
- } catch (Exception e) {
- log.warn(e);
- bean.setErrorMessage("Internal Error: " + e.getMessage());
+ } else {
+ bean.setErrorMessage("Der Anmeldevorgang wurde abgebrochen.<br>Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion.");
setAnser(request, response, bean);
return;
+
}
- } else {
- bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding.");
+ } catch (Exception e) {
+ log.warn(e);
+ bean.setErrorMessage("Internal Error: " + e.getMessage());
setAnser(request, response, bean);
return;
-
}
+
}
private void setAnser(HttpServletRequest request, HttpServletResponse response, ApplicationBean answersBean) throws ServletException, IOException {
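Review bot: The error text in the new `else` branch, `Die Demoapplikation unterstützt nur SAML2 POST-Binding.`, is now wrong: the branch is reached only for methods other than GET and POST, and the GET path above handles the Redirect binding. Suggest `bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST- und Redirect-Binding.");` so the message matches what the servlet actually accepts. The rest of the hunk is the POST-only body re-indented one level; no new logic beyond the method dispatch is visible in it.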