authorThomas Lenz <tlenz@iaik.tugraz.at>2013-07-19 11:50:19 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2013-07-19 11:50:19 +0200
commit71da4a9bc7e2ff79b2fb4cf8903d15fd75372859 (patch)
treea2a5841c65ebb4bda12d703378fc41b3cec69fb4 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth
parent49acb697426d3c313ad047449ea62ac1bf3f4fd0 (diff)
SSO and Configuration updated
TODO: --PVP2 from configuration --UseIFrame for OAs --SSO with mandates --Resign IdentityLink --Encrypted MOASession in Database
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java265
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java125
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java94
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java33
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java31
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java21
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java221
13 files changed, 592 insertions, 233 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 214a1df7d..a127dc6b5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -57,6 +57,7 @@ import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
@@ -87,6 +88,7 @@ import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
import at.gv.egovernment.moa.id.auth.parser.CreateXMLSignatureResponseParser;
import at.gv.egovernment.moa.id.auth.parser.ExtendedInfoboxReadResponseParser;
+import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser;
import at.gv.egovernment.moa.id.auth.parser.SAMLArtifactParser;
import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
@@ -104,6 +106,7 @@ import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentity
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClient;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants;
+import at.gv.egovernment.moa.id.commons.db.dao.config.IdentificationNumber;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.ConfigurationProvider;
@@ -131,7 +134,9 @@ import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.DateTimeUtils;
import at.gv.egovernment.moa.util.FileUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.StringUtils;
+import at.gv.egovernment.moa.util.XPathUtils;
import eu.stork.mw.messages.saml.STORKAuthnRequest;
import eu.stork.vidp.messages.builder.STORKMessagesBuilder;
import eu.stork.vidp.messages.common.STORKConstants;
@@ -419,10 +424,29 @@ public class AuthenticationServer implements MOAIDAuthConstants {
}
}
- //build ReadInfobox request
- String infoboxReadRequest = new InfoboxReadRequestBuilder().build(
- oaParam.isSlVersion12(), oaParam.getBusinessService(), oaParam
+ String infoboxReadRequest = "";
+
+ if (session.isSsoRequested()) {
+ //load identityLink with SSO Target
+ boolean isbuisness = false;
+ String domainIdentifier = "";
+ IdentificationNumber ssobusiness = AuthConfigurationProvider.getInstance().getSSOBusinessService();
+ if (ssobusiness != null) {
+ isbuisness = true;
+ domainIdentifier = ssobusiness.getValue();
+ }
+
+ //build ReadInfobox request
+ infoboxReadRequest = new InfoboxReadRequestBuilder().build(
+ oaParam.isSlVersion12(), isbuisness, domainIdentifier);
+
+ } else {
+ //build ReadInfobox request
+ infoboxReadRequest = new InfoboxReadRequestBuilder().build(
+ oaParam.isSlVersion12(), oaParam.getBusinessService(), oaParam
.getIdentityLinkDomainIdentifier());
+ }
+
String dataURL = new DataURLBuilder().buildDataURL(
session.getAuthURL(), REQ_VERIFY_IDENTITY_LINK, session
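Review bot: In the new `if (session.isSsoRequested())` branch, a null result from `getSSOBusinessService()` silently yields a public-sector read request with an empty domain identifier, and the online application's own `oaParam.getBusinessService()` / `getIdentityLinkDomainIdentifier()` are no longer consulted at all, so a business-service OA under SSO gets a read request of the wrong kind without any log line. Either fall back to the `oaParam` values when `ssobusiness == null` or fail explicitly there; at minimum add `Logger.debug("SSO: no SSO business service configured, building public-sector IdentityLink read request");` before the build so the choice is visible in the logs. `isbuisness` is misspelled; `isBusiness` would match the rest of the code base, and `String infoboxReadRequest = "";` can be a plain declaration since both branches assign it. The enclosing method starts and ends outside this hunk.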
@@ -798,12 +822,14 @@ public class AuthenticationServer implements MOAIDAuthConstants {
identityLink.setIdentificationType(null);
}
else {
- String bpkBase64 = new BPKBuilder().buildBPK(identityLink
- .getIdentificationValue(), session.getTarget());
- identityLink.setIdentificationValue(bpkBase64);
-
- //TODO: insert correct Type!!!!
- identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget());
+
+ //TODO: check correctness!!! bpk calcultion is done during Assertion generation
+// String bpkBase64 = new BPKBuilder().buildBPK(identityLink
+// .getIdentificationValue(), session.getTarget());
+// identityLink.setIdentificationValue(bpkBase64);
+//
+// //TODO: insert correct Type!!!!
+// identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget());
}
}
// ..BZ
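Review bot: The `else` branch is now empty apart from a TODO and six lines of commented-out bPK code; commented-out code should be deleted rather than kept, the previous revision is in version control. If the intent is that the identity link keeps the baseID here and the bPK is derived only when the AUTH-Block is built, state exactly that in one line, e.g. `// identityLink keeps the baseID; the bPK/wbPK for the AUTH-Block is derived where the AUTH-Block is built` — the existing `//TODO: check correctness!!! bpk calcultion is done during Assertion generation` says this, but as an open question rather than a documented decision. The enclosing method starts and ends outside this hunk.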
@@ -1022,11 +1048,18 @@ public class AuthenticationServer implements MOAIDAuthConstants {
Constants.URN_PREFIX_BASEID)) {
// only compute bPK if online application is a public service and we
// have the Stammzahl
- String bpkBase64 = new BPKBuilder().buildBPK(identityLink
- .getIdentificationValue(), session.getTarget());
- identificationValue = bpkBase64;
- identificationType = Constants.URN_PREFIX_CDID + "+" + session.getTarget();
+
+ if (session.isSsoRequested()) {
+ identificationType = "";
+ identificationValue = "";
+
+ } else {
+ String bpkBase64 = new BPKBuilder().buildBPK(identityLink
+ .getIdentificationValue(), session.getTarget());
+ identificationValue = bpkBase64;
+ identificationType = Constants.URN_PREFIX_CDID + "+" + session.getTarget();
+ }
// identityLink.setIdentificationValue(bpkBase64);
// identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget());
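Review bot: The SSO branch assigns `""` to `identificationType` and `identificationValue` instead of `null`, and downstream code cannot tell an empty string from a present value: `buildAuthBlock` in this commit tests `if (identityLinkValue != null)` before adding the bPK element, and an `.equals(Constants.URN_PREFIX_BASEID)` check on `""` simply fails. Today this is harmless because the new `buildAuthBlockSSO` never reads `identityLinkValue` or `identityLinkType`, but it will bite the first time one of those checks is added to the SSO path. If the SSO AUTH-Block deliberately carries no bPK, use `null` and say so: `// SSO: no bPK/wbPK in the AUTH-Block; the sector-specific PK is derived per OA after authentication`. The enclosing method starts and ends outside this hunk.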
@@ -1045,17 +1078,41 @@ public class AuthenticationServer implements MOAIDAuthConstants {
// Bug #485
// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
// String oaURL = session.getPublicOAURLPrefix();
- String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&amp;");
+
List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
- String authBlock = new AuthenticationBlockAssertionBuilder()
+
+
+ if (session.isSsoRequested()) {
+ String oaURL =new String();
+ try {
+ oaURL = AuthConfigurationProvider.getInstance().getSSOPublicUrl();
+
+ if (MiscUtil.isNotEmpty(oaURL))
+ oaURL = oaURL.replaceAll("&", "&amp;");
+
+ } catch (ConfigurationException e) {
+ }
+ String authBlock = new AuthenticationBlockAssertionBuilder()
+ .buildAuthBlockSSO(issuer, issueInstant, authURL, target,
+ targetFriendlyName, identificationValue,
+ identificationType, oaURL, gebDat,
+ extendedSAMLAttributes, session, oaParam);
+ return authBlock;
+
+ } else {
+ String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&amp;");
+ String authBlock = new AuthenticationBlockAssertionBuilder()
.buildAuthBlock(issuer, issueInstant, authURL, target,
targetFriendlyName, identificationValue,
identificationType, oaURL, gebDat,
- extendedSAMLAttributes, session);
+ extendedSAMLAttributes, session, oaParam);
+ return authBlock;
+ }
+
- return authBlock;
+
}
/**
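Review bot: `catch (ConfigurationException e) { }` in the SSO branch swallows the error and goes on to build and sign an AUTH-Block with `oaURL == ""`, so a missing or broken SSO public URL produces a valid-looking AUTH-Block with an empty OA URL instead of a failure. The removed lookup in `AuthenticationBlockAssertionBuilder` handled the same exception by logging and raising `BuildException("builder.00", ...)`; mirror that here (wrapping it if this method's throws clause, which is outside the hunk, does not allow `BuildException`): `} catch (ConfigurationException e) { Logger.error("Error on building AUTH-Block: " + e.getMessage()); throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString() }); }`. `String oaURL =new String();` can simply be `String oaURL = "";`, and the duplicated `return authBlock;` plus the trailing blank lines could collapse into a single return after the if/else. The enclosing method starts outside this hunk.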
@@ -1107,7 +1164,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
.buildAuthBlock(issuer, issueInstant, authURL, target,
targetFriendlyName, identificationValue,
identificationType, oaURL, gebDat,
- extendedSAMLAttributes, session);
+ extendedSAMLAttributes, session, oaParam);
return authBlock;
}
@@ -1807,7 +1864,11 @@ public class AuthenticationServer implements MOAIDAuthConstants {
REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE });
}
// validates <CreateXMLSignatureResponse>
- new CreateXMLSignatureResponseValidator().validate(csresp, session);
+ if (session.isSsoRequested())
+ new CreateXMLSignatureResponseValidator().validateSSO(csresp, session);
+ else
+ new CreateXMLSignatureResponseValidator().validate(csresp, session);
+
// builds a <VerifyXMLSignatureRequest> for a MOA-SPSS call
List<String> vtids = authConf.getMoaSpAuthBlockVerifyTransformsInfoIDs();
String tpid = authConf.getMoaSpAuthBlockTrustProfileID();
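Review bot: The new `if (session.isSsoRequested())` / `else` around the validator call has no braces and constructs `CreateXMLSignatureResponseValidator` twice; suggest `CreateXMLSignatureResponseValidator validator = new CreateXMLSignatureResponseValidator(); if (session.isSsoRequested()) { validator.validateSSO(csresp, session); } else { validator.validate(csresp, session); }`. Because this line decides which checks a signed response must pass, a one-line comment stating what `validateSSO` relaxes relative to `validate` would help reviewers; the validator itself is listed in the diffstat but not in this chunk. The enclosing method starts and ends outside this hunk.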
@@ -2191,13 +2252,9 @@ public class AuthenticationServer implements MOAIDAuthConstants {
IdentityLink identityLink = session.getIdentityLink();
AuthenticationData authData = new AuthenticationData();
-
-// OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
-// .getOnlineApplicationParameter(session.getPublicOAURLPrefix());
-
+
VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse();
- boolean useUTC = oaParam.getUseUTC();
- boolean isForeigner = session.isForeigner();
+ boolean useUTC = oaParam.getUseUTC();
boolean businessService = oaParam.getBusinessService();
authData.setMajorVersion(1);
@@ -2206,7 +2263,11 @@ public class AuthenticationServer implements MOAIDAuthConstants {
authData.setIssuer(session.getAuthURL());
authData.setIssueInstant(DateTimeUtils.buildDateTime(Calendar
.getInstance(), useUTC));
+
+ //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO
+ authData.setIdentificationValue(identityLink.getIdentificationValue());
authData.setIdentificationType(identityLink.getIdentificationType());
+
authData.setGivenName(identityLink.getGivenName());
authData.setFamilyName(identityLink.getFamilyName());
authData.setDateOfBirth(identityLink.getDateOfBirth());
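Review bot: `authData.setIdentificationValue(identityLink.getIdentificationValue())` is new and unconditional, and the comment above it says this is the baseID for a public-sector OA; copying the Stammzahl into `AuthenticationData` without any guard is exactly what the removed `provideStammzahl`-guarded draft further down in this class avoided. Whether the value reaches the OA depends on code outside this hunk, but either a guard such as `if (oaParam.getProvideStammzahl()) { authData.setIdentificationValue(identityLink.getIdentificationValue()); }` or a comment naming the place where it is stripped before release would make the intent auditable. The enclosing method starts and ends outside this hunk.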
@@ -2218,105 +2279,58 @@ public class AuthenticationServer implements MOAIDAuthConstants {
authData.setBkuURL(session.getBkuURL());
authData.setUseUTC(oaParam.getUseUTC());
- //TODO: check correctness
-// boolean provideStammzahl = oaParam.getProvideStammzahl();
-// if (provideStammzahl) {
-// authData.setIdentificationValue(identityLink
-// .getIdentificationValue());
-// }
-
-// String prPerson = new PersonDataBuilder().build(identityLink,
-// provideStammzahl);
-
try {
-// String signerCertificateBase64 = "";
-// if (oaParam.getProvideCertifcate()) {
-// X509Certificate signerCertificate = verifyXMLSigResp
-// .getX509certificate();
-// if (signerCertificate != null) {
-// signerCertificateBase64 = Base64Utils
-// .encode(signerCertificate.getEncoded());
-// } else {
-// Logger
-// .info("\"provideCertificate\" is \"true\", but no signer certificate available");
-// }
-// }
-// authData.setSignerCertificate(signerCertificateBase64);
- if(!isForeigner) {
- //we have Austrian citizen
- if (businessService) {
- authData.setBPK(identityLink.getIdentificationValue());
- authData.setBPKType(identityLink.getIdentificationType());
-
- } else {
-
- // OLD! BZ.., calculation of bPK already before sending AUTHBlock
- //TL: identitylLink holds the BASEID, bPK is only calculated for AUTHBlock
- //authData.setBPK(identityLink.getIdentificationValue());
-
- // only compute bPK if online application is a public service and we have the Stammzahl
- if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
- String bpkBase64 = new BPKBuilder().buildBPK(
- identityLink.getIdentificationValue(), target);
- authData.setBPK(bpkBase64);
- authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
- }
- }
- } else {
- //we have foreigner, thus we have to calculate bPK and wbPK now (after receiving identity link from SZR-GW
- if (businessService) {
- //since we have foreigner, wbPK is not calculated in BKU
- if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
+ //TODO: resign the IdentityLink!!!
+
+ if (businessService) {
+ //since we have foreigner, wbPK is not calculated in BKU
+ if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
- String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
-
- if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) {
- // If domainIdentifier starts with prefix
- // "urn:publicid:gv.at:wbpk+"; remove this prefix
- registerAndOrdNr = registerAndOrdNr
- .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length());
- Logger.debug("Register and ordernumber prefix stripped off; resulting register string: "
- + registerAndOrdNr);
- }
+ String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
+
+ if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) {
+ // If domainIdentifier starts with prefix
+ // "urn:publicid:gv.at:wbpk+"; remove this prefix
+ registerAndOrdNr = registerAndOrdNr
+ .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length());
+ Logger.debug("Register and ordernumber prefix stripped off; resulting register string: "
+ + registerAndOrdNr);
+ }
- String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr);
- authData.setBPK(wbpkBase64);
- authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr);
- }
+ String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr);
+ authData.setBPK(wbpkBase64);
+ authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr);
} else {
+ authData.setBPK(identityLink.getIdentificationValue());
+ authData.setBPKType(identityLink.getIdentificationType());
+ }
+
+ Element idlassertion = session.getIdentityLink().getSamlAssertion();
+ //set bpk/wpbk;
+ Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
+ prIdentification.getFirstChild().setNodeValue(authData.getBPK());
+ //set bkp/wpbk type
+ Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH);
+ prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType());
+
+ IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion);
+ IdentityLink idl = idlparser.parseIdentityLink();
+ authData.setIdentityLink(idl);
+
+ } else {
- if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
- // only compute bPK if online application is a public service and we have the Stammzahl
- String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target);
- authData.setBPK(bpkBase64);
- authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
- }
-
-
+ if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
+ // only compute bPK if online application is a public service and we have the Stammzahl
+ String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target);
+ authData.setBPK(bpkBase64);
+ authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
}
+ authData.setIdentityLink(identityLink);
}
-// String ilAssertion = oaParam.getProvideIdentityLink() ? identityLink
-// .getSerializedSamlAssertion()
-// : "";
-// if (!oaParam.getProvideStammzahl()) {
-// ilAssertion = StringUtils.replaceAll(ilAssertion, identityLink
-// .getIdentificationValue(), "");
-// }
-// String authBlock = oaParam.getProvideAuthBlock() ? session
-// .getAuthBlock() : "";
-
-
- //TODO: check, if this elements are in use!!!!
-// session.setAssertionAuthBlock(authBlock);
-// session.setAssertionAuthData(authData);
-// session.setAssertionBusinessService(businessService);
-// session.setAssertionIlAssertion(ilAssertion);
-// session.setAssertionPrPerson(prPerson);
-// session.setAssertionSignerCertificateBase64(signerCertificateBase64);
-
+
return authData;
} catch (Throwable ex) {
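Review bot: In the business-service branch, `session.getIdentityLink().getSamlAssertion()` is edited in place (`prIdentification.getFirstChild().setNodeValue(...)`) without `cloneNode(true)`, so the identity link stored in the session now carries the wbPK instead of the baseID while still carrying the issuer's original signature — the `//TODO: resign the IdentityLink!!!` covers the signature, but the session-side mutation is a separate problem. `XPathUtils.selectSingleNode` can return null (the removed `InfoboxValidatorParamsBuilder` code null-checks the same XPath) and `getFirstChild()` may be null on an empty element, and both would land in the `catch (Throwable ex)` below with the context lost. The comment `//since we have foreigner, wbPK is not calculated in BKU` is stale now that the `isForeigner` distinction was removed from this method, which starts and ends outside the hunk. I'd clone the assertion and guard the XPath results before editing:
```java
// … unchanged: wbPK / bPK computation and authData.setBPK / setBPKType …
Element idlassertion = (Element) session.getIdentityLink().getSamlAssertion().cloneNode(true);
Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH);
if (prIdentification == null || prIdentification.getFirstChild() == null
        || prIdentificationType == null || prIdentificationType.getFirstChild() == null) {
    throw new IllegalStateException("IdentityLink assertion has no PersonData identification value/type");
}
prIdentification.getFirstChild().setNodeValue(authData.getBPK());
prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType());
// … unchanged: re-parse idlassertion and authData.setIdentityLink(idl) …
```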
@@ -2326,27 +2340,6 @@ public class AuthenticationServer implements MOAIDAuthConstants {
}
/**
- * Creates a new session and puts it into the session store.
- *
- * @param id
- * Session ID
- * @return AuthenticationSession created
- * @exception AuthenticationException
- * thrown when an <code>AuthenticationSession</code> is
- * running already for the given session ID
- */
- private static AuthenticationSession newSession()
- throws AuthenticationException {
-
- try {
- return AuthenticationSessionStoreage.createSession();
-
- } catch (MOADatabaseException e) {
- throw new AuthenticationException("", null);
- }
- }
-
- /**
* Retrieves a session from the session store.
*
* @param id
@@ -2633,6 +2626,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
}
}
+
+ //TODO: check Target in case of SSO!!
String spSector = StringUtils.isEmpty(moasession.getTarget()) ? "Business" : moasession.getTarget();
String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName();
String spApplication = spInstitution;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index 47bf61db4..e1552a5a6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -48,6 +48,7 @@ public interface MOAIDAuthConstants {
public static final String PARAM_BKU = "bkuURI";
public static final String PARAM_MODUL = "MODUL";
public static final String PARAM_ACTION = "ACTION";
+ public static final String PARAM_SSO = "SSO";
/** servlet parameter &quot;sourceID&quot; */
public static final String PARAM_SOURCEID = "sourceID";
/** servlet parameter &quot;BKUSelectionTemplate&quot; */
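Review bot: `PARAM_SSO` is the only constant in this run without the `/** servlet parameter ... */` Javadoc its neighbours carry, and nothing says what value the parameter is expected to hold. Add `/** servlet parameter &quot;SSO&quot;: requests a single-sign-on login */` above it, adjusting the second half to whatever the servlet actually checks, which is outside this chunk.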
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index fb45e517d..abb33203c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -59,6 +59,7 @@ import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.StringUtils;
/**
@@ -120,6 +121,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
* The number of SAML attributes included in this AUTH-Block (without the extended SAML attributes).
*/
public static final int NUM_OF_SAML_ATTRIBUTES = 4;
+ public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 3;
/**
* Constructor for AuthenticationBlockAssertionBuilder.
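Review bot: `NUM_OF_SAML_ATTRIBUTES_SSO` has no Javadoc while its neighbour `NUM_OF_SAML_ATTRIBUTES` documents what it counts, so a reader cannot tell which attribute the SSO AUTH-Block drops. Add the matching Javadoc, e.g. `/** The number of SAML attributes included in an SSO AUTH-Block (without the extended SAML attributes). */`, naming the omitted attribute if that is known — from `buildAuthBlockSSO` in this commit it appears to be the bPK/wbPK attribute, but the `AUTH_BLOCK` template is not visible here.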
@@ -168,23 +170,14 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
String oaURL,
String gebDat,
List extendedSAMLAttributes,
- AuthenticationSession session)
+ AuthenticationSession session,
+ OAAuthParameter oaParam)
throws BuildException
{
session.setSAMLAttributeGebeORwbpk(true);
String gebeORwbpk = "";
String wbpkNSDeclaration = "";
-
- //reading OA parameters
- OAAuthParameter oaParam;
- try {
- oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
- session.getPublicOAURLPrefix());
- } catch (ConfigurationException e) {
- Logger.error("Error on building AUTH-Block: " + e.getMessage());
- throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
- }
-
+
if (target == null) {
// OA is a business application
if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) {
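Review bot: `buildAuthBlock` now receives `oaParam` from the caller, but the parameter is never null-checked, so a null argument surfaces as a NullPointerException far from the call site instead of the `BuildException("builder.00", ...)` the removed lookup produced; if the method has Javadoc above this hunk it also needs a `@param oaParam` line. Guard it at the top, e.g. `if (oaParam == null) { throw new BuildException("builder.00", new Object[] { "AUTH-Block", "oaParam is null" }); }`, and document it as `@param oaParam configuration of the online application, formerly looked up via session.getPublicOAURLPrefix()`. Note that the `//TODO: load special text` hunks further down in this file still call `AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(...)` instead of using this parameter. The method continues outside this hunk.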
@@ -216,7 +209,6 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
//no business service, adding bPK
- System.out.println("identityLinkValue: " + identityLinkValue);
if (identityLinkValue != null) {
Element bpkSamlValueElement;
try {
@@ -264,9 +256,15 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
extendedSAMLAttributes.add(oaFriendlyNameAttribute);
- //TODO: load special text from OAconfig
- //String text = "Hiermit bestätige ich, #NAME#, die Übernahme sämtlicher eingelangter Zustellstücke zum #DATE# um #TIME#.";
String text = "";
+ try {
+ OAAuthParameter oaparam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix());
+ if (MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText()))
+ Logger.info("Use addional AuthBlock Text from OA=" + oaparam.getPublicURLPrefix());
+ } catch (ConfigurationException e) {
+ Logger.warn("Addional AuthBlock Text can not loaded from OA!", e);
+ }
+
String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
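Review bot: The additional-text lookup re-fetches the OA parameters via `AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix())` although this method now receives `oaParam` from the caller (signature hunk above); the second lookup can disagree with the passed object, costs another configuration access, and reintroduces the `ConfigurationException` path the caller already handled. Replace the try block with `String text = oaParam.getAditionalAuthBlockText(); if (MiscUtil.isNotEmpty(text)) { Logger.info("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); } else { text = ""; }`, which also drops the assignment-inside-condition `MiscUtil.isNotEmpty(text = ...)` and keeps `text` non-null. The same pattern appears in the second `//TODO: load special text` hunk of this file (the one after `//..BZ`); if that method also receives `oaParam`, apply the same change there. The enclosing method starts and ends outside this hunk.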
@@ -406,9 +404,14 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
extendedSAMLAttributes.add(oaFriendlyNameAttribute);
//..BZ
- //TODO: load special text from OAconfig
- //String text = "Hiermit bestätige ich, #NAME#, die Übernahme sämtlicher eingelangter Zustellstücke zum #DATE# um #TIME#.";
String text = "";
+ try {
+ OAAuthParameter oaparam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix());
+ if (MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText()))
+ Logger.info("Use addional AuthBlock Text from OA=" + oaparam.getPublicURLPrefix());
+ } catch (ConfigurationException e) {
+ Logger.warn("Addional AuthBlock Text can not loaded from OA!", e);
+ }
String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
new Object[] { generateSpecialText(text, issuer, issueInstant) });
@@ -464,4 +467,92 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
return null;
}
+ public String buildAuthBlockSSO(
+ String issuer,
+ String issueInstant,
+ String authURL,
+ String target,
+ String targetFriendlyName,
+ String identityLinkValue,
+ String identityLinkType,
+ String oaURL,
+ String gebDat,
+ List extendedSAMLAttributes,
+ AuthenticationSession session,
+ OAAuthParameter oaParam)
+ throws BuildException
+ {
+ session.setSAMLAttributeGebeORwbpk(true);
+ String gebeORwbpk = "";
+ String wbpkNSDeclaration = "";
+
+ if (target != null) {
+
+ boolean useMandate = session.getUseMandate();
+ if (useMandate) {
+ String mandateReferenceValue = Random.nextRandom();
+ // remove leading "-"
+ if (mandateReferenceValue.startsWith("-"))
+ mandateReferenceValue = mandateReferenceValue.substring(1);
+
+ session.setMandateReferenceValue(mandateReferenceValue);
+
+ ExtendedSAMLAttribute mandateReferenceValueAttribute =
+ new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
+
+ extendedSAMLAttributes.add(mandateReferenceValueAttribute);
+ }
+ }
+
+ //adding friendly name of OA
+ String friendlyname;
+ try {
+ friendlyname = AuthConfigurationProvider.getInstance().getSSOFriendlyName();
+
+ ExtendedSAMLAttribute oaFriendlyNameAttribute =
+ new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+
+ extendedSAMLAttributes.add(oaFriendlyNameAttribute);
+
+
+ String text = AuthConfigurationProvider.getInstance().getSSOSpecialText();
+
+ if (MiscUtil.isEmpty(text))
+ text="";
+ String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
+ new Object[] { generateSpecialText(text, issuer, issueInstant) });
+
+
+
+
+ String assertion;
+
+ assertion = MessageFormat.format(
+ AUTH_BLOCK, new Object[] {
+ wbpkNSDeclaration,
+ issuer,
+ issueInstant,
+ authURL,
+ gebeORwbpk,
+ oaURL,
+ gebDat,
+ specialText,
+ buildExtendedSAMLAttributes(extendedSAMLAttributes)});
+
+ return assertion;
+
+ } catch (ParseException e) {
+ Logger.error("Error on building AUTH-Block: " + e.getMessage());
+ throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
+
+ } catch (ConfigurationException e) {
+ Logger.error("Error on building AUTH-Block: " + e.getMessage());
+ throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
+ }
+
+
+
+ }
+
+
}
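Review bot: `buildAuthBlockSSO` has no Javadoc, and `targetFriendlyName`, `identityLinkValue`, `identityLinkType` and `oaParam` are never read while `gebeORwbpk` and `wbpkNSDeclaration` are always `""`, so the SSO AUTH-Block never contains a bPK/wbPK attribute — the most important fact about this method, and it is stated nowhere. Add a Javadoc with a summary such as `Builds the AUTH-Block for an SSO login: like buildAuthBlock, but with friendly name and special text taken from the global SSO configuration and without a bPK/wbPK attribute`, `@param` lines marking which arguments are accepted only for signature parity with `buildAuthBlock`, and `@throws BuildException` for the two catch blocks. Those two `catch` blocks are identical and the `useMandate` block appears to mirror the mandate handling of `buildAuthBlock` (not visible in this chunk), so a private helper for each would remove the duplication. The method is complete within this hunk.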
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
index 6a9a5b765..023b36d83 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
@@ -92,7 +92,12 @@ public class BPKBuilder {
identificationValue + ",Register+Registernummer=" + registerAndOrdNr});
}
- String basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr;
+ String basisbegriff;
+ if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+" ))
+ basisbegriff = identificationValue + "+" + registerAndOrdNr;
+ else
+ basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr;
+
try {
MessageDigest md = MessageDigest.getInstance("SHA-1");
byte[] hash = md.digest(basisbegriff.getBytes("ISO-8859-1"));
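Review bot: `buildWBPK` now accepts `registerAndOrdNr` both with and without the `Constants.URN_PREFIX_WBPK + "+"` prefix, while the caller in `AuthenticationServer` in this same commit strips `AuthenticationSession.REGISTERANDORDNR_PREFIX_` itself before calling; `basisbegriff` is hashed, so the two normalisations must agree exactly or the same person can end up with two different wbPKs depending on the call path. Keep the normalisation in one place and document the accepted input at the method, e.g. `// registerAndOrdNr may be passed with or without the "urn:publicid:gv.at:wbpk+" prefix; both forms yield the same basisbegriff` — assuming `REGISTERANDORDNR_PREFIX_` equals `URN_PREFIX_WBPK + "+"`, which this chunk does not show. The method starts and ends outside this hunk.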
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java
index 913b12d49..0a526ebbe 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java
@@ -59,52 +59,52 @@ public class InfoboxValidatorParamsBuilder {
*
* @return Parameters for validating an infobox token.
*/
- public static InfoboxValidatorParams buildInfoboxValidatorParams(
- AuthenticationSession session,
- VerifyInfoboxParameter verifyInfoboxParameter,
- List infoboxTokenList,
- OAAuthParameter oaParam)
- {
- InfoboxValidatorParamsImpl infoboxValidatorParams = new InfoboxValidatorParamsImpl();
- IdentityLink identityLink = session.getIdentityLink();
-
- // the infobox token to validate
- infoboxValidatorParams.setInfoboxTokenList(infoboxTokenList);
- // configuration parameters
- infoboxValidatorParams.setTrustProfileID(verifyInfoboxParameter.getTrustProfileID());
- infoboxValidatorParams.setSchemaLocations(verifyInfoboxParameter.getSchemaLocations());
- infoboxValidatorParams.setApplicationSpecificParams(verifyInfoboxParameter.getApplicationSpecificParams());
- // authentication session parameters
- infoboxValidatorParams.setBkuURL(session.getBkuURL());
- infoboxValidatorParams.setTarget(session.getTarget());
- infoboxValidatorParams.setDomainIdentifier(oaParam.getIdentityLinkDomainIdentifier());
- infoboxValidatorParams.setBusinessApplication(session.getBusinessService());
- // parameters from the identity link
- infoboxValidatorParams.setFamilyName(identityLink.getFamilyName());
- infoboxValidatorParams.setGivenName(identityLink.getGivenName());
- infoboxValidatorParams.setDateOfBirth(identityLink.getDateOfBirth());
- if (verifyInfoboxParameter.getProvideStammzahl()) {
- infoboxValidatorParams.setIdentificationValue(identityLink.getIdentificationValue());
- }
- infoboxValidatorParams.setIdentificationType(identityLink.getIdentificationType());
- infoboxValidatorParams.setPublicKeys(identityLink.getPublicKey());
- if (verifyInfoboxParameter.getProvideIdentityLink()) {
- Element identityLinkElem = (Element)identityLink.getSamlAssertion().cloneNode(true);
- if (!verifyInfoboxParameter.getProvideStammzahl()) {
- Element identificationValueElem =
- (Element)XPathUtils.selectSingleNode(identityLinkElem, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
- if (identificationValueElem != null) {
- identificationValueElem.getFirstChild().setNodeValue("");
- }
- }
- infoboxValidatorParams.setIdentityLink(identityLinkElem);
- }
-
- //TODO: check if this is Protocol specific
- //infoboxValidatorParams.setHideStammzahl(!oaParam.getProvideStammzahl());
- infoboxValidatorParams.setHideStammzahl(true);
-
- return infoboxValidatorParams;
- }
+// public static InfoboxValidatorParams buildInfoboxValidatorParams(
+// AuthenticationSession session,
+// VerifyInfoboxParameter verifyInfoboxParameter,
+// List infoboxTokenList,
+// OAAuthParameter oaParam)
+// {
+// InfoboxValidatorParamsImpl infoboxValidatorParams = new InfoboxValidatorParamsImpl();
+// IdentityLink identityLink = session.getIdentityLink();
+//
+// // the infobox token to validate
+// infoboxValidatorParams.setInfoboxTokenList(infoboxTokenList);
+// // configuration parameters
+// infoboxValidatorParams.setTrustProfileID(verifyInfoboxParameter.getTrustProfileID());
+// infoboxValidatorParams.setSchemaLocations(verifyInfoboxParameter.getSchemaLocations());
+// infoboxValidatorParams.setApplicationSpecificParams(verifyInfoboxParameter.getApplicationSpecificParams());
+// // authentication session parameters
+// infoboxValidatorParams.setBkuURL(session.getBkuURL());
+// infoboxValidatorParams.setTarget(session.getTarget());
+// infoboxValidatorParams.setDomainIdentifier(oaParam.getIdentityLinkDomainIdentifier());
+// infoboxValidatorParams.setBusinessApplication(session.getBusinessService());
+// // parameters from the identity link
+// infoboxValidatorParams.setFamilyName(identityLink.getFamilyName());
+// infoboxValidatorParams.setGivenName(identityLink.getGivenName());
+// infoboxValidatorParams.setDateOfBirth(identityLink.getDateOfBirth());
+// if (verifyInfoboxParameter.getProvideStammzahl()) {
+// infoboxValidatorParams.setIdentificationValue(identityLink.getIdentificationValue());
+// }
+// infoboxValidatorParams.setIdentificationType(identityLink.getIdentificationType());
+// infoboxValidatorParams.setPublicKeys(identityLink.getPublicKey());
+// if (verifyInfoboxParameter.getProvideIdentityLink()) {
+// Element identityLinkElem = (Element)identityLink.getSamlAssertion().cloneNode(true);
+// if (!verifyInfoboxParameter.getProvideStammzahl()) {
+// Element identificationValueElem =
+// (Element)XPathUtils.selectSingleNode(identityLinkElem, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
+// if (identificationValueElem != null) {
+// identificationValueElem.getFirstChild().setNodeValue("");
+// }
+// }
+// infoboxValidatorParams.setIdentityLink(identityLinkElem);
+// }
+//
+// //TODO: check if this is Protocol specific
+// //infoboxValidatorParams.setHideStammzahl(!oaParam.getProvideStammzahl());
+// infoboxValidatorParams.setHideStammzahl(true);
+//
+// return infoboxValidatorParams;
+// }
}
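Review bot: The whole `buildInfoboxValidatorParams` method is commented out rather than deleted, leaving 48 lines of dead text and, as far as this chunk shows, a class with no remaining members; the previous revision is preserved in git, so delete the method (and the class if nothing is left) or keep it compiling. If the removal is temporary, a single class-level `// TODO(<ticket-id>): re-enable once <replacement> builds these parameters` naming what replaces it is enough — the removed code's own `//TODO: check if this is Protocol specific` hints that the protocol layer now does this, but that is not visible here.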
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java
index ed55d660c..5f100d5fe 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java
@@ -12,8 +12,6 @@ import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol;
import at.gv.egovernment.moa.logging.Logger;
public class LoginFormBuilder {
-
- private static String SERVLET = "./GenerateIframeTemplate";
private static String AUTH_URL = "#AUTH_URL#";
private static String MODUL = "#MODUL#";
@@ -22,6 +20,9 @@ public class LoginFormBuilder {
private static String BKU_ONLINE = "#ONLINE#";
private static String BKU_HANDY = "#HANDY#";
private static String BKU_LOCAL = "#LOCAL#";
+ private static String CONTEXTPATH = "#CONTEXTPATH#";
+
+ private static String SERVLET = CONTEXTPATH+"/GenerateIframeTemplate";
private static String template;
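Review bot: The new `SERVLET` value expands to the literal text `#CONTEXTPATH#/GenerateIframeTemplate`, so the servlet path is only correct if the code that substitutes `SERVLET` into the template runs before the `CONTEXTPATH` replacement in buildLoginForm, and that ordering constraint is stated nowhere. Add a comment on the declaration such as `// contains the CONTEXTPATH placeholder: must be substituted before CONTEXTPATH is replaced in buildLoginForm()`. These placeholders are also plain mutable statics; `private static final String` would make clear they are constants. The place where SERVLET is substituted is outside this hunk.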
@@ -48,7 +49,7 @@ public class LoginFormBuilder {
return template;
}
- public static String buildLoginForm(String modul, String action, String oaname) {
+ public static String buildLoginForm(String modul, String action, String oaname, String contextpath) {
String value = getTemplate();
if(value != null) {
@@ -61,6 +62,7 @@ public class LoginFormBuilder {
value = value.replace(MODUL, modul);
value = value.replace(ACTION, action);
value = value.replace(OANAME, oaname);
+ value = value.replace(CONTEXTPATH, contextpath);
}
return value;
}
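Review bot: The added `value.replace(CONTEXTPATH, contextpath)` throws a NullPointerException when `contextpath` is null, because String.replace(CharSequence, CharSequence) rejects a null replacement, and every caller of buildLoginForm has only just been changed to supply the new argument. Guard it, e.g. `value = value.replace(CONTEXTPATH, contextpath == null ? "" : contextpath);`. The value is written into the HTML form unescaped, so it should only ever be the servlet container's context path and never request data; a Javadoc line `@param contextpath the web application context path as reported by the container, inserted verbatim into the form` would pin that contract.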
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
index ffe938d89..94a41a21f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
@@ -145,8 +145,6 @@ public class AuthenticationSession implements Serializable {
*/
private String misSessionID;
- private String mandateData;
-
//store Identitylink
/**
* identity link read from smartcard
@@ -231,6 +229,7 @@ public class AuthenticationSession implements Serializable {
private boolean authenticated;
private boolean authenticatedUsed = false;
+ private boolean ssoRequested = false;
// /**
// * Indicates if target from configuration is used or not
@@ -294,15 +293,6 @@ public class AuthenticationSession implements Serializable {
public void setAction(String action) {
this.action = action;
}
-
- public String getMandateData() {
- return mandateData;
- }
-
- public void setMandateData(String mandateData) {
- this.mandateData = mandateData;
- }
-
// public AuthenticationData getAuthData() {
// return authData;
@@ -1106,8 +1096,23 @@ public class AuthenticationSession implements Serializable {
}catch (Throwable e) {
Logger.warn("Mandate content could not be generated from MISMandate.");
return null;
- }
-
-
+ }
}
+
+ /**
+ * @return the ssoRequested
+ */
+
+ //TODO: SSO only allowed without mandates, actually
+ public boolean isSsoRequested() {
+ return ssoRequested && !useMandate;
+ }
+
+ /**
+ * @param ssoRequested the ssoRequested to set
+ */
+ public void setSsoRequested(boolean ssoRequested) {
+ this.ssoRequested = ssoRequested;
+ }
+
}
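Review bot: The Javadoc on `isSsoRequested` says `@return the ssoRequested`, but the method returns `ssoRequested && !useMandate`, so a reader of the doc would expect a plain getter and miss that a mandate silently disables SSO. Replace it with `@return {@code true} only if SSO was requested for this session and no mandate is used (SSO with mandates is not supported yet)` and move the `//TODO` line below the Javadoc so the doc comment directly precedes the declaration. `useMandate` is declared outside this hunk.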
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
index cb3ed5ad9..a468caf73 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
@@ -122,7 +122,7 @@ public class IdentityLinkAssertionParser {
+ "Value";
/** Xpath expression to the Identification Value element */
- private static final String PERSON_IDENT_TYPE_XPATH =
+ public static final String PERSON_IDENT_TYPE_XPATH =
PERSON_XPATH
+ "/"
+ PDATA
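Review bot: `PERSON_IDENT_TYPE_XPATH` becomes public API with this change, but its Javadoc on the context line above still reads "Xpath expression to the Identification Value element", which describes the neighbouring PERSON_IDENT_VALUE_XPATH constant. Since external callers will now rely on it, correct it to `/** Xpath expression to the Identification Type element */`.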
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
index b0a4f2f8a..3f82c2a4c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
@@ -36,6 +36,8 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
String targetFriendlyName = null;
+ String sso = req.getParameter(PARAM_SSO);
+
// escape parameter strings
//TODO: use URLEncoder.encode!!
target = StringEscapeUtils.escapeHtml(target);
@@ -44,7 +46,8 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
templateURL = StringEscapeUtils.escapeHtml(templateURL);
useMandate = StringEscapeUtils.escapeHtml(useMandate);
ccc = StringEscapeUtils.escapeHtml(ccc);
-
+ sso = StringEscapeUtils.escapeHtml(sso);
+
// check parameter
if (!ParamValidatorUtils.isValidOA(oaURL))
throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12");
@@ -52,7 +55,9 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12");
if (!ParamValidatorUtils.isValidCCC(ccc))
throw new WrongParametersException("StartAuthentication", PARAM_CCC, "auth.12");
-
+ if (!ParamValidatorUtils.isValidUseMandate(sso))
+ throw new WrongParametersException("StartAuthentication", PARAM_SSO, "auth.12");
+
//check UseMandate flag
String useMandateString = null;
boolean useMandateBoolean = false;
@@ -68,7 +73,23 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
useMandateBoolean = false;
moasession.setUseMandate(useMandateString);
-
+
+
+ //check useSSO flag
+ String useSSOString = null;
+ boolean useSSOBoolean = false;
+ if ((sso != null) && (sso.compareTo("") != 0)) {
+ useSSOString = sso;
+ } else {
+ useSSOString = "false";
+ }
+
+ if (useSSOString.compareToIgnoreCase("true") == 0)
+ useSSOBoolean = true;
+ else
+ useSSOBoolean = false;
+ moasession.setSsoRequested(useSSOBoolean);
+
//load OnlineApplication configuration
OAAuthParameter oaParam;
if (moasession.getPublicOAURLPrefix() != null) {
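Review bot: The eleven added lines that turn `sso` into a boolean are equivalent to `moasession.setSsoRequested(Boolean.parseBoolean(sso));`, since Boolean.parseBoolean returns false for null and otherwise compares case-insensitively against "true", which is exactly what the null/empty check plus `compareToIgnoreCase("true") == 0` computes. The `useMandate` block above has the same shape but is pre-existing and stores a String, so only the new block is worth collapsing; keep the `//check useSSO flag` comment on the single line. The enclosing method starts and ends outside this hunk.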
@@ -126,9 +147,11 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
}
moasession.setPublicOAURLPrefix(oaParam.getPublicURLPrefix());
+
+ //TODO: check for SSO
moasession.setTarget(target);
- moasession.setTargetFriendlyName(targetFriendlyName);
moasession.setBusinessService(oaParam.getBusinessService());
+ moasession.setTargetFriendlyName(targetFriendlyName);
moasession.setDomainIdentifier(oaParam.getIdentityLinkDomainIdentifier());
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index 310f3509c..5a0bd33bf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -9,6 +9,8 @@ import javax.servlet.http.HttpServletResponse;
import at.gv.egovernment.moa.id.auth.builder.RedirectFormBuilder;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moa.util.URLEncoder;
@@ -16,16 +18,31 @@ public class RedirectServlet extends AuthServlet{
private static final long serialVersionUID = 1L;
- public static final String REDIRCT_GETPARAM = "redirecturl";
+ public static final String REDIRCT_PARAM_URL = "redirecturl";
+
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
Logger.info("Receive " + RedirectServlet.class + " Request");
- String url = req.getParameter(REDIRCT_GETPARAM);
+ String url = req.getParameter(REDIRCT_PARAM_URL);
+ String target = req.getParameter(PARAM_TARGET);
+ String artifact = req.getParameter(PARAM_SAMLARTIFACT);
Logger.info("Redirect to " + url);
+ if (MiscUtil.isNotEmpty(target)) {
+// redirectURL = addURLParameter(redirectURL, PARAM_TARGET,
+// URLEncoder.encode(session.getTarget(), "UTF-8"));
+ url = addURLParameter(url, PARAM_TARGET,
+ URLEncoder.encode(target, "UTF-8"));
+
+
+ }
+ url = addURLParameter(url, PARAM_SAMLARTIFACT,
+ URLEncoder.encode(artifact, "UTF-8"));
+ url = resp.encodeRedirectURL(url);
+
String redirect_form = RedirectFormBuilder.buildLoginForm(url);
resp.setContentType("text/html;charset=UTF-8");
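Review bot: `url` comes straight from the `redirecturl` request parameter and, after the added lines, carries the SAML artifact (`PARAM_SAMLARTIFACT`) to wherever it points, yet nothing in doGet checks that the destination belongs to a configured online application before the redirect form is built. Validate it against the configured OA public URL prefix (the AuthConfigurationProvider / OAAuthParameter lookup used elsewhere in this commit) and abort with a logged error on a mismatch, so the artifact is never handed to an unknown destination. `artifact` is also read and encoded without the `MiscUtil.isNotEmpty` guard that `target` gets; if this URLEncoder behaves like java.net.URLEncoder, a request without the parameter fails with a NullPointerException. The two commented-out lines above the first `addURLParameter` call are dead code and should be dropped. doGet continues past the end of this hunk.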
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
index f8a828f6f..adef74370 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
@@ -207,13 +207,17 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet {
String mandateReferenceValue = session.getMandateReferenceValue();
byte[] cert = session.getEncodedSignerCertificate();
- String targetType = null;
-
- if(session.getBusinessService()) {
- targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+session.getDomainIdentifier();
+ //TODO: check in case of SSO!!!
+ String targetType = null;
+ if(oaParam.getBusinessService()) {
+ String id = oaParam.getIdentityLinkDomainIdentifier();
+ if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
+ targetType = id;
+ else
+ targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+session.getDomainIdentifier();
} else {
- targetType = AuthenticationSession.TARGET_PREFIX_ + session.getTarget();
+ targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
}
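Review bot: In the business-service branch `id.startsWith(...)` dereferences `oaParam.getIdentityLinkDomainIdentifier()` without a null check, and the else-branch falls back to `session.getDomainIdentifier()` instead of `id`, so targetType is assembled from two different sources while the non-business branch now uses `oaParam.getTarget()` exclusively. If the two identifiers are meant to be the same value (StartAuthentificationParameterParser copies the OA's identifier into the session), use `id` in both branches, `targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_ + id;`, and guard `id == null` first; if they can legitimately differ under SSO, the `//TODO` should say which one is authoritative. The enclosing method starts and ends outside this hunk.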
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
index 8eaa8341c..2f12c7ae6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
@@ -229,7 +229,8 @@ public class VerifyIdentityLinkServlet extends AuthServlet {
AuthenticationSessionStoreage.storeSession(session);
} catch (MOADatabaseException e) {
- throw new AuthenticationException("", null);
+ Logger.info("No valid MOA session found. Authentification process is abourted.");
+ throw new AuthenticationException("auth.20", null);
}
}
catch (ParseException ex) {
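Review bot: The caught `MOADatabaseException e` is dropped: it is neither passed to the logger nor attached to the new AuthenticationException, so a failing `storeSession` leaves no trace of the underlying database error. Log it with the exception, `Logger.info("...", e)`, if the logger offers the same (String, Throwable) overload that `Logger.warn` has, and unless storeSession only fails for unknown sessions, describe the actual failure ("MOA session could not be stored") rather than "No valid MOA session found". The message also misspells "Authentication" and "aborted". The enclosing try starts outside this hunk.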
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index ba7893412..d0fb1f87f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -35,9 +35,13 @@ import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.StringUtils;
import at.gv.egovernment.moa.util.XPathUtils;
@@ -243,9 +247,15 @@ public class CreateXMLSignatureResponseValidator {
if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
String samlSpecialText = (String)samlAttribute.getValue();
- //TODO:load Text from OA config
- //String text = "Hiermit bestätige ich, #NAME#, die Übernahme sämtlicher eingelangter Zustellstücke zum #DATE# um #TIME#.";
- String text = "";
+ String text = "";
+ try {
+ OAAuthParameter oaparam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix());
+ if (MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText()))
+ Logger.info("Use addional AuthBlock Text from OA=" + oaparam.getPublicURLPrefix());
+ } catch (ConfigurationException e) {
+ Logger.warn("Addional AuthBlock Text can not loaded from OA!", e);
+ }
+
String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, issueInstant);
if (!samlSpecialText.equals(specialText)) {
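Review bot: `text` is reassigned inside the condition (`MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText())`), so when the OA has no additional text and the getter returns null, `text` ends up null instead of the `""` it was initialised to, and generateSpecialText receives null where the removed code always passed an empty string. Assign to a temporary and copy it only on the non-empty branch: `String oaText = oaparam.getAditionalAuthBlockText(); if (MiscUtil.isNotEmpty(oaText)) { text = oaText; Logger.info(...); }`. A null return from `getOnlineApplicationParameter` for an unknown OA would also escape the catch, which handles only ConfigurationException; a null check before the getter call keeps the validator from failing with a NullPointerException. The enclosing method starts and ends outside this hunk.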
@@ -333,6 +343,211 @@ public class CreateXMLSignatureResponseValidator {
}
}
+ /**
+ * The Method validate is used for validating an explicit {@link CreateXMLSignatureResponse}
+ * @param createXMLSignatureResponse
+ * @param session
+ * @throws ValidateException
+ */
+ public void validateSSO(CreateXMLSignatureResponse createXMLSignatureResponse, AuthenticationSession session)
+ throws ValidateException {
+
+ // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
+
+ String oaURL;
+ try {
+ oaURL = AuthConfigurationProvider.getInstance().getSSOPublicUrl();
+ } catch (ConfigurationException e1) {
+ oaURL = new String();
+ }
+
+ IdentityLink identityLink = session.getIdentityLink();
+
+ Element samlAssertion = createXMLSignatureResponse.getSamlAssertion();
+ String issuer = samlAssertion.getAttribute("Issuer");
+ if (issuer == null) {
+ // should not happen, because parser would dedect this
+ throw new ValidateException("validator.32", null);
+ }
+ // replace ' in name with &#39;
+ issuer = issuer.replaceAll("'", "&#39;");
+
+ String issueInstant = samlAssertion.getAttribute("IssueInstant");
+ if (!issueInstant.equals(session.getIssueInstant())) {
+ throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
+ }
+
+ String name = identityLink.getName();
+
+ if (!issuer.equals(name)) {
+ throw new ValidateException("validator.33", new Object[] {issuer, name});
+ }
+
+ SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
+
+ boolean foundOA = false;
+ boolean foundGB = false;
+ boolean foundWBPK = false;
+ int offset = 0;
+
+ // check number of SAML aatributes
+ List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+ int extendedSAMLAttributesNum = 0;
+ if (extendedSAMLAttributes != null) {
+ extendedSAMLAttributesNum = extendedSAMLAttributes.size();
+ }
+ int expectedSAMLAttributeNumber =
+ AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + extendedSAMLAttributesNum;
+ if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
+ int actualSAMLAttributeNumber = samlAttributes.length;
+ if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
+ Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
+ expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
+ throw new ValidateException(
+ "validator.36",
+ new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
+ }
+
+ SAMLAttribute samlAttribute;
+ if (!session.getSAMLAttributeGebeORwbpk()) {
+ offset--;
+ }
+
+ // check the first attribute (must be "OA")
+ samlAttribute = samlAttributes[0 + offset];
+ if (!samlAttribute.getName().equals("OA")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundOA = true;
+ if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch
+ throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
+ }
+ } else {
+ throw new ValidateException("validator.15", null);
+ }
+
+ // check the third attribute (must be "Geburtsdatum")
+ samlAttribute = samlAttributes[1 + offset];
+ if (!samlAttribute.getName().equals("Geburtsdatum")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlDateOfBirth = (String)samlAttribute.getValue();
+ String dateOfBirth = identityLink.getDateOfBirth();
+ if (!samlDateOfBirth.equals(dateOfBirth)) {
+ throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
+ }
+ } else {
+ throw new ValidateException("validator.35", null);
+ }
+
+ // check four attribute could be a special text
+ samlAttribute = samlAttributes[2 + offset];
+ if (!samlAttribute.getName().equals("SpecialText")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlSpecialText = (String)samlAttribute.getValue();
+
+ String text = "";
+ try {
+ if (MiscUtil.isNotEmpty(text = AuthConfigurationProvider.getInstance().getSSOSpecialText()))
+ Logger.info("Use addional AuthBlock Text from SSO=" +text);
+ else
+ text = new String();
+ } catch (ConfigurationException e) {
+ Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e);
+ }
+
+
+ String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, issueInstant);
+ if (!samlSpecialText.equals(specialText)) {
+ throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
+ }
+ } else {
+ throw new ValidateException("validator.35", null);
+ }
+
+ // now check the extended SAML attributes
+ int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset;
+ if (extendedSAMLAttributes != null) {
+ Iterator it = extendedSAMLAttributes.iterator();
+ while (it.hasNext()) {
+ ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
+ samlAttribute = samlAttributes[i];
+ String actualName = samlAttribute.getName();
+ String expectedName = extendedSAMLAttribute.getName();
+ if (!actualName.equals(expectedName)) {
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
+ }
+ String actualNamespace = samlAttribute.getNamespace();
+ String expectedNamespace = extendedSAMLAttribute.getNameSpace();
+ if (!actualNamespace.equals(expectedNamespace)) {
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
+ }
+ Object expectedValue = extendedSAMLAttribute.getValue();
+ Object actualValue = samlAttribute.getValue();
+ try {
+ if (expectedValue instanceof String) {
+ // replace \r\n because text might be base64-encoded
+ String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
+ expValue = StringUtils.replaceAll(expValue,"\n","");
+ String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
+ actValue = StringUtils.replaceAll(actValue,"\n","");
+ if (!expValue.equals(actValue)) {
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
+ }
+ } else if (expectedValue instanceof Element) {
+ // only check the name of the element
+ String actualElementName = ((Element)actualValue).getNodeName();
+ String expectedElementName = ((Element)expectedValue).getNodeName();
+ if (!(expectedElementName.equals(actualElementName))){
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
+ }
+ } else {
+ // should not happen
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
+ }
+ } catch (ClassCastException e) {
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
+ }
+ i++;
+ }
+ }
+
+
+ if (!foundOA) throw new ValidateException("validator.14", null);
+
+ //Check if dsig:Signature exists
+// NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
+// if (nl.getLength() != 1) {
+// throw new ValidateException("validator.05", null);
+// }
+ Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
+ if (dsigSignature == null) {
+ throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
+ }
+ }
+
public void validateSigningDateTime( CreateXMLSignatureResponse csresp) throws ValidateException {
//TODO: insert Time validation!!!!