authorThomas Lenz <tlenz@iaik.tugraz.at>2013-07-24 17:13:31 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2013-07-24 17:13:31 +0200
commitcfb70f755c45a2cad582e8030b1542add9949efb (patch)
tree039123854ab630f81dd2387d0f7636056e9e304a /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls
parent71da4a9bc7e2ff79b2fb4cf8903d15fd75372859 (diff)
- SSO finalized
- SSO session is not closed when a new single-authentication operation is started
- PVP2 configuration from database (but without metadata) --> TODO: change MetaDataProvider
- Add additional user frame in case of SSO
- MOASession encryption

TODO: MetaDataProvider, IdentityLink resign, SSO with mandates, legacy template generation
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java139
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java24
3 files changed, 98 insertions, 68 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 4ec734c41..b6742fb9e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -10,14 +10,17 @@ import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import at.gv.egovernment.moa.id.AuthenticationException;
+import at.gv.egovernment.moa.id.BuildException;
import at.gv.egovernment.moa.id.MOAIDException;
import at.gv.egovernment.moa.id.auth.WrongParametersException;
import at.gv.egovernment.moa.id.auth.builder.LoginFormBuilder;
+import at.gv.egovernment.moa.id.auth.builder.SendAssertionFormBuilder;
import at.gv.egovernment.moa.id.auth.builder.StartAuthenticationBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.parser.StartAuthentificationParameterParser;
import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.config.OAParameter;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
@@ -119,33 +122,40 @@ public class AuthenticationManager extends AuthServlet {
try {
authSession = AuthenticationSessionStoreage.getSession(sessionID);
- } catch (MOADatabaseException e) {
- return false;
- }
+
- if (authSession != null) {
- Logger.info("MOASession found! A: "
- + authSession.isAuthenticated() + ", AU "
- + authSession.isAuthenticatedUsed());
- if (authSession.isAuthenticated()
- && !authSession.isAuthenticatedUsed()) {
- authSession.setAuthenticatedUsed(true);
- HTTPSessionUtils.setHTTPSessionString(session, MOA_SESSION,
- sessionID);
- return true; // got authenticated
+ if (authSession != null) {
+ Logger.info("MOASession found! A: "
+ + authSession.isAuthenticated() + ", AU "
+ + authSession.isAuthenticatedUsed());
+ if (authSession.isAuthenticated()
+ && !authSession.isAuthenticatedUsed()) {
+ authSession.setAuthenticatedUsed(true);
+
+ AuthenticationSessionStoreage.storeSession(authSession);
+
+ HTTPSessionUtils.setHTTPSessionString(session, MOA_SESSION,
+ sessionID);
+ return true; // got authenticated
+ }
}
+
+ } catch (MOADatabaseException e) {
+ return false;
+ } catch (BuildException e) {
+ return false;
}
}
return false;
}
public void logout(HttpServletRequest request,
- HttpServletResponse response) {
+ HttpServletResponse response, String moaSessionID) {
Logger.info("Logout");
HttpSession session = request.getSession();
- String moaSessionID = HTTPSessionUtils.getHTTPSessionString(session, MOA_SESSION, null);
+ //String moaSessionID = HTTPSessionUtils.getHTTPSessionString(session, MOA_SESSION, null);
if(moaSessionID == null) {
moaSessionID = (String) request.getParameter(PARAM_SESSIONID);
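Review bot: `logout` now takes `moaSessionID` from its caller and, when that is null, from the unauthenticated `PARAM_SESSIONID` request parameter, while the line that read it from the servlet session (`HTTPSessionUtils.getHTTPSessionString(session, MOA_SESSION, null)`) is commented out, so nothing in this hunk ties the id being destroyed to the session of the requester. Unless the caller validates this, a request carrying another user's MOASession id can terminate that user's session. Consider keeping the servlet-session value as the reference and rejecting a supplied id that differs from it, e.g. `String own = HTTPSessionUtils.getHTTPSessionString(session, MOA_SESSION, null);` followed by `if (own != null && !own.equals(moaSessionID)) { Logger.warn("Logout for foreign MOASession rejected"); return; }`. In the first half of the hunk the new `catch (BuildException e) { return false; }` drops the error silently; log it before returning so a failing `storeSession` is visible in operations. The body of `logout` continues past the end of this hunk.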
@@ -171,7 +181,7 @@ public class AuthenticationManager extends AuthServlet {
AuthenticationSessionStoreage.destroySession(moaSessionID);
- session.invalidate();
+ //session.invalidate();
} catch (MOADatabaseException e) {
Logger.info("NO MOA Authentication data for ID " + moaSessionID);
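Review bot: With `session.invalidate()` commented out, the servlet session still carries the `MOA_SESSION` attribute that the first hunk stores via `HTTPSessionUtils.setHTTPSessionString(session, MOA_SESSION, sessionID)`, so after `destroySession(moaSessionID)` it keeps pointing at a destroyed MOASession. If the servlet session is deliberately kept alive for SSO, remove the stale reference instead of the whole session: replace the commented line with `session.removeAttribute(MOA_SESSION);` and add a comment such as `// keep the servlet session (SSO); only drop the reference to the destroyed MOASession`. Delete the commented-out call rather than leaving dead code behind.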
@@ -185,14 +195,14 @@ public class AuthenticationManager extends AuthServlet {
throws ServletException, IOException, MOAIDException {
Logger.info("Starting authentication ...");
- if (!ParamValidatorUtils.isValidOA(target.getOAURL()))
- throw new WrongParametersException("StartAuthentication", PARAM_OA,
- "auth.12");
-
- if (target.getOAURL() == null) {
- throw new WrongParametersException("StartAuthentication", PARAM_OA,
- "auth.12");
- }
+// if (!ParamValidatorUtils.isValidOA(target.getOAURL()))
+// throw new WrongParametersException("StartAuthentication", PARAM_OA,
+// "auth.12");
+//
+// if (target.getOAURL() == null) {
+// throw new WrongParametersException("StartAuthentication", PARAM_OA,
+// "auth.12");
+// }
setNoCachingHeadersInHttpRespone(request, response);
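Review bot: Both checks on the requested online-application URL — `ParamValidatorUtils.isValidOA(target.getOAURL())` and the null check, each throwing `WrongParametersException(... "auth.12")` — are commented out, and the commit message gives no reason. The value is still used later in this file (`moasession.setOAURLRequested(target.getOAURL())` in a following hunk), so an unvalidated or null OA URL now reaches the MOASession. If the validation has moved into the module/IRequest layer, say so in a one-line comment and delete the dead block; otherwise restore at least `if (target.getOAURL() == null) throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12");`. The enclosing method starts before this hunk and continues after it.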
@@ -205,12 +215,19 @@ public class AuthenticationManager extends AuthServlet {
boolean legacyparamavail = ParamValidatorUtils.areAllLegacyParametersAvailable(request);
AuthenticationSession moasession;
+ try {
+ //check if an MOASession exists and if not create an new MOASession
+ //moasession = getORCreateMOASession(request);
+ moasession = AuthenticationSessionStoreage.createSession();
+
+ } catch (MOADatabaseException e1) {
+ Logger.error("Database Error! MOASession can not be created!");
+ throw new MOAIDException("init.04", new Object[] {});
+ }
+
if (legacyallowed && legacyparamavail) {
- //check if an MOASession exists and if not create an new MOASession
- moasession = getORCreateMOASession(request);
-
//parse request parameter into MOASession
StartAuthentificationParameterParser.parse(request, response, moasession);
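Review bot: The new `catch (MOADatabaseException e1)` logs only a fixed string and throws `new MOAIDException("init.04", new Object[] {})`, so the database error's stack trace is lost and — unlike the replaced helper, which passed `"0"` as the message argument — the `init.04` message may now render with an unfilled placeholder if it expects one (I cannot see the message bundle). Pass the cause to the logger, e.g. `Logger.error("Database Error! MOASession can not be created!", e1);` (assuming `Logger` has a `(String, Throwable)` overload as most wrappers do), and keep the original argument array unless the message was changed. The commented-out `//moasession = getORCreateMOASession(request);` line should be deleted rather than kept as dead code. The method continues outside this hunk.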
@@ -255,7 +272,7 @@ public class AuthenticationManager extends AuthServlet {
else {
//check if an MOASession exists and if not create an new MOASession
- moasession = getORCreateMOASession(request);
+ //moasession = getORCreateMOASession(request);
//set OnlineApplication configuration in Session
moasession.setOAURLRequested(target.getOAURL());
@@ -264,8 +281,10 @@ public class AuthenticationManager extends AuthServlet {
}
//Build authentication form
+
+
String loginForm = LoginFormBuilder.buildLoginForm(target.requestedModule(),
- target.requestedAction(), oaParam.getFriendlyName(), request.getContextPath());
+ target.requestedAction(), oaParam.getFriendlyName(), request.getContextPath(), oaParam.useIFrame());
//store MOASession
try {
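Review bot: `oaParam.useIFrame()` now decides whether the login form is built for rendering inside a frame, but nothing in this hunk constrains which origins may frame it. A login page that is legitimately framed cannot be protected by a blanket `X-Frame-Options: DENY`, so if the surrounding code does not already restrict framing to the online application's origin (an allow-from / `frame-ancestors` policy derived from the OA configuration), the framed form is exposed to clickjacking — I cannot see the response headers from here, so please confirm. A short comment at this call site stating where the framing policy is enforced would help the next reader.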
@@ -286,29 +305,43 @@ public class AuthenticationManager extends AuthServlet {
}
}
- private AuthenticationSession getORCreateMOASession(HttpServletRequest request) throws MOAIDException {
+ public void sendTransmitAssertionQuestion(HttpServletRequest request,
+ HttpServletResponse response, IRequest target, OAAuthParameter oaParam)
+ throws ServletException, IOException, MOAIDException {
- //String sessionID = request.getParameter(PARAM_SESSIONID);
- String sessionID = (String) request.getSession().getAttribute(MOA_SESSION);
- AuthenticationSession moasession;
-
- try {
- moasession = AuthenticationSessionStoreage.getSession(sessionID);
- Logger.info("Found existing MOASession with sessionID=" + sessionID
- + ". This session is used for reauthentification.");
-
- } catch (MOADatabaseException e) {
- try {
- moasession = AuthenticationSessionStoreage.createSession();
- Logger.info("Create a new MOASession with sessionID=" + moasession.getSessionID() + ".");
-
- } catch (MOADatabaseException e1) {
- Logger.error("Database Error! MOASession are not created.");
- throw new MOAIDException("init.04", new Object[] {
- "0"});
- }
- }
-
- return moasession;
- }
+ String form = SendAssertionFormBuilder.buildForm(target.requestedModule(),
+ target.requestedAction(), oaParam.getFriendlyName(), request.getContextPath(), oaParam.useIFrame());
+
+ response.setContentType("text/html;charset=UTF-8");
+ PrintWriter out = new PrintWriter(response.getOutputStream());
+ out.print(form);
+ out.flush();
+ }
+
+
+// private AuthenticationSession getORCreateMOASession(HttpServletRequest request) throws MOAIDException {
+//
+// //String sessionID = request.getParameter(PARAM_SESSIONID);
+// String sessionID = (String) request.getSession().getAttribute(MOA_SESSION);
+// AuthenticationSession moasession;
+//
+// try {
+// moasession = AuthenticationSessionStoreage.getSession(sessionID);
+// Logger.info("Found existing MOASession with sessionID=" + sessionID
+// + ". This session is used for reauthentification.");
+//
+// } catch (MOADatabaseException e) {
+// try {
+// moasession = AuthenticationSessionStoreage.createSession();
+// Logger.info("Create a new MOASession with sessionID=" + moasession.getSessionID() + ".");
+//
+// } catch (MOADatabaseException e1) {
+// Logger.error("Database Error! MOASession are not created.");
+// throw new MOAIDException("init.04", new Object[] {
+// "0"});
+// }
+// }
+//
+// return moasession;
+// }
}
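Review bot: In `sendTransmitAssertionQuestion` the response declares `text/html;charset=UTF-8` but the body is written through `new PrintWriter(response.getOutputStream())`, which encodes with the JVM's platform default charset, so non-ASCII characters in the form (e.g. a friendly name with umlauts) can be emitted in a different encoding than the one declared. Use the container's writer, which honours the declared charset: replace the two lines with `PrintWriter out = response.getWriter();`, keeping `setContentType` before it. `oaParam.getFriendlyName()` is interpolated into HTML by `SendAssertionFormBuilder`; I cannot see that builder, so please confirm it HTML-escapes the name. The 25-line commented-out `getORCreateMOASession` should be deleted now that it is superseded by the unconditional `createSession()` call.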
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java
index 6630693a6..aa8a8d9a9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java
@@ -5,9 +5,10 @@ import javax.servlet.http.HttpServletResponse;
import at.gv.egovernment.moa.id.MOAIDException;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
public interface IAction extends MOAIDAuthConstants {
- public void processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp)
+ public void processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession)
throws MOAIDException;
public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp);
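Review bot: The new `AuthenticationSession moasession` parameter on `processRequest` is undocumented, and as an interface method every module implements, its contract matters: whether it may be null (e.g. for actions whose `needAuthentication` returns false), whether the implementation may mutate or must persist it, and who owns its lifetime. Add Javadoc to `processRequest` with a `@param moasession` entry stating the authenticated MOASession for this request and the null/ownership rules, and a `@throws MOAIDException` line.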
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
index 84817ba7a..82273da83 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
@@ -61,10 +61,15 @@ public class SSOManager {
String moaSessionId =HTTPSessionUtils.getHTTPSessionString(httpReq.getSession(),
AuthenticationManager.MOA_SESSION, null);
+
return AuthenticationSessionStoreage.isValidSessionWithSSOID(ssoSessionID, moaSessionId);
}
+ public String getMOASession(String ssoSessionID) {
+ return AuthenticationSessionStoreage.getMOASessionID(ssoSessionID);
+ }
+
public String existsOldSSOSession(String ssoId) {
Logger.trace("Check that the SSOID has already been used");
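Review bot: The new `getMOASession(String ssoSessionID)` resolves a MOASession id from an SSO id without the binding that `isValidSessionWithSSOID` performs against the servlet session's `MOA_SESSION` value, so a caller that passes a cookie value straight in gets a session id for any SSO id it presents. That may be intended, but it should be stated: add Javadoc such as `/** Resolves the MOASession id bound to an SSO id. Performs no validation; callers must check the SSO id with isValidSessionWithSSOID/existsOldSSOSession first. May return null. */` — the null behaviour is inferred from the storage call and should be confirmed.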
@@ -136,23 +141,14 @@ public class SSOManager {
Cookie[] cookies = httpReq.getCookies();
if (cookies != null) {
- for (Cookie cookie : cookies) {
- if (cookie.getName().equals(SSOCOOKIE)) {
- cookie.setValue(ssoId);
- cookie.setMaxAge(sso_timeout);
- cookie.setSecure(true);
- httpResp.addCookie(cookie);
- return;
- }
- }
-
+ deleteSSOSessionID(httpReq, httpResp);
}
+
Cookie cookie = new Cookie(SSOCOOKIE, ssoId);
cookie.setMaxAge(sso_timeout);
cookie.setSecure(true);
- httpResp.addCookie(cookie);
- return;
-
+ cookie.setPath(httpReq.getContextPath());
+ httpResp.addCookie(cookie);
}
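Review bot: The rebuilt SSO cookie sets `Secure` and now a path of `httpReq.getContextPath()`, but not `HttpOnly`, so the SSO identifier remains readable by script on that path; if the servlet API in use is 3.0 or newer, add `cookie.setHttpOnly(true);` next to `cookie.setSecure(true);` (on an older API the attribute would have to be written via a raw `Set-Cookie` header). Deleting the old cookie first and then adding a fresh one is fine, but note `deleteSSOSessionID` is only called when `cookies != null`; that is harmless here since nothing needs deleting otherwise. Related to the TODO in the next hunk: `Cookie.getSecure()` on a request cookie is always false because browsers never send cookie attributes back, so that check cannot work — test `httpReq.isSecure()` instead.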
@@ -165,7 +161,7 @@ public class SSOManager {
//TODO: funktioniert nicht, da Cookie seltsamerweise immer unsecure übertragen wird (firefox)
//if (cookie.getName().equals(SSOCOOKIE) && cookie.getSecure()) {
-
+
if (cookie.getName().equals(SSOCOOKIE)) {
return cookie.getValue();
}