diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-01-21 18:00:41 +0100 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-01-21 18:00:41 +0100 |
commit | dd4a77caa66368ca257fcf5a1f87d0dab90477f5 (patch) | |
tree | e80c411a9eab2b993fc60f1026145a5b1388dff1 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java | |
parent | 51c45b375485399d36e33f1ab4cf76e9273222e3 (diff) | |
download | moa-id-spss-dd4a77caa66368ca257fcf5a1f87d0dab90477f5.tar.gz moa-id-spss-dd4a77caa66368ca257fcf5a1f87d0dab90477f5.tar.bz2 moa-id-spss-dd4a77caa66368ca257fcf5a1f87d0dab90477f5.zip |
BUGFIX: RedirectBinding validate signatures which exists, but signature is not required
changes for WKO:
Allow Metadata with no AttributeConsumerService
Allow AuthnRequest with no RequestedAuthnContext
Allow AuthnRequest with no AssertionConsumerServiceIndex
Use Metadata->AssertionConsumerService->isDefaut flag
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java | 122 |
1 files changed, 64 insertions, 58 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index eaa570ab1..d1d79373c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -64,46 +64,48 @@ public class PVP2AssertionBuilder implements PVPConstants { RequestedAuthnContext reqAuthnContext = authnRequest .getRequestedAuthnContext(); - if (reqAuthnContext == null) { - throw new NoAuthContextException(); - } - - boolean stork_qaa_1_4_found = false; - AuthnContextClassRef authnContextClassRef = SAML2Utils .createSAMLObject(AuthnContextClassRef.class); - - List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext - .getAuthnContextClassRefs(); - if (reqAuthnContextClassRefIt.size() == 0) { - stork_qaa_1_4_found = true; + if (reqAuthnContext == null) { authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); - - } else { - for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) { - String qaa_uri = authnClassRef.getAuthnContextClassRef(); - if (qaa_uri.trim().equals(STORK_QAA_1_4) - || qaa_uri.trim().equals(STORK_QAA_1_3) - || qaa_uri.trim().equals(STORK_QAA_1_2) - || qaa_uri.trim().equals(STORK_QAA_1_1)) { - - if (authSession.isForeigner()) { - //TODO: insert QAA check - - stork_qaa_1_4_found = false; - - } else { - stork_qaa_1_4_found = true; - authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); + + } else { + + boolean stork_qaa_1_4_found = false; + + List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext + .getAuthnContextClassRefs(); + + if (reqAuthnContextClassRefIt.size() == 0) { + stork_qaa_1_4_found = true; + authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); + + } else { + for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) { + String qaa_uri = authnClassRef.getAuthnContextClassRef(); + if (qaa_uri.trim().equals(STORK_QAA_1_4) + || qaa_uri.trim().equals(STORK_QAA_1_3) + || qaa_uri.trim().equals(STORK_QAA_1_2) + || qaa_uri.trim().equals(STORK_QAA_1_1)) { + + if (authSession.isForeigner()) { + //TODO: insert QAA check + + stork_qaa_1_4_found = false; + + } else { + stork_qaa_1_4_found = true; + authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); + } + break; } - break; } } - } - - if (!stork_qaa_1_4_found) { - throw new QAANotSupportedException(STORK_QAA_1_4); + + if (!stork_qaa_1_4_found) { + throw new QAANotSupportedException(STORK_QAA_1_4); + } } // reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs() @@ -150,10 +152,8 @@ public class PVP2AssertionBuilder implements PVPConstants { if (aIdx != null) { idx = aIdx.intValue(); - } - - AttributeConsumingService attributeConsumingService = spSSODescriptor - .getAttributeConsumingServices().get(idx); + + } AttributeStatement attributeStatement = SAML2Utils .createSAMLObject(AttributeStatement.class); @@ -197,32 +197,38 @@ public class PVP2AssertionBuilder implements PVPConstants { .buildAuthenticationData(authSession, oaParam, oaParam.getTarget()); - Iterator<RequestedAttribute> it = attributeConsumingService - .getRequestAttributes().iterator(); - while (it.hasNext()) { - RequestedAttribute reqAttribut = it.next(); - try { - Attribute attr = PVPAttributeBuilder.buildAttribute( - reqAttribut.getName(), authSession, oaParam, authData); - if (attr == null) { + if (spSSODescriptor.getAttributeConsumingServices() != null && + spSSODescriptor.getAttributeConsumingServices().size() > 0) { + + AttributeConsumingService attributeConsumingService = spSSODescriptor + .getAttributeConsumingServices().get(idx); + + Iterator<RequestedAttribute> it = attributeConsumingService + .getRequestAttributes().iterator(); + while (it.hasNext()) { + RequestedAttribute reqAttribut = it.next(); + try { + Attribute attr = PVPAttributeBuilder.buildAttribute( + reqAttribut.getName(), authSession, oaParam, authData); + if (attr == null) { + if (reqAttribut.isRequired()) { + throw new UnprovideableAttributeException( + reqAttribut.getName()); + } + } else { + attributeStatement.getAttributes().add(attr); + } + } catch (PVP2Exception e) { + Logger.error( + "Attribute generation failed! for " + + reqAttribut.getFriendlyName(), e); if (reqAttribut.isRequired()) { throw new UnprovideableAttributeException( reqAttribut.getName()); } - } else { - attributeStatement.getAttributes().add(attr); - } - } catch (PVP2Exception e) { - Logger.error( - "Attribute generation failed! for " - + reqAttribut.getFriendlyName(), e); - if (reqAttribut.isRequired()) { - throw new UnprovideableAttributeException( - reqAttribut.getName()); } } } - if (attributeStatement.getAttributes().size() > 0) { assertion.getAttributeStatements().add(attributeStatement); } @@ -294,7 +300,7 @@ public class PVP2AssertionBuilder implements PVPConstants { SubjectConfirmationData subjectConfirmationData = SAML2Utils .createSAMLObject(SubjectConfirmationData.class); subjectConfirmationData.setInResponseTo(authnRequest.getID()); - subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(20)); + subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(5)); //TL: change from entityID to destination URL AssertionConsumerService consumerService = spSSODescriptor @@ -319,7 +325,7 @@ public class PVP2AssertionBuilder implements PVPConstants { audienceRestriction.getAudiences().add(audience); conditions.setNotBefore(new DateTime()); - conditions.setNotOnOrAfter(new DateTime().plusMinutes(20)); + conditions.setNotOnOrAfter(new DateTime().plusMinutes(5)); // conditions.setNotOnOrAfter(new DateTime()); conditions.getAudienceRestrictions().add(audienceRestriction); |