aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2015-08-26 14:03:58 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2015-08-26 14:03:58 +0200
commit52a855d948a6c3090b5d696774896deac95b621f (patch)
tree34975c9f9c151a82efd8b5e23330eb9bbcf4c284 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x
parentbb21974ea69b1705ef574569980a82640ca1de69 (diff)
downloadmoa-id-spss-52a855d948a6c3090b5d696774896deac95b621f.tar.gz
moa-id-spss-52a855d948a6c3090b5d696774896deac95b621f.tar.bz2
moa-id-spss-52a855d948a6c3090b5d696774896deac95b621f.zip
Allow multiple alias domains
- Every alias domain is a own EntityID which is the configured PublicURLPrefix
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java26
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java34
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java12
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java29
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java47
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java17
13 files changed, 129 insertions, 68 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index 9f8b6610f..9327cabd7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -102,10 +102,10 @@ public class AttributQueryAction implements IAction {
List<String> attrList = addDefaultAttributes(attrQuery, authData);
//build PVP 2.1 assertion
- Assertion assertion = PVP2AssertionBuilder.buildAssertion(attrQuery, attrList, authData, date, authData.getSessionIndex());
+ Assertion assertion = PVP2AssertionBuilder.buildAssertion(req.getAuthURL(), attrQuery, attrList, authData, date, authData.getSessionIndex());
//build PVP 2.1 response
- Response authResponse = AuthResponseBuilder.buildResponse(attrQuery, date, assertion);
+ Response authResponse = AuthResponseBuilder.buildResponse(req.getAuthURL(), attrQuery, date, assertion);
try {
SoapBinding decoder = new SoapBinding();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
index 1b187d82e..50f91df44 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
@@ -110,7 +110,7 @@ public class MetadataAction implements IAction {
// .setEntityID(PVPConfiguration.getInstance().getIDPSSOMetadataService());
idpEntityDescriptor
- .setEntityID(PVPConfiguration.getInstance().getIDPPublicPath());
+ .setEntityID(req.getAuthURLWithOutSlash());
idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_HOURS));
@@ -139,10 +139,10 @@ public class MetadataAction implements IAction {
idpEntitiesDescriptor.setSignature(signature);
//set IDP metadata
- idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(keyInfoGenerator));
+ idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(req, keyInfoGenerator));
//set SP metadata for interfederation
- idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(keyInfoGenerator));
+ idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(req, keyInfoGenerator));
DocumentBuilder builder;
DocumentBuilderFactory factory = DocumentBuilderFactory
@@ -190,7 +190,7 @@ public class MetadataAction implements IAction {
return (PVP2XProtocol.METADATA);
}
- private RoleDescriptor generateSPMetadata(KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException {
+ private RoleDescriptor generateSPMetadata(IRequest req, KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException {
Logger.debug("Set SP Metadata key information");
@@ -248,7 +248,7 @@ public class MetadataAction implements IAction {
postassertionConsumerService.setIndex(0);
postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
postassertionConsumerService.setLocation(PVPConfiguration
- .getInstance().getSPSSOPostService());
+ .getInstance().getSPSSOPostService(req.getAuthURL()));
postassertionConsumerService.setIsDefault(true);
spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService);
@@ -257,7 +257,7 @@ public class MetadataAction implements IAction {
redirectassertionConsumerService.setIndex(1);
redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
redirectassertionConsumerService.setLocation(PVPConfiguration
- .getInstance().getSPSSORedirectService());
+ .getInstance().getSPSSORedirectService(req.getAuthURL()));
spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService);
@@ -273,7 +273,7 @@ public class MetadataAction implements IAction {
SingleLogoutService redirectSLOService =
SAML2Utils.createSAMLObject(SingleLogoutService.class);
redirectSLOService.setLocation(PVPConfiguration
- .getInstance().getSPSSORedirectService());
+ .getInstance().getSPSSORedirectService(req.getAuthURL()));
redirectSLOService
.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
spSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
@@ -293,7 +293,7 @@ public class MetadataAction implements IAction {
return spSSODescriptor;
}
- private IDPSSODescriptor generateIDPMetadata(KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException {
+ private IDPSSODescriptor generateIDPMetadata(IRequest req, KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException {
// //set SignatureMethode
@@ -325,12 +325,12 @@ public class MetadataAction implements IAction {
idpSSODescriptor.setWantAuthnRequestsSigned(true);
- if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) {
+ if (PVPConfiguration.getInstance().getIDPSSOPostService(req.getAuthURL()) != null) {
//add SSO descriptor
SingleSignOnService postSingleSignOnService = SAML2Utils
.createSAMLObject(SingleSignOnService.class);
postSingleSignOnService.setLocation(PVPConfiguration
- .getInstance().getIDPSSOPostService());
+ .getInstance().getIDPSSOPostService(req.getAuthURL()));
postSingleSignOnService
.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
idpSSODescriptor.getSingleSignOnServices().add(
@@ -347,12 +347,12 @@ public class MetadataAction implements IAction {
}
- if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) {
+ if (PVPConfiguration.getInstance().getIDPSSORedirectService(req.getAuthURL()) != null) {
//add SSO descriptor
SingleSignOnService redirectSingleSignOnService = SAML2Utils
.createSAMLObject(SingleSignOnService.class);
redirectSingleSignOnService.setLocation(PVPConfiguration
- .getInstance().getIDPSSORedirectService());
+ .getInstance().getIDPSSORedirectService(req.getAuthURL()));
redirectSingleSignOnService
.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
idpSSODescriptor.getSingleSignOnServices().add(
@@ -362,7 +362,7 @@ public class MetadataAction implements IAction {
SingleLogoutService redirectSLOService =
SAML2Utils.createSAMLObject(SingleLogoutService.class);
redirectSLOService.setLocation(PVPConfiguration
- .getInstance().getIDPSSORedirectService());
+ .getInstance().getIDPSSORedirectService(req.getAuthURL()));
redirectSLOService
.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index a8349f0ef..544fd9925 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -85,6 +85,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;
@@ -97,6 +98,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.id.util.ErrorResponseUtils;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import at.gv.egovernment.moa.id.util.VelocityLogAdapter;
import at.gv.egovernment.moa.logging.Logger;
@@ -209,7 +211,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
if(METADATA.equals(action)) {
- return new PVPTargetConfiguration();
+ return new PVPTargetConfiguration(request);
}
@@ -386,7 +388,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
samlResponse.setIssueInstant(new DateTime());
Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
- nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ nissuer.setValue(pvpRequest.getAuthURLWithOutSlash());
nissuer.setFormat(NameID.ENTITY);
samlResponse.setIssuer(nissuer);
@@ -459,7 +461,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
HttpServletResponse response, InboundMessage inMsg,
String sessionId, String transactionId) throws MOAIDException {
- PVPTargetConfiguration config = new PVPTargetConfiguration();
+ PVPTargetConfiguration config = new PVPTargetConfiguration(request);
MOARequest msg;
if (inMsg instanceof MOARequest &&
@@ -495,13 +497,24 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
Logger.debug("PreProcess SLO Response from " + resp.getIssuer());
- if (!resp.getDestination().startsWith(
- PVPConfiguration.getInstance().getIDPPublicPath())) {
+ List<String> allowedPublicURLPrefix =
+ AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ boolean isAllowedDestination = false;
+
+ for (String prefix : allowedPublicURLPrefix) {
+ if (!resp.getDestination().startsWith(
+ prefix)) {
+ isAllowedDestination = true;
+ break;
+ }
+ }
+
+ if (!isAllowedDestination) {
Logger.warn("PVP 2.1 single logout response destination does not match to IDP URL");
throw new AssertionValidationExeption("PVP 2.1 single logout response destination does not match to IDP URL", null);
}
-
+
//TODO: check if relayState exists
inMsg.getRelayState();
@@ -532,7 +545,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
//validate destination
String destinaten = attrQuery.getDestination();
- if (!PVPConfiguration.getInstance().getIDPAttributeQueryService().equals(destinaten)) {
+ if (!PVPConfiguration.getInstance().getIDPAttributeQueryService(HTTPUtils.extractAuthURLFromRequest(request)).equals(destinaten)) {
Logger.warn("AttributeQuery destination does not match IDP AttributeQueryService URL");
throw new AttributQueryException("AttributeQuery destination does not match IDP AttributeQueryService URL", null);
@@ -557,7 +570,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
}
- PVPTargetConfiguration config = new PVPTargetConfiguration();
+ PVPTargetConfiguration config = new PVPTargetConfiguration(request);
config.setRequest(moaRequest);
config.setOAURL(moaRequest.getEntityID());
config.setOnlineApplicationConfiguration(oa);
@@ -585,7 +598,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
if(!(samlReq instanceof AuthnRequest)) {
throw new MOAIDException("Unsupported request", new Object[] {});
}
-
+
EntityDescriptor metadata = moaRequest.getEntityMetadata();
if(metadata == null) {
throw new NoMetadataInformationException();
@@ -606,6 +619,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
}
+
//parse AssertionConsumerService
AssertionConsumerService consumerService = null;
if (MiscUtil.isNotEmpty(authnRequest.getAssertionConsumerServiceURL()) &&
@@ -668,7 +682,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
Logger.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + consumerService.getBinding());
- PVPTargetConfiguration config = new PVPTargetConfiguration();
+ PVPTargetConfiguration config = new PVPTargetConfiguration(request);
config.setOAURL(oaURL);
config.setOnlineApplicationConfiguration(oa);
config.setBinding(consumerService.getBinding());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
index 74b20356e..0b402a0fd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
@@ -26,6 +26,8 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.impl.AuthnRequestImpl;
@@ -46,6 +48,16 @@ import at.gv.egovernment.moa.logging.Logger;
public class PVPTargetConfiguration extends RequestImpl {
+ /**
+ * @param req
+ * @throws ConfigurationException
+ */
+ public PVPTargetConfiguration(HttpServletRequest req)
+ throws ConfigurationException {
+ super(req);
+
+ }
+
private static final long serialVersionUID = 4889919265919638188L;
InboundMessage request;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 5402e3dce..1e0a9cf32 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -60,6 +60,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.id.util.VelocityProvider;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -151,11 +152,11 @@ public class PostBinding implements IDecoder, IEncoder {
//set metadata descriptor type
if (isSPEndPoint) {
messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService()));
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService(HTTPUtils.extractAuthURLFromRequest(req))));
} else {
messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService()));
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService(HTTPUtils.extractAuthURLFromRequest(req))));
}
} catch (ConfigurationException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 81863f48f..0a459a9be 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -60,6 +60,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -141,11 +142,11 @@ public class RedirectBinding implements IDecoder, IEncoder {
//set metadata descriptor type
if (isSPEndPoint) {
messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService()));
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService(HTTPUtils.extractAuthURLFromRequest(req))));
} else {
messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService()));
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService(HTTPUtils.extractAuthURLFromRequest(req))));
}
} catch (ConfigurationException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
index 91888df5c..ebbafd4e3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
@@ -127,7 +127,7 @@ public class AttributQueryBuilder {
query.setIssueInstant(now);
Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
- nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath().get(0));
nissuer.setFormat(NameID.ENTITY);
query.setIssuer(nissuer);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java
index 4959df16c..24c2626e3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java
@@ -66,13 +66,15 @@ import at.gv.egovernment.moa.logging.Logger;
*/
public class AuthResponseBuilder {
- public static Response buildResponse(RequestAbstractType req, DateTime date, Assertion assertion) throws InvalidAssertionEncryptionException, ConfigurationException {
+ public static Response buildResponse(String authURL, RequestAbstractType req, DateTime date, Assertion assertion) throws InvalidAssertionEncryptionException, ConfigurationException {
Response authResponse = SAML2Utils.createSAMLObject(Response.class);
Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
//change to entity value from entity name to IDP EntityID (URL)
- nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ if (authURL.endsWith("/"))
+ authURL = authURL.substring(0, authURL.length()-1);
+ nissuer.setValue(authURL);
nissuer.setFormat(NameID.ENTITY);
authResponse.setIssuer(nissuer);
authResponse.setInResponseTo(req.getID());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index 50f42d928..df68a1029 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -215,8 +215,8 @@ public class SingleLogOutBuilder {
}
DateTime now = new DateTime();
- Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
+ issuer.setValue(sloInfo.getAuthURL());
issuer.setFormat(NameID.ENTITY);
sloReq.setIssuer(issuer);
sloReq.setIssueInstant(now);
@@ -277,7 +277,7 @@ public class SingleLogOutBuilder {
private static LogoutResponse buildBasicResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException {
LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class);
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ issuer.setValue(spRequest.getAuthURLWithOutSlash());
issuer.setFormat(NameID.ENTITY);
sloResp.setIssuer(issuer);
sloResp.setIssueInstant(new DateTime());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 61bc51565..065118e2b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -90,7 +90,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
public class PVP2AssertionBuilder implements PVPConstants {
- public static Assertion buildAssertion(AttributeQuery attrQuery,
+ public static Assertion buildAssertion(String authURL, AttributeQuery attrQuery,
List<String> reqAttributes, IAuthData authData, DateTime date, String sessionIndex) throws ConfigurationException {
@@ -136,12 +136,12 @@ public class PVP2AssertionBuilder implements PVPConstants {
SubjectConfirmationData subjectConfirmationData = null;
- return buildGenericAssertion(attrQuery.getIssuer().getValue(), date,
+ return buildGenericAssertion(authURL, attrQuery.getIssuer().getValue(), date,
authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex,
new DateTime(authData.getSsoSessionValidTo().getTime()));
}
- public static Assertion buildAssertion(AuthnRequest authnRequest,
+ public static Assertion buildAssertion(String authURL, AuthnRequest authnRequest,
IAuthData authData, EntityDescriptor peerEntity, DateTime date,
AssertionConsumerService assertionConsumerService, SLOInformationImpl sloInformation)
throws MOAIDException {
@@ -416,10 +416,25 @@ public class PVP2AssertionBuilder implements PVPConstants {
sloInformation.setNameIDFormat(subjectNameID.getFormat());
sloInformation.setSessionIndex(sessionIndex);
- return buildGenericAssertion(peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter());
+ return buildGenericAssertion(authURL, peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter());
}
- private static Assertion buildGenericAssertion(String entityID, DateTime date,
+ /**
+ *
+ * @param authURL IDP PublicURL PreFix
+ * @param entityID Service Provider EntityID
+ * @param date
+ * @param authnContextClassRef
+ * @param attrList
+ * @param subjectNameID
+ * @param subjectConfirmationData
+ * @param sessionIndex
+ * @param isValidTo
+ * @return
+ * @throws ConfigurationException
+ */
+
+ private static Assertion buildGenericAssertion(String authURL, String entityID, DateTime date,
AuthnContextClassRef authnContextClassRef, List<Attribute> attrList,
NameID subjectNameID, SubjectConfirmationData subjectConfirmationData,
String sessionIndex, DateTime isValidTo) throws ConfigurationException {
@@ -471,7 +486,9 @@ public class PVP2AssertionBuilder implements PVPConstants {
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ if (authURL.endsWith("/"))
+ authURL = authURL.substring(0, authURL.length()-1);
+ issuer.setValue(authURL);
issuer.setFormat(NameID.ENTITY);
assertion.setIssuer(issuer);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
index dc3b787e4..47d7a29b3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
@@ -121,43 +121,46 @@ public class PVPConfiguration {
}
}
- public String getIDPPublicPath() throws ConfigurationException {
- String publicPath = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
- if(publicPath != null) {
- if(publicPath.endsWith("/")) {
- int length = publicPath.length();
- publicPath = publicPath.substring(0, length-1);
- }
+ public List<String> getIDPPublicPath() throws ConfigurationException {
+ List<String> publicPath = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ List<String> returnvalue = new ArrayList<String>();
+ for (String el : publicPath) {
+ if(el.endsWith("/")) {
+ int length = el.length();
+ returnvalue.add(el.substring(0, length-1));
+
+ } else
+ returnvalue.add(el);
}
- return publicPath;
+ return returnvalue;
}
- public String getSPSSOPostService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_SP_POST;
+ public String getSPSSOPostService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_SP_POST;
}
- public String getSPSSORedirectService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_SP_REDIRECT;
+ public String getSPSSORedirectService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_SP_REDIRECT;
}
- public String getIDPSSOPostService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_IDP_POST;
+ public String getIDPSSOPostService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_IDP_POST;
}
- public String getIDPSSORedirectService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_IDP_REDIRECT;
+ public String getIDPSSORedirectService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_IDP_REDIRECT;
}
- public String getIDPSSOSOAPService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_IDP_SOAP;
+ public String getIDPSSOSOAPService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_IDP_SOAP;
}
- public String getIDPAttributeQueryService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_IDP_ATTRIBUTEQUERY;
+ public String getIDPAttributeQueryService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_IDP_ATTRIBUTEQUERY;
}
- public String getIDPSSOMetadataService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_METADATA;
+ public String getIDPSSOMetadataService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_METADATA;
}
public String getIDPKeyStoreFilename() {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index a31258784..059e68865 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -82,10 +82,10 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
SLOInformationImpl sloInformation = new SLOInformationImpl();
//build Assertion
- Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authData,
+ Assertion assertion = PVP2AssertionBuilder.buildAssertion(obj.getAuthURL(), authnRequest, authData,
peerEntity, date, consumerService, sloInformation);
- Response authResponse = AuthResponseBuilder.buildResponse(authnRequest, date, assertion);
+ Response authResponse = AuthResponseBuilder.buildResponse(obj.getAuthURL(), authnRequest, date, assertion);
IEncoder binding = null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 70b778c49..2e5f78611 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -61,6 +61,7 @@ import org.xml.sax.SAXException;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException;
@@ -175,10 +176,20 @@ public class SAMLVerificationEngine {
if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
- if (validateDestination && !samlResp.getDestination().startsWith(
- PVPConfiguration.getInstance().getIDPPublicPath())) {
+ List<String> allowedPublicURLPrefix =
+ AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ boolean isValidDestination = false;
+ for (String allowedPreFix : allowedPublicURLPrefix) {
+ if (validateDestination && samlResp.getDestination().startsWith(
+ allowedPreFix)) {
+ isValidDestination = true;
+ break;
+
+ }
+ }
+ if (!isValidDestination) {
Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
- throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);
+ throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-30 06:50:14 +0000