aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2013-12-11 15:43:02 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2013-12-11 15:43:02 +0100
commitc582412bc8d1ffcd9a2428b69fa7e4e8fb1f3c4f (patch)
tree36f68cf49fb8a5226cc0619fdb7bbf87a629e2eb /id/server/idserverlib/src/main/java/at/gv
parent9b3f7876fe480698d2da970b0b1ca6de0874ec48 (diff)
downloadmoa-id-spss-c582412bc8d1ffcd9a2428b69fa7e4e8fb1f3c4f.tar.gz
moa-id-spss-c582412bc8d1ffcd9a2428b69fa7e4e8fb1f3c4f.tar.bz2
moa-id-spss-c582412bc8d1ffcd9a2428b69fa7e4e8fb1f3c4f.zip
@PVP2
--also allow a EntityDescriptor element as root element in metadata files --some adjustments in the PVP Assertion to make it SAML2 standard compliant @MOA-ID-Auth --improve SZR-Gateway client error handling
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java51
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java18
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java16
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java21
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java6
8 files changed, 91 insertions, 52 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 96fdbef02..014a9ec03 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -1695,37 +1695,36 @@ public class AuthenticationServer implements MOAIDAuthConstants {
* @param signature XMLDSIG signature
* @return Identity link assertion
* @throws SZRGWClientException
+ * @throws ConfigurationException
*/
- public CreateIdentityLinkResponse getIdentityLink(String PEPSIdentifier, String PEPSFirstname, String PEPSFamilyname, String PEPSDateOfBirth, Element signature) throws SZRGWClientException {
+ public CreateIdentityLinkResponse getIdentityLink(String PEPSIdentifier, String PEPSFirstname, String PEPSFamilyname, String PEPSDateOfBirth, Element signature) throws SZRGWClientException, ConfigurationException {
SZRGWClient client = new SZRGWClient();
- try {
- AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
- ConnectionParameter connectionParameters = authConf.getForeignIDConnectionParameter();
-
- client.setAddress(connectionParameters.getUrl());
- if (connectionParameters.getUrl().toLowerCase().startsWith("https:")) {
- Logger.debug("Initialisiere SSL Verbindung");
- try {
- client.setSSLSocketFactory(SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters));
- } catch (IOException e) {
- Logger.error("Could not initialize SSL Factory", e);
- throw new SZRGWClientException("Could not initialize SSL Factory");
- } catch (GeneralSecurityException e) {
- Logger.error("Could not initialize SSL Factory", e);
- throw new SZRGWClientException("Could not initialize SSL Factory");
- } catch (PKIException e) {
- Logger.error("Could not initialize SSL Factory", e);
- throw new SZRGWClientException("Could not initialize SSL Factory");
- }
- }
+ AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
+ ConnectionParameter connectionParameters = authConf.getForeignIDConnectionParameter();
+
+ client.setAddress(connectionParameters.getUrl());
+ if (connectionParameters.getUrl().toLowerCase().startsWith("https:")) {
+ Logger.debug("Initialisiere SSL Verbindung");
+ try {
+ client.setSSLSocketFactory(SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters));
+
+ } catch (IOException e) {
+ Logger.error("Could not initialize SSL Factory", e);
+ throw new SZRGWClientException("Could not initialize SSL Factory");
+
+ } catch (GeneralSecurityException e) {
+ Logger.error("Could not initialize SSL Factory", e);
+ throw new SZRGWClientException("Could not initialize SSL Factory");
+
+ } catch (PKIException e) {
+ Logger.error("Could not initialize SSL Factory", e);
+ throw new SZRGWClientException("Could not initialize SSL Factory");
+ }
+ }
+
Logger.info("Starte Kommunikation mit dem Stammzahlenregister Gateway(" + connectionParameters.getUrl() + ")...");
- }
- catch (ConfigurationException e) {
- Logger.warn(e);
- Logger.warn(MOAIDMessageProvider.getInstance().getMessage("config.12", null ));
- }
// create request
CreateIdentityLinkResponse response = null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
index 98ef78d53..eaa6ac1ae 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
@@ -32,16 +32,16 @@ public class GenerateIFrameTemplateServlet extends AuthServlet {
private static final long serialVersionUID = 1L;
public void init(ServletConfig servletConfig) throws ServletException {
- try {
+// try {
super.init(servletConfig);
- MOAIDAuthInitializer.initialize();
- Logger.debug("default platform file.encoding: " + System.getProperty("file.encoding"));
- Logger.info(MOAIDMessageProvider.getInstance().getMessage("init.00", null));
- }
- catch (Exception ex) {
- Logger.fatal(MOAIDMessageProvider.getInstance().getMessage("init.02", null), ex);
- throw new ServletException(ex);
- }
+// MOAIDAuthInitializer.initialize();
+// Logger.debug("default platform file.encoding: " + System.getProperty("file.encoding"));
+// Logger.info(MOAIDMessageProvider.getInstance().getMessage("init.00", null));
+// }
+// catch (Exception ex) {
+// Logger.fatal(MOAIDMessageProvider.getInstance().getMessage("init.02", null), ex);
+// throw new ServletException(ex);
+// }
}
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
index 9c72cfff2..ff8265ac3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
@@ -101,15 +101,15 @@ public class LogOutServlet extends AuthServlet {
* @see javax.servlet.Servlet#init(ServletConfig)
*/
public void init(ServletConfig servletConfig) throws ServletException {
- try {
+// try {
super.init(servletConfig);
- MOAIDAuthInitializer.initialize();
- Logger.info(MOAIDMessageProvider.getInstance().getMessage("init.00", null));
- }
- catch (Exception ex) {
- Logger.fatal(MOAIDMessageProvider.getInstance().getMessage("init.02", null), ex);
- throw new ServletException(ex);
- }
+// MOAIDAuthInitializer.initialize();
+// Logger.info(MOAIDMessageProvider.getInstance().getMessage("init.00", null));
+// }
+// catch (Exception ex) {
+// Logger.fatal(MOAIDMessageProvider.getInstance().getMessage("init.02", null), ex);
+// throw new ServletException(ex);
+// }
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
index a87e9a8c0..c0626e84a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
@@ -35,6 +35,7 @@ import at.gv.egovernment.moa.id.auth.exception.ParseException;
import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentityLinkResponse;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DateTimeUtils;
@@ -348,9 +349,14 @@ public class STORKResponseProcessor {
} catch (SZRGWClientException e) {
Logger.error("Error connecting SZR-Gateway: ", e);
throw new STORKException("Error connecting SZR-Gateway: ", e);
+
} catch (ParseException e) {
Logger.error("Error parsing IdentityLink received from SZR-Gateway: ", e);
throw new STORKException("Error parsing IdentityLink received from SZR-Gateway: ", e);
+
+ } catch (ConfigurationException e) {
+ Logger.error("Error connecting SZR-Gateway: ", e);
+ throw new STORKException("Error connecting SZR-Gateway: ", e);
}
return identityLink;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index 9c2797c36..3654ae424 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -417,15 +417,17 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
public synchronized void reloadDataBaseConfig() throws ConfigurationException {
- Logger.info("Read MOA-ID 2.0 configuration from database.");
+ Logger.info("Read MOA-ID 2.x configuration from database.");
moaidconfig = ConfigurationDBRead.getMOAIDConfiguration();
- Logger.info("MOA-ID 2.0 is loaded.");
if (moaidconfig == null) {
Logger.warn("NO MOA-ID configuration found.");
throw new ConfigurationException("config.18", null);
}
-
+
+ Logger.debug("MOA-ID 2.x configuration is loaded from database.");
+ Logger.info("MOA-ID 2.x starts initialization process ...");
+
//build STORK Config
AuthComponentGeneral auth = getAuthComponentGeneral();
@@ -778,6 +780,9 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
* @throws ConfigurationException
*/
public ConnectionParameter getForeignIDConnectionParameter() throws ConfigurationException {
+ if (ForeignIDConnectionParameter == null)
+ throw new ConfigurationException("config.20", null);
+
return ForeignIDConnectionParameter;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 5e8206739..f21567245 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -21,6 +21,7 @@ import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.AttributeConsumingService;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.NameIDFormat;
@@ -42,6 +43,7 @@ import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoAuthContextException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
@@ -293,7 +295,16 @@ public class PVP2AssertionBuilder implements PVPConstants {
.createSAMLObject(SubjectConfirmationData.class);
subjectConfirmationData.setInResponseTo(authnRequest.getID());
subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(20));
- subjectConfirmationData.setRecipient(peerEntity.getEntityID());
+
+ //TL: change from entityID to destination URL
+ AssertionConsumerService consumerService = spSSODescriptor
+ .getAssertionConsumerServices().get(idx);
+
+ if (consumerService == null) {
+ throw new InvalidAssertionConsumerServiceException(idx);
+ }
+
+ subjectConfirmationData.setRecipient(consumerService.getLocation());
subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
@@ -303,7 +314,7 @@ public class PVP2AssertionBuilder implements PVPConstants {
AudienceRestriction audienceRestriction = SAML2Utils
.createSAMLObject(AudienceRestriction.class);
Audience audience = SAML2Utils.createSAMLObject(Audience.class);
-
+
audience.setAudienceURI(peerEntity.getEntityID());
audienceRestriction.getAudiences().add(audience);
conditions.setNotBefore(new DateTime());
@@ -316,8 +327,12 @@ public class PVP2AssertionBuilder implements PVPConstants {
assertion.setConditions(conditions);
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
+
+ //TODO: check!
+ //change to entity value from entity name to IDP EntityID (URL)
+ issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
issuer.setFormat(NameID.ENTITY);
+
assertion.setIssuer(issuer);
assertion.setSubject(subject);
assertion.setID(SAML2Utils.getSecureIdentifier());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index 1d494c512..fec21df9e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -1,8 +1,11 @@
package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler;
+import java.util.Date;
+
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.joda.time.DateTime;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.AuthnRequest;
@@ -51,10 +54,19 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
- nissuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
+
+ //TODO: check!
+ //change to entity value from entity name to IDP EntityID (URL)
+ nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ //nissuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
nissuer.setFormat(NameID.ENTITY);
+
authResponse.setIssuer(nissuer);
authResponse.setInResponseTo(authnRequest.getID());
+
+ //SAML2 response required IssueInstant
+ authResponse.setIssueInstant(new DateTime());
+
authResponse.getAssertions().add(assertion);
authResponse.setStatus(SAML2Utils.getSuccessStatus());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
index e9d41b7ee..e85d87aa3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
@@ -91,10 +91,12 @@ public class MetadataSignatureFilter implements MetadataFilter {
throw new MOAIDException("Root element of metadata file has to be signed", null);
}
processEntitiesDescriptor(entitiesDescriptor);
- } /*else if (metadata instanceof EntityDescriptor) {
+
+ } else if (metadata instanceof EntityDescriptor) {
EntityDescriptor entityDescriptor = (EntityDescriptor) metadata;
processEntityDescriptorr(entityDescriptor);
- } */else {
+
+ } else {
throw new MOAIDException("Invalid Metadata file Root element is no EntitiesDescriptor", null);
}