aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2014-04-18 09:56:19 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-04-18 09:56:19 +0200
commita184de09bda4327441c214aa84d77e57500b28ca (patch)
treee7e8129ac11388d3e24dc1d90ce37c5fa0ce35d5 /id/server/idserverlib/src/main/java/at/gv
parente71dc9f4f38fc762dad0ce5e0c0cbb8bd5884685 (diff)
downloadmoa-id-spss-a184de09bda4327441c214aa84d77e57500b28ca.tar.gz
moa-id-spss-a184de09bda4327441c214aa84d77e57500b28ca.tar.bz2
moa-id-spss-a184de09bda4327441c214aa84d77e57500b28ca.zip
Finish PVP21 interfederation assertion preprocessing
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java111
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java85
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java50
6 files changed, 186 insertions, 91 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java
index 31b88263b..b2bcd443f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java
@@ -68,6 +68,7 @@ public class OAParameter {
this.oAuth20Config = oa.getAuthComponentOA().getOAOAUTH20();
+ this.isInderfederationIDP = oa.isIsInterfederationIDP();
}
@@ -104,6 +105,8 @@ public class OAParameter {
private boolean removePBKFromAuthblock;
+ private Boolean isInderfederationIDP;
+
/**
* Contains the oAuth 2.0 configuration (client id, secret and redirect uri)
*/
@@ -141,4 +144,16 @@ public class OAParameter {
return oAuth20Config;
}
+ /**
+ * @return the isInderfederationIDP
+ */
+ public boolean isInderfederationIDP() {
+ if (isInderfederationIDP == null)
+ return false;
+
+ return isInderfederationIDP;
+ }
+
+
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 31e19ee46..2f4bbbcf4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -41,6 +41,7 @@ import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
@@ -262,9 +263,12 @@ public class DispatcherServlet extends AuthServlet{
Logger.debug(DispatcherServlet.class.getName()+": Create PendingRequest with ID " + protocolRequestID + ".");
} else if (protocolRequest != null &&
- protocolRequest.getInterfederationResponse() != null ) {
+ protocolRequest.getInterfederationResponse() != null ) {
+ Logger.debug("Create new interfederated MOA-Session and add to HTTPRequest");
+ String sessionID = AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true);
+ req.getParameterMap().put(PARAM_SESSIONID, sessionID);
Logger.info("PreProcessing of SSO interfederation response complete. ");
-
+
} else {
Logger.error("Failed to generate a valid protocol request!");
resp.setContentType("text/html;charset=UTF-8");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 3ab4dd74c..639b8672b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -187,20 +187,20 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
IRequest obj = RequestStorage.getPendingRequest(msg.getRelayState());
if (obj instanceof RequestImpl) {
- RequestImpl iReq = (RequestImpl) obj;
+ RequestImpl iReqSP = (RequestImpl) obj;
MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg);
if ( processedMsg != null ) {
- iReq.setInterfederationResponse((MOAResponse) msg);
+ iReqSP.setInterfederationResponse((MOAResponse) msg);
} else {
Logger.info("Receive NO valid SSO session from " + msg.getEntityID()
+". Switch to local authentication process ...");
- iReq.setRequestedIDP(null);
+ iReqSP.setRequestedIDP(null);
}
- return iReq;
+ return iReqSP;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
new file mode 100644
index 000000000..61b481447
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -0,0 +1,111 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
+
+import java.util.List;
+
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml2.core.AuthnStatement;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.Subject;
+
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public class AssertionAttributeExtractor {
+
+ private Assertion assertion = null;
+
+ public AssertionAttributeExtractor(Response samlResponse) throws AssertionAttributeExtractorExeption {
+ if (samlResponse != null) {
+ if (samlResponse.getAssertions().size() == 0)
+ throw new AssertionAttributeExtractorExeption("Assertion");
+
+ else if (samlResponse.getAssertions().size() > 1)
+ Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used.");
+
+ assertion = samlResponse.getAssertions().get(0);
+
+ } else
+ throw new AssertionAttributeExtractorExeption();
+ }
+
+ public String getNameID() throws AssertionAttributeExtractorExeption {
+ if (assertion.getSubject() != null) {
+ Subject subject = assertion.getSubject();
+
+ if (subject.getNameID() != null) {
+ if (MiscUtil.isNotEmpty(subject.getNameID().getValue()))
+ return subject.getNameID().getValue();
+
+ else
+ Logger.error("SAML2 NameID Element is empty.");
+ }
+ }
+
+ throw new AssertionAttributeExtractorExeption("nameID");
+ }
+
+ public String getSessionIndex() throws AssertionAttributeExtractorExeption {
+ AuthnStatement authn = getAuthnStatement();
+
+ if (MiscUtil.isNotEmpty(authn.getSessionIndex()))
+ return authn.getSessionIndex();
+
+ else
+ throw new AssertionAttributeExtractorExeption("SessionIndex");
+ }
+
+ /**
+ * @return
+ * @throws AssertionAttributeExtractorExeption
+ */
+ public String getQAALevel() throws AssertionAttributeExtractorExeption {
+ AuthnStatement authn = getAuthnStatement();
+ if (authn.getAuthnContext() != null && authn.getAuthnContext().getAuthnContextClassRef() != null) {
+ AuthnContextClassRef qaaClass = authn.getAuthnContext().getAuthnContextClassRef();
+
+ if (MiscUtil.isNotEmpty(qaaClass.getAuthnContextClassRef()))
+ return qaaClass.getAuthnContextClassRef();
+
+ else
+ throw new AssertionAttributeExtractorExeption("AuthnContextClassRef (QAALevel)");
+ }
+
+ throw new AssertionAttributeExtractorExeption("AuthnContextClassRef");
+ }
+
+ private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption {
+ List<AuthnStatement> authnList = assertion.getAuthnStatements();
+ if (authnList.size() == 0)
+ throw new AssertionAttributeExtractorExeption("AuthnStatement");
+
+ else if (authnList.size() > 1)
+ Logger.warn("Found more then ONE AuthnStatements in PVP2.1 assertions. Only the First is used.");
+
+ return authnList.get(0);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java
deleted file mode 100644
index 666bfab3c..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java
+++ /dev/null
@@ -1,85 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
-
-import java.util.Iterator;
-import java.util.List;
-
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
-import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
-
-public class AttributeExtractor {
-
- public static String extractSAMLAttributeOA(String name,
- AuthenticationSession authSession) {
- List<ExtendedSAMLAttribute> extAttributes = authSession.getExtendedSAMLAttributesOA();
- if(extAttributes == null) {
- return null;
- }
- Iterator<ExtendedSAMLAttribute> extAttributesIt = extAttributes.iterator();
- while(extAttributesIt.hasNext()) {
- Object attr = extAttributesIt.next();
- if(attr instanceof ExtendedSAMLAttribute) {
- ExtendedSAMLAttribute extAttribute = (ExtendedSAMLAttribute) attr;
- if(extAttribute.getName().equals(name)) {
- if(extAttribute.getValue() instanceof String) {
- return extAttribute.getValue().toString();
- }
- break;
- }
- }
- }
- return null;
- }
-
- public static String extractSAMLAttributeAUTH(String name,
- AuthenticationSession authSession) {
- List<ExtendedSAMLAttribute> extAttributes = authSession.getExtendedSAMLAttributesAUTH();
- if(extAttributes == null) {
- return null;
- }
- Iterator<ExtendedSAMLAttribute> extAttributesIt = extAttributes.iterator();
- while(extAttributesIt.hasNext()) {
- Object attr = extAttributesIt.next();
- if(attr instanceof ExtendedSAMLAttribute) {
- ExtendedSAMLAttribute extAttribute = (ExtendedSAMLAttribute) attr;
- if(extAttribute.getName().equals(name)) {
- if(extAttribute.getValue() instanceof String) {
- return extAttribute.getValue().toString();
- }
- break;
- }
- }
- }
- return null;
- }
-
- public static String extractSAMLAttributeBOTH(String name,
- AuthenticationSession authSession) {
- String value = extractSAMLAttributeOA(name, authSession);
- if(value == null) {
- value = extractSAMLAttributeAUTH(name, authSession);
- }
- return value;
- }
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index ca5cb9226..69167c75d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -22,6 +22,7 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.storage;
+import java.util.ArrayList;
import java.util.Date;
import java.util.List;
@@ -36,11 +37,15 @@ import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;
import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore;
+import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.data.EncryptedData;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
+import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.id.util.SessionEncrytionUtil;
import at.gv.egovernment.moa.logging.Logger;
@@ -105,6 +110,51 @@ public class AuthenticationSessionStoreage {
return session;
}
+ public static String createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption {
+ String id = Random.nextRandom();
+ AuthenticationSession session = new AuthenticationSession(id);
+
+ AuthenticatedSessionStore dbsession = new AuthenticatedSessionStore();
+ dbsession.setSessionid(id);
+ dbsession.setAuthenticated(isAuthenticated);
+
+ //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1
+ Date now = new Date();
+ dbsession.setCreated(now);
+ dbsession.setUpdated(now);
+
+ dbsession.setSession(SerializationUtils.serialize(session));
+
+ //add interfederation information
+ List<InterfederationSessionStore> idpList = dbsession.getInderfederation();
+ if (idpList == null)
+ idpList = new ArrayList<InterfederationSessionStore>();
+
+ InterfederationSessionStore idp = new InterfederationSessionStore();
+ idp.setCreated(now);
+ idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID());
+
+ AssertionAttributeExtractor extract = new AssertionAttributeExtractor(req.getInterfederationResponse().getResponse());
+ idp.setSessionIndex(extract.getSessionIndex());
+ idp.setUserNameID(extract.getNameID());
+ idp.setAttributesRequested(false);
+ idp.setQAALevel(extract.getQAALevel());
+ idpList.add(idp);
+
+ //store AssertionStore element to Database
+ try {
+ MOASessionDBUtils.saveOrUpdate(dbsession);
+ Logger.info("MOASession with sessionID=" + id + " is stored in Database");
+
+ } catch (MOADatabaseException e) {
+ Logger.warn("MOASession could not be created.");
+ throw new MOADatabaseException(e);
+ }
+
+ return id;
+ }
+
+
public static void storeSession(AuthenticationSession session) throws MOADatabaseException, BuildException {
try {