authorThomas Lenz <tlenz@iaik.tugraz.at>2016-02-22 11:34:32 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-02-22 11:34:32 +0100
commitb1235f66ee1e890f9868724f9faedd222541178b (patch)
tree66863e56f36139c008c72c3e8678e5ba26d24d15 /id/server/idserverlib/src/main/java/at/gv
parentca8b83874c03a8719a56816408c8df44d49640f1 (diff)
downloadmoa-id-spss-b1235f66ee1e890f9868724f9faedd222541178b.tar.gz
moa-id-spss-b1235f66ee1e890f9868724f9faedd222541178b.tar.bz2
moa-id-spss-b1235f66ee1e890f9868724f9faedd222541178b.zip
refactor PVP implementation to share code with PVP Service-Provider modules
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ISLOInformationContainer.java (renamed from id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ServletInfo.java)80
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java160
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java31
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulStorage.java94
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulUtils.java46
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ServletType.java27
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java526
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java90
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java21
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java29
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AbstractPVPMetadataBuilder.java649
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java125
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java49
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java186
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java198
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java150
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java29
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java237
25 files changed, 1674 insertions, 1117 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 2f882f41e..1207439dd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -126,6 +126,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
@Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage;
@Autowired protected AuthConfiguration authConfig;
+ @Autowired private AttributQueryBuilder attributQueryBuilder;
public IAuthData buildAuthenticationData(IRequest protocolRequest,
AuthenticationSession session, List<Attribute> reqAttributes) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException {
@@ -306,7 +307,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
//build attributQuery request
AttributeQuery query =
- AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs);
+ attributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs);
//build SOAP request
List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
@@ -325,7 +326,8 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
SAMLVerificationEngine engine = new SAMLVerificationEngine();
engine.verifyIDPResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine());
- SAMLVerificationEngine.validateAssertion(intfResp, false);
+ //TODO: find better solution
+ //SAMLVerificationEngine.validateAssertion(intfResp, false);
} catch (Exception e) {
Logger.warn("PVP 2.1 assertion validation FAILED.", e);
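Review bot: Commenting out `SAMLVerificationEngine.validateAssertion(intfResp, false)` leaves the interfederation response with only the signature check done by `engine.verifyIDPResponse(...)` two lines above, so whatever `validateAssertion` enforced (presumably assertion conditions such as validity window and audience — confirm against `SAMLVerificationEngine`, which this commit also rewrites) is now skipped for data that ends up in `buildAuthenticationData`. A bare `//TODO: find better solution` gives no indication of what is no longer verified; if the static method simply became an instance method in the refactored engine, the fix is the one-line `engine.validateAssertion(intfResp, false);` on the instance already created at the top of the try block, rather than disabling the check. If it must stay disabled temporarily, the comment should say so explicitly, e.g. `// FIXME(security): assertion conditions/validity are NOT checked since the PVP refactoring; re-enable before release`. The surrounding try/catch continues outside the hunk, and the visible catch only emits `Logger.warn`, so a failed validation may not abort the flow at all — confirm there.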
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
index 84a2b69af..307b668b7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
@@ -41,6 +41,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.data.ISLOInformationContainer;
import at.gv.egovernment.moa.id.data.SLOInformationContainer;
import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
import at.gv.egovernment.moa.id.moduls.SSOManager;
@@ -65,6 +66,7 @@ public class IDPSingleLogOutServlet extends AbstractController {
@Autowired SSOManager ssoManager;
@Autowired AuthenticationManager authManager;
@Autowired IAuthenticationSessionStoreage authenicationStorage;
+ @Autowired SingleLogOutBuilder sloBuilder;
@RequestMapping(value = "/idpSingleLogout", method = {RequestMethod.GET})
public void doGet(HttpServletRequest req, HttpServletResponse resp)
@@ -151,16 +153,16 @@ public class IDPSingleLogOutServlet extends AbstractController {
if (MiscUtil.isNotEmpty(restartProcess)) {
Logger.info("Restart Single LogOut process after timeout ... ");
try {
- SLOInformationContainer sloContainer = transactionStorage.get(restartProcess, SLOInformationContainer.class);
+ ISLOInformationContainer sloContainer = transactionStorage.get(restartProcess, SLOInformationContainer.class);
if (sloContainer.hasFrontChannelOA())
sloContainer.putFailedOA("differntent OAs");
String redirectURL = null;
if (sloContainer.getSloRequest() != null) {
//send SLO response to SLO request issuer
- SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(sloContainer.getSloRequest());
- LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, sloContainer.getSloRequest(), sloContainer.getSloFailedOAs());
- redirectURL = SingleLogOutBuilder.getFrontChannelSLOMessageURL(sloService, message, req, resp, sloContainer.getSloRequest().getRequest().getRelayState());
+ SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(sloContainer.getSloRequest());
+ LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, sloContainer.getSloRequest(), sloContainer.getSloFailedOAs());
+ redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, req, resp, sloContainer.getSloRequest().getRequest().getRelayState());
} else {
//print SLO information directly
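Review bot: `transactionStorage.get(restartProcess, SLOInformationContainer.class)` presumably returns null when `restartProcess` names no stored or an already expired transaction, and the very next line `sloContainer.hasFrontChannelOA()` would then throw a NullPointerException instead of producing a handled error; `restartProcess` appears to be request-derived (it is only checked with `MiscUtil.isNotEmpty`), so this path can be reached with an arbitrary value. A null check directly after the `get(...)` call that logs the unknown restart ID and sends the error response the surrounding try/catch already handles would close that, and the retyping to `ISLOInformationContainer` is a natural place to add it. The enclosing `doGet` continues outside the hunk, so I cannot see whether the catch block already covers NPE — confirm there.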
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ServletInfo.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ISLOInformationContainer.java
index 807f789ce..18ffc5c6d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ServletInfo.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ISLOInformationContainer.java
@@ -1,4 +1,4 @@
-/*******************************************************************************
+/*
* Copyright 2014 Federal Chancellery Austria
* MOA-ID has been developed in a cooperation between BRZ, the Federal
* Chancellery Austria - ICT staff unit, and Graz University of Technology.
@@ -19,35 +19,49 @@
* file for details on the various modules and licenses.
* The "NOTICE" text file is part of the distribution. Any derivative works
* that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-package at.gv.egovernment.moa.id.moduls;
-
-import javax.servlet.http.HttpServlet;
-
-
-public class ServletInfo {
- Class<? extends HttpServlet> servletClass;
- String servletTarget;
- ServletType type;
-
- public ServletInfo(Class<? extends HttpServlet> servletClass,
- String servletTarget, ServletType type) {
- super();
- this.servletClass = servletClass;
- this.servletTarget = servletTarget;
- this.type = type;
- }
-
- public HttpServlet getServletInstance()
- throws InstantiationException, IllegalAccessException {
- return servletClass.newInstance();
- }
-
- public String getTarget() {
- return servletTarget;
- }
-
- public ServletType getType() {
- return type;
- }
-}
+ */
+package at.gv.egovernment.moa.id.data;
+
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+import java.util.Map.Entry;
+
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
+
+/**
+ * @author tlenz
+ *
+ */
+public interface ISLOInformationContainer {
+
+ boolean hasFrontChannelOA();
+
+ Set<Entry<String, SLOInformationImpl>> getFrontChannelOASessionDescriptions();
+
+ void removeFrontChannelOA(String oaID);
+
+ Iterator<String> getNextBackChannelOA();
+
+ SLOInformationImpl getBackChannelOASessionDescripten(String oaID);
+
+ void removeBackChannelOA(String oaID);
+
+ /**
+ * @return the sloRequest
+ */
+ PVPTargetConfiguration getSloRequest();
+
+ /**
+ * @param sloRequest the sloRequest to set
+ */
+ void setSloRequest(PVPTargetConfiguration sloRequest);
+
+ /**
+ * @return the sloFailedOAs
+ */
+ List<String> getSloFailedOAs();
+
+ void putFailedOA(String oaID);
+
+} \ No newline at end of file
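Review bot: The new interface carries no Javadoc on its behavioural methods, and the one implementation in this commit (`SLOInformationContainer`) returns null from `getSloFailedOAs()` until `putFailedOA()` has been called, so callers that pass the result on, such as `buildSLOResponseMessage(sloService, ..., sloContainer.getSloFailedOAs())`, need the contract spelled out. Either document it, e.g. `/** @return the identifiers of OAs whose logout failed, or {@code null} if none were recorded */` above `getSloFailedOAs()`, or require implementations to return an empty list — the latter is the safer contract. `getNextBackChannelOA()` returns a live key iterator while `removeBackChannelOA(String)` exists alongside it; a sentence on whether removal during iteration is allowed would prevent a ConcurrentModificationException surprise. `getBackChannelOASessionDescripten` is a typo for `...Description`; renaming a freshly introduced interface method is cheap now and costly once modules depend on it.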
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java
index a4bba8b19..ba7f33821 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java
@@ -24,30 +24,20 @@ package at.gv.egovernment.moa.id.data;
import java.io.Serializable;
import java.util.ArrayList;
-import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map.Entry;
import java.util.Set;
-import org.opensaml.common.xml.SAMLConstants;
-import org.opensaml.saml2.core.NameID;
-import org.opensaml.saml2.metadata.SingleLogoutService;
-
-import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
-import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
-import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
-import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescriptorException;
/**
* @author tlenz
*
*/
-public class SLOInformationContainer implements Serializable {
-
+public class SLOInformationContainer implements Serializable, ISLOInformationContainer {
+
private static final long serialVersionUID = 7148730740582881862L;
private PVPTargetConfiguration sloRequest = null;
@@ -55,137 +45,111 @@ public class SLOInformationContainer implements Serializable {
private LinkedHashMap<String, SLOInformationImpl> activeBackChannelOAs = null;
private List<String> sloFailedOAs = null;
-
- public void parseActiveOAs(List<OASessionStore> dbOAs, String removeOAID) {
- if (activeBackChannelOAs == null)
- activeBackChannelOAs = new LinkedHashMap<String, SLOInformationImpl>();
- if (activeFrontChannalOAs == null)
- activeFrontChannalOAs = new LinkedHashMap<String, SLOInformationImpl>();
- if (dbOAs != null) {
- for (OASessionStore oa : dbOAs) {
- if (!oa.getOaurlprefix().equals(removeOAID)) {
-
- //Actually only PVP 2.1 support Single LogOut
- if (PVP2XProtocol.PATH.equals(oa.getProtocolType())) {
- SingleLogoutService sloDesc;
- try {
- sloDesc = SingleLogOutBuilder.getRequestSLODescriptor(oa.getOaurlprefix());
-
- if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI))
- activeBackChannelOAs.put(oa.getOaurlprefix(),
- new SLOInformationImpl(
- oa.getAuthURL(),
- oa.getAssertionSessionID(),
- oa.getUserNameID(),
- oa.getUserNameIDFormat(),
- oa.getProtocolType(),
- sloDesc));
-
- else
- activeFrontChannalOAs.put(oa.getOaurlprefix(),
- new SLOInformationImpl(
- oa.getAuthURL(),
- oa.getAssertionSessionID(),
- oa.getUserNameID(),
- oa.getUserNameIDFormat(),
- oa.getProtocolType(),
- sloDesc));
-
- } catch (NOSLOServiceDescriptorException e) {
- putFailedOA(oa.getOaurlprefix());
-
- }
-
- } else
- putFailedOA(oa.getOaurlprefix());
- }
- }
- }
+ /**
+ * @return the activeFrontChannalOAs
+ */
+ public LinkedHashMap<String, SLOInformationImpl> getActiveFrontChannalOAs() {
+ return activeFrontChannalOAs;
}
/**
- * @param dbIDPs
- * @param value
+ * @param activeFrontChannalOAs the activeFrontChannalOAs to set
*/
- public void parseActiveIDPs(List<InterfederationSessionStore> dbIDPs,
- String removeIDP) {
- if (activeBackChannelOAs == null)
- activeBackChannelOAs = new LinkedHashMap<String, SLOInformationImpl>();
- if (activeFrontChannalOAs == null)
- activeFrontChannalOAs = new LinkedHashMap<String, SLOInformationImpl>();
-
- if (dbIDPs != null) {
- for (InterfederationSessionStore el : dbIDPs) {
- if (!el.getIdpurlprefix().equals(removeIDP)) {
-
- SingleLogoutService sloDesc;
- try {
- sloDesc = SingleLogOutBuilder.getRequestSLODescriptor(el.getIdpurlprefix());
-
- activeFrontChannalOAs.put(el.getIdpurlprefix(),
- new SLOInformationImpl(
- el.getAuthURL(),
- el.getSessionIndex(),
- el.getUserNameID(),
- NameID.TRANSIENT,
- PVP2XProtocol.PATH,
- sloDesc));
-
- } catch (NOSLOServiceDescriptorException e) {
- putFailedOA(el.getIdpurlprefix());
-
- }
- }
- }
- }
+ public void setActiveFrontChannalOAs(LinkedHashMap<String, SLOInformationImpl> activeFrontChannalOAs) {
+ this.activeFrontChannalOAs = activeFrontChannalOAs;
}
-
+
+ /**
+ * @return the activeBackChannelOAs
+ */
+ public LinkedHashMap<String, SLOInformationImpl> getActiveBackChannelOAs() {
+ return activeBackChannelOAs;
+ }
+
+ /**
+ * @param activeBackChannelOAs the activeBackChannelOAs to set
+ */
+ public void setActiveBackChannelOAs(LinkedHashMap<String, SLOInformationImpl> activeBackChannelOAs) {
+ this.activeBackChannelOAs = activeBackChannelOAs;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#hasFrontChannelOA()
+ */
+ @Override
public boolean hasFrontChannelOA() {
return !activeFrontChannalOAs.isEmpty();
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#getFrontChannelOASessionDescriptions()
+ */
+ @Override
public Set<Entry<String, SLOInformationImpl>> getFrontChannelOASessionDescriptions() {
return activeFrontChannalOAs.entrySet();
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#removeFrontChannelOA(java.lang.String)
+ */
+ @Override
public void removeFrontChannelOA(String oaID) {
activeFrontChannalOAs.remove(oaID);
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#getNextBackChannelOA()
+ */
+ @Override
public Iterator<String> getNextBackChannelOA() {
return activeBackChannelOAs.keySet().iterator();
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#getBackChannelOASessionDescripten(java.lang.String)
+ */
+ @Override
public SLOInformationImpl getBackChannelOASessionDescripten(String oaID) {
return activeBackChannelOAs.get(oaID);
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#removeBackChannelOA(java.lang.String)
+ */
+ @Override
public void removeBackChannelOA(String oaID) {
activeBackChannelOAs.remove(oaID);
}
- /**
- * @return the sloRequest
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#getSloRequest()
*/
+ @Override
public PVPTargetConfiguration getSloRequest() {
return sloRequest;
}
- /**
- * @param sloRequest the sloRequest to set
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#setSloRequest(at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration)
*/
+ @Override
public void setSloRequest(PVPTargetConfiguration sloRequest) {
this.sloRequest = sloRequest;
}
- /**
- * @return the sloFailedOAs
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#getSloFailedOAs()
*/
+ @Override
public List<String> getSloFailedOAs() {
return sloFailedOAs;
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#putFailedOA(java.lang.String)
+ */
+ @Override
public void putFailedOA(String oaID) {
if (sloFailedOAs == null)
sloFailedOAs = new ArrayList<String>();
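Review bot: With `parseActiveOAs`/`parseActiveIDPs` moved out of this class, nothing left in it initialises the two OA maps (`activeBackChannelOAs = null` is the first context line of the hunk, and the front-channel map presumably matches), yet `hasFrontChannelOA()`, `getFrontChannelOASessionDescriptions()`, `getNextBackChannelOA()` and both remove methods dereference them unconditionally; unless the new `SingleLogOutBuilder.parseActive*` methods (not in this view) always call both setters first, a container built on an error path or restored from `transactionStorage` will NPE. Initialising the fields in place, `private LinkedHashMap<String, SLOInformationImpl> activeFrontChannalOAs = new LinkedHashMap<String, SLOInformationImpl>();` and the same for `activeBackChannelOAs`, restores the old lazy-init guarantee without depending on the caller. The same gap applies to `sloFailedOAs`, which the last lines of the hunk show is only created inside `putFailedOA`, so `getSloFailedOAs()` hands null to callers until the first failure. The new setters also store the caller's `LinkedHashMap` by reference, so the container shares mutable state with whoever built it — fine if intended, but worth a one-line comment on the setters.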
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index f77042bc5..39106dc3b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -98,10 +98,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
@Autowired private IAuthenticationSessionStoreage authenticatedSessionStore;
@Autowired private MOAReversionLogger revisionsLogger;
@Autowired protected AuthConfiguration authConfig;
-
- public AuthenticationManager() {
-
- }
+ @Autowired private SingleLogOutBuilder sloBuilder;
public void performSingleLogOut(HttpServletRequest httpReq,
HttpServletResponse httpResp, AuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException {
@@ -452,9 +449,9 @@ public class AuthenticationManager extends MOAIDAuthConstants {
List<OASessionStore> dbOAs = authenticatedSessionStore.getAllActiveOAFromMOASession(session);
List<InterfederationSessionStore> dbIDPs = authenticatedSessionStore.getAllActiveIDPsFromMOASession(session);
SLOInformationContainer sloContainer = new SLOInformationContainer();
- sloContainer.setSloRequest(pvpReq);
- sloContainer.parseActiveIDPs(dbIDPs, pvpSLOIssuer);
- sloContainer.parseActiveOAs(dbOAs, pvpSLOIssuer);
+ sloContainer.setSloRequest(pvpReq);
+ sloBuilder.parseActiveIDPs(sloContainer, dbIDPs, pvpSLOIssuer);
+ sloBuilder.parseActiveOAs(sloContainer, dbOAs, pvpSLOIssuer);
//terminate MOASession
try {
@@ -471,7 +468,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
Iterator<String> nextOAInterator = sloContainer.getNextBackChannelOA();
while (nextOAInterator.hasNext()) {
SLOInformationImpl sloDescr = sloContainer.getBackChannelOASessionDescripten(nextOAInterator.next());
- LogoutRequest sloReq = SingleLogOutBuilder.buildSLORequestMessage(sloDescr);
+ LogoutRequest sloReq = sloBuilder.buildSLORequestMessage(sloDescr);
try {
List<XMLObject> soapResp = MOASAMLSOAPClient.send(sloDescr.getServiceURL(), sloReq);
@@ -494,7 +491,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
}
- SingleLogOutBuilder.checkStatusCode(sloContainer, sloResp);
+ sloBuilder.checkStatusCode(sloContainer, sloResp);
} catch (SOAPException e) {
Logger.warn("Single LogOut for OA " + sloReq.getIssuer().getValue()
@@ -517,9 +514,9 @@ public class AuthenticationManager extends MOAIDAuthConstants {
Collection<Entry<String, SLOInformationImpl>> sloDescr = sloContainer.getFrontChannelOASessionDescriptions();
List<String> sloReqList = new ArrayList<String>();
for (Entry<String, SLOInformationImpl> el : sloDescr) {
- LogoutRequest sloReq = SingleLogOutBuilder.buildSLORequestMessage(el.getValue());
+ LogoutRequest sloReq = sloBuilder.buildSLORequestMessage(el.getValue());
try {
- sloReqList.add(SingleLogOutBuilder.getFrontChannelSLOMessageURL(el.getValue().getServiceURL(), el.getValue().getBinding(),
+ sloReqList.add(sloBuilder.getFrontChannelSLOMessageURL(el.getValue().getServiceURL(), el.getValue().getBinding(),
sloReq, httpReq, httpResp, relayState));
} catch (Exception e) {
@@ -549,9 +546,9 @@ public class AuthenticationManager extends MOAIDAuthConstants {
} else {
if (pvpReq != null) {
//send SLO response to SLO request issuer
- SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
- LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs());
- SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
+ SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq);
+ LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs());
+ sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
} else {
//print SLO information directly
@@ -572,9 +569,9 @@ public class AuthenticationManager extends MOAIDAuthConstants {
} catch (MOADatabaseException e) {
Logger.error("MOA AssertionDatabase ERROR", e);
if (pvpReq != null) {
- SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
- LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
- SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
+ SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq);
+ LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
+ sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
}else {
//print SLO information directly
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulStorage.java
deleted file mode 100644
index e65d77326..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulStorage.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-package at.gv.egovernment.moa.id.moduls;
-
-import java.util.ArrayList;
-import java.util.Iterator;
-import java.util.List;
-import java.util.ServiceLoader;
-
-import at.gv.egovernment.moa.logging.Logger;
-
-public class ModulStorage {
-
-// private static final String[] modulClasses = new String[]{
-//// "at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol",
-// "at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol",
-// "at.gv.egovernment.moa.id.protocols.stork2.STORKProtocol",
-// "at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20Protocol"
-// };
-
- private static ServiceLoader<IModulInfo> protocolModuleLoader =
- ServiceLoader.load(IModulInfo.class);
- private static List<IModulInfo> registeredModules = new ArrayList<IModulInfo>();
-
-
- public static List<IModulInfo> getAllModules() {
- return registeredModules;
- }
-
- public static IModulInfo getModuleByPath(String modname) {
- Iterator<IModulInfo> it = registeredModules.iterator();
- while (it.hasNext()) {
- IModulInfo info = it.next();
- if (info.getPath().equals(modname)) {
- return info;
- }
- }
- return null;
- }
-
- static {
- Logger.info("Loading protocol modules:");
- if (protocolModuleLoader != null ) {
- Iterator<IModulInfo> moduleLoaderInterator = protocolModuleLoader.iterator();
- while (moduleLoaderInterator.hasNext()) {
- try {
- IModulInfo modul = moduleLoaderInterator.next();
- Logger.info("Loading Modul Information: " + modul.getName());
- registeredModules.add(modul);
-
- } catch(Throwable e) {
- Logger.error("Check configuration! " + "Some protocol modul" +
- " is not a valid IModulInfo", e);
- }
- }
- }
-
-// for(int i = 0; i < modulClasses.length; i++) {
-// String modulClassName = modulClasses[i];
-// try {
-// @SuppressWarnings("unchecked")
-// Class<IModulInfo> moduleClass = (Class<IModulInfo>)Class.forName(modulClassName);
-// IModulInfo module = moduleClass.newInstance();
-// Logger.info("Loading Modul Information: " + module.getName());
-// registeredModules.add(module);
-// } catch(Throwable e) {
-// Logger.error("Check configuration! " + modulClassName +
-// " is not a valid IModulInfo", e);
-// }
-// }
- Logger.info("Loading modules done");
- }
-
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulUtils.java
deleted file mode 100644
index 13768a343..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulUtils.java
+++ /dev/null
@@ -1,46 +0,0 @@
-///*******************************************************************************
-// * Copyright 2014 Federal Chancellery Austria
-// * MOA-ID has been developed in a cooperation between BRZ, the Federal
-// * Chancellery Austria - ICT staff unit, and Graz University of Technology.
-// *
-// * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
-// * the European Commission - subsequent versions of the EUPL (the "Licence");
-// * You may not use this work except in compliance with the Licence.
-// * You may obtain a copy of the Licence at:
-// * http://www.osor.eu/eupl/
-// *
-// * Unless required by applicable law or agreed to in writing, software
-// * distributed under the Licence is distributed on an "AS IS" basis,
-// * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// * See the Licence for the specific language governing permissions and
-// * limitations under the Licence.
-// *
-// * This product combines work with different licenses. See the "NOTICE" text
-// * file for details on the various modules and licenses.
-// * The "NOTICE" text file is part of the distribution. Any derivative works
-// * that you distribute must include a readable copy of the "NOTICE" text file.
-// *******************************************************************************/
-//package at.gv.egovernment.moa.id.moduls;
-//
-//import at.gv.egovernment.moa.id.entrypoints.DispatcherServlet;
-//
-//
-//public class ModulUtils {
-//
-// public static final String UNAUTHDISPATCHER = "dispatcher";
-// public static final String AUTHDISPATCHER = "dispatcher";
-//
-// public static String buildUnauthURL(String modul, String action, String pendingRequestID) {
-// return UNAUTHDISPATCHER + "?" +
-// DispatcherServlet.PARAM_TARGET_MODULE + "=" + modul + "&" +
-// DispatcherServlet.PARAM_TARGET_ACTION + "=" + action + "&" +
-// DispatcherServlet.PARAM_TARGET_PENDINGREQUESTID + "=" + pendingRequestID;
-// }
-//
-// public static String buildAuthURL(String modul, String action, String pendingRequestID) {
-// return AUTHDISPATCHER +
-// "?" + DispatcherServlet.PARAM_TARGET_MODULE + "=" + modul + "&" +
-// DispatcherServlet.PARAM_TARGET_ACTION + "=" + action + "&" +
-// DispatcherServlet.PARAM_TARGET_PENDINGREQUESTID + "=" + pendingRequestID;
-// }
-//}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
index bba9f66ae..a1a814e95 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
@@ -32,6 +32,7 @@ import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.opensaml.saml2.core.Attribute;
+import org.springframework.beans.factory.annotation.Autowired;
import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException;
@@ -40,6 +41,7 @@ import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.logging.Logger;
@@ -78,11 +80,13 @@ public abstract class RequestImpl implements IRequest, Serializable{
private Map<String, Object> genericDataStorage = new HashMap<String, Object>();
+ @Autowired protected AttributQueryBuilder attributQueryBuilder;
+
/**
* @throws ConfigurationException
*
*/
- public RequestImpl(HttpServletRequest req) throws ConfigurationException {
+ public final void initialize(HttpServletRequest req) throws ConfigurationException {
//set requestID
requestID = Random.nextRandom();
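Review bot: `@Autowired protected AttributQueryBuilder attributQueryBuilder;` is a non-transient field on a class that `implements IRequest, Serializable`, so serialising a request (these objects are presumably kept in a session or transaction store — confirm) will either fail with NotSerializableException or drag the Spring bean into the serialised form; declare it `@Autowired protected transient AttributQueryBuilder attributQueryBuilder;` and treat it as possibly null after deserialisation. Replacing the constructor with `public final void initialize(HttpServletRequest req)` also means an instance can exist before `requestID = Random.nextRandom()` has run and can be re-initialised later, silently changing its request ID; a guard at the top of `initialize` that throws `IllegalStateException` when `requestID` is already set closes both holes. Field injection only takes effect if something autowires the instance after `new`, which this hunk does not show — a short comment at the field naming where that happens would save the next reader a search. `initialize` continues outside the hunk.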
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ServletType.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ServletType.java
deleted file mode 100644
index c8fbfb558..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ServletType.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-package at.gv.egovernment.moa.id.moduls;
-
-public enum ServletType {
- UNAUTH, AUTH, NONE
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
index 5c1c60dc8..d48603a7c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
@@ -22,49 +22,20 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x;
-import java.io.StringWriter;
+import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.transform.stream.StreamResult;
-
-import org.joda.time.DateTime;
-import org.opensaml.Configuration;
-import org.opensaml.common.xml.SAMLConstants;
+
+import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.NameIDType;
-import org.opensaml.saml2.metadata.AssertionConsumerService;
-import org.opensaml.saml2.metadata.AttributeConsumingService;
import org.opensaml.saml2.metadata.ContactPerson;
-import org.opensaml.saml2.metadata.EntitiesDescriptor;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.IDPSSODescriptor;
-import org.opensaml.saml2.metadata.KeyDescriptor;
-import org.opensaml.saml2.metadata.LocalizedString;
-import org.opensaml.saml2.metadata.NameIDFormat;
-import org.opensaml.saml2.metadata.RoleDescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.saml2.metadata.ServiceName;
-import org.opensaml.saml2.metadata.SingleLogoutService;
-import org.opensaml.saml2.metadata.SingleSignOnService;
-import org.opensaml.xml.io.Marshaller;
-import org.opensaml.xml.security.SecurityException;
-import org.opensaml.xml.security.SecurityHelper;
+import org.opensaml.saml2.metadata.Organization;
+import org.opensaml.saml2.metadata.RequestedAttribute;
import org.opensaml.xml.security.credential.Credential;
-import org.opensaml.xml.security.credential.UsageType;
-import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
-import org.opensaml.xml.security.x509.X509Credential;
-import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
-import org.opensaml.xml.signature.Signature;
-import org.opensaml.xml.signature.Signer;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
-import org.w3c.dom.Document;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
@@ -74,103 +45,28 @@ import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.logging.Logger;
@Service("pvpMetadataService")
-public class MetadataAction implements IAction {
+public class MetadataAction extends AbstractPVPMetadataBuilder implements IAction {
private static final int VALIDUNTIL_IN_HOURS = 24;
@Autowired private MOAReversionLogger revisionsLogger;
+ @Autowired private IDPCredentialProvider credentialProvider;
public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq,
HttpServletResponse httpResp, IAuthData authData) throws MOAIDException {
try {
-
revisionsLogger.logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_PVP_METADATA);
- EntitiesDescriptor idpEntitiesDescriptor =
- SAML2Utils.createSAMLObject(EntitiesDescriptor.class);
-
- idpEntitiesDescriptor.setName(PVPConfiguration.getInstance().getIDPIssuerName());
-
- idpEntitiesDescriptor.setID(SAML2Utils.getSecureIdentifier());
-
- DateTime date = new DateTime();
-
- idpEntitiesDescriptor.setValidUntil(date.plusHours(VALIDUNTIL_IN_HOURS));
-
- EntityDescriptor idpEntityDescriptor = SAML2Utils
- .createSAMLObject(EntityDescriptor.class);
-
- idpEntitiesDescriptor.getEntityDescriptors().add(idpEntityDescriptor);
-
- //TODO: maybe change EntityID to Metadata URL
- //idpEntityDescriptor
- // .setEntityID(PVPConfiguration.getInstance().getIDPSSOMetadataService());
-
- idpEntityDescriptor
- .setEntityID(req.getAuthURLWithOutSlash());
-
- idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_HOURS));
-
- List<ContactPerson> persons = PVPConfiguration.getInstance()
- .getIDPContacts();
-
- idpEntityDescriptor.getContactPersons().addAll(persons);
-
- idpEntityDescriptor.setOrganization(PVPConfiguration.getInstance()
- .getIDPOrganisation());
-
- X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory();
- //keyInfoFactory.setEmitPublicKeyValue(true);
- keyInfoFactory.setEmitEntityIDAsKeyName(true);
- keyInfoFactory.setEmitEntityCertificate(true);
-
- KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance();
-
- Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential();
- Signature signature = CredentialProvider
- .getIDPSignature(metadataSigningCredential);
-
- //set KeyInfo Element
- SecurityHelper.prepareSignatureParams(signature, metadataSigningCredential, null, null);
-
- idpEntitiesDescriptor.setSignature(signature);
-
- //set IDP metadata
- idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(req, keyInfoGenerator));
-
- //set SP metadata for interfederation
- idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(req, keyInfoGenerator));
-
- DocumentBuilder builder;
- DocumentBuilderFactory factory = DocumentBuilderFactory
- .newInstance();
-
- builder = factory.newDocumentBuilder();
- Document document = builder.newDocument();
- Marshaller out = Configuration.getMarshallerFactory()
- .getMarshaller(idpEntitiesDescriptor);
- out.marshall(idpEntitiesDescriptor, document);
-
- Signer.signObject(signature);
-
- Transformer transformer = TransformerFactory.newInstance()
- .newTransformer();
-
- StringWriter sw = new StringWriter();
- StreamResult sr = new StreamResult(sw);
- DOMSource source = new DOMSource(document);
- transformer.transform(source, sr);
- sw.close();
-
- String metadataXML = sw.toString();
+ //build metadata
+ String metadataXML = buildPVPMetadata(req.getAuthURLWithOutSlash());
Logger.debug("METADATA: " + metadataXML);
httpResp.setContentType("text/xml");
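Review bot: `VALIDUNTIL_IN_HOURS` is now consumed only through `getMetadataValidUntil()` (next hunk), whose signature carries no unit, while the removed code applied the same constant as `plusHours(...)` on the EntitiesDescriptor and as `plusDays(...)` on the EntityDescriptor, so the old output had two different validity windows and the new one depends entirely on which unit `AbstractPVPMetadataBuilder` assumes. Worth confirming against the base class and pinning on the constant with `/** Lifetime of the published metadata in hours; unit must match what AbstractPVPMetadataBuilder expects from getMetadataValidUntil() -- confirm. */`. `processRequest` continues past the end of the hunk.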
@@ -195,228 +91,232 @@ public class MetadataAction implements IAction {
return (PVP2XProtocol.METADATA);
}
- private RoleDescriptor generateSPMetadata(IRequest req, KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException {
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataValidUntil()
+ */
+ @Override
+ public int getMetadataValidUntil() {
+ return VALIDUNTIL_IN_HOURS;
+ }
- Logger.debug("Set SP Metadata key information");
-
- SPSSODescriptor spSSODescriptor = SAML2Utils
- .createSAMLObject(SPSSODescriptor.class);
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildEntitiesDescriptorAsRootElement()
+ */
+ @Override
+ public boolean buildEntitiesDescriptorAsRootElement() {
+ return true;
+ }
- spSSODescriptor.setAuthnRequestsSigned(true);
- spSSODescriptor.setWantAssertionsSigned(false);
-
-
- //Set AuthRequest Signing certificate
- X509Credential authcredential = CredentialProvider.getIDPAssertionSigningCredential();
-
- KeyDescriptor signKeyDescriptor = SAML2Utils
- .createSAMLObject(KeyDescriptor.class);
- signKeyDescriptor.setUse(UsageType.SIGNING);
- signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential));
- spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
-
-
- //set AuthRequest encryption certificate
-
- X509Credential authEncCredential = CredentialProvider.getIDPAssertionEncryptionCredential();
-
- if (authEncCredential != null) {
- KeyDescriptor encryKeyDescriptor = SAML2Utils
- .createSAMLObject(KeyDescriptor.class);
- encryKeyDescriptor.setUse(UsageType.ENCRYPTION);
- encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential));
- spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor);
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildIDPSSODescriptor()
+ */
+ @Override
+ public boolean buildIDPSSODescriptor() {
+ return true;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildSPSSODescriptor()
+ */
+ @Override
+ public boolean buildSPSSODescriptor() {
+ return false;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityID()
+ */
+ @Override
+ public String getEntityIDPostfix() {
+ //TODO: maybe change EntityID to Metadata URL
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityFriendlyName()
+ */
+ @Override
+ public String getEntityFriendlyName() {
+ try {
+ return PVPConfiguration.getInstance().getIDPIssuerName();
- } else {
- Logger.warn("No Assertion Encryption-Key defined. This setting is not recommended!");
+ } catch (ConfigurationException e) {
+ Logger.error("Can not load Metadata entry: EntityID friendlyName.", e);
+ return null;
}
-
- NameIDFormat persistentnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
- persistentnameIDFormat.setFormat(NameIDType.PERSISTENT);
-
- spSSODescriptor.getNameIDFormats().add(persistentnameIDFormat);
-
- NameIDFormat transientnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
- transientnameIDFormat.setFormat(NameIDType.TRANSIENT);
-
- spSSODescriptor.getNameIDFormats().add(transientnameIDFormat);
-
- NameIDFormat unspecifiednameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
- unspecifiednameIDFormat.setFormat(NameIDType.UNSPECIFIED);
-
- spSSODescriptor.getNameIDFormats().add(unspecifiednameIDFormat);
-
- //add assertion consumer services
- AssertionConsumerService postassertionConsumerService =
- SAML2Utils.createSAMLObject(AssertionConsumerService.class);
- postassertionConsumerService.setIndex(0);
- postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
- postassertionConsumerService.setLocation(PVPConfiguration
- .getInstance().getSPSSOPostService(req.getAuthURL()));
- postassertionConsumerService.setIsDefault(true);
- spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService);
-
- AssertionConsumerService redirectassertionConsumerService =
- SAML2Utils.createSAMLObject(AssertionConsumerService.class);
- redirectassertionConsumerService.setIndex(1);
- redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
- redirectassertionConsumerService.setLocation(PVPConfiguration
- .getInstance().getSPSSORedirectService(req.getAuthURL()));
- spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService);
-
-
- //add SLO descriptor
-// SingleLogoutService postSLOService =
-// SAML2Utils.createSAMLObject(SingleLogoutService.class);
-// postSLOService.setLocation(PVPConfiguration
-// .getInstance().getIDPSSOPostService());
-// postSLOService
-// .setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
-// spSSODescriptor.getSingleLogoutServices().add(postSLOService);
-
- SingleLogoutService redirectSLOService =
- SAML2Utils.createSAMLObject(SingleLogoutService.class);
- redirectSLOService.setLocation(PVPConfiguration
- .getInstance().getSPSSORedirectService(req.getAuthURL()));
- redirectSLOService
- .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
- spSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
-
-
- spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
-
- AttributeConsumingService attributeService =
- SAML2Utils.createSAMLObject(AttributeConsumingService.class);
- attributeService.setIndex(0);
- attributeService.setIsDefault(true);
- ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class);
- serviceName.setName(new LocalizedString("Default Service", "de"));
- attributeService.getNames().add(serviceName);
-
- return spSSODescriptor;
}
-
- private IDPSSODescriptor generateIDPMetadata(IRequest req, KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException {
-
-
-// //set SignatureMethode
-// signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE);
-//
-// //set DigestMethode
-// List<ContentReference> contentList = signature.getContentReferences();
-// for (ContentReference content : contentList) {
-//
-// if (content instanceof SAMLObjectContentReference) {
-//
-// SAMLObjectContentReference el = (SAMLObjectContentReference) content;
-// el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE);
-//
-// }
-// }
-
-
-// KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder();
-// KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject();
-// //KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.);
-// signature.setKeyInfo(metadataKeyInfo );
-
-
- IDPSSODescriptor idpSSODescriptor = SAML2Utils
- .createSAMLObject(IDPSSODescriptor.class);
- idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
-
- idpSSODescriptor.setWantAuthnRequestsSigned(true);
-
- if (PVPConfiguration.getInstance().getIDPSSOPostService(req.getAuthURL()) != null) {
- //add SSO descriptor
- SingleSignOnService postSingleSignOnService = SAML2Utils
- .createSAMLObject(SingleSignOnService.class);
- postSingleSignOnService.setLocation(PVPConfiguration
- .getInstance().getIDPSSOPostService(req.getAuthURL()));
- postSingleSignOnService
- .setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
- idpSSODescriptor.getSingleSignOnServices().add(
- postSingleSignOnService);
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getContactPersonInformation()
+ */
+ @Override
+ public List<ContactPerson> getContactPersonInformation() {
+ try {
+ return PVPConfiguration.getInstance().getIDPContacts();
- //add SLO descriptor
-// SingleLogoutService postSLOService =
-// SAML2Utils.createSAMLObject(SingleLogoutService.class);
-// postSLOService.setLocation(PVPConfiguration
-// .getInstance().getIDPSSOPostService());
-// postSLOService
-// .setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
-// idpSSODescriptor.getSingleLogoutServices().add(postSLOService);
+ } catch (ConfigurationException e) {
+ Logger.warn("Can not load Metadata entry: Contect Person", e);
+ return null;
}
+
+ }
- if (PVPConfiguration.getInstance().getIDPSSORedirectService(req.getAuthURL()) != null) {
- //add SSO descriptor
- SingleSignOnService redirectSingleSignOnService = SAML2Utils
- .createSAMLObject(SingleSignOnService.class);
- redirectSingleSignOnService.setLocation(PVPConfiguration
- .getInstance().getIDPSSORedirectService(req.getAuthURL()));
- redirectSingleSignOnService
- .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
- idpSSODescriptor.getSingleSignOnServices().add(
- redirectSingleSignOnService);
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getOrgansiationInformation()
+ */
+ @Override
+ public Organization getOrgansiationInformation() {
+ try {
+ return PVPConfiguration.getInstance().getIDPOrganisation();
+
+ } catch (ConfigurationException e) {
+ Logger.warn("Can not load Metadata entry: Organisation", e);
+ return null;
- //add SLO descriptor
- SingleLogoutService redirectSLOService =
- SAML2Utils.createSAMLObject(SingleLogoutService.class);
- redirectSLOService.setLocation(PVPConfiguration
- .getInstance().getIDPSSORedirectService(req.getAuthURL()));
- redirectSLOService
- .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
- idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
}
+ }
- /*if (PVPConfiguration.getInstance().getIDPResolveSOAPService() != null) {
- ArtifactResolutionService artifactResolutionService = SAML2Utils
- .createSAMLObject(ArtifactResolutionService.class);
-
- artifactResolutionService
- .setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
- artifactResolutionService.setLocation(PVPConfiguration
- .getInstance().getIDPResolveSOAPService());
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataSigningCredentials()
+ */
+ @Override
+ public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException {
+ return credentialProvider.getIDPMetaDataSigningCredential();
+ }
- artifactResolutionService.setIndex(0);
-
- idpSSODescriptor.getArtifactResolutionServices().add(
- artifactResolutionService);
- }*/
-
- //set assertion signing key
- Credential assertionSigingCredential = CredentialProvider
- .getIDPAssertionSigningCredential();
-
- KeyDescriptor signKeyDescriptor = SAML2Utils
- .createSAMLObject(KeyDescriptor.class);
- signKeyDescriptor.setUse(UsageType.SIGNING);
- signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential));
- idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
-
- idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes());
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getRequestorResponseSigningCredentials()
+ */
+ @Override
+ public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException {
+ return credentialProvider.getIDPAssertionSigningCredential();
- NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
- persistenNameIDFormat.setFormat(NameIDType.PERSISTENT);
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEncryptionCredentials()
+ */
+ @Override
+ public Credential getEncryptionCredentials() throws CredentialsNotAvailableException {
+ return credentialProvider.getIDPAssertionEncryptionCredential();
- idpSSODescriptor.getNameIDFormats().add(persistenNameIDFormat);
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSOPostBindingURL()
+ */
+ @Override
+ public String getIDPWebSSOPostBindingURL() {
+ return PVPConfiguration.PVP2_IDP_POST;
- NameIDFormat transientNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
- transientNameIDFormat.setFormat(NameIDType.TRANSIENT);
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSORedirectBindingURL()
+ */
+ @Override
+ public String getIDPWebSSORedirectBindingURL() {
+ return PVPConfiguration.PVP2_IDP_REDIRECT;
- idpSSODescriptor.getNameIDFormats().add(transientNameIDFormat);
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLOPostBindingURL()
+ */
+ @Override
+ public String getIDPSLOPostBindingURL() {
+ return PVPConfiguration.PVP2_IDP_POST;
- NameIDFormat unspecifiedNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
- unspecifiedNameIDFormat.setFormat(NameIDType.UNSPECIFIED);
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLORedirectBindingURL()
+ */
+ @Override
+ public String getIDPSLORedirectBindingURL() {
+ return PVPConfiguration.PVP2_IDP_REDIRECT;
- idpSSODescriptor.getNameIDFormats().add(unspecifiedNameIDFormat);
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServicePostBindingURL()
+ */
+ @Override
+ public String getSPAssertionConsumerServicePostBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServiceRedirectBindingURL()
+ */
+ @Override
+ public String getSPAssertionConsumerServiceRedirectBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOPostBindingURL()
+ */
+ @Override
+ public String getSPSLOPostBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLORedirectBindingURL()
+ */
+ @Override
+ public String getSPSLORedirectBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOSOAPBindingURL()
+ */
+ @Override
+ public String getSPSLOSOAPBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleAttributes()
+ */
+ @Override
+ public List<Attribute> getIDPPossibleAttributes() {
+ return PVPAttributeBuilder.buildSupportedEmptyAttributes();
- return idpSSODescriptor;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleNameITTypes()
+ */
+ @Override
+ public List<String> getIDPPossibleNameITTypes() {
+ return Arrays.asList(NameIDType.PERSISTENT,
+ NameIDType.TRANSIENT,
+ NameIDType.UNSPECIFIED);
}
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPRequiredAttributes()
+ */
+ @Override
+ public List<RequestedAttribute> getSPRequiredAttributes() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAllowedNameITTypes()
+ */
+ @Override
+ public List<String> getSPAllowedNameITTypes() {
+ return null;
+ }
+
+
}
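Review bot: `buildSPSSODescriptor()` returns `false`, but the removed `generateSPMetadata(...)` was attached to the entity descriptor with the comment "set SP metadata for interfederation", so the IDP's SP role (assertion consumer and SLO endpoints, signing/encryption keys) disappears from the published metadata unless the base class derives it elsewhere; for a commit described as a code-sharing refactor this reads as an unintended functional change, and the `getSP*` overrides all returning `null` make it hard to tell whether it was deliberate. A one-line comment on `buildSPSSODescriptor()`, e.g. `// interfederation SP role intentionally not published here; see <replacement location>`, would settle that. Also `getEntityFriendlyName()`, `getContactPersonInformation()` and `getOrgansiationInformation()` now catch `ConfigurationException`, log and return `null` where the removed code let the exception propagate out of `processRequest`, so metadata is published with missing contact/organization data on a configuration error and the base class must tolerate a null `List<ContactPerson>`; if it does not null-check, `return Collections.emptyList();` (with the `java.util.Collections` import) is the safer fallback for the list-typed override.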
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 6fb03a37d..88f0e3b74 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -22,13 +22,11 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x;
-import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import javax.xml.transform.TransformerException;
import org.apache.commons.lang.StringEscapeUtils;
import org.joda.time.DateTime;
@@ -49,7 +47,6 @@ import org.opensaml.saml2.metadata.AttributeConsumingService;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.ws.security.SecurityPolicyException;
-import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.signature.SignableXMLObject;
import org.springframework.stereotype.Controller;
@@ -145,7 +142,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
}
//create pendingRequest object
- PVPTargetConfiguration pendingReq = new PVPTargetConfiguration(req);
+ PVPTargetConfiguration pendingReq = applicationContext.getBean(PVPTargetConfiguration.class);
+ pendingReq.initialize(req);
pendingReq.setModule(NAME);
revisionsLogger.logEvent(
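Review bot: The sequence `applicationContext.getBean(PVPTargetConfiguration.class)` / `pendingReq.initialize(req)` / `pendingReq.setModule(NAME)` is repeated verbatim in this hunk and in the two that follow (the `@@ -171` and `@@ -219` hunks). Since the constructor no longer performs initialization, a forgotten `initialize(req)` at any one of these sites would hand an uninitialized request to the rest of the flow; a private helper keeps the lookup-then-initialize contract in one place. The helper is declared with the same `ConfigurationException` that `initialize` declares, so an import may be needed if the class does not already have it. The enclosing method starts and ends outside the hunk.
```java
// … unchanged: other members of PVP2XProtocol …
private PVPTargetConfiguration createPendingRequest(HttpServletRequest req) throws ConfigurationException {
    PVPTargetConfiguration pendingReq = applicationContext.getBean(PVPTargetConfiguration.class);
    pendingReq.initialize(req);
    pendingReq.setModule(NAME);
    return pendingReq;
}
```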
@@ -155,7 +153,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
req.getRemoteAddr());
MetadataAction metadataAction = applicationContext.getBean(MetadataAction.class);
- metadataAction.processRequest(new PVPTargetConfiguration(req),
+ metadataAction.processRequest(pendingReq,
req, resp, null);
}
@@ -171,7 +169,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
try {
//create pendingRequest object
- PVPTargetConfiguration pendingReq = new PVPTargetConfiguration(req);
+ PVPTargetConfiguration pendingReq = applicationContext.getBean(PVPTargetConfiguration.class);
+ pendingReq.initialize(req);
pendingReq.setModule(NAME);
revisionsLogger.logEvent(MOAIDEventConstants.SESSION_CREATED, pendingReq.getUniqueSessionIdentifier());
@@ -219,7 +218,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
try {
//create pendingRequest object
- PVPTargetConfiguration pendingReq = new PVPTargetConfiguration(req);
+ PVPTargetConfiguration pendingReq = applicationContext.getBean(PVPTargetConfiguration.class);
+ pendingReq.initialize(req);
pendingReq.setModule(NAME);
revisionsLogger.logEvent(MOAIDEventConstants.SESSION_CREATED, pendingReq.getUniqueSessionIdentifier());
@@ -732,42 +732,42 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
}
- /**
- * PreProcess AuthResponse and Assertion
- * @param msg
- */
- private MOAResponse preProcessAuthResponse(MOAResponse msg) {
- Logger.debug("Start PVP21 assertion processing... ");
- Response samlResp = (Response) msg.getResponse();
-
- try {
- if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
-
- //validate PVP 2.1 assertion
- SAMLVerificationEngine.validateAssertion(samlResp, true);
-
- msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement());
- return msg;
-
- } else {
- Logger.debug("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue()
- + " from interfederated IDP.");
-
- }
-
- } catch (IOException e) {
- Logger.warn("Interfederation response marshaling FAILED.", e);
-
- } catch (MarshallingException e) {
- Logger.warn("Interfederation response marshaling FAILED.", e);
-
- } catch (TransformerException e) {
- Logger.warn("Interfederation response marshaling FAILED.", e);
-
- } catch (AssertionValidationExeption e) {
- //error is already logged, to nothing
- }
-
- return null;
- }
+// /**
+// * PreProcess AuthResponse and Assertion
+// * @param msg
+// */
+// private MOAResponse preProcessAuthResponse(MOAResponse msg) {
+// Logger.debug("Start PVP21 assertion processing... ");
+// Response samlResp = (Response) msg.getResponse();
+//
+// try {
+// if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+//
+// //validate PVP 2.1 assertion
+// SAMLVerificationEngine.validateAssertion(samlResp, true);
+//
+// msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement());
+// return msg;
+//
+// } else {
+// Logger.debug("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue()
+// + " from interfederated IDP.");
+//
+// }
+//
+// } catch (IOException e) {
+// Logger.warn("Interfederation response marshaling FAILED.", e);
+//
+// } catch (MarshallingException e) {
+// Logger.warn("Interfederation response marshaling FAILED.", e);
+//
+// } catch (TransformerException e) {
+// Logger.warn("Interfederation response marshaling FAILED.", e);
+//
+// } catch (AssertionValidationExeption e) {
+// //error is already logged, to nothing
+// }
+//
+// return null;
+// }
}
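Review bot: `preProcessAuthResponse` is commented out rather than deleted, leaving roughly forty lines of dead code in the class, and the exception imports it relied on (`IOException`, `MarshallingException`, `TransformerException`) were already removed in the earlier hunks, so the block could not even be un-commented as-is. Delete it; the commit history preserves the old body. If the assertion pre-processing now lives elsewhere after the refactor, a one-line pointer at the former call site such as `// assertion pre-processing moved to <replacement location>` is more useful to the next reader than the retained body.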
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
index 181e89806..800728bbd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
@@ -26,35 +26,26 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import javax.servlet.http.HttpServletRequest;
-
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.impl.AuthnRequestImpl;
import org.opensaml.saml2.metadata.AttributeConsumingService;
import org.opensaml.saml2.metadata.RequestedAttribute;
import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.context.annotation.Scope;
+import org.springframework.stereotype.Component;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.moduls.RequestImpl;
-import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.logging.Logger;
+@Component("PVPTargetConfiguration")
+@Scope(value = BeanDefinition.SCOPE_PROTOTYPE)
public class PVPTargetConfiguration extends RequestImpl {
- /**
- * @param req
- * @throws ConfigurationException
- */
- public PVPTargetConfiguration(HttpServletRequest req)
- throws ConfigurationException {
- super(req);
-
- }
-
private static final long serialVersionUID = 4889919265919638188L;
InboundMessage request;
@@ -132,7 +123,7 @@ public class PVPTargetConfiguration extends RequestImpl {
reqAttr.put(attr.getName(), "");
}
- return AttributQueryBuilder.buildSAML2AttributeList(this.getOnlineApplicationConfiguration(), reqAttr.keySet().iterator());
+ return attributQueryBuilder.buildSAML2AttributeList(this.getOnlineApplicationConfiguration(), reqAttr.keySet().iterator());
} catch (NoMetadataInformationException e) {
Logger.warn("NO metadata found for Entity " + getRequest().getEntityID());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
index 8928aaeca..5afa10a72 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
@@ -49,6 +49,7 @@ import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;
import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.ISLOInformationContainer;
import at.gv.egovernment.moa.id.data.SLOInformationContainer;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
@@ -77,6 +78,8 @@ public class SingleLogOutAction implements IAction {
@Autowired private AuthenticationManager authManager;
@Autowired private IAuthenticationSessionStoreage authenticationSessionStorage;
@Autowired private ITransactionStorage transactionStorage;
+ @Autowired private SingleLogOutBuilder sloBuilder;
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.data.IAuthData)
@@ -107,11 +110,11 @@ public class SingleLogOutAction implements IAction {
String ssoID = ssomanager.getSSOSessionID(httpReq);
if (MiscUtil.isEmpty(ssoID)) {
Logger.info("Can not find active Session. Single LogOut not possible!");
- SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
- //LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
- LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, null);
+ SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq);
+ //LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
+ LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, null);
Logger.info("Sending SLO success message to requester ...");
- SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
+ sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
return null;
} else {
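Review bot: The commented-out line `//LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);` is dead code that the commit nevertheless rewrote from the static form; it should be deleted rather than maintained, here and in the identical block of the next hunk (the MOADatabaseException branch). Those two branches also repeat the same five lines (descriptor lookup, response build, front-channel send, `return null`), so a small private helper on SingleLogOutAction would keep them from drifting apart again. A comment above the block such as `// no active SSO session: answer the SLO request with a success response and stop` would document why a success status is returned although nothing was logged out. The enclosing processRequest method starts and ends outside the hunk.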
@@ -121,11 +124,11 @@ public class SingleLogOutAction implements IAction {
} catch (MOADatabaseException e) {
Logger.info("Can not find active Session. Single LogOut not possible!");
- SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
- //LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
- LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, null);
+ SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq);
+ //LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
+ LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, null);
Logger.info("Sending SLO success message to requester ...");
- SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
+ sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
return null;
}
@@ -175,10 +178,10 @@ public class SingleLogOutAction implements IAction {
Object data = SerializationUtils.deserialize(element.getAssertion());
if (data instanceof SLOInformationContainer) {
- SLOInformationContainer sloContainer = (SLOInformationContainer) data;
+ ISLOInformationContainer sloContainer = (ISLOInformationContainer) data;
//check status
- SingleLogOutBuilder.checkStatusCode(sloContainer, logOutResp);
+ sloBuilder.checkStatusCode(sloContainer, logOutResp);
if (sloContainer.hasFrontChannelOA()) {
try {
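Review bot: The new cast on the first changed line targets the interface ISLOInformationContainer, while the guard on the line above still tests `data instanceof SLOInformationContainer`; the two should agree. If other ISLOInformationContainer implementations are expected now that the type is shared with the SP modules, widen the guard to `if (data instanceof ISLOInformationContainer) {`, otherwise keep the cast on the concrete class so the type check stays as narrow as possible. Either way that instanceof test is the only validation applied to the object returned by `SerializationUtils.deserialize`, which deserves a comment such as `// data comes from SerializationUtils.deserialize; this instanceof is the only type check before use`. The enclosing method starts and ends outside the hunk.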
@@ -224,9 +227,9 @@ public class SingleLogOutAction implements IAction {
String redirectURL = null;
if (sloContainer.getSloRequest() != null) {
//send SLO response to SLO request issuer
- SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(sloContainer.getSloRequest());
- LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, sloContainer.getSloRequest(), sloContainer.getSloFailedOAs());
- redirectURL = SingleLogOutBuilder.getFrontChannelSLOMessageURL(sloService, message, httpReq, httpResp, sloContainer.getSloRequest().getRequest().getRelayState());
+ SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(sloContainer.getSloRequest());
+ LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, sloContainer.getSloRequest(), sloContainer.getSloFailedOAs());
+ redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, httpReq, httpResp, sloContainer.getSloRequest().getRequest().getRelayState());
} else {
//print SLO information directly
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 9e176f724..24bdf4c3c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -47,6 +47,7 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.x509.X509Credential;
+import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.config.ConfigurationException;
@@ -58,8 +59,8 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOAPVPSignedRequestPolicyRule;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.id.util.HTTPUtils;
@@ -69,13 +70,15 @@ import at.gv.egovernment.moa.util.MiscUtil;
@Service("PVPPostBindingCoder")
public class PostBinding implements IDecoder, IEncoder {
-
+
+ @Autowired private IDPCredentialProvider credentialProvider;
+
public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
RequestAbstractType request, String targetLocation, String relayState)
throws MessageEncodingException, SecurityException {
try {
- X509Credential credentials = CredentialProvider
+ X509Credential credentials = credentialProvider
.getIDPAssertionSigningCredential();
//load default PVP security configurations
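Review bot: The new `@Autowired private IDPCredentialProvider credentialProvider;` field is populated by reflection only, so `credentialProvider` stays null and the two changed `getIDPAssertionSigningCredential()` call sites throw NullPointerException if a coder is ever created with `new PostBinding()` instead of obtained from the Spring context; the same applies to the identical fields added in RedirectBinding and SoapBinding. Constructor injection makes the dependency mandatory and final and keeps these `@Service` beans testable without a container, though whether any caller still instantiates the bindings directly is not visible in this diff. A short comment on the field, `// signing credential source used by the encode methods`, would also help. encodeRequest continues outside the hunk.
```java
public class PostBinding implements IDecoder, IEncoder {

    private final IDPCredentialProvider credentialProvider;

    @Autowired
    public PostBinding(IDPCredentialProvider credentialProvider) {
        this.credentialProvider = credentialProvider;
    }
    // … unchanged: encodeRequest and the second encode method …
```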
@@ -113,7 +116,7 @@ public class PostBinding implements IDecoder, IEncoder {
throws MessageEncodingException, SecurityException {
try {
- X509Credential credentials = CredentialProvider
+ X509Credential credentials = credentialProvider
.getIDPAssertionSigningCredential();
//load default PVP security configurations
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 08aa76e58..7167d8b7d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -48,6 +48,7 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.x509.X509Credential;
+import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.config.ConfigurationException;
@@ -59,8 +60,8 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.logging.Logger;
@@ -69,12 +70,14 @@ import at.gv.egovernment.moa.util.MiscUtil;
@Service("PVPRedirectBindingCoder")
public class RedirectBinding implements IDecoder, IEncoder {
+ @Autowired private IDPCredentialProvider credentialProvider;
+
public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
RequestAbstractType request, String targetLocation, String relayState)
throws MessageEncodingException, SecurityException {
try {
- X509Credential credentials = CredentialProvider
+ X509Credential credentials = credentialProvider
.getIDPAssertionSigningCredential();
//load default PVP security configurations
@@ -107,7 +110,7 @@ public class RedirectBinding implements IDecoder, IEncoder {
StatusResponseType response, String targetLocation, String relayState)
throws MessageEncodingException, SecurityException {
try {
- X509Credential credentials = CredentialProvider
+ X509Credential credentials = credentialProvider
.getIDPAssertionSigningCredential();
//load default PVP security configurations
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index d42d91105..bd60b7a13 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -45,6 +45,7 @@ import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.SignableXMLObject;
+import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
@@ -54,14 +55,16 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@Service("PVPSOAPBindingCoder")
public class SoapBinding implements IDecoder, IEncoder {
+ @Autowired private IDPCredentialProvider credentialProvider;
+
public InboundMessageInterface decode(HttpServletRequest req,
HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException,
SecurityException, PVP2Exception {
@@ -142,7 +145,7 @@ public class SoapBinding implements IDecoder, IEncoder {
StatusResponseType response, String targetLocation, String relayState)
throws MessageEncodingException, SecurityException, PVP2Exception {
try {
- Credential credentials = CredentialProvider
+ Credential credentials = credentialProvider
.getIDPAssertionSigningCredential();
//load default PVP security configurations
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AbstractPVPMetadataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AbstractPVPMetadataBuilder.java
new file mode 100644
index 000000000..23870806a
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AbstractPVPMetadataBuilder.java
@@ -0,0 +1,649 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.security.PrivateKey;
+import java.security.interfaces.RSAPrivateKey;
+import java.util.List;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+
+import org.joda.time.DateTime;
+import org.opensaml.Configuration;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.AttributeConsumingService;
+import org.opensaml.saml2.metadata.ContactPerson;
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.KeyDescriptor;
+import org.opensaml.saml2.metadata.LocalizedString;
+import org.opensaml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml2.metadata.Organization;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.ServiceName;
+import org.opensaml.saml2.metadata.SingleLogoutService;
+import org.opensaml.saml2.metadata.SingleSignOnService;
+import org.opensaml.xml.io.Marshaller;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.security.SecurityHelper;
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
+import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.opensaml.xml.signature.SignatureException;
+import org.opensaml.xml.signature.Signer;
+import org.w3c.dom.Document;
+
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+
+public abstract class AbstractPVPMetadataBuilder {
+
+ X509KeyInfoGeneratorFactory keyInfoFactory = null;
+
+ /**
+ *
+ */
+ public AbstractPVPMetadataBuilder() {
+ keyInfoFactory = new X509KeyInfoGeneratorFactory();
+ keyInfoFactory.setEmitEntityIDAsKeyName(true);
+ keyInfoFactory.setEmitEntityCertificate(true);
+
+ }
+
+
+ /**
+ * Set metadata valid area
+ *
+ * @return valid until in hours [h]
+ */
+ public abstract int getMetadataValidUntil();
+
+ /**
+ * Build a SAML2 Entities element as metadata root element
+ *
+ * @return true, if the metadata should start with entities element
+ */
+ public abstract boolean buildEntitiesDescriptorAsRootElement();
+
+ /**
+ *
+ *
+ * @return true, if an IDP SSO-descriptor element should be generated
+ */
+ public abstract boolean buildIDPSSODescriptor();
+
+ /**
+ *
+ *
+ * @return true, if an SP SSO-descriptor element should be generated
+ */
+ public abstract boolean buildSPSSODescriptor();
+
+ /**
+ * Set the PVP entityID for this SAML2 metadata.
+ * The entityID must be a URL and is public-URL prefix of the server, as minimum.
+ * If this is null or a empty String, the EntityID is the public-url prefix
+ *
+ * @return PVP entityID postfix as String
+ */
+ public abstract String getEntityIDPostfix();
+
+ /**
+ * Set a friendlyName for this PVP entity
+ *
+ * @return
+ */
+ public abstract String getEntityFriendlyName();
+
+ /**
+ * Set the contact information for this metadata entity
+ *
+ * @return
+ */
+ public abstract List<ContactPerson> getContactPersonInformation();
+
+ /**
+ * Set organisation information for this metadata entity
+ *
+ * @return
+ */
+ public abstract Organization getOrgansiationInformation();
+
+
+ /**
+ * Set the credential for metadata signing
+ *
+ * @return
+ * @throws CredentialsNotAvailableException
+ */
+ public abstract Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException;
+
+ /**
+ * Set the credential for request/response signing
+ * IDP metadata: this credential is used for SAML2 response signing
+ * SP metadata: this credential is used for SAML2 response signing
+ *
+ * @return
+ * @throws CredentialsNotAvailableException
+ */
+ public abstract Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException;
+
+ /**
+ * Set the credential for response encryption
+ *
+ * @return
+ * @throws CredentialsNotAvailableException
+ */
+ public abstract Credential getEncryptionCredentials() throws CredentialsNotAvailableException;
+
+ /**
+ * Set the IDP Post-Binding URL-postfix for WebSSO
+ *
+ * @return
+ */
+ public abstract String getIDPWebSSOPostBindingURL();
+
+ /**
+ * Set the IDP Redirect-Binding URL-postfix for WebSSO
+ *
+ * @return
+ */
+ public abstract String getIDPWebSSORedirectBindingURL();
+
+ /**
+ * Set the IDP Post-Binding URL-postfix for Single LogOut
+ *
+ * @return
+ */
+ public abstract String getIDPSLOPostBindingURL();
+
+ /**
+ * Set the IDP Redirect-Binding URL-postfix for Single LogOut
+ *
+ * @return
+ */
+ public abstract String getIDPSLORedirectBindingURL();
+
+ /**
+ * Set the SP Post-Binding URL-postfix for for the Assertion-Consumer Service
+ *
+ * @return
+ */
+ public abstract String getSPAssertionConsumerServicePostBindingURL();
+
+ /**
+ * Set the SP Redirect-Binding URL-postfix for the Assertion-Consumer Service
+ *
+ * @return
+ */
+ public abstract String getSPAssertionConsumerServiceRedirectBindingURL();
+
+ /**
+ * Set the SP Post-Binding URL-postfix for Single LogOut
+ *
+ * @return
+ */
+ public abstract String getSPSLOPostBindingURL();
+
+ /**
+ * Set the SP Redirect-Binding URL-postfix for Single LogOut
+ *
+ * @return
+ */
+ public abstract String getSPSLORedirectBindingURL();
+
+ /**
+ * Set the SP SOAP-Binding URL-postfix for Single LogOut
+ *
+ * @return
+ */
+ public abstract String getSPSLOSOAPBindingURL();
+
+
+ /**
+ * Set all SAML2 attributes which could be provided by this IDP
+ *
+ * @return
+ */
+ public abstract List<Attribute> getIDPPossibleAttributes();
+
+ /**
+ * Set all nameID types which could be provided by this IDP
+ *
+ * @return a List of SAML2 nameID types
+ */
+ public abstract List<String> getIDPPossibleNameITTypes();
+
+ /**
+ * Set all SAML2 attributes which are required by the SP
+ *
+ * @return
+ */
+ public abstract List<RequestedAttribute> getSPRequiredAttributes();
+
+ /**
+ * Set all nameID types which allowed from the SP
+ *
+ * @return a List of SAML2 nameID types
+ */
+ public abstract List<String> getSPAllowedNameITTypes();
+
+ /**
+ *
+ * Build PVP 2.1 conform SAML2 metadata
+ *
+ * @param instancePublicURLPrefix
+ * Public-URL prefix which should be used to generate URLs.
+ * The URL String must by without trailing /
+ *
+ * @return PVP metadata as XML String
+ * @throws SecurityException
+ * @throws ConfigurationException
+ * @throws CredentialsNotAvailableException
+ * @throws TransformerFactoryConfigurationError
+ * @throws MarshallingException
+ * @throws TransformerException
+ * @throws ParserConfigurationException
+ * @throws IOException
+ * @throws SignatureException
+ */
+ public String buildPVPMetadata(String instancePublicURLPrefix) throws CredentialsNotAvailableException, ConfigurationException, SecurityException, TransformerFactoryConfigurationError, MarshallingException, TransformerException, ParserConfigurationException, IOException, SignatureException {
+ if (MiscUtil.isEmpty(instancePublicURLPrefix)) {
+ Logger.error("Metadata generation FAILED! --> PublicURL Prefix is null or empty");
+ throw new NullPointerException("PublicURL Prefix is null or empty");
+
+ }
+
+ //remove trailing slash
+ if (instancePublicURLPrefix.endsWith("/"))
+ instancePublicURLPrefix.substring(0, instancePublicURLPrefix.length()-1);
+
+ DateTime date = new DateTime();
+ EntityDescriptor entityDescriptor = SAML2Utils
+ .createSAMLObject(EntityDescriptor.class);
+
+ //set entityID
+ if (MiscUtil.isNotEmpty(getEntityIDPostfix()))
+ entityDescriptor.setEntityID(instancePublicURLPrefix + getEntityIDPostfix());
+ else
+ entityDescriptor.setEntityID(instancePublicURLPrefix);
+
+ //set contact and organisation information
+ List<ContactPerson> contactPersons = getContactPersonInformation();
+ if (contactPersons != null)
+ entityDescriptor.getContactPersons().addAll(contactPersons);
+
+ Organization organisation = getOrgansiationInformation();
+ if (organisation != null)
+ entityDescriptor.setOrganization(organisation);
+
+ //set IDP metadata
+ if (buildIDPSSODescriptor()) {
+ RoleDescriptor idpSSODesc = generateIDPMetadata(instancePublicURLPrefix);
+ if (idpSSODesc != null)
+ entityDescriptor.getRoleDescriptors().add(idpSSODesc);
+
+ }
+
+ //set SP metadata for interfederation
+ if (buildSPSSODescriptor()) {
+ RoleDescriptor spSSODesc = generateSPMetadata(instancePublicURLPrefix);
+ if (spSSODesc != null)
+ entityDescriptor.getRoleDescriptors().add(spSSODesc);
+
+ }
+
+ //set metadata signature parameters
+ Credential metadataSignCred = getMetadataSigningCredentials();
+ Signature signature = getIDPSignature(metadataSignCred);
+ SecurityHelper.prepareSignatureParams(signature, metadataSignCred, null, null);
+
+
+ //initialize XML document builder
+ DocumentBuilder builder;
+ DocumentBuilderFactory factory = DocumentBuilderFactory
+ .newInstance();
+
+ builder = factory.newDocumentBuilder();
+ Document document = builder.newDocument();
+
+
+ //build entities descriptor
+ if (buildEntitiesDescriptorAsRootElement()) {
+ EntitiesDescriptor entitiesDescriptor =
+ SAML2Utils.createSAMLObject(EntitiesDescriptor.class);
+ entitiesDescriptor.setName(getEntityFriendlyName());
+ entitiesDescriptor.setID(SAML2Utils.getSecureIdentifier());
+ entitiesDescriptor.setValidUntil(date.plusHours(getMetadataValidUntil()));
+ entitiesDescriptor.getEntityDescriptors().add(entityDescriptor);
+
+ entitiesDescriptor.setSignature(signature);
+
+ //marshall document
+ Marshaller out = Configuration.getMarshallerFactory()
+ .getMarshaller(entitiesDescriptor);
+ out.marshall(entitiesDescriptor, document);
+
+ } else {
+ entityDescriptor.setValidUntil(date.plusHours(getMetadataValidUntil()));
+
+ entityDescriptor.setSignature(signature);
+
+ //marshall document
+ Marshaller out = Configuration.getMarshallerFactory()
+ .getMarshaller(entityDescriptor);
+ out.marshall(entityDescriptor, document);
+
+ }
+
+ //sign metadata
+ Signer.signObject(signature);
+
+ //transform metadata object to XML string
+ Transformer transformer = TransformerFactory.newInstance()
+ .newTransformer();
+
+ StringWriter sw = new StringWriter();
+ StreamResult sr = new StreamResult(sw);
+ DOMSource source = new DOMSource(document);
+ transformer.transform(source, sr);
+ sw.close();
+
+ return sw.toString();
+ }
+
+
+ private RoleDescriptor generateSPMetadata(String instancePublicURLPrefix) throws CredentialsNotAvailableException, SecurityException, ConfigurationException {
+ SPSSODescriptor spSSODescriptor = SAML2Utils.createSAMLObject(SPSSODescriptor.class);
+ spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
+ spSSODescriptor.setAuthnRequestsSigned(true);
+ spSSODescriptor.setWantAssertionsSigned(false);
+
+ KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance();
+
+ //Set AuthRequest Signing certificate
+ Credential authcredential = getRequestorResponseSigningCredentials();
+ if (authcredential == null) {
+ Logger.warn("SP Metadata generation FAILED! --> Builder has NO request signing-credential. ");
+ return null;
+
+ } else {
+ KeyDescriptor signKeyDescriptor = SAML2Utils
+ .createSAMLObject(KeyDescriptor.class);
+ signKeyDescriptor.setUse(UsageType.SIGNING);
+ signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential));
+ spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
+
+ }
+
+ //Set assertion encryption credentials
+ Credential authEncCredential = getEncryptionCredentials();
+
+ if (authEncCredential != null) {
+ KeyDescriptor encryKeyDescriptor = SAML2Utils
+ .createSAMLObject(KeyDescriptor.class);
+ encryKeyDescriptor.setUse(UsageType.ENCRYPTION);
+ encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential));
+ spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor);
+
+ } else {
+ Logger.warn("No Assertion Encryption-Key defined. This setting is not recommended!");
+
+ }
+
+ //check nameID formates
+ if (getIDPPossibleNameITTypes() == null || getIDPPossibleNameITTypes().size() == 0) {
+ Logger.warn("SP Metadata generation FAILED! --> Builder has NO provideable SAML2 nameIDFormats. ");
+ return null;
+
+ } else {
+ for (String format : getSPAllowedNameITTypes()) {
+ NameIDFormat nameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+ nameIDFormat.setFormat(format);
+ spSSODescriptor.getNameIDFormats().add(nameIDFormat);
+
+ }
+ }
+
+
+ //add POST-Binding assertion consumer services
+ if (MiscUtil.isNotEmpty(getSPAssertionConsumerServicePostBindingURL())) {
+ AssertionConsumerService postassertionConsumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class);
+ postassertionConsumerService.setIndex(0);
+ postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+ postassertionConsumerService.setLocation(instancePublicURLPrefix + getSPAssertionConsumerServicePostBindingURL());
+ postassertionConsumerService.setIsDefault(true);
+ spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService);
+
+ }
+
+ //add POST-Binding assertion consumer services
+ if (MiscUtil.isNotEmpty(getSPAssertionConsumerServiceRedirectBindingURL())) {
+ AssertionConsumerService redirectassertionConsumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class);
+ redirectassertionConsumerService.setIndex(1);
+ redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+ redirectassertionConsumerService.setLocation(instancePublicURLPrefix + getSPAssertionConsumerServiceRedirectBindingURL());
+ spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService);
+
+ }
+
+ //validate WebSSO endpoints
+ if (spSSODescriptor.getAssertionConsumerServices().size() == 0) {
+ Logger.warn("SP Metadata generation FAILED! --> NO SAML2 AssertionConsumerService endpoint found. ");
+ return null;
+
+ }
+
+ //add POST-Binding SLO descriptor
+ if (MiscUtil.isNotEmpty(getSPSLOPostBindingURL())) {
+ SingleLogoutService postSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class);
+ postSLOService.setLocation(instancePublicURLPrefix + getSPSLOPostBindingURL());
+ postSLOService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+ spSSODescriptor.getSingleLogoutServices().add(postSLOService);
+
+ }
+
+ //add POST-Binding SLO descriptor
+ if (MiscUtil.isNotEmpty(getSPSLORedirectBindingURL())) {
+ SingleLogoutService redirectSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class);
+ redirectSLOService.setLocation(instancePublicURLPrefix + getSPSLORedirectBindingURL());
+ redirectSLOService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+ spSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
+
+ }
+
+ //add POST-Binding SLO descriptor
+ if (MiscUtil.isNotEmpty(getSPSLOSOAPBindingURL())) {
+ SingleLogoutService soapSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class);
+ soapSLOService.setLocation(instancePublicURLPrefix + getSPSLOSOAPBindingURL());
+ soapSLOService.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
+ spSSODescriptor.getSingleLogoutServices().add(soapSLOService);
+
+ }
+
+
+ //add required attributes
+ List<RequestedAttribute> reqSPAttr = getSPRequiredAttributes();
+ AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class);
+
+ attributeService.setIndex(0);
+ attributeService.setIsDefault(true);
+ ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class);
+ serviceName.setName(new LocalizedString("Default Service", "en"));
+ attributeService.getNames().add(serviceName);
+
+ if (reqSPAttr != null && reqSPAttr.size() > 0) {
+ Logger.debug("Add " + reqSPAttr.size() + " attributes to SP metadata");
+ attributeService.getRequestAttributes().addAll(reqSPAttr);
+
+ } else {
+ Logger.debug("SP metadata contains NO requested attributes.");
+
+ }
+
+ spSSODescriptor.getAttributeConsumingServices().add(attributeService);
+
+ return spSSODescriptor;
+ }
+
+ private IDPSSODescriptor generateIDPMetadata(String instancePublicURLPrefix) throws ConfigurationException, CredentialsNotAvailableException, SecurityException {
+ //check response signing credential
+ Credential responseSignCred = getRequestorResponseSigningCredentials();
+ if (responseSignCred == null) {
+ Logger.warn("IDP Metadata generation FAILED! --> Builder has NO Response signing credential. ");
+ return null;
+
+ }
+
+ //check nameID formates
+ if (getIDPPossibleNameITTypes() == null || getIDPPossibleNameITTypes().size() == 0) {
+ Logger.warn("IDP Metadata generation FAILED! --> Builder has NO provideable SAML2 nameIDFormats. ");
+ return null;
+
+ }
+
+ // build SAML2 IDP-SSO descriptor element
+ IDPSSODescriptor idpSSODescriptor = SAML2Utils
+ .createSAMLObject(IDPSSODescriptor.class);
+
+ idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
+
+ //set ass default value, because PVP 2.x specification defines this feature as MUST
+ idpSSODescriptor.setWantAuthnRequestsSigned(true);
+
+ // add WebSSO descriptor for POST-Binding
+ if (MiscUtil.isNotEmpty(getIDPWebSSOPostBindingURL())) {
+ SingleSignOnService postSingleSignOnService = SAML2Utils.createSAMLObject(SingleSignOnService.class);
+ postSingleSignOnService.setLocation(instancePublicURLPrefix + getIDPWebSSOPostBindingURL());
+ postSingleSignOnService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+ idpSSODescriptor.getSingleSignOnServices().add(postSingleSignOnService);
+
+ }
+
+ // add WebSSO descriptor for Redirect-Binding
+ if (MiscUtil.isNotEmpty(getIDPWebSSORedirectBindingURL())) {
+ SingleSignOnService postSingleSignOnService = SAML2Utils.createSAMLObject(SingleSignOnService.class);
+ postSingleSignOnService.setLocation(instancePublicURLPrefix + getIDPWebSSORedirectBindingURL());
+ postSingleSignOnService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+ idpSSODescriptor.getSingleSignOnServices().add(postSingleSignOnService);
+
+ }
+
+ //add Single LogOut POST-Binding endpoing
+ if (MiscUtil.isNotEmpty(getIDPSLOPostBindingURL())) {
+ SingleLogoutService postSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class);
+ postSLOService.setLocation(instancePublicURLPrefix + getIDPSLOPostBindingURL());
+ postSLOService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+ idpSSODescriptor.getSingleLogoutServices().add(postSLOService);
+
+ }
+
+ //add Single LogOut Redirect-Binding endpoing
+ if (MiscUtil.isNotEmpty(getIDPSLORedirectBindingURL())) {
+ SingleLogoutService redirectSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class);
+ redirectSLOService.setLocation(instancePublicURLPrefix + getIDPSLORedirectBindingURL());
+ redirectSLOService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+ idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
+
+ }
+
+ //validate WebSSO endpoints
+ if (idpSSODescriptor.getSingleSignOnServices().size() == 0) {
+ Logger.warn("IDP Metadata generation FAILED! --> NO SAML2 SingleSignOnService endpoint found. ");
+ return null;
+
+ }
+
+ //set assertion signing key
+ KeyDescriptor signKeyDescriptor = SAML2Utils
+ .createSAMLObject(KeyDescriptor.class);
+ signKeyDescriptor.setUse(UsageType.SIGNING);
+ KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance();
+ signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(getRequestorResponseSigningCredentials()));
+ idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
+
+ //set IDP attribute set
+ idpSSODescriptor.getAttributes().addAll(getIDPPossibleAttributes());
+
+ //set providable nameID formats
+ for (String format : getIDPPossibleNameITTypes()) {
+ NameIDFormat nameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+ nameIDFormat.setFormat(format);
+ idpSSODescriptor.getNameIDFormats().add(nameIDFormat);
+
+ }
+
+ return idpSSODescriptor;
+
+ }
+
+ private Signature getIDPSignature(Credential credentials) {
+ PrivateKey privatekey = credentials.getPrivateKey();
+ Signature signer = SAML2Utils.createSAMLObject(Signature.class);
+
+ if (privatekey instanceof RSAPrivateKey) {
+ signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+
+ } else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) {
+ signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1);
+
+ } else {
+ Logger.warn("Could NOT evaluate the Private-Key type from " + credentials.getEntityId() + " credential.");
+
+
+ }
+
+ signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+ signer.setSigningCredential(credentials);
+ return signer;
+
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
index ebbafd4e3..9c097780b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
@@ -25,7 +25,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
-import java.util.Set;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -46,17 +45,18 @@ import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
import org.w3c.dom.Document;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.SamlAttributeGenerator;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
@@ -65,9 +65,12 @@ import at.gv.egovernment.moa.util.Constants;
* @author tlenz
*
*/
+@Service("AttributQueryBuilder")
public class AttributQueryBuilder {
- public static List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) {
+ @Autowired IDPCredentialProvider credentialProvider;
+
+ public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) {
Logger.debug("Build OA specific Attributes for AttributQuery request");
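Review bot: `@Autowired IDPCredentialProvider credentialProvider;` is injected with package-private visibility, whereas the same field added to SingleLogOutBuilder in this commit is `private`; nothing in the package needs to reach the provider directly, so `@Autowired private IDPCredentialProvider credentialProvider;` keeps the two builders consistent and keeps the signing-credential source out of reach of neighbouring classes. The class body continues outside the hunk.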
@@ -103,7 +106,7 @@ public class AttributQueryBuilder {
}
- public static AttributeQuery buildAttributQueryRequest(String nameID,
+ public AttributeQuery buildAttributQueryRequest(String nameID,
String endpoint, List<Attribute> requestedAttributes) throws AttributQueryException {
@@ -136,7 +139,7 @@ public class AttributQueryBuilder {
query.setDestination(endpoint);
- X509Credential idpSigningCredential = CredentialProvider.getIDPAssertionSigningCredential();
+ X509Credential idpSigningCredential = credentialProvider.getIDPAssertionSigningCredential();
Signature signer = SAML2Utils.createSAMLObject(Signature.class);
signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
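Review bot: The attribute query is still signed with `ALGO_ID_SIGNATURE_RSA_SHA1` on the last context line of this hunk, while the SingleLogOutBuilder and the metadata builder touched by the same commit sign with `ALGO_ID_SIGNATURE_RSA_SHA256`, so the refactor leaves SHA-1 on this one outgoing message. Changing it to `signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);` aligns the three builders, provided the queried IdPs verify SHA-256 signatures, which is presumably already required of them by the other two message types. The enclosing buildAttributQueryRequest starts outside the hunk.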
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index dbbc21ec9..959fc7d2d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -23,6 +23,7 @@
package at.gv.egovernment.moa.id.protocols.pvp2x.builder;
import java.security.NoSuchAlgorithmException;
+import java.util.LinkedHashMap;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
@@ -57,14 +58,20 @@ import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.Signer;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
import org.w3c.dom.Document;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
+import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.data.ISLOInformationContainer;
import at.gv.egovernment.moa.id.data.SLOInformationContainer;
import at.gv.egovernment.moa.id.data.SLOInformationImpl;
import at.gv.egovernment.moa.id.opemsaml.MOAStringRedirectDeflateEncoder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
@@ -74,7 +81,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescripto
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
import at.gv.egovernment.moa.logging.Logger;
@@ -83,9 +90,12 @@ import at.gv.egovernment.moa.logging.Logger;
* @author tlenz
*
*/
+@Service("PVP_SingleLogOutBuilder")
public class SingleLogOutBuilder {
- public static void checkStatusCode(SLOInformationContainer sloContainer, LogoutResponse logOutResp) {
+ @Autowired private IDPCredentialProvider credentialProvider;
+
+ public void checkStatusCode(ISLOInformationContainer sloContainer, LogoutResponse logOutResp) {
Status status = logOutResp.getStatus();
if (!status.getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
String message = " Message: ";
@@ -111,12 +121,12 @@ public class SingleLogOutBuilder {
* @param relayState
* @return
*/
- public static String getFrontChannelSLOMessageURL(String serviceURL, String bindingType,
+ public String getFrontChannelSLOMessageURL(String serviceURL, String bindingType,
RequestAbstractType sloReq, HttpServletRequest httpReq,
HttpServletResponse httpResp, String relayState) throws MOAIDException {
try {
- X509Credential credentials = CredentialProvider
+ X509Credential credentials = credentialProvider
.getIDPAssertionSigningCredential();
Logger.debug("create SAML RedirectBinding response");
@@ -143,12 +153,12 @@ public class SingleLogOutBuilder {
}
}
- public static String getFrontChannelSLOMessageURL(SingleLogoutService service,
+ public String getFrontChannelSLOMessageURL(SingleLogoutService service,
StatusResponseType sloResp, HttpServletRequest httpReq,
HttpServletResponse httpResp, String relayState) throws MOAIDException {
try {
- X509Credential credentials = CredentialProvider
+ X509Credential credentials = credentialProvider
.getIDPAssertionSigningCredential();
Logger.debug("create SAML RedirectBinding response");
@@ -171,7 +181,7 @@ public class SingleLogOutBuilder {
}
}
- public static void sendFrontChannelSLOMessage(SingleLogoutService consumerService,
+ public void sendFrontChannelSLOMessage(SingleLogoutService consumerService,
LogoutResponse sloResp, HttpServletRequest req, HttpServletResponse resp,
String relayState) throws MOAIDException {
IEncoder binding = null;
@@ -205,7 +215,7 @@ public class SingleLogOutBuilder {
}
- public static LogoutRequest buildSLORequestMessage(SLOInformationImpl sloInfo) throws ConfigurationException, MOAIDException {
+ public LogoutRequest buildSLORequestMessage(SLOInformationImpl sloInfo) throws ConfigurationException, MOAIDException {
LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class);
SecureRandomIdentifierGenerator gen;
@@ -236,7 +246,7 @@ public class SingleLogOutBuilder {
//sign message
try {
- X509Credential idpSigningCredential = CredentialProvider.getIDPAssertionSigningCredential();
+ X509Credential idpSigningCredential = credentialProvider.getIDPAssertionSigningCredential();
Signature signer = SAML2Utils.createSAMLObject(Signature.class);
signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
@@ -265,7 +275,7 @@ public class SingleLogOutBuilder {
return sloReq;
}
- public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest, String firstLevelStatusCode) throws ConfigurationException, MOAIDException {
+ public LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest, String firstLevelStatusCode) throws ConfigurationException, MOAIDException {
LogoutResponse sloResp = buildBasicResponse(sloService, spRequest);
Status status = SAML2Utils.createSAMLObject(Status.class);
@@ -282,7 +292,7 @@ public class SingleLogOutBuilder {
return sloResp;
}
- public static LogoutResponse buildSLOResponseMessage(SingleLogoutService sloService, PVPTargetConfiguration spRequest, List<String> failedOAs) throws MOAIDException {
+ public LogoutResponse buildSLOResponseMessage(SingleLogoutService sloService, PVPTargetConfiguration spRequest, List<String> failedOAs) throws MOAIDException {
LogoutResponse sloResp = buildBasicResponse(sloService, spRequest);
Status status;
@@ -307,7 +317,7 @@ public class SingleLogOutBuilder {
}
- private static LogoutResponse buildBasicResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException {
+ private LogoutResponse buildBasicResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException {
LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class);
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
issuer.setValue(spRequest.getAuthURLWithOutSlash());
@@ -338,7 +348,7 @@ public class SingleLogOutBuilder {
}
- public static SingleLogoutService getRequestSLODescriptor(String entityID) throws NOSLOServiceDescriptorException {
+ public SingleLogoutService getRequestSLODescriptor(String entityID) throws NOSLOServiceDescriptorException {
try {
EntityDescriptor entity = MOAMetadataProvider.getInstance().getEntityDescriptor(entityID);
SSODescriptor spsso = entity.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
@@ -379,7 +389,7 @@ public class SingleLogOutBuilder {
}
- public static SingleLogoutService getResponseSLODescriptor(PVPTargetConfiguration spRequest) throws NoMetadataInformationException, NOSLOServiceDescriptorException {
+ public SingleLogoutService getResponseSLODescriptor(PVPTargetConfiguration spRequest) throws NoMetadataInformationException, NOSLOServiceDescriptorException {
MOARequest moaReq = (MOARequest) spRequest.getRequest();
EntityDescriptor metadata = moaReq.getEntityMetadata();
SSODescriptor ssodesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
@@ -415,4 +425,91 @@ public class SingleLogOutBuilder {
return sloService;
}
+ public void parseActiveOAs(SLOInformationContainer container,
+ List<OASessionStore> dbOAs, String removeOAID) {
+ if (container.getActiveBackChannelOAs() == null)
+ container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationImpl>());
+ if (container.getActiveFrontChannalOAs() == null)
+ container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationImpl>());
+
+
+ if (dbOAs != null) {
+ for (OASessionStore oa : dbOAs) {
+ if (!oa.getOaurlprefix().equals(removeOAID)) {
+
+ //Actually only PVP 2.1 support Single LogOut
+ if (PVP2XProtocol.PATH.equals(oa.getProtocolType())) {
+ SingleLogoutService sloDesc;
+ try {
+ sloDesc = getRequestSLODescriptor(oa.getOaurlprefix());
+
+ if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI))
+ container.getActiveBackChannelOAs().put(oa.getOaurlprefix(),
+ new SLOInformationImpl(
+ oa.getAuthURL(),
+ oa.getAssertionSessionID(),
+ oa.getUserNameID(),
+ oa.getUserNameIDFormat(),
+ oa.getProtocolType(),
+ sloDesc));
+
+ else
+ container.getActiveFrontChannalOAs().put(oa.getOaurlprefix(),
+ new SLOInformationImpl(
+ oa.getAuthURL(),
+ oa.getAssertionSessionID(),
+ oa.getUserNameID(),
+ oa.getUserNameIDFormat(),
+ oa.getProtocolType(),
+ sloDesc));
+
+ } catch (NOSLOServiceDescriptorException e) {
+ container.putFailedOA(oa.getOaurlprefix());
+
+ }
+
+ } else
+ container.putFailedOA(oa.getOaurlprefix());
+ }
+ }
+ }
+ }
+
+ /**
+ * @param dbIDPs
+ * @param value
+ */
+ public void parseActiveIDPs(SLOInformationContainer container,
+ List<InterfederationSessionStore> dbIDPs, String removeIDP) {
+ if (container.getActiveBackChannelOAs() == null)
+ container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationImpl>());
+ if (container.getActiveFrontChannalOAs() == null)
+ container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationImpl>());
+
+ if (dbIDPs != null) {
+ for (InterfederationSessionStore el : dbIDPs) {
+ if (!el.getIdpurlprefix().equals(removeIDP)) {
+
+ SingleLogoutService sloDesc;
+ try {
+ sloDesc = getRequestSLODescriptor(el.getIdpurlprefix());
+
+ container.getActiveFrontChannalOAs().put(el.getIdpurlprefix(),
+ new SLOInformationImpl(
+ el.getAuthURL(),
+ el.getSessionIndex(),
+ el.getUserNameID(),
+ NameID.TRANSIENT,
+ PVP2XProtocol.PATH,
+ sloDesc));
+
+ } catch (NOSLOServiceDescriptorException e) {
+ container.putFailedOA(el.getIdpurlprefix());
+
+ }
+ }
+ }
+ }
+ }
+
}
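Review bot: In parseActiveOAs the binding test `sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)` dereferences getBinding() first, so a descriptor that arrives without a Binding attribute would throw a NullPointerException out of the loop rather than being recorded via putFailedOA, because the catch only handles NOSLOServiceDescriptorException; the protocol check two lines above already uses the constant-first form and the binding test should too. The two SLOInformationImpl constructions in the if/else differ only in the target map, so building the object once and then choosing the map removes the duplicated argument list, as in the excerpt below. The Javadoc added above parseActiveIDPs names `dbIDPs` and a non-existent `value` but not `container` or `removeIDP`; its tags should read `@param container`, `@param dbIDPs`, `@param removeIDP`.
```java
// … unchanged: map initialisation, loop over dbOAs, removeOAID and protocol checks …
try {
    sloDesc = getRequestSLODescriptor(oa.getOaurlprefix());
    SLOInformationImpl sloInfo = new SLOInformationImpl(
            oa.getAuthURL(),
            oa.getAssertionSessionID(),
            oa.getUserNameID(),
            oa.getUserNameIDFormat(),
            oa.getProtocolType(),
            sloDesc);

    // constant first: a descriptor without a Binding attribute must not NPE here
    if (SAMLConstants.SAML2_SOAP11_BINDING_URI.equals(sloDesc.getBinding()))
        container.getActiveBackChannelOAs().put(oa.getOaurlprefix(), sloInfo);
    else
        container.getActiveFrontChannalOAs().put(oa.getOaurlprefix(), sloInfo);

} catch (NOSLOServiceDescriptorException e) {
    container.putFailedOA(oa.getOaurlprefix());
}
// … unchanged: non-PVP else branch, loop and method close, parseActiveIDPs …
```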
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
index 47d7a29b3..bbf395a6f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
@@ -22,8 +22,6 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.config;
-import iaik.x509.X509Certificate;
-
import java.io.IOException;
import java.net.URL;
import java.security.cert.CertificateException;
@@ -51,12 +49,11 @@ import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
-import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.MiscUtil;
+import iaik.x509.X509Certificate;
public class PVPConfiguration {
@@ -79,18 +76,6 @@ public class PVPConfiguration {
public static final String PVP_CONFIG_FILE = "pvp2config.properties";
- public static final String IDP_JAVAKEYSTORE = "idp.ks.file";
- public static final String IDP_KS_PASS = "idp.ks.kspassword";
-
- public static final String IDP_KEYALIASMETADATA = "idp.ks.metadata.alias";
- public static final String IDP_KEY_PASSMETADATA = "idp.ks.metadata.keypassword";
-
- public static final String IDP_KEYALIASASSERTION = "idp.ks.assertion.sign.alias";
- public static final String IDP_KEY_PASSASSERTION = "idp.ks.assertion.sign.keypassword";
-
- public static final String IDP_KEYALIASENCRYTPION = "sp.ks.assertion.encryption.alias";
- public static final String IDP_KEY_PASSENCRYTPION = "sp.ks.assertion.encryption.keypassword";
-
public static final String IDP_ISSUER_NAME = "servicename";
public static final String IDP_ORG_NAME = "name.short";
@@ -162,38 +147,6 @@ public class PVPConfiguration {
public String getIDPSSOMetadataService(String publicURLPrefix) throws ConfigurationException {
return publicURLPrefix + PVP2_METADATA;
}
-
- public String getIDPKeyStoreFilename() {
- return FileUtils.makeAbsoluteURL(props.getProperty(IDP_JAVAKEYSTORE), rootDir);
- }
-
- public String getIDPKeyStorePassword() {
- return props.getProperty(IDP_KS_PASS).trim();
- }
-
- public String getIDPKeyAliasMetadata() {
- return props.getProperty(IDP_KEYALIASMETADATA).trim();
- }
-
- public String getIDPKeyPasswordMetadata() {
- return props.getProperty(IDP_KEY_PASSMETADATA).trim();
- }
-
- public String getIDPKeyAliasAssertionSign() {
- return props.getProperty(IDP_KEYALIASASSERTION).trim();
- }
-
- public String getIDPKeyPasswordAssertionSign() {
- return props.getProperty(IDP_KEY_PASSASSERTION).trim();
- }
-
- public String getIDPKeyAliasAssertionEncryption() {
- return props.getProperty(IDP_KEYALIASASSERTION).trim();
- }
-
- public String getIDPKeyPasswordAssertionEncryption() {
- return props.getProperty(IDP_KEY_PASSASSERTION).trim();
- }
public String getIDPIssuerName() throws ConfigurationException {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java
new file mode 100644
index 000000000..e7df23d61
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java
@@ -0,0 +1,186 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.pvp2x.signer;
+
+import java.security.KeyStore;
+
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.x509.X509Credential;
+
+import at.gv.egovernment.moa.id.opemsaml.MOAKeyStoreX509CredentialAdapter;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.KeyStoreUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public abstract class AbstractCredentialProvider {
+
+ private static KeyStore keyStore = null;
+
+ /**
+ * Get a friendlyName for this keyStore implementation
+ * This friendlyName is used for logging
+ *
+ * @return keyStore friendlyName
+ */
+ public abstract String getFriendlyName();
+
+ /**
+ * Get KeyStore
+ *
+ * @return URL to the keyStore
+ */
+ public abstract String getKeyStoreFilePath();
+
+ /**
+ * Get keyStore password
+ *
+ * @return Password of the keyStore
+ */
+ public abstract String getKeyStorePassword();
+
+ /**
+ * Get alias of key for metadata signing
+ *
+ * @return key alias
+ */
+ public abstract String getMetadataKeyAlias();
+
+ /**
+ * Get password of key for metadata signing
+ *
+ * @return key password
+ */
+ public abstract String getMetadataKeyPassword();
+
+ /**
+ * Get alias of key for request/response signing
+ *
+ * @return key alias
+ */
+ public abstract String getSignatureKeyAlias();
+
+ /**
+ * Get password of key for request/response signing
+ *
+ * @return key password
+ */
+ public abstract String getSignatureKeyPassword();
+
+ /**
+ * Get alias of key for IDP response encryption
+ *
+ * @return key alias
+ */
+ public abstract String getEncryptionKeyAlias();
+
+ /**
+ * Get password of key for IDP response encryption
+ *
+ * @return key password
+ */
+ public abstract String getEncryptionKeyPassword();
+
+
+ public X509Credential getIDPMetaDataSigningCredential()
+ throws CredentialsNotAvailableException {
+ try {
+
+ if (keyStore == null)
+ keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(),
+ getKeyStorePassword());
+
+ MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
+ keyStore, getMetadataKeyAlias(), getMetadataKeyPassword().toCharArray());
+
+ credentials.setUsageType(UsageType.SIGNING);
+ if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) {
+ Logger.error(getFriendlyName() + " Metadata Signing credentials is not found or contains no PrivateKey.");
+ throw new CredentialsNotAvailableException(getFriendlyName() + " Assertion Signing credentials (Alias: "
+ + getMetadataKeyAlias() + ") is not found or contains no PrivateKey.", null);
+
+ }
+ return credentials;
+ } catch (Exception e) {
+ Logger.error("Failed to generate " + getFriendlyName() + " Metadata Signing credentials");
+ e.printStackTrace();
+ throw new CredentialsNotAvailableException(e.getMessage(), null);
+ }
+ }
+
+ public X509Credential getIDPAssertionSigningCredential()
+ throws CredentialsNotAvailableException {
+ try {
+ if (keyStore == null)
+ keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(),
+ getKeyStorePassword());
+
+ MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
+ keyStore, getSignatureKeyAlias(), getSignatureKeyPassword().toCharArray());
+
+ credentials.setUsageType(UsageType.SIGNING);
+ if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) {
+ Logger.error(getFriendlyName() + " Assertion Signing credentials is not found or contains no PrivateKey.");
+ throw new CredentialsNotAvailableException(getFriendlyName() + " Assertion Signing credentials (Alias: "
+ + getSignatureKeyAlias() + ") is not found or contains no PrivateKey.", null);
+
+ }
+
+ return (X509Credential) credentials;
+ } catch (Exception e) {
+ Logger.error("Failed to generate " + getFriendlyName() + " Assertion Signing credentials");
+ e.printStackTrace();
+ throw new CredentialsNotAvailableException(e.getMessage(), null);
+ }
+ }
+
+ public X509Credential getIDPAssertionEncryptionCredential()
+ throws CredentialsNotAvailableException {
+ try {
+ if (keyStore == null)
+ keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(),
+ getKeyStorePassword());
+
+ //if no encryption key is configured return null
+ if (MiscUtil.isEmpty(getEncryptionKeyAlias()))
+ return null;
+
+ MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
+ keyStore, getEncryptionKeyAlias(), getEncryptionKeyPassword().toCharArray());
+
+ credentials.setUsageType(UsageType.ENCRYPTION);
+
+ if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) {
+ Logger.error(getFriendlyName() + " Assertion Encryption credentials is not found or contains no PrivateKey.");
+ throw new CredentialsNotAvailableException(getFriendlyName() + " Assertion Encryption credentials (Alias: "
+ + getEncryptionKeyAlias() + ") is not found or contains no PrivateKey.", null);
+
+ }
+
+ return (X509Credential) credentials;
+ } catch (Exception e) {
+ Logger.error("Failed to generate " + getFriendlyName() + " Assertion Encryption credentials");
+ e.printStackTrace();
+ throw new CredentialsNotAvailableException(e.getMessage(), null);
+ }
+ }
+}
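Review bot: `private static KeyStore keyStore = null;` at the top of the class is one field shared by every subclass, so if more than one concrete provider is instantiated (the commit message says this base is now shared with the Service-Provider modules, and each subclass supplies its own getKeyStoreFilePath()), the first provider to run caches its keystore for all of them and the others resolve their aliases and key passwords against the wrong file; the check-then-assign in each method is also unsynchronised. Making the field an instance field and loading it through one synchronized helper, as below, fixes both. Separately, in getIDPMetaDataSigningCredential the log line says "Metadata Signing credentials" but the exception built right after it says "Assertion Signing credentials", evidently pasted from the next method, so its text should read `getFriendlyName() + " Metadata Signing credentials (Alias: "`. All three catch blocks call `e.printStackTrace()` beside Logger.error and rethrow with `e.getMessage()` only, which sends the trace to stderr and drops the cause from the exception; passing the throwable to the logger and dropping the stderr print keeps the diagnostic in one place.
```java
private KeyStore keyStore = null;  // per instance: each provider names its own keystore file

// Loads the keystore this provider is configured with on first use; synchronized so two
// concurrent first callers cannot both load it or observe a half-initialised field.
private synchronized KeyStore getKeyStore() throws Exception {  // narrow to what KeyStoreUtils.loadKeyStore declares
    if (keyStore == null) {
        keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(), getKeyStorePassword());
    }
    return keyStore;
}

public X509Credential getIDPMetaDataSigningCredential()
        throws CredentialsNotAvailableException {
    try {
        MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
                getKeyStore(), getMetadataKeyAlias(), getMetadataKeyPassword().toCharArray());
        // … unchanged: usage type, private-key check (with the corrected "Metadata Signing" text), return …
    } catch (Exception e) {
        // … unchanged apart from dropping printStackTrace …
    }
}
// … unchanged: getIDPAssertionSigningCredential and getIDPAssertionEncryptionCredential, each using getKeyStore() the same way …
```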
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
deleted file mode 100644
index d76e6c2f1..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java
+++ /dev/null
@@ -1,198 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-package at.gv.egovernment.moa.id.protocols.pvp2x.signer;
-
-import java.security.KeyStore;
-import java.security.PrivateKey;
-import java.security.interfaces.RSAPrivateKey;
-
-import org.opensaml.xml.security.credential.Credential;
-import org.opensaml.xml.security.credential.UsageType;
-import org.opensaml.xml.security.x509.BasicX509Credential;
-import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
-import org.opensaml.xml.security.x509.X509Credential;
-import org.opensaml.xml.signature.Signature;
-import org.opensaml.xml.signature.SignatureConstants;
-
-import at.gv.egovernment.moa.id.opemsaml.MOAKeyStoreX509CredentialAdapter;
-import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
-import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.KeyStoreUtils;
-import at.gv.egovernment.moa.util.MiscUtil;
-
-public class CredentialProvider {
-
- private static KeyStore keyStore = null;
-
- public static X509Credential getIDPMetaDataSigningCredential()
- throws CredentialsNotAvailableException {
- PVPConfiguration config = PVPConfiguration.getInstance();
- try {
-
- if (keyStore == null)
- keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(),
- config.getIDPKeyStorePassword());
-
- MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
- keyStore, config.getIDPKeyAliasMetadata(), config
- .getIDPKeyPasswordMetadata().toCharArray());
-
- credentials.setUsageType(UsageType.SIGNING);
- if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) {
- Logger.error("IDP Metadata Signing credentials is not found or contains no PrivateKey.");
- throw new CredentialsNotAvailableException("IDP Assertion Signing credentials (Alias: "
- + config.getIDPKeyAliasMetadata() + ") is not found or contains no PrivateKey.", null);
-
- }
- return credentials;
- } catch (Exception e) {
- Logger.error("Failed to generate IDP Metadata Signing credentials");
- e.printStackTrace();
- throw new CredentialsNotAvailableException(e.getMessage(), null);
- }
- }
-
- public static X509Credential getIDPAssertionSigningCredential()
- throws CredentialsNotAvailableException {
- PVPConfiguration config = PVPConfiguration.getInstance();
- try {
- if (keyStore == null)
- keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(),
- config.getIDPKeyStorePassword());
-
- MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
- keyStore, config.getIDPKeyAliasAssertionSign(), config
- .getIDPKeyPasswordAssertionSign().toCharArray());
-
- credentials.setUsageType(UsageType.SIGNING);
- if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) {
- Logger.error("IDP Assertion Signing credentials is not found or contains no PrivateKey.");
- throw new CredentialsNotAvailableException("IDP Assertion Signing credentials (Alias: "
- + config.getIDPKeyAliasAssertionSign() + ") is not found or contains no PrivateKey.", null);
-
- }
-
- return (X509Credential) credentials;
- } catch (Exception e) {
- Logger.error("Failed to generate IDP Assertion Signing credentials");
- e.printStackTrace();
- throw new CredentialsNotAvailableException(e.getMessage(), null);
- }
- }
-
- public static X509Credential getIDPAssertionEncryptionCredential()
- throws CredentialsNotAvailableException {
- PVPConfiguration config = PVPConfiguration.getInstance();
- try {
- if (keyStore == null)
- keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(),
- config.getIDPKeyStorePassword());
-
- //if no encryption key is configured return null
- if (MiscUtil.isEmpty(config.getIDPKeyAliasAssertionEncryption()))
- return null;
-
- MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
- keyStore, config.getIDPKeyAliasAssertionEncryption(), config
- .getIDPKeyPasswordAssertionEncryption().toCharArray());
-
- credentials.setUsageType(UsageType.ENCRYPTION);
-
- if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) {
- Logger.error("IDP Assertion Encryption credentials is not found or contains no PrivateKey.");
- throw new CredentialsNotAvailableException("IDP Assertion Encryption credentials (Alias: "
- + config.getIDPKeyAliasAssertionEncryption() + ") is not found or contains no PrivateKey.", null);
-
- }
-
- return (X509Credential) credentials;
- } catch (Exception e) {
- Logger.error("Failed to generate IDP Assertion Encryption credentials");
- e.printStackTrace();
- throw new CredentialsNotAvailableException(e.getMessage(), null);
- }
- }
-
- public static Signature getIDPSignature(Credential credentials) {
-
- PrivateKey privatekey = credentials.getPrivateKey();
-
- Signature signer = SAML2Utils.createSAMLObject(Signature.class);
-
- if (privatekey instanceof RSAPrivateKey) {
- signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
-
- } else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) {
- signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1);
-
- } else {
- Logger.warn("Could NOT evaluate the Private-Key type from PVP credential.");
-
- }
-
- signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
- signer.setSigningCredential(credentials);
- return signer;
-
- }
-
- public static Credential getSPTrustedCredential(String entityID)
- throws CredentialsNotAvailableException {
-
- iaik.x509.X509Certificate cert = PVPConfiguration.getInstance()
- .getTrustEntityCertificate(entityID);
-
- if (cert == null) {
- throw new CredentialsNotAvailableException("ServiceProvider Certificate can not be loaded from Database", null);
- }
-
- BasicX509Credential credential = new BasicX509Credential();
- credential.setEntityId(entityID);
- credential.setUsageType(UsageType.SIGNING);
- credential.setPublicKey(cert.getPublicKey());
-
- return credential;
- }
- /*
- * public static Credential getTrustedCredential() throws
- * CredentialsNotAvailableException { String filename =
- * PVPConfiguration.getInstance().getTrustEntityCertificate("sp.crt");
- *
- * iaik.x509.X509Certificate cert; try { cert = new X509Certificate(new
- * FileInputStream(new File(filename))); } catch (CertificateException e) {
- * e.printStackTrace(); throw new
- * CredentialsNotAvailableException(e.getMessage(), null); } catch
- * (FileNotFoundException e) { e.printStackTrace(); throw new
- * CredentialsNotAvailableException(e.getMessage(), null); } catch
- * (IOException e) { e.printStackTrace(); throw new
- * CredentialsNotAvailableException(e.getMessage(), null); }
- *
- * BasicX509Credential credential = new BasicX509Credential();
- * credential.setEntityId("sp.crt");
- * credential.setUsageType(UsageType.SIGNING);
- * credential.setPublicKey(cert.getPublicKey());
- *
- * return credential; }
- */
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java
new file mode 100644
index 000000000..8fb4ec3cf
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java
@@ -0,0 +1,150 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.signer;
+
+import java.util.Properties;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
+import at.gv.egovernment.moa.util.FileUtils;
+
+@Service("IDPCredentialProvider")
+public class IDPCredentialProvider extends AbstractCredentialProvider {
+ public static final String IDP_JAVAKEYSTORE = "idp.ks.file";
+ public static final String IDP_KS_PASS = "idp.ks.kspassword";
+
+ public static final String IDP_KEYALIASMETADATA = "idp.ks.metadata.alias";
+ public static final String IDP_KEY_PASSMETADATA = "idp.ks.metadata.keypassword";
+
+ public static final String IDP_KEYALIASASSERTION = "idp.ks.assertion.sign.alias";
+ public static final String IDP_KEY_PASSASSERTION = "idp.ks.assertion.sign.keypassword";
+
+ public static final String IDP_KEYALIASENCRYTPION = "sp.ks.assertion.encryption.alias";
+ public static final String IDP_KEY_PASSENCRYTPION = "sp.ks.assertion.encryption.keypassword";
+
+
+ private @Autowired AuthConfiguration authConfig;
+ private Properties props = null;
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStoreFilePath()
+ */
+ @Override
+ public String getKeyStoreFilePath() {
+ if (props == null)
+ props = authConfig.getGeneralPVP2ProperiesConfig();
+
+ return FileUtils.makeAbsoluteURL(
+ props.getProperty(IDP_JAVAKEYSTORE),
+ authConfig.getRootConfigFileDir());
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStorePassword()
+ */
+ @Override
+ public String getKeyStorePassword() {
+ if (props == null)
+ props = authConfig.getGeneralPVP2ProperiesConfig();
+
+ return props.getProperty(IDP_KS_PASS).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyAlias()
+ */
+ @Override
+ public String getMetadataKeyAlias() {
+ if (props == null)
+ props = authConfig.getGeneralPVP2ProperiesConfig();
+
+ return props.getProperty(IDP_KEYALIASMETADATA).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyPassword()
+ */
+ @Override
+ public String getMetadataKeyPassword() {
+ if (props == null)
+ props = authConfig.getGeneralPVP2ProperiesConfig();
+
+ return props.getProperty(IDP_KEY_PASSMETADATA).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyAlias()
+ */
+ @Override
+ public String getSignatureKeyAlias() {
+ if (props == null)
+ props = authConfig.getGeneralPVP2ProperiesConfig();
+
+ return props.getProperty(IDP_KEYALIASASSERTION).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyPassword()
+ */
+ @Override
+ public String getSignatureKeyPassword() {
+ if (props == null)
+ props = authConfig.getGeneralPVP2ProperiesConfig();
+
+ return props.getProperty(IDP_KEY_PASSASSERTION).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyAlias()
+ */
+ @Override
+ public String getEncryptionKeyAlias() {
+ if (props == null)
+ props = authConfig.getGeneralPVP2ProperiesConfig();
+
+ return props.getProperty(IDP_KEYALIASENCRYTPION).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyPassword()
+ */
+ @Override
+ public String getEncryptionKeyPassword() {
+ if (props == null)
+ props = authConfig.getGeneralPVP2ProperiesConfig();
+
+ return props.getProperty(IDP_KEYALIASENCRYTPION).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getCredentialName()
+ */
+ @Override
+ public String getFriendlyName() {
+ return "IDP";
+ }
+
+}
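Review bot: `getEncryptionKeyPassword()` reads the wrong property: it returns `props.getProperty(IDP_KEYALIASENCRYTPION).trim()`, i.e. the key alias, where `getEncryptionKeyAlias()` two methods above reads the same constant; the line should be `return props.getProperty(IDP_KEY_PASSENCRYTPION).trim();`, otherwise the encryption key can never be opened from the keystore. Every getter also calls `.trim()` directly on `props.getProperty(...)`, which throws a NullPointerException when the property is absent; for the encryption alias this defeats the "no encryption key configured → return null" path in the base class, because the NPE is raised before `MiscUtil.isEmpty(getEncryptionKeyAlias())` is evaluated and is then reported as a CredentialsNotAvailableException instead, so a guard such as `String alias = props.getProperty(IDP_KEYALIASENCRYTPION); return alias == null ? null : alias.trim();` is needed at least there. The constants `IDP_KEYALIASENCRYTPION`/`IDP_KEY_PASSENCRYTPION` carry an `sp.ks.` prefix while all other IDP constants use `idp.ks.`; this looks like a copy-and-paste from the SP provider and should be confirmed against the property file the IDP actually reads. The `(non-Javadoc)` stubs would be more useful as one-line Javadoc per getter naming the property key each one reads, e.g. `/** Returns the keystore password from property {@value #IDP_KS_PASS}. */`.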
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
index 69c760f19..4650327b4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
@@ -29,6 +29,8 @@ import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
@@ -37,9 +39,10 @@ import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -83,8 +86,7 @@ public class EntityVerifier {
throw new SAMLRequestNotSignedException(e);
}
- Credential credential = CredentialProvider
- .getSPTrustedCredential(entityDescriptor.getEntityID());
+ Credential credential = getSPTrustedCredential(entityDescriptor.getEntityID());
if (credential == null) {
throw new NoCredentialsException(entityDescriptor.getEntityID());
}
@@ -171,8 +173,7 @@ public class EntityVerifier {
+ " entryID is used to select the certificate to perform Metadata verification.");
}
- Credential credential = CredentialProvider
- .getSPTrustedCredential(entities.get(0).getEntityID());
+ Credential credential = getSPTrustedCredential(entities.get(0).getEntityID());
if (credential == null) {
throw new NoCredentialsException("moaID IDP");
@@ -188,5 +189,23 @@ public class EntityVerifier {
}
}
}
+
+ public static Credential getSPTrustedCredential(String entityID)
+ throws CredentialsNotAvailableException {
+
+ iaik.x509.X509Certificate cert = PVPConfiguration.getInstance()
+ .getTrustEntityCertificate(entityID);
+
+ if (cert == null) {
+ throw new CredentialsNotAvailableException("ServiceProvider Certificate can not be loaded from Database", null);
+ }
+
+ BasicX509Credential credential = new BasicX509Credential();
+ credential.setEntityId(entityID);
+ credential.setUsageType(UsageType.SIGNING);
+ credential.setPublicKey(cert.getPublicKey());
+
+ return credential;
+ }
}
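Review bot: The exception thrown when `getTrustEntityCertificate(entityID)` returns null does not include the entityID, so a failed lookup in the log cannot be tied to the service provider whose request or metadata was being verified; `throw new CredentialsNotAvailableException("ServiceProvider Certificate for entityID " + entityID + " can not be loaded from Database", null);` would make the two call sites above distinguishable. The moved method has no Javadoc; a short one would help since it is now public on EntityVerifier: "Builds a SIGNING-usage credential holding only the public key of the certificate registered in the configuration for the given entityID; throws CredentialsNotAvailableException if no certificate is registered." The returned BasicX509Credential carries the public key but not the certificate itself, so callers that later need chain or validity checks on the certificate cannot obtain it from this credential, which is worth stating in that Javadoc as well.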
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 812e27a36..cc7afa842 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -22,55 +22,34 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
-import java.util.ArrayList;
-import java.util.List;
-
import javax.xml.namespace.QName;
import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
-import org.joda.time.DateTime;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.common.xml.SAMLSchemaBuilder;
-import org.opensaml.saml2.core.Conditions;
-import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.RequestAbstractType;
-import org.opensaml.saml2.core.Response;
-import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusResponseType;
-import org.opensaml.saml2.encryption.Decrypter;
-import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
-import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
-import org.opensaml.xml.encryption.DecryptionException;
-import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
-import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
-import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
-import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -179,114 +158,114 @@ public class SAMLVerificationEngine {
}
}
- public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption {
- try {
- if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
- List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
-
- List<String> allowedPublicURLPrefix =
- AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
- boolean isValidDestination = false;
- for (String allowedPreFix : allowedPublicURLPrefix) {
- if (validateDestination && samlResp.getDestination().startsWith(
- allowedPreFix)) {
- isValidDestination = true;
- break;
-
- }
- }
- if (!isValidDestination) {
- Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
- throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);
-
- }
-
- //check encrypted Assertion
- List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions();
- if (encryAssertionList != null && encryAssertionList.size() > 0) {
- //decrypt assertions
-
- Logger.debug("Found encryped assertion. Start decryption ...");
-
- X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential();
-
- StaticKeyInfoCredentialResolver skicr =
- new StaticKeyInfoCredentialResolver(authDecCredential);
-
- ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
- encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
- encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
- encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
-
- Decrypter samlDecrypter =
- new Decrypter(null, skicr, encryptedKeyResolver);
-
- for (EncryptedAssertion encAssertion : encryAssertionList) {
- saml2assertions.add(samlDecrypter.decrypt(encAssertion));
-
- }
-
- Logger.debug("Assertion decryption finished. ");
-
- } else {
- saml2assertions.addAll(samlResp.getAssertions());
-
- }
-
- List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
- for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
-
- try {
- performSchemaValidation(saml2assertion.getDOM());
-
- Conditions conditions = saml2assertion.getConditions();
- DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
- DateTime notafter = conditions.getNotOnOrAfter();
- if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
- Logger.warn("PVP2 Assertion is out of Date. "
- + "{ Current : " + new DateTime()
- + " NotBefore: " + notbefore
- + " NotAfter : " + notafter
- + " }");;
-
- } else {
- validatedassertions.add(saml2assertion);
-
- }
-
- } catch (SchemaValidationException e) {
-
- }
- }
-
- if (validatedassertions.isEmpty()) {
- Logger.info("No valid PVP 2.1 assertion received.");
- throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null);
- }
-
- samlResp.getAssertions().clear();
- samlResp.getEncryptedAssertions().clear();
- samlResp.getAssertions().addAll(validatedassertions);
-
- } else {
- Logger.info("PVP 2.1 assertion includes an error. Receive errorcode "
- + samlResp.getStatus().getStatusCode().getValue());
- throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode "
- + samlResp.getStatus().getStatusCode().getValue(), null);
- }
-
- } catch (CredentialsNotAvailableException e) {
- Logger.warn("Assertion decrypt FAILED - No Credentials", e);
- throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e);
-
- } catch (DecryptionException e) {
- Logger.warn("Assertion decrypt FAILED.", e);
- throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e);
-
- } catch (ConfigurationException e) {
- throw new AssertionValidationExeption("pvp.12", null, e);
- }
- }
+// public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption {
+// try {
+// if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+// List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
+//
+// List<String> allowedPublicURLPrefix =
+// AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+// boolean isValidDestination = false;
+// for (String allowedPreFix : allowedPublicURLPrefix) {
+// if (validateDestination && samlResp.getDestination().startsWith(
+// allowedPreFix)) {
+// isValidDestination = true;
+// break;
+//
+// }
+// }
+// if (!isValidDestination) {
+// Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
+// throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);
+//
+// }
+//
+// //check encrypted Assertion
+// List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions();
+// if (encryAssertionList != null && encryAssertionList.size() > 0) {
+// //decrypt assertions
+//
+// Logger.debug("Found encryped assertion. Start decryption ...");
+//
+// X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential();
+//
+// StaticKeyInfoCredentialResolver skicr =
+// new StaticKeyInfoCredentialResolver(authDecCredential);
+//
+// ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+// encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
+// encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
+// encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
+//
+// Decrypter samlDecrypter =
+// new Decrypter(null, skicr, encryptedKeyResolver);
+//
+// for (EncryptedAssertion encAssertion : encryAssertionList) {
+// saml2assertions.add(samlDecrypter.decrypt(encAssertion));
+//
+// }
+//
+// Logger.debug("Assertion decryption finished. ");
+//
+// } else {
+// saml2assertions.addAll(samlResp.getAssertions());
+//
+// }
+//
+// List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
+// for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
+//
+// try {
+// performSchemaValidation(saml2assertion.getDOM());
+//
+// Conditions conditions = saml2assertion.getConditions();
+// DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
+// DateTime notafter = conditions.getNotOnOrAfter();
+// if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
+// Logger.warn("PVP2 Assertion is out of Date. "
+// + "{ Current : " + new DateTime()
+// + " NotBefore: " + notbefore
+// + " NotAfter : " + notafter
+// + " }");;
+//
+// } else {
+// validatedassertions.add(saml2assertion);
+//
+// }
+//
+// } catch (SchemaValidationException e) {
+//
+// }
+// }
+//
+// if (validatedassertions.isEmpty()) {
+// Logger.info("No valid PVP 2.1 assertion received.");
+// throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null);
+// }
+//
+// samlResp.getAssertions().clear();
+// samlResp.getEncryptedAssertions().clear();
+// samlResp.getAssertions().addAll(validatedassertions);
+//
+// } else {
+// Logger.info("PVP 2.1 assertion includes an error. Receive errorcode "
+// + samlResp.getStatus().getStatusCode().getValue());
+// throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode "
+// + samlResp.getStatus().getStatusCode().getValue(), null);
+// }
+//
+// } catch (CredentialsNotAvailableException e) {
+// Logger.warn("Assertion decrypt FAILED - No Credentials", e);
+// throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e);
+//
+// } catch (DecryptionException e) {
+// Logger.warn("Assertion decrypt FAILED.", e);
+// throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e);
+//
+// } catch (ConfigurationException e) {
+// throw new AssertionValidationExeption("pvp.12", null, e);
+// }
+// }
private static void performSchemaValidation(Element source) throws SchemaValidationException {