@PVP2

--also allow a EntityDescriptor element as root element in metadata files --some adjustments in the PVP Assertion to make it SAML2 standard compliant @MOA-ID-Auth --improve SZR-Gateway client error handling
author: Thomas Lenz <tlenz@iaik.tugraz.at> 2013-12-11 15:43:02 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2013-12-11 15:43:02 +0100
commit: c582412bc8d1ffcd9a2428b69fa7e4e8fb1f3c4f (patch)
tree: 36f68cf49fb8a5226cc0619fdb7bbf87a629e2eb /id/server/idserverlib/src/main/java/at/gv
parent: 9b3f7876fe480698d2da970b0b1ca6de0874ec48 (diff)
download: moa-id-spss-c582412bc8d1ffcd9a2428b69fa7e4e8fb1f3c4f.tar.gz
moa-id-spss-c582412bc8d1ffcd9a2428b69fa7e4e8fb1f3c4f.tar.bz2
moa-id-spss-c582412bc8d1ffcd9a2428b69fa7e4e8fb1f3c4f.zip
8 files changed, 91 insertions, 52 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 96fdbef02..014a9ec03 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -1695,37 +1695,36 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	   * @param signature XMLDSIG signature
 	   * @return Identity link assertion
 	 * @throws SZRGWClientException 
+	 * @throws ConfigurationException 
 	   */
-	     public CreateIdentityLinkResponse getIdentityLink(String PEPSIdentifier, String PEPSFirstname, String PEPSFamilyname, String PEPSDateOfBirth, Element signature) throws SZRGWClientException {
+	     public CreateIdentityLinkResponse getIdentityLink(String PEPSIdentifier, String PEPSFirstname, String PEPSFamilyname, String PEPSDateOfBirth, Element signature) throws SZRGWClientException, ConfigurationException {
 
 		    SZRGWClient client = new SZRGWClient();
 		 
-		    try {
-		    	AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
-		    	ConnectionParameter connectionParameters = authConf.getForeignIDConnectionParameter();
-
-		    	client.setAddress(connectionParameters.getUrl());
-		    	if (connectionParameters.getUrl().toLowerCase().startsWith("https:")) {
-		    		Logger.debug("Initialisiere SSL Verbindung");
-		    		try {
-		    			client.setSSLSocketFactory(SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters));
-		    		} catch (IOException e) {
-		    			Logger.error("Could not initialize SSL Factory", e);
-		    			throw new SZRGWClientException("Could not initialize SSL Factory");
-		    		} catch (GeneralSecurityException e) {
-		    			Logger.error("Could not initialize SSL Factory", e);
-		    			throw new SZRGWClientException("Could not initialize SSL Factory");
-		    		} catch (PKIException e) {
-		    			Logger.error("Could not initialize SSL Factory", e);
-		    			throw new SZRGWClientException("Could not initialize SSL Factory");
-		    		} 
-		    	}
+		   	AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
+		   	ConnectionParameter connectionParameters = authConf.getForeignIDConnectionParameter();
+
+		   	client.setAddress(connectionParameters.getUrl());
+		   	if (connectionParameters.getUrl().toLowerCase().startsWith("https:")) {
+		   		Logger.debug("Initialisiere SSL Verbindung");
+		   		try {
+		   			client.setSSLSocketFactory(SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters));
+		   			
+		   		} catch (IOException e) {
+		   			Logger.error("Could not initialize SSL Factory", e);
+		   			throw new SZRGWClientException("Could not initialize SSL Factory");
+		   			
+		   		} catch (GeneralSecurityException e) {
+		   			Logger.error("Could not initialize SSL Factory", e);
+		   			throw new SZRGWClientException("Could not initialize SSL Factory");
+		   			
+		    	} catch (PKIException e) {
+		    		Logger.error("Could not initialize SSL Factory", e);
+		    		throw new SZRGWClientException("Could not initialize SSL Factory");
+		    	} 
+		   	}
+		   		
 		    	Logger.info("Starte Kommunikation mit dem Stammzahlenregister Gateway(" + connectionParameters.getUrl() + ")...");
-		    }
-		    catch (ConfigurationException e) {
-		    	Logger.warn(e);
-		    	Logger.warn(MOAIDMessageProvider.getInstance().getMessage("config.12", null ));
-		    }
 		    
 		    // create request
 		    CreateIdentityLinkResponse response = null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
index 98ef78d53..eaa6ac1ae 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
@@ -32,16 +32,16 @@ public class GenerateIFrameTemplateServlet extends AuthServlet {
 	private static final long serialVersionUID = 1L;
 
 	public void init(ServletConfig servletConfig) throws ServletException {
-		    try {
+//		    try {
 		      super.init(servletConfig);
-		      MOAIDAuthInitializer.initialize();
-		      Logger.debug("default platform file.encoding: " + System.getProperty("file.encoding"));
-		      Logger.info(MOAIDMessageProvider.getInstance().getMessage("init.00", null));
-		    }
-		    catch (Exception ex) {
-		      Logger.fatal(MOAIDMessageProvider.getInstance().getMessage("init.02", null), ex);
-		      throw new ServletException(ex);
-		    }
+//		      MOAIDAuthInitializer.initialize();
+//		      Logger.debug("default platform file.encoding: " + System.getProperty("file.encoding"));
+//		      Logger.info(MOAIDMessageProvider.getInstance().getMessage("init.00", null));
+//		    }
+//		    catch (Exception ex) {
+//		      Logger.fatal(MOAIDMessageProvider.getInstance().getMessage("init.02", null), ex);
+//		      throw new ServletException(ex);
+//		    }
 		  }
 	  
 	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
index 9c72cfff2..ff8265ac3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
@@ -101,15 +101,15 @@ public class LogOutServlet extends AuthServlet {
    * @see javax.servlet.Servlet#init(ServletConfig)
    */
   public void init(ServletConfig servletConfig) throws ServletException {
-  	try {
+//  	try {
       super.init(servletConfig);
-      MOAIDAuthInitializer.initialize();
-  		Logger.info(MOAIDMessageProvider.getInstance().getMessage("init.00", null));
-  	}
-  	catch (Exception ex) {
-  		Logger.fatal(MOAIDMessageProvider.getInstance().getMessage("init.02", null), ex);
-  		throw new ServletException(ex);
-  	}
+//      MOAIDAuthInitializer.initialize();
+//  		Logger.info(MOAIDMessageProvider.getInstance().getMessage("init.00", null));
+//  	}
+//  	catch (Exception ex) {
+//  		Logger.fatal(MOAIDMessageProvider.getInstance().getMessage("init.02", null), ex);
+//  		throw new ServletException(ex);
+//  	}
   }  
 
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
index a87e9a8c0..c0626e84a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
@@ -35,6 +35,7 @@ import at.gv.egovernment.moa.id.auth.exception.ParseException;
 import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
 import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentityLinkResponse;
 import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Constants;
 import at.gv.egovernment.moa.util.DateTimeUtils;
@@ -348,9 +349,14 @@ public class STORKResponseProcessor {
 		} catch (SZRGWClientException e) {
 			Logger.error("Error connecting SZR-Gateway: ", e);
 			throw new STORKException("Error connecting SZR-Gateway: ", e);
+			
 		} catch (ParseException e) {
 			Logger.error("Error parsing IdentityLink received from SZR-Gateway: ", e);
 			throw new STORKException("Error parsing IdentityLink received from SZR-Gateway: ", e);
+			
+		} catch (ConfigurationException e) {
+			Logger.error("Error connecting SZR-Gateway: ", e);
+			throw new STORKException("Error connecting SZR-Gateway: ", e);
 		}
     		    	
     	return identityLink;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index 9c2797c36..3654ae424 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -417,15 +417,17 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
 
   public synchronized void reloadDataBaseConfig() throws ConfigurationException {
 		
-		Logger.info("Read MOA-ID 2.0 configuration from database.");
+		Logger.info("Read MOA-ID 2.x configuration from database.");
 		moaidconfig = ConfigurationDBRead.getMOAIDConfiguration();
-		Logger.info("MOA-ID 2.0 is loaded.");
 		
 		if (moaidconfig == null) {
 			Logger.warn("NO MOA-ID configuration found.");
 			throw new ConfigurationException("config.18", null);
 		}
-						
+
+		Logger.debug("MOA-ID 2.x configuration is loaded from database.");
+		Logger.info("MOA-ID 2.x starts initialization process ...");
+		
 		//build STORK Config	
 		AuthComponentGeneral auth = getAuthComponentGeneral();
 		
@@ -778,6 +780,9 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
  * @throws ConfigurationException 
    */
   public ConnectionParameter getForeignIDConnectionParameter() throws ConfigurationException {
+	  if (ForeignIDConnectionParameter == null)
+		  throw new ConfigurationException("config.20", null);
+	  
 	  return ForeignIDConnectionParameter;
   }
   
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 5e8206739..f21567245 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -21,6 +21,7 @@ import org.opensaml.saml2.core.RequestedAuthnContext;
 import org.opensaml.saml2.core.Subject;
 import org.opensaml.saml2.core.SubjectConfirmation;
 import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
 import org.opensaml.saml2.metadata.AttributeConsumingService;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.NameIDFormat;
@@ -42,6 +43,7 @@ import at.gv.egovernment.moa.id.data.AuthenticationData;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoAuthContextException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
@@ -293,7 +295,16 @@ public class PVP2AssertionBuilder implements PVPConstants {
 				.createSAMLObject(SubjectConfirmationData.class);
 		subjectConfirmationData.setInResponseTo(authnRequest.getID());
 		subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(20));
-		subjectConfirmationData.setRecipient(peerEntity.getEntityID());
+		
+		//TL: change from entityID to destination URL 
+		AssertionConsumerService consumerService = spSSODescriptor
+				.getAssertionConsumerServices().get(idx);
+
+		if (consumerService == null) {
+			throw new InvalidAssertionConsumerServiceException(idx);
+		}
+		
+		subjectConfirmationData.setRecipient(consumerService.getLocation());
 
 		subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
 
@@ -303,7 +314,7 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		AudienceRestriction audienceRestriction = SAML2Utils
 				.createSAMLObject(AudienceRestriction.class);
 		Audience audience = SAML2Utils.createSAMLObject(Audience.class);
-
+		
 		audience.setAudienceURI(peerEntity.getEntityID());
 		audienceRestriction.getAudiences().add(audience);
 		conditions.setNotBefore(new DateTime());
@@ -316,8 +327,12 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		assertion.setConditions(conditions);
 
 		Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
-		issuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
+		
+		//TODO: check!
+		//change to entity value from entity name to IDP EntityID (URL)
+		issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
 		issuer.setFormat(NameID.ENTITY);
+		
 		assertion.setIssuer(issuer);
 		assertion.setSubject(subject);
 		assertion.setID(SAML2Utils.getSecureIdentifier());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index 1d494c512..fec21df9e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -1,8 +1,11 @@
 package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler;
 
+import java.util.Date;
+
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.joda.time.DateTime;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.core.Assertion;
 import org.opensaml.saml2.core.AuthnRequest;
@@ -51,10 +54,19 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 
 
 		Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
-		nissuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
+		
+		//TODO: check!
+		//change to entity value from entity name to IDP EntityID (URL)
+		nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+		//nissuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
 		nissuer.setFormat(NameID.ENTITY);
+		
 		authResponse.setIssuer(nissuer);
 		authResponse.setInResponseTo(authnRequest.getID());
+		
+		//SAML2 response required IssueInstant
+		authResponse.setIssueInstant(new DateTime());
+		
 		authResponse.getAssertions().add(assertion);
 		authResponse.setStatus(SAML2Utils.getSuccessStatus());
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
index e9d41b7ee..e85d87aa3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
@@ -91,10 +91,12 @@ public class MetadataSignatureFilter implements MetadataFilter {
 					throw new MOAIDException("Root element of metadata file has to be signed", null);
 				}
 				processEntitiesDescriptor(entitiesDescriptor);
-			} /*else if (metadata instanceof EntityDescriptor) {
+				
+			} else if (metadata instanceof EntityDescriptor) {
 				EntityDescriptor entityDescriptor = (EntityDescriptor) metadata;
 				processEntityDescriptorr(entityDescriptor);
-			} */else {
+				
+			} else {
 				throw new MOAIDException("Invalid Metadata file Root element is no EntitiesDescriptor", null);
 			}
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2013-12-11 15:43:02 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2013-12-11 15:43:02 +0100
commit	c582412bc8d1ffcd9a2428b69fa7e4e8fb1f3c4f (patch)
tree	36f68cf49fb8a5226cc0619fdb7bbf87a629e2eb /id/server/idserverlib/src/main/java/at/gv
parent	9b3f7876fe480698d2da970b0b1ca6de0874ec48 (diff)
download	moa-id-spss-c582412bc8d1ffcd9a2428b69fa7e4e8fb1f3c4f.tar.gz moa-id-spss-c582412bc8d1ffcd9a2428b69fa7e4e8fb1f3c4f.tar.bz2 moa-id-spss-c582412bc8d1ffcd9a2428b69fa7e4e8fb1f3c4f.zip