aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at
diff options
context:
space:
mode:
authorkstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>2011-10-06 19:15:53 +0000
committerkstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>2011-10-06 19:15:53 +0000
commit77c3560745fcba9e3975472dd77cb928924fb35f (patch)
treeee75d828e3eccf084c9518ed97055dca9ee86e44 /id/server/idserverlib/src/main/java/at
parentddd1125b3d9570dec334bd2965ec5a9387585906 (diff)
downloadmoa-id-spss-77c3560745fcba9e3975472dd77cb928924fb35f.tar.gz
moa-id-spss-77c3560745fcba9e3975472dd77cb928924fb35f.tar.bz2
moa-id-spss-77c3560745fcba9e3975472dd77cb928924fb35f.zip
MOA-ID:
- Fixed Bug #556 (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=556&group_id=6&atid=105) - Update Einbindung Online-Vollmachten (Vor Auswahl der Vollmacht werden die Signaturdaten signiert) - Update Transformationen (für Online-Vollmachten) - Änderung der Konfiguration für Online-Vollmachten (keine Templates mehr für Online-Vollmachten; Attribute provideMandatorDate in OA-Konfiguration) - sampleTemplates in Standard-Konfiguration gelöscht - Update der Standard-Konfigurationen MOA-SPSS: - Library aktualisiert: Axis - Version 1.0_IAIK (gepatchte Variante von Axis 1.0 zur Vermeidung von XXE Attacken) - axis-1.0_IAIK.jar zu repository hinzugefügt git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1217 d688527b-c9ab-4aba-bd8d-4036d912da1d
Diffstat (limited to 'id/server/idserverlib/src/main/java/at')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java432
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java47
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java123
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java173
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java68
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java24
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java111
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java30
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java19
11 files changed, 669 insertions, 370 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 94fd4f28e..9e15e04dd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -550,7 +550,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
// now validate the extended infoboxes
verifyInfoboxes(session, infoboxReadResponseParameters, !oaParam.getProvideStammzahl());
- return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam, false);
+ return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam);
}
@@ -571,7 +571,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
* the BKU including the <code>&lt;InfoboxReadResponse&gt;</code>
* @return String representation of the <code>&lt;CreateXMLSignatureRequest&gt;</code>
*/
- public String verifyMandate(String sessionID, MISMandate mandate)
+ public void verifyMandate(String sessionID, MISMandate mandate)
throws
AuthenticationException,
BuildException,
@@ -591,28 +591,25 @@ public class AuthenticationServer implements MOAIDAuthConstants {
AuthenticationSession session = getSession(sessionID);
- AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
-
-
OAAuthParameter oaParam =
AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
session.getPublicOAURLPrefix());
- try {
- // set extended SAML attributes
- setExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService());
- } catch (SAXException e) {
- throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e);
- } catch (IOException e) {
- throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e);
- } catch (ParserConfigurationException e) {
- throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e);
- } catch (TransformerException e) {
- throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e);
+ if (oaParam.getProvideFullMandatorData()) {
+ try {
+ // set extended SAML attributes if provideMandatorData is true
+ setExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService());
+ } catch (SAXException e) {
+ throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e);
+ } catch (IOException e) {
+ throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e);
+ } catch (ParserConfigurationException e) {
+ throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e);
+ } catch (TransformerException e) {
+ throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e);
+ }
}
-
-
- return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam, true);
+
}
/**
@@ -625,7 +622,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
* @throws BuildException
* @throws ValidateException
*/
- public String getCreateXMLSignatureRequestAuthBlockOrRedirect(AuthenticationSession session, AuthConfigurationProvider authConf, OAAuthParameter oaParam, boolean fromMandate)
+ public String getCreateXMLSignatureRequestAuthBlockOrRedirect(AuthenticationSession session, AuthConfigurationProvider authConf, OAAuthParameter oaParam)
throws
ConfigurationException,
BuildException,
@@ -638,7 +635,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
if (oaParam==null) oaParam = AuthConfigurationProvider.getInstance().
getOnlineApplicationParameter(session.getPublicOAURLPrefix());
- if (!fromMandate) {
+// if (!fromMandate) {
//BZ.., calculate bPK for signing to be already present in AuthBlock
IdentityLink identityLink = session.getIdentityLink();
if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
@@ -649,11 +646,11 @@ public class AuthenticationServer implements MOAIDAuthConstants {
identityLink.setIdentificationValue(bpkBase64);
}
//..BZ
- }
+// }
// builds the AUTH-block
- String authBlock = buildAuthenticationBlock(session, fromMandate);
+ String authBlock = buildAuthenticationBlock(session);
// session.setAuthBlock(authBlock);
// builds the <CreateXMLSignatureRequest>
@@ -837,7 +834,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
* @throws BuildException If an error occurs on serializing an extended SAML attribute
* to be appended to the AUTH-Block.
*/
- private String buildAuthenticationBlock(AuthenticationSession session, boolean fromMandate) throws BuildException {
+ private String buildAuthenticationBlock(AuthenticationSession session) throws BuildException {
IdentityLink identityLink = session.getIdentityLink();
String issuer = identityLink.getName();
String gebDat = identityLink.getDateOfBirth();
@@ -862,8 +859,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
oaURL,
gebDat,
extendedSAMLAttributes,
- session,
- fromMandate);
+ session);
return authBlock;
}
@@ -949,7 +945,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
throw new ValidateException("validator.43", new Object[] {friendlyName});
}
// set compatibility mode for mandates infobox and all infoboxes (it is possible to be a parep infobox)
- session.setMandateCompatibilityMode(ParepConfiguration.isMandateCompatibilityMode(verifyInfoboxParameter.getApplicationSpecificParams()));
+ //session.setMandateCompatibilityMode(ParepConfiguration.isMandateCompatibilityMode(verifyInfoboxParameter.getApplicationSpecificParams()));
// check for party representation in mandates infobox
if (Constants.INFOBOXIDENTIFIER_MANDATES.equalsIgnoreCase(identifier) && !((infoboxTokenList == null || infoboxTokenList.size() == 0))){
//We need app specific parameters
@@ -1187,6 +1183,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
Vector extendedSamlAttributes = new Vector();
+
extendedSamlAttributes.clear();
//extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_RAW, mandate, SZRGWConstants.MANDATE_NS, ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
@@ -1404,72 +1401,189 @@ public class AuthenticationServer implements MOAIDAuthConstants {
}
- // Exchange person data information by a mandate if needed
- boolean mandateMode = session.getUseMandate();
+ // builds authentication data and stores it together with a SAML artifact
+ AuthenticationData authData = buildAuthenticationData(session, vsresp);
- List oaAttributes = session.getExtendedSAMLAttributesOA();
- IdentityLink replacementIdentityLink = null;
+ if (session.getUseMandate()) {
+ // mandate mode
+ return null;
+ }
+ else {
+
+ String samlAssertion =
+ new AuthenticationDataAssertionBuilder().build(
+ authData,
+ session.getAssertionPrPerson(),
+ session.getAssertionAuthBlock(),
+ session.getAssertionIlAssertion(),
+ session.getBkuURL(),
+ session.getAssertionSignerCertificateBase64(),
+ session.getAssertionBusinessService(),
+ session.getExtendedSAMLAttributesOA());
+ authData.setSamlAssertion(samlAssertion);
+
+ String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile");
+ if (!ParepUtils.isEmpty(assertionFile))
+ try {
+ ParepUtils.saveStringToFile(samlAssertion, new File(assertionFile));
+ } catch (IOException e) {
+ throw new BuildException(
+ "builder.00",
+ new Object[] { "AuthenticationData", e.toString()},
+ e);
+ }
+
+ String samlArtifact =
+ new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID());
+ storeAuthenticationData(samlArtifact, authData);
+
+ // invalidates the authentication session
+ sessionStore.remove(sessionID);
+ Logger.info(
+ "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact);
+ return samlArtifact;
+
+ }
+
+
+
+
+ }
+
+ /**
+ * Processes a <code>&lt;CreateXMLSignatureResponse&gt;</code> sent by the
+ * security layer implementation.<br>
+ * <ul>
+ * <li>Validates given <code>&lt;CreateXMLSignatureResponse&gt;</code></li>
+ * <li>Parses <code>&lt;CreateXMLSignatureResponse&gt;</code> for error codes</li>
+ * <li>Parses authentication block enclosed in
+ * <code>&lt;CreateXMLSignatureResponse&gt;</code></li>
+ * <li>Verifies authentication block by calling the MOA SP component</li>
+ * <li>Creates authentication data</li>
+ * <li>Creates a corresponding SAML artifact</li>
+ * <li>Stores authentication data in the authentication data store
+ * indexed by the SAML artifact</li>
+ * <li>Deletes authentication session</li>
+ * <li>Returns the SAML artifact, encoded BASE64</li>
+ * </ul>
+ *
+ * @param sessionID session ID of the running authentication session
+ * @param xmlCreateXMLSignatureReadResponse String representation of the
+ * <code>&lt;CreateXMLSignatureResponse&gt;</code>
+ * @return SAML artifact needed for retrieving authentication data, encoded BASE64
+ */
+ public String verifyAuthenticationBlockMandate(
+ String sessionID,
+ Element mandate)
+ throws
+ AuthenticationException,
+ BuildException,
+ ParseException,
+ ConfigurationException,
+ ServiceException,
+ ValidateException {
+
+ if (isEmpty(sessionID))
+ throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID});
+ AuthenticationSession session = getSession(sessionID);
+ //AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
-// if (mandateMode) {
-// Iterator it = oaAttributes.iterator();
-// //ExtendedSAMLAttribute samlAttribute = (ExtendedSAMLAttribute)it.next();
-// Element mandate = session.getMandateElem();
-// replacementIdentityLink = new IdentityLink();
-// Element mandator = ParepUtils.extractMandator(mandate);
-// String dateOfBirth = "";
-// Element prPerson = null;
-// String familyName = "";
-// String givenName = "";
-// String identificationType = "";
-// String identificationValue = "";
-// if (mandator != null) {
-// boolean physical = ParepUtils.isPhysicalPerson(mandator);
-// if (physical) {
-// familyName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:FamilyName/text()");
-// givenName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:GivenName/text()");
-// dateOfBirth = ParepUtils.extractMandatorDateOfBirth(mandator);
-// } else {
-// familyName = ParepUtils.extractMandatorFullName(mandator);
-// }
-// identificationType = ParepUtils.getIdentification(mandator, "Type");
-// identificationValue = ParepUtils.extractMandatorWbpk(mandator);
-// prPerson = ParepUtils.extractPrPersonOfMandate(mandate);
-// if (physical && session.getBusinessService() && identificationType!=null && Constants.URN_PREFIX_BASEID.equals(identificationType)) {
-// // now we calculate the wbPK and do so if we got it from the BKU
-// identificationType = Constants.URN_PREFIX_WBPK + "+" + session.getDomainIdentifier();
-// identificationValue = new BPKBuilder().buildWBPK(identificationValue, session.getDomainIdentifier());
-// ParepUtils.HideStammZahlen(prPerson, true, null, null, true);
-// }
-//
-//
-// replacementIdentityLink.setDateOfBirth(dateOfBirth);
-// replacementIdentityLink.setFamilyName(familyName);
-// replacementIdentityLink.setGivenName(givenName);
-// replacementIdentityLink.setIdentificationType(identificationType);
-// replacementIdentityLink.setIdentificationValue(identificationValue);
-// replacementIdentityLink.setPrPerson(prPerson);
-// try {
-// replacementIdentityLink.setSamlAssertion(session.getIdentityLink().getSamlAssertion());
-// } catch (Exception e) {
-// throw new ValidateException("validator.64", null);
-// }
-//
-// }
-//
-// }
+
+ IdentityLink tempIdentityLink = null;
+
+ if (session.getUseMandate()) {
+ tempIdentityLink = new IdentityLink();
+ Element mandator = ParepUtils.extractMandator(mandate);
+ String dateOfBirth = "";
+ Element prPerson = null;
+ String familyName = "";
+ String givenName = "";
+ String identificationType = "";
+ String identificationValue = "";
+ if (mandator != null) {
+ boolean physical = ParepUtils.isPhysicalPerson(mandator);
+ if (physical) {
+ familyName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:FamilyName/text()");
+ givenName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:GivenName/text()");
+ dateOfBirth = ParepUtils.extractMandatorDateOfBirth(mandator);
+ } else {
+ familyName = ParepUtils.extractMandatorFullName(mandator);
+ }
+ identificationType = ParepUtils.getIdentification(mandator, "Type");
+ identificationValue = ParepUtils.extractMandatorWbpk(mandator);
+ prPerson = ParepUtils.extractPrPersonOfMandate(mandate);
+ if (physical && session.getBusinessService() && identificationType!=null && Constants.URN_PREFIX_BASEID.equals(identificationType)) {
+ // now we calculate the wbPK and do so if we got it from the BKU
+ identificationType = Constants.URN_PREFIX_WBPK + "+" + session.getDomainIdentifier();
+ identificationValue = new BPKBuilder().buildWBPK(identificationValue, session.getDomainIdentifier());
+ ParepUtils.HideStammZahlen(prPerson, true, null, null, true);
+ }
+
+
+ tempIdentityLink.setDateOfBirth(dateOfBirth);
+ tempIdentityLink.setFamilyName(familyName);
+ tempIdentityLink.setGivenName(givenName);
+ tempIdentityLink.setIdentificationType(identificationType);
+ tempIdentityLink.setIdentificationValue(identificationValue);
+ tempIdentityLink.setPrPerson(prPerson);
+ try {
+ tempIdentityLink.setSamlAssertion(session.getIdentityLink().getSamlAssertion());
+ } catch (Exception e) {
+ throw new ValidateException("validator.64", null);
+ }
+
+ }
+
+ }
// builds authentication data and stores it together with a SAML artifact
- AuthenticationData authData = buildAuthenticationData(session, vsresp, replacementIdentityLink);
- String samlArtifact =
- new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID());
- storeAuthenticationData(samlArtifact, authData);
+ AuthenticationData authData = session.getAssertionAuthData(); //buildAuthenticationData(session, vsresp, replacementIdentityLink);
- // invalidates the authentication session
- sessionStore.remove(sessionID);
- Logger.info(
- "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact);
- return samlArtifact;
+ Element mandatePerson = tempIdentityLink.getPrPerson();
+ String mandateData = null;
+ try {
+ mandateData = DOMUtils.serializeNode(mandatePerson);
+ } catch (TransformerException e1) {
+ throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID});
+ } catch (IOException e1) {
+ throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID});
+ }
+
+ String samlAssertion =
+ new AuthenticationDataAssertionBuilder().buildMandate(
+ authData,
+ session.getAssertionPrPerson(),
+ mandateData,
+ session.getAssertionAuthBlock(),
+ session.getAssertionIlAssertion(),
+ session.getBkuURL(),
+ session.getAssertionSignerCertificateBase64(),
+ session.getAssertionBusinessService(),
+ session.getExtendedSAMLAttributesOA());
+ authData.setSamlAssertion(samlAssertion);
+
+ String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile");
+ if (!ParepUtils.isEmpty(assertionFile))
+ try {
+ ParepUtils.saveStringToFile(samlAssertion, new File(assertionFile));
+ } catch (IOException e) {
+ throw new BuildException(
+ "builder.00",
+ new Object[] { "AuthenticationData", e.toString()},
+ e);
+ }
+
+ String samlArtifact =
+ new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID());
+ storeAuthenticationData(samlArtifact, authData);
+
+ // invalidates the authentication session
+ sessionStore.remove(sessionID);
+ Logger.info(
+ "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact);
+ return samlArtifact;
+
}
/**
@@ -1540,79 +1654,45 @@ public class AuthenticationServer implements MOAIDAuthConstants {
}
}
- // Exchange person data information by a mandate if needed
- List oaAttributes = session.getExtendedSAMLAttributesOA();
- IdentityLink replacementIdentityLink = null;
- if (session.isMandateCompatibilityMode() && oaAttributes != null && oaAttributes.size()>0) {
- // look if we have a mandate
- boolean foundMandate = false;
- Iterator it = oaAttributes.iterator();
- while (!foundMandate && it.hasNext()) {
- ExtendedSAMLAttribute samlAttribute = (ExtendedSAMLAttribute)it.next();
- if (ParepValidator.EXT_SAML_MANDATE_RAW.equals(samlAttribute.getName())) {
- Object value = samlAttribute.getValue();
- if (value instanceof Element) {
- Element mandate = (Element) value;
- replacementIdentityLink = new IdentityLink();
- Element mandator = ParepUtils.extractMandator(mandate);
- String dateOfBirth = "";
- Element prPerson = null;
- String familyName = "";
- String givenName = "";
- String identificationType = "";
- String identificationValue = "";
- if (mandator != null) {
- boolean physical = ParepUtils.isPhysicalPerson(mandator);
- if (physical) {
- familyName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:FamilyName/text()");
- givenName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:GivenName/text()");
- dateOfBirth = ParepUtils.extractMandatorDateOfBirth(mandator);
- } else {
- familyName = ParepUtils.extractMandatorFullName(mandator);
- }
- identificationType = ParepUtils.getIdentification(mandator, "Type");
- identificationValue = ParepUtils.extractMandatorWbpk(mandator);
- prPerson = ParepUtils.extractPrPersonOfMandate(mandate);
- if (physical && session.getBusinessService() && identificationType!=null && Constants.URN_PREFIX_BASEID.equals(identificationType)) {
- // now we calculate the wbPK and do so if we got it from the BKU
- identificationType = Constants.URN_PREFIX_WBPK + "+" + session.getDomainIdentifier();
- identificationValue = new BPKBuilder().buildWBPK(identificationValue, session.getDomainIdentifier());
- ParepUtils.HideStammZahlen(prPerson, true, null, null, true);
- }
-
- }
- replacementIdentityLink.setDateOfBirth(dateOfBirth);
- replacementIdentityLink.setFamilyName(familyName);
- replacementIdentityLink.setGivenName(givenName);
- replacementIdentityLink.setIdentificationType(identificationType);
- replacementIdentityLink.setIdentificationValue(identificationValue);
- replacementIdentityLink.setPrPerson(prPerson);
- try {
- replacementIdentityLink.setSamlAssertion(session.getIdentityLink().getSamlAssertion());
- } catch (Exception e) {
- throw new ValidateException("validator.64", null);
- }
- } else {
- Logger.info("The type of Mandate SAML-Attribute is not \"org.w3c.dom.Element\"");
- throw new ValidateException("validator.64", null);
- }
- }
- }
- }
-
VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponse();
X509Certificate cert = session.getForeignSignerCertificate();
vsresp.setX509certificate(cert);
- AuthenticationData authData = buildAuthenticationData(session, vsresp, replacementIdentityLink);
- String samlArtifact =
- new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID());
- storeAuthenticationData(samlArtifact, authData);
-
- // invalidates the authentication session
- sessionStore.remove(sessionID);
- Logger.info(
- "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact);
- return samlArtifact;
+ AuthenticationData authData = buildAuthenticationData(session, vsresp);
+
+
+ String samlAssertion =
+ new AuthenticationDataAssertionBuilder().build(
+ authData,
+ session.getAssertionPrPerson(),
+ session.getAssertionAuthBlock(),
+ session.getAssertionIlAssertion(),
+ session.getBkuURL(),
+ session.getAssertionSignerCertificateBase64(),
+ session.getAssertionBusinessService(),
+ session.getExtendedSAMLAttributesOA());
+ authData.setSamlAssertion(samlAssertion);
+
+ String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile");
+ if (!ParepUtils.isEmpty(assertionFile))
+ try {
+ ParepUtils.saveStringToFile(samlAssertion, new File(assertionFile));
+ } catch (IOException e) {
+ throw new BuildException(
+ "builder.00",
+ new Object[] { "AuthenticationData", e.toString()},
+ e);
+ }
+
+ String samlArtifact =
+ new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID());
+ storeAuthenticationData(samlArtifact, authData);
+
+ // invalidates the authentication session
+ sessionStore.remove(sessionID);
+ Logger.info(
+ "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact);
+
+ return samlArtifact;
}
/**
@@ -1626,18 +1706,10 @@ public class AuthenticationServer implements MOAIDAuthConstants {
*/
private AuthenticationData buildAuthenticationData(
AuthenticationSession session,
- VerifyXMLSignatureResponse verifyXMLSigResp,
- IdentityLink replacementIdentityLink)
+ VerifyXMLSignatureResponse verifyXMLSigResp)
throws ConfigurationException, BuildException {
- IdentityLink identityLink;
- if (replacementIdentityLink == null) {
- identityLink = session.getIdentityLink();
- } else {
- // We have got data form a mandate we need now to use to stay compatible with applications
- identityLink = replacementIdentityLink;
- }
-
+ IdentityLink identityLink = session.getIdentityLink();
AuthenticationData authData = new AuthenticationData();
OAAuthParameter oaParam =
AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
@@ -1661,6 +1733,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
authData.setIdentificationValue(identityLink.getIdentificationValue());
}
String prPerson = new PersonDataBuilder().build(identityLink, provideStammzahl);
+
try {
String signerCertificateBase64 = "";
if (oaParam.getProvideCertifcate()) {
@@ -1696,22 +1769,17 @@ public class AuthenticationServer implements MOAIDAuthConstants {
ilAssertion = StringUtils.replaceAll(ilAssertion, identityLink.getIdentificationValue(), "");
}
String authBlock = oaParam.getProvideAuthBlock() ? session.getAuthBlock() : "";
- String samlAssertion =
- new AuthenticationDataAssertionBuilder().build(
- authData,
- prPerson,
- authBlock,
- ilAssertion,
- session.getBkuURL(),
- signerCertificateBase64,
- businessService,
- session.getExtendedSAMLAttributesOA());
- authData.setSamlAssertion(samlAssertion);
- String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile");
- if (!ParepUtils.isEmpty(assertionFile)) ParepUtils.saveStringToFile(samlAssertion, new File(assertionFile)); //Ex: "c:/saml_assertion.xml"
-
+ session.setAssertionAuthBlock(authBlock);
+ session.setAssertionAuthData(authData);
+ session.setAssertionBusinessService(businessService);
+ session.setAssertionIlAssertion(ilAssertion);
+ session.setAssertionPrPerson(prPerson);
+ session.setAssertionSignerCertificateBase64(signerCertificateBase64);
+
return authData;
+
+
} catch (Throwable ex) {
throw new BuildException(
"builder.00",
@@ -1735,7 +1803,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
}
AuthenticationData authData = null;
synchronized (authenticationDataStore) {
- System.out.println("assertionHandle: " + assertionHandle);
+ //System.out.println("assertionHandle: " + assertionHandle);
authData = (AuthenticationData) authenticationDataStore.get(assertionHandle);
if (authData == null) {
Logger.error("Assertion not found for SAML Artifact: " + samlArtifact);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index d48054e4b..35c4244c6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -49,6 +49,7 @@ import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
@@ -154,15 +155,14 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
String oaURL,
String gebDat,
List extendedSAMLAttributes,
- AuthenticationSession session,
- boolean fromMandate)
+ AuthenticationSession session)
throws BuildException
{
session.setSAMLAttributeGebeORwbpk(true);
String gebeORwbpk = "";
String wbpkNSDeclaration = "";
- //BZ.., reading OA parameters
+ //reading OA parameters
OAAuthParameter oaParam;
try {
oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
@@ -171,7 +171,6 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
Logger.error("Error on building AUTH-Block: " + e.getMessage());
throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
}
- //..BZ
if (target == null) {
@@ -181,12 +180,11 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
- //BZ.., adding type of wbPK domain identifier
+ //adding type of wbPK domain identifier
ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute =
new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute);
- //..BZ
} else {
// We do not have a wbPK, therefore no SAML-Attribute is provided
@@ -194,13 +192,11 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
}
} else {
// OA is a govermental application
- //BZ..
String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
//gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" });
- //..BZ
- //BZ.., no business service, adding bPK
+ //no business service, adding bPK
Element bpkSamlValueElement;
try {
@@ -213,34 +209,41 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
// String s = xmlToString(bpkSamlValueElement);
// System.out.println("bpkSamlValueElement: " + s);
-
- if (!fromMandate) {
- ExtendedSAMLAttribute bpkAttribute =
- new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-
- //System.out.println("extendedSAMLAttributes: " + extendedSAMLAttributes.size());
-
- extendedSAMLAttributes.add(bpkAttribute);
- }
+ ExtendedSAMLAttribute bpkAttribute =
+ new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+ extendedSAMLAttributes.add(bpkAttribute);
+
+ boolean useMandate = session.getUseMandate();
+ if (useMandate) {
+ String mandateReferenceValue = Random.nextRandom();
+ // remove leading "-"
+ if (mandateReferenceValue.startsWith("-"))
+ mandateReferenceValue = mandateReferenceValue.substring(1);
+
+ session.setMandateReferenceValue(mandateReferenceValue);
+
+ ExtendedSAMLAttribute mandateReferenceValueAttribute =
+ new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
+
+ extendedSAMLAttributes.add(mandateReferenceValueAttribute);
+ }
//gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
- //..BZ
}
- //BZ.., adding friendly name of OA
+ //adding friendly name of OA
String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName();
ExtendedSAMLAttribute oaFriendlyNameAttribute =
new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
extendedSAMLAttributes.add(oaFriendlyNameAttribute);
- //..BZ
String assertion;
- try {
+ try {
assertion = MessageFormat.format(
AUTH_BLOCK, new Object[] {
wbpkNSDeclaration,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java
index 640c60e49..367116c73 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java
@@ -74,6 +74,40 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB
"{12}" +
" </saml:AttributeStatement>" + NL +
"</saml:Assertion>";
+
+ /**
+ * XML template for the <code>&lt;saml:Assertion&gt;</code> to be built
+ */
+ private static final String AUTH_DATA_MANDATE =
+ "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>" + NL +
+ "<saml:Assertion xmlns:saml=''" + SAML_NS_URI + "'' xmlns:pr=''" + PD_NS_URI + "'' xmlns:xsi=''" + XSI_NS_URI + "''" +
+ " xmlns:si=''" + XSI_NS_URI + "''" +
+ " MajorVersion=''1'' MinorVersion=''0'' AssertionID=''{0}'' Issuer=''{1}'' IssueInstant=''{2}''>" + NL +
+ " <saml:AttributeStatement>" + NL +
+ " <saml:Subject>" + NL +
+ " <saml:NameIdentifier NameQualifier=''{3}''>{4}</saml:NameIdentifier>" + NL +
+ " <saml:SubjectConfirmation>" + NL +
+ " <saml:ConfirmationMethod>" + MOA_NS_URI + "cm</saml:ConfirmationMethod>" + NL +
+ " <saml:SubjectConfirmationData>{5}{6}</saml:SubjectConfirmationData>" + NL +
+ " </saml:SubjectConfirmation>" + NL +
+ " </saml:Subject>" + NL +
+ " <saml:Attribute AttributeName=''PersonData'' AttributeNamespace=''" + PD_NS_URI + "''>" + NL +
+ " <saml:AttributeValue>{7}</saml:AttributeValue>" + NL +
+ " </saml:Attribute>" + NL +
+ " <saml:Attribute AttributeName=''MandateData'' AttributeNamespace=''" + PD_NS_URI + "''>" + NL +
+ " <saml:AttributeValue>{8}</saml:AttributeValue>" + NL +
+ " </saml:Attribute>" + NL +
+ " <saml:Attribute AttributeName=''isQualifiedCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
+ " <saml:AttributeValue>{9}</saml:AttributeValue>" + NL +
+ " </saml:Attribute>" + NL +
+ " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL +
+ " <saml:AttributeValue>{10}</saml:AttributeValue>" + NL +
+ " </saml:Attribute>" + NL +
+ "{11}" +
+ "{12}" +
+ "{13}" +
+ " </saml:AttributeStatement>" + NL +
+ "</saml:Assertion>";
/**
* XML template for the <code>&lt;saml:Attribute&gt;</code> named <code>"isPublicAuthority"</code>,
* to be inserted into the <code>&lt;saml:Assertion&gt;</code>
@@ -181,5 +215,94 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB
}
return assertion;
}
+
+ /**
+ * Builds the authentication data <code>&lt;saml:Assertion&gt;</code>.
+ *
+ * @param authData the <code>AuthenticationData</code> to build the
+ * <code>&lt;saml:Assertion&gt;</code> from
+ * @param xmlPersonData <code>lt;pr:Person&gt;</code> element as a String
+ * @param xmlAuthBlock authentication block to be included in a
+ * <code>lt;saml:SubjectConfirmationData&gt;</code> element; may include
+ * the <code>"Stammzahl"</code> or not; may be empty
+ * @param xmlIdentityLink the IdentityLink
+ * @param signerCertificateBase64 Base64 encoded certificate of the signer. Maybe
+ * an empty string if the signer certificate should not be provided.
+ * Will be ignored if the <code>businessService</code> parameter is
+ * set to <code>false</code>.
+ * @param businessService <code>true</code> if the online application is a
+ * business service, otherwise <code>false</code>
+ * @return the <code>&lt;saml:Assertion&gt;</code>
+ * @throws BuildException if an error occurs during the build process
+ */
+ public String buildMandate(
+ AuthenticationData authData,
+ String xmlPersonData,
+ String xmlMandateData,
+ String xmlAuthBlock,
+ String xmlIdentityLink,
+ String bkuURL,
+ String signerCertificateBase64,
+ boolean businessService,
+ List extendedSAMLAttributes)
+ throws BuildException
+ {
+
+ String isQualifiedCertificate = authData.isQualifiedCertificate() ? "true" : "false";
+ String publicAuthorityAttribute = "";
+ if (authData.isPublicAuthority()) {
+ String publicAuthorityIdentification = authData.getPublicAuthorityCode();
+ if (publicAuthorityIdentification == null)
+ publicAuthorityIdentification = "True";
+ publicAuthorityAttribute = MessageFormat.format(
+ PUBLIC_AUTHORITY_ATT, new Object[] { publicAuthorityIdentification });
+ }
+
+
+ String signerCertificateAttribute = "";
+ if (signerCertificateBase64 != "") {
+ signerCertificateAttribute = MessageFormat.format(
+ SIGNER_CERTIFICATE_ATT, new Object[] { signerCertificateBase64 });
+ }
+
+ String pkType;
+ String pkValue;
+ if (businessService) {
+ pkType = authData.getIdentificationType();
+ pkValue = authData.getWBPK();
+
+ } else {
+ // <saml:NameIdentifier NameQualifier> always has the bPK as type/value
+ pkType = URN_PREFIX_BPK;
+ pkValue = authData.getBPK();
+ }
+
+// System.out.println("pkType; " + pkType);
+// System.out.println("pkValue; " + pkValue);
+
+ String assertion;
+ try {
+
+ assertion = MessageFormat.format(AUTH_DATA_MANDATE, new Object[] {
+ authData.getAssertionID(),
+ authData.getIssuer(),
+ authData.getIssueInstant(),
+ pkType,
+ pkValue,
+ StringUtils.removeXMLDeclaration(xmlAuthBlock),
+ StringUtils.removeXMLDeclaration(xmlIdentityLink),
+ StringUtils.removeXMLDeclaration(xmlPersonData),
+ StringUtils.removeXMLDeclaration(xmlMandateData),
+ isQualifiedCertificate,
+ bkuURL,
+ publicAuthorityAttribute,
+ signerCertificateAttribute,
+ buildExtendedSAMLAttributes(extendedSAMLAttributes)});
+ } catch (ParseException e) {
+ Logger.error("Error on building Authentication Data Assertion: " + e.getMessage());
+ throw new BuildException("builder.00", new Object[] { "Authentication Data Assertion", e.toString()});
+ }
+ return assertion;
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java
index 556b0cb6a..41e4cd37d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java
@@ -74,8 +74,8 @@ public class SAMLArtifactBuilder {
// alternative sourceId
String alternativeSourceID = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter(GENERIC_CONFIG_PARAM_SOURCEID);
- System.out.println("alternativeSourceID: " + alternativeSourceID);
- System.out.println("authURL: " + authURL);
+ //System.out.println("alternativeSourceID: " + alternativeSourceID);
+ //System.out.println("authURL: " + authURL);
if (!ParepUtils.isEmpty(alternativeSourceID)) {
// if generic config parameter "AuthenticationServer.SourceID" is given, use that sourceID instead of authURL;
@@ -85,7 +85,7 @@ public class SAMLArtifactBuilder {
sourceID = md.digest(authURL.getBytes());
}
- System.out.println("sourceID: " + new String(sourceID));
+ //System.out.println("sourceID: " + new String(sourceID));
byte[] assertionHandle = md.digest(sessionID.getBytes());
ByteArrayOutputStream out = new ByteArrayOutputStream(42);
@@ -94,9 +94,9 @@ public class SAMLArtifactBuilder {
out.write(sourceID, 0, 20);
out.write(assertionHandle, 0, 20);
byte[] samlArtifact = out.toByteArray();
- System.out.println("samlArtifact: " + new String(samlArtifact));
+ //System.out.println("samlArtifact: " + new String(samlArtifact));
String samlArtifactBase64 = Base64Utils.encode(samlArtifact);
- System.out.println("samlArtifact Base64: " + samlArtifactBase64);
+ //System.out.println("samlArtifact Base64: " + samlArtifactBase64);
return samlArtifactBase64;
}
catch (Throwable ex) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
index bae95c2a6..61e4cd28b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
@@ -36,6 +36,7 @@ import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator;
import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
+import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
@@ -87,25 +88,41 @@ public class AuthenticationSession {
private boolean useMandate;
/**
- * Selected mandate
+ * Reference value for mandate
*/
- private Element mandateElem;
+ private String mandateReferenceValue;
/**
- * @return the mandateElem
- */
- public Element getMandateElem() {
- return mandateElem;
- }
-
- /**
- * @param mandateElem the mandateElem to set
- */
- public void setMandateElem(Element mandateElem) {
- this.mandateElem = mandateElem;
- }
-
- /**
+ * Authentication data for the assertion
+ */
+ private AuthenticationData assertionAuthData;
+
+ /**
+ * Persondata for the assertion
+ */
+ private String assertionPrPerson;
+
+ /**
+ * Authblock for the assertion
+ */
+ private String assertionAuthBlock;
+
+ /**
+ * Identitylink assertion for the (MOA) assertion
+ */
+ private String assertionIlAssertion;
+
+ /**
+ * Signer certificate (base64 encoded) for the assertion
+ */
+ private String assertionSignerCertificateBase64;
+
+ /**
+ * bussiness service for the assertion
+ */
+ boolean assertionBusinessService;
+
+ /**
* SessionID for MIS
*/
private String misSessionID;
@@ -176,14 +193,7 @@ public class AuthenticationSession {
*/
private String pushInfobox;
- /**
- * AppSpecificConfiguration entry of then mandates infobox-validator. Tells
- * whether person data from the representative have to be exchanged by data
- * from the mandate
- */
- private boolean mandateCompatibilityMode = false;
-
-
+
/**
* Constructor for AuthenticationSession.
@@ -563,20 +573,6 @@ public class AuthenticationSession {
}
/**
- * @return the mandateCompatibilityMode
- */
- public boolean isMandateCompatibilityMode() {
- return mandateCompatibilityMode;
- }
-
- /**
- * @param mandateCompatibilityMode the mandateCompatibilityMode to set
- */
- public void setMandateCompatibilityMode(boolean mandateCompatibilityMode) {
- this.mandateCompatibilityMode = mandateCompatibilityMode;
- }
-
- /**
* Returns domain identifier (the register and number in the register parameter).
* <code>null</code> in the case of not a business service.
*
@@ -660,4 +656,105 @@ public class AuthenticationSession {
public String getMISSessionID() {
return this.misSessionID;
}
+
+ /**
+ * @return the assertionAuthData
+ */
+ public AuthenticationData getAssertionAuthData() {
+ return assertionAuthData;
+ }
+
+ /**
+ * @param assertionAuthData the assertionAuthData to set
+ */
+ public void setAssertionAuthData(AuthenticationData assertionAuthData) {
+ this.assertionAuthData = assertionAuthData;
+ }
+
+ /**
+ * @return the assertionPrPerson
+ */
+ public String getAssertionPrPerson() {
+ return assertionPrPerson;
+ }
+
+ /**
+ * @param assertionPrPerson the assertionPrPerson to set
+ */
+ public void setAssertionPrPerson(String assertionPrPerson) {
+ this.assertionPrPerson = assertionPrPerson;
+ }
+
+ /**
+ * @return the assertionAuthBlock
+ */
+ public String getAssertionAuthBlock() {
+ return assertionAuthBlock;
+ }
+
+ /**
+ * @param assertionAuthBlock the assertionAuthBlock to set
+ */
+ public void setAssertionAuthBlock(String assertionAuthBlock) {
+ this.assertionAuthBlock = assertionAuthBlock;
+ }
+
+ /**
+ * @return the assertionIlAssertion
+ */
+ public String getAssertionIlAssertion() {
+ return assertionIlAssertion;
+ }
+
+ /**
+ * @param assertionIlAssertion the assertionIlAssertion to set
+ */
+ public void setAssertionIlAssertion(String assertionIlAssertion) {
+ this.assertionIlAssertion = assertionIlAssertion;
+ }
+
+ /**
+ * @return the assertionSignerCertificateBase64
+ */
+ public String getAssertionSignerCertificateBase64() {
+ return assertionSignerCertificateBase64;
+ }
+
+ /**
+ * @param assertionSignerCertificateBase64 the assertionSignerCertificateBase64 to set
+ */
+ public void setAssertionSignerCertificateBase64(String assertionSignerCertificateBase64) {
+ this.assertionSignerCertificateBase64 = assertionSignerCertificateBase64;
+ }
+
+ /**
+ * @return the assertionBusinessService
+ */
+ public boolean getAssertionBusinessService() {
+ return assertionBusinessService;
+ }
+
+ /**
+ * @param assertionBusinessService the assertionBusinessService to set
+ */
+ public void setAssertionBusinessService(boolean assertionBusinessService) {
+ this.assertionBusinessService = assertionBusinessService;
+ }
+
+ /**
+ * @return the mandateReferenceValue
+ */
+ public String getMandateReferenceValue() {
+ return mandateReferenceValue;
+ }
+
+ /**
+ * @param mandateReferenceValue the mandateReferenceValue to set
+ */
+ public void setMandateReferenceValue(String mandateReferenceValue) {
+ this.mandateReferenceValue = mandateReferenceValue;
+ }
+
+
}
+
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
index b1ae12084..977784a6b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
@@ -27,7 +27,6 @@ package at.gv.egovernment.moa.id.auth.servlet;
import iaik.pki.PKIException;
import java.io.IOException;
-import java.io.PrintWriter;
import java.security.GeneralSecurityException;
import java.util.List;
@@ -38,16 +37,14 @@ import javax.servlet.http.HttpServletResponse;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.commons.lang.StringEscapeUtils;
-import org.w3c.dom.Document;
+import org.w3c.dom.Element;
import org.xml.sax.SAXException;
-import at.gv.egovernment.moa.id.BuildException;
import at.gv.egovernment.moa.id.MOAIDException;
import at.gv.egovernment.moa.id.auth.AuthenticationServer;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.WrongParametersException;
import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
-import at.gv.egovernment.moa.id.auth.builder.GetIdentityLinkFormBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.config.ConnectionParameter;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
@@ -58,6 +55,7 @@ import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient;
import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClientException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.URLEncoder;
/**
* Servlet requested for getting the foreign eID
@@ -139,8 +137,6 @@ public class GetMISSessionIDServlet extends AuthServlet {
String misSessionID = session.getMISSessionID();
- //System.out.println("MIS Session ID (GetMISServlet): " + misSessionID);
-
AuthConfigurationProvider authConf= AuthConfigurationProvider.getInstance();
ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter();
SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters);
@@ -158,31 +154,36 @@ public class GetMISSessionIDServlet extends AuthServlet {
// for now: list contains only one element
MISMandate mandate = (MISMandate)list.get(0);
-
+
// verify mandate signature
- String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyMandate(sessionID, mandate);
+ AuthenticationServer.getInstance().verifyMandate(sessionID, mandate);
byte[] byteMandate = mandate.getMandate();
String stringMandate = new String(byteMandate);
- Document mandateDoc = DOMUtils.parseDocument(stringMandate, false, null, null);
- session.setMandateElem(mandateDoc.getDocumentElement());
- //System.out.println("stringMandate: " + stringMandate);
+ Element mandateDoc = DOMUtils.parseDocument(stringMandate, false, null, null).getDocumentElement();
+ //session.setMandateElem(mandateDoc.getDocumentElement());
- String dataurl =
- new DataURLBuilder().buildDataURL(
- session.getAuthURL(),
- REQ_VERIFY_AUTH_BLOCK,
- session.getSessionID());
-
- Logger.debug(createXMLSignatureRequestOrRedirect);
-
- //String request = getHTMLForm(createXMLSignatureRequestOrRedirect, session.getBkuURL(), dataurl, session.getPublicOAURLPrefix());
- String request = null;
- resp.setContentType("text/html;charset=UTF-8");
- PrintWriter out = new PrintWriter(resp.getOutputStream());
- out.print(request);
- out.flush();
-
+ String redirectURL = null;
+ String samlArtifactBase64 =
+ AuthenticationServer.getInstance().verifyAuthenticationBlockMandate(sessionID, mandateDoc);
+
+
+ if (!samlArtifactBase64.equals("Redirect to Input Processor")) {
+ redirectURL = session.getOAURLRequested();
+ if (!session.getBusinessService()) {
+ redirectURL = addURLParameter(redirectURL, PARAM_TARGET, URLEncoder.encode(session.getTarget(), "UTF-8"));
+ }
+ redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8"));
+ redirectURL = resp.encodeRedirectURL(redirectURL);
+ } else {
+ redirectURL = new DataURLBuilder().buildDataURL(session.getAuthURL(), AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, session.getSessionID());
+ }
+ resp.setContentType("text/html");
+ resp.setStatus(302);
+
+ resp.addHeader("Location", redirectURL);
+ Logger.debug("REDIRECT TO: " + redirectURL);
+
}
catch (MOAIDException ex) {
@@ -198,6 +199,21 @@ public class GetMISSessionIDServlet extends AuthServlet {
} catch (ParserConfigurationException e) {
handleError(null, e, req, resp);
}
+ }
+
+ /**
+ * Adds a parameter to a URL.
+ * @param url the URL
+ * @param paramname parameter name
+ * @param paramvalue parameter value
+ * @return the URL with parameter added
+ */
+ private static String addURLParameter(String url, String paramname, String paramvalue) {
+ String param = paramname + "=" + paramvalue;
+ if (url.indexOf("?") < 0)
+ return url + "?" + param;
+ else
+ return url + "&" + param;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java
index 1dfc266a9..b5c57d5cf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java
@@ -175,7 +175,7 @@ public class ProcessValidatorInputServlet extends AuthServlet {
AuthenticationSession session = AuthenticationServer.getSession(sessionID);
AuthenticationServer.processInput(session, parameters);
- String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().getCreateXMLSignatureRequestAuthBlockOrRedirect(session, null, null, false);
+ String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().getCreateXMLSignatureRequestAuthBlockOrRedirect(session, null, null);
if (!createXMLSignatureRequestOrRedirect.startsWith("Redirect")) {
// Now sign the AUTH Block
String dataURL = new DataURLBuilder().buildDataURL(
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
index 5b9995709..f7f9d8fed 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
@@ -39,8 +39,10 @@ import at.gv.egovernment.moa.id.auth.AuthenticationServer;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.WrongParametersException;
import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilderCertificate;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.id.util.ServletUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.URLEncoder;
@@ -140,6 +142,28 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet {
AuthenticationSession session = AuthenticationServer.getSession(sessionID);
String samlArtifactBase64 =
AuthenticationServer.getInstance().verifyAuthenticationBlock(sessionID, createXMLSignatureResponse);
+
+ if (samlArtifactBase64 == null) {
+ //mandate Mode
+
+ Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
+
+ String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
+
+ // build dataurl
+ String dataurl =
+ new DataURLBuilder().buildDataURL(
+ session.getAuthURL(),
+ REQ_VERIFY_CERTIFICATE,
+ session.getSessionID());
+
+
+ //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)");
+ //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+ Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)");
+ ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+
+ }
if (!samlArtifactBase64.equals("Redirect to Input Processor")) {
redirectURL = session.getOAURLRequested();
if (!session.getBusinessService()) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
index c9f9491bb..181c46bf9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
@@ -150,7 +150,9 @@ public class VerifyCertificateServlet extends AuthServlet {
throw new AuthenticationException("auth.14", null);
}
- boolean useMandate = session.getUseMandate();
+ boolean useMandate = session.getUseMandate();
+
+
if (useMandate) {
// Mandate Modus
// make request to MIS
@@ -162,8 +164,6 @@ public class VerifyCertificateServlet extends AuthServlet {
// get identitity link as byte[]
Element elem = session.getIdentityLink().getSamlAssertion();
String s = DOMUtils.serializeNode(elem);
-// byte[] idl = DOMUtils.nodeToByteArray(elem);
-// String s = new String(idl);
byte[] idl = s.getBytes();
// redirect url
@@ -187,8 +187,10 @@ public class VerifyCertificateServlet extends AuthServlet {
for(int i = 0; i < profilesArray.length; i++) {
profilesArray[i] = profilesArray[i].trim();
}
-
- MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), redirectURL, profilesArray, sslFactory);
+
+ String oaFriendlyName = oaParam.getFriendlyName();
+ String mandateReferenceValue = session.getMandateReferenceValue();
+ MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), oaFriendlyName, redirectURL, mandateReferenceValue, profilesArray, sslFactory);
String redirectMISGUI = misSessionID.getRedirectURL();
if (misSessionID == null) {
@@ -236,21 +238,6 @@ public class VerifyCertificateServlet extends AuthServlet {
}
/**
- * Adds a parameter to a URL.
- * @param url the URL
- * @param paramname parameter name
- * @param paramvalue parameter value
- * @return the URL with parameter added
- */
- private static String addURLParameter(String url, String paramname, String paramvalue) {
- String param = paramname + "=" + paramvalue;
- if (url.indexOf("?") < 0)
- return url + "?" + param;
- else
- return url + "&" + param;
- }
-
- /**
* Does the request to the SZR-GW
* @param givenname
* @param familyname
@@ -312,50 +299,42 @@ public class VerifyCertificateServlet extends AuthServlet {
//
// }
- /**
- * Builds the szrgw:GetIdentityLinkRequest für the SZR-GW
- * @param givenname
- * @param familyname
- * @param birthday
- * @return
- */
- private static Document buildGetIdentityLinkRequest(X509Certificate cert) {
-
- try {
- byte[] certbyte = cert.getEncoded();
- String certstring = Base64.encode(certbyte);
-
- DocumentBuilderFactory factory =DocumentBuilderFactory.newInstance();
- factory.setNamespaceAware(true);
- DocumentBuilder builder = factory.newDocumentBuilder();
- Document doc = builder.newDocument();
-
- Element getIdentityLink = doc.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, "szrgw:GetIdentityLinkRequest");
- getIdentityLink.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:szrgw", SZRGWConstants.SZRGW_REQUEST_NS);
- doc.appendChild(getIdentityLink);
-
- Element x509certificate = doc.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, "szrgw:X509Certificate");
- getIdentityLink.appendChild(x509certificate);
- Text certbase64 = doc.createTextNode(certstring);
- x509certificate.appendChild(certbase64);
-
- return doc;
- } catch (ParserConfigurationException e) {
- e.printStackTrace();
- } catch (CertificateEncodingException e) {
- e.printStackTrace();
- }
- return null;
-
- }
-
- /**
- * Checks a parameter.
- * @param param parameter
- * @return true if the parameter is null or empty
- */
- private boolean isEmpty(String param) {
- return param == null || param.length() == 0;
- }
-
+// /**
+// * Builds the szrgw:GetIdentityLinkRequest für the SZR-GW
+// * @param givenname
+// * @param familyname
+// * @param birthday
+// * @return
+// */
+// private static Document buildGetIdentityLinkRequest(X509Certificate cert) {
+//
+// try {
+// byte[] certbyte = cert.getEncoded();
+// String certstring = Base64.encode(certbyte);
+//
+// DocumentBuilderFactory factory =DocumentBuilderFactory.newInstance();
+// factory.setNamespaceAware(true);
+// DocumentBuilder builder = factory.newDocumentBuilder();
+// Document doc = builder.newDocument();
+//
+// Element getIdentityLink = doc.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, "szrgw:GetIdentityLinkRequest");
+// getIdentityLink.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:szrgw", SZRGWConstants.SZRGW_REQUEST_NS);
+// doc.appendChild(getIdentityLink);
+//
+// Element x509certificate = doc.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, "szrgw:X509Certificate");
+// getIdentityLink.appendChild(x509certificate);
+// Text certbase64 = doc.createTextNode(certstring);
+// x509certificate.appendChild(certbase64);
+//
+// return doc;
+// } catch (ParserConfigurationException e) {
+// e.printStackTrace();
+// } catch (CertificateEncodingException e) {
+// e.printStackTrace();
+// }
+// return null;
+//
+// }
+//
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
index 99ae497ba..df5abe4f5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
@@ -171,33 +171,9 @@ public class VerifyIdentityLinkServlet extends AuthServlet {
}
}
-// else {
-// boolean useMandate = session.getUseMandate();
-// if (useMandate) { // Mandate modus
-// // read certificate and set dataurl to VerifyCertificateServlet
-//
-// Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
-//
-// String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
-//
-// // build dataurl
-// String dataurl =
-// new DataURLBuilder().buildDataURL(
-// session.getAuthURL(),
-// REQ_VERIFY_CERTIFICATE,
-// session.getSessionID());
-//
-//
-// //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)");
-// //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
-// Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)");
-// ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
-//
-// }
- else {
- ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink");
- }
-// }
+ else {
+ ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink");
+ }
}
catch (ParseException ex) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
index 3b8caca4c..60678fe22 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
@@ -56,6 +56,7 @@ import org.xml.sax.SAXNotSupportedException;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWSecureSocketFactory;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.StringUtils;
public class MISSimpleClient {
@@ -134,7 +135,7 @@ public class MISSimpleClient {
}
}
- public static MISSessionId sendSessionIdRequest(String webServiceURL, byte[] idl, byte[] cert, String redirectURL, String mandateIdentifier[], SSLSocketFactory sSLSocketFactory) throws MISSimpleClientException {
+ public static MISSessionId sendSessionIdRequest(String webServiceURL, byte[] idl, byte[] cert, String oaFriendlyName, String redirectURL, String referenceValue, String mandateIdentifier[], SSLSocketFactory sSLSocketFactory) throws MISSimpleClientException {
if (webServiceURL == null) {
throw new NullPointerException("Argument webServiceURL must not be null.");
}
@@ -165,10 +166,22 @@ public class MISSimpleClient {
//certElement.appendChild(doc.createTextNode(Base64.encodeBase64(cert)));
// certElement.appendChild(doc.createTextNode(new String(Base64.encodeBase64(cert))));
mirElement.appendChild(certElement);
- }
+ }
+
+ if (!StringUtils.isEmpty(oaFriendlyName)) {
+ Element oaFriendlyNameElement = doc.createElementNS(MIS_NS, "OAFriendlyName");
+ oaFriendlyNameElement.appendChild(doc.createTextNode(oaFriendlyName));
+ mirElement.appendChild(oaFriendlyNameElement);
+ }
+
Element redirectElement = doc.createElementNS(MIS_NS, "RedirectURL");
redirectElement.appendChild(doc.createTextNode(redirectURL));
- mirElement.appendChild(redirectElement);
+ mirElement.appendChild(redirectElement);
+
+ Element referenceValueElement = doc.createElementNS(MIS_NS, "ReferenceValue");
+ referenceValueElement.appendChild(doc.createTextNode(referenceValue));
+ mirElement.appendChild(referenceValueElement);
+
if (mandateIdentifier != null && mandateIdentifier.length > 0) {
Element filtersElement = doc.createElementNS(MIS_NS, "Filters");
Element mandateIdentifiersElement = doc.createElementNS(MIS_NS, "MandateIdentifiers");