aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2016-01-15 16:55:45 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-01-15 16:55:45 +0100
commit52cfe0524d896d65254f480bd975554be3f2cb14 (patch)
treec9a363dcc4bb668d0569191b54fc1e7fcaf6e080 /id/server/idserverlib/src/main/java
parent539018744865c4b10f689672f11f9ae0ddf65fef (diff)
parent52a855d948a6c3090b5d696774896deac95b621f (diff)
downloadmoa-id-spss-52cfe0524d896d65254f480bd975554be3f2cb14.tar.gz
moa-id-spss-52cfe0524d896d65254f480bd975554be3f2cb14.tar.bz2
moa-id-spss-52cfe0524d896d65254f480bd975554be3f2cb14.zip
Merge branch 'multiple_IDP_publicURLPrefixes' into moa-id-3.0.0-snapshot
Conflicts: id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
Diffstat (limited to 'id/server/idserverlib/src/main/java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java16
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java49
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java19
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java90
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java26
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java33
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java12
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java29
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java47
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java17
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java12
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java16
29 files changed, 355 insertions, 112 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
index 899b0fd15..d4350f97b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
@@ -95,6 +95,9 @@ public class DataURLBuilder {
// dataURL = individualDataURLPrefix + authServletName;
// } else
+ if (!authBaseURL.endsWith("/"))
+ authBaseURL += "/";
+
dataURL = authBaseURL + authServletName;
dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_SESSIONID, sessionID);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java
index 02aaac8cb..d14910319 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java
@@ -147,6 +147,9 @@ public class SendAssertionFormBuilder {
value = value.replace(ACTION, action);
value = value.replace(ID, id);
value = value.replace(OANAME, oaParam.getFriendlyName());
+
+ if (contextpath.endsWith("/"))
+ contextpath = contextpath.substring(0, contextpath.length() - 1);
value = value.replace(CONTEXTPATH, contextpath);
value = FormBuildUtils.customiceLayoutBKUSelection(value,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java
index 8429baf23..4a6ecd56a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java
@@ -152,8 +152,7 @@ public class CreateInterfedeartionRequestTask extends AbstractAuthServletTask {
authReq.setAssertionConsumerServiceIndex(0);
authReq.setIssueInstant(new DateTime());
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath();
- issuer.setValue(serviceURL);
+ issuer.setValue(pendingReq.getAuthURLWithOutSlash());
issuer.setFormat(NameIDType.ENTITY);
authReq.setIssuer(issuer);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
index 004961116..e659c9447 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
@@ -56,7 +56,8 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
String ccc,
String module,
String action,
- HttpServletRequest req) throws WrongParametersException, MOAIDException {
+ HttpServletRequest req,
+ IRequest protocolReq) throws WrongParametersException, MOAIDException {
String targetFriendlyName = null;
@@ -223,20 +224,15 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
throw new WrongParametersException("StartAuthentication",
PARAM_OA, "auth.05");
moasession.setOAURLRequested(oaURL);
-
+
//check AuthURL
- String authURL = req.getScheme() + "://" + req.getServerName();
- if ((req.getScheme().equalsIgnoreCase("https") && req.getServerPort()!=443) || (req.getScheme().equalsIgnoreCase("http") && req.getServerPort()!=80)) {
- authURL = authURL.concat(":" + req.getServerPort());
- }
- authURL = authURL.concat(req.getContextPath() + "/");
-
+ String authURL = protocolReq.getAuthURL();
if (!authURL.startsWith("https:") && !AuthConfigurationProviderFactory.getInstance().isHTTPAuthAllowed())
throw new AuthenticationException("auth.07",
new Object[] { authURL + "*" });
//set Auth URL from configuration
- moasession.setAuthURL(AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + "/");
+ moasession.setAuthURL(authURL);
//check and set SourceID
if (oaParam.getSAML1Parameter() != null) {
@@ -318,7 +314,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
oaURL = request.getOAURL();
target = request.getTarget();
- parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, modul, action, req);
+ parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, modul, action, req, request);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
index c1e084a59..53187088e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
@@ -60,6 +60,7 @@ import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
import at.gv.egovernment.moa.id.moduls.RequestStorage;
import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -85,14 +86,14 @@ public class LogOutServlet extends AuthServlet {
if (MiscUtil.isEmpty(redirectUrl)) {
//set default redirect Target
Logger.debug("Set default RedirectURL back to MOA-ID-Auth");
- redirectUrl = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ redirectUrl = HTTPUtils.extractAuthURLFromRequest(req);
} else {
//return an error if RedirectURL is not a active Online-Applikation
OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(redirectUrl);
if (oa == null) {
Logger.info("RedirctURL does not match to OA configuration. Set default RedirectURL back to MOA-ID-Auth");
- redirectUrl = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ redirectUrl = HTTPUtils.extractAuthURLFromRequest(req);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index 7dd8645c6..a914659b0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -36,6 +36,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.id.util.FormBuildUtils;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.URLEncoder;
@@ -64,8 +65,10 @@ public class RedirectServlet extends AuthServlet{
OAAuthParameter oa = null;
String redirectTarget = DEFAULT_REDIRECTTARGET;
try {
- oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url);
- if (oa == null && !url.startsWith(AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix())) {
+ oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url);
+ String authURL = HTTPUtils.extractAuthURLFromRequest(req);
+
+ if (oa == null && !AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().contains(authURL)) {
resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
return;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java
index c98a7d537..47abf78db 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java
@@ -81,7 +81,13 @@ public interface AuthConfiguration extends ConfigurationProvider{
public boolean isAdvancedLoggingActive();
- public String getPublicURLPrefix();
+ /**
+ * Returns the PublicURLPrefix.
+ *
+ * @return the PublicURLPrefix (one or more) of this IDP instance. All publicURLPrefix URLs are ends without /
+ * @throws ConfigurationException if no PublicURLPrefix is found.
+ */
+ public List<String> getPublicURLPrefix() throws ConfigurationException;
public boolean isPVP2AssertionEncryptionActive();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
index 645831479..d3c26cdbe 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
@@ -6,6 +6,7 @@ import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
+import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
@@ -23,6 +24,7 @@ import org.springframework.context.support.ClassPathXmlApplicationContext;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.commons.config.persistence.MOAIDConfiguration;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.ConfigurationProviderImpl;
import at.gv.egovernment.moa.id.config.ConfigurationUtils;
@@ -791,20 +793,47 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
return Boolean.valueOf(prop);
}
- /**
- * Returns the PublicURLPrefix. NOTE: returns {@code null} if no PublicURLPrefix is set.
- *
- * @return the PublicURLPrefix or {@code null}
- */
- public String getPublicURLPrefix() {
- try {
- return configuration.getStringValue(
- MOAIDConfigurationConstants.GENERAL_PUBLICURLPREFIX);
+ public List<String> getPublicURLPrefix() throws ConfigurationException{
+ try {
+ String publicURLPrefixList = configuration.getStringValue(
+ MOAIDConfigurationConstants.GENERAL_PUBLICURLPREFIX);
+ List<String> returnValues = new ArrayList<String>();
+ if (publicURLPrefixList != null) {
+ publicURLPrefixList = KeyValueUtils.normalizeCSVValueString(publicURLPrefixList);
+ List<String> publicURLPrefixArray = Arrays.asList(publicURLPrefixList.split(","));
+ Logger.trace("Found " + publicURLPrefixArray.size() + " PublicURLPrefix in configuration.");
+
+
+ for (String el : publicURLPrefixArray) {
+ try {
+ new URL(el);
+ if (el.endsWith("/"))
+ returnValues.add(el.substring(0, el.length()-1));
+ else
+ returnValues.add(el);
+
+ } catch (MalformedURLException e) {
+ Logger.warn("IDP PublicURLPrefix URL " + el + " is not a valid URL", e);
+ }
+ }
+ }
+
+ if (returnValues.size() > 0)
+ return returnValues;
+
+ else {
+ Logger.warn("MOA-ID PublicURLPrefix is not found in configuration.");
+ throw new ConfigurationException("config.08", new Object[]{"IDP PublicURLPrefix"});
+
+ }
+
} catch (at.gv.egiz.components.configuration.api.ConfigurationException e) {
Logger.warn("MOA-ID PublicURLPrefix can not be read from configuration.", e);
- return null;
+ throw new ConfigurationException("config.08", new Object[]{"IDP PublicURLPrefix"}, e);
+
}
+
}
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java
index d1e04e107..a4bba8b19 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java
@@ -75,6 +75,7 @@ public class SLOInformationContainer implements Serializable {
if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI))
activeBackChannelOAs.put(oa.getOaurlprefix(),
new SLOInformationImpl(
+ oa.getAuthURL(),
oa.getAssertionSessionID(),
oa.getUserNameID(),
oa.getUserNameIDFormat(),
@@ -84,6 +85,7 @@ public class SLOInformationContainer implements Serializable {
else
activeFrontChannalOAs.put(oa.getOaurlprefix(),
new SLOInformationImpl(
+ oa.getAuthURL(),
oa.getAssertionSessionID(),
oa.getUserNameID(),
oa.getUserNameIDFormat(),
@@ -123,6 +125,7 @@ public class SLOInformationContainer implements Serializable {
activeFrontChannalOAs.put(el.getIdpurlprefix(),
new SLOInformationImpl(
+ el.getAuthURL(),
el.getSessionIndex(),
el.getUserNameID(),
NameID.TRANSIENT,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java
index 55b213702..55a56056d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java
@@ -39,17 +39,23 @@ public class SLOInformationImpl implements SLOInformationInterface, Serializable
private String nameIDFormat = null;
private String binding = null;
private String serviceURL = null;
+ private String authURL = null;
- public SLOInformationImpl(String sessionID, String nameID, String nameIDFormat, String protocolType) {
- new SLOInformationImpl(sessionID, nameID, nameIDFormat, protocolType, null);
+ public SLOInformationImpl(String authURL, String sessionID, String nameID, String nameIDFormat, String protocolType) {
+ new SLOInformationImpl(authURL, sessionID, nameID, nameIDFormat, protocolType, null);
}
- public SLOInformationImpl(String sessionID, String nameID, String nameIDFormat, String protocolType, SingleLogoutService sloService) {
+ public SLOInformationImpl(String authURL, String sessionID, String nameID, String nameIDFormat, String protocolType, SingleLogoutService sloService) {
this.sessionIndex = sessionID;
this.nameID = nameID;
this.nameIDFormat = nameIDFormat;
this.protocolType = protocolType;
+ if (authURL.endsWith("/"))
+ this.authURL = authURL.substring(0, authURL.length()-1);
+ else
+ this.authURL = authURL;
+
if (sloService != null) {
this.binding = sloService.getBinding();
this.serviceURL = sloService.getLocation();
@@ -148,6 +154,13 @@ public class SLOInformationImpl implements SLOInformationInterface, Serializable
public String getServiceURL() {
return serviceURL;
}
+
+ /**
+ * @return the authURL from requested IDP without ending /
+ */
+ public String getAuthURL() {
+ return authURL;
+ }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 771c9a35e..1f4612dca 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -46,6 +46,7 @@ import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
@@ -364,7 +365,10 @@ public class DispatcherServlet extends AuthServlet{
} catch (AuthnRequestValidatorException e) {
//log Error Message
StatisticLogger logger = StatisticLogger.getInstance();
- logger.logErrorOperation(e, e.getErrorRequest());
+ logger.logErrorOperation(e, e.getErrorRequest());
+
+ //TODO: maybe add some error message handling???
+
return;
}catch (InvalidProtocolRequestException e) {
@@ -377,6 +381,13 @@ public class DispatcherServlet extends AuthServlet{
"(Errorcode=" + code +
" | Description=" + descr + ")");
return;
+ } catch (ConfigurationException e) {
+ resp.setContentType("text/html;charset=UTF-8");
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!" +
+ "(Errorcode=9199"
+ +" | Description="+ e.getMessage() + ")");
+ return;
+
} catch (MOAIDException e) {
Logger.error("Failed to generate a valid protocol request!");
resp.setContentType("text/html;charset=UTF-8");
@@ -544,7 +555,7 @@ public class DispatcherServlet extends AuthServlet{
try {
//Store OA specific SSO session information
AuthenticationSessionStoreage.addSSOInformation(moasessionID,
- newSSOSessionId, assertionID, protocolRequest.getOAURL());
+ newSSOSessionId, assertionID, protocolRequest);
} catch (AuthenticationException e) {
Logger.warn("SSO Session information can not be stored -> SSO is not enabled!");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 39cb5b9c8..b29220af2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -195,7 +195,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
} catch (MOADatabaseException e) {
Logger.warn("Delete MOASession FAILED.");
- sloContainer.putFailedOA(AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix());
+ sloContainer.putFailedOA(pvpReq.getAuthURL());
}
@@ -258,8 +258,8 @@ public class AuthenticationManager extends MOAIDAuthConstants {
AssertionStorage.getInstance().put(relayState, sloContainer);
- String timeOutURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix()
- + "/idpSingleLogout"
+ String timeOutURL = pvpReq
+ + "idpSingleLogout"
+ "?restart=" + relayState;
VelocityContext context = new VelocityContext();
@@ -381,7 +381,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
String form = SendAssertionFormBuilder.buildForm(target.requestedModule(),
target.requestedAction(), target.getRequestID(), oaParam,
- AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix());
+ target.getAuthURL());
MOAReversionLogger.getInstance().logEvent(target.getOnlineApplicationConfiguration(),
target, MOAIDEventConstants.AUTHPROCESS_SSO_ASK_USER_START);
@@ -450,7 +450,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
authReq.setAssertionConsumerServiceIndex(0);
authReq.setIssueInstant(new DateTime());
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath();
+ String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath().get(0);
issuer.setValue(serviceURL);
issuer.setFormat(NameIDType.ENTITY);
@@ -692,7 +692,9 @@ public class AuthenticationManager extends MOAIDAuthConstants {
//Build authentication form
- String publicURLPreFix = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ String publicURLPreFix = target.getAuthURL();
+ if (publicURLPreFix.endsWith("/"))
+ publicURLPreFix = publicURLPreFix.substring(0, publicURLPreFix.length() - 1);
String loginForm = LoginFormBuilder.buildLoginForm(target.requestedModule(),
target.requestedAction(), oaParam, publicURLPreFix, moasession.getSessionID());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
index 6f43b3ee7..4ae271bbc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
@@ -49,5 +49,13 @@ public interface IRequest {
public List<Attribute> getRequestedAttributes();
public IOAAuthParameters getOnlineApplicationConfiguration();
+ /**
+ * get the IDP URL PreFix, which was used for authentication request
+ *
+ * @return IDP URL PreFix <String>. The URL prefix always ends without /
+ */
+ public String getAuthURL();
+ public String getAuthURLWithOutSlash();
+
//public void setTarget();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
index 26fb7bd29..c9482967f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
@@ -23,15 +23,25 @@
package at.gv.egovernment.moa.id.moduls;
import java.io.Serializable;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.util.List;
+import javax.servlet.http.HttpServletRequest;
+
import org.opensaml.saml2.core.Attribute;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
public abstract class RequestImpl implements IRequest, Serializable{
-
+
private static final long serialVersionUID = 1L;
private String oaURL;
@@ -44,12 +54,67 @@ public abstract class RequestImpl implements IRequest, Serializable{
private String requestID;
private String sessionIdentifier;
private IOAAuthParameters OAConfiguration = null;
+ private String authURL = null;
//MOA-ID interfederation
private String requestedIDP = null;
private MOAResponse response = null;
/**
+ * @throws ConfigurationException
+ *
+ */
+ public RequestImpl(HttpServletRequest req) throws ConfigurationException {
+ String authURLString = HTTPUtils.extractAuthURLFromRequest(req);
+ URL authURL;
+ try {
+ authURL = new URL(authURLString);
+
+ } catch (MalformedURLException e) {
+ Logger.error("IDP AuthenticationServiceURL Prefix is not a valid URL." + authURLString, e);
+ throw new ConfigurationException("1299", null, e);
+
+ }
+
+ List<String> configuredPublicURLPrefix =
+ AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+
+ if (MiscUtil.isEmpty(authURLString)) {
+ Logger.info("AuthenticationServiceURL extraction FAILED. Use default IDP PublicURLPrefix from configuration: " + configuredPublicURLPrefix.get(0));
+ this.authURL = configuredPublicURLPrefix.get(0);
+
+ } else {
+ Logger.debug("Extract AuthenticationServiceURL: " + authURLString);
+ URL resultURL = null;
+
+ for (String el : configuredPublicURLPrefix) {
+ try {
+ URL configuredURL = new URL(el);
+ if (configuredURL.getHost().equals(authURL.getHost()) &&
+ configuredURL.getPath().equals(authURL.getPath())) {
+ Logger.debug("Select configurated PublicURLPrefix: " + configuredURL
+ + " for authURL: " + authURLString);
+ resultURL = configuredURL;
+ }
+
+ } catch (MalformedURLException e) {
+ Logger.error("Configurated IDP PublicURLPrefix is not a valid URL." + el);
+
+ }
+ }
+
+ if (resultURL == null) {
+ Logger.warn("Extract AuthenticationServiceURL: " + authURL + " is NOT found in configuration.");
+ throw new ConfigurationException("config.25", new Object[]{authURLString});
+
+ } else {
+ this.authURL = resultURL.toExternalForm();
+
+ }
+ }
+ }
+
+ /**
* This method map the protocol specific requested attributes to PVP 2.1 attributes.
*
* @return List of PVP 2.1 attributes with maps all protocol specific attributes
@@ -169,4 +234,27 @@ public abstract class RequestImpl implements IRequest, Serializable{
this.OAConfiguration = oaConfig;
}
+
+ /**
+ * @return the authURL
+ */
+ public String getAuthURL() {
+ return authURL;
+ }
+
+ public String getAuthURLWithOutSlash() {
+ if (authURL.endsWith("/"))
+ return authURL.substring(0, authURL.length()-1);
+ else
+ return authURL;
+
+ }
+
+// /**
+// * @param authURL the authURL to set
+// */
+// public void setAuthURL(String authURL) {
+// this.authURL = authURL;
+// }
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index 9f8b6610f..9327cabd7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -102,10 +102,10 @@ public class AttributQueryAction implements IAction {
List<String> attrList = addDefaultAttributes(attrQuery, authData);
//build PVP 2.1 assertion
- Assertion assertion = PVP2AssertionBuilder.buildAssertion(attrQuery, attrList, authData, date, authData.getSessionIndex());
+ Assertion assertion = PVP2AssertionBuilder.buildAssertion(req.getAuthURL(), attrQuery, attrList, authData, date, authData.getSessionIndex());
//build PVP 2.1 response
- Response authResponse = AuthResponseBuilder.buildResponse(attrQuery, date, assertion);
+ Response authResponse = AuthResponseBuilder.buildResponse(req.getAuthURL(), attrQuery, date, assertion);
try {
SoapBinding decoder = new SoapBinding();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
index 1b187d82e..50f91df44 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
@@ -110,7 +110,7 @@ public class MetadataAction implements IAction {
// .setEntityID(PVPConfiguration.getInstance().getIDPSSOMetadataService());
idpEntityDescriptor
- .setEntityID(PVPConfiguration.getInstance().getIDPPublicPath());
+ .setEntityID(req.getAuthURLWithOutSlash());
idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_HOURS));
@@ -139,10 +139,10 @@ public class MetadataAction implements IAction {
idpEntitiesDescriptor.setSignature(signature);
//set IDP metadata
- idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(keyInfoGenerator));
+ idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(req, keyInfoGenerator));
//set SP metadata for interfederation
- idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(keyInfoGenerator));
+ idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(req, keyInfoGenerator));
DocumentBuilder builder;
DocumentBuilderFactory factory = DocumentBuilderFactory
@@ -190,7 +190,7 @@ public class MetadataAction implements IAction {
return (PVP2XProtocol.METADATA);
}
- private RoleDescriptor generateSPMetadata(KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException {
+ private RoleDescriptor generateSPMetadata(IRequest req, KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException {
Logger.debug("Set SP Metadata key information");
@@ -248,7 +248,7 @@ public class MetadataAction implements IAction {
postassertionConsumerService.setIndex(0);
postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
postassertionConsumerService.setLocation(PVPConfiguration
- .getInstance().getSPSSOPostService());
+ .getInstance().getSPSSOPostService(req.getAuthURL()));
postassertionConsumerService.setIsDefault(true);
spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService);
@@ -257,7 +257,7 @@ public class MetadataAction implements IAction {
redirectassertionConsumerService.setIndex(1);
redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
redirectassertionConsumerService.setLocation(PVPConfiguration
- .getInstance().getSPSSORedirectService());
+ .getInstance().getSPSSORedirectService(req.getAuthURL()));
spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService);
@@ -273,7 +273,7 @@ public class MetadataAction implements IAction {
SingleLogoutService redirectSLOService =
SAML2Utils.createSAMLObject(SingleLogoutService.class);
redirectSLOService.setLocation(PVPConfiguration
- .getInstance().getSPSSORedirectService());
+ .getInstance().getSPSSORedirectService(req.getAuthURL()));
redirectSLOService
.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
spSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
@@ -293,7 +293,7 @@ public class MetadataAction implements IAction {
return spSSODescriptor;
}
- private IDPSSODescriptor generateIDPMetadata(KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException {
+ private IDPSSODescriptor generateIDPMetadata(IRequest req, KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException {
// //set SignatureMethode
@@ -325,12 +325,12 @@ public class MetadataAction implements IAction {
idpSSODescriptor.setWantAuthnRequestsSigned(true);
- if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) {
+ if (PVPConfiguration.getInstance().getIDPSSOPostService(req.getAuthURL()) != null) {
//add SSO descriptor
SingleSignOnService postSingleSignOnService = SAML2Utils
.createSAMLObject(SingleSignOnService.class);
postSingleSignOnService.setLocation(PVPConfiguration
- .getInstance().getIDPSSOPostService());
+ .getInstance().getIDPSSOPostService(req.getAuthURL()));
postSingleSignOnService
.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
idpSSODescriptor.getSingleSignOnServices().add(
@@ -347,12 +347,12 @@ public class MetadataAction implements IAction {
}
- if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) {
+ if (PVPConfiguration.getInstance().getIDPSSORedirectService(req.getAuthURL()) != null) {
//add SSO descriptor
SingleSignOnService redirectSingleSignOnService = SAML2Utils
.createSAMLObject(SingleSignOnService.class);
redirectSingleSignOnService.setLocation(PVPConfiguration
- .getInstance().getIDPSSORedirectService());
+ .getInstance().getIDPSSORedirectService(req.getAuthURL()));
redirectSingleSignOnService
.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
idpSSODescriptor.getSingleSignOnServices().add(
@@ -362,7 +362,7 @@ public class MetadataAction implements IAction {
SingleLogoutService redirectSLOService =
SAML2Utils.createSAMLObject(SingleLogoutService.class);
redirectSLOService.setLocation(PVPConfiguration
- .getInstance().getIDPSSORedirectService());
+ .getInstance().getIDPSSORedirectService(req.getAuthURL()));
redirectSLOService
.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 0c7502003..544fd9925 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -98,6 +98,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.id.util.ErrorResponseUtils;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import at.gv.egovernment.moa.id.util.VelocityLogAdapter;
import at.gv.egovernment.moa.logging.Logger;
@@ -210,7 +211,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
if(METADATA.equals(action)) {
- return new PVPTargetConfiguration();
+ return new PVPTargetConfiguration(request);
}
@@ -387,7 +388,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
samlResponse.setIssueInstant(new DateTime());
Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
- nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ nissuer.setValue(pvpRequest.getAuthURLWithOutSlash());
nissuer.setFormat(NameID.ENTITY);
samlResponse.setIssuer(nissuer);
@@ -460,7 +461,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
HttpServletResponse response, InboundMessage inMsg,
String sessionId, String transactionId) throws MOAIDException {
- PVPTargetConfiguration config = new PVPTargetConfiguration();
+ PVPTargetConfiguration config = new PVPTargetConfiguration(request);
MOARequest msg;
if (inMsg instanceof MOARequest &&
@@ -496,13 +497,24 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
Logger.debug("PreProcess SLO Response from " + resp.getIssuer());
- if (!resp.getDestination().startsWith(
- PVPConfiguration.getInstance().getIDPPublicPath())) {
+ List<String> allowedPublicURLPrefix =
+ AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ boolean isAllowedDestination = false;
+
+ for (String prefix : allowedPublicURLPrefix) {
+ if (!resp.getDestination().startsWith(
+ prefix)) {
+ isAllowedDestination = true;
+ break;
+ }
+ }
+
+ if (!isAllowedDestination) {
Logger.warn("PVP 2.1 single logout response destination does not match to IDP URL");
throw new AssertionValidationExeption("PVP 2.1 single logout response destination does not match to IDP URL", null);
}
-
+
//TODO: check if relayState exists
inMsg.getRelayState();
@@ -533,7 +545,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
//validate destination
String destinaten = attrQuery.getDestination();
- if (!PVPConfiguration.getInstance().getIDPAttributeQueryService().equals(destinaten)) {
+ if (!PVPConfiguration.getInstance().getIDPAttributeQueryService(HTTPUtils.extractAuthURLFromRequest(request)).equals(destinaten)) {
Logger.warn("AttributeQuery destination does not match IDP AttributeQueryService URL");
throw new AttributQueryException("AttributeQuery destination does not match IDP AttributeQueryService URL", null);
@@ -558,7 +570,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
}
- PVPTargetConfiguration config = new PVPTargetConfiguration();
+ PVPTargetConfiguration config = new PVPTargetConfiguration(request);
config.setRequest(moaRequest);
config.setOAURL(moaRequest.getEntityID());
config.setOnlineApplicationConfiguration(oa);
@@ -586,7 +598,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
if(!(samlReq instanceof AuthnRequest)) {
throw new MOAIDException("Unsupported request", new Object[] {});
}
-
+
EntityDescriptor metadata = moaRequest.getEntityMetadata();
if(metadata == null) {
throw new NoMetadataInformationException();
@@ -607,6 +619,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
}
+
//parse AssertionConsumerService
AssertionConsumerService consumerService = null;
if (MiscUtil.isNotEmpty(authnRequest.getAssertionConsumerServiceURL()) &&
@@ -669,7 +682,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
Logger.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + consumerService.getBinding());
- PVPTargetConfiguration config = new PVPTargetConfiguration();
+ PVPTargetConfiguration config = new PVPTargetConfiguration(request);
config.setOAURL(oaURL);
config.setOnlineApplicationConfiguration(oa);
config.setBinding(consumerService.getBinding());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
index 74b20356e..0b402a0fd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
@@ -26,6 +26,8 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.impl.AuthnRequestImpl;
@@ -46,6 +48,16 @@ import at.gv.egovernment.moa.logging.Logger;
public class PVPTargetConfiguration extends RequestImpl {
+ /**
+ * @param req
+ * @throws ConfigurationException
+ */
+ public PVPTargetConfiguration(HttpServletRequest req)
+ throws ConfigurationException {
+ super(req);
+
+ }
+
private static final long serialVersionUID = 4889919265919638188L;
InboundMessage request;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 5402e3dce..1e0a9cf32 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -60,6 +60,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.id.util.VelocityProvider;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -151,11 +152,11 @@ public class PostBinding implements IDecoder, IEncoder {
//set metadata descriptor type
if (isSPEndPoint) {
messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService()));
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService(HTTPUtils.extractAuthURLFromRequest(req))));
} else {
messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService()));
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService(HTTPUtils.extractAuthURLFromRequest(req))));
}
} catch (ConfigurationException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 81863f48f..0a459a9be 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -60,6 +60,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -141,11 +142,11 @@ public class RedirectBinding implements IDecoder, IEncoder {
//set metadata descriptor type
if (isSPEndPoint) {
messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService()));
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService(HTTPUtils.extractAuthURLFromRequest(req))));
} else {
messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService()));
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService(HTTPUtils.extractAuthURLFromRequest(req))));
}
} catch (ConfigurationException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
index 91888df5c..ebbafd4e3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
@@ -127,7 +127,7 @@ public class AttributQueryBuilder {
query.setIssueInstant(now);
Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
- nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath().get(0));
nissuer.setFormat(NameID.ENTITY);
query.setIssuer(nissuer);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java
index 4959df16c..24c2626e3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java
@@ -66,13 +66,15 @@ import at.gv.egovernment.moa.logging.Logger;
*/
public class AuthResponseBuilder {
- public static Response buildResponse(RequestAbstractType req, DateTime date, Assertion assertion) throws InvalidAssertionEncryptionException, ConfigurationException {
+ public static Response buildResponse(String authURL, RequestAbstractType req, DateTime date, Assertion assertion) throws InvalidAssertionEncryptionException, ConfigurationException {
Response authResponse = SAML2Utils.createSAMLObject(Response.class);
Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
//change to entity value from entity name to IDP EntityID (URL)
- nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ if (authURL.endsWith("/"))
+ authURL = authURL.substring(0, authURL.length()-1);
+ nissuer.setValue(authURL);
nissuer.setFormat(NameID.ENTITY);
authResponse.setIssuer(nissuer);
authResponse.setInResponseTo(req.getID());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index 50f42d928..df68a1029 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -215,8 +215,8 @@ public class SingleLogOutBuilder {
}
DateTime now = new DateTime();
- Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
+ issuer.setValue(sloInfo.getAuthURL());
issuer.setFormat(NameID.ENTITY);
sloReq.setIssuer(issuer);
sloReq.setIssueInstant(now);
@@ -277,7 +277,7 @@ public class SingleLogOutBuilder {
private static LogoutResponse buildBasicResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException {
LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class);
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ issuer.setValue(spRequest.getAuthURLWithOutSlash());
issuer.setFormat(NameID.ENTITY);
sloResp.setIssuer(issuer);
sloResp.setIssueInstant(new DateTime());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index d80ddba25..065118e2b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -90,7 +90,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
public class PVP2AssertionBuilder implements PVPConstants {
- public static Assertion buildAssertion(AttributeQuery attrQuery,
+ public static Assertion buildAssertion(String authURL, AttributeQuery attrQuery,
List<String> reqAttributes, IAuthData authData, DateTime date, String sessionIndex) throws ConfigurationException {
@@ -136,12 +136,12 @@ public class PVP2AssertionBuilder implements PVPConstants {
SubjectConfirmationData subjectConfirmationData = null;
- return buildGenericAssertion(attrQuery.getIssuer().getValue(), date,
+ return buildGenericAssertion(authURL, attrQuery.getIssuer().getValue(), date,
authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex,
new DateTime(authData.getSsoSessionValidTo().getTime()));
}
- public static Assertion buildAssertion(AuthnRequest authnRequest,
+ public static Assertion buildAssertion(String authURL, AuthnRequest authnRequest,
IAuthData authData, EntityDescriptor peerEntity, DateTime date,
AssertionConsumerService assertionConsumerService, SLOInformationImpl sloInformation)
throws MOAIDException {
@@ -416,10 +416,25 @@ public class PVP2AssertionBuilder implements PVPConstants {
sloInformation.setNameIDFormat(subjectNameID.getFormat());
sloInformation.setSessionIndex(sessionIndex);
- return buildGenericAssertion(peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter());
+ return buildGenericAssertion(authURL, peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter());
}
- public static Assertion buildGenericAssertion(String entityID, DateTime date,
+ /**
+ *
+ * @param authURL IDP PublicURL PreFix
+ * @param entityID Service Provider EntityID
+ * @param date
+ * @param authnContextClassRef
+ * @param attrList
+ * @param subjectNameID
+ * @param subjectConfirmationData
+ * @param sessionIndex
+ * @param isValidTo
+ * @return
+ * @throws ConfigurationException
+ */
+
+ private static Assertion buildGenericAssertion(String authURL, String entityID, DateTime date,
AuthnContextClassRef authnContextClassRef, List<Attribute> attrList,
NameID subjectNameID, SubjectConfirmationData subjectConfirmationData,
String sessionIndex, DateTime isValidTo) throws ConfigurationException {
@@ -471,7 +486,9 @@ public class PVP2AssertionBuilder implements PVPConstants {
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ if (authURL.endsWith("/"))
+ authURL = authURL.substring(0, authURL.length()-1);
+ issuer.setValue(authURL);
issuer.setFormat(NameID.ENTITY);
assertion.setIssuer(issuer);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
index dc3b787e4..47d7a29b3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
@@ -121,43 +121,46 @@ public class PVPConfiguration {
}
}
- public String getIDPPublicPath() throws ConfigurationException {
- String publicPath = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
- if(publicPath != null) {
- if(publicPath.endsWith("/")) {
- int length = publicPath.length();
- publicPath = publicPath.substring(0, length-1);
- }
+ public List<String> getIDPPublicPath() throws ConfigurationException {
+ List<String> publicPath = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ List<String> returnvalue = new ArrayList<String>();
+ for (String el : publicPath) {
+ if(el.endsWith("/")) {
+ int length = el.length();
+ returnvalue.add(el.substring(0, length-1));
+
+ } else
+ returnvalue.add(el);
}
- return publicPath;
+ return returnvalue;
}
- public String getSPSSOPostService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_SP_POST;
+ public String getSPSSOPostService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_SP_POST;
}
- public String getSPSSORedirectService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_SP_REDIRECT;
+ public String getSPSSORedirectService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_SP_REDIRECT;
}
- public String getIDPSSOPostService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_IDP_POST;
+ public String getIDPSSOPostService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_IDP_POST;
}
- public String getIDPSSORedirectService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_IDP_REDIRECT;
+ public String getIDPSSORedirectService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_IDP_REDIRECT;
}
- public String getIDPSSOSOAPService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_IDP_SOAP;
+ public String getIDPSSOSOAPService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_IDP_SOAP;
}
- public String getIDPAttributeQueryService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_IDP_ATTRIBUTEQUERY;
+ public String getIDPAttributeQueryService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_IDP_ATTRIBUTEQUERY;
}
- public String getIDPSSOMetadataService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_METADATA;
+ public String getIDPSSOMetadataService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_METADATA;
}
public String getIDPKeyStoreFilename() {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index a31258784..059e68865 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -82,10 +82,10 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
SLOInformationImpl sloInformation = new SLOInformationImpl();
//build Assertion
- Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authData,
+ Assertion assertion = PVP2AssertionBuilder.buildAssertion(obj.getAuthURL(), authnRequest, authData,
peerEntity, date, consumerService, sloInformation);
- Response authResponse = AuthResponseBuilder.buildResponse(authnRequest, date, assertion);
+ Response authResponse = AuthResponseBuilder.buildResponse(obj.getAuthURL(), authnRequest, date, assertion);
IEncoder binding = null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 70b778c49..2e5f78611 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -61,6 +61,7 @@ import org.xml.sax.SAXException;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException;
@@ -175,10 +176,20 @@ public class SAMLVerificationEngine {
if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
- if (validateDestination && !samlResp.getDestination().startsWith(
- PVPConfiguration.getInstance().getIDPPublicPath())) {
+ List<String> allowedPublicURLPrefix =
+ AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ boolean isValidDestination = false;
+ for (String allowedPreFix : allowedPublicURLPrefix) {
+ if (validateDestination && samlResp.getDestination().startsWith(
+ allowedPreFix)) {
+ isValidDestination = true;
+ break;
+
+ }
+ }
+ if (!isValidDestination) {
Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
- throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);
+ throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index d1582b883..9dee39fe8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -377,7 +377,7 @@ public class AuthenticationSessionStoreage {
}
public static void addSSOInformation(String moaSessionID, String SSOSessionID,
- SLOInformationInterface SLOInfo, String OAUrl) throws AuthenticationException {
+ SLOInformationInterface SLOInfo, IRequest protocolRequest) throws AuthenticationException {
AuthenticatedSessionStore dbsession;
Transaction tx = null;
@@ -412,7 +412,7 @@ public class AuthenticationSessionStoreage {
//check if OA already has an active OA session
if (dbsession.getActiveOAsessions() != null) {
for (OASessionStore el : dbsession.getActiveOAsessions()) {
- if (el.getOaurlprefix().equals(OAUrl))
+ if (el.getOaurlprefix().equals(protocolRequest.getOAURL()))
activeOA = el;
}
}
@@ -421,7 +421,7 @@ public class AuthenticationSessionStoreage {
activeOA = new OASessionStore();
//set active OA applications
- activeOA.setOaurlprefix(OAUrl);
+ activeOA.setOaurlprefix(protocolRequest.getOAURL());
activeOA.setMoasession(dbsession);
activeOA.setCreated(new Date());
@@ -432,6 +432,7 @@ public class AuthenticationSessionStoreage {
activeOA.setUserNameIDFormat(SLOInfo.getUserNameIDFormat());
activeOA.setProtocolType(SLOInfo.getProtocolType());
activeOA.setAttributeQueryUsed(false);
+ activeOA.setAuthURL(protocolRequest.getAuthURL());
}
@@ -463,10 +464,10 @@ public class AuthenticationSessionStoreage {
tx.commit();
if (SLOInfo != null)
- Logger.info("Add SSO-Session login information for OA: " + OAUrl
+ Logger.info("Add SSO-Session login information for OA: " + protocolRequest.getOAURL()
+ " and AssertionID: " + SLOInfo.getSessionIndex());
else
- Logger.info("Add SSO-Session login information for OA: " + OAUrl);
+ Logger.info("Add SSO-Session login information for OA: " + protocolRequest.getOAURL());
}
@@ -887,6 +888,7 @@ public class AuthenticationSessionStoreage {
idp = new InterfederationSessionStore();
idp.setCreated(now);
idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID());
+ idp.setAuthURL(req.getAuthURL());
try {
OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java
index 1f08d9019..2aceb833c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java
@@ -156,5 +156,21 @@ public class HTTPUtils {
return buffer.toString();
}
+
+ /**
+ * Extract the IDP PublicURLPrefix from authrequest
+ *
+ * @param req HttpServletRequest
+ * @return PublicURLPrefix <String> which ends always without /
+ */
+ public static String extractAuthURLFromRequest(HttpServletRequest req) {
+ String authURL = req.getScheme() + "://" + req.getServerName();
+ if ((req.getScheme().equalsIgnoreCase("https") && req.getServerPort()!=443) || (req.getScheme().equalsIgnoreCase("http") && req.getServerPort()!=80)) {
+ authURL = authURL.concat(":" + req.getServerPort());
+ }
+ authURL = authURL.concat(req.getContextPath());
+ return authURL;
+
+ }
}