| author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2016-03-02 22:10:36 +0100 | 
|---|---|---|
| committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2016-03-02 22:10:36 +0100 | 
| commit | da937437e46e06365072820aa555d4cb3f9f9110 (patch) | |
| tree | 3c9f062ab6f8c87abc063db44d8828a4065329ba /id/server/idserverlib/src/main | |
| parent | 48fd33725c53136fe505067b93390b39e19c41b7 (diff) | |
| download | moa-id-spss-da937437e46e06365072820aa555d4cb3f9f9110.tar.gz moa-id-spss-da937437e46e06365072820aa555d4cb3f9f9110.tar.bz2 moa-id-spss-da937437e46e06365072820aa555d4cb3f9f9110.zip | |
next parts of new federated authentication implementation
Diffstat (limited to 'id/server/idserverlib/src/main')
10 files changed, 189 insertions, 306 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 999f289e0..8b9918eab 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -32,6 +32,7 @@ import java.util.Arrays;
 import java.util.Date;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Set;
 import java.util.Map.Entry;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -45,6 +46,9 @@ import javax.xml.bind.Marshaller;
 import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.core.AttributeQuery;
 import org.opensaml.saml2.core.AuthnStatement;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.ws.soap.common.SOAPException;
+import org.opensaml.xml.XMLObject;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.w3c.dom.Element;
@@ -77,7 +81,9 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.AuthenticationData;
 import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory;
 import at.gv.egovernment.moa.id.data.IAuthData;
@@ -86,13 +92,16 @@ import at.gv.egovernment.moa.id.moduls.IRequest;
 import at.gv.egovernment.moa.id.moduls.RequestImpl;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
 import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
@@ -118,9 +127,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {  	@Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage;  	@Autowired protected AuthConfiguration authConfig; +	@Autowired private AttributQueryBuilder attributQueryBuilder; +	@Autowired private SAMLVerificationEngine samlVerificationEngine;  	public IAuthData buildAuthenticationDataForAttributQuery(IRequest pendingReq,  -            AuthenticationSession session, List<Attribute> reqAttributes) { +            AuthenticationSession session, List<Attribute> reqAttributes, InterfederationSessionStore nextIDPInformation) throws MOAIDException {  		AuthenticationData authdata = new AuthenticationData();  		try { 
@@ -146,134 +157,147 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {  					}				  				}  			} -		 -			getAuthDataFromInterfederation(authdata, session, spConfig, pendingReq, interfIDP, idp,  reqAttributes); -			 -			 -			 -			 +			//build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration +			IOAAuthParameters spConfig = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes); -			//mark attribute request as used 				 -			try { -				interfIDP.setAttributesRequested(true); -				MOASessionDBUtils.saveOrUpdate(interfIDP); -														 -			} catch (MOADatabaseException e) { -				Logger.error("MOASession interfederation information can not stored to database.", e); +			//search federated IDP information for this MOASession +			if (nextIDPInformation != null) {				 +				Logger.info("Find active federated IDP information." +					+ ". --> Request next IDP:" + nextIDPInformation.getIdpurlprefix()  +					+ " for authentication information."); +	 +				//load configuration of next IDP +				OAAuthParameter idp = authConfig.getOnlineApplicationParameter(nextIDPInformation.getIdpurlprefix()); +				if (idp == null) { +					Logger.warn("Configuration for federated IDP:" + nextIDPInformation.getIdpurlprefix()  +						+ "is not loadable."); +					throw new MOAIDException("auth.32", new Object[]{nextIDPInformation.getIdpurlprefix()}); +					 +				} + +				//check if next IDP config allows inbound messages +				if (!idp.isInboundSSOInterfederationAllowed()) { +					Logger.warn("Configuration for federated IDP:" + nextIDPInformation.getIdpurlprefix()  +					+ "disallow inbound authentication messages."); +					throw new MOAIDException("auth.33", new Object[]{nextIDPInformation.getIdpurlprefix()}); +					 +				} +				 +				//check next IDP service area policy. 
BusinessService IDPs can only request wbPKs  +				if (!spConfig.getBusinessService() && !idp.isIDPPublicService()) { +					Logger.error("Interfederated IDP " + idp.getPublicURLPrefix()  +							+ " has a BusinessService-IDP but requests PublicService attributes."); +					throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()}); +					 +				}	 +				 +				//validation complete --> start AttributeQuery Request +				getAuthDataFromInterfederation(authdata, reqAttributes, nextIDPInformation, idp); +												 +			} else { +				Logger.debug("Build authData for AttributQuery from local MOASession."); +				buildAuthDataFormMOASession(authdata, session, spConfig, pendingReq);  			} -			 -		 +  			return authdata; -			 -		} catch (DynamicOABuildException e) { -			//TODO: -			 +						 +		} catch (MOAIDException e) { +			throw e;  		}  	}  	private void getAuthDataFromInterfederation( -			AuthenticationData authdata, AuthenticationSession session, -			IOAAuthParameters oaParam, IRequest req, -			InterfederationSessionStore interfIDP, OAAuthParameter idp, List<Attribute> reqQueryAttr) throws BuildException, ConfigurationException{ +			AuthenticationData authdata, List<Attribute> reqQueryAttr, +			InterfederationSessionStore nextIDPInfo, OAAuthParameter nextIDPConfig ) throws MOAIDException{ +		String idpEnityID = nextIDPConfig.getPublicURLPrefix(); +		AssertionAttributeExtractor extractor;  		try {		 -			List<Attribute> attributs = null; -						 -			//IDP is a chained interfederated IDP and request is of type AttributQuery -			if (oaParam.isInderfederationIDP() && req instanceof PVPTargetConfiguration && -					(((PVPTargetConfiguration)req).getRequest() instanceof AttributeQuery) && -				reqQueryAttr != null) { -				attributs = reqQueryAttr; -				 -			//IDP is a service provider IDP and request interfederated IDP to collect attributes				 -			} else {												 -				//get PVP 2.1 attributes from protocol specific requested attributes -				
attributs = (List<Attribute>) req.getGenericData(RequestImpl.DATAID_REQUESTED_ATTRIBUTES); +			Logger.debug("Starting AttributeQuery process ..."); +			//collect attributes by using BackChannel communication +			String endpoint = nextIDPConfig.getIDPAttributQueryServiceURL();			 +			if (MiscUtil.isEmpty(endpoint)) { +				Logger.error("No AttributeQueryURL for interfederationIDP " + idpEnityID); +				throw new ConfigurationException("config.26", new Object[]{idpEnityID});  			} - -			//get SAML2 Response from federated IDP  -			Response intfResp =  -					(Response) req.getGenericData( -							RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, MOAResponse.class).getResponse(); -			 -			//initialize Attribute extractor -			AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(intfResp);			 - -			//check if SAML2 Assertion contains already all required attributes -			if (!extractor.containsAllRequiredAttributes()) { -				Logger.info("Received assertion does no contain a minimum set of attributes. 
Starting AttributeQuery process ..."); -				//collect attributes by using BackChannel communication -				String endpoint = idp.getIDPAttributQueryServiceURL();			 -				if (MiscUtil.isEmpty(endpoint)) { -					Logger.error("No AttributeQueryURL for interfederationIDP " + idp.getPublicURLPrefix()); -					throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + idp.getPublicURLPrefix(), null); -				} -				//build attributQuery request -				AttributeQuery query =  -						attributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); +			//build attributQuery request +			AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(nextIDPInfo.getUserNameID(), endpoint, reqQueryAttr); -				//build SOAP request				 -				List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query); +			//build SOAP request				 +			List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query); +		 +			if (xmlObjects.size() == 0) { +				Logger.error("Receive emptry AttributeQuery response-body."); +				throw new AttributQueryException("auth.27",  +						new Object[]{idpEnityID, "Receive emptry AttributeQuery response-body."}); -				if (xmlObjects.size() == 0) { -					Logger.error("Receive emptry AttributeQuery response-body."); -					throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); -				 -				} +			} +		 +			Response intfResp; +			if (xmlObjects.get(0) instanceof Response) { +				intfResp = (Response) xmlObjects.get(0); -				if (xmlObjects.get(0) instanceof Response) { -					intfResp = (Response) xmlObjects.get(0); -				 -					//validate PVP 2.1 response -					try { -						samlVerificationEngine.verifyIDPResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); -				 -						//TODO: find better solution -						//SAMLVerificationEngine.validateAssertion(intfResp, false); -					 -					} catch (Exception e) { -						Logger.warn("PVP 2.1 assertion validation 
FAILED.", e); -						throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); +				//validate PVP 2.1 response +				try { +					samlVerificationEngine.verifyIDPResponse(intfResp,  +							TrustEngineFactory.getSignatureKnownKeysTrustEngine( +									MOAMetadataProvider.getInstance())); +			 +					//create assertion attribute extractor from AttributeQuery response +					extractor = new AssertionAttributeExtractor(intfResp); +										 +					//copy attributes into authData object +					Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames(); +					for (String el : includedAttrNames) { +						authdata.setGenericData(el, extractor.getSingleAttributeValue(el)); +						Logger.debug("Add PVP-attribute " + el + " into authData objext"); +						  					} -												 -				} else { -					Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); -					throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); -				 +					 +					 +				} catch (Exception e) { +					Logger.warn("PVP 2.1 assertion validation FAILED.", e); +					throw new AssertionValidationExeption("auth.27",  +							new Object[]{idpEnityID, e.getMessage()}, e);  				} -				 -				//create assertion attribute extractor from AttributeQuery response -				extractor = new AssertionAttributeExtractor(intfResp); -				 +											  			} else { -				Logger.info("Interfedation response include all attributes with are required. Skip AttributQuery request step. 
"); +				Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); +				throw new AttributQueryException("auth.27",  +						new Object[]{idpEnityID, "Receive AttributeQuery response-body include no PVP 2.1 response"}); +			 +			} +				 				 +			try { +					//mark attribute request as used +				if (nextIDPInfo.isStoreSSOInformation()) { +					nextIDPInfo.setAttributesRequested(true); +					MOASessionDBUtils.saveOrUpdate(nextIDPInfo); + +					//delete federated IDP from Session +				} else { +					MOASessionDBUtils.delete(nextIDPInfo); +					 +				} +														 +			} catch (MOADatabaseException e) { +				Logger.error("MOASession interfederation information can not stored to database.", e);  			} -			//parse response information to authData -			buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam, req);			 -			 +						  		} catch (SOAPException e) {  			throw new BuildException("builder.06", null, e);  		} catch (SecurityException e) {  			throw new BuildException("builder.06", null, e); -			 -		} catch (AttributQueryException e) { -			throw new BuildException("builder.06", null, e); -			 -		} catch (BuildException e) { -			throw new BuildException("builder.06", null, e); -			 -		} catch (AssertionValidationExeption e) { -			throw new BuildException("builder.06", null, e); -			 -		} catch (AssertionAttributeExtractorExeption e) { -			throw new BuildException("builder.06", null, e); +					 +		} catch (org.opensaml.xml.security.SecurityException e1) { +			throw new BuildException("builder.06", null, e1);  		}  	} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java index ab43f2f79..8c0de1121 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java 
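Review bot: The attribute copy loop after `extractor = new AssertionAttributeExtractor(intfResp);` writes every attribute the federated IDP returns into authdata via `setGenericData`, without checking it against `reqQueryAttr`, so the set of attribute names that ends up in the authentication data is decided entirely by the remote IDP rather than by the query that was sent; unless AssertionAttributeExtractor already restricts this, filter on the requested names as below. That loop also sits inside the `try` whose catch logs "PVP 2.1 assertion validation FAILED." and wraps into AssertionValidationExeption, so a failure in getSingleAttributeValue is reported as a signature problem; move the copy after the try or give it its own catch. `catch (MOAIDException e) { throw e; }` in buildAuthenticationDataForAttributQuery is a no-op and can be dropped now that the method declares `throws MOAIDException`. In the database block at the end, a failed `MOASessionDBUtils.delete(nextIDPInfo)` is only logged, which presumably leaves the federated IDP entry usable for a further AttributeQuery; consider propagating that error instead of continuing. buildAuthenticationDataForAttributQuery begins before this hunk.
```java
//create assertion attribute extractor from AttributeQuery response
extractor = new AssertionAttributeExtractor(intfResp);

//only accept the attributes that were actually requested; anything else the
//remote IDP returns is logged and dropped (needs java.util.HashSet next to the Set import)
Set<String> requestedAttrNames = new HashSet<String>();
for (Attribute reqAttr : reqQueryAttr) {
	requestedAttrNames.add(reqAttr.getName());
}
for (String el : extractor.getAllIncludeAttributeNames()) {
	if (!requestedAttrNames.contains(el)) {
		Logger.warn("IDP " + idpEnityID + " returned not requested attribute " + el + ". Attribute is ignored.");
		continue;
	}
	authdata.setGenericData(el, extractor.getSingleAttributeValue(el));
	Logger.debug("Add PVP-attribute " + el + " into authData objext");
}
```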
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java @@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.moduls.IRequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil;  /**   * @author tlenz 
@@ -45,65 +46,35 @@ import at.gv.egovernment.moa.util.Constants;   */  public class DynamicOAAuthParameterBuilder { -	public static IOAAuthParameters buildFromAttributeQuery(OAAuthParameter oa, List<Attribute> reqAttributes, InterfederationSessionStore interfIDP) throws DynamicOABuildException { +	public static IOAAuthParameters buildFromAttributeQuery(List<Attribute> reqAttributes) throws DynamicOABuildException {  		Logger.debug("Build dynamic OAConfiguration from AttributeQuery and interfederation information"); -		try { -			DynamicOAAuthParameters dynamicOA = new DynamicOAAuthParameters(); -					 -			for (Attribute attr : reqAttributes) {				 -				//get Target or BusinessService from request  -				if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { -					String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent(); -					if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) { -						dynamicOA.setBusinessService(false); -						dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length())); -						 -					} else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) ||  -							attrValue.startsWith(Constants.URN_PREFIX_STORK) ) { -						dynamicOA.setBusinessService(true); -						dynamicOA.setTarget(attrValue); -						 					 -					} else { -						Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea"); -						throw new DynamicOABuildException("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea", null); -						 -					} -					 -				} +		DynamicOAAuthParameters dynamicOA = new DynamicOAAuthParameters(); -			} -			 -			if (interfIDP != null) { -				//load interfederated IDP informations -				OAAuthParameter idp = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(interfIDP.getIdpurlprefix()); -				if (idp == null) { -					Logger.warn("Interfederated IDP configuration is not loadable."); -					throw new 
DynamicOABuildException("Interfederated IDP configuration is not loadable.", null); +		for (Attribute attr : reqAttributes) {				 +			//get Target or BusinessService from request  +			if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { +				String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent(); +				if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) { +					dynamicOA.setBusinessService(false); +					dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length())); +					 +				} else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) ||  +						attrValue.startsWith(Constants.URN_PREFIX_STORK) ) { +					dynamicOA.setBusinessService(true); +					dynamicOA.setTarget(attrValue); +					 					 +				} else { +					Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea"); +					throw new DynamicOABuildException("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea", null);  				} -			 -				dynamicOA.setApplicationID(idp.getPublicURLPrefix()); -				dynamicOA.setInderfederatedIDP(idp.isInderfederationIDP()); -				dynamicOA.setIDPQueryURL(idp.getIDPAttributQueryServiceURL()); -				//check if IDP service area policy. BusinessService IDPs can only request wbPKs  -				if (!dynamicOA.getBusinessService() && !idp.isIDPPublicService()) { -					Logger.error("Interfederated IDP " + idp.getPublicURLPrefix()  -							+ " has a BusinessService-IDP but requests PublicService attributes."); -					throw new DynamicOABuildException("Interfederated IDP " + idp.getPublicURLPrefix()  -							+ " has a BusinessService-IDP but requests PublicService attributes.", null); -					 -				}				  			} -			return dynamicOA; - -		} catch (ConfigurationException e) { -			Logger.warn("Internel server errror. Basic configuration load failed.", e); -			throw new DynamicOABuildException("Basic configuration load failed.", null); -		} +		}			 +		return dynamicOA; 
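Review bot: `attr.getAttributeValues().get(0).getDOM().getTextContent()` still dereferences the first value of the sector attribute without checking that the value list is non-empty or that getDOM() is non-null; this attribute comes from the service provider's AttributeQuery, so a malformed query surfaces as an IndexOutOfBoundsException or NullPointerException instead of the DynamicOABuildException the method declares. Guard it before the read, which is also a use for the MiscUtil import added in the previous hunk, where it is otherwise unused in the visible code. When no sector attribute is present at all, dynamicOA is returned with whatever default businessService/target DynamicOAAuthParameters has, and AuthenticationDataBuilder now bases its service-area policy check on exactly that value, so either reject such queries here or document that the default is intended. The end of buildFromAttributeQuery lies past the visible hunk.
```java
if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
	//the value is supplied by the requesting service provider: reject missing values explicitly
	if (attr.getAttributeValues().isEmpty()
			|| attr.getAttributeValues().get(0).getDOM() == null
			|| MiscUtil.isEmpty(attr.getAttributeValues().get(0).getDOM().getTextContent())) {
		Logger.error("Sector identification attribute " + attr.getName() + " has no value");
		throw new DynamicOABuildException("Sector identification attribute has no value", null);
	}
	String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent();
	// … unchanged: prefix checks and setBusinessService/setTarget …
}
```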
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java deleted file mode 100644 index 9af247714..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java +++ /dev/null 
@@ -1,125 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. 
- */ -package at.gv.egovernment.moa.id.data; - -import java.io.Serializable; - -import at.gv.egovernment.moa.id.util.Random; - -/** - * @author tlenz - * - */ -public class FederatedAuthenticatenContainer implements Serializable { - -	/** -	 *  -	 */ -	private static final long serialVersionUID = 6075571915585105988L; -	 -	private String id; -	private String moaSessionID; -	 -	private String idpEntityID; -	private String userNameID; -	private String userQAALevel; -	 -	/** -	 * Build a new data-container for federated authentication with Attribute-Query -	 *  -	 */ -	public FederatedAuthenticatenContainer() { -		this.id = Random.nextRandom(); -		 -	} -	 -	/** -	 * Get the identifier of this container -	 *  -	 * @return the identifier of this container, but never null -	 */ -	public String getId() { -		return id; -	} -	 -	/** -	 * Get the MOASessionID, of the corresponding MOASession -	 *  -	 * @return the moaSessionID, or null if no MOASession exists  -	 */ -	public String getMoaSessionID() { -		return moaSessionID; -	} -	/** -	 * @param moaSessionID the moaSessionID to set -	 */ -	public void setMoaSessionID(String moaSessionID) { -		this.moaSessionID = moaSessionID; -	} -	/** -	 * Get the Entity of the federated IDP, which has the authentication data -	 *  -	 * @return the idpEntityID, but never null -	 */ -	public String getIdpEntityID() { -		return idpEntityID; -	} -	/** -	 * @param idpEntityID the idpEntityID to set -	 */ -	public void setIdpEntityID(String idpEntityID) { -		this.idpEntityID = idpEntityID; -	} -	/** -	 * Get the SAML2 NameID of the user, which is used to identify the user on the federated IDP  -	 *  -	 * @return the SAML2 NameID, but never null -	 */ -	public String getUserNameID() { -		return userNameID; -	} -	/** -	 * @param userNameID the userNameID to set -	 */ -	public void setUserNameID(String userNameID) { -		this.userNameID = userNameID; -	} -	/** -	 * Get the SAML2 QAA-level, which should be send to the federated IDP -	 *  -	 * @return 
the userQAALevel, but never null -	 */ -	public String getUserQAALevel() { -		return userQAALevel; -	} -	/** -	 * @param userQAALevel the userQAALevel to set -	 */ -	public void setUserQAALevel(String userQAALevel) { -		this.userQAALevel = userQAALevel; -	} -	 -	 -	 - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index c733e662a..042eeeed8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -41,8 +41,13 @@ import org.springframework.beans.factory.annotation.Autowired;  import org.springframework.stereotype.Service;  import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; +import at.gv.egovernment.moa.id.auth.builder.DynamicOAAuthParameterBuilder;  import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;  import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.data.FederatedAuthenticatenContainer;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.data.SLOInformationInterface;  import at.gv.egovernment.moa.id.moduls.IAction; 
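Review bot: `import at.gv.egovernment.moa.id.data.FederatedAuthenticatenContainer;` is added here while this same commit deletes FederatedAuthenticatenContainer.java, so AttributQueryAction will not compile unless that class still exists somewhere outside this diff. Of the other imports added in this hunk, DynamicOAAuthParameterBuilder, OASessionStore, IOAAuthParameters and MiscUtil do not appear in the changed code of the later hunks, and the same seems to hold for the `ITransactionStorage transactionStorage` field injected in the next hunk; if they are not used elsewhere in the file they should be removed rather than left as dead wiring.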
@@ -53,7 +58,9 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionB  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;  import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.storage.ITransactionStorage;  import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil;  /**   * @author tlenz @@ -62,9 +69,10 @@ import at.gv.egovernment.moa.logging.Logger;  @Service("AttributQueryAction")  public class AttributQueryAction implements IAction { -	@Autowired IAuthenticationSessionStoreage authenticationSessionStorage; +	@Autowired private IAuthenticationSessionStoreage authenticationSessionStorage;  	@Autowired private AuthenticationDataBuilder authDataBuilder;  	@Autowired private IDPCredentialProvider pvpCredentials; +	@Autowired private ITransactionStorage transactionStorage;  	private final static List<String> DEFAULTSTORKATTRIBUTES = Arrays.asList(  			new String[]{PVPConstants.EID_STORK_TOKEN_NAME});	 
@@ -90,16 +98,22 @@ public class AttributQueryAction implements IAction {  			//set time reference  			DateTime date = new DateTime(); -			//load session and request information -			AuthenticationSession moaSession =  -					pendingReq.getGenericData(PVPTargetConfiguration.DATAID_MOASESSION, AuthenticationSession.class); -			 +			//get Single Sign-On information for the Service-Provider +			// which sends the Attribute-Query request +			AuthenticationSession moaSession = authenticationSessionStorage.getSession(pendingReq.getMOASessionIdentifier()); +			if (moaSession == null) { +				Logger.warn("No MOASession with ID:" + pendingReq.getMOASessionIdentifier() + " FOUND."); +				throw new MOAIDException("auth.02", new Object[]{pendingReq.getMOASessionIdentifier()}); +			} +												 +			InterfederationSessionStore nextIDPInformation =  +					authenticationSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(moaSession.getSessionID()); +		  			AttributeQuery attrQuery =   					(AttributeQuery)((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest(); -			 -			 +												  			//generate authData for AttributQueryRequest -			authData = authDataBuilder.buildAuthenticationDataForAttributQuery(pendingReq, moaSession, attrQuery.getAttributes()); +			authData = authDataBuilder.buildAuthenticationDataForAttributQuery(pendingReq, moaSession, attrQuery.getAttributes(), nextIDPInformation);  			//add default attributes in case of mandates or STORK is in use diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 57c1aa8af..4dbc35041 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java 
@@ -593,23 +593,14 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {  		AuthenticationSession session = authenticatedSessionStorage.getSessionWithUserNameID(nameID);  		if (session == null) {  			Logger.warn("AttributeQuery nameID does not match to an active single sign-on session."); -			throw new AttributQueryException("AttributeQuery nameID does not match to an active single sign-on session.", null); +			throw new AttributQueryException("auth.31", null);  		} -		//search federated IDP information for this MOASession -		 -		 -		InterfederationSessionStore interfIDP =  -				authenticatedSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session); -	 -		//build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration -		IOAAuthParameters spConfig = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(oa, attrQuery.getAttributes(), interfIDP); -  		//set preProcessed information into pending-request  		pendingReq.setRequest(moaRequest);  		pendingReq.setOAURL(moaRequest.getEntityID()); -		pendingReq.setOnlineApplicationConfiguration(spConfig); +		pendingReq.setOnlineApplicationConfiguration(oa);  		pendingReq.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);  		//Attribute-Query Request needs authentication, because session MUST be already authenticated  @@ -619,8 +610,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {  		pendingReq.setAction(AttributQueryAction.class.getName());  		//add moasession -		pendingReq.setGenericDataToSession(PVPTargetConfiguration.DATAID_MOASESSION, session); -		 +		pendingReq.setMOASessionIdentifier(session.getSessionID()); +				  		//write revisionslog entry  		revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_ATTRIBUTQUERY); 
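Review bot: With `pendingReq.setOnlineApplicationConfiguration(oa);` the pending request now carries the static SP configuration, while the sector/target decision that DynamicOAAuthParameterBuilder.buildFromAttributeQuery used to make at this point moves into AuthenticationDataBuilder, so one request ends up with two OA configurations and the hunk does not say which one later authorization checks must consult; a comment at that line such as `//static SP configuration only; the AttributeQuery-specific (dynamic) configuration is derived in AuthenticationDataBuilder` would remove the ambiguity. Moving the sector validation later also means a malformed AttributeQuery is no longer rejected during pre-processing but only after the session lookup in AttributQueryAction, which is fine if intended but worth stating. The imports of InterfederationSessionStore, DynamicOAAuthParameterBuilder and IOAAuthParameters are presumably unused in this file now and are not touched by the commit. The enclosing method starts before the first hunk and ends after the second.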
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index a8e02c317..b8ced1198 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -46,11 +46,9 @@ import at.gv.egovernment.moa.logging.Logger;  @Scope(value = BeanDefinition.SCOPE_PROTOTYPE)  public class PVPTargetConfiguration extends RequestImpl { -	public static final String DATAID_MOASESSION = "moasession";  	public static final String DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP = "useMinimalFrontChannelResponse";  	public static final String DATAID_INTERFEDERATION_NAMEID = "federatedNameID";  	public static final String DATAID_INTERFEDERATION_QAALEVEL = "federatedQAALevel";	 -	public static final String DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID = "attrQueryContainerID";  	private static final long serialVersionUID = 4889919265919638188L; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java index c190ad779..316ca2177 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java 
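Review bot: Removing the public constants `DATAID_MOASESSION` and `DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID` is safe only if no code outside the visible files still reads generic data under those keys; PVP2XProtocol and AttributQueryAction are updated in this commit, but the diffstat is limited to id/server/idserverlib/src/main, so other modules cannot be checked from here.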
@@ -832,9 +832,9 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt  	}  	@Override -	public InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(AuthenticationSession moaSession) { -		  MiscUtil.assertNotNull(moaSession, "MOASession");	   -		  Logger.trace("Get interfederated IDP for AttributeQuery with sessionID " + moaSession.getSessionID() + " from database."); +	public InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(String moaSessionID) { +		  MiscUtil.assertNotNull(moaSessionID, "MOASessionID");	   +		  Logger.trace("Get interfederated IDP for AttributeQuery with sessionID " + moaSessionID + " from database.");  		  Session session = MOASessionDBUtils.getCurrentSession();  		  List<AuthenticatedSessionStore> result; @@ -843,7 +843,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt  			  synchronized (session) {  				  tx = session.beginTransaction();  				  Query query = session.getNamedQuery("getInterfederatedIDPForAttributeQueryWithSessionID"); -				  query.setParameter("sessionID", moaSession.getSessionID()); +				  query.setParameter("sessionID", moaSessionID);  				  result = query.list();  				  //send transaction diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java index aaa54fbb9..666511425 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java 
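Review bot: `MiscUtil.assertNotNull(moaSessionID, "MOASessionID")` only rejects null; with the parameter changed from an AuthenticationSession object to a plain String, an empty string now passes the check and the named query is executed with `sessionID = ""`, which the old signature could not produce. Reject that case next to the null check, e.g. `if (MiscUtil.isEmpty(moaSessionID)) { throw new IllegalArgumentException("MOASessionID is empty"); }`, so the query never runs with an empty key. The remainder of the method and its transaction handling lie past the second hunk.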
@@ -253,10 +253,10 @@ public interface IAuthenticationSessionStoreage {
 	/**
 	 * Search an active federation IDP which could be used for federated Single Sign-On by using an AttributeQuery
 	 * 
-	 * @param moaSession MOASession data object
+	 * @param moaSessionID ID of a active MOASession
 	 * @return Information of the federated IDP, or null if no active federated IDP is found
 	 */
-	public InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(AuthenticationSession moaSession);
+	public InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(String moaSessionID);
 	/**
 	 * Remove an active federation IDP from MOASession
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index a94b90931..cf2e9d6d5 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -44,10 +44,14 @@ auth.23=Das BKU-Selektion Template entspricht nicht der Spezifikation von MOA-ID
 auth.24=Das Send-Assertion Template entspricht nicht der Spezifikation von MOA-ID 2.x.
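Review bot: The updated `@param` line reads `ID of a active MOASession` and does not state the contract the implementation in this commit enforces, namely that the argument must not be null; suggest `@param moaSessionID ID of an active MOASession; must not be {@code null}`. The `@return` line already documents the null result, so with that addition the interface Javadoc would match DBAuthenticationSessionStoreage's assertion on the parameter.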
  auth.25=Fehler beim validieren der SZR-Gateway Response.
  auth.26=SessionID unbekannt.
 -auth.27=Federated authentication FAILED! Assertion from {0} IDP is not valid. 
 +auth.27=Federated authentication FAILED! Assertion from {0} IDP is not valid. (Msg:{1}) 
  auth.28=Transaktion {0} kann nicht weitergef\u00FChrt werden. Wahrscheinlich wurde ein TimeOut erreicht.
  auth.29=Federated authentication FAILED! Can not build authentication request for IDP {0} 
  auth.30=No valid Single Sign-On session found. Authentication process is aborted.
 +auth.31=Federated authentication FAILED. No information for AttributeQuery, maybe a timeout occures. 
 +auth.32=Federated authentication FAILED. No configuration for IDP {0}
 +auth.33=Federated authentication FAILED. Configuration of IDP {0} does not allow inbound messages. 
 +auth.34=Federated authentication FAILED. Configuration of IDP {0} is marked as BusinessService-IDP, but Public-Service attributes are requested.
  init.00=MOA ID Authentisierung wurde erfolgreich gestartet
  init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar
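Review bot: `auth.27` now interpolates a second argument as `(Msg:{1})`; from the wording this is the reason attached to the remote IDP's assertion, and if that text does originate in the IDP response it is externally controlled and must be escaped for whatever context renders this message (HTML error page or log line), which the properties file itself cannot ensure — worth confirming at the call site that formats `auth.27`. `auth.31` has a typo: `auth.31=Federated authentication FAILED. No information for AttributeQuery, maybe a timeout occurred.` The new entries are also in English while the neighbouring messages in this German catalog are in German; if that is deliberate for federation errors (as `auth.27`, `auth.29` and `auth.30` already are), it is fine, otherwise they should be translated alongside.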
@@ -82,6 +86,7 @@ config.22=F\u00FCr den Interfederation-Gateway mit der ID {0} ist kein Endpunkt
 config.23=Fehler beim initialisieren von OpenSAML
  config.24=MOA-ID-Auth Configfile {1} does not start with {0} prefix.
  config.25=Der verwendete IDP PublicURLPrefix {0} ist nicht erlaubt. 
 +config.26=Federated IDP {0} contains no AttributeQuery URL.
  parser.00=Leichter Fehler beim Parsen: {0}
  parser.01=Fehler beim Parsen: {0}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index 4e36e2cbf..2aed7d47d 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -28,6 +28,10 @@ auth.27=4401
 auth.28=1100
 auth.29=4401
 auth.30=1110
+auth.31=TODO
+auth.32=TODO
+auth.33=TODO
+auth.34=TODO
 init.00=9199
 init.01=9199
@@ -62,6 +66,7 @@ config.22=9008
 config.23=9199
 config.24=9199
 config.25=9199
+config.26=TODO
 parser.00=1101
 parser.01=1101
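Review bot: The new entries `auth.31` through `auth.34` and `config.26` carry the literal value `TODO` instead of a numeric status code, so any consumer that maps these keys to a numeric protocol status will fail or mis-report exactly the five new federation error cases this commit introduces. The neighbouring federated-authentication failures `auth.27` and `auth.29` use `4401` and `config.25` uses `9199`, which may be the intended families, but that is a guess from this file alone. Either assign the codes in this commit or leave the keys out until they are decided, so the file never ships with placeholder values; both hunks in this file have the same issue.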
