authorThomas Lenz <tlenz@iaik.tugraz.at>2014-06-05 16:27:18 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-06-05 16:27:18 +0200
commit985bb947881f880216c97fda93491a305f33c6de (patch)
tree67a6152dc7f4b19e565c9675c9692ecad6ff3e81 /id/server/idserverlib/src/main
parent78c78fc0045580d3456fcb9563209223cf425eb6 (diff)
add SSO session timeout to AuthData and SAML2 assertion
Diffstat (limited to 'id/server/idserverlib/src/main')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java22
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java17
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java18
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java37
6 files changed, 80 insertions, 30 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 632227d79..c0e1dd3ca 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -27,6 +27,8 @@ import iaik.x509.X509Certificate;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
+import java.util.Date;
+import java.util.GregorianCalendar;
import java.util.List;
import javax.naming.ldap.LdapName;
@@ -445,6 +447,9 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
authData.setSsoSession(true);
+ if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null)
+ authData.setSsoSessionValidTo(assertion.getConditions().getNotOnOrAfter().toDate());
+
//only for SAML1
if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel()))
authData.setQualifiedCertificate(true);
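Review bot: When the inbound assertion has no Conditions or no NotOnOrAfter, the added guard leaves `ssoSessionValidTo` at its default of null, and the new readers in PVP2AssertionBuilder call `authData.getSsoSessionValidTo().getTime()` without a null check, so this path presumably ends in a NullPointerException at assertion-build time rather than in a usable assertion. An `else` branch that mirrors the MOA-session path's fixed window keeps the field non-null, e.g. `else authData.setSsoSessionValidTo(new Date(System.currentTimeMillis() + 5 * 60 * 1000L));` (`Date` is imported in this file's first hunk). The enclosing method starts and ends outside the hunk.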
@@ -454,7 +459,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
private static void buildAuthDataFormMOASession(AuthenticationData authData, AuthenticationSession session,
- IOAAuthParameters oaParam) throws BuildException {
+ IOAAuthParameters oaParam) throws BuildException, ConfigurationException {
String target = oaParam.getTarget();
@@ -465,7 +470,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
boolean businessService = oaParam.getBusinessService();
authData.setIssuer(session.getAuthURL());
-
+
//baseID or wbpk in case of BusinessService without SSO or BusinessService SSO
authData.setIdentificationValue(identityLink.getIdentificationValue());
authData.setIdentificationType(identityLink.getIdentificationType());
@@ -529,6 +534,19 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
authData.setSsoSession(AuthenticationSessionStoreage.isSSOSession(session.getSessionID()));
+ //set max. SSO session time
+ if (authData.isSsoSession()) {
+ long maxSSOSessionTime = AuthConfigurationProvider.getInstance().getTimeOuts().getMOASessionCreated().longValue() * 1000;
+ Date ssoSessionValidTo = new Date(session.getSessionCreated().getTime() + maxSSOSessionTime);
+ authData.setSsoSessionValidTo(ssoSessionValidTo);
+
+ } else {
+ //set valid to 5 min
+ Date ssoSessionValidTo = new Date(new Date().getTime() + 5 * 60 * 1000);
+ authData.setSsoSessionValidTo(ssoSessionValidTo);
+
+ }
+
/* TODO: Support SSO Mandate MODE!
* Insert functionality to translate mandates in case of SSO
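Review bot: `session.getSessionCreated()` on the `Date ssoSessionValidTo = ...` line is dereferenced without a null check, and the field it returns is introduced by this commit with a default of null in AuthenticationSession, so a session constructed or deserialized through a path that never set it presumably throws a NullPointerException here. A guard such as `Date created = session.getSessionCreated() != null ? session.getSessionCreated() : new Date();` keeps the builder robust. The `* 1000` also hard-codes that `getMOASessionCreated()` is in seconds, and the `5 * 60 * 1000` fallback duplicates the `plusMinutes(5)` removed from PVP2AssertionBuilder; a named constant such as `private static final long DEFAULT_SSO_VALIDITY_MS = 5 * 60 * 1000L;` with a comment on the unit would document both. `buildAuthDataFormMOASession` continues past the hunk.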
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
index c5ba49b2e..8726c1618 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
@@ -42,6 +42,7 @@ import java.io.Serializable;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
+import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Vector;
@@ -78,6 +79,9 @@ public class AuthenticationSession implements Serializable {
* session ID
*/
private String sessionID;
+
+ private Date sessionCreated = null;
+
/**
* "Gesch&auml;ftsbereich" the online application belongs to; maybe <code>null</code> if the
* online application is a business application
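Review bot: The new `sessionCreated` field has no Javadoc while the neighbouring `sessionID` does; a comment such as `/** Creation time of this MOA session; null when unknown (e.g. for sessions serialized before this field existed). */` would state the contract the builder now depends on. Because the class is `Serializable` (see the hunk header) and no serialVersionUID change is visible in the diff, sessions serialized before this change presumably deserialize with `sessionCreated == null`, which every reader of the new getter should be prepared for.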
@@ -344,8 +348,9 @@ public class AuthenticationSession implements Serializable {
* @param id
* Session ID
*/
- public AuthenticationSession(String id) {
+ public AuthenticationSession(String id, Date created) {
sessionID = id;
+ sessionCreated = created;
// setTimestampStart();
// infoboxValidators = new ArrayList();
}
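Review bot: The constructor's Javadoc immediately above the hunk lists only `@param id`, so the new `created` parameter is undocumented; add `@param created creation timestamp of the session, used to bound the SSO session lifetime`. `java.util.Date` is mutable and is stored by reference here (and, in the later hunk, returned by reference from `getSessionCreated()`), so any holder of that `Date` can move the session's creation time after the fact; storing `sessionCreated = created == null ? null : new Date(created.getTime());` and returning a copy from the getter keeps the value stable.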
@@ -1050,6 +1055,13 @@ public class AuthenticationSession implements Serializable {
this.storkAuthnResponse = storkAuthnResponse;
}
+ /**
+ * @return the sessionCreated
+ */
+ public Date getSessionCreated() {
+ return sessionCreated;
+ }
+
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
index 33e62d3d0..5685977bc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
@@ -135,6 +135,7 @@ public class AuthenticationData implements IAuthData, Serializable {
private String QAALevel = null;
private boolean ssoSession = false;
+ private Date ssoSessionValidTo = null;
private boolean interfederatedSSOSession = false;
private String interfederatedIDP = null;
@@ -656,7 +657,23 @@ public class AuthenticationData implements IAuthData, Serializable {
public void setInterfederatedIDP(String interfederatedIDP) {
this.interfederatedIDP = interfederatedIDP;
}
+
+ /**
+ * @return the ssoSessionValidTo
+ */
+ public Date getSsoSessionValidTo() {
+ return ssoSessionValidTo;
+ }
+
+ /**
+ * @param ssoSessionValidTo the ssoSessionValidTo to set
+ */
+ public void setSsoSessionValidTo(Date ssoSessionValidTo) {
+ this.ssoSessionValidTo = ssoSessionValidTo;
+ }
+
+
}
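Review bot: `getSsoSessionValidTo()` hands out the internal `Date` by reference and `setSsoSessionValidTo` stores the caller's instance, so the validity end of an authenticated session can be changed behind the object's back by anyone holding that reference; return `ssoSessionValidTo == null ? null : new Date(ssoSessionValidTo.getTime())` and copy on set the same way. The generated Javadoc ("the ssoSessionValidTo") says nothing about meaning or nullability; suggest `/** End of the SSO session validity, emitted as the SAML2 NotOnOrAfter; null until the builder has determined it. */`.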
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
index 4ea81f134..7e421da0f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
@@ -53,6 +53,8 @@ public interface IAuthData {
String getBPK();
String getBPKType();
+ Date getSsoSessionValidTo();
+
String getInterfederatedIDP();
String getIdentificationValue();
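Review bot: The new interface method carries no Javadoc, and its callers in PVP2AssertionBuilder dereference the result unconditionally, so the nullability contract should be stated on the interface: `/** Returns the end of the SSO session validity used as the assertion's NotOnOrAfter; may be null when no lifetime has been determined. */`. Adding an abstract method to a public interface also breaks any other implementation of `IAuthData` not touched by this diff.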
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 4d6343fce..fa5d252bd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -135,7 +135,8 @@ public class PVP2AssertionBuilder implements PVPConstants {
SubjectConfirmationData subjectConfirmationData = null;
return buildGenericAssertion(attrQuery.getIssuer().getValue(), date,
- authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex);
+ authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex,
+ new DateTime(authData.getSsoSessionValidTo().getTime()));
}
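Review bot: `authData.getSsoSessionValidTo().getTime()` on the new `new DateTime(...)` argument dereferences the getter without a null check; the field defaults to null in AuthenticationData and is only set conditionally in AuthenticationDataBuilder, so the attribute-query path can throw a NullPointerException here. The same expression appears on the `setNotOnOrAfter` line of the next hunk. A small helper that falls back to the former fixed window when no session lifetime is known, called as `validTo(authData, date.plusMinutes(5))` at both sites, preserves the previous behaviour for that case; I assume `authData` is an `IAuthData` here.

```java
/** NotOnOrAfter derived from the SSO session lifetime, or {@code fallback} when none is known. */
private static DateTime validTo(IAuthData authData, DateTime fallback) {
    // keep the former fixed window rather than failing when the builder could not determine a lifetime
    return authData.getSsoSessionValidTo() == null
            ? fallback
            : new DateTime(authData.getSsoSessionValidTo().getTime());
}
```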
public static Assertion buildAssertion(AuthnRequest authnRequest,
@@ -393,8 +394,8 @@ public class PVP2AssertionBuilder implements PVPConstants {
SubjectConfirmationData subjectConfirmationData = SAML2Utils
.createSAMLObject(SubjectConfirmationData.class);
subjectConfirmationData.setInResponseTo(authnRequest.getID());
- subjectConfirmationData.setNotOnOrAfter(date.plusMinutes(5));
-
+ subjectConfirmationData.setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime()));
+
subjectConfirmationData.setRecipient(assertionConsumerService.getLocation());
//set SLO information
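Review bot: Replacing `date.plusMinutes(5)` with the SSO session end on the `subjectConfirmationData.setNotOnOrAfter(...)` line widens the bearer SubjectConfirmationData/NotOnOrAfter from a five-minute delivery window to the whole configured MOA-session lifetime (AuthenticationDataBuilder derives it from the MOASessionCreated timeout), and that window is the interval in which a captured assertion is still accepted by the service provider; the SAML 2.0 Web Browser SSO profile intends it to be short. The session timeout is better carried as `SessionNotOnOrAfter` on the AuthnStatement (`authnStatement.setSessionNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime()))`), with the confirmation window left at `date.plusMinutes(5)`; the reader in AuthenticationDataBuilder would then take the value from the AuthnStatement instead of Conditions. The same widening applies to Conditions/NotOnOrAfter on the `conditions.setNotOnOrAfter(isValidTo)` line of the last hunk, which bounds the assertion's overall validity.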
@@ -402,13 +403,13 @@ public class PVP2AssertionBuilder implements PVPConstants {
sloInformation.setNameIDFormat(subjectNameID.getFormat());
sloInformation.setSessionIndex(sessionIndex);
- return buildGenericAssertion(peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex);
+ return buildGenericAssertion(peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter());
}
private static Assertion buildGenericAssertion(String entityID, DateTime date,
AuthnContextClassRef authnContextClassRef, List<Attribute> attrList,
NameID subjectNameID, SubjectConfirmationData subjectConfirmationData,
- String sessionIndex) throws ConfigurationException {
+ String sessionIndex, DateTime isValidTo) throws ConfigurationException {
Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class);
AuthnContext authnContext = SAML2Utils
@@ -448,10 +449,9 @@ public class PVP2AssertionBuilder implements PVPConstants {
audience.setAudienceURI(entityID);
audienceRestriction.getAudiences().add(audience);
- conditions.setNotBefore(date);
-
- conditions.setNotOnOrAfter(date.plusMinutes(5));
-
+ conditions.setNotBefore(date);
+ conditions.setNotOnOrAfter(isValidTo);
+
conditions.getAudienceRestrictions().add(audienceRestriction);
assertion.setConditions(conditions);
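Review bot: `conditions.setNotOnOrAfter(isValidTo)` accepts the parameter unchecked: when `isValidTo` is null (the getter it is derived from can be null) the Conditions element presumably goes out without a NotOnOrAfter, and when it is not after `date` the assertion is already expired at issue time. A guard before the call such as `if (isValidTo == null || !isValidTo.isAfter(date)) throw new ConfigurationException(...)` with a message naming the session would fail loudly instead; the method already declares `ConfigurationException`, though I cannot see its constructor signature in the diff. `buildGenericAssertion` continues beyond the hunk.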
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index 5daca0888..1c74aea55 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -72,19 +72,20 @@ public class AuthenticationSessionStoreage {
}
}
- public static AuthenticationSession createSession() throws MOADatabaseException {
+ public static AuthenticationSession createSession() throws MOADatabaseException, BuildException {
String id = Random.nextRandom();
- AuthenticationSession session = new AuthenticationSession(id);
-
+
AuthenticatedSessionStore dbsession = new AuthenticatedSessionStore();
dbsession.setSessionid(id);
dbsession.setAuthenticated(false);
- //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1
- dbsession.setCreated(new Date());
- dbsession.setUpdated(new Date());
+ //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1
+ Date now = new Date();
+ dbsession.setCreated(now);
+ dbsession.setUpdated(now);
- dbsession.setSession(SerializationUtils.serialize(session));
+ AuthenticationSession session = new AuthenticationSession(id, now);
+ encryptSession(session, dbsession);
//store AssertionStore element to Database
try {
@@ -674,7 +675,7 @@ public class AuthenticationSessionStoreage {
return result.get(0).getInderfederation().get(0);
}
- public static String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption {
+ public static String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException {
AuthenticatedSessionStore dbsession = null;
//search for active SSO session
@@ -692,28 +693,28 @@ public class AuthenticationSessionStoreage {
String id = null;
Date now = new Date();
-
//create new MOASession if any exists
+ AuthenticationSession session = null;
if (dbsession == null) {
id = Random.nextRandom();
dbsession = new AuthenticatedSessionStore();
dbsession.setSessionid(id);
dbsession.setCreated(now);
-
+ session = new AuthenticationSession(id, now);
+
} else {
id = dbsession.getSessionid();
-
+ session = decryptSession(dbsession);
+
}
-
+
dbsession.setInterfederatedSSOSession(true);
dbsession.setAuthenticated(isAuthenticated);
- dbsession.setUpdated(now);
-
- AuthenticationSession session = new AuthenticationSession(id);
+ dbsession.setUpdated(now);
session.setAuthenticated(true);
- session.setAuthenticatedUsed(false);
- dbsession.setSession(SerializationUtils.serialize(session));
-
+ session.setAuthenticatedUsed(false);
+ encryptSession(session, dbsession);
+
//add interfederation information
List<InterfederationSessionStore> idpList = dbsession.getInderfederation();
InterfederationSessionStore idp = null;
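Review bot: In the `else` branch the existing SSO session is now decrypted and reused (`session = decryptSession(dbsession)`), and `session.setAuthenticated(true)` then runs on it unconditionally while `dbsession.setAuthenticated(isAuthenticated)` on the line above honours the parameter; re-encrypting a live SSO session with the flags diverging for a not-yet-authenticated interfederated login is new behaviour, and I cannot tell from the hunk whether that is intended. `session.setAuthenticated(isAuthenticated);` would keep the in-memory and database states consistent. If `decryptSession` can signal failure by returning null rather than throwing, `session` should also be checked before it is used. The method continues beyond the hunk.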