authorThomas Lenz <tlenz@iaik.tugraz.at>2014-03-07 15:25:00 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-03-07 15:25:00 +0100
commit56ce62018a9f29f54991d7ea26c74da86305ee0a (patch)
treef069bac423bfd2092bff2773bf69fd32c32360a7 /id/server/idserverlib/src/main
parentef72bd803121c3383ca9c8f0dd1c308c04963330 (diff)
first test of authentication that requires no browser session (req.getSession())
Diffstat (limited to 'id/server/idserverlib/src/main')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java118
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java81
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java4
9 files changed, 82 insertions, 150 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 9ac9986c8..fd47c5f53 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -1886,7 +1886,9 @@ public class AuthenticationServer implements MOAIDAuthConstants {
String providerName= oaParam.getFriendlyName();
Logger.debug("Issuer value: " + issuerValue);
- String acsURL = issuerValue + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN;
+// String acsURL = issuerValue + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN
+ String acsURL = new DataURLBuilder().buildDataURL(issuerValue,
+ PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN, moasession.getSessionID());
Logger.debug("MOA Assertion Consumer URL (PEPSConnctor): " + acsURL);
// prepare collection of required attributes
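Review bot: The MOA session ID is now part of `acsURL`, and the debug line right after the change writes the full URL to the log, so a value the old code kept in a server-side HttpSession attribute ends up in log files (and in the AssertionConsumerServiceURL handed to the remote PEPS). Since this session ID is what PEPSConnectorServlet later reads back from `PARAM_SESSIONID` to reattach the response to this authentication, it should be treated like a credential and kept out of logs: `Logger.debug("MOA Assertion Consumer URL (PEPSConnctor): " + issuerValue + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN);` logs the endpoint without the ID. The enclosing method starts and ends outside the hunk.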
@@ -1979,8 +1981,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
//send
moasession.setStorkAuthnRequest(authnRequest);
- HttpSession httpSession = req.getSession();
- httpSession.setAttribute("MOA-Session-ID", moasession.getSessionID());
+// HttpSession httpSession = req.getSession();
+// httpSession.setAttribute("MOA-Session-ID", moasession.getSessionID());
Logger.info("Preparing to send STORK AuthnRequest.");
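Review bot: The two `httpSession` lines are commented out rather than deleted; since this commit replaces the HttpSession mechanism, the dead lines should go and the reason be stated in one comment, e.g. `// session ID travels in the ACS URL (see acsURL above), not in the HttpSession`. The same commented-out leftovers appear at the `httpSession.invalidate()` lines in the next hunk and in PEPSConnectorServlet, at the `errorRequests`, `httpSession` and `protocolRequests` lines in DispatcherServlet, and at the `setAttribute` lines in AuthenticationManager, PVP2XProtocol and SAML1Protocol. Commented-out code reads as a pending decision and will be resurrected by the next reader who does not know it was superseded.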
@@ -2002,7 +2004,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
resp.getOutputStream().write(writer.toString().getBytes());
} catch (Exception e) {
Logger.error("Error sending STORK SAML AuthnRequest.", e);
- httpSession.invalidate();
+ //httpSession.invalidate();
throw new MOAIDException("stork.02", new Object[] { destination });
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
index f3495966a..12cf54e16 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
@@ -88,8 +88,7 @@ public class LogOutServlet extends AuthServlet {
AuthenticationManager authmanager = AuthenticationManager.getInstance();
String moasessionid = AuthenticationSessionStoreage.getMOASessionID(ssoid);
- RequestStorage.removePendingRequest(RequestStorage.getPendingRequest(req.getSession()),
- AuthenticationSessionStoreage.getPendingRequestID(moasessionid));
+ RequestStorage.removePendingRequest(AuthenticationSessionStoreage.getPendingRequestID(moasessionid));
authmanager.logout(req, resp, moasessionid);
Logger.info("User with SSO Id " + ssoid + " is logged out and get redirect to "+ redirectUrl);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
index c6cd5cd86..7c96c2194 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
@@ -40,6 +40,7 @@ import javax.xml.bind.JAXBElement;
import javax.xml.transform.stream.StreamSource;
import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang.StringEscapeUtils;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
@@ -112,8 +113,10 @@ public class PEPSConnectorServlet extends AuthServlet {
super.checkIfHTTPisAllowed(request.getRequestURL().toString());
Logger.debug("Trying to find MOA Session-ID");
- HttpSession httpSession = request.getSession();
- String moaSessionID = (String) httpSession.getAttribute("MOA-Session-ID");
+ String moaSessionID = request.getParameter(PARAM_SESSIONID);
+
+ // escape parameter strings
+ moaSessionID= StringEscapeUtils.escapeHtml(moaSessionID);
if (StringUtils.isEmpty(moaSessionID)) {
//No authentication session has been started before
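Review bot: `moaSessionID` now comes straight from the `PARAM_SESSIONID` request parameter, so any client that knows or guesses a session ID can attach its PEPS response to that authentication, whereas the HttpSession previously tied the ID to the requesting browser. `StringEscapeUtils.escapeHtml` does not help with that: it rewrites characters instead of rejecting them, so a malformed ID reaches the storage lookup with `&amp;`-style substitutions rather than failing; a strict check against the session-ID alphabet and length that fails the request on mismatch, e.g. `if (StringUtils.isEmpty(moaSessionID) || !moaSessionID.matches("[A-Za-z0-9_-]+")) {` (alphabet constructed here, to be confirmed against the generator), is the appropriate control. Whether the returned SAML response is later matched against the stored STORK AuthnRequest ID is outside the hunk, so I cannot tell if that second binding exists. The enclosing method continues outside the hunk.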
@@ -308,7 +311,7 @@ public class PEPSConnectorServlet extends AuthServlet {
response.getOutputStream().write(writer.toString().getBytes());
} catch (Exception e1) {
Logger.error("Error sending gender retrival form.", e1);
- httpSession.invalidate();
+// httpSession.invalidate();
throw new MOAIDException("stork.10", null);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
index 7c2a032a1..72b479112 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
@@ -147,8 +147,7 @@ public class VerifyIdentityLinkServlet extends AuthServlet {
throw new IOException(e.getMessage());
}
String sessionID = req.getParameter(PARAM_SESSIONID);
-
-
+
// escape parameter strings
sessionID = StringEscapeUtils.escapeHtml(sessionID);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 31c6f43c5..487e86b34 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -109,41 +109,24 @@ public class DispatcherServlet extends AuthServlet{
Object idObject = req.getParameter(PARAM_TARGET_PENDINGREQUESTID);
- Map<String, IRequest> errorRequests = RequestStorage.getPendingRequest(req.getSession());
+ //Map<String, IRequest> errorRequests = RequestStorage.getPendingRequest(req.getSession());
String pendingRequestID = null;
if (idObject != null && (idObject instanceof String)) {
- if (errorRequests.containsKey((String)idObject))
- pendingRequestID = (String) idObject;
+ pendingRequestID = (String) idObject;
}
if (throwable != null) {
- if (errorRequests != null) {
-
- synchronized (errorRequests) {
IRequest errorRequest = null;
if (pendingRequestID != null) {
- errorRequest = errorRequests.get(pendingRequestID);
+ errorRequest = RequestStorage.getPendingRequest(pendingRequestID);
- //remove the
- RequestStorage.removePendingRequest(errorRequests, pendingRequestID);
- }
- else {
- if (errorRequests.size() > 1) {
- handleErrorNoRedirect(throwable.getMessage(), throwable,
- req, resp);
-
- } else {
- Set<String> keys = errorRequests.keySet();
- errorRequest = errorRequests.get(keys.toArray()[0]);
- RequestStorage.removeAllPendingRequests(req.getSession());
- }
-
}
if (errorRequest != null) {
-
+ RequestStorage.removePendingRequest(pendingRequestID);
+
try {
IModulInfo handlingModule = ModulStorage
.getModuleByPath(errorRequest
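Review bot: `pendingRequestID` is now taken from the request parameter with no check that it belongs to the caller: the removed `errorRequests.containsKey` test tied it to the caller's own HttpSession, while `RequestStorage.getPendingRequest` looks it up in storage shared by all users. Whoever supplies a valid ID therefore gets that request removed at `RequestStorage.removePendingRequest(pendingRequestID)` and its error handling run on their connection; the same lookup pattern appears in the third hunk of this file for `protocolRequest`. That is acceptable only if the IDs from `Random.nextRandom()` are long and unpredictable, which this diff does not show; at minimum the removal should happen only after the module lookup that follows succeeds, and the ID format should be validated before the storage call. The enclosing method and the `try` opened at the end of the hunk continue outside it.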
@@ -177,16 +160,9 @@ public class DispatcherServlet extends AuthServlet{
}
handleErrorNoRedirect(throwable.getMessage(), throwable,
req, resp);
-
- } else {
- // TODO: use better string
- handleErrorNoRedirect("UNKOWN ERROR DETECTED!", null, req,
- resp);
- }
return;
}
- }
Object moduleObject = req.getParameter(PARAM_TARGET_MODULE);
String module = null;
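Review bot: The `else` branch that reported `"UNKOWN ERROR DETECTED!"` is deleted, so a request that arrives with `throwable` set but no resolvable pending request no longer gets an error response; depending on which brace the `}` before `Object moduleObject` now closes (the hunk does not show enough to be certain), the servlet either falls through into normal dispatch with the throwable ignored or returns without writing anything. Keep an explicit fallback, e.g. `} else { handleErrorNoRedirect(throwable.getMessage(), throwable, req, resp); }` before the `return;`, so a failed request always produces an error page. The enclosing method continues outside the hunk.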
@@ -247,32 +223,24 @@ public class DispatcherServlet extends AuthServlet{
}
}
- HttpSession httpSession = req.getSession();
- Map<String, IRequest> protocolRequests = null;
+ //HttpSession httpSession = req.getSession();
+ //Map<String, IRequest> protocolRequests = null;
IRequest protocolRequest = null;
try {
- protocolRequests = RequestStorage.getPendingRequest(httpSession);
-
Object idObject = req.getParameter(PARAM_TARGET_PENDINGREQUESTID);
- if (protocolRequests != null &&
- idObject != null && (idObject instanceof String)) {
+ if (idObject != null && (idObject instanceof String)) {
protocolRequestID = (String) idObject;
-
+ protocolRequest = RequestStorage.getPendingRequest(protocolRequestID);
+
//get IRequest if it exits
- if (protocolRequests.containsKey(protocolRequestID)) {
- protocolRequest = protocolRequests.get(protocolRequestID);
+ if (protocolRequest != null) {
Logger.debug(DispatcherServlet.class.getName()+": Found PendingRequest with ID " + protocolRequestID);
} else {
- Logger.error("No PendingRequest with ID " + protocolRequestID + " found.!");
-
- Set<String> mapkeys = protocolRequests.keySet();
- for (String el : mapkeys)
- Logger.debug("PendingRequest| ID=" + el + " OAIdentifier=" + protocolRequests.get(el));
-
+ Logger.error("No PendingRequest with ID " + protocolRequestID + " found.!");
handleErrorNoRedirect("Während des Anmeldevorgangs ist ein Fehler aufgetreten. Bitte versuchen Sie es noch einmal.",
null, req, resp);
return;
@@ -282,43 +250,25 @@ public class DispatcherServlet extends AuthServlet{
protocolRequest = info.preProcess(req, resp, action);
if (protocolRequest != null) {
+
+ //Start new Authentication
+ protocolRequest.setAction(action);
+ protocolRequest.setModule(module);
+ protocolRequestID = Random.nextRandom();
+ protocolRequest.setRequestID(protocolRequestID);
- if(protocolRequests != null) {
+ RequestStorage.setPendingRequest(protocolRequest);
- Set<String> mapkeys = protocolRequests.keySet();
- for (String el : mapkeys) {
- IRequest value = protocolRequests.get(el);
-
- if (value.getOAURL().equals(protocolRequest.getOAURL())) {
-
- if(!AuthenticationSessionStoreage.deleteSessionWithPendingRequestID(el)) {
- Logger.warn(DispatcherServlet.class.getName()+": NO MOASession with PendingRequestID " + el + " found. Delete all user sessions!");
- RequestStorage.removeAllPendingRequests(req.getSession());
-
- } else {
- RequestStorage.removePendingRequest(protocolRequests, el);
- }
- }
- }
-
- } else {
- protocolRequests = new ConcurrentHashMap<String, IRequest>();
- }
+ Logger.debug(DispatcherServlet.class.getName()+": Create PendingRequest with ID " + protocolRequestID + ".");
+
+ } else {
+ Logger.error("Failed to generate a valid protocol request!");
+ resp.setContentType("text/html;charset=UTF-8");
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!");
+ return;
- synchronized (protocolRequest) {
- synchronized (protocolRequests) {
-
- //Start new Authentication
- protocolRequest.setAction(action);
- protocolRequest.setModule(module);
- protocolRequestID = Random.nextRandom();
- protocolRequest.setRequestID(protocolRequestID);
- protocolRequests.put(protocolRequestID, protocolRequest);
- Logger.debug(DispatcherServlet.class.getName()+": Create PendingRequest with ID " + protocolRequestID + ".");
- }
- }
}
-
+
} catch (ProtocolNotActiveException e) {
resp.getWriter().write(e.getMessage());
resp.setContentType("text/html;charset=UTF-8");
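Review bot: The loop that removed existing pending requests for the same `getOAURL()` before storing a new one is dropped, so every fresh login for an OA adds another entry to the shared storage via `RequestStorage.setPendingRequest(protocolRequest)` and earlier, abandoned ones are only removed if a later `removePendingRequest` call reaches them; unless AssertionStorage expires entries on its own (not visible here), they accumulate. `setPendingRequest` also declares `throws MOAIDException`, and the only catch visible in this hunk is for `ProtocolNotActiveException`, so either the enclosing method declares it or a catch outside the hunk handles it; worth confirming, since an uncaught failure here would leave the request without a response. The `try` block and the method continue outside the hunk.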
@@ -338,18 +288,8 @@ public class DispatcherServlet extends AuthServlet{
return;
}
-
- if (protocolRequest == null) {
- Logger.error("Failed to generate a valid protocol request!");
- resp.setContentType("text/html;charset=UTF-8");
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!");
- return;
-
- }
}
-
- RequestStorage.setPendingRequest(httpSession, protocolRequests);
-
+
AuthenticationManager authmanager = AuthenticationManager.getInstance();
SSOManager ssomanager = SSOManager.getInstance();
@@ -470,7 +410,7 @@ public class DispatcherServlet extends AuthServlet{
String assertionID = moduleAction.processRequest(protocolRequest, req, resp, moasession);
- RequestStorage.removePendingRequest(protocolRequests, protocolRequestID);
+ RequestStorage.removePendingRequest(protocolRequestID);
if (needAuthentication) {
boolean isSSOSession = MiscUtil.isNotEmpty(newSSOSessionId);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 666224b3a..03a61d08f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -252,7 +252,7 @@ public class AuthenticationManager extends AuthServlet {
}
//set MOAIDSession
- request.getSession().setAttribute(MOA_SESSION, moasession.getSessionID());
+ //request.getSession().setAttribute(MOA_SESSION, moasession.getSessionID());
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = new PrintWriter(response.getOutputStream());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java
index bfe1151c4..21b4e2b65 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java
@@ -22,64 +22,53 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.moduls;
-import java.util.Map;
-
-import javax.servlet.http.HttpSession;
-
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.storage.AssertionStorage;
import at.gv.egovernment.moa.logging.Logger;
public class RequestStorage {
- private static final String PENDING_REQUEST = "PENDING_REQUEST";
-
- public static Map<String,IRequest> getPendingRequest(HttpSession session) {
+ public static IRequest getPendingRequest(String pendingReqID) {
-
- Object obj = session.getAttribute(PENDING_REQUEST);
- if (obj != null) {
- synchronized (obj) {
- if (obj instanceof Map<?,?>) {
- if (((Map<?,?>) obj).size() > 0) {
- if ( ((Map<?,?>) obj).keySet().toArray()[0] instanceof String) {
- if (((Map<?,?>) obj).get(((Map<?,?>) obj).keySet().toArray()[0])
- instanceof IRequest) {
- return (Map<String, IRequest>) obj;
-
-
-
- }
- }
- }
- }
- }
- session.setAttribute(PENDING_REQUEST, null);
- }
+ try {
+ AssertionStorage storage = AssertionStorage.getInstance();
+ IRequest pendingRequest = storage.get(pendingReqID, IRequest.class);
+ return pendingRequest;
+
+ } catch (MOADatabaseException e) {
+ Logger.info("No PendingRequst found with pendingRequestID " + pendingReqID);
return null;
+
+ }
}
- public static void setPendingRequest(HttpSession session, Map<String, IRequest> request) {
- session.setAttribute(PENDING_REQUEST, request);
- }
-
- public static void removeAllPendingRequests(HttpSession session) {
-
- Logger.debug(RequestStorage.class.getName()+": Remove all PendingRequests");
+ public static void setPendingRequest(Object pendingRequest) throws MOAIDException {
+ try {
+ AssertionStorage storage = AssertionStorage.getInstance();
+
+ if (pendingRequest instanceof IRequest) {
+ storage.put(((IRequest)pendingRequest).getRequestID(), pendingRequest);
+
+ } else {
+ throw new MOAIDException("auth.20", null);
+
+ }
+
+ } catch (MOADatabaseException e) {
+ Logger.warn("Pending Request with ID=" + ((IRequest)pendingRequest).getRequestID() +
+ " can not stored.", e);
+ throw new MOAIDException("auth.20", null);
+ }
- session.setAttribute(PENDING_REQUEST, null);
}
- public static void removePendingRequest(Map<String, IRequest> requestmap, String requestID) {
-
- if (requestmap != null && requestID != null) {
+ public static void removePendingRequest(String requestID) {
- synchronized (requestmap) {
-
- if (requestmap.containsKey(requestID)) {
- requestmap.remove(requestID);
- Logger.debug(RequestStorage.class.getName()+": Remove PendingRequest with ID " + requestID);
-
- }
- }
+ if (requestID != null) {
+ AssertionStorage storage = AssertionStorage.getInstance();
+ storage.remove(requestID);
+
}
}
}
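Review bot: `setPendingRequest(Object pendingRequest)` accepts any object and then checks `instanceof IRequest` at runtime; the only caller in this diff passes an `IRequest`, so the signature should say so and let the compiler enforce it: `public static void setPendingRequest(IRequest pendingRequest) throws MOAIDException {`, which also lets the `instanceof` branch and the cast in the catch block go. The class has no documentation although its contract changed from per-HttpSession maps to a storage shared across all users and keyed only by the request ID; a class Javadoc should state that the pending-request ID is the sole binding between a browser and its request, that `getPendingRequest` returns `null` when the ID is unknown, and that `removePendingRequest` silently ignores `null`. What `storage.get` and `storage.remove` do for an unknown or `null` ID depends on AssertionStorage, which is outside this diff.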
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 1d85f29bf..db83233fe 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -245,7 +245,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
}
}
- request.getSession().setAttribute(PARAM_OA, oaURL);
+ //request.getSession().setAttribute(PARAM_OA, oaURL);
return config;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
index e587ef0e1..d82bd1496 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
@@ -125,8 +125,8 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants {
config.setTarget(oaParam.getTarget());
- request.getSession().setAttribute(PARAM_OA, oaURL);
- request.getSession().setAttribute(PARAM_TARGET, oaParam.getTarget());
+// request.getSession().setAttribute(PARAM_OA, oaURL);
+// request.getSession().setAttribute(PARAM_TARGET, oaParam.getTarget());
return config;
}