diff options
| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2013-07-24 17:13:31 +0200 |
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2013-07-24 17:13:31 +0200 |
| commit | cfb70f755c45a2cad582e8030b1542add9949efb (patch) | |
| tree | 039123854ab630f81dd2387d0f7636056e9e304a /id/server/idserverlib/src/main | |
| parent | 71da4a9bc7e2ff79b2fb4cf8903d15fd75372859 (diff) | |
| download | moa-id-spss-cfb70f755c45a2cad582e8030b1542add9949efb.tar.gz moa-id-spss-cfb70f755c45a2cad582e8030b1542add9949efb.tar.bz2 moa-id-spss-cfb70f755c45a2cad582e8030b1542add9949efb.zip | |
- SSO finalized
- SSO Session is not closed if a new single authentication operation is started
- PVP2 Configuration from Database (but without Metadata) --> TODO: change MetaDataProvider
- Add additional UserFrame in case of SSO
- MOASession encryption
TODO: MetaDataProvider, IdentityLink resign, SSO with Mandates, Legacy Template generation
Diffstat (limited to 'id/server/idserverlib/src/main')
39 files changed, 1521 insertions, 345 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index a127dc6b5..f1c15e83b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -2575,16 +2575,17 @@ public class AuthenticationServer implements MOAIDAuthConstants { Logger.debug("Issuer value: " + issuerValue); - QualityAuthenticationAssuranceLevel qaaLevel = null;//TODO UNCOMMENT AGAIN !! = STORKMessagesBuilder.buildQualityAuthenticationAssuranceLevel(oaParam.getQaaLevel().getValue()); + QualityAuthenticationAssuranceLevel qaaLevel = STORKMessagesBuilder.buildQualityAuthenticationAssuranceLevel(oaParam.getQaaLevel().getValue()); //Logger.debug("QAALevel: " + qaaLevel.getValue()); RequestedAttributes requestedAttributes = null; - //TODO UNCOMMENT AGAIN !! requestedAttributes = oaParam.getRequestedAttributes(); + requestedAttributes = oaParam.getRequestedAttributes(); requestedAttributes.detach(); List<RequestedAttribute> reqAttributeList = new ArrayList<RequestedAttribute>(); List<RequestedAttribute> oaReqAttributeList = null; - //TODO UNCOMMENT AGAIN !! oaReqAttributeList = new ArrayList<RequestedAttribute>(oaParam.getRequestedAttributes().getRequestedAttributes()); + oaReqAttributeList = new ArrayList<RequestedAttribute>(oaParam.getRequestedAttributes().getRequestedAttributes()); + //check if country specific attributes must be additionally requested if (!cpeps.getCountrySpecificRequestedAttributes().isEmpty()) { //add country specific attributes to be requested (Hierarchy: default oa attributes > country specific attributes > oa specific attributes diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java index 5f100d5fe..9ba11bebd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java @@ -1,17 +1,26 @@ package at.gv.egovernment.moa.id.auth.builder; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; import java.io.InputStream; import java.io.StringWriter; +import java.net.URI; import org.apache.commons.io.IOUtils; import at.gv.egovernment.moa.id.auth.servlet.GenerateIFrameTemplateServlet; import at.gv.egovernment.moa.id.config.OAParameter; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol; import at.gv.egovernment.moa.logging.Logger; public class LoginFormBuilder { + + private static final String HTMLTEMPLATESDIR = "htmlTemplates/"; + private static final String HTMLTEMPLATEFULL = "loginFormFull.html"; + private static final String HTMLTEMPLATEIFRAME = "loginFormIFrame.html"; private static String AUTH_URL = "#AUTH_URL#"; private static String MODUL = "#MODUL#"; @@ -24,16 +33,41 @@ public class LoginFormBuilder { private static String SERVLET = CONTEXTPATH+"/GenerateIframeTemplate"; - private static String template; - - private static String getTemplate() { + private static String getTemplate(boolean isIFrame) { - if (template == null) { + String template = null; + try { - String classpathLocation = "resources/templates/loginForm.html"; - InputStream input = Thread.currentThread() - .getContextClassLoader() - .getResourceAsStream(classpathLocation); + String pathLocation; + + InputStream input; + + String rootconfigdir = AuthConfigurationProvider.getInstance().getRootConfigFileDir(); + + if (isIFrame) + pathLocation = rootconfigdir + HTMLTEMPLATESDIR + HTMLTEMPLATEIFRAME; + else + pathLocation = rootconfigdir + HTMLTEMPLATESDIR + HTMLTEMPLATEFULL; + + try { + File file = new File(new URI(pathLocation)); + input = new FileInputStream(file); + + } catch (FileNotFoundException e) { + + Logger.warn("No LoginFormTempaltes found. Use Generic Templates from package."); + + if (isIFrame) + pathLocation = "resources/templates/" + HTMLTEMPLATEIFRAME; + else + pathLocation = "resources/templates/" + HTMLTEMPLATEFULL; + + input = Thread.currentThread() + .getContextClassLoader() + .getResourceAsStream(pathLocation); + + } + StringWriter writer = new StringWriter(); IOUtils.copy(input, writer); template = writer.toString(); @@ -41,16 +75,17 @@ public class LoginFormBuilder { template = template.replace(BKU_ONLINE, OAAuthParameter.ONLINEBKU); template = template.replace(BKU_HANDY, OAAuthParameter.HANDYBKU); template = template.replace(BKU_LOCAL, OAAuthParameter.LOCALBKU); + + input.close(); + } catch (Exception e) { Logger.error("Failed to read template", e); } - } - - return template; + return template; } - public static String buildLoginForm(String modul, String action, String oaname, String contextpath) { - String value = getTemplate(); + public static String buildLoginForm(String modul, String action, String oaname, String contextpath, boolean isIFrame) { + String value = getTemplate(isIFrame); if(value != null) { if(modul == null) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java new file mode 100644 index 000000000..a72848832 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java @@ -0,0 +1,96 @@ +package at.gv.egovernment.moa.id.auth.builder; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.InputStream; +import java.io.StringWriter; +import java.net.URI; + +import org.apache.commons.io.IOUtils; + +import at.gv.egovernment.moa.id.auth.servlet.GenerateIFrameTemplateServlet; +import at.gv.egovernment.moa.id.config.OAParameter; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol; +import at.gv.egovernment.moa.logging.Logger; + +public class SendAssertionFormBuilder { + + private static final String HTMLTEMPLATESDIR = "htmlTemplates/"; + private static final String HTMLTEMPLATEFULL = "sendAssertionFormFull.html"; + private static final String HTMLTEMPLATEIFRAME = "sendAssertionFormIFrame.html"; + + private static String URL = "#URL#"; + private static String MODUL = "#MODUL#"; + private static String ACTION = "#ACTION#"; + private static String OANAME = "#OAName#"; + private static String CONTEXTPATH = "#CONTEXTPATH#"; + + private static String SERVLET = CONTEXTPATH+"/SSOSendAssertionServlet"; + + private static String getTemplate(boolean isIFrame) { + + String template = null; + + try { + String pathLocation; + InputStream input; + + String rootconfigdir = AuthConfigurationProvider.getInstance().getRootConfigFileDir(); + + if (isIFrame) + pathLocation = rootconfigdir + HTMLTEMPLATESDIR + HTMLTEMPLATEIFRAME; + else + pathLocation = rootconfigdir + HTMLTEMPLATESDIR + HTMLTEMPLATEFULL; + + try { + File file = new File(new URI(pathLocation)); + input = new FileInputStream(file); + + } catch (FileNotFoundException e) { + + Logger.warn("No LoginFormTempaltes found. Use Generic Templates from package."); + + if (isIFrame) + pathLocation = "resources/templates/" + HTMLTEMPLATEIFRAME; + else + pathLocation = "resources/templates/" + HTMLTEMPLATEFULL; + + input = Thread.currentThread() + .getContextClassLoader() + .getResourceAsStream(pathLocation); + + } + + StringWriter writer = new StringWriter(); + IOUtils.copy(input, writer); + template = writer.toString(); + template = template.replace(URL, SERVLET); + } catch (Exception e) { + Logger.error("Failed to read template", e); + } + + return template; + } + + public static String buildForm(String modul, String action, String oaname, String contextpath, boolean isIFrame) { + String value = getTemplate(isIFrame); + + if(value != null) { + if(modul == null) { + modul = SAML1Protocol.PATH; + } + if(action == null) { + action = SAML1Protocol.GETARTIFACT; + } + value = value.replace(MODUL, modul); + value = value.replace(ACTION, action); + value = value.replace(OANAME, oaname); + value = value.replace(CONTEXTPATH, contextpath); + } + return value; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 94a41a21f..e6de2ce02 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -1103,7 +1103,7 @@ public class AuthenticationSession implements Serializable { * @return the ssoRequested */ - //TODO: SSO only allowed without mandates, actually + //TODO: SSO only allowed without mandates, actually!!!!!! public boolean isSsoRequested() { return ssoRequested && !useMandate; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index 3f82c2a4c..c9a10b812 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -36,7 +36,7 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ String targetFriendlyName = null; - String sso = req.getParameter(PARAM_SSO); +// String sso = req.getParameter(PARAM_SSO); // escape parameter strings //TODO: use URLEncoder.encode!! @@ -46,17 +46,20 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ templateURL = StringEscapeUtils.escapeHtml(templateURL); useMandate = StringEscapeUtils.escapeHtml(useMandate); ccc = StringEscapeUtils.escapeHtml(ccc); - sso = StringEscapeUtils.escapeHtml(sso); +// sso = StringEscapeUtils.escapeHtml(sso); // check parameter - if (!ParamValidatorUtils.isValidOA(oaURL)) - throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); + + //pvp2.x can use general identifier (equals oaURL in SAML1) +// if (!ParamValidatorUtils.isValidOA(oaURL)) +// throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); + if (!ParamValidatorUtils.isValidUseMandate(useMandate)) throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12"); if (!ParamValidatorUtils.isValidCCC(ccc)) throw new WrongParametersException("StartAuthentication", PARAM_CCC, "auth.12"); - if (!ParamValidatorUtils.isValidUseMandate(sso)) - throw new WrongParametersException("StartAuthentication", PARAM_SSO, "auth.12"); +// if (!ParamValidatorUtils.isValidUseMandate(sso)) +// throw new WrongParametersException("StartAuthentication", PARAM_SSO, "auth.12"); //check UseMandate flag String useMandateString = null; @@ -74,22 +77,7 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ moasession.setUseMandate(useMandateString); - - //check useSSO flag - String useSSOString = null; - boolean useSSOBoolean = false; - if ((sso != null) && (sso.compareTo("") != 0)) { - useSSOString = sso; - } else { - useSSOString = "false"; - } - - if (useSSOString.compareToIgnoreCase("true") == 0) - useSSOBoolean = true; - else - useSSOBoolean = false; - moasession.setSsoRequested(useSSOBoolean); - + //load OnlineApplication configuration OAAuthParameter oaParam; if (moasession.getPublicOAURLPrefix() != null) { @@ -128,6 +116,23 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ } +// //check useSSO flag +// String useSSOString = null; +// boolean useSSOBoolean = false; +// if ((sso != null) && (sso.compareTo("") != 0)) { +// useSSOString = sso; +// } else { +// useSSOString = "false"; +// } + // +// if (useSSOString.compareToIgnoreCase("true") == 0) +// useSSOBoolean = true; +// else +// useSSOBoolean = false; + + //moasession.setSsoRequested(useSSOBoolean); + moasession.setSsoRequested(true && oaParam.useSSO()); //make always SSO if OA requested it!!!! + //Validate BKU URI if (!ParamValidatorUtils.isValidBKUURI(bkuURL, oaParam.getBKUURL())) throw new WrongParametersException("StartAuthentication", PARAM_BKU, "auth.12"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java index 571d4e738..caf2e4490 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java @@ -92,7 +92,9 @@ public class LogOutServlet extends AuthServlet { //delete SSO session and MOA session AuthenticationManager authmanager = AuthenticationManager.getInstance(); - authmanager.logout(req, resp); + String moasessionid = AuthenticationSessionStoreage.getMOASessionID(ssoid); + + authmanager.logout(req, resp, moasessionid); Logger.info("User with SSO Id " + ssoid + " is logged out and get redirect to "+ redirectUrl); } else { Logger.info("No active SSO session found. User is maybe logout already and get redirect to "+ redirectUrl); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java new file mode 100644 index 000000000..ecbd87498 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java @@ -0,0 +1,125 @@ +package at.gv.egovernment.moa.id.auth.servlet; + +import iaik.util.logging.Log; + +import java.io.IOException; +import java.io.PrintWriter; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; + +import org.apache.commons.lang.StringEscapeUtils; + +import at.gv.egovernment.moa.id.AuthenticationException; +import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.WrongParametersException; +import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; +import at.gv.egovernment.moa.id.auth.builder.RedirectFormBuilder; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.moduls.ModulUtils; +import at.gv.egovernment.moa.id.moduls.RequestStorage; +import at.gv.egovernment.moa.id.moduls.SSOManager; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.egovernment.moa.util.URLEncoder; + + + +public class SSOSendAssertionServlet extends AuthServlet{ + + private static final long serialVersionUID = 1L; + + private static final String PARAM = "value"; + + protected void doPost(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + Logger.info("Receive " + SSOSendAssertionServlet.class + " Request"); + try { + + String value = req.getParameter(PARAM); + value = StringEscapeUtils.escapeHtml(value); + if (!ParamValidatorUtils.isValidUseMandate(value)) + throw new WrongParametersException("SSOSendAssertionServlet", PARAM, null); + + + SSOManager ssomanager = SSOManager.getInstance(); + //get SSO Cookie for Request + String ssoId = ssomanager.getSSOSessionID(req); + + //check SSO session + if (ssoId != null) { + String correspondingMOASession = ssomanager.existsOldSSOSession(ssoId); + + if (correspondingMOASession != null) { + Log.warn("Request sends an old SSO Session ID("+ssoId+")! " + + "Invalidate the corresponding MOASession with ID="+ correspondingMOASession); + + + AuthenticationSessionStoreage.destroySession(correspondingMOASession); + + ssomanager.deleteSSOSessionID(req, resp); + } + } + + boolean isValidSSOSession = ssomanager.isValidSSOSession(ssoId, req); + + String moaSessionID = null; + + if (isValidSSOSession) { + + + //check UseMandate flag + String valueString = null;; + if ((value != null) && (value.compareTo("") != 0)) { + valueString = value; + } else { + valueString = "false"; + } + + if (valueString.compareToIgnoreCase("true") == 0) { + moaSessionID = AuthenticationSessionStoreage.getMOASessionID(ssoId); + AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(moaSessionID); + AuthenticationSessionStoreage.setAuthenticated(moaSessionID, true); + + HttpSession httpSession = req.getSession(); + IRequest protocolRequest = RequestStorage.getPendingRequest(httpSession); + + if (protocolRequest == null) + throw new AuthenticationException("auth.21", new Object[] {}); + + String redirectURL = new DataURLBuilder().buildDataURL(moasession.getAuthURL(), + ModulUtils.buildAuthURL(protocolRequest.requestedModule(), protocolRequest.requestedAction()), ""); + + resp.setContentType("text/html"); + resp.setStatus(302); + + resp.addHeader("Location", redirectURL); + Logger.debug("REDIRECT TO: " + redirectURL); + + } + + else { + throw new AuthenticationException("auth.21", new Object[] {}); + } + + } else { + handleError("SSO Session is not valid", null, req, resp); + } + + + } catch (MOADatabaseException e) { + handleError("SSO Session is not found", e, req, resp); + } catch (WrongParametersException e) { + handleError("Parameter is not valid", e, req, resp); + } catch (AuthenticationException e) { + handleError(e.getMessage(), e, req, resp); + } + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 713fd538e..ffcb85044 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.config.auth; +import iaik.security.cipher.AESKeyGenerator; import iaik.util.logging.Log; import java.io.File; @@ -31,11 +32,16 @@ import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.net.MalformedURLException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Properties; +import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; +import javax.crypto.NoSuchPaddingException; import javax.xml.bind.JAXBContext; import javax.xml.bind.Marshaller; import javax.xml.bind.Unmarshaller; @@ -56,6 +62,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.MOAIDConfiguration; import at.gv.egovernment.moa.id.commons.db.dao.config.MOASP; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineMandates; +import at.gv.egovernment.moa.id.commons.db.dao.config.PVP2; import at.gv.egovernment.moa.id.commons.db.dao.config.Protocols; import at.gv.egovernment.moa.id.commons.db.dao.config.SLRequestTemplates; import at.gv.egovernment.moa.id.commons.db.dao.config.SSO; @@ -152,7 +159,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider { private static Properties props; private static STORKConfig storkconfig; - + /** * Return the single instance of configuration data. * @@ -288,6 +295,8 @@ public class AuthConfigurationProvider extends ConfigurationProvider { String legacyconfig = props.getProperty("configuration.xml.legacy"); String xmlconfig = props.getProperty("configuration.xml"); + String xmlconfigout = props.getProperty("configuration.xml.out"); + //check if XML config should be used if (MiscUtil.isNotEmpty(legacyconfig) || MiscUtil.isNotEmpty(xmlconfig)) { @@ -301,23 +310,14 @@ public class AuthConfigurationProvider extends ConfigurationProvider { if (MiscUtil.isNotEmpty(legacyconfig)) { Logger.warn("WARNING! MOA-ID 2.0 is started with legacy configuration. This setup is not recommended!"); - MOAIDConfiguration moaconfig = BuildFromLegacyConfig.build(legacyconfig, rootConfigFileDir); + MOAIDConfiguration moaconfig = BuildFromLegacyConfig.build(legacyconfig, rootConfigFileDir, props); ConfigurationDBUtils.save(moaconfig); Logger.info("Legacy Configuration load is completed."); - //TODO: only for Testing!!! - if (MiscUtil.isNotEmpty(xmlconfig)) { - Logger.info("Write MOA-ID 2.x xml config into " + xmlconfig); - JAXBContext jc = JAXBContext.newInstance("at.gv.egovernment.moa.id.commons.db.dao.config"); - Marshaller m = jc.createMarshaller(); - m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); - File test = new File(xmlconfig); - m.marshal(moaconfig, test); - - } + } - //load legacy config if it is configured + //load MOA-ID 2.x config from XML if (MiscUtil.isNotEmpty(xmlconfig)) { Logger.warn("Load configuration from MOA-ID 2.x XML configuration"); @@ -330,7 +330,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider { ConfigurationDBUtils.saveOrUpdate(moaconfig); } catch (Exception e) { - Log.err("MOA-ID XML configuration can not be loaded from File."); + Logger.warn("MOA-ID XML configuration can not be loaded from File.", e); throw new ConfigurationException("config.02", null); } Logger.info("XML Configuration load is completed."); @@ -341,6 +341,17 @@ public class AuthConfigurationProvider extends ConfigurationProvider { Logger.info("MOA-ID 2.0 is loaded."); + //TODO: only for Testing!!! + if (MiscUtil.isNotEmpty(xmlconfigout)) { + Logger.info("Write MOA-ID 2.x xml config into " + xmlconfig); + JAXBContext jc = JAXBContext.newInstance("at.gv.egovernment.moa.id.commons.db.dao.config"); + Marshaller m = jc.createMarshaller(); + m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); + File test = new File(xmlconfigout); + m.marshal(moaidconfig, test); + + } + //build STORK Config AuthComponentGeneral authgeneral = getAuthComponentGeneral(); ForeignIdentities foreign = authgeneral.getForeignIdentities(); @@ -348,7 +359,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider { Logger.warn("Error in MOA-ID Configuration. No STORK configuration found."); throw new ConfigurationException("config.02", null); } - storkconfig = new STORKConfig(foreign.getSTORK(), props); + storkconfig = new STORKConfig(foreign.getSTORK(), props, rootConfigFileDir); //load Chaining modes @@ -383,6 +394,37 @@ public class AuthConfigurationProvider extends ConfigurationProvider { } } + + public Properties getGeneralPVP2ProperiesConfig() { + Properties configProp = new Properties(); + for (Object key : props.keySet()) { + String propPrefix = "protocols.pvp2."; + if (key.toString().startsWith(propPrefix)) { + String propertyName = key.toString().substring(propPrefix.length()); + configProp.put(propertyName, props.get(key.toString())); + } + } + return configProp; + } + + + public PVP2 getGeneralPVP2DBConfig() { + + try { + AuthComponentGeneral auth = getAuthComponentGeneral(); + Protocols protocols = auth.getProtocols(); + if (protocols != null) { + return protocols.getPVP2(); + } + Logger.warn("Error in MOA-ID Configuration. No general Protcol configuration found."); + return null; + + } catch (ConfigurationException e) { + Logger.warn("Error in MOA-ID Configuration. No general AuthComponent configuration found."); + return null; + } + } + public TimeOuts getTimeOuts() throws ConfigurationException { AuthComponentGeneral auth = getAuthComponentGeneral(); @@ -708,6 +750,16 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return new String(); } + public String getMOASessionEncryptionKey() { + + String prop = props.getProperty("configuration.moasession.key"); + + if (MiscUtil.isEmpty(prop)) + return null; + else + return prop; + } + /** * Retruns the STORK Configuration * @return STORK Configuration diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 32c609e81..19a006982 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -222,6 +222,15 @@ public List<String> getTransformsInfos() { return false; } + public boolean useSSOWithoutQuestion() { + OASSO sso = oa_auth.getOASSO(); + if (sso != null) + return sso.isAuthDataFrame(); + else + return false; + + } + public String getSingleLogOutURL() { OASSO sso = oa_auth.getOASSO(); if (sso != null) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java index 4ee9986ff..61f0f7e90 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java @@ -1,8 +1,10 @@ package at.gv.egovernment.moa.id.config.legacy; import iaik.util.logging.Log; +import iaik.x509.X509Certificate; import java.io.BufferedInputStream; +import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; @@ -12,6 +14,7 @@ import java.util.Arrays; import java.util.Collections; import java.util.List; import java.util.Map; +import java.util.Properties; import java.util.Set; import org.opensaml.saml2.metadata.RequestedAttribute; @@ -78,7 +81,7 @@ public class BuildFromLegacyConfig { private static final String GENERIC_CONFIG_PARAM_SOURCEID = "AuthenticationServer.SourceID"; - public static MOAIDConfiguration build(String fileName, String rootConfigFileDir) throws ConfigurationException { + public static MOAIDConfiguration build(String fileName, String rootConfigFileDir, Properties properies) throws ConfigurationException { InputStream stream = null; Element configElem; ConfigurationBuilder builder; @@ -167,6 +170,7 @@ public class BuildFromLegacyConfig { PVP2 prot_pvp2 = new PVP2(); auth_protocols.setPVP2(prot_pvp2); prot_pvp2.setPublicURLPrefix("https://labda.iaik.tugraz.at:8443/moa-id-auth/"); + prot_pvp2.setIssuerName("MOA-ID 2.0 Demo IDP"); Organization pvp2_org = new Organization(); prot_pvp2.setOrganization(pvp2_org); @@ -174,15 +178,25 @@ public class BuildFromLegacyConfig { pvp2_org.setName("OrganisatioName"); pvp2_org.setURL("http://www.egiz.gv.at"); + List<Contact> pvp2_contacts = new ArrayList<Contact>(); + prot_pvp2.setContact(pvp2_contacts); + Contact pvp2_contact = new Contact(); - prot_pvp2.setContact(pvp2_contact); pvp2_contact.setCompany("OrganisationDisplayName"); pvp2_contact.setGivenName("Max"); - pvp2_contact.setMail("max@muster.mann"); - pvp2_contact.setPhone("01 5555 5555"); + + + List<String> mails = new ArrayList<String>(); + pvp2_contact.setMail(mails); + mails.add("max@muster.mann"); + + List<String> phones = new ArrayList<String>(); + pvp2_contact.setPhone(phones); + phones.add("01 5555 5555"); + pvp2_contact.setSurName("Mustermann"); pvp2_contact.setType("technical"); - + pvp2_contacts.add(pvp2_contact); //SSO SSO auth_sso = new SSO(); @@ -414,7 +428,19 @@ public class BuildFromLegacyConfig { OAPVP2 oa_pvp2 = new OAPVP2(); oa_auth.setOAPVP2(oa_pvp2); oa_pvp2.setMetadataURL("TODO!!!"); - oa_pvp2.setCertificate("TODO!!!".getBytes()); + + //TODO: is only a workaround!!!! + Properties props = getGeneralPVP2ProperiesConfig(properies); + File dir = new File(props.getProperty("idp.truststore")); + File[] files = dir.listFiles(); + if (files.length > 0) { + FileInputStream filestream = new FileInputStream(files[0]); + X509Certificate signerCertificate = new X509Certificate(filestream); + oa_pvp2.setCertificate(signerCertificate.getEncoded()); + + } else { + oa_pvp2.setCertificate(null); + } moa_oas.add(moa_oa); } @@ -494,4 +520,16 @@ public class BuildFromLegacyConfig { // auth_moaSP_connection.setClientKeyStore(auth_moaSP_connection_keyStore); return auth_moaSP_connection; } + + private static Properties getGeneralPVP2ProperiesConfig(Properties props) { + Properties configProp = new Properties(); + for (Object key : props.keySet()) { + String propPrefix = "protocols.pvp2."; + if (key.toString().startsWith(propPrefix)) { + String propertyName = key.toString().substring(propPrefix.length()); + configProp.put(propertyName, props.get(key.toString())); + } + } + return configProp; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java index 4b4364555..82c9a92da 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java @@ -43,9 +43,11 @@ public class STORKConfig { private STORK stork;
private Properties props;
private Map<String, CPEPS> cpepsMap;
+ private String basedirectory;
- public STORKConfig(STORK stork, Properties props) {
+ public STORKConfig(STORK stork, Properties props, String basedirectory) {
this.stork = stork;
+ this.basedirectory = basedirectory;
this.props = props;
//create CPEPS map
@@ -92,7 +94,7 @@ public class STORKConfig { public SignatureCreationParameter getSignatureCreationParameter() {
- return new SignatureCreationParameter(props);
+ return new SignatureCreationParameter(props, basedirectory);
}
public SignatureVerificationParameter getSignatureVerificationParameter() {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/SignatureCreationParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/SignatureCreationParameter.java index ee4fc1e20..4010ab491 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/SignatureCreationParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/SignatureCreationParameter.java @@ -40,9 +40,11 @@ public class SignatureCreationParameter { private static final String PROPS_KEYNAME_PASS = "keyname.password";
private Properties props;
+ private String basedirectory;
- SignatureCreationParameter(Properties props) {
+ SignatureCreationParameter(Properties props, String basedirectory) {
this.props = props;
+ this.basedirectory = basedirectory;
}
/**
@@ -50,7 +52,7 @@ public class SignatureCreationParameter { * @return File Path to KeyStore
*/
public String getKeyStorePath() {
- return props.getProperty(PROPS_PREFIX+PROPS_KEYSTORE_FILE);
+ return basedirectory + props.getProperty(PROPS_PREFIX+PROPS_KEYSTORE_FILE);
}
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 22f4a00ad..e995a1c2e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.storage.ExceptionStoreImpl; import at.gv.egovernment.moa.id.util.HTTPSessionUtils; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.id.util.legacy.LegacyHelper; import at.gv.egovernment.moa.logging.Logger; public class DispatcherServlet extends AuthServlet{ @@ -80,6 +81,10 @@ public class DispatcherServlet extends AuthServlet{ IRequest errorRequest = RequestStorage .getPendingRequest(req.getSession()); + + //remove the + RequestStorage.removePendingRequest(req.getSession()); + if (errorRequest != null) { try { IModulInfo handlingModule = ModulStorage @@ -204,7 +209,7 @@ public class DispatcherServlet extends AuthServlet{ .getOnlineApplicationParameter(protocolRequest.getOAURL()); if (oaParam == null) { //TODO: Find a better place for this!! - req.getSession().invalidate(); + //req.getSession().invalidate(); throw new AuthenticationException("auth.00", new Object[] { protocolRequest.getOAURL() }); } @@ -235,31 +240,32 @@ public class DispatcherServlet extends AuthServlet{ isValidSSOSession = ssomanager.isValidSSOSession(ssoId, req); useSSOOA = oaParam.useSSO(); + //if a legacy request is used SSO should not be allowed, actually + boolean isUseMandateRequested = LegacyHelper.isUseMandateRequested(req); + if (protocolRequest.isPassiv() && protocolRequest.forceAuth()) { // conflict! throw new NoPassivAuthenticationException(); } - - if (protocolRequest.forceAuth()) { - if (!authmanager.tryPerformAuthentication( - req, resp)) { + + boolean tryperform = authmanager.tryPerformAuthentication( + req, resp); + + if (protocolRequest.forceAuth()) { + if (!tryperform) { authmanager.doAuthentication(req, resp, protocolRequest); return; } } else if (protocolRequest.isPassiv()) { - if (authmanager.tryPerformAuthentication(req, - resp) - || (isValidSSOSession && useSSOOA) ) { + if (tryperform || (isValidSSOSession && useSSOOA && !isUseMandateRequested) ) { // Passive authentication ok! } else { throw new NoPassivAuthenticationException(); } } else { - if (authmanager.tryPerformAuthentication(req, - resp) - || (isValidSSOSession && useSSOOA) ) { + if (tryperform || (isValidSSOSession && useSSOOA && !isUseMandateRequested) ) { // Is authenticated .. proceed } else { // Start authentication! @@ -268,21 +274,32 @@ public class DispatcherServlet extends AuthServlet{ return; } } + } - - moduleAction.processRequest(protocolRequest, req, resp); - RequestStorage.removePendingRequest(httpSession); + String moasessionID = null; + AuthenticationSession moasession = null; - String moasessionID = HTTPSessionUtils.getHTTPSessionString(req.getSession(), - AuthenticationManager.MOA_SESSION, null); - - AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(moasessionID); - - if ((useSSOOA || isValidSSOSession) - && moasession.isSsoRequested() - && !moasession.getUseMandate()) //TODO: SSO with mandates requires an OVS extension + if ((useSSOOA || isValidSSOSession)) //TODO: SSO with mandates requires an OVS extension { + + //TODO SSO Question!!!! + if (useSSOOA && isValidSSOSession) { + + moasessionID = ssomanager.getMOASession(ssoId); + moasession = AuthenticationSessionStoreage.getSession(moasessionID); + + //use new OAParameter + if (!oaParam.useSSOWithoutQuestion() && !AuthenticationSessionStoreage.isAuthenticated(moasessionID)) { + authmanager.sendTransmitAssertionQuestion(req, resp, protocolRequest, oaParam); + return; + } + } + else { + moasessionID = HTTPSessionUtils.getHTTPSessionString(req.getSession(), + AuthenticationManager.MOA_SESSION, null); + moasession = AuthenticationSessionStoreage.getSession(moasessionID); + } //save SSO session usage in Database String newSSOSessionId = ssomanager.storeSSOSessionInformations(moasessionID, protocolRequest.getOAURL()); @@ -295,7 +312,23 @@ public class DispatcherServlet extends AuthServlet{ } } else { - authmanager.logout(req, resp); + moasessionID = HTTPSessionUtils.getHTTPSessionString(req.getSession(), + AuthenticationManager.MOA_SESSION, null); + moasession = AuthenticationSessionStoreage.getSession(moasessionID); + } + + moduleAction.processRequest(protocolRequest, req, resp, moasession); + + RequestStorage.removePendingRequest(httpSession); + + boolean isSSOSession = AuthenticationSessionStoreage.isSSOSession(moasessionID); + + if ((useSSOOA || isSSOSession) //TODO: SSO with mandates requires an OVS extension + && !moasession.getUseMandate()) + { + + } else { + authmanager.logout(req, resp, moasessionID); } ConfigurationDBUtils.closeSession(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 4ec734c41..b6742fb9e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -10,14 +10,17 @@ import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import at.gv.egovernment.moa.id.AuthenticationException; +import at.gv.egovernment.moa.id.BuildException; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.WrongParametersException; import at.gv.egovernment.moa.id.auth.builder.LoginFormBuilder; +import at.gv.egovernment.moa.id.auth.builder.SendAssertionFormBuilder; import at.gv.egovernment.moa.id.auth.builder.StartAuthenticationBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.parser.StartAuthentificationParameterParser; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.OAParameter; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; @@ -119,33 +122,40 @@ public class AuthenticationManager extends AuthServlet { try { authSession = AuthenticationSessionStoreage.getSession(sessionID); - } catch (MOADatabaseException e) { - return false; - } + - if (authSession != null) { - Logger.info("MOASession found! A: " - + authSession.isAuthenticated() + ", AU " - + authSession.isAuthenticatedUsed()); - if (authSession.isAuthenticated() - && !authSession.isAuthenticatedUsed()) { - authSession.setAuthenticatedUsed(true); - HTTPSessionUtils.setHTTPSessionString(session, MOA_SESSION, - sessionID); - return true; // got authenticated + if (authSession != null) { + Logger.info("MOASession found! A: " + + authSession.isAuthenticated() + ", AU " + + authSession.isAuthenticatedUsed()); + if (authSession.isAuthenticated() + && !authSession.isAuthenticatedUsed()) { + authSession.setAuthenticatedUsed(true); + + AuthenticationSessionStoreage.storeSession(authSession); + + HTTPSessionUtils.setHTTPSessionString(session, MOA_SESSION, + sessionID); + return true; // got authenticated + } } + + } catch (MOADatabaseException e) { + return false; + } catch (BuildException e) { + return false; } } return false; } public void logout(HttpServletRequest request, - HttpServletResponse response) { + HttpServletResponse response, String moaSessionID) { Logger.info("Logout"); HttpSession session = request.getSession(); - String moaSessionID = HTTPSessionUtils.getHTTPSessionString(session, MOA_SESSION, null); + //String moaSessionID = HTTPSessionUtils.getHTTPSessionString(session, MOA_SESSION, null); if(moaSessionID == null) { moaSessionID = (String) request.getParameter(PARAM_SESSIONID); @@ -171,7 +181,7 @@ public class AuthenticationManager extends AuthServlet { AuthenticationSessionStoreage.destroySession(moaSessionID); - session.invalidate(); + //session.invalidate(); } catch (MOADatabaseException e) { Logger.info("NO MOA Authentication data for ID " + moaSessionID); @@ -185,14 +195,14 @@ public class AuthenticationManager extends AuthServlet { throws ServletException, IOException, MOAIDException { Logger.info("Starting authentication ..."); - if (!ParamValidatorUtils.isValidOA(target.getOAURL())) - throw new WrongParametersException("StartAuthentication", PARAM_OA, - "auth.12"); - - if (target.getOAURL() == null) { - throw new WrongParametersException("StartAuthentication", PARAM_OA, - "auth.12"); - } +// if (!ParamValidatorUtils.isValidOA(target.getOAURL())) +// throw new WrongParametersException("StartAuthentication", PARAM_OA, +// "auth.12"); +// +// if (target.getOAURL() == null) { +// throw new WrongParametersException("StartAuthentication", PARAM_OA, +// "auth.12"); +// } setNoCachingHeadersInHttpRespone(request, response); @@ -205,12 +215,19 @@ public class AuthenticationManager extends AuthServlet { boolean legacyparamavail = ParamValidatorUtils.areAllLegacyParametersAvailable(request); AuthenticationSession moasession; + try { + //check if an MOASession exists and if not create an new MOASession + //moasession = getORCreateMOASession(request); + moasession = AuthenticationSessionStoreage.createSession(); + + } catch (MOADatabaseException e1) { + Logger.error("Database Error! MOASession can not be created!"); + throw new MOAIDException("init.04", new Object[] {}); + } + if (legacyallowed && legacyparamavail) { - //check if an MOASession exists and if not create an new MOASession - moasession = getORCreateMOASession(request); - //parse request parameter into MOASession StartAuthentificationParameterParser.parse(request, response, moasession); @@ -255,7 +272,7 @@ public class AuthenticationManager extends AuthServlet { else { //check if an MOASession exists and if not create an new MOASession - moasession = getORCreateMOASession(request); + //moasession = getORCreateMOASession(request); //set OnlineApplication configuration in Session moasession.setOAURLRequested(target.getOAURL()); @@ -264,8 +281,10 @@ public class AuthenticationManager extends AuthServlet { } //Build authentication form + + String loginForm = LoginFormBuilder.buildLoginForm(target.requestedModule(), - target.requestedAction(), oaParam.getFriendlyName(), request.getContextPath()); + target.requestedAction(), oaParam.getFriendlyName(), request.getContextPath(), oaParam.useIFrame()); //store MOASession try { @@ -286,29 +305,43 @@ public class AuthenticationManager extends AuthServlet { } } - private AuthenticationSession getORCreateMOASession(HttpServletRequest request) throws MOAIDException { + public void sendTransmitAssertionQuestion(HttpServletRequest request, + HttpServletResponse response, IRequest target, OAAuthParameter oaParam) + throws ServletException, IOException, MOAIDException { - //String sessionID = request.getParameter(PARAM_SESSIONID); - String sessionID = (String) request.getSession().getAttribute(MOA_SESSION); - AuthenticationSession moasession; - - try { - moasession = AuthenticationSessionStoreage.getSession(sessionID); - Logger.info("Found existing MOASession with sessionID=" + sessionID - + ". This session is used for reauthentification."); - - } catch (MOADatabaseException e) { - try { - moasession = AuthenticationSessionStoreage.createSession(); - Logger.info("Create a new MOASession with sessionID=" + moasession.getSessionID() + "."); - - } catch (MOADatabaseException e1) { - Logger.error("Database Error! MOASession are not created."); - throw new MOAIDException("init.04", new Object[] { - "0"}); - } - } - - return moasession; - } + String form = SendAssertionFormBuilder.buildForm(target.requestedModule(), + target.requestedAction(), oaParam.getFriendlyName(), request.getContextPath(), oaParam.useIFrame()); + + response.setContentType("text/html;charset=UTF-8"); + PrintWriter out = new PrintWriter(response.getOutputStream()); + out.print(form); + out.flush(); + } + + +// private AuthenticationSession getORCreateMOASession(HttpServletRequest request) throws MOAIDException { +// +// //String sessionID = request.getParameter(PARAM_SESSIONID); +// String sessionID = (String) request.getSession().getAttribute(MOA_SESSION); +// AuthenticationSession moasession; +// +// try { +// moasession = AuthenticationSessionStoreage.getSession(sessionID); +// Logger.info("Found existing MOASession with sessionID=" + sessionID +// + ". This session is used for reauthentification."); +// +// } catch (MOADatabaseException e) { +// try { +// moasession = AuthenticationSessionStoreage.createSession(); +// Logger.info("Create a new MOASession with sessionID=" + moasession.getSessionID() + "."); +// +// } catch (MOADatabaseException e1) { +// Logger.error("Database Error! MOASession are not created."); +// throw new MOAIDException("init.04", new Object[] { +// "0"}); +// } +// } +// +// return moasession; +// } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java index 6630693a6..aa8a8d9a9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java @@ -5,9 +5,10 @@ import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; public interface IAction extends MOAIDAuthConstants { - public void processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) + public void processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException; public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index 84817ba7a..82273da83 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -61,10 +61,15 @@ public class SSOManager { String moaSessionId =HTTPSessionUtils.getHTTPSessionString(httpReq.getSession(), AuthenticationManager.MOA_SESSION, null); + return AuthenticationSessionStoreage.isValidSessionWithSSOID(ssoSessionID, moaSessionId); } + public String getMOASession(String ssoSessionID) { + return AuthenticationSessionStoreage.getMOASessionID(ssoSessionID); + } + public String existsOldSSOSession(String ssoId) { Logger.trace("Check that the SSOID has already been used"); @@ -136,23 +141,14 @@ public class SSOManager { Cookie[] cookies = httpReq.getCookies(); if (cookies != null) { - for (Cookie cookie : cookies) { - if (cookie.getName().equals(SSOCOOKIE)) { - cookie.setValue(ssoId); - cookie.setMaxAge(sso_timeout); - cookie.setSecure(true); - httpResp.addCookie(cookie); - return; - } - } - + deleteSSOSessionID(httpReq, httpResp); } + Cookie cookie = new Cookie(SSOCOOKIE, ssoId); cookie.setMaxAge(sso_timeout); cookie.setSecure(true); - httpResp.addCookie(cookie); - return; - + cookie.setPath(httpReq.getContextPath()); + httpResp.addCookie(cookie); } @@ -165,7 +161,7 @@ public class SSOManager { //TODO: funktioniert nicht, da Cookie seltsamerweise immer unsecure übertragen wird (firefox) //if (cookie.getName().equals(SSOCOOKIE) && cookie.getSecure()) { - + if (cookie.getName().equals(SSOCOOKIE)) { return cookie.getValue(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java index 17f1b631b..59a5158bd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java @@ -4,6 +4,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler.RequestManager; @@ -11,10 +12,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler.RequestManager; public class AuthenticationAction implements IAction { public void processRequest(IRequest req, HttpServletRequest httpReq, - HttpServletResponse httpResp) throws MOAIDException { + HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { + System.out.println("Process PVP2 auth request!"); PVPTargetConfiguration pvpRequest = (PVPTargetConfiguration) req; - RequestManager.getInstance().handle(pvpRequest.request, httpReq, httpResp); + RequestManager.getInstance().handle(pvpRequest.request, httpReq, httpResp, moasession); } public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index 59eaa90b1..9fc213a48 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -33,6 +33,7 @@ import org.opensaml.xml.signature.Signer; import org.w3c.dom.Document; import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; @@ -44,7 +45,7 @@ import at.gv.egovernment.moa.logging.Logger; public class MetadataAction implements IAction { public void processRequest(IRequest req, HttpServletRequest httpReq, - HttpServletResponse httpResp) throws MOAIDException { + HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { try { EntitiesDescriptor idpEntitiesDescriptor = diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 790c42348..a63276d6e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -179,18 +179,22 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { AttributeConsumingService attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); //TODO: maybe change to getEntityID() - String oaURL = consumerService.getLocation(); + //String oaURL = consumerService.getLocation(); + String oaURL = moaRequest.getEntityMetadata().getEntityID(); String binding = consumerService.getBinding(); String entityID = moaRequest.getEntityMetadata().getEntityID(); //String oaURL = (String) request.getParameter(PARAM_OA); oaURL = StringEscapeUtils.escapeHtml(oaURL); - if (!ParamValidatorUtils.isValidOA(oaURL)) - throw new WrongParametersException("StartAuthentication", - PARAM_OA, "auth.12"); +// if (!ParamValidatorUtils.isValidOA(oaURL)) +// throw new WrongParametersException("StartAuthentication", +// PARAM_OA, "auth.12"); + config.setOAURL(oaURL); config.setBinding(binding); config.setRequest(moaRequest); + + //TODO: set correct target; config.setTarget(PVPConfiguration.getInstance().getTargetForSP(entityID)); String useMandate = request.getParameter(PARAM_USEMANDATE); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java index 657f974f8..4fb76c377 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java @@ -5,6 +5,7 @@ import org.opensaml.saml2.core.Attribute; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.util.Constants; public class BPKAttributeBuilder extends BaseAttributeBuilder { @@ -14,12 +15,18 @@ public class BPKAttributeBuilder extends BaseAttributeBuilder { public Attribute build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData) { - // TODO: authSession + oaParam => authData - String bpk = ""; //authSession.getAssertionAuthData().getIdentificationValue(); + String bpk = authData.getBPK(); + String type = authData.getBPKType(); + + if (type.startsWith(Constants.URN_PREFIX_WBPK)) + type = type.substring((Constants.URN_PREFIX_WBPK+"+").length()); + else if (type.startsWith(Constants.URN_PREFIX_CDID)) + type = type.substring((Constants.URN_PREFIX_CDID+"+").length()); + if(bpk.length() > BPK_MAX_LENGTH) { bpk = bpk.substring(0, BPK_MAX_LENGTH); } - return buildStringAttribute(BPK_FRIENDLY_NAME, BPK_NAME, bpk); + return buildStringAttribute(BPK_FRIENDLY_NAME, BPK_NAME, type + ":" + bpk); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java index 9b6884993..8cb2b5be6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java @@ -13,10 +13,10 @@ public class EIDSectorForIDAttributeBuilder extends BaseAttributeBuilder { } public Attribute build(AuthenticationSession authSession, - OAAuthParameter oaParam, AuthenticationData authData) { - // TODO: authSession + oaParam => authData + OAAuthParameter oaParam, AuthenticationData authData) { + String bpktype = authData.getBPKType(); return buildStringAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, - EID_SECTOR_FOR_IDENTIFIER_NAME, ""/*authSession.getAssertionAuthData().getIdentificationType()*/); + EID_SECTOR_FOR_IDENTIFIER_NAME, bpktype); } public Attribute buildEmpty() { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index c8059b2f9..7682566f2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -1,7 +1,10 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.config; +import iaik.x509.X509Certificate; + import java.io.File; import java.io.FileInputStream; +import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.Iterator; import java.util.List; @@ -21,12 +24,19 @@ import org.opensaml.saml2.metadata.OrganizationURL; import org.opensaml.saml2.metadata.SurName; import org.opensaml.saml2.metadata.TelephoneNumber; +import at.gv.egovernment.moa.id.commons.db.dao.config.Contact; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; +import at.gv.egovernment.moa.id.commons.db.dao.config.PVP2; +import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.Digester; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; public class PVPConfiguration { + private static PVPConfiguration instance; public static PVPConfiguration getInstance() { @@ -71,26 +81,21 @@ public class PVPConfiguration { public static final String IDP_CONTACT_COMPANY = "company"; public static final String IDP_CONTACT_PHONE = "phone"; - Properties props = new Properties(); - + PVP2 generalpvpconfigdb; + Properties props; + private PVPConfiguration() { - try { - String fileName = System - .getProperty(ConfigurationProvider.CONFIG_PROPERTY_NAME); - String pathName = (new File(fileName)).getParent(); - String configFile = pathName + "/" + PVP_CONFIG_FILE; - - Logger.info("PVP Config file " + configFile); - FileInputStream is = new FileInputStream(configFile); - props.load(is); - is.close(); - } catch (Exception e) { + try { + generalpvpconfigdb = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig(); + props = AuthConfigurationProvider.getInstance().getGeneralPVP2ProperiesConfig(); + + } catch (ConfigurationException e) { e.printStackTrace(); } } public String getIDPPublicPath() { - String publicPath = props.getProperty(IDP_PUBLIC_URL); + String publicPath = generalpvpconfigdb.getPublicURLPrefix(); if(publicPath != null) { if(publicPath.endsWith("/")) { publicPath = publicPath.substring(0, publicPath.length()-2); @@ -128,7 +133,7 @@ public class PVPConfiguration { } public String getIDPIssuerName() { - return props.getProperty(IDP_ISSUER_NAME); + return generalpvpconfigdb.getIssuerName(); } public List<String> getMetadataFiles() { @@ -152,48 +157,66 @@ public class PVPConfiguration { return files; } + //TODO: public String getTargetForSP(String sp) { - String spHash = Digester.toSHA1(sp.getBytes()); - Logger.info("SHA hash for sp: " + sp + " => " + spHash); - return props.getProperty(SP_TARGET_PREFIX + spHash); - } - public String getTrustEntityCertificate(String entityID) { - String path = props.getProperty(IDP_TRUST_STORE); - if (path == null) { + try { + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(sp); + return oaParam.getTarget(); + + } catch (ConfigurationException e) { + Logger.warn("OnlineApplication with ID "+ sp + " is not found."); return null; } + + } - if (!path.endsWith("/")) { - path = path + "/"; + + public iaik.x509.X509Certificate getTrustEntityCertificate(String entityID) { + + try { + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(entityID); + + if (oaParam == null) { + Logger.warn("Online Application with ID " + entityID + " not found!"); + return null; + } + + OAPVP2 pvp2param = oaParam.getPVP2Parameter(); + + if (pvp2param == null) { + return null; + } + + Logger.info("Load TrustEntityCertificate ("+entityID+") from Database."); + return new X509Certificate(pvp2param.getCertificate()); + + } catch (CertificateException e) { + Logger.warn("Signer certificate can not be loaded from session database!", e); + return null; + + } catch (ConfigurationException e) { + e.printStackTrace(); + return null; } - - String entityIDHash = Digester.toSHA1(entityID.getBytes()); - - return path + entityIDHash; } public List<ContactPerson> getIDPContacts() { List<ContactPerson> list = new ArrayList<ContactPerson>(); - String contactList = props.getProperty(IDP_CONTACT_LIST); - - if (contactList != null) { - - String[] contact_keys = contactList.split(","); - - for (int i = 0; i < contact_keys.length; i++) { - - String key = contact_keys[i]; + List<Contact> contacts = generalpvpconfigdb.getContact(); + + if (contacts != null) { + + for (Contact contact : contacts) { ContactPerson person = SAML2Utils .createSAMLObject(ContactPerson.class); - String type = props.getProperty(IDP_CONTACT_PREFIX + "." + key - + "." + IDP_CONTACT_TYPE); + String type = contact.getType(); if (type == null) { - Logger.error("IDP Contact with key " + key + Logger.error("IDP Contact with SurName " + contact.getSurName() + " has no type defined!"); break; } @@ -218,15 +241,14 @@ public class PVPConfiguration { } if (enumType == null) { - Logger.error("IDP Contact with key " + key + Logger.error("IDP Contact with SurName " + contact.getSurName() + " has invalid type defined: " + type); break; } person.setType(enumType); - String givenName = props.getProperty(IDP_CONTACT_PREFIX + "." - + key + "." + IDP_CONTACT_GIVENNAME); + String givenName = contact.getGivenName(); if (givenName != null) { GivenName name = SAML2Utils @@ -235,8 +257,7 @@ public class PVPConfiguration { person.setGivenName(name); } - String company = props.getProperty(IDP_CONTACT_PREFIX + "." - + key + "." + IDP_CONTACT_COMPANY); + String company = contact.getCompany(); if (company != null) { Company comp = SAML2Utils.createSAMLObject(Company.class); @@ -244,8 +265,7 @@ public class PVPConfiguration { person.setCompany(comp); } - String surname = props.getProperty(IDP_CONTACT_PREFIX + "." - + key + "." + IDP_CONTACT_SURNAME); + String surname = contact.getSurName(); if (surname != null) { SurName name = SAML2Utils.createSAMLObject(SurName.class); @@ -253,35 +273,22 @@ public class PVPConfiguration { person.setSurName(name); } - Set<Object> keySet = props.keySet(); - Iterator<Object> keyIt = keySet.iterator(); - - while (keyIt.hasNext()) { - - String currentKey = keyIt.next().toString(); - - if (currentKey.startsWith(IDP_CONTACT_PREFIX + "." + key - + "." + IDP_CONTACT_PHONE)) { - String phone = props.getProperty(currentKey); - - if (phone != null) { - TelephoneNumber telePhone = SAML2Utils - .createSAMLObject(TelephoneNumber.class); - telePhone.setNumber(phone); - person.getTelephoneNumbers().add(telePhone); - } - } else if (currentKey.startsWith(IDP_CONTACT_PREFIX + "." - + key + "." + IDP_CONTACT_MAIL)) { - String mail = props.getProperty(currentKey); - - if (mail != null) { - EmailAddress mailAddress = SAML2Utils - .createSAMLObject(EmailAddress.class); - mailAddress.setAddress(mail); - person.getEmailAddresses().add(mailAddress); - } - } + List<String> phones = contact.getPhone(); + for (String phone : phones) { + TelephoneNumber telePhone = SAML2Utils + .createSAMLObject(TelephoneNumber.class); + telePhone.setNumber(phone); + person.getTelephoneNumbers().add(telePhone); } + + List<String> mails = contact.getMail(); + for (String mail : mails) { + EmailAddress mailAddress = SAML2Utils + .createSAMLObject(EmailAddress.class); + mailAddress.setAddress(mail); + person.getEmailAddresses().add(mailAddress); + } + list.add(person); } } @@ -291,10 +298,18 @@ public class PVPConfiguration { public Organization getIDPOrganisation() { Organization org = SAML2Utils.createSAMLObject(Organization.class); - String org_name = props.getProperty(IDP_ORG_NAME); - String org_dispname = props.getProperty(IDP_ORG_DISPNAME); - String org_url = props.getProperty(IDP_ORG_URL); - + at.gv.egovernment.moa.id.commons.db.dao.config.Organization organisation = generalpvpconfigdb.getOrganization(); + + String org_name = null; + String org_dispname = null; + String org_url = null; + + if (organisation != null) { + org_name = organisation.getName(); + org_dispname = organisation.getDisplayName(); + org_url = organisation.getURL(); + } + if (org_name == null || org_dispname == null || org_url == null) { return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java index c18296383..d479de2d7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java @@ -9,6 +9,7 @@ import org.opensaml.saml2.core.ArtifactResolve; import org.opensaml.saml2.core.ArtifactResponse; import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPAssertionStorage; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; @@ -23,7 +24,7 @@ public class ArtifactResolution implements IRequestHandler { } public void process(MOARequest obj, HttpServletRequest req, - HttpServletResponse resp) throws MOAIDException { + HttpServletResponse resp, AuthenticationSession moasession) throws MOAIDException { if (!handleObject(obj)) { throw new MOAIDException("pvp2.13", null); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index db41bf389..f8270cf33 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -15,6 +15,7 @@ import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; +import at.gv.egovernment.moa.id.AuthenticationException; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.moduls.AuthenticationManager; @@ -29,6 +30,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.logging.Logger; public class AuthnRequestHandler implements IRequestHandler, PVPConstants { @@ -38,7 +40,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { } public void process(MOARequest obj, HttpServletRequest req, - HttpServletResponse resp) throws MOAIDException { + HttpServletResponse resp, AuthenticationSession authSession) throws MOAIDException { if (!handleObject(obj)) { throw new MOAIDException("pvp2.13", null); } @@ -46,9 +48,12 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { AuthnRequest authnRequest = (AuthnRequest) obj.getSamlRequest(); EntityDescriptor peerEntity = obj.getEntityMetadata(); - - AuthenticationManager authmanager = AuthenticationManager.getInstance(); - AuthenticationSession authSession =authmanager.getAuthenticationSession(req.getSession()); +// if (!AuthenticationSessionStoreage.isAuthenticated(authSession.getSessionID())) { +// throw new AuthenticationException("auth.21", new Object[] {}); +// } + +// AuthenticationManager authmanager = AuthenticationManager.getInstance(); +// AuthenticationSession authSession =authmanager.getAuthenticationSession(req.getSession()); // authSession.getM diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java index 002713f79..458316c6d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java @@ -4,11 +4,12 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; public interface IRequestHandler { public boolean handleObject(MOARequest obj); public void process(MOARequest obj, HttpServletRequest req, - HttpServletResponse resp) throws MOAIDException; + HttpServletResponse resp, AuthenticationSession moasession) throws MOAIDException; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java index 9121f7558..a043bfde5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java @@ -8,6 +8,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSupported; @@ -30,13 +31,13 @@ public class RequestManager { handler.add(new ArtifactResolution()); } - public void handle(MOARequest obj, HttpServletRequest req, HttpServletResponse resp) + public void handle(MOARequest obj, HttpServletRequest req, HttpServletResponse resp, AuthenticationSession moasession) throws SAMLRequestNotSupported, MOAIDException { Iterator<IRequestHandler> it = handler.iterator(); while(it.hasNext()) { IRequestHandler handler = it.next(); if(handler.handleObject(obj)) { - handler.process(obj, req, resp); + handler.process(obj, req, resp, moasession); return; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java index 4a1cd45da..38251ab56 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java @@ -57,23 +57,14 @@ public class CredentialProvider { public static Credential getSPTrustedCredential(String entityID) throws CredentialsNotAvailableException { - String filename = PVPConfiguration.getInstance() - .getTrustEntityCertificate(entityID); - iaik.x509.X509Certificate cert; - try { - cert = new X509Certificate(new FileInputStream(new File(filename))); - } catch (CertificateException e) { - e.printStackTrace(); - throw new CredentialsNotAvailableException(e.getMessage(), null); - } catch (FileNotFoundException e) { - e.printStackTrace(); - throw new CredentialsNotAvailableException(e.getMessage(), null); - } catch (IOException e) { - e.printStackTrace(); - throw new CredentialsNotAvailableException(e.getMessage(), null); + iaik.x509.X509Certificate cert = PVPConfiguration.getInstance() + .getTrustEntityCertificate(entityID); + + if (cert == null) { + throw new CredentialsNotAvailableException("ServiceProvider Certificate can not be loaded from Database", null); } - + BasicX509Credential credential = new BasicX509Credential(); credential.setEntityId(entityID); credential.setUsageType(UsageType.SIGNING); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java index d3acf9351..42282f208 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java @@ -1,5 +1,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; +import java.util.List; + import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.security.SAMLSignatureProfileValidator; @@ -53,18 +55,31 @@ public class EntityVerifier { Logger.error("Failed to validate Signature", e); throw new SAMLRequestNotSignedException(e); } + + List<EntityDescriptor> entities = entityDescriptor.getEntityDescriptors(); - Credential credential = CredentialProvider.getSPTrustedCredential(entityDescriptor.getName()); - if(credential == null) { - throw new NoCredentialsException("moaID IDP"); - } + if (entities.size() > 0) { + + if (entities.size() > 1) { + Logger.warn("More then one EntityID in Metadatafile with Name " + + entityDescriptor.getName() + " defined. Actually only the first" + + " entryID is used to select the certificate to perform Metadata verification."); + } + + Credential credential = CredentialProvider.getSPTrustedCredential(entities.get(0).getEntityID()); + + if(credential == null) { + throw new NoCredentialsException("moaID IDP"); + } - SignatureValidator sigValidator = new SignatureValidator(credential); - try { - sigValidator.validate(entityDescriptor.getSignature()); - } catch (ValidationException e) { - Logger.error("Failed to verfiy Signature", e); - throw new SAMLRequestNotSignedException(e); + SignatureValidator sigValidator = new SignatureValidator(credential); + try { + sigValidator.validate(entityDescriptor.getSignature()); + + } catch (ValidationException e) { + Logger.error("Failed to verfiy Signature", e); + throw new SAMLRequestNotSignedException(e); + } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index 47887ddc2..75825d92d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -33,12 +33,16 @@ import at.gv.egovernment.moa.util.URLEncoder; public class GetArtifactAction implements IAction { public void processRequest(IRequest req, HttpServletRequest httpReq, - HttpServletResponse httpResp) { - HttpSession httpSession = httpReq.getSession(); - - AuthenticationManager authmanager = AuthenticationManager.getInstance(); - AuthenticationSession session = authmanager.getAuthenticationSession(httpSession); + HttpServletResponse httpResp, AuthenticationSession session) throws AuthenticationException { + +// HttpSession httpSession = httpReq.getSession(); +// AuthenticationManager authmanager = AuthenticationManager.getInstance(); +// AuthenticationSession session = authmanager.getAuthenticationSession(httpSession); +// if (!AuthenticationSessionStoreage.isAuthenticated(session.getSessionID())) { +// throw new AuthenticationException("auth.21", new Object[] {}); +// } + String oaURL = (String) req.getOAURL(); String target = (String) req.getTarget(); @@ -83,7 +87,8 @@ public class GetArtifactAction implements IAction { if (AuthenticationSessionStoreage.isSSOSession(session.getSessionID())) { String url = "RedirectServlet"; url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8")); - url = addURLParameter(url, PARAM_TARGET, URLEncoder.encode(oaParam.getTarget(), "UTF-8")); + if (!oaParam.getBusinessService()) + url = addURLParameter(url, PARAM_TARGET, URLEncoder.encode(oaParam.getTarget(), "UTF-8")); url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); url = httpResp.encodeRedirectURL(url); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java new file mode 100644 index 000000000..433302b4f --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java @@ -0,0 +1,135 @@ +package at.gv.egovernment.moa.id.protocols.saml1; + +import java.io.IOException; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; + +import org.apache.commons.lang.StringEscapeUtils; + +import at.gv.egovernment.moa.id.AuthenticationException; +import at.gv.egovernment.moa.id.BuildException; +import at.gv.egovernment.moa.id.auth.WrongParametersException; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.moduls.AuthenticationManager; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.URLEncoder; + +public class GetArtifactServlet extends AuthServlet { + + /** + * + */ + private static final long serialVersionUID = 3593264832041467899L; + + /** + * Constructor for GetArtifactServlet. + */ + public GetArtifactServlet() { + super(); + } + + @Override + protected void doGet(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + HttpSession httpSession = req.getSession(); + + + +// AuthenticationSession session = AuthenticationManager +// .getAuthenticationSession(httpSession); +// +// String oaURL = (String) req.getAttribute(PARAM_OA); +// oaURL = StringEscapeUtils.escapeHtml(oaURL); +// +// String target = (String) req.getAttribute(PARAM_TARGET); +// target = StringEscapeUtils.escapeHtml(target); +// +// try { +// +// // check parameter +// if (!ParamValidatorUtils.isValidOA(oaURL)) +// throw new WrongParametersException("StartAuthentication", +// PARAM_OA, "auth.12"); +// +// if (oaURL == null) { +// oaURL = session.getOAURLRequested(); +// } +// +// if (oaURL == null) { +// throw new WrongParametersException("StartAuthentication", +// PARAM_OA, "auth.12"); +// } +// +// String samlArtifactBase64 = SAML1AuthenticationServer +// .BuildSAMLArtifact(session); +// +// String redirectURL = oaURL; +// session.getOAURLRequested(); +// if (!session.getBusinessService()) { +// redirectURL = addURLParameter(redirectURL, PARAM_TARGET, +// URLEncoder.encode(session.getTarget(), "UTF-8")); +// +// } +// redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, +// URLEncoder.encode(samlArtifactBase64, "UTF-8")); +// redirectURL = resp.encodeRedirectURL(redirectURL); +// +// resp.setContentType("text/html"); +// resp.setStatus(302); +// +// resp.addHeader("Location", redirectURL); +// Logger.debug("REDIRECT TO: " + redirectURL); +// +// // CONFIRMATION FOR SSO! +// /* +// * OAAuthParameter oaParam = +// * AuthConfigurationProvider.getInstance(). +// * getOnlineApplicationParameter(oaURL); +// * +// * String friendlyName = oaParam.getFriendlyName(); if(friendlyName +// * == null) { friendlyName = oaURL; } +// * +// * +// * LoginConfirmationBuilder builder = new +// * LoginConfirmationBuilder(); +// * builder.addParameter(PARAM_SAMLARTIFACT, samlArtifactBase64); +// * String form = builder.finish(oaURL, session.getIdentityLink() +// * .getName(), friendlyName); +// */ +// +// /* +// resp.setContentType("text/html"); +// +// OutputStream out = resp.getOutputStream(); +// out.write(form.getBytes("UTF-8")); +// out.flush(); +// out.close();*/ +// +// } catch (WrongParametersException ex) { +// handleWrongParameters(ex, req, resp); +// } catch (ConfigurationException e) { +// // TODO Auto-generated catch block +// e.printStackTrace(); +// } catch (BuildException e) { +// // TODO Auto-generated catch block +// e.printStackTrace(); +// } catch (AuthenticationException e) { +// // TODO Auto-generated catch block +// e.printStackTrace(); +// } + + } + + @Override + protected void doPost(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + doGet(req, resp); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 73308e607..da5556b30 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -16,6 +16,7 @@ import org.hibernate.Session; import org.hibernate.Transaction; import at.gv.egovernment.moa.id.AuthenticationException; +import at.gv.egovernment.moa.id.BuildException; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; @@ -25,6 +26,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.util.Random; +import at.gv.egovernment.moa.id.util.SessionEncrytionUtil; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -45,6 +47,20 @@ public class AuthenticationSessionStoreage { } } + public static void setAuthenticated(String moaSessionID, boolean value) { + + AuthenticatedSessionStore session; + + try { + session = searchInDatabase(moaSessionID); + session.setAuthenticated(value); + MOASessionDBUtils.saveOrUpdate(session); + + + } catch (MOADatabaseException e) { + Logger.warn("isAuthenticated can not be stored in MOASession " + moaSessionID, e); + } + } public static AuthenticationSession createSession() throws MOADatabaseException { String id = Random.nextRandom(); @@ -73,12 +89,14 @@ public class AuthenticationSessionStoreage { return session; } - public static void storeSession(AuthenticationSession session) throws MOADatabaseException { + public static void storeSession(AuthenticationSession session) throws MOADatabaseException, BuildException { try { AuthenticatedSessionStore dbsession = searchInDatabase(session.getSessionID()); dbsession.setAuthenticated(session.isAuthenticated()); - dbsession.setSession(SerializationUtils.serialize(session)); + byte[] serialized = SerializationUtils.serialize(session); + + dbsession.setSession(SessionEncrytionUtil.encrypt(serialized)); //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 dbsession.setUpdated(new Date()); @@ -138,7 +156,7 @@ public class AuthenticationSessionStoreage { // } public static String changeSessionID(AuthenticationSession session) - throws AuthenticationException { + throws AuthenticationException, BuildException { try { AuthenticatedSessionStore dbsession = searchInDatabase(session.getSessionID()); @@ -148,7 +166,10 @@ public class AuthenticationSessionStoreage { dbsession.setSessionid(id); dbsession.setAuthenticated(session.isAuthenticated()); - dbsession.setSession(SerializationUtils.serialize(session)); + + byte[] serialized = SerializationUtils.serialize(session); + + dbsession.setSession(SessionEncrytionUtil.encrypt(serialized)); //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 dbsession.setUpdated(new Date()); @@ -160,24 +181,6 @@ public class AuthenticationSessionStoreage { } catch (MOADatabaseException e) { throw new AuthenticationException("TODO!", null); } - - -// synchronized (sessionStore) { -// if (sessionStore.containsKey(session.getSessionID())) { -// AuthenticationSession theSession = sessionStore.get(session -// .getSessionID()); -// if (theSession != session) { -// throw new AuthenticationException("TODO!", null); -// } -// -// sessionStore.remove(session.getSessionID()); -// String id = Random.nextRandom(); -// session.setSessionID(id); -// sessionStore.put(id, session); -// return id; -// } -// } -// throw new AuthenticationException("TODO!", null); } public static void addSSOInformation(String moaSessionID, String SSOSessionID, @@ -232,6 +235,7 @@ public class AuthenticationSessionStoreage { dbsession.setSSOSession(true); dbsession.setSSOsessionid(SSOSessionID); + dbsession.setAuthenticated(false); //Store MOASession session.saveOrUpdate(dbsession); @@ -255,7 +259,11 @@ public class AuthenticationSessionStoreage { try { AuthenticatedSessionStore dbsession = searchInDatabase(sessionID); - AuthenticationSession session = (AuthenticationSession) SerializationUtils.deserialize(dbsession.getSession()); + + //decrypt Session + byte[] decrypted = SessionEncrytionUtil.decrypt(dbsession.getSession()); + + AuthenticationSession session = (AuthenticationSession) SerializationUtils.deserialize(decrypted); return session; @@ -282,6 +290,37 @@ public class AuthenticationSessionStoreage { } + public static String getMOASessionID(String SSOSessionID) { + MiscUtil.assertNotNull(SSOSessionID, "moasessionID"); + Logger.trace("Get authenticated session with SSOID " + SSOSessionID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithSSOID"); + query.setString("sessionid", SSOSessionID); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + return null; + + } else { + return result.get(0).getSessionid(); + + } + + } + public static boolean isValidSessionWithSSOID(String SSOId, String moaSessionId) { MiscUtil.assertNotNull(SSOId, "moasessionID"); @@ -308,19 +347,21 @@ public class AuthenticationSessionStoreage { return false; } else { - AuthenticatedSessionStore dbsession = result.get(0); + return true; - - if (dbsession.getSessionid().equals(moaSessionId) && dbsession.isAuthenticated()) { - Log.info("Found SSO Session Cookie for MOA Session =" + moaSessionId); - return true; - - } else { - Log.warn("Found SSO Session with ID="+ dbsession.getSessionid() - + " but this Session does not match to MOA Sesson ID=" + moaSessionId); - } - - return false; +// AuthenticatedSessionStore dbsession = result.get(0); +// +// +// if (dbsession.getSessionid().equals(moaSessionId) && dbsession.isAuthenticated()) { +// Log.info("Found SSO Session Cookie for MOA Session =" + moaSessionId); +// return true; +// +// } else { +// Log.warn("Found SSO Session with ID="+ dbsession.getSessionid() +// + " but this Session does not match to MOA Sesson ID=" + moaSessionId); +// } +// +// return false; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java new file mode 100644 index 000000000..4ae4e5c44 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java @@ -0,0 +1,82 @@ +package at.gv.egovernment.moa.id.util; + +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.KeySpec; + +import javax.crypto.Cipher; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; + +import at.gv.egovernment.moa.id.BuildException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.logging.Logger; + +public class SessionEncrytionUtil { + + static SecretKey secret = null; + + static { + try { + String key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey(); + + if (key != null) { + SecretKeyFactory factory; + + factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); + KeySpec spec = new PBEKeySpec(key.toCharArray(), "TestSALT".getBytes(), 1024, 128); + SecretKey tmp = factory.generateSecret(spec); + secret = new SecretKeySpec(tmp.getEncoded(), "AES"); + + } else { + Logger.warn("MOASession encryption is deaktivated."); + } + + } catch (Exception e) { + Logger.warn("MOASession encryption can not be inizialized.", e); + } + + } + + public static byte[] encrypt(byte[] data) throws BuildException { + Cipher cipher; + + if (secret != null) { + try { + cipher = Cipher.getInstance("AES/ECB/"+"ISO10126Padding"); + cipher.init(Cipher.ENCRYPT_MODE, secret); + + Logger.debug("Encrypt MOASession"); + return cipher.doFinal(data); + + } catch (Exception e) { + Logger.warn("MOASession is not encrypted",e); + throw new BuildException("MOASession is not encrypted", new Object[]{}, e); + } + } else + return data; + } + + public static byte[] decrypt(byte[] data) throws BuildException { + Cipher cipher; + + if (secret != null) { + try { + cipher = Cipher.getInstance("AES/ECB/"+"ISO10126Padding"); + cipher.init(Cipher.DECRYPT_MODE, secret); + + Logger.debug("Decrypt MOASession"); + return cipher.doFinal(data); + + } catch (Exception e) { + Logger.warn("MOASession is not decrypted",e); + throw new BuildException("MOASession is not decrypted", new Object[]{}, e); + } + } else + return data; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/legacy/LegacyHelper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/legacy/LegacyHelper.java new file mode 100644 index 000000000..03521cf2f --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/legacy/LegacyHelper.java @@ -0,0 +1,33 @@ +package at.gv.egovernment.moa.id.util.legacy; + +import javax.servlet.http.HttpServletRequest; + +import org.apache.commons.lang.StringEscapeUtils; + +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.WrongParametersException; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; + +public class LegacyHelper implements MOAIDAuthConstants{ + + public static boolean isUseMandateRequested(HttpServletRequest req) throws WrongParametersException { + + String useMandate = req.getParameter(PARAM_USEMANDATE); + useMandate = StringEscapeUtils.escapeHtml(useMandate); + if (!ParamValidatorUtils.isValidUseMandate(useMandate)) + throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12"); + + //check UseMandate flag + String useMandateString = null; + if ((useMandate != null) && (useMandate.compareTo("") != 0)) { + useMandateString = useMandate; + } else { + useMandateString = "false"; + } + + if (useMandateString.compareToIgnoreCase("true") == 0) + return true; + else + return false; + } +} diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index f5745873f..95bcad1ec 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -37,7 +37,8 @@ auth.16=Fehler bei Abarbeitung der Vollmacht in "{0}" auth.17=Vollmachtenmodus f�r nicht-�ffentlichen Bereich wird nicht unterst�tzt.
auth.18=Keine MOASessionID vorhanden
auth.19=Die Authentifizierung kann nicht passiv durchgef�hrt werden.
-auth.20=No valid MOA session found. Authentification process is abourted. +auth.20=No valid MOA session found. Authentification process is abourted.
+auth.21=Der Anmeldevorgang wurde durch den Benutzer abgebrochen. init.00=MOA ID Authentisierung wurde erfolgreich gestartet
init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m?glicherweise nicht verf?gbar
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/loginForm.html b/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html index 38ef53475..1228ba90e 100644 --- a/id/server/idserverlib/src/main/resources/resources/templates/loginForm.html +++ b/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html @@ -46,16 +46,16 @@ document.getElementById("metroDetected").style.display="block"; document.getElementById("localBKU").style.display="block"; - if (checkMandateSSO()) - return; +/* if (checkMandateSSO()) + return; */ setMandateSelection(); - setSSOSelection(); +/* setSSOSelection(); */ var iFrameURL = "#AUTH_URL#" + "?"; iFrameURL += "bkuURI=" + "#ONLINE#"; iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; - iFrameURL += "&SSO=" + document.getElementById("useSSO").value; +/* iFrameURL += "&SSO=" + document.getElementById("useSSO").value; */ iFrameURL += "&MODUL=" + "#MODUL#"; iFrameURL += "&ACTION=" + "#ACTION#"; @@ -65,16 +65,16 @@ function bkuHandyClicked() { document.getElementById("localBKU").style.display="none"; - if (checkMandateSSO()) - return; +/* if (checkMandateSSO()) + return; */ setMandateSelection(); - setSSOSelection(); +/* setSSOSelection(); */ var iFrameURL = "#AUTH_URL#" + "?"; iFrameURL += "bkuURI=" + "#HANDY#"; iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; - iFrameURL += "&SSO=" + document.getElementById("useSSO").value; +/* iFrameURL += "&SSO=" + document.getElementById("useSSO").value; */ iFrameURL += "&MODUL=" + "#MODUL#"; iFrameURL += "&ACTION=" + "#ACTION#"; @@ -84,11 +84,11 @@ function storkClicked() { document.getElementById("localBKU").style.display="none"; - if (checkMandateSSO()) - return; +/* if (checkMandateSSO()) + return; */ setMandateSelection(); - setSSOSelection(); +/* setSSOSelection(); */ var ccc = "AT"; var countrySelection = document.getElementById("cccSelection"); @@ -100,8 +100,8 @@ var iFrameURL = "#AUTH_URL#" + "?"; iFrameURL += "bkuURI=" + "#ONLINE#"; iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; - iFrameURL += "&ccc=" + ccc; - iFrameURL += "&SSO=" + document.getElementById("useSSO").value; + iFrameURL += "&CCC=" + ccc; +/* iFrameURL += "&SSO=" + document.getElementById("useSSO").value; */ iFrameURL += "&MODUL=" + "#MODUL#"; iFrameURL += "&ACTION=" + "#ACTION#"; @@ -135,7 +135,7 @@ } } - function setSSOSelection() { +/* function setSSOSelection() { document.getElementById("useSSO").value = "false"; var checkbox = document.getElementById("SSOCheckBox"); if (checkbox != null) { @@ -143,9 +143,9 @@ document.getElementById("useSSO").value = "true"; } } - } + } */ - function checkMandateSSO() { +/* function checkMandateSSO() { var sso = document.getElementById("SSOCheckBox"); var mandate = document.getElementById("mandateCheckBox"); @@ -158,7 +158,7 @@ } else { return false; } - } + } */ </script> </head> @@ -217,13 +217,13 @@ <td><a href="info_mandates.html" target="_blank" class="infobutton" style="margin-left: 5px" tabindex="5">i</a></td> </tr> - <tr> +<!-- <tr> <td><input tabindex="1" type="checkbox" name="SSO" style="vertical-align: middle; margin-right: 5px" id="SSOCheckBox"></td> - <td><label for="SSOCheckBox">mit SingleSignOn anmelden</label></td> + <td><label for="SSOCheckBox">Single Sign-On</label></td> <td></td> - </tr> + </tr> --> </table> </div> @@ -278,7 +278,7 @@ <form method="get" id="moaidform"> <input type="hidden" name="bkuURI" value="#LOCAL#"> <input type="hidden" name="useMandate" id="useMandate"> - <input type="hidden" name="SSO" id="useSSO"> +<!-- <input type="hidden" name="SSO" id="useSSO"> --> <input type="hidden" name="CCC" id="ccc"> <input type="hidden" name="MODUL" value="#MODUL#"> <input type="hidden" name="ACTION" value="#ACTION#"> diff --git a/id/server/idserverlib/src/main/resources/resources/templates/loginFormIFrame.html b/id/server/idserverlib/src/main/resources/resources/templates/loginFormIFrame.html new file mode 100644 index 000000000..3d39f9233 --- /dev/null +++ b/id/server/idserverlib/src/main/resources/resources/templates/loginFormIFrame.html @@ -0,0 +1,260 @@ +<html> +<head> + <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> + <meta content="text/css" http-equiv="Content-Style-Type"> + <link rel="stylesheet" type="text/css" href="#CONTEXTPATH#/css/index.css"> + + <script type="text/javascript"> + function isIE() { + return (/MSIE (\d+\.\d+);/.test(navigator.userAgent)); + } + + function isFullscreen() { + try { + return ((top.innerWidth == screen.width) && (top.innerHeight == screen.height)); + } catch (e) { + return false; + } + } + + function isActivexEnabled() { + var supported = null; + try { + supported = !!new ActiveXObject("htmlfile"); + } catch (e) { + supported = false; + } + return supported; + } + + function isMetro() { + if (!isIE()) + return false; + return !isActivexEnabled() && isFullscreen(); + } + + window.onload=function() { + document.getElementById("localBKU").style.display="block"; + return; + } + + function bkuLocalClicked() { + if (isMetro()) + document.getElementById("metroDetected").style.display="block"; + +/* if (checkMandateSSO()) + return; */ + + setMandateSelection(); +/* setSSOSelection(); */ + + document.getElementById("moaidform").submit(); + } + + function bkuOnlineClicked() { + if (isMetro()) + document.getElementById("metroDetected").style.display="block"; + +/* if (checkMandateSSO()) + return; */ + + setMandateSelection(); +/* setSSOSelection(); */ + + var iFrameURL = "#AUTH_URL#" + "?"; + iFrameURL += "bkuURI=" + "#ONLINE#"; + iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; + iFrameURL += "&SSO=" + document.getElementById("useSSO").value; + iFrameURL += "&MODUL=" + "#MODUL#"; + iFrameURL += "&ACTION=" + "#ACTION#"; + + generateIFrame(iFrameURL); + } + + function bkuHandyClicked() { + document.getElementById("localBKU").style.display="none"; + +/* if (checkMandateSSO()) + return; */ + + setMandateSelection(); +/* setSSOSelection(); */ + + var iFrameURL = "#AUTH_URL#" + "?"; + iFrameURL += "bkuURI=" + "#HANDY#"; + iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; + iFrameURL += "&SSO=" + document.getElementById("useSSO").value; + iFrameURL += "&MODUL=" + "#MODUL#"; + iFrameURL += "&ACTION=" + "#ACTION#"; + + generateIFrame(iFrameURL); + } + + function storkClicked() { + document.getElementById("localBKU").style.display="none"; + +/* if (checkMandateSSO()) + return; */ + + setMandateSelection(); +/* setSSOSelection(); */ + + var ccc = "AT"; + var countrySelection = document.getElementById("cccSelection"); + + if (countrySelection != null) { + ccc = document.getElementById("cccSelection").value; + } + + var iFrameURL = "#AUTH_URL#" + "?"; + iFrameURL += "bkuURI=" + "#ONLINE#"; + iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; + iFrameURL += "&CCC=" + ccc; + iFrameURL += "&SSO=" + document.getElementById("useSSO").value; + iFrameURL += "&MODUL=" + "#MODUL#"; + iFrameURL += "&ACTION=" + "#ACTION#"; + + generateIFrame(iFrameURL); + } + + function generateIFrame(iFrameURL) { + var el = document.getElementById("bkulogin"); + var parent = el.parentNode; + + var iframe = document.createElement("iframe"); + iframe.setAttribute("src", iFrameURL); + iframe.setAttribute("width", "220"); + iframe.setAttribute("height", "165"); + iframe.setAttribute("frameborder", "0"); + iframe.setAttribute("scrolling", "no"); + iframe.setAttribute("title", "Login"); + + parent.replaceChild(iframe, el); + +/* document.location.href=iFrameURL; */ + } + + function setMandateSelection() { + document.getElementById("useMandate").value = "false"; + var checkbox = document.getElementById("mandateCheckBox"); + if (checkbox != null) { + if (document.getElementById("mandateCheckBox").checked) { + document.getElementById("useMandate").value = "true"; + } + } + } + +/* function setSSOSelection() { + document.getElementById("useSSO").value = "false"; + var checkbox = document.getElementById("SSOCheckBox"); + if (checkbox != null) { + if (document.getElementById("SSOCheckBox").checked) { + document.getElementById("useSSO").value = "true"; + } + } + } + + function checkMandateSSO() { + var sso = document.getElementById("SSOCheckBox"); + var mandate = document.getElementById("mandateCheckBox"); + + + if (sso.checked && mandate.checked) { + alert("Anmeldung in Vertretung in kombination mit Single Sign-On wird aktuell noch nicht unterstützt!") + mandate.checked = false; + sso.checked = false; + return true; + } else { + return false; + } + } */ + </script> +</head> + + +<body> + <div id="leftcontent"> + <h2 id="tabheader" class="dunkel"> + Login mit Bürgerkarte + </h2> + <div id="bkulogin" class="hell"> + + <div id="mandateLogin" style="margin-top: 10px; margin-bottom: 10px"> + <table style="margin-left: auto; margin-right: auto;"> + <tr> + <td><input tabindex="1" type="checkbox" name="Mandate" + style="vertical-align: middle; margin-right: 5px" + id="mandateCheckBox"></td> + <td><label for="mandateCheckBox">in Vertretung anmelden</label></td> + <td><a href="info_mandates.html" target="_blank" + class="infobutton" style="margin-left: 5px" tabindex="5">i</a></td> + </tr> +<!-- <tr> + <td><input tabindex="1" type="checkbox" name="SSO" + style="vertical-align: middle; margin-right: 5px" + id="SSOCheckBox"></td> + <td><label for="SSOCheckBox">Single Sign-On</label></td> + <td></td> + </tr> --> + </table> + </div> + + <div id="bkukarte" class="hell"> + <button name="bkuButton" type="button" onClick="bkuOnlineClicked();">KARTE</button> + </div> + + <div id="bkuhandy" class="hell"> + <button name="bkuButton" type="button" onClick="bkuHandyClicked();">HANDY</button> + </div> + + <div id="localBKU" style="display:none" class="hell"> + <hr> + <form method="get" id="moaidform" action="#AUTH_URL#"> + <input type="hidden" name="bkuURI" value="#LOCAL#"> + <input type="hidden" name="useMandate" id="useMandate"> + <input type="hidden" name="SSO" id="useSSO"> + <input type="hidden" name="CCC" id="ccc"> + <input type="hidden" name="MODUL" value="#MODUL#"> + <input type="hidden" name="ACTION" value="#ACTION#"> + <input type="submit" size="400" value="lokale BKU" class="sendButton" style="margin-top: 5px;"> + </form> + <p style="margin-bottom: 0px; margin-top: 3px;"> + <small>Alternativ können Sie eine lokal installierte BKU verwenden.</small> + </p> + </div> + + <div id="stork" class="hell" align="center"> + <div id="leftcontent" style="margin-bottom:10px"> + <h2 id="tabheader" class="dunkel"> + Home Country Selection + </h2> + </div> + <p> + <select name="cccSelection" id="cccSelection" size="1" style="width: 120px; margin-right: 5px;" > + <option value="BE">België/Belgique</option> + <option value="EE">Eesti</option> + <option value="ES">España</option> + <option value="IS">Ísland</option> + <option value="IT">Italia</option> + <option value="LI">Liechtenstein</option> + <option value="LT">Lithuania</option> + <option value="PT">Portugal</option> + <option value="SI">Slovenija</option> + <option value="FI">Suomi</option> + <option value="SE">Sverige</option> + </select> + <button name="bkuButton" type="button" onClick="storkClicked();">Send</button> + <a href="info_stork.html" target="_blank" class="infobutton" style="color:#FFF">i</a> + </p> + </div> + </div> + + <div id="metroDetected" style="display:none" class="hell"> + <p> + Anscheinend verwenden Sie Internet Explorer im Metro-Modus. Wählen Sie bitte "Auf dem Desktop anzeigen" aus den Optionen um die Karten-Anmeldung starten zu können. + </p> + </div> + + </div> +</body> +</html> diff --git a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html b/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html index 1215c2b58..ccd85a38a 100644 --- a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html +++ b/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html @@ -31,7 +31,7 @@ --> </style> - <form action="${action}" method="post"> + <form action="${action}" method="post" target="_parent"> <div> #if($RelayState)<input type="hidden" name="RelayState" value="${RelayState}"/>#end diff --git a/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html b/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html new file mode 100644 index 000000000..c4b7196b1 --- /dev/null +++ b/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html @@ -0,0 +1,104 @@ +<html> +<head> + <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> + <meta content="text/css" http-equiv="Content-Style-Type"> + <link rel="stylesheet" type="text/css" href="#CONTEXTPATH#/css/index.css"> + <link type="text/css" rel="stylesheet" href="#CONTEXTPATH#/css/2.0/stammzahl.css"> + <link type="text/css" rel="stylesheet" href="#CONTEXTPATH#/css/2.0/stylesnew.css"> + <link type="text/css" rel="stylesheet" href="#CONTEXTPATH#/css/2.0/stylesinput.css"> + +</head> + + +<body> + <div class="pageWidth"> + + <div id="pagebase"> + <div id="page"> + + <div id="header" class="header clearfix"> + <h1 class="main_header">MOA-ID 2.0 - Login Preview</h1> + +<!-- <ul id="servicenav"> + <li><a href="http://www.dsk.gv.at">Datenschutzkommission<span class="hidden">.</span></a></li> + <li><a href="http://www.stammzahlenregister.gv.at/site/5109/default.aspx">Stammzahlenregister<span class="hidden">.</span></a></li> + <li><a href="http://www.dsk.gv.at/DesktopDefault.aspx?alias=dvr">Datenverarbeitungsregister<span class="hidden">.</span></a></li> + <li><a href="http://www.dsk.gv.at/DesktopDefault.aspx?alias=dsken" lang="en" class="last-item">English<span class="hidden">.</span></a></li> + </ul> --> + + <div id="mainnavjump"></div> + <p id="homelink"><img src="#CONTEXTPATH#/img/2.0/logo.png" style="width: 250px" alt="EGIZ"></p> + <ul id="mainnav" class="clearfix"> +<!-- <li><a href="http://www2.egiz.gv.at">Home<span class="hidden">.</span></a></li> --> +<!-- <li><a href="http://www.stammzahlenregister.gv.at/site/5970/default.aspx">bPK<span class="hidden">.</span></a></li> + <li><a href="http://www.stammzahlenregister.gv.at/site/5981/default.aspx">Ergänzungsregister<span class="hidden">.</span></a></li> + <li class="selected"><a href="http://www.stammzahlenregister.gv.at/site/5983/default.aspx" class="current">Vollmachten<span class="hidden"> (gewählt)</span><span class="hidden">.</span></a></li> + <li><a href="http://www.stammzahlenregister.gv.at/site/6001/default.aspx">Veröffentlichungen<span class="hidden">.</span></a></li> --> + </ul> + + </div> + + + <br class="clearAll"> + + <div id="viewcontrol" class="switch"> + <div id="page1" class="case selected-case"> + <div style="margin-left: 0px;"> + +<!-- <h2 class="OA_header">Anmeldung an: #OAName#</h2> --> + + <div id="main" class="full"> + <div id="leftcontent" class="full"> + <h2 id="tabheader" class="dunkel full"> + Anmeldeinformationen: + + </h2> + + <div id="selectArea" class="hell full"> + <b>Anmeldung an:</b> + <p>#OAName#</p> + + +<!-- <div class="hell"> --> + <div id="leftbutton" class="hell full"> + <form method="post" id="moaidform_yes" action="#URL#"> + <input type="hidden" name="value" value="true"> + <input type="hidden" name="mod" value="#MODUL#"> + <input type="hidden" name="action" value="#ACTION#"> + <input type="submit" size="400" value="Ja" class="setAssertionButton_full"> + </form> + </div> + <div id="rightbutton" class="hell full"> + <form method="post" id="moaidform_no" action="#URL#"> + <input type="hidden" name="value" value="false"> + <input type="hidden" name="mod" value="#MODUL#"> + <input type="hidden" name="action" value="#ACTION#"> + <input type="submit" size="400" value="Nein" class="setAssertionButton_full"> + </form> + </div> + + </div> + </div> + </div> + </div> + </div> + + <br style="clear: both"> + <div id="footer" class="clearfix"> + +<!-- <h2 class="hidden">Über die Website der Stammzahlenregisterbehörde</h2> + <ul> + <li><a href="http://www.stammzahlenregister.gv.at/site/5115/Default.aspx" class="first-item">Impressum<span class="hidden">.</span></a></li> + <li><a href="http://www.stammzahlenregister.gv.at/site/6004/Default.aspx" lang="en">Sitemap<span class="hidden">.</span></a></li> + + <li><a href="http://www.stammzahlenregister.gv.at/site/5122/Default.aspx">Kontakt<span class="hidden">.</span></a></li> + <li><a href="http://www.stammzahlenregister.gv.at/site/6005/Default.aspx">Hilfe<span class="hidden">.</span></a></li> + </ul> --> + </div> + + + </div> + </div> + </div> +</body> +</html> diff --git a/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormIFrame.html b/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormIFrame.html new file mode 100644 index 000000000..46e8f46d8 --- /dev/null +++ b/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormIFrame.html @@ -0,0 +1,42 @@ +<html> +<head> + <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> + <meta content="text/css" http-equiv="Content-Style-Type"> + <link rel="stylesheet" type="text/css" href="#CONTEXTPATH#/css/index.css"> +</head> + + +<body> + <div id="leftcontent"> + <h2 id="tabheader" class="dunkel"> + Anmeldeinformationen: + + </h2> + + <div id="selectArea" class="hell"> + <b>Anmeldung an:</b> + <p>#OAName#</p> + + +<!-- <div class="hell"> --> + <div id="leftbutton" class="hell"> + <form method="post" id="moaidform_yes" action="#URL#"> + <input type="hidden" name="value" value="true"> + <input type="hidden" name="mod" value="#MODUL#"> + <input type="hidden" name="action" value="#ACTION#"> + <input type="submit" size="400" value="Ja" class="setAssertionButton"> + </form> + </div> + <div id="rightbutton" class="hell"> + <form method="post" id="moaidform_no" action="#URL#"> + <input type="hidden" name="value" value="false"> + <input type="hidden" name="mod" value="#MODUL#"> + <input type="hidden" name="action" value="#ACTION#"> + <input type="submit" size="400" value="Nein" class="setAssertionButton"> + </form> + </div> + + </div> + </div> +</body> +</html> |