diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-05-15 09:08:44 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-05-15 09:08:44 +0200 |
commit | aae0d003526cb8665df93bb715ba126dd12a473d (patch) | |
tree | 8de60c929677823f5af2c2e74a01c2bb657ff435 /id/server/idserverlib/src/main | |
parent | 67a903a6a33bd8b40e84a12a3ba9c556eb0eb275 (diff) | |
download | moa-id-spss-aae0d003526cb8665df93bb715ba126dd12a473d.tar.gz moa-id-spss-aae0d003526cb8665df93bb715ba126dd12a473d.tar.bz2 moa-id-spss-aae0d003526cb8665df93bb715ba126dd12a473d.zip |
add additional errorcodes if SAML request validation failed
Diffstat (limited to 'id/server/idserverlib/src/main')
9 files changed, 57 insertions, 18 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 4eba83ad5..a3827ab73 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -36,6 +36,7 @@ import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; @@ -56,6 +57,7 @@ import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl; +import at.gv.egovernment.moa.id.util.ErrorResponseUtils; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.legacy.LegacyHelper; @@ -310,11 +312,23 @@ public class DispatcherServlet extends AuthServlet{ StatisticLogger logger = StatisticLogger.getInstance(); logger.logErrorOperation(e, e.getErrorRequest()); return; - - } catch (MOAIDException e) { + + }catch (InvalidProtocolRequestException e) { + ErrorResponseUtils utils = ErrorResponseUtils.getInstance(); + String code = utils.mapInternalErrorToExternalError(e.getMessageId()); + String descr = e.getMessage(); + Logger.error("Protocol validation FAILED!"); + resp.setContentType("text/html;charset=UTF-8"); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Protocol validation FAILED!" + + "(Errorcode=" + code + + " | Description=" + descr + ")"); + return; + } catch (MOAIDException e) { Logger.error("Failed to generate a valid protocol request!"); resp.setContentType("text/html;charset=UTF-8"); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!"); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!" + + "(Errorcode=6000" + +" | Description=Das Authentifizierungsprotokoll wurde nicht erkannt oder wird nicht unterst\u00FCzt" + ")"); return; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 8732409b5..863bfe501 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -22,8 +22,6 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x; -import iaik.pkcs.pkcs11.objects.Object; - import java.io.IOException; import java.util.ArrayList; import java.util.HashMap; @@ -52,12 +50,15 @@ import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.ws.security.SecurityPolicyException; import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.signature.SignableXMLObject; import edu.emory.mathcs.backport.java.util.Arrays; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; @@ -191,16 +192,20 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { return null; } try { - InboundMessage msg = (InboundMessage) decoder.decode(request, response); + if (MiscUtil.isEmpty(msg.getEntityID())) { + throw new InvalidProtocolRequestException("pvp2.20", new Object[] {}); + + } + if(!msg.isVerified()) { SAMLVerificationEngine engine = new SAMLVerificationEngine(); engine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); msg.setVerified(true); } - + if (msg instanceof MOARequest && ((MOARequest)msg).getSamlRequest() instanceof AuthnRequest) return preProcessAuthRequest(request, response, (MOARequest) msg); @@ -252,9 +257,23 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { throw new MOAIDException("Unsupported PVP21 message", new Object[] {}); } - } catch (PVP2Exception e) { throw e; + + } catch (SecurityPolicyException e) { + String samlRequest = request.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID protocol request: " + samlRequest, e); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + + } catch (SecurityException e) { + String samlRequest = request.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID protocol request: " + samlRequest, e); + throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); + + } catch (InvalidProtocolRequestException e) { + String samlRequest = request.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID protocol request: " + samlRequest, e); + throw e; } catch (Throwable e) { String samlRequest = request.getParameter("SAMLRequest"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java index 3094abba8..6080f8a33 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java @@ -36,8 +36,7 @@ public class MOAURICompare implements URIComparator { this.serviceURL = serviceURL; } - public boolean compare(String uri1, String uri2) { - + public boolean compare(String uri1, String uri2) { if (this.serviceURL.equals(uri1)) return true; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index f5dba014b..8fba6cde0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -148,7 +148,7 @@ public class RedirectBinding implements IDecoder, IEncoder { .setInboundMessageTransport(new HttpServletRequestAdapter(req)); decode.decode(messageContext); - + messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index 048c7f14c..75332cfea 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -79,7 +79,7 @@ public class SoapBinding implements IDecoder, IEncoder { if (!xmlElemList.isEmpty()) { SignableXMLObject attrReq = (SignableXMLObject) xmlElemList.get(0); MOARequest request = new MOARequest(attrReq, getSAML2BindingName()); - + request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); request.setVerified(false); return request; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index fde453920..6388042d9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -51,6 +51,7 @@ import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.SignatureTrustEngine; import org.opensaml.xml.validation.ValidationException; +import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; @@ -91,11 +92,11 @@ public class SAMLVerificationEngine { try { if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) { - throw new Exception("Signature was either invalid or signing key could not be established as trusted"); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } catch (SecurityException e) { - // Indicates processing error evaluating the signature e.printStackTrace(); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } @@ -116,11 +117,11 @@ public class SAMLVerificationEngine { try { if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) { - throw new Exception("Signature was either invalid or signing key could not be established as trusted"); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } catch (SecurityException e) { - // Indicates processing error evaluating the signature - e.printStackTrace(); + e.printStackTrace(); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java index 778351d1f..aff7e5057 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java @@ -42,7 +42,7 @@ public class ErrorResponseUtils { private static ErrorResponseUtils instance = null; private static final String[] DEFAULT_MESSAGE_RESOURCES = - { "resources/properties/id_messages" }; + { "resources/properties/protocol_response_statuscodes" }; private static final Locale[] DEFAULT_MESSAGE_LOCALES = new Locale[] { new Locale("de", "AT") }; private Messages messages = null; diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 603815154..c8cca157d 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -243,6 +243,9 @@ pvp2.16=Fehler beim verschl\u00FCsseln der PVP2 Assertion pvp2.17=Der QAA Level {0} entspricht nicht dem angeforderten QAA Level {1}
pvp2.18=Es konnten nicht alle Single Sign-On Sessions beendet werden.
pvp2.19=Der Single LogOut Vorgang musste wegen eines unkorregierbaren Fehler abgebrochen werden.
+pvp2.20=Für die im Request angegebene EntityID konnten keine g\u00FCltigen Metadaten gefunden werden.
+pvp2.21=Die Signature des Requests konnte nicht g\u00FCltig validiert werden.
+pvp2.22=Der Request konnte nicht g\u00FCltig validiert werden (Fehler={0}).
oauth20.01=Fehlerhafte redirect url
oauth20.02=Fehlender Parameter "{0}"
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index 99be5df59..2a55ea64c 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -173,6 +173,9 @@ pvp2.06=6100 pvp2.13=9199 pvp2.16=6101 pvp2.17=6102 +pvp2.20=6103 +pvp2.21=6104 +pvp2.22=6105 oauth20.01=6200 oauth20.06=1000 |