authorThomas Lenz <tlenz@iaik.tugraz.at>2018-05-16 09:29:09 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2018-05-16 09:29:09 +0200
commitc61850c5607d066a3c322794c1220f26b31103a0 (patch)
tree8e91dbb441f5af6879c4314b38159b7ed9b4add4 /id/server/idserverlib/src/main
parent44bce0049b598604cc1a30f419e936c6b5fc59cf (diff)
add initial version of Security-Layer 2.0 Authentication module
Diffstat (limited to 'id/server/idserverlib/src/main')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java23
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java37
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties9
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties6
7 files changed, 86 insertions, 4 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
index c78361eda..583bb2ab4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
@@ -84,7 +84,9 @@ public class DataURLBuilder {
dataURL = authBaseURL + authServletName;
- dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, sessionID);
+ if (sessionID != null)
+ dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, sessionID);
+
return dataURL;
}
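Review bot: The new null guard silently drops the pending-request-ID parameter from the data URL, and nothing in the hunk says why a null `sessionID` is now a legitimate input; a reader will assume a bug elsewhere. Add a comment on the guard stating the intended case, e.g. `// a null sessionID is allowed: the caller then carries the pending-request ID through another channel (TODO: name it)`, replacing the placeholder with the actual reason if the new SL2.0 module is the caller. Consider also rejecting the empty string (`MiscUtil.isNotEmpty(sessionID)`, which this project uses elsewhere) so that an empty correlation parameter is not appended. The method signature is outside the hunk.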
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index f61b9a4da..50cafb4f6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -134,7 +134,12 @@ public abstract class AbstractController extends MOAIDAuthConstants {
try {
//switch to protocol-finalize method to generate a protocol-specific error message
-
+
+ //log error directly in debug mode
+ if (Logger.isDebugEnabled())
+ Logger.warn(loggedException.getMessage(), loggedException);
+
+
//put exception into transaction store for redirect
String key = Random.nextLongRandom();
if (pendingReq != null) {
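Review bot: The added log call is gated on `Logger.isDebugEnabled()` but emits at WARN, so the line appears at WARN only when the logger is at DEBUG, which is the opposite of what a reader expects from the comment "log error directly in debug mode". Either make the level match the guard, `Logger.debug(loggedException.getMessage(), loggedException);`, or drop the guard and warn unconditionally, depending on whether the full stack trace is wanted in production logs. Note that the exception is also stored in the transaction store and rendered by the protocol-finalize path, so unconditional WARN would log it twice. The enclosing method starts outside the hunk.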
@@ -147,7 +152,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
new ExceptionContainer(null, loggedException),-1);
}
-
+
//build up redirect URL
String redirectURL = null;
redirectURL = ServletUtils.getBaseUrl(req);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
index 32f103ca7..18641c090 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
@@ -55,7 +55,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont
// wake up next task
processEngine.signal(pendingReq);
- } catch (Exception ex) {
+ } catch (Exception ex) {
handleError(null, ex, req, resp, pendingReq);
} finally {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 7f183c5eb..a24683545 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -92,6 +92,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
public class AuthenticationManager extends MOAIDAuthConstants {
private static List<String> reqParameterWhiteListeForModules = new ArrayList<String>();
+ private static List<String> reqHeaderWhiteListeForModules = new ArrayList<String>();
public static final String MOA_SESSION = "MoaAuthenticationSession";
public static final String MOA_AUTHENTICATED = "MoaAuthenticated";
@@ -321,6 +322,16 @@ public class AuthenticationManager extends MOAIDAuthConstants {
}
+ /**
+ * Add a request header to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext}
+ *
+ * @param httpReqParam http header name, but never null
+ */
+ public void addHeaderNameToWhiteList(String httpReqParam) {
+ if (MiscUtil.isNotEmpty(httpReqParam))
+ reqHeaderWhiteListeForModules.add(httpReqParam.toLowerCase());
+
+ }
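Review bot: The Javadoc does not match the code: it speaks of "parameters" and names the argument `httpReqParam`, but the method whitelists an HTTP header name, and the text "but never null" describes a precondition the body does not rely on since it tolerates null via `MiscUtil.isNotEmpty`. Suggested wording: `Adds a request header name to the whitelist; values of whitelisted headers are copied into the {@link ExecutionContext} when a process is started. @param headerName HTTP header name (case-insensitive); null or empty is ignored`. The list is a static `ArrayList` appended to from an instance method with no synchronization; if modules register headers only during startup that is fine, but it is worth stating in the Javadoc, because the same list is read on every request in the authentication path.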
/**
* Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated
@@ -422,6 +433,18 @@ public class AuthenticationManager extends MOAIDAuthConstants {
}
}
+ //add additional http request parameter to context
+ if (!reqHeaderWhiteListeForModules.isEmpty()) {
+ Enumeration<String> reqHeaderNames = httpReq.getHeaderNames();
+ while(reqHeaderNames.hasMoreElements()) {
+ String paramName = reqHeaderNames.nextElement();
+ if (MiscUtil.isNotEmpty(paramName) && reqHeaderWhiteListeForModules.contains(paramName.toLowerCase()) ) {
+ executionContext.put(paramName,
+ StringEscapeUtils.escapeHtml(httpReq.getHeader(paramName)));
+ }
+ }
+ }
+
//start process engine
startProcessEngine(pendingReq, executionContext);
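Review bot: `httpReq.getHeaderNames()` may return `null` per the Servlet API when the container denies access to header information, so the `while` loop would throw a NullPointerException; guard it with `if (reqHeaderNames != null)` before iterating. The whitelist holds lower-cased names but the context key is the header name as the client sent it, so a module must look it up case-insensitively or with the exact client casing — whichever is intended should be stated in a comment. HTML-escaping a header value before storing it in the context is also questionable: if the whitelisted header carries a token or JSON for the new SL2.0 module (I cannot see the consumer), `escapeHtml` will alter characters such as `&`, `<` and `"` before validation, and escaping should instead happen where the value is rendered. The comment `//add additional http request parameter to context` should say "header".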
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
index cd700c74a..611dff3b1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
@@ -89,6 +89,43 @@ public class SSLUtils {
}
+ public static SSLSocketFactory getSSLSocketFactory(
+ ConfigurationProvider conf, String url )
+ throws IOException, GeneralSecurityException, ConfigurationException, PKIException {
+
+ // else create new SSLSocketFactory
+ String trustStoreURL = conf.getTrustedCACertificates();
+
+ if (trustStoreURL == null)
+ throw new ConfigurationException(
+ "config.08", new Object[] {"TrustedCACertificates"});
+
+ String acceptedServerCertURL = "";
+
+ //INFO: MOA-ID 2.x always use defaultChainingMode
+
+ try {
+ SSLSocketFactory ssf = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
+ url,
+ null,
+ trustStoreURL,
+ acceptedServerCertURL,
+ AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(),
+ AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(),
+ AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder(),
+ null,
+ null,
+ "pkcs12");
+
+ return ssf;
+
+ } catch (SSLConfigurationException e) {
+ throw new ConfigurationException(e.getErrorID(), e.getParameters(), e.getE());
+
+ }
+ }
+
+
/**
* Creates an <code>SSLSocketFactory</code> which utilizes an
* <code>IAIKX509TrustManager</code> for the given trust store,
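Review bot: The new `getSSLSocketFactory(ConfigurationProvider, String)` reads only the trust store from `conf` and takes chaining mode, revocation checking and revocation order from `AuthConfigurationProviderFactory.getInstance()`, so if a caller passes a provider that is not that singleton the TLS policy comes from a different configuration than the trust anchors do; either use `conf` for all of them (if `ConfigurationProvider` exposes those getters) or drop the parameter and document that the global configuration is used. The leading `// else create new SSLSocketFactory` refers to a branch that does not exist in this method, which suggests it was copied from a caching variant; as written a fresh factory (and trust-store load) is built on every call, which callers should know. `acceptedServerCertURL` is the empty string, so no server-certificate pinning is configured and trust rests entirely on the CA store — a short Javadoc should state this, along with `@param url` and the thrown exception types.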
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 4205f2175..9cc4b0b5e 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -336,3 +336,12 @@ slo.02=Es wurde keine aktive SSO Session gefunden oder Sie sind bei keiner Onlin
process.01=Fehler beim Ausf\u00FChren des Prozesses.
process.02=Fehler beim Erstellen eines geeigneten Prozesses f\u00FCr die SessionID {0}.
process.03=Fehler beim Weiterf\u00FChren es Prozesses. Msg:{0}
+
+sl20.00=Allgemeiner Fehler w\u00e4hrend SL2.0 Authentifizierung. Msg: {0}
+sl20.01=Fehler beim Generieren des SL2.0 Kommandos. Msg: {0}
+sl20.02=Fehler beim Parsen des SL2.0 Kommandos. Msg: {0}
+sl20.03=Fehlende Konfiguration im SL2.0 Modul. Msg: {0}
+sl20.04=Http request enth\u00e4lt keinen SL2.0 Transportcontainer.
+sl20.05=Fehler beim Validieren eines JWS oder JWE Tokens. Reason: {0}.
+sl20.06=Http transport-binding error. Reason: {0}
+
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index 0a37fdc91..6de581cae 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -253,6 +253,12 @@ oauth20.06=1000
oauth20.09=9005
oauth20.10=9102
+sl20.00=14999
+sl20.01=14000
+sl20.02=14001
+sl20.03=14800
+sl20.04=14001
+
##Map MIS/BKU statuscodes to MOA-ID-Auth statuscodes
mis.301=1005
bku.6001=1005 \ No newline at end of file
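Review bot: The companion message file adds `sl20.05` and `sl20.06` but this hunk maps only `sl20.00` to `sl20.04` to status codes, so a JWS/JWE validation or transport-binding error has no protocol response code unless the lookup falls back to a default I cannot see here; add `sl20.05=14002` and `sl20.06=14003` (or whatever codes the SL2.0 range reserves). `sl20.02` and `sl20.04` both map to `14001` while `sl20.00` maps to `14999`, which is presumably intentional for a generic error, but a one-line comment above the block naming the 14xxx range as SL2.0 would make that explicit.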