diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-01-15 16:55:45 +0100 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-01-15 16:55:45 +0100 |
commit | 52cfe0524d896d65254f480bd975554be3f2cb14 (patch) | |
tree | c9a363dcc4bb668d0569191b54fc1e7fcaf6e080 /id/server/idserverlib/src | |
parent | 539018744865c4b10f689672f11f9ae0ddf65fef (diff) | |
parent | 52a855d948a6c3090b5d696774896deac95b621f (diff) | |
download | moa-id-spss-52cfe0524d896d65254f480bd975554be3f2cb14.tar.gz moa-id-spss-52cfe0524d896d65254f480bd975554be3f2cb14.tar.bz2 moa-id-spss-52cfe0524d896d65254f480bd975554be3f2cb14.zip |
Merge branch 'multiple_IDP_publicURLPrefixes' into moa-id-3.0.0-snapshot
Conflicts:
id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
Diffstat (limited to 'id/server/idserverlib/src')
31 files changed, 357 insertions, 112 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java index 899b0fd15..d4350f97b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java @@ -95,6 +95,9 @@ public class DataURLBuilder { // dataURL = individualDataURLPrefix + authServletName; // } else + if (!authBaseURL.endsWith("/")) + authBaseURL += "/"; + dataURL = authBaseURL + authServletName; dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_SESSIONID, sessionID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java index 02aaac8cb..d14910319 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java @@ -147,6 +147,9 @@ public class SendAssertionFormBuilder { value = value.replace(ACTION, action); value = value.replace(ID, id); value = value.replace(OANAME, oaParam.getFriendlyName()); + + if (contextpath.endsWith("/")) + contextpath = contextpath.substring(0, contextpath.length() - 1); value = value.replace(CONTEXTPATH, contextpath); value = FormBuildUtils.customiceLayoutBKUSelection(value, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java index 8429baf23..4a6ecd56a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java @@ -152,8 +152,7 @@ public class CreateInterfedeartionRequestTask extends AbstractAuthServletTask { authReq.setAssertionConsumerServiceIndex(0); authReq.setIssueInstant(new DateTime()); Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath(); - issuer.setValue(serviceURL); + issuer.setValue(pendingReq.getAuthURLWithOutSlash()); issuer.setFormat(NameIDType.ENTITY); authReq.setIssuer(issuer); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index 004961116..e659c9447 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -56,7 +56,8 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ String ccc, String module, String action, - HttpServletRequest req) throws WrongParametersException, MOAIDException { + HttpServletRequest req, + IRequest protocolReq) throws WrongParametersException, MOAIDException { String targetFriendlyName = null; @@ -223,20 +224,15 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.05"); moasession.setOAURLRequested(oaURL); - + //check AuthURL - String authURL = req.getScheme() + "://" + req.getServerName(); - if ((req.getScheme().equalsIgnoreCase("https") && req.getServerPort()!=443) || (req.getScheme().equalsIgnoreCase("http") && req.getServerPort()!=80)) { - authURL = authURL.concat(":" + req.getServerPort()); - } - authURL = authURL.concat(req.getContextPath() + "/"); - + String authURL = protocolReq.getAuthURL(); if (!authURL.startsWith("https:") && !AuthConfigurationProviderFactory.getInstance().isHTTPAuthAllowed()) throw new AuthenticationException("auth.07", new Object[] { authURL + "*" }); //set Auth URL from configuration - moasession.setAuthURL(AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + "/"); + moasession.setAuthURL(authURL); //check and set SourceID if (oaParam.getSAML1Parameter() != null) { @@ -318,7 +314,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ oaURL = request.getOAURL(); target = request.getTarget(); - parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, modul, action, req); + parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, modul, action, req, request); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java index c1e084a59..53187088e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java @@ -60,6 +60,7 @@ import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.moduls.RequestStorage; import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -85,14 +86,14 @@ public class LogOutServlet extends AuthServlet { if (MiscUtil.isEmpty(redirectUrl)) { //set default redirect Target Logger.debug("Set default RedirectURL back to MOA-ID-Auth"); - redirectUrl = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); + redirectUrl = HTTPUtils.extractAuthURLFromRequest(req); } else { //return an error if RedirectURL is not a active Online-Applikation OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(redirectUrl); if (oa == null) { Logger.info("RedirctURL does not match to OA configuration. Set default RedirectURL back to MOA-ID-Auth"); - redirectUrl = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); + redirectUrl = HTTPUtils.extractAuthURLFromRequest(req); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java index 7dd8645c6..a914659b0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java @@ -36,6 +36,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.util.FormBuildUtils; +import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.URLEncoder; @@ -64,8 +65,10 @@ public class RedirectServlet extends AuthServlet{ OAAuthParameter oa = null; String redirectTarget = DEFAULT_REDIRECTTARGET; try { - oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url); - if (oa == null && !url.startsWith(AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix())) { + oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url); + String authURL = HTTPUtils.extractAuthURLFromRequest(req); + + if (oa == null && !AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().contains(authURL)) { resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid"); return; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java index c98a7d537..47abf78db 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java @@ -81,7 +81,13 @@ public interface AuthConfiguration extends ConfigurationProvider{ public boolean isAdvancedLoggingActive(); - public String getPublicURLPrefix(); + /** + * Returns the PublicURLPrefix. + * + * @return the PublicURLPrefix (one or more) of this IDP instance. All publicURLPrefix URLs are ends without / + * @throws ConfigurationException if no PublicURLPrefix is found. + */ + public List<String> getPublicURLPrefix() throws ConfigurationException; public boolean isPVP2AssertionEncryptionActive(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java index 645831479..d3c26cdbe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java @@ -6,6 +6,7 @@ import java.io.FileNotFoundException; import java.io.IOException; import java.net.MalformedURLException; import java.net.URI; +import java.net.URL; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; @@ -23,6 +24,7 @@ import org.springframework.context.support.ClassPathXmlApplicationContext; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.commons.config.persistence.MOAIDConfiguration; +import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConfigurationProviderImpl; import at.gv.egovernment.moa.id.config.ConfigurationUtils; @@ -791,20 +793,47 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide return Boolean.valueOf(prop); } - /** - * Returns the PublicURLPrefix. NOTE: returns {@code null} if no PublicURLPrefix is set. - * - * @return the PublicURLPrefix or {@code null} - */ - public String getPublicURLPrefix() { - try { - return configuration.getStringValue( - MOAIDConfigurationConstants.GENERAL_PUBLICURLPREFIX); + public List<String> getPublicURLPrefix() throws ConfigurationException{ + try { + String publicURLPrefixList = configuration.getStringValue( + MOAIDConfigurationConstants.GENERAL_PUBLICURLPREFIX); + List<String> returnValues = new ArrayList<String>(); + if (publicURLPrefixList != null) { + publicURLPrefixList = KeyValueUtils.normalizeCSVValueString(publicURLPrefixList); + List<String> publicURLPrefixArray = Arrays.asList(publicURLPrefixList.split(",")); + Logger.trace("Found " + publicURLPrefixArray.size() + " PublicURLPrefix in configuration."); + + + for (String el : publicURLPrefixArray) { + try { + new URL(el); + if (el.endsWith("/")) + returnValues.add(el.substring(0, el.length()-1)); + else + returnValues.add(el); + + } catch (MalformedURLException e) { + Logger.warn("IDP PublicURLPrefix URL " + el + " is not a valid URL", e); + } + } + } + + if (returnValues.size() > 0) + return returnValues; + + else { + Logger.warn("MOA-ID PublicURLPrefix is not found in configuration."); + throw new ConfigurationException("config.08", new Object[]{"IDP PublicURLPrefix"}); + + } + } catch (at.gv.egiz.components.configuration.api.ConfigurationException e) { Logger.warn("MOA-ID PublicURLPrefix can not be read from configuration.", e); - return null; + throw new ConfigurationException("config.08", new Object[]{"IDP PublicURLPrefix"}, e); + } + } /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java index d1e04e107..a4bba8b19 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java @@ -75,6 +75,7 @@ public class SLOInformationContainer implements Serializable { if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) activeBackChannelOAs.put(oa.getOaurlprefix(), new SLOInformationImpl( + oa.getAuthURL(), oa.getAssertionSessionID(), oa.getUserNameID(), oa.getUserNameIDFormat(), @@ -84,6 +85,7 @@ public class SLOInformationContainer implements Serializable { else activeFrontChannalOAs.put(oa.getOaurlprefix(), new SLOInformationImpl( + oa.getAuthURL(), oa.getAssertionSessionID(), oa.getUserNameID(), oa.getUserNameIDFormat(), @@ -123,6 +125,7 @@ public class SLOInformationContainer implements Serializable { activeFrontChannalOAs.put(el.getIdpurlprefix(), new SLOInformationImpl( + el.getAuthURL(), el.getSessionIndex(), el.getUserNameID(), NameID.TRANSIENT, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java index 55b213702..55a56056d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java @@ -39,17 +39,23 @@ public class SLOInformationImpl implements SLOInformationInterface, Serializable private String nameIDFormat = null; private String binding = null; private String serviceURL = null; + private String authURL = null; - public SLOInformationImpl(String sessionID, String nameID, String nameIDFormat, String protocolType) { - new SLOInformationImpl(sessionID, nameID, nameIDFormat, protocolType, null); + public SLOInformationImpl(String authURL, String sessionID, String nameID, String nameIDFormat, String protocolType) { + new SLOInformationImpl(authURL, sessionID, nameID, nameIDFormat, protocolType, null); } - public SLOInformationImpl(String sessionID, String nameID, String nameIDFormat, String protocolType, SingleLogoutService sloService) { + public SLOInformationImpl(String authURL, String sessionID, String nameID, String nameIDFormat, String protocolType, SingleLogoutService sloService) { this.sessionIndex = sessionID; this.nameID = nameID; this.nameIDFormat = nameIDFormat; this.protocolType = protocolType; + if (authURL.endsWith("/")) + this.authURL = authURL.substring(0, authURL.length()-1); + else + this.authURL = authURL; + if (sloService != null) { this.binding = sloService.getBinding(); this.serviceURL = sloService.getLocation(); @@ -148,6 +154,13 @@ public class SLOInformationImpl implements SLOInformationInterface, Serializable public String getServiceURL() { return serviceURL; } + + /** + * @return the authURL from requested IDP without ending / + */ + public String getAuthURL() { + return authURL; + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 771c9a35e..1f4612dca 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -46,6 +46,7 @@ import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; +import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; @@ -364,7 +365,10 @@ public class DispatcherServlet extends AuthServlet{ } catch (AuthnRequestValidatorException e) { //log Error Message StatisticLogger logger = StatisticLogger.getInstance(); - logger.logErrorOperation(e, e.getErrorRequest()); + logger.logErrorOperation(e, e.getErrorRequest()); + + //TODO: maybe add some error message handling??? + return; }catch (InvalidProtocolRequestException e) { @@ -377,6 +381,13 @@ public class DispatcherServlet extends AuthServlet{ "(Errorcode=" + code + " | Description=" + descr + ")"); return; + } catch (ConfigurationException e) { + resp.setContentType("text/html;charset=UTF-8"); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!" + + "(Errorcode=9199" + +" | Description="+ e.getMessage() + ")"); + return; + } catch (MOAIDException e) { Logger.error("Failed to generate a valid protocol request!"); resp.setContentType("text/html;charset=UTF-8"); @@ -544,7 +555,7 @@ public class DispatcherServlet extends AuthServlet{ try { //Store OA specific SSO session information AuthenticationSessionStoreage.addSSOInformation(moasessionID, - newSSOSessionId, assertionID, protocolRequest.getOAURL()); + newSSOSessionId, assertionID, protocolRequest); } catch (AuthenticationException e) { Logger.warn("SSO Session information can not be stored -> SSO is not enabled!"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 39cb5b9c8..b29220af2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -195,7 +195,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { } catch (MOADatabaseException e) { Logger.warn("Delete MOASession FAILED."); - sloContainer.putFailedOA(AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix()); + sloContainer.putFailedOA(pvpReq.getAuthURL()); } @@ -258,8 +258,8 @@ public class AuthenticationManager extends MOAIDAuthConstants { AssertionStorage.getInstance().put(relayState, sloContainer); - String timeOutURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() - + "/idpSingleLogout" + String timeOutURL = pvpReq + + "idpSingleLogout" + "?restart=" + relayState; VelocityContext context = new VelocityContext(); @@ -381,7 +381,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { String form = SendAssertionFormBuilder.buildForm(target.requestedModule(), target.requestedAction(), target.getRequestID(), oaParam, - AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix()); + target.getAuthURL()); MOAReversionLogger.getInstance().logEvent(target.getOnlineApplicationConfiguration(), target, MOAIDEventConstants.AUTHPROCESS_SSO_ASK_USER_START); @@ -450,7 +450,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { authReq.setAssertionConsumerServiceIndex(0); authReq.setIssueInstant(new DateTime()); Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath(); + String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath().get(0); issuer.setValue(serviceURL); issuer.setFormat(NameIDType.ENTITY); @@ -692,7 +692,9 @@ public class AuthenticationManager extends MOAIDAuthConstants { //Build authentication form - String publicURLPreFix = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); + String publicURLPreFix = target.getAuthURL(); + if (publicURLPreFix.endsWith("/")) + publicURLPreFix = publicURLPreFix.substring(0, publicURLPreFix.length() - 1); String loginForm = LoginFormBuilder.buildLoginForm(target.requestedModule(), target.requestedAction(), oaParam, publicURLPreFix, moasession.getSessionID()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java index 6f43b3ee7..4ae271bbc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java @@ -49,5 +49,13 @@ public interface IRequest { public List<Attribute> getRequestedAttributes(); public IOAAuthParameters getOnlineApplicationConfiguration(); + /** + * get the IDP URL PreFix, which was used for authentication request + * + * @return IDP URL PreFix <String>. The URL prefix always ends without / + */ + public String getAuthURL(); + public String getAuthURLWithOutSlash(); + //public void setTarget(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index 26fb7bd29..c9482967f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -23,15 +23,25 @@ package at.gv.egovernment.moa.id.moduls; import java.io.Serializable; +import java.net.MalformedURLException; +import java.net.URL; import java.util.List; +import javax.servlet.http.HttpServletRequest; + import org.opensaml.saml2.core.Attribute; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.ConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.id.util.HTTPUtils; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public abstract class RequestImpl implements IRequest, Serializable{ - + private static final long serialVersionUID = 1L; private String oaURL; @@ -44,12 +54,67 @@ public abstract class RequestImpl implements IRequest, Serializable{ private String requestID; private String sessionIdentifier; private IOAAuthParameters OAConfiguration = null; + private String authURL = null; //MOA-ID interfederation private String requestedIDP = null; private MOAResponse response = null; /** + * @throws ConfigurationException + * + */ + public RequestImpl(HttpServletRequest req) throws ConfigurationException { + String authURLString = HTTPUtils.extractAuthURLFromRequest(req); + URL authURL; + try { + authURL = new URL(authURLString); + + } catch (MalformedURLException e) { + Logger.error("IDP AuthenticationServiceURL Prefix is not a valid URL." + authURLString, e); + throw new ConfigurationException("1299", null, e); + + } + + List<String> configuredPublicURLPrefix = + AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); + + if (MiscUtil.isEmpty(authURLString)) { + Logger.info("AuthenticationServiceURL extraction FAILED. Use default IDP PublicURLPrefix from configuration: " + configuredPublicURLPrefix.get(0)); + this.authURL = configuredPublicURLPrefix.get(0); + + } else { + Logger.debug("Extract AuthenticationServiceURL: " + authURLString); + URL resultURL = null; + + for (String el : configuredPublicURLPrefix) { + try { + URL configuredURL = new URL(el); + if (configuredURL.getHost().equals(authURL.getHost()) && + configuredURL.getPath().equals(authURL.getPath())) { + Logger.debug("Select configurated PublicURLPrefix: " + configuredURL + + " for authURL: " + authURLString); + resultURL = configuredURL; + } + + } catch (MalformedURLException e) { + Logger.error("Configurated IDP PublicURLPrefix is not a valid URL." + el); + + } + } + + if (resultURL == null) { + Logger.warn("Extract AuthenticationServiceURL: " + authURL + " is NOT found in configuration."); + throw new ConfigurationException("config.25", new Object[]{authURLString}); + + } else { + this.authURL = resultURL.toExternalForm(); + + } + } + } + + /** * This method map the protocol specific requested attributes to PVP 2.1 attributes. * * @return List of PVP 2.1 attributes with maps all protocol specific attributes @@ -169,4 +234,27 @@ public abstract class RequestImpl implements IRequest, Serializable{ this.OAConfiguration = oaConfig; } + + /** + * @return the authURL + */ + public String getAuthURL() { + return authURL; + } + + public String getAuthURLWithOutSlash() { + if (authURL.endsWith("/")) + return authURL.substring(0, authURL.length()-1); + else + return authURL; + + } + +// /** +// * @param authURL the authURL to set +// */ +// public void setAuthURL(String authURL) { +// this.authURL = authURL; +// } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index 9f8b6610f..9327cabd7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -102,10 +102,10 @@ public class AttributQueryAction implements IAction { List<String> attrList = addDefaultAttributes(attrQuery, authData); //build PVP 2.1 assertion - Assertion assertion = PVP2AssertionBuilder.buildAssertion(attrQuery, attrList, authData, date, authData.getSessionIndex()); + Assertion assertion = PVP2AssertionBuilder.buildAssertion(req.getAuthURL(), attrQuery, attrList, authData, date, authData.getSessionIndex()); //build PVP 2.1 response - Response authResponse = AuthResponseBuilder.buildResponse(attrQuery, date, assertion); + Response authResponse = AuthResponseBuilder.buildResponse(req.getAuthURL(), attrQuery, date, assertion); try { SoapBinding decoder = new SoapBinding(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index 1b187d82e..50f91df44 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -110,7 +110,7 @@ public class MetadataAction implements IAction { // .setEntityID(PVPConfiguration.getInstance().getIDPSSOMetadataService()); idpEntityDescriptor - .setEntityID(PVPConfiguration.getInstance().getIDPPublicPath()); + .setEntityID(req.getAuthURLWithOutSlash()); idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_HOURS)); @@ -139,10 +139,10 @@ public class MetadataAction implements IAction { idpEntitiesDescriptor.setSignature(signature); //set IDP metadata - idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(keyInfoGenerator)); + idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(req, keyInfoGenerator)); //set SP metadata for interfederation - idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(keyInfoGenerator)); + idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(req, keyInfoGenerator)); DocumentBuilder builder; DocumentBuilderFactory factory = DocumentBuilderFactory @@ -190,7 +190,7 @@ public class MetadataAction implements IAction { return (PVP2XProtocol.METADATA); } - private RoleDescriptor generateSPMetadata(KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException { + private RoleDescriptor generateSPMetadata(IRequest req, KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException { Logger.debug("Set SP Metadata key information"); @@ -248,7 +248,7 @@ public class MetadataAction implements IAction { postassertionConsumerService.setIndex(0); postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); postassertionConsumerService.setLocation(PVPConfiguration - .getInstance().getSPSSOPostService()); + .getInstance().getSPSSOPostService(req.getAuthURL())); postassertionConsumerService.setIsDefault(true); spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService); @@ -257,7 +257,7 @@ public class MetadataAction implements IAction { redirectassertionConsumerService.setIndex(1); redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); redirectassertionConsumerService.setLocation(PVPConfiguration - .getInstance().getSPSSORedirectService()); + .getInstance().getSPSSORedirectService(req.getAuthURL())); spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService); @@ -273,7 +273,7 @@ public class MetadataAction implements IAction { SingleLogoutService redirectSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); redirectSLOService.setLocation(PVPConfiguration - .getInstance().getSPSSORedirectService()); + .getInstance().getSPSSORedirectService(req.getAuthURL())); redirectSLOService .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); spSSODescriptor.getSingleLogoutServices().add(redirectSLOService); @@ -293,7 +293,7 @@ public class MetadataAction implements IAction { return spSSODescriptor; } - private IDPSSODescriptor generateIDPMetadata(KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException { + private IDPSSODescriptor generateIDPMetadata(IRequest req, KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException { // //set SignatureMethode @@ -325,12 +325,12 @@ public class MetadataAction implements IAction { idpSSODescriptor.setWantAuthnRequestsSigned(true); - if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) { + if (PVPConfiguration.getInstance().getIDPSSOPostService(req.getAuthURL()) != null) { //add SSO descriptor SingleSignOnService postSingleSignOnService = SAML2Utils .createSAMLObject(SingleSignOnService.class); postSingleSignOnService.setLocation(PVPConfiguration - .getInstance().getIDPSSOPostService()); + .getInstance().getIDPSSOPostService(req.getAuthURL())); postSingleSignOnService .setBinding(SAMLConstants.SAML2_POST_BINDING_URI); idpSSODescriptor.getSingleSignOnServices().add( @@ -347,12 +347,12 @@ public class MetadataAction implements IAction { } - if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) { + if (PVPConfiguration.getInstance().getIDPSSORedirectService(req.getAuthURL()) != null) { //add SSO descriptor SingleSignOnService redirectSingleSignOnService = SAML2Utils .createSAMLObject(SingleSignOnService.class); redirectSingleSignOnService.setLocation(PVPConfiguration - .getInstance().getIDPSSORedirectService()); + .getInstance().getIDPSSORedirectService(req.getAuthURL())); redirectSingleSignOnService .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); idpSSODescriptor.getSingleSignOnServices().add( @@ -362,7 +362,7 @@ public class MetadataAction implements IAction { SingleLogoutService redirectSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); redirectSLOService.setLocation(PVPConfiguration - .getInstance().getIDPSSORedirectService()); + .getInstance().getIDPSSORedirectService(req.getAuthURL())); redirectSLOService .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 0c7502003..544fd9925 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -98,6 +98,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.util.ErrorResponseUtils; +import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.id.util.VelocityLogAdapter; import at.gv.egovernment.moa.logging.Logger; @@ -210,7 +211,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { if(METADATA.equals(action)) { - return new PVPTargetConfiguration(); + return new PVPTargetConfiguration(request); } @@ -387,7 +388,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { samlResponse.setIssueInstant(new DateTime()); Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); - nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + nissuer.setValue(pvpRequest.getAuthURLWithOutSlash()); nissuer.setFormat(NameID.ENTITY); samlResponse.setIssuer(nissuer); @@ -460,7 +461,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { HttpServletResponse response, InboundMessage inMsg, String sessionId, String transactionId) throws MOAIDException { - PVPTargetConfiguration config = new PVPTargetConfiguration(); + PVPTargetConfiguration config = new PVPTargetConfiguration(request); MOARequest msg; if (inMsg instanceof MOARequest && @@ -496,13 +497,24 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { Logger.debug("PreProcess SLO Response from " + resp.getIssuer()); - if (!resp.getDestination().startsWith( - PVPConfiguration.getInstance().getIDPPublicPath())) { + List<String> allowedPublicURLPrefix = + AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); + boolean isAllowedDestination = false; + + for (String prefix : allowedPublicURLPrefix) { + if (!resp.getDestination().startsWith( + prefix)) { + isAllowedDestination = true; + break; + } + } + + if (!isAllowedDestination) { Logger.warn("PVP 2.1 single logout response destination does not match to IDP URL"); throw new AssertionValidationExeption("PVP 2.1 single logout response destination does not match to IDP URL", null); } - + //TODO: check if relayState exists inMsg.getRelayState(); @@ -533,7 +545,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { //validate destination String destinaten = attrQuery.getDestination(); - if (!PVPConfiguration.getInstance().getIDPAttributeQueryService().equals(destinaten)) { + if (!PVPConfiguration.getInstance().getIDPAttributeQueryService(HTTPUtils.extractAuthURLFromRequest(request)).equals(destinaten)) { Logger.warn("AttributeQuery destination does not match IDP AttributeQueryService URL"); throw new AttributQueryException("AttributeQuery destination does not match IDP AttributeQueryService URL", null); @@ -558,7 +570,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { } - PVPTargetConfiguration config = new PVPTargetConfiguration(); + PVPTargetConfiguration config = new PVPTargetConfiguration(request); config.setRequest(moaRequest); config.setOAURL(moaRequest.getEntityID()); config.setOnlineApplicationConfiguration(oa); @@ -586,7 +598,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { if(!(samlReq instanceof AuthnRequest)) { throw new MOAIDException("Unsupported request", new Object[] {}); } - + EntityDescriptor metadata = moaRequest.getEntityMetadata(); if(metadata == null) { throw new NoMetadataInformationException(); @@ -607,6 +619,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { } + //parse AssertionConsumerService AssertionConsumerService consumerService = null; if (MiscUtil.isNotEmpty(authnRequest.getAssertionConsumerServiceURL()) && @@ -669,7 +682,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { Logger.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + consumerService.getBinding()); - PVPTargetConfiguration config = new PVPTargetConfiguration(); + PVPTargetConfiguration config = new PVPTargetConfiguration(request); config.setOAURL(oaURL); config.setOnlineApplicationConfiguration(oa); config.setBinding(consumerService.getBinding()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index 74b20356e..0b402a0fd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -26,6 +26,8 @@ import java.util.HashMap; import java.util.List; import java.util.Map; +import javax.servlet.http.HttpServletRequest; + import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.impl.AuthnRequestImpl; @@ -46,6 +48,16 @@ import at.gv.egovernment.moa.logging.Logger; public class PVPTargetConfiguration extends RequestImpl { + /** + * @param req + * @throws ConfigurationException + */ + public PVPTargetConfiguration(HttpServletRequest req) + throws ConfigurationException { + super(req); + + } + private static final long serialVersionUID = 4889919265919638188L; InboundMessage request; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 5402e3dce..1e0a9cf32 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -60,6 +60,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -151,11 +152,11 @@ public class PostBinding implements IDecoder, IEncoder { //set metadata descriptor type if (isSPEndPoint) { messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService())); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService(HTTPUtils.extractAuthURLFromRequest(req)))); } else { messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService(HTTPUtils.extractAuthURLFromRequest(req)))); } } catch (ConfigurationException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 81863f48f..0a459a9be 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -60,6 +60,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; +import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -141,11 +142,11 @@ public class RedirectBinding implements IDecoder, IEncoder { //set metadata descriptor type if (isSPEndPoint) { messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService())); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService(HTTPUtils.extractAuthURLFromRequest(req)))); } else { messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService())); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService(HTTPUtils.extractAuthURLFromRequest(req)))); } } catch (ConfigurationException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java index 91888df5c..ebbafd4e3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java @@ -127,7 +127,7 @@ public class AttributQueryBuilder { query.setIssueInstant(now); Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); - nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath().get(0)); nissuer.setFormat(NameID.ENTITY); query.setIssuer(nissuer); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java index 4959df16c..24c2626e3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java @@ -66,13 +66,15 @@ import at.gv.egovernment.moa.logging.Logger; */ public class AuthResponseBuilder { - public static Response buildResponse(RequestAbstractType req, DateTime date, Assertion assertion) throws InvalidAssertionEncryptionException, ConfigurationException { + public static Response buildResponse(String authURL, RequestAbstractType req, DateTime date, Assertion assertion) throws InvalidAssertionEncryptionException, ConfigurationException { Response authResponse = SAML2Utils.createSAMLObject(Response.class); Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); //change to entity value from entity name to IDP EntityID (URL) - nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + if (authURL.endsWith("/")) + authURL = authURL.substring(0, authURL.length()-1); + nissuer.setValue(authURL); nissuer.setFormat(NameID.ENTITY); authResponse.setIssuer(nissuer); authResponse.setInResponseTo(req.getID()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index 50f42d928..df68a1029 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -215,8 +215,8 @@ public class SingleLogOutBuilder { } DateTime now = new DateTime(); - Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); + issuer.setValue(sloInfo.getAuthURL()); issuer.setFormat(NameID.ENTITY); sloReq.setIssuer(issuer); sloReq.setIssueInstant(now); @@ -277,7 +277,7 @@ public class SingleLogOutBuilder { private static LogoutResponse buildBasicResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException { LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class); Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + issuer.setValue(spRequest.getAuthURLWithOutSlash()); issuer.setFormat(NameID.ENTITY); sloResp.setIssuer(issuer); sloResp.setIssueInstant(new DateTime()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index d80ddba25..065118e2b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -90,7 +90,7 @@ import at.gv.egovernment.moa.util.MiscUtil; public class PVP2AssertionBuilder implements PVPConstants { - public static Assertion buildAssertion(AttributeQuery attrQuery, + public static Assertion buildAssertion(String authURL, AttributeQuery attrQuery, List<String> reqAttributes, IAuthData authData, DateTime date, String sessionIndex) throws ConfigurationException { @@ -136,12 +136,12 @@ public class PVP2AssertionBuilder implements PVPConstants { SubjectConfirmationData subjectConfirmationData = null; - return buildGenericAssertion(attrQuery.getIssuer().getValue(), date, + return buildGenericAssertion(authURL, attrQuery.getIssuer().getValue(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, new DateTime(authData.getSsoSessionValidTo().getTime())); } - public static Assertion buildAssertion(AuthnRequest authnRequest, + public static Assertion buildAssertion(String authURL, AuthnRequest authnRequest, IAuthData authData, EntityDescriptor peerEntity, DateTime date, AssertionConsumerService assertionConsumerService, SLOInformationImpl sloInformation) throws MOAIDException { @@ -416,10 +416,25 @@ public class PVP2AssertionBuilder implements PVPConstants { sloInformation.setNameIDFormat(subjectNameID.getFormat()); sloInformation.setSessionIndex(sessionIndex); - return buildGenericAssertion(peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter()); + return buildGenericAssertion(authURL, peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter()); } - public static Assertion buildGenericAssertion(String entityID, DateTime date, + /** + * + * @param authURL IDP PublicURL PreFix + * @param entityID Service Provider EntityID + * @param date + * @param authnContextClassRef + * @param attrList + * @param subjectNameID + * @param subjectConfirmationData + * @param sessionIndex + * @param isValidTo + * @return + * @throws ConfigurationException + */ + + private static Assertion buildGenericAssertion(String authURL, String entityID, DateTime date, AuthnContextClassRef authnContextClassRef, List<Attribute> attrList, NameID subjectNameID, SubjectConfirmationData subjectConfirmationData, String sessionIndex, DateTime isValidTo) throws ConfigurationException { @@ -471,7 +486,9 @@ public class PVP2AssertionBuilder implements PVPConstants { Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + if (authURL.endsWith("/")) + authURL = authURL.substring(0, authURL.length()-1); + issuer.setValue(authURL); issuer.setFormat(NameID.ENTITY); assertion.setIssuer(issuer); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index dc3b787e4..47d7a29b3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -121,43 +121,46 @@ public class PVPConfiguration { } } - public String getIDPPublicPath() throws ConfigurationException { - String publicPath = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); - if(publicPath != null) { - if(publicPath.endsWith("/")) { - int length = publicPath.length(); - publicPath = publicPath.substring(0, length-1); - } + public List<String> getIDPPublicPath() throws ConfigurationException { + List<String> publicPath = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); + List<String> returnvalue = new ArrayList<String>(); + for (String el : publicPath) { + if(el.endsWith("/")) { + int length = el.length(); + returnvalue.add(el.substring(0, length-1)); + + } else + returnvalue.add(el); } - return publicPath; + return returnvalue; } - public String getSPSSOPostService() throws ConfigurationException { - return getIDPPublicPath() + PVP2_SP_POST; + public String getSPSSOPostService(String publicURLPrefix) throws ConfigurationException { + return publicURLPrefix + PVP2_SP_POST; } - public String getSPSSORedirectService() throws ConfigurationException { - return getIDPPublicPath() + PVP2_SP_REDIRECT; + public String getSPSSORedirectService(String publicURLPrefix) throws ConfigurationException { + return publicURLPrefix + PVP2_SP_REDIRECT; } - public String getIDPSSOPostService() throws ConfigurationException { - return getIDPPublicPath() + PVP2_IDP_POST; + public String getIDPSSOPostService(String publicURLPrefix) throws ConfigurationException { + return publicURLPrefix + PVP2_IDP_POST; } - public String getIDPSSORedirectService() throws ConfigurationException { - return getIDPPublicPath() + PVP2_IDP_REDIRECT; + public String getIDPSSORedirectService(String publicURLPrefix) throws ConfigurationException { + return publicURLPrefix + PVP2_IDP_REDIRECT; } - public String getIDPSSOSOAPService() throws ConfigurationException { - return getIDPPublicPath() + PVP2_IDP_SOAP; + public String getIDPSSOSOAPService(String publicURLPrefix) throws ConfigurationException { + return publicURLPrefix + PVP2_IDP_SOAP; } - public String getIDPAttributeQueryService() throws ConfigurationException { - return getIDPPublicPath() + PVP2_IDP_ATTRIBUTEQUERY; + public String getIDPAttributeQueryService(String publicURLPrefix) throws ConfigurationException { + return publicURLPrefix + PVP2_IDP_ATTRIBUTEQUERY; } - public String getIDPSSOMetadataService() throws ConfigurationException { - return getIDPPublicPath() + PVP2_METADATA; + public String getIDPSSOMetadataService(String publicURLPrefix) throws ConfigurationException { + return publicURLPrefix + PVP2_METADATA; } public String getIDPKeyStoreFilename() { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index a31258784..059e68865 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -82,10 +82,10 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { SLOInformationImpl sloInformation = new SLOInformationImpl(); //build Assertion - Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authData, + Assertion assertion = PVP2AssertionBuilder.buildAssertion(obj.getAuthURL(), authnRequest, authData, peerEntity, date, consumerService, sloInformation); - Response authResponse = AuthResponseBuilder.buildResponse(authnRequest, date, assertion); + Response authResponse = AuthResponseBuilder.buildResponse(obj.getAuthURL(), authnRequest, date, assertion); IEncoder binding = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index 70b778c49..2e5f78611 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -61,6 +61,7 @@ import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException; @@ -175,10 +176,20 @@ public class SAMLVerificationEngine { if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>(); - if (validateDestination && !samlResp.getDestination().startsWith( - PVPConfiguration.getInstance().getIDPPublicPath())) { + List<String> allowedPublicURLPrefix = + AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); + boolean isValidDestination = false; + for (String allowedPreFix : allowedPublicURLPrefix) { + if (validateDestination && samlResp.getDestination().startsWith( + allowedPreFix)) { + isValidDestination = true; + break; + + } + } + if (!isValidDestination) { Logger.warn("PVP 2.1 assertion destination does not match to IDP URL"); - throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null); + throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index d1582b883..9dee39fe8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -377,7 +377,7 @@ public class AuthenticationSessionStoreage { } public static void addSSOInformation(String moaSessionID, String SSOSessionID, - SLOInformationInterface SLOInfo, String OAUrl) throws AuthenticationException { + SLOInformationInterface SLOInfo, IRequest protocolRequest) throws AuthenticationException { AuthenticatedSessionStore dbsession; Transaction tx = null; @@ -412,7 +412,7 @@ public class AuthenticationSessionStoreage { //check if OA already has an active OA session if (dbsession.getActiveOAsessions() != null) { for (OASessionStore el : dbsession.getActiveOAsessions()) { - if (el.getOaurlprefix().equals(OAUrl)) + if (el.getOaurlprefix().equals(protocolRequest.getOAURL())) activeOA = el; } } @@ -421,7 +421,7 @@ public class AuthenticationSessionStoreage { activeOA = new OASessionStore(); //set active OA applications - activeOA.setOaurlprefix(OAUrl); + activeOA.setOaurlprefix(protocolRequest.getOAURL()); activeOA.setMoasession(dbsession); activeOA.setCreated(new Date()); @@ -432,6 +432,7 @@ public class AuthenticationSessionStoreage { activeOA.setUserNameIDFormat(SLOInfo.getUserNameIDFormat()); activeOA.setProtocolType(SLOInfo.getProtocolType()); activeOA.setAttributeQueryUsed(false); + activeOA.setAuthURL(protocolRequest.getAuthURL()); } @@ -463,10 +464,10 @@ public class AuthenticationSessionStoreage { tx.commit(); if (SLOInfo != null) - Logger.info("Add SSO-Session login information for OA: " + OAUrl + Logger.info("Add SSO-Session login information for OA: " + protocolRequest.getOAURL() + " and AssertionID: " + SLOInfo.getSessionIndex()); else - Logger.info("Add SSO-Session login information for OA: " + OAUrl); + Logger.info("Add SSO-Session login information for OA: " + protocolRequest.getOAURL()); } @@ -887,6 +888,7 @@ public class AuthenticationSessionStoreage { idp = new InterfederationSessionStore(); idp.setCreated(now); idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID()); + idp.setAuthURL(req.getAuthURL()); try { OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance(). diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java index 1f08d9019..2aceb833c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java @@ -156,5 +156,21 @@ public class HTTPUtils { return buffer.toString(); } + + /** + * Extract the IDP PublicURLPrefix from authrequest + * + * @param req HttpServletRequest + * @return PublicURLPrefix <String> which ends always without / + */ + public static String extractAuthURLFromRequest(HttpServletRequest req) { + String authURL = req.getScheme() + "://" + req.getServerName(); + if ((req.getScheme().equalsIgnoreCase("https") && req.getServerPort()!=443) || (req.getScheme().equalsIgnoreCase("http") && req.getServerPort()!=80)) { + authURL = authURL.concat(":" + req.getServerPort()); + } + authURL = authURL.concat(req.getContextPath()); + return authURL; + + } } diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index ac5a5be60..ceb701814 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -79,6 +79,7 @@ config.21=F\u00FCr diese Online Applikation sind keine Vollmachtsprofile hinterl config.22=F\u00FCr den Interfederation-Gateway mit der ID {0} ist kein Endpunkt zur Weiterleitung konfiguriert.
config.23=Fehler beim initialisieren von OpenSAML
config.24=MOA-ID-Auth Configfile {1} does not start with {0} prefix.
+config.25=Der verwendete IDP PublicURLPrefix {0} ist nicht erlaubt.
parser.00=Leichter Fehler beim Parsen: {0}
parser.01=Fehler beim Parsen: {0}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index fa332f0c7..342d54f7f 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -58,6 +58,7 @@ config.21=9006 config.22=9008 config.23=9199 config.24=9199 +config.25=9199 parser.00=1101 parser.01=1101 |