aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2014-05-05 08:01:58 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-05-05 08:01:58 +0200
commitead506b950a862750ff361262dca82d96cdaea47 (patch)
treed52fe9ac1300d199ad79d92e0ab1c5c9d20ab3cb /id/server/idserverlib/src
parent79bcdeaa7bec0a6de4e40a7c2f1e9f81be7612aa (diff)
downloadmoa-id-spss-ead506b950a862750ff361262dca82d96cdaea47.tar.gz
moa-id-spss-ead506b950a862750ff361262dca82d96cdaea47.tar.bz2
moa-id-spss-ead506b950a862750ff361262dca82d96cdaea47.zip
add chainging filter to MOAMetadataProvider
Diffstat (limited to 'id/server/idserverlib/src')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java33
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java76
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java82
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java (renamed from id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java)7
5 files changed, 190 insertions, 14 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 63b91f6d2..fe2117b9c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -492,11 +492,7 @@ public String getIDPAttributQueryServiceURL() {
}
public boolean isIDPPublicService() {
- if (inderfederatedIDP != null)
- return inderfederatedIDP.isPublicService();
-
- else
- return false;
+ return !getBusinessService();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index f2e3e7cb1..aa61172d1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -22,6 +22,7 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.metadata;
+import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
@@ -48,7 +49,9 @@ import org.opensaml.xml.parse.BasicParserPool;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.MetadataSignatureFilter;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataSignatureFilter;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -156,11 +159,14 @@ public class MOAMetadataProvider implements MetadataProvider {
} else if ( MiscUtil.isNotEmpty(metadataurl) &&
!providersinuse.containsKey(metadataurl) ) {
//PVP2 OA is new, add it to MOAMetadataProvider
+
Logger.info("Loading metadata for: " + oa.getFriendlyName());
httpProvider = createNewHTTPMetaDataProvider(
pvp2Config.getMetadataURL(),
pvp2Config.getCertificate(),
- oa.getFriendlyName());
+ oa.getFriendlyName(),
+ buildMetadataFilterChain(oa, pvp2Config.getMetadataURL(),
+ pvp2Config.getCertificate()));
if (httpProvider != null)
providersinuse.put(metadataurl, httpProvider);
@@ -266,7 +272,9 @@ public class MOAMetadataProvider implements MetadataProvider {
httpProvider = createNewHTTPMetaDataProvider(
metadataURL,
pvp2Config.getCertificate(),
- oa.getFriendlyName());
+ oa.getFriendlyName(),
+ buildMetadataFilterChain(oa, metadataURL,
+ pvp2Config.getCertificate()));
if (httpProvider != null)
providersinuse.put(metadataURL, httpProvider);
@@ -305,7 +313,19 @@ public class MOAMetadataProvider implements MetadataProvider {
timestamp = new Date();
}
- private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName) {
+ private MetadataFilterChain buildMetadataFilterChain(OnlineApplication oa, String metadataURL, byte[] certificate) throws CertificateException {
+ MetadataFilterChain filterChain = new MetadataFilterChain(metadataURL, certificate);
+
+ if (oa.isIsInterfederationIDP() != null && oa.isIsInterfederationIDP()) {
+ Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies");
+ filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oa.getType()));
+
+ }
+
+ return filterChain;
+ }
+
+ private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName, MetadataFilterChain filter) {
HTTPMetadataProvider httpProvider = null;
Timer timer= null;
@@ -321,8 +341,9 @@ public class MOAMetadataProvider implements MetadataProvider {
// TODO: use proper SSL checking
- MetadataFilter filter = new MetadataSignatureFilter(
- metadataURL, certificate);
+ if (filter == null) {
+ filter = new MetadataFilterChain(metadataURL, certificate);
+ }
httpProvider.setMetadataFilter(filter);
httpProvider.initialize();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java
new file mode 100644
index 000000000..3d608fd6d
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
+
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.xml.XMLObject;
+
+import at.gv.egovernment.moa.id.commons.db.dao.config.InterfederationIDPType;
+import at.gv.egovernment.moa.id.commons.validation.ValidationHelper;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class InterfederatedIDPPublicServiceFilter implements MetadataFilter {
+
+ private String metadataURL;
+ private boolean isPublicService = false;
+
+ /**
+ *
+ */
+ public InterfederatedIDPPublicServiceFilter(String metadataURL, String oaType) {
+ Logger.debug("Add " + this.getClass().getName() + " to metadata policy");
+ this.metadataURL = metadataURL;
+
+ if (oaType.equals("businessService"))
+ this.isPublicService = false;
+ else
+ this.isPublicService = true;
+ }
+
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject)
+ */
+ @Override
+ public void doFilter(XMLObject arg0) throws FilterException {
+
+ boolean metadatacheck = ValidationHelper.isPublicServiceAllowed(this.metadataURL);
+
+ if (isPublicService && isPublicService != metadatacheck) {
+ Logger.warn("Interfederated IDP " + metadataURL + " is configured " +
+ "as Public-Servic IDP but PublicService policy check FAILED.");
+ throw new FilterException("Interfederated IDP " + metadataURL + " is configured " +
+ "as Public-Servic IDP but PublicService policy check FAILED.");
+
+ }
+
+ Logger.info("Metadata PublicService policy check done OK");
+
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java
new file mode 100644
index 000000000..4e1d939ff
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
+
+import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.xml.XMLObject;
+
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MetadataFilterChain implements MetadataFilter {
+
+ private List<MetadataFilter> filters = new ArrayList<MetadataFilter>();
+
+ /**
+ * @throws CertificateException
+ *
+ */
+ public MetadataFilterChain(String url, byte[] certificate) throws CertificateException {
+ addDefaultFilters(url, certificate);
+ }
+
+ public void addDefaultFilters(String url, byte[] certificate) throws CertificateException {
+ filters.add(new MetadataSignatureFilter(url, certificate));
+
+ }
+
+ /**
+ * @return the filter
+ */
+ public List<MetadataFilter> getFilters() {
+ return filters;
+ }
+
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject)
+ */
+ @Override
+ public void doFilter(XMLObject arg0) throws FilterException {
+ for (MetadataFilter filter : filters) {
+ Logger.trace("Use MOAMetadatafilter " + filter.getClass().getName());
+ filter.doFilter(arg0);
+ }
+
+ }
+
+
+
+
+
+
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
index ed0cf9c62..0405fa114 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
@@ -20,7 +20,7 @@
* The "NOTICE" text file is part of the distribution. Any derivative works
* that you distribute must include a readable copy of the "NOTICE" text file.
*******************************************************************************/
-package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
import iaik.x509.X509Certificate;
@@ -39,6 +39,7 @@ import org.opensaml.xml.security.x509.BasicX509Credential;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier;
import at.gv.egovernment.moa.logging.Logger;
public class MetadataSignatureFilter implements MetadataFilter {
@@ -151,9 +152,9 @@ public class MetadataSignatureFilter implements MetadataFilter {
ConfigurationDBUtils.closeSession();
- Logger.info("Metadata Filter done OK");
+ Logger.info("Metadata signature policy check done OK");
} catch (MOAIDException e) {
- e.printStackTrace();
+ Logger.warn("Metadata signature policy check FAILED.", e);
throw new FilterException(e);
}
}