| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-01-27 06:37:32 +0100 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-01-27 06:37:32 +0100 | 
| commit | 86cbb2b42468b71cc9c04785d075260cf80fbb9f (patch) | |
| tree | 5be3fd3ed75d7866549bb64ba3091633f95652d2 /id/server/idserverlib/src | |
| parent | 73edf1fc83172503cc7560fbe334d305c440273d (diff) | |
| parent | 9119e437168592b1bc49a434b59c13a88fc0b2ae (diff) | |
Merge branch 'moa-id-3.0.0-snapshot' into moa-id-3.2_(OPB)
Diffstat (limited to 'id/server/idserverlib/src')
5 files changed, 37 insertions, 8 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java
index 38135b028..9812f346d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java
@@ -65,7 +65,7 @@ public class AuthConfigurationProviderFactory {
 	    	instance = new PropertyBasedAuthConfigurationProvider(fileURI);
 	    } catch (URISyntaxException e){
-	    	Logger.error("MOA-ID-Auth configuration file does not starts with file:/ as prefix.");
+	    	Logger.error("MOA-ID-Auth configuration file does not starts with file:/ as prefix.", e);
 	    	throw new ConfigurationException("config24", new Object[]{MOAIDAuthConstants.FILE_URI_PREFIX, fileName});
 	    }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 6ed3f0eb5..ee5685e5f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -623,10 +623,25 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {
 		AssertionConsumerService consumerService = null;
 		if (MiscUtil.isNotEmpty(authnRequest.getAssertionConsumerServiceURL()) && 
 				MiscUtil.isNotEmpty(authnRequest.getProtocolBinding())) {
-			//use AssertionConsumerServiceURL from request 
-			consumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class);
-			consumerService.setBinding(authnRequest.getProtocolBinding());
-			consumerService.setLocation(authnRequest.getAssertionConsumerServiceURL());
+			//use AssertionConsumerServiceURL from request
+
+			//check requested AssertionConsumingService URL against metadata
+			List<AssertionConsumerService> metadataAssertionServiceList = spSSODescriptor.getAssertionConsumerServices();
+			for (AssertionConsumerService service : metadataAssertionServiceList) {
+				if (authnRequest.getProtocolBinding().equals(service.getBinding())
+						&& authnRequest.getAssertionConsumerServiceURL().equals(service.getLocation())) {
+					consumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class);
+					consumerService.setBinding(authnRequest.getProtocolBinding());
+					consumerService.setLocation(authnRequest.getAssertionConsumerServiceURL());					
+					Logger.debug("Requested AssertionConsumerServiceURL is valid.");
+				}				
+			}
+			
+			if (consumerService == null) {				
+				throw new InvalidAssertionConsumerServiceException(authnRequest.getAssertionConsumerServiceURL());
+				
+			}
+
 		} else {
 			//use AssertionConsumerServiceIndex and select consumerService from metadata 
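Review bot: The match loop keeps iterating after a hit, so a descriptor that lists the same binding/location pair twice rebuilds `consumerService` and logs "is valid" twice; add `break;` right after the `Logger.debug` line inside the `if`. The check itself is an exact `String.equals` on both binding and location, which is the right rule here (any normalisation, case-folding or prefix match would accept a requested URL that is not in the SP's metadata), but that intent is not recorded; a comment above the `for` such as `// exact match against the SP metadata is deliberate: the request URL is supplied by the peer, the metadata is the trusted source` would stop a later refactor from relaxing it. `spSSODescriptor` is assigned outside the hunk, and the enclosing method starts and ends outside it.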
@@ -645,9 +660,10 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {
 			if (consumerService == null) {			
 				throw new InvalidAssertionConsumerServiceException(aIdx);
-			}
+			}			
 		}
+		
 		//select AttributeConsumingService from request
 		AttributeConsumingService attributeConsumer = null;		
 		Integer aIdx = authnRequest.getAttributeConsumingServiceIndex();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java
index 94a4e8226..392569366 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java
@@ -34,6 +34,15 @@ public class InvalidAssertionConsumerServiceException extends PVP2Exception {
 	/**
 	 * 
 	 */
+	public InvalidAssertionConsumerServiceException(String wrongURL) {
+		super("pvp2.23", new Object[]{wrongURL});
+		this.statusCodeValue = StatusCode.REQUESTER_URI;
+		
+	}
+
+	/**
+	 * 
+	 */
 	private static final long serialVersionUID = 7861790149343943091L;
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java
index 31e960d59..f62410656 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java
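Review bot: The new `InvalidAssertionConsumerServiceException(String wrongURL)` constructor is placed under an existing empty `/** */` block and adds a second empty one above `serialVersionUID`, so neither the constructor nor the field is documented; fill the first with a one-line summary plus `@param wrongURL the AssertionConsumerServiceURL taken from the request that matched no entry in the SP metadata` and drop the empty block over the field. `wrongURL` is request-supplied and becomes the `{0}` argument of message `pvp2.23`; if that text is rendered into an HTML or redirect response anywhere, the renderer has to escape it, which cannot be confirmed from this hunk and is worth checking. The preceding PVP2XProtocol hunk is whitespace only.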
@@ -92,7 +92,7 @@ public abstract class AbstractRequestSignedSecurityPolicyRule implements Securit
 				throw e;
 			}			
-			Logger.debug("PVP2X message validation FAILED. Relead metadata for entityID: " + context.getInboundMessageIssuer());
+			Logger.debug("PVP2X message validation FAILED. Reload metadata for entityID: " + context.getInboundMessageIssuer());
 			if (!refreshMetadataProvider(context.getInboundMessageIssuer()))
 				throw e;
@@ -139,8 +139,10 @@ public abstract class AbstractRequestSignedSecurityPolicyRule implements Securit
 					throw new SecurityPolicyException("Signature validation FAILED.");
 				}
+				Logger.debug("PVP AuthnRequest signature valid.");
+				
 			} catch (org.opensaml.xml.security.SecurityException e) {
-				Logger.warn("PVP2x message signature validation FAILED.", e);
+				Logger.info("PVP2x message signature validation FAILED. Message:" + e.getMessage());
 				throw new SecurityPolicyException("Signature validation FAILED.");
 			}
@@ -149,6 +151,7 @@ public abstract class AbstractRequestSignedSecurityPolicyRule implements Securit
 			throw new SecurityPolicyException("Request is not signed.");
 		}
+				
 	}
 	private void performSchemaValidation(Element source) throws SchemaValidationException {
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index ceb701814..cabf1557e 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -266,6 +266,7 @@ pvp2.19=Der Single LogOut Vorgang musste wegen eines unkorregierbaren Fehler abg
 pvp2.20=F\u00FCr die im Request angegebene EntityID konnten keine g\u00FCltigen Metadaten gefunden werden.
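Review bot: In the `@@ -139` hunk the failed-signature branch goes from `Logger.warn("...", e)` to `Logger.info("... Message:" + e.getMessage())`, which lowers the level of a security-relevant event and throws away the exception's cause chain and stack trace; a rejected signature on an inbound PVP message is exactly what operators alert on, so keep the level and the throwable: `Logger.warn("PVP2x message signature validation FAILED. Message:" + e.getMessage(), e);`. If the goal was to keep routine failures from flooding the log with traces, log the trace at debug and keep a single warn line that names the issuer (the `@@ -92` hunk already uses `context.getInboundMessageIssuer()` for that, if `context` is in scope here). The `@@ -92` hunk itself only fixes a typo and the `@@ -149` hunk is whitespace; the enclosing validation method starts outside all three.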
  pvp2.21=Die Signature des Requests konnte nicht g\u00FCltig validiert werden.  
  pvp2.22=Der Request konnte nicht g\u00FCltig validiert werden (Fehler\={0}).
 +pvp2.23={0} ist keine gueltige AssertionConsumerServiceURL oder entspricht nicht den Metadaten.
  oauth20.01=Fehlerhafte redirect url
  oauth20.02=Fehlender oder ung\u00FCltiger Parameter "{0}"
