| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2018-05-16 09:29:09 +0200 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2018-05-16 09:29:09 +0200 | 
| commit | c61850c5607d066a3c322794c1220f26b31103a0 (patch) | |
| tree | 8e91dbb441f5af6879c4314b38159b7ed9b4add4 /id/server/idserverlib/src | |
| parent | 44bce0049b598604cc1a30f419e936c6b5fc59cf (diff) | |
add initial version of Security-Layer 2.0 Authentication module
Diffstat (limited to 'id/server/idserverlib/src')
7 files changed, 86 insertions, 4 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
index c78361eda..583bb2ab4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
@@ -84,7 +84,9 @@ public class DataURLBuilder {
 		dataURL = authBaseURL + authServletName;
-    dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, sessionID);
+		if (sessionID != null)
+			dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, sessionID);
+		
   	return dataURL;
   }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index f61b9a4da..50cafb4f6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -134,7 +134,12 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 		try {			
 			//switch to protocol-finalize method to generate a protocol-specific error message
-							
+
+			//log error directly in debug mode
+			if (Logger.isDebugEnabled())
+				Logger.warn(loggedException.getMessage(), loggedException);
+				
+			
 			//put exception into transaction store for redirect
 			String key = Random.nextLongRandom();
 			if (pendingReq != null) {
@@ -147,7 +152,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 						new ExceptionContainer(null, loggedException),-1);
 			}
-				
+			
 			//build up redirect URL
 			String redirectURL = null;
 			redirectURL = ServletUtils.getBaseUrl(req);	 
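Review bot: The new `if (sessionID != null)` guard in the DataURLBuilder hunk silently omits the `PARAM_TARGET_PENDINGREQUESTID` parameter instead of surfacing a missing id, so a caller that relies on the data URL carrying a pending-request id gets a URL without it and nothing tells it so; the method's Javadoc (the method starts outside the hunk) should state that a null sessionID is accepted and produces a URL without that parameter, and callers that need it must check before using the URL. The unbraced body followed by a whitespace-only added line also reads awkwardly next to the braced style of the rest of the file; `if (sessionID != null) {` ... `}` is the safer form if a second statement is ever added.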
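Review bot: In the first AbstractController hunk the new log call is gated on `Logger.isDebugEnabled()` but emitted with `Logger.warn(...)`, so the same exception appears at WARN only when debug logging is on, which confuses anyone filtering by level; either `Logger.debug(loggedException.getMessage(), loggedException);` to match the guard, or drop the guard if a warn record with the stack trace is wanted in every deployment. The preceding comment `//switch to protocol-finalize method to generate a protocol-specific error message` now sits directly above the logging block and no longer describes the code below it; moving it above `//put exception into transaction store for redirect`, where the redirect is actually prepared, keeps it accurate. The second hunk is whitespace only. The enclosing try block starts and ends outside the hunk.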
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
index 32f103ca7..18641c090 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
@@ -55,7 +55,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont
 			// wake up next task
  			processEngine.signal(pendingReq);
 -		} catch (Exception ex) {
 +		} catch (Exception ex) {		
  			handleError(null, ex, req, resp, pendingReq);
  		} finally {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 7f183c5eb..a24683545 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -92,6 +92,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
 public class AuthenticationManager extends MOAIDAuthConstants {
 	private static List<String> reqParameterWhiteListeForModules = new ArrayList<String>();
+	private static List<String> reqHeaderWhiteListeForModules = new ArrayList<String>();
 	public static final String MOA_SESSION = "MoaAuthenticationSession";
 	public static final String MOA_AUTHENTICATED = "MoaAuthenticated";
@@ -321,6 +322,16 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 	}
+	/**
+	 * Add a request header to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext} 
+	 * 
+	 * @param httpReqParam http header name, but never null
+	 */
+	public void addHeaderNameToWhiteList(String httpReqParam) {
+		if (MiscUtil.isNotEmpty(httpReqParam))
+			reqHeaderWhiteListeForModules.add(httpReqParam.toLowerCase());
+		
+	}
 	/**
 	 * Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated 
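Review bot: `addHeaderNameToWhiteList` in the second hunk appends to the static `reqHeaderWhiteListeForModules` list without checking for duplicates, so a header registered twice (by one module on re-initialisation, or by two modules) is stored twice and every later `contains` lookup scans the longer list; `if (MiscUtil.isNotEmpty(httpReqParam) && !reqHeaderWhiteListeForModules.contains(httpReqParam.toLowerCase()))` keeps the list a set in practice. The Javadoc promises an argument that is "never null" while the body deliberately tolerates null and empty names, and it talks about "parameters" although the method whitelists headers; it should describe the real contract, i.e. that null or empty names are ignored and names are matched case-insensitively. Whether registration only happens during module start-up, so that the unsynchronized static list is never mutated while requests are being processed, is not visible here and is worth stating on the field added in the first hunk.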
@@ -422,6 +433,18 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 			}			
 		}
+		//add additional http request parameter to context
+		if (!reqHeaderWhiteListeForModules.isEmpty()) {
+			Enumeration<String> reqHeaderNames = httpReq.getHeaderNames();
+			while(reqHeaderNames.hasMoreElements()) { 
+				String paramName = reqHeaderNames.nextElement();
+				if (MiscUtil.isNotEmpty(paramName) && reqHeaderWhiteListeForModules.contains(paramName.toLowerCase()) ) {
+					executionContext.put(paramName, 
+							StringEscapeUtils.escapeHtml(httpReq.getHeader(paramName)));				
+				}
+			}			
+		}
+		
 		//start process engine
 		startProcessEngine(pendingReq, executionContext);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
index cd700c74a..611dff3b1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java 
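Review bot: The whitelist match is case-insensitive (`reqHeaderWhiteListeForModules.contains(paramName.toLowerCase())`) but the value is stored under the client's spelling in `executionContext.put(paramName, ...)`, so a module that registered a lower-case name and reads the context by that key misses the value whenever the client sends the header in a different case, and two spellings of one header can yield two context entries; `executionContext.put(paramName.toLowerCase(), ...)` keeps producer and consumer in agreement, assuming modules look the context up by the name they registered (not visible here). `httpReq.getHeader(paramName)` returns only the first value of a repeated header, which should be stated in the comment so that consumers do not expect a combined value. `StringEscapeUtils.escapeHtml` entity-encodes the header at storage time, which is appropriate if the value is only ever rendered into HTML but corrupts a value a module wants to parse as-is; the comment should say which of the two is the contract. The comment `//add additional http request parameter to context` describes headers, not parameters. The enclosing method starts and ends outside the hunk.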
@@ -89,6 +89,43 @@ public class SSLUtils {
   }
+  public static SSLSocketFactory getSSLSocketFactory(
+		    ConfigurationProvider conf, String url )
+		    throws IOException, GeneralSecurityException, ConfigurationException, PKIException {
+		    
+			    // else create new SSLSocketFactory
+			    String trustStoreURL = conf.getTrustedCACertificates();
+			    
+			    if (trustStoreURL == null)
+			      throw new ConfigurationException(
+			        "config.08", new Object[] {"TrustedCACertificates"});
+			    
+			    String acceptedServerCertURL = "";
+		 	    
+		   	   //INFO: MOA-ID 2.x always use defaultChainingMode 
+			    
+			    try {	    
+			    	SSLSocketFactory ssf = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
+			    					url,
+			    					null,
+			    					trustStoreURL, 
+			    					acceptedServerCertURL, 
+			    					AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(), 
+			    					AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(),
+			    					AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder(),
+			    					null, 
+			    					null, 
+			    					"pkcs12");
+			    		    	
+			    	return ssf;
+			    	
+			    } catch (SSLConfigurationException e) {
+			    	throw new ConfigurationException(e.getErrorID(), e.getParameters(), e.getE());
+			    	
+			    }
+		  }
+  
+  
   /**
    * Creates an <code>SSLSocketFactory</code> which utilizes an
    * <code>IAIKX509TrustManager</code> for the given trust store,
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 4205f2175..9cc4b0b5e 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties 
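Review bot: The new public `getSSLSocketFactory(ConfigurationProvider conf, String url)` has no Javadoc, and its first comment `// else create new SSLSocketFactory` refers to a branch that does not exist in this method, so a reader cannot tell from the code which configuration actually governs the factory. That is the point worth documenting: only the trust store (`conf.getTrustedCACertificates()`) comes from the `conf` argument, while chaining mode, revocation checking and revocation method order are read from `AuthConfigurationProviderFactory.getInstance()`, so a caller passing a different ConfigurationProvider gets a factory that is only partly configured from it; a Javadoc header stating that the factory trusts the CA certificates from conf and takes chaining and revocation settings from the global provider, plus the `@throws` list, would make this explicit and the stale comment can go. `acceptedServerCertURL` is fixed to the empty string and both key-store arguments to null; whether the delegate treats an empty string like null (no accepted-server-certificate restriction) is not visible here and should be stated next to the variable, or the literal replaced by a named constant.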
@@ -336,3 +336,12 @@ slo.02=Es wurde keine aktive SSO Session gefunden oder Sie sind bei keiner Onlin
 process.01=Fehler beim Ausf\u00FChren des Prozesses.
  process.02=Fehler beim Erstellen eines geeigneten Prozesses f\u00FCr die SessionID {0}.
  process.03=Fehler beim Weiterf\u00FChren es Prozesses. Msg:{0}
 +
 +sl20.00=Allgemeiner Fehler w\u00e4hrend SL2.0 Authentifizierung. Msg: {0}
 +sl20.01=Fehler beim Generieren des SL2.0 Kommandos. Msg: {0}
 +sl20.02=Fehler beim Parsen des SL2.0 Kommandos. Msg: {0}
 +sl20.03=Fehlende Konfiguration im SL2.0 Modul. Msg: {0}
 +sl20.04=Http request enth\u00e4lt keinen SL2.0 Transportcontainer.
 +sl20.05=Fehler beim Validieren eines JWS oder JWE Tokens. Reason: {0}.
 +sl20.06=Http transport-binding error. Reason: {0} 
 +
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index 0a37fdc91..6de581cae 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -253,6 +253,12 @@ oauth20.06=1000
 oauth20.09=9005
 oauth20.10=9102
+sl20.00=14999
+sl20.01=14000
+sl20.02=14001
+sl20.03=14800
+sl20.04=14001
+
 ##Map MIS/BKU statuscodes to MOA-ID-Auth statuscodes
 mis.301=1005
 bku.6001=1005
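Review bot: The new status-code mapping covers `sl20.00` to `sl20.04` only, while the message file changed in the same commit also defines `sl20.05` and `sl20.06`; unless a lookup of an unmapped key falls back to a default code (not visible here), errors raised with those two ids are reported without a status code. `sl20.02` and `sl20.04` both map to `14001`, which may be intended (parse error and missing transport container reported alike) but is easy to mistake for a copy-paste slip; a short comment above the block, e.g. `# sl20.02 and sl20.04 deliberately share 14001`, would settle it for the next reader.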
\ No newline at end of file | 
