author | kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d> | 2011-10-06 19:15:53 +0000 |
---|---|---|
committer | kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d> | 2011-10-06 19:15:53 +0000 |
commit | 77c3560745fcba9e3975472dd77cb928924fb35f (patch) | |
tree | ee75d828e3eccf084c9518ed97055dca9ee86e44 /id/server/idserverlib | |
parent | ddd1125b3d9570dec334bd2965ec5a9387585906 (diff) | |
MOA-ID:
- Fixed Bug #556 (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=556&group_id=6&atid=105)
- Update Einbindung Online-Vollmachten (Vor Auswahl der Vollmacht werden die Signaturdaten signiert)
- Update Transformationen (für Online-Vollmachten)
- Änderung der Konfiguration für Online-Vollmachten (keine Templates mehr für Online-Vollmachten; Attribute provideMandatorDate in OA-Konfiguration)
- sampleTemplates in Standard-Konfiguration gelöscht
- Update der Standard-Konfigurationen
MOA-SPSS:
- Library aktualisiert: Axis - Version 1.0_IAIK (gepatchte Variante von Axis 1.0 zur Vermeidung von XXE Attacken)
- axis-1.0_IAIK.jar zu repository hinzugefügt
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1217 d688527b-c9ab-4aba-bd8d-4036d912da1d
Diffstat (limited to 'id/server/idserverlib')
12 files changed, 670 insertions, 371 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 94fd4f28e..9e15e04dd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -550,7 +550,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { // now validate the extended infoboxes verifyInfoboxes(session, infoboxReadResponseParameters, !oaParam.getProvideStammzahl()); - return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam, false); + return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam); } @@ -571,7 +571,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * the BKU including the <code><InfoboxReadResponse></code> * @return String representation of the <code><CreateXMLSignatureRequest></code> */ - public String verifyMandate(String sessionID, MISMandate mandate) + public void verifyMandate(String sessionID, MISMandate mandate) throws AuthenticationException, BuildException, 
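Review bot: The Javadoc kept as context above `verifyMandate` still ends with `@return String representation of the <code><CreateXMLSignatureRequest></code>`, but the new signature is `public void verifyMandate(String sessionID, MISMandate mandate)`. Drop the `@return` line and reword the summary to say what the method now does, for example `Stores the mandate's extended SAML attributes in the session when the online application requests full mandator data.` The method body lies outside this hunk and is changed in the next one.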
@@ -591,28 +591,25 @@ public class AuthenticationServer implements MOAIDAuthConstants { AuthenticationSession session = getSession(sessionID); - AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance(); - - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( session.getPublicOAURLPrefix()); - try { - // set extended SAML attributes - setExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService()); - } catch (SAXException e) { - throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); - } catch (IOException e) { - throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); - } catch (ParserConfigurationException e) { - throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); - } catch (TransformerException e) { - throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); + if (oaParam.getProvideFullMandatorData()) { + try { + // set extended SAML attributes if provideMandatorData is true + setExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService()); + } catch (SAXException e) { + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); + } catch (IOException e) { + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); + } catch (ParserConfigurationException e) { + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); + } catch (TransformerException e) { + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); + } } - - - return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam, true); + } /** 
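Review bot: On the new side `verifyMandate` does nothing with its `mandate` argument when `oaParam.getProvideFullMandatorData()` is false; the only statements left on that path are the session and `oaParam` lookups, and the method returns void. Nothing in this hunk checks the mandate itself, so the name promises a verification that the visible code does not perform. A method comment should state where the MIS mandate is validated and bound to the session (presumably in the caller or in the later mandate step; neither is visible here). The beginning of the method lies outside the hunk.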
@@ -625,7 +622,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * @throws BuildException * @throws ValidateException */ - public String getCreateXMLSignatureRequestAuthBlockOrRedirect(AuthenticationSession session, AuthConfigurationProvider authConf, OAAuthParameter oaParam, boolean fromMandate) + public String getCreateXMLSignatureRequestAuthBlockOrRedirect(AuthenticationSession session, AuthConfigurationProvider authConf, OAAuthParameter oaParam) throws ConfigurationException, BuildException, @@ -638,7 +635,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (oaParam==null) oaParam = AuthConfigurationProvider.getInstance(). getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - if (!fromMandate) { +// if (!fromMandate) { //BZ.., calculate bPK for signing to be already present in AuthBlock IdentityLink identityLink = session.getIdentityLink(); if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { @@ -649,11 +646,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { identityLink.setIdentificationValue(bpkBase64); } //..BZ - } +// } // builds the AUTH-block - String authBlock = buildAuthenticationBlock(session, fromMandate); + String authBlock = buildAuthenticationBlock(session); // session.setAuthBlock(authBlock); // builds the <CreateXMLSignatureRequest> @@ -837,7 +834,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * @throws BuildException If an error occurs on serializing an extended SAML attribute * to be appended to the AUTH-Block. */ - private String buildAuthenticationBlock(AuthenticationSession session, boolean fromMandate) throws BuildException { + private String buildAuthenticationBlock(AuthenticationSession session) throws BuildException { IdentityLink identityLink = session.getIdentityLink(); String issuer = identityLink.getName(); String gebDat = identityLink.getDateOfBirth(); 
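Review bot: The hunks at -638 and -649 disable the `fromMandate` guard by commenting out `// if (!fromMandate) {` and its closing `// }` instead of deleting them, which leaves dead lines around the bPK calculation. Delete both lines. The same applies to the commented-out `//session.setMandateCompatibilityMode(...)` call in the -949 hunk, where the comment line above it now describes nothing, and to `//System.out.println("assertionHandle: " + assertionHandle);` in the -1735 hunk. With the guard gone, the in-place `identityLink.setIdentificationValue(bpkBase64)` runs on every call of `getCreateXMLSignatureRequestAuthBlockOrRedirect`, so it is worth confirming that the method is reached only once per session; the lines between the two hunks are not shown.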
@@ -862,8 +859,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { oaURL, gebDat, extendedSAMLAttributes, - session, - fromMandate); + session); return authBlock; } @@ -949,7 +945,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { throw new ValidateException("validator.43", new Object[] {friendlyName}); } // set compatibility mode for mandates infobox and all infoboxes (it is possible to be a parep infobox) - session.setMandateCompatibilityMode(ParepConfiguration.isMandateCompatibilityMode(verifyInfoboxParameter.getApplicationSpecificParams())); + //session.setMandateCompatibilityMode(ParepConfiguration.isMandateCompatibilityMode(verifyInfoboxParameter.getApplicationSpecificParams())); // check for party representation in mandates infobox if (Constants.INFOBOXIDENTIFIER_MANDATES.equalsIgnoreCase(identifier) && !((infoboxTokenList == null || infoboxTokenList.size() == 0))){ //We need app specific parameters @@ -1187,6 +1183,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { Vector extendedSamlAttributes = new Vector(); + extendedSamlAttributes.clear(); //extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_RAW, mandate, SZRGWConstants.MANDATE_NS, ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); 
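Review bot: The added `extendedSamlAttributes.clear();` in the -1187 hunk directly follows `Vector extendedSamlAttributes = new Vector();`, so it empties a collection that was just created and has no effect. Remove the line. If the intent was to reset attributes already held by the session, that needs a call on the session's list rather than on this local. The enclosing method starts and ends outside the hunk.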
@@ -1404,72 +1401,189 @@ public class AuthenticationServer implements MOAIDAuthConstants { } - // Exchange person data information by a mandate if needed - boolean mandateMode = session.getUseMandate(); + // builds authentication data and stores it together with a SAML artifact + AuthenticationData authData = buildAuthenticationData(session, vsresp); - List oaAttributes = session.getExtendedSAMLAttributesOA(); - IdentityLink replacementIdentityLink = null; + if (session.getUseMandate()) { + // mandate mode + return null; + } + else { + + String samlAssertion = + new AuthenticationDataAssertionBuilder().build( + authData, + session.getAssertionPrPerson(), + session.getAssertionAuthBlock(), + session.getAssertionIlAssertion(), + session.getBkuURL(), + session.getAssertionSignerCertificateBase64(), + session.getAssertionBusinessService(), + session.getExtendedSAMLAttributesOA()); + authData.setSamlAssertion(samlAssertion); + + String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile"); + if (!ParepUtils.isEmpty(assertionFile)) + try { + ParepUtils.saveStringToFile(samlAssertion, new File(assertionFile)); + } catch (IOException e) { + throw new BuildException( + "builder.00", + new Object[] { "AuthenticationData", e.toString()}, + e); + } + + String samlArtifact = + new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID()); + storeAuthenticationData(samlArtifact, authData); + + // invalidates the authentication session + sessionStore.remove(sessionID); + Logger.info( + "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact); + return samlArtifact; + + } + + + + + } + + /** + * Processes a <code><CreateXMLSignatureResponse></code> sent by the + * security layer implementation.<br> + * <ul> + * <li>Validates given <code><CreateXMLSignatureResponse></code></li> + * <li>Parses <code><CreateXMLSignatureResponse></code> for error codes</li> + 
* <li>Parses authentication block enclosed in + * <code><CreateXMLSignatureResponse></code></li> + * <li>Verifies authentication block by calling the MOA SP component</li> + * <li>Creates authentication data</li> + * <li>Creates a corresponding SAML artifact</li> + * <li>Stores authentication data in the authentication data store + * indexed by the SAML artifact</li> + * <li>Deletes authentication session</li> + * <li>Returns the SAML artifact, encoded BASE64</li> + * </ul> + * + * @param sessionID session ID of the running authentication session + * @param xmlCreateXMLSignatureReadResponse String representation of the + * <code><CreateXMLSignatureResponse></code> + * @return SAML artifact needed for retrieving authentication data, encoded BASE64 + */ + public String verifyAuthenticationBlockMandate( + String sessionID, + Element mandate) + throws + AuthenticationException, + BuildException, + ParseException, + ConfigurationException, + ServiceException, + ValidateException { + + if (isEmpty(sessionID)) + throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID}); + AuthenticationSession session = getSession(sessionID); + //AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance(); -// if (mandateMode) { -// Iterator it = oaAttributes.iterator(); -// //ExtendedSAMLAttribute samlAttribute = (ExtendedSAMLAttribute)it.next(); -// Element mandate = session.getMandateElem(); -// replacementIdentityLink = new IdentityLink(); -// Element mandator = ParepUtils.extractMandator(mandate); -// String dateOfBirth = ""; -// Element prPerson = null; -// String familyName = ""; -// String givenName = ""; -// String identificationType = ""; -// String identificationValue = ""; -// if (mandator != null) { -// boolean physical = ParepUtils.isPhysicalPerson(mandator); -// if (physical) { -// familyName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:FamilyName/text()"); -// givenName = 
ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:GivenName/text()"); -// dateOfBirth = ParepUtils.extractMandatorDateOfBirth(mandator); -// } else { -// familyName = ParepUtils.extractMandatorFullName(mandator); -// } -// identificationType = ParepUtils.getIdentification(mandator, "Type"); -// identificationValue = ParepUtils.extractMandatorWbpk(mandator); -// prPerson = ParepUtils.extractPrPersonOfMandate(mandate); -// if (physical && session.getBusinessService() && identificationType!=null && Constants.URN_PREFIX_BASEID.equals(identificationType)) { -// // now we calculate the wbPK and do so if we got it from the BKU -// identificationType = Constants.URN_PREFIX_WBPK + "+" + session.getDomainIdentifier(); -// identificationValue = new BPKBuilder().buildWBPK(identificationValue, session.getDomainIdentifier()); -// ParepUtils.HideStammZahlen(prPerson, true, null, null, true); -// } -// -// -// replacementIdentityLink.setDateOfBirth(dateOfBirth); -// replacementIdentityLink.setFamilyName(familyName); -// replacementIdentityLink.setGivenName(givenName); -// replacementIdentityLink.setIdentificationType(identificationType); -// replacementIdentityLink.setIdentificationValue(identificationValue); -// replacementIdentityLink.setPrPerson(prPerson); -// try { -// replacementIdentityLink.setSamlAssertion(session.getIdentityLink().getSamlAssertion()); -// } catch (Exception e) { -// throw new ValidateException("validator.64", null); -// } -// -// } -// -// } + + IdentityLink tempIdentityLink = null; + + if (session.getUseMandate()) { + tempIdentityLink = new IdentityLink(); + Element mandator = ParepUtils.extractMandator(mandate); + String dateOfBirth = ""; + Element prPerson = null; + String familyName = ""; + String givenName = ""; + String identificationType = ""; + String identificationValue = ""; + if (mandator != null) { + boolean physical = ParepUtils.isPhysicalPerson(mandator); + if (physical) { + familyName = ParepUtils.extractText(mandator, 
"descendant-or-self::pr:Name/pr:FamilyName/text()"); + givenName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:GivenName/text()"); + dateOfBirth = ParepUtils.extractMandatorDateOfBirth(mandator); + } else { + familyName = ParepUtils.extractMandatorFullName(mandator); + } + identificationType = ParepUtils.getIdentification(mandator, "Type"); + identificationValue = ParepUtils.extractMandatorWbpk(mandator); + prPerson = ParepUtils.extractPrPersonOfMandate(mandate); + if (physical && session.getBusinessService() && identificationType!=null && Constants.URN_PREFIX_BASEID.equals(identificationType)) { + // now we calculate the wbPK and do so if we got it from the BKU + identificationType = Constants.URN_PREFIX_WBPK + "+" + session.getDomainIdentifier(); + identificationValue = new BPKBuilder().buildWBPK(identificationValue, session.getDomainIdentifier()); + ParepUtils.HideStammZahlen(prPerson, true, null, null, true); + } + + + tempIdentityLink.setDateOfBirth(dateOfBirth); + tempIdentityLink.setFamilyName(familyName); + tempIdentityLink.setGivenName(givenName); + tempIdentityLink.setIdentificationType(identificationType); + tempIdentityLink.setIdentificationValue(identificationValue); + tempIdentityLink.setPrPerson(prPerson); + try { + tempIdentityLink.setSamlAssertion(session.getIdentityLink().getSamlAssertion()); + } catch (Exception e) { + throw new ValidateException("validator.64", null); + } + + } + + } // builds authentication data and stores it together with a SAML artifact - AuthenticationData authData = buildAuthenticationData(session, vsresp, replacementIdentityLink); - String samlArtifact = - new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID()); - storeAuthenticationData(samlArtifact, authData); + AuthenticationData authData = session.getAssertionAuthData(); //buildAuthenticationData(session, vsresp, replacementIdentityLink); - // invalidates the authentication session - sessionStore.remove(sessionID); - 
Logger.info( - "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact); - return samlArtifact; + Element mandatePerson = tempIdentityLink.getPrPerson(); + String mandateData = null; + try { + mandateData = DOMUtils.serializeNode(mandatePerson); + } catch (TransformerException e1) { + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}); + } catch (IOException e1) { + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}); + } + + String samlAssertion = + new AuthenticationDataAssertionBuilder().buildMandate( + authData, + session.getAssertionPrPerson(), + mandateData, + session.getAssertionAuthBlock(), + session.getAssertionIlAssertion(), + session.getBkuURL(), + session.getAssertionSignerCertificateBase64(), + session.getAssertionBusinessService(), + session.getExtendedSAMLAttributesOA()); + authData.setSamlAssertion(samlAssertion); + + String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile"); + if (!ParepUtils.isEmpty(assertionFile)) + try { + ParepUtils.saveStringToFile(samlAssertion, new File(assertionFile)); + } catch (IOException e) { + throw new BuildException( + "builder.00", + new Object[] { "AuthenticationData", e.toString()}, + e); + } + + String samlArtifact = + new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID()); + storeAuthenticationData(samlArtifact, authData); + + // invalidates the authentication session + sessionStore.remove(sessionID); + Logger.info( + "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact); + return samlArtifact; + } /** 
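Review bot: In the new `verifyAuthenticationBlockMandate`, `tempIdentityLink` is assigned only inside `if (session.getUseMandate())`, yet `tempIdentityLink.getPrPerson()` is called unconditionally afterwards, so a session without mandate mode ends in a NullPointerException. When `ParepUtils.extractMandator(mandate)` returns null, `prPerson` is never set and, presumably, a null node is handed to `DOMUtils.serializeNode`. `session.getAssertionAuthData()` is likewise used without a null check although it is populated only after `verifyAuthenticationBlock` has run `buildAuthenticationData`, so the method should throw an `AuthenticationException` when mandate mode is off, the mandator is missing or no authentication data is stored, rather than rely on an unchecked exception before the SAML artifact is issued. The two catch blocks around `serializeNode` drop the cause; pass it on as the other handlers in this class do: `throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e1);`. The Javadoc was copied from `verifyAuthenticationBlock` and still documents `@param xmlCreateXMLSignatureReadResponse` instead of `mandate`.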
@@ -1540,79 +1654,45 @@ public class AuthenticationServer implements MOAIDAuthConstants { } } - // Exchange person data information by a mandate if needed - List oaAttributes = session.getExtendedSAMLAttributesOA(); - IdentityLink replacementIdentityLink = null; - if (session.isMandateCompatibilityMode() && oaAttributes != null && oaAttributes.size()>0) { - // look if we have a mandate - boolean foundMandate = false; - Iterator it = oaAttributes.iterator(); - while (!foundMandate && it.hasNext()) { - ExtendedSAMLAttribute samlAttribute = (ExtendedSAMLAttribute)it.next(); - if (ParepValidator.EXT_SAML_MANDATE_RAW.equals(samlAttribute.getName())) { - Object value = samlAttribute.getValue(); - if (value instanceof Element) { - Element mandate = (Element) value; - replacementIdentityLink = new IdentityLink(); - Element mandator = ParepUtils.extractMandator(mandate); - String dateOfBirth = ""; - Element prPerson = null; - String familyName = ""; - String givenName = ""; - String identificationType = ""; - String identificationValue = ""; - if (mandator != null) { - boolean physical = ParepUtils.isPhysicalPerson(mandator); - if (physical) { - familyName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:FamilyName/text()"); - givenName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:GivenName/text()"); - dateOfBirth = ParepUtils.extractMandatorDateOfBirth(mandator); - } else { - familyName = ParepUtils.extractMandatorFullName(mandator); - } - identificationType = ParepUtils.getIdentification(mandator, "Type"); - identificationValue = ParepUtils.extractMandatorWbpk(mandator); - prPerson = ParepUtils.extractPrPersonOfMandate(mandate); - if (physical && session.getBusinessService() && identificationType!=null && Constants.URN_PREFIX_BASEID.equals(identificationType)) { - // now we calculate the wbPK and do so if we got it from the BKU - identificationType = Constants.URN_PREFIX_WBPK + "+" + session.getDomainIdentifier(); - 
identificationValue = new BPKBuilder().buildWBPK(identificationValue, session.getDomainIdentifier()); - ParepUtils.HideStammZahlen(prPerson, true, null, null, true); - } - - } - replacementIdentityLink.setDateOfBirth(dateOfBirth); - replacementIdentityLink.setFamilyName(familyName); - replacementIdentityLink.setGivenName(givenName); - replacementIdentityLink.setIdentificationType(identificationType); - replacementIdentityLink.setIdentificationValue(identificationValue); - replacementIdentityLink.setPrPerson(prPerson); - try { - replacementIdentityLink.setSamlAssertion(session.getIdentityLink().getSamlAssertion()); - } catch (Exception e) { - throw new ValidateException("validator.64", null); - } - } else { - Logger.info("The type of Mandate SAML-Attribute is not \"org.w3c.dom.Element\""); - throw new ValidateException("validator.64", null); - } - } - } - } - VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponse(); X509Certificate cert = session.getForeignSignerCertificate(); vsresp.setX509certificate(cert); - AuthenticationData authData = buildAuthenticationData(session, vsresp, replacementIdentityLink); - String samlArtifact = - new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID()); - storeAuthenticationData(samlArtifact, authData); - - // invalidates the authentication session - sessionStore.remove(sessionID); - Logger.info( - "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact); - return samlArtifact; + AuthenticationData authData = buildAuthenticationData(session, vsresp); + + + String samlAssertion = + new AuthenticationDataAssertionBuilder().build( + authData, + session.getAssertionPrPerson(), + session.getAssertionAuthBlock(), + session.getAssertionIlAssertion(), + session.getBkuURL(), + session.getAssertionSignerCertificateBase64(), + session.getAssertionBusinessService(), + session.getExtendedSAMLAttributesOA()); + authData.setSamlAssertion(samlAssertion); + + String assertionFile = 
AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile"); + if (!ParepUtils.isEmpty(assertionFile)) + try { + ParepUtils.saveStringToFile(samlAssertion, new File(assertionFile)); + } catch (IOException e) { + throw new BuildException( + "builder.00", + new Object[] { "AuthenticationData", e.toString()}, + e); + } + + String samlArtifact = + new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID()); + storeAuthenticationData(samlArtifact, authData); + + // invalidates the authentication session + sessionStore.remove(sessionID); + Logger.info( + "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact); + + return samlArtifact; } /** @@ -1626,18 +1706,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { */ private AuthenticationData buildAuthenticationData( AuthenticationSession session, - VerifyXMLSignatureResponse verifyXMLSigResp, - IdentityLink replacementIdentityLink) + VerifyXMLSignatureResponse verifyXMLSigResp) throws ConfigurationException, BuildException { - IdentityLink identityLink; - if (replacementIdentityLink == null) { - identityLink = session.getIdentityLink(); - } else { - // We have got data form a mandate we need now to use to stay compatible with applications - identityLink = replacementIdentityLink; - } - + IdentityLink identityLink = session.getIdentityLink(); AuthenticationData authData = new AuthenticationData(); OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( @@ -1661,6 +1733,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { authData.setIdentificationValue(identityLink.getIdentificationValue()); } String prPerson = new PersonDataBuilder().build(identityLink, provideStammzahl); + try { String signerCertificateBase64 = ""; if (oaParam.getProvideCertifcate()) { 
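Review bot: The sequence added in the -1540 hunk (build the assertion, `authData.setSamlAssertion`, the optional `WriteAssertionToFile` dump, `storeAuthenticationData`, `sessionStore.remove`) is the third copy of the same code on the new side; the other two are in the -1404 hunk. Extract it into one private helper that takes the session, the `AuthenticationData` and the optional mandate data, so that a later change to session invalidation or to the assertion dump cannot be applied to only one path. Since `AuthenticationServer.WriteAssertionToFile` writes the complete assertion, including the person data, to one configured file, the helper's comment should state what is written and that the file holds personal data. The method's start lies outside the hunk.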
@@ -1696,22 +1769,17 @@ public class AuthenticationServer implements MOAIDAuthConstants { ilAssertion = StringUtils.replaceAll(ilAssertion, identityLink.getIdentificationValue(), ""); } String authBlock = oaParam.getProvideAuthBlock() ? session.getAuthBlock() : ""; - String samlAssertion = - new AuthenticationDataAssertionBuilder().build( - authData, - prPerson, - authBlock, - ilAssertion, - session.getBkuURL(), - signerCertificateBase64, - businessService, - session.getExtendedSAMLAttributesOA()); - authData.setSamlAssertion(samlAssertion); - String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile"); - if (!ParepUtils.isEmpty(assertionFile)) ParepUtils.saveStringToFile(samlAssertion, new File(assertionFile)); //Ex: "c:/saml_assertion.xml" - + session.setAssertionAuthBlock(authBlock); + session.setAssertionAuthData(authData); + session.setAssertionBusinessService(businessService); + session.setAssertionIlAssertion(ilAssertion); + session.setAssertionPrPerson(prPerson); + session.setAssertionSignerCertificateBase64(signerCertificateBase64); + return authData; + + } catch (Throwable ex) { throw new BuildException( "builder.00", @@ -1735,7 +1803,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { } AuthenticationData authData = null; synchronized (authenticationDataStore) { - System.out.println("assertionHandle: " + assertionHandle); + //System.out.println("assertionHandle: " + assertionHandle); authData = (AuthenticationData) authenticationDataStore.get(assertionHandle); if (authData == null) { Logger.error("Assertion not found for SAML Artifact: " + samlArtifact); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index d48054e4b..35c4244c6 100644 
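Review bot: In the -1696 hunk `buildAuthenticationData` no longer builds the assertion but parks its inputs on the session through six new setters (`setAssertionAuthBlock`, `setAssertionAuthData`, `setAssertionPrPerson` and the others), which neither its name nor `return authData;` reveals. Add a Javadoc sentence such as `Also stores the person data, AUTH block, identity-link assertion and signer certificate in the session for the later assertion build.` In mandate mode the caller returns without `sessionStore.remove(sessionID)`, so these values stay in the session store until the mandate step completes; confirm that abandoned sessions are expired by the session clean-up, which is not visible in this diff. The method starts outside the hunk.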
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -49,6 +49,7 @@ import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; @@ -154,15 +155,14 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion String oaURL, String gebDat, List extendedSAMLAttributes, - AuthenticationSession session, - boolean fromMandate) + AuthenticationSession session) throws BuildException { session.setSAMLAttributeGebeORwbpk(true); String gebeORwbpk = ""; String wbpkNSDeclaration = ""; - //BZ.., reading OA parameters + //reading OA parameters OAAuthParameter oaParam; try { oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( @@ -171,7 +171,6 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion Logger.error("Error on building AUTH-Block: " + e.getMessage()); throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); } - //..BZ if (target == null) { 
@@ -181,12 +180,11 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - //BZ.., adding type of wbPK domain identifier + //adding type of wbPK domain identifier ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute); - //..BZ } else { // We do not have a wbPK, therefore no SAML-Attribute is provided @@ -194,13 +192,11 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion } } else { // OA is a govermental application - //BZ.. String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" }); - //..BZ - //BZ.., no business service, adding bPK + //no business service, adding bPK Element bpkSamlValueElement; try { 
@@ -213,34 +209,41 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion // String s = xmlToString(bpkSamlValueElement); // System.out.println("bpkSamlValueElement: " + s); - - if (!fromMandate) { - ExtendedSAMLAttribute bpkAttribute = - new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - //System.out.println("extendedSAMLAttributes: " + extendedSAMLAttributes.size()); - - extendedSAMLAttributes.add(bpkAttribute); - } + ExtendedSAMLAttribute bpkAttribute = + new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + extendedSAMLAttributes.add(bpkAttribute); + + boolean useMandate = session.getUseMandate(); + if (useMandate) { + String mandateReferenceValue = Random.nextRandom(); + // remove leading "-" + if (mandateReferenceValue.startsWith("-")) + mandateReferenceValue = mandateReferenceValue.substring(1); + + session.setMandateReferenceValue(mandateReferenceValue); + + ExtendedSAMLAttribute mandateReferenceValueAttribute = + new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); + + extendedSAMLAttributes.add(mandateReferenceValueAttribute); + } //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - //..BZ } - //BZ.., adding friendly name of OA + //adding friendly name of OA String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? 
"" : oaParam.getFriendlyName(); ExtendedSAMLAttribute oaFriendlyNameAttribute = new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); extendedSAMLAttributes.add(oaFriendlyNameAttribute); - //..BZ String assertion; - try { + try { assertion = MessageFormat.format( AUTH_BLOCK, new Object[] { wbpkNSDeclaration, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java index 640c60e49..367116c73 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java 
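Review bot: The new `mandateReferenceValue` comes from `Random.nextRandom()` in `at.gv.egovernment.moa.id.util`, whose implementation is not part of this diff; because the value is placed in the signed AUTH block and kept in the session, presumably to link the mandate request to this login, it should be unpredictable, so confirm the helper is backed by `java.security.SecureRandom`. Stripping a leading `-` maps a negative and a positive value to the same string; encoding the random bytes as hex or Base64 would avoid the sign handling. As far as the hunk shows, the block sits in the branch for governmental applications, so a business-service login with `session.getUseMandate()` would get no reference value; if that is intended, a comment should say so. The enclosing method starts before the hunk and continues after it.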
@@ -74,6 +74,40 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB "{12}" + " </saml:AttributeStatement>" + NL + "</saml:Assertion>"; + + /** + * XML template for the <code><saml:Assertion></code> to be built + */ + private static final String AUTH_DATA_MANDATE = + "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>" + NL + + "<saml:Assertion xmlns:saml=''" + SAML_NS_URI + "'' xmlns:pr=''" + PD_NS_URI + "'' xmlns:xsi=''" + XSI_NS_URI + "''" + + " xmlns:si=''" + XSI_NS_URI + "''" + + " MajorVersion=''1'' MinorVersion=''0'' AssertionID=''{0}'' Issuer=''{1}'' IssueInstant=''{2}''>" + NL + + " <saml:AttributeStatement>" + NL + + " <saml:Subject>" + NL + + " <saml:NameIdentifier NameQualifier=''{3}''>{4}</saml:NameIdentifier>" + NL + + " <saml:SubjectConfirmation>" + NL + + " <saml:ConfirmationMethod>" + MOA_NS_URI + "cm</saml:ConfirmationMethod>" + NL + + " <saml:SubjectConfirmationData>{5}{6}</saml:SubjectConfirmationData>" + NL + + " </saml:SubjectConfirmation>" + NL + + " </saml:Subject>" + NL + + " <saml:Attribute AttributeName=''PersonData'' AttributeNamespace=''" + PD_NS_URI + "''>" + NL + + " <saml:AttributeValue>{7}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''MandateData'' AttributeNamespace=''" + PD_NS_URI + "''>" + NL + + " <saml:AttributeValue>{8}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''isQualifiedCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{9}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{10}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + "{11}" + + "{12}" + + "{13}" + + " </saml:AttributeStatement>" + NL + + "</saml:Assertion>"; /** * XML template for the <code><saml:Attribute></code> named <code>"isPublicAuthority"</code>, * to be 
inserted into the <code><saml:Assertion></code> 
@@ -181,5 +215,94 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB } return assertion; } + + /** + * Builds the authentication data <code><saml:Assertion></code>. + * + * @param authData the <code>AuthenticationData</code> to build the + * <code><saml:Assertion></code> from + * @param xmlPersonData <code>lt;pr:Person></code> element as a String + * @param xmlAuthBlock authentication block to be included in a + * <code>lt;saml:SubjectConfirmationData></code> element; may include + * the <code>"Stammzahl"</code> or not; may be empty + * @param xmlIdentityLink the IdentityLink + * @param signerCertificateBase64 Base64 encoded certificate of the signer. Maybe + * an empty string if the signer certificate should not be provided. + * Will be ignored if the <code>businessService</code> parameter is + * set to <code>false</code>. + * @param businessService <code>true</code> if the online application is a + * business service, otherwise <code>false</code> + * @return the <code><saml:Assertion></code> + * @throws BuildException if an error occurs during the build process + */ + public String buildMandate( + AuthenticationData authData, + String xmlPersonData, + String xmlMandateData, + String xmlAuthBlock, + String xmlIdentityLink, + String bkuURL, + String signerCertificateBase64, + boolean businessService, + List extendedSAMLAttributes) + throws BuildException + { + + String isQualifiedCertificate = authData.isQualifiedCertificate() ? 
"true" : "false"; + String publicAuthorityAttribute = ""; + if (authData.isPublicAuthority()) { + String publicAuthorityIdentification = authData.getPublicAuthorityCode(); + if (publicAuthorityIdentification == null) + publicAuthorityIdentification = "True"; + publicAuthorityAttribute = MessageFormat.format( + PUBLIC_AUTHORITY_ATT, new Object[] { publicAuthorityIdentification }); + } + + + String signerCertificateAttribute = ""; + if (signerCertificateBase64 != "") { + signerCertificateAttribute = MessageFormat.format( + SIGNER_CERTIFICATE_ATT, new Object[] { signerCertificateBase64 }); + } + + String pkType; + String pkValue; + if (businessService) { + pkType = authData.getIdentificationType(); + pkValue = authData.getWBPK(); + + } else { + // <saml:NameIdentifier NameQualifier> always has the bPK as type/value + pkType = URN_PREFIX_BPK; + pkValue = authData.getBPK(); + } + +// System.out.println("pkType; " + pkType); +// System.out.println("pkValue; " + pkValue); + + String assertion; + try { + + assertion = MessageFormat.format(AUTH_DATA_MANDATE, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstant(), + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + StringUtils.removeXMLDeclaration(xmlMandateData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } catch (ParseException e) { + Logger.error("Error on building Authentication Data Assertion: " + e.getMessage()); + throw new BuildException("builder.00", new Object[] { "Authentication Data Assertion", e.toString()}); + } + return assertion; + } } 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java index 556b0cb6a..41e4cd37d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java @@ -74,8 +74,8 @@ public class SAMLArtifactBuilder { // alternative sourceId String alternativeSourceID = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter(GENERIC_CONFIG_PARAM_SOURCEID); - System.out.println("alternativeSourceID: " + alternativeSourceID); - System.out.println("authURL: " + authURL); + //System.out.println("alternativeSourceID: " + alternativeSourceID); + //System.out.println("authURL: " + authURL); if (!ParepUtils.isEmpty(alternativeSourceID)) { // if generic config parameter "AuthenticationServer.SourceID" is given, use that sourceID instead of authURL; @@ -85,7 +85,7 @@ public class SAMLArtifactBuilder { sourceID = md.digest(authURL.getBytes()); } - System.out.println("sourceID: " + new String(sourceID)); + //System.out.println("sourceID: " + new String(sourceID)); byte[] assertionHandle = md.digest(sessionID.getBytes()); ByteArrayOutputStream out = new ByteArrayOutputStream(42); @@ -94,9 +94,9 @@ public class SAMLArtifactBuilder { out.write(sourceID, 0, 20); out.write(assertionHandle, 0, 20); byte[] samlArtifact = out.toByteArray(); - System.out.println("samlArtifact: " + new String(samlArtifact)); + //System.out.println("samlArtifact: " + new String(samlArtifact)); String samlArtifactBase64 = Base64Utils.encode(samlArtifact); - System.out.println("samlArtifact Base64: " + samlArtifactBase64); + //System.out.println("samlArtifact Base64: " + samlArtifactBase64); return samlArtifactBase64; } catch (Throwable ex) { 
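Review bot: The `System.out.println` calls that printed `sourceID`, the raw SAML artifact and its Base64 form are only commented out in these three hunks, so they remain one uncomment away from writing the artifact to stdout again. The artifact is what the relying party presents to fetch the assertion, so it should not reach console or log output; delete the lines rather than keeping them as comments. If a trace is still wanted, route it through the project's `Logger.debug` and limit it to non-secret values such as `authURL`. The surrounding method starts and ends outside the hunks.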
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index bae95c2a6..61e4cd28b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -36,6 +36,7 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils; +import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -87,25 +88,41 @@ public class AuthenticationSession { private boolean useMandate; /** - * Selected mandate + * Reference value for mandate */ - private Element mandateElem; + private String mandateReferenceValue; /** - * @return the mandateElem - */ - public Element getMandateElem() { - return mandateElem; - } - - /** - * @param mandateElem the mandateElem to set - */ - public void setMandateElem(Element mandateElem) { - this.mandateElem = mandateElem; - } - - /** + * Authentication data for the assertion + */ + private AuthenticationData assertionAuthData; + + /** + * Persondata for the assertion + */ + private String assertionPrPerson; + + /** + * Authblock for the assertion + */ + private String assertionAuthBlock; + + /** + * Identitylink assertion for the (MOA) assertion + */ + private String assertionIlAssertion; + + /** + * Signer certificate (base64 encoded) for the assertion + */ + private String assertionSignerCertificateBase64; + + /** + * bussiness service for the assertion + */ + boolean assertionBusinessService; + + /** * SessionID for MIS */ private String misSessionID; 
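Review bot: `boolean assertionBusinessService;` is declared without an access modifier while every other field added in this hunk is `private`, so it is package-visible and can be changed without going through its setter; declare it `private boolean assertionBusinessService;`. Its comment also reads "bussiness service". The new fields keep the identity-link assertion, person data, auth block and signer certificate on the session until the mandate step finishes; nothing visible here clears them afterwards, so confirm they are released together with the session. The class body continues outside the hunk.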
@@ -176,14 +193,7 @@ public class AuthenticationSession { */ private String pushInfobox; - /** - * AppSpecificConfiguration entry of then mandates infobox-validator. Tells - * whether person data from the representative have to be exchanged by data - * from the mandate - */ - private boolean mandateCompatibilityMode = false; - - + /** * Constructor for AuthenticationSession. @@ -563,20 +573,6 @@ public class AuthenticationSession { } /** - * @return the mandateCompatibilityMode - */ - public boolean isMandateCompatibilityMode() { - return mandateCompatibilityMode; - } - - /** - * @param mandateCompatibilityMode the mandateCompatibilityMode to set - */ - public void setMandateCompatibilityMode(boolean mandateCompatibilityMode) { - this.mandateCompatibilityMode = mandateCompatibilityMode; - } - - /** * Returns domain identifier (the register and number in the register parameter). * <code>null</code> in the case of not a business service. * 
@@ -660,4 +656,105 @@ public class AuthenticationSession { public String getMISSessionID() { return this.misSessionID; } + + /** + * @return the assertionAuthData + */ + public AuthenticationData getAssertionAuthData() { + return assertionAuthData; + } + + /** + * @param assertionAuthData the assertionAuthData to set + */ + public void setAssertionAuthData(AuthenticationData assertionAuthData) { + this.assertionAuthData = assertionAuthData; + } + + /** + * @return the assertionPrPerson + */ + public String getAssertionPrPerson() { + return assertionPrPerson; + } + + /** + * @param assertionPrPerson the assertionPrPerson to set + */ + public void setAssertionPrPerson(String assertionPrPerson) { + this.assertionPrPerson = assertionPrPerson; + } + + /** + * @return the assertionAuthBlock + */ + public String getAssertionAuthBlock() { + return assertionAuthBlock; + } + + /** + * @param assertionAuthBlock the assertionAuthBlock to set + */ + public void setAssertionAuthBlock(String assertionAuthBlock) { + this.assertionAuthBlock = assertionAuthBlock; + } + + /** + * @return the assertionIlAssertion + */ + public String getAssertionIlAssertion() { + return assertionIlAssertion; + } + + /** + * @param assertionIlAssertion the assertionIlAssertion to set + */ + public void setAssertionIlAssertion(String assertionIlAssertion) { + this.assertionIlAssertion = assertionIlAssertion; + } + + /** + * @return the assertionSignerCertificateBase64 + */ + public String getAssertionSignerCertificateBase64() { + return assertionSignerCertificateBase64; + } + + /** + * @param assertionSignerCertificateBase64 the assertionSignerCertificateBase64 to set + */ + public void setAssertionSignerCertificateBase64(String assertionSignerCertificateBase64) { + this.assertionSignerCertificateBase64 = assertionSignerCertificateBase64; + } + + /** + * @return the assertionBusinessService + */ + public boolean getAssertionBusinessService() { + return assertionBusinessService; + } + + /** + * @param 
assertionBusinessService the assertionBusinessService to set + */ + public void setAssertionBusinessService(boolean assertionBusinessService) { + this.assertionBusinessService = assertionBusinessService; + } + + /** + * @return the mandateReferenceValue + */ + public String getMandateReferenceValue() { + return mandateReferenceValue; + } + + /** + * @param mandateReferenceValue the mandateReferenceValue to set + */ + public void setMandateReferenceValue(String mandateReferenceValue) { + this.mandateReferenceValue = mandateReferenceValue; + } + + } + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java index b1ae12084..977784a6b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java @@ -27,7 +27,6 @@ package at.gv.egovernment.moa.id.auth.servlet; import iaik.pki.PKIException; import java.io.IOException; -import java.io.PrintWriter; import java.security.GeneralSecurityException; import java.util.List; 
@@ -38,16 +37,14 @@ import javax.servlet.http.HttpServletResponse; import javax.xml.parsers.ParserConfigurationException; import org.apache.commons.lang.StringEscapeUtils; -import org.w3c.dom.Document; +import org.w3c.dom.Element; import org.xml.sax.SAXException; -import at.gv.egovernment.moa.id.BuildException; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.WrongParametersException; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; -import at.gv.egovernment.moa.id.auth.builder.GetIdentityLinkFormBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.ConnectionParameter; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; @@ -58,6 +55,7 @@ import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient; import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClientException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.URLEncoder; /**
* Servlet requested for getting the foreign eID
@@ -139,8 +137,6 @@ public class GetMISSessionIDServlet extends AuthServlet { String misSessionID = session.getMISSessionID();
- //System.out.println("MIS Session ID (GetMISServlet): " + misSessionID);
-
AuthConfigurationProvider authConf= AuthConfigurationProvider.getInstance();
ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter();
SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters);
@@ -158,31 +154,36 @@ public class GetMISSessionIDServlet extends AuthServlet { // for now: list contains only one element
MISMandate mandate = (MISMandate)list.get(0);
-
+
// verify mandate signature
- String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyMandate(sessionID, mandate);
+ AuthenticationServer.getInstance().verifyMandate(sessionID, mandate);
byte[] byteMandate = mandate.getMandate(); String stringMandate = new String(byteMandate); - Document mandateDoc = DOMUtils.parseDocument(stringMandate, false, null, null); - session.setMandateElem(mandateDoc.getDocumentElement()); - //System.out.println("stringMandate: " + stringMandate); + Element mandateDoc = DOMUtils.parseDocument(stringMandate, false, null, null).getDocumentElement(); + //session.setMandateElem(mandateDoc.getDocumentElement()); - String dataurl =
- new DataURLBuilder().buildDataURL(
- session.getAuthURL(),
- REQ_VERIFY_AUTH_BLOCK,
- session.getSessionID());
-
- Logger.debug(createXMLSignatureRequestOrRedirect);
-
- //String request = getHTMLForm(createXMLSignatureRequestOrRedirect, session.getBkuURL(), dataurl, session.getPublicOAURLPrefix());
- String request = null;
- resp.setContentType("text/html;charset=UTF-8");
- PrintWriter out = new PrintWriter(resp.getOutputStream());
- out.print(request);
- out.flush();
-
+ String redirectURL = null; + String samlArtifactBase64 = + AuthenticationServer.getInstance().verifyAuthenticationBlockMandate(sessionID, mandateDoc); + + + if (!samlArtifactBase64.equals("Redirect to Input Processor")) { + redirectURL = session.getOAURLRequested(); + if (!session.getBusinessService()) { + redirectURL = addURLParameter(redirectURL, PARAM_TARGET, URLEncoder.encode(session.getTarget(), "UTF-8")); + } + redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); + redirectURL = resp.encodeRedirectURL(redirectURL); + } else { + redirectURL = new DataURLBuilder().buildDataURL(session.getAuthURL(), AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, session.getSessionID()); + } + resp.setContentType("text/html"); + resp.setStatus(302); + + resp.addHeader("Location", redirectURL); + Logger.debug("REDIRECT TO: " + redirectURL); +
}
catch (MOAIDException ex) {
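Review bot: `Logger.debug("REDIRECT TO: " + redirectURL)` writes the complete redirect URL to the log, and on the success path that URL carries the `PARAM_SAMLARTIFACT` value appended just above; log only the part before the query, e.g. `Logger.debug("REDIRECT TO: " + redirectURL.split("\\?")[0]);`, or drop the line. `new String(byteMandate)` decodes the mandate with the platform default charset before it is parsed, so non-ASCII content depends on host configuration; name the encoding explicitly (`new String(byteMandate, "UTF-8")` if MIS delivers UTF-8, to be confirmed). `samlArtifactBase64.equals(...)` also assumes `verifyAuthenticationBlockMandate` never returns null, which is not visible here. The enclosing method starts before and ends after this hunk.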
@@ -198,6 +199,21 @@ public class GetMISSessionIDServlet extends AuthServlet { } catch (ParserConfigurationException e) { handleError(null, e, req, resp); }
+ } + + /** + * Adds a parameter to a URL. + * @param url the URL + * @param paramname parameter name + * @param paramvalue parameter value + * @return the URL with parameter added + */ + private static String addURLParameter(String url, String paramname, String paramvalue) { + String param = paramname + "=" + paramvalue; + if (url.indexOf("?") < 0) + return url + "?" + param; + else + return url + "&" + param; }
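Review bot: `addURLParameter` concatenates `paramname` and `paramvalue` verbatim, so a value containing `&`, `=` or `#` would add or truncate parameters; the Javadoc should state that both must already be URL-encoded, e.g. `@param paramvalue parameter value, already URL-encoded by the caller`. The callers added in this commit do encode with `URLEncoder.encode(..., "UTF-8")`. The same helper is removed from VerifyCertificateServlet in this commit; if other servlets keep their own copy, moving it to a shared utility would avoid drift.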
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java index 1dfc266a9..b5c57d5cf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java @@ -175,7 +175,7 @@ public class ProcessValidatorInputServlet extends AuthServlet { AuthenticationSession session = AuthenticationServer.getSession(sessionID);
AuthenticationServer.processInput(session, parameters);
- String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().getCreateXMLSignatureRequestAuthBlockOrRedirect(session, null, null, false);
+ String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().getCreateXMLSignatureRequestAuthBlockOrRedirect(session, null, null);
if (!createXMLSignatureRequestOrRedirect.startsWith("Redirect")) {
// Now sign the AUTH Block
String dataURL = new DataURLBuilder().buildDataURL(
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java index 5b9995709..f7f9d8fed 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java @@ -39,8 +39,10 @@ import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.WrongParametersException; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; +import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilderCertificate; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.id.util.ServletUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.URLEncoder; 
@@ -140,6 +142,28 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { AuthenticationSession session = AuthenticationServer.getSession(sessionID); String samlArtifactBase64 = AuthenticationServer.getInstance().verifyAuthenticationBlock(sessionID, createXMLSignatureResponse); + + if (samlArtifactBase64 == null) { + //mandate Mode + + Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate."); + + String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true); + + // build dataurl + String dataurl = + new DataURLBuilder().buildDataURL( + session.getAuthURL(), + REQ_VERIFY_CERTIFICATE, + session.getSessionID()); + + + //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)"); + //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); + Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)"); + ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); + + } if (!samlArtifactBase64.equals("Redirect to Input Processor")) { redirectURL = session.getOAURLRequested(); if (!session.getBusinessService()) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java index c9f9491bb..181c46bf9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java @@ -150,7 +150,9 @@ public class VerifyCertificateServlet extends AuthServlet { throw new AuthenticationException("auth.14", null);
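Review bot: When `verifyAuthenticationBlock` returns null, the new mandate branch writes the InfoboxReadRequest to the response and then falls through to `if (!samlArtifactBase64.equals("Redirect to Input Processor"))`, which dereferences the null value and throws a NullPointerException after the response body has already been written. End the branch with `return;` (or turn the following `if` into an `else if`) so that the redirect handling is skipped in mandate mode. Using null as the signal for mandate mode next to the string sentinel "Redirect to Input Processor" makes the return value easy to misread; named constants or a small result type would make the three outcomes explicit. The rest of the method, including its exception handling, is outside the hunk.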
}
- boolean useMandate = session.getUseMandate();
+ boolean useMandate = session.getUseMandate(); + +
if (useMandate) {
// Mandate Modus
// make request to MIS
@@ -162,8 +164,6 @@ public class VerifyCertificateServlet extends AuthServlet { // get identitity link as byte[]
Element elem = session.getIdentityLink().getSamlAssertion();
String s = DOMUtils.serializeNode(elem);
-// byte[] idl = DOMUtils.nodeToByteArray(elem);
-// String s = new String(idl);
byte[] idl = s.getBytes();
// redirect url
@@ -187,8 +187,10 @@ public class VerifyCertificateServlet extends AuthServlet { for(int i = 0; i < profilesArray.length; i++) {
profilesArray[i] = profilesArray[i].trim();
}
-
- MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), redirectURL, profilesArray, sslFactory);
+ + String oaFriendlyName = oaParam.getFriendlyName(); + String mandateReferenceValue = session.getMandateReferenceValue();
+ MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), oaFriendlyName, redirectURL, mandateReferenceValue, profilesArray, sslFactory);
String redirectMISGUI = misSessionID.getRedirectURL();
if (misSessionID == null) {
@@ -236,21 +238,6 @@ public class VerifyCertificateServlet extends AuthServlet { }
/**
- * Adds a parameter to a URL.
- * @param url the URL
- * @param paramname parameter name
- * @param paramvalue parameter value
- * @return the URL with parameter added
- */
- private static String addURLParameter(String url, String paramname, String paramvalue) {
- String param = paramname + "=" + paramvalue;
- if (url.indexOf("?") < 0)
- return url + "?" + param;
- else
- return url + "&" + param;
- }
-
- /**
* Does the request to the SZR-GW
* @param givenname
* @param familyname
@@ -312,50 +299,42 @@ public class VerifyCertificateServlet extends AuthServlet { //
// }
- /**
- * Builds the szrgw:GetIdentityLinkRequest für the SZR-GW
- * @param givenname
- * @param familyname
- * @param birthday
- * @return
- */
- private static Document buildGetIdentityLinkRequest(X509Certificate cert) {
-
- try {
- byte[] certbyte = cert.getEncoded();
- String certstring = Base64.encode(certbyte);
-
- DocumentBuilderFactory factory =DocumentBuilderFactory.newInstance();
- factory.setNamespaceAware(true);
- DocumentBuilder builder = factory.newDocumentBuilder();
- Document doc = builder.newDocument();
-
- Element getIdentityLink = doc.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, "szrgw:GetIdentityLinkRequest");
- getIdentityLink.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:szrgw", SZRGWConstants.SZRGW_REQUEST_NS);
- doc.appendChild(getIdentityLink);
-
- Element x509certificate = doc.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, "szrgw:X509Certificate");
- getIdentityLink.appendChild(x509certificate);
- Text certbase64 = doc.createTextNode(certstring);
- x509certificate.appendChild(certbase64);
-
- return doc;
- } catch (ParserConfigurationException e) {
- e.printStackTrace();
- } catch (CertificateEncodingException e) {
- e.printStackTrace();
- }
- return null;
-
- }
-
- /**
- * Checks a parameter.
- * @param param parameter
- * @return true if the parameter is null or empty
- */
- private boolean isEmpty(String param) {
- return param == null || param.length() == 0;
- }
-
+// /**
+// * Builds the szrgw:GetIdentityLinkRequest für the SZR-GW
+// * @param givenname
+// * @param familyname
+// * @param birthday
+// * @return
+// */
+// private static Document buildGetIdentityLinkRequest(X509Certificate cert) {
+//
+// try {
+// byte[] certbyte = cert.getEncoded();
+// String certstring = Base64.encode(certbyte);
+//
+// DocumentBuilderFactory factory =DocumentBuilderFactory.newInstance();
+// factory.setNamespaceAware(true);
+// DocumentBuilder builder = factory.newDocumentBuilder();
+// Document doc = builder.newDocument();
+//
+// Element getIdentityLink = doc.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, "szrgw:GetIdentityLinkRequest");
+// getIdentityLink.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:szrgw", SZRGWConstants.SZRGW_REQUEST_NS);
+// doc.appendChild(getIdentityLink);
+//
+// Element x509certificate = doc.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, "szrgw:X509Certificate");
+// getIdentityLink.appendChild(x509certificate);
+// Text certbase64 = doc.createTextNode(certstring);
+// x509certificate.appendChild(certbase64);
+//
+// return doc;
+// } catch (ParserConfigurationException e) {
+// e.printStackTrace();
+// } catch (CertificateEncodingException e) {
+// e.printStackTrace();
+// }
+// return null;
+//
+// }
+//
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java index 99ae497ba..df5abe4f5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java 
@@ -171,33 +171,9 @@ public class VerifyIdentityLinkServlet extends AuthServlet { } } -// else { -// boolean useMandate = session.getUseMandate(); -// if (useMandate) { // Mandate modus -// // read certificate and set dataurl to VerifyCertificateServlet -// -// Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate."); -// -// String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true); -// -// // build dataurl -// String dataurl = -// new DataURLBuilder().buildDataURL( -// session.getAuthURL(), -// REQ_VERIFY_CERTIFICATE, -// session.getSessionID()); -// -// -// //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)"); -// //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); -// Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)"); -// ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); -// -// } - else { - ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink"); - } -// } + else { + ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink"); + } } catch (ParseException ex) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java index 3b8caca4c..60678fe22 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java 
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java @@ -56,6 +56,7 @@ import org.xml.sax.SAXNotSupportedException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWSecureSocketFactory;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.StringUtils; public class MISSimpleClient {
@@ -134,7 +135,7 @@ public class MISSimpleClient { }
}
- public static MISSessionId sendSessionIdRequest(String webServiceURL, byte[] idl, byte[] cert, String redirectURL, String mandateIdentifier[], SSLSocketFactory sSLSocketFactory) throws MISSimpleClientException {
+ public static MISSessionId sendSessionIdRequest(String webServiceURL, byte[] idl, byte[] cert, String oaFriendlyName, String redirectURL, String referenceValue, String mandateIdentifier[], SSLSocketFactory sSLSocketFactory) throws MISSimpleClientException {
if (webServiceURL == null) {
throw new NullPointerException("Argument webServiceURL must not be null.");
}
@@ -165,10 +166,22 @@ public class MISSimpleClient { //certElement.appendChild(doc.createTextNode(Base64.encodeBase64(cert)));
// certElement.appendChild(doc.createTextNode(new String(Base64.encodeBase64(cert))));
mirElement.appendChild(certElement);
- }
+ } + + if (!StringUtils.isEmpty(oaFriendlyName)) { + Element oaFriendlyNameElement = doc.createElementNS(MIS_NS, "OAFriendlyName"); + oaFriendlyNameElement.appendChild(doc.createTextNode(oaFriendlyName)); + mirElement.appendChild(oaFriendlyNameElement); + } +
Element redirectElement = doc.createElementNS(MIS_NS, "RedirectURL");
redirectElement.appendChild(doc.createTextNode(redirectURL));
- mirElement.appendChild(redirectElement);
+ mirElement.appendChild(redirectElement); + + Element referenceValueElement = doc.createElementNS(MIS_NS, "ReferenceValue"); + referenceValueElement.appendChild(doc.createTextNode(referenceValue)); + mirElement.appendChild(referenceValueElement); +
if (mandateIdentifier != null && mandateIdentifier.length > 0) {
Element filtersElement = doc.createElementNS(MIS_NS, "Filters");
Element mandateIdentifiersElement = doc.createElementNS(MIS_NS, "MandateIdentifiers");
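Review bot: `referenceValue` is written into the `ReferenceValue` element unconditionally, while `oaFriendlyName` a few lines earlier is guarded with `StringUtils.isEmpty`; the value is only set on the session when the auth block was built with the mandate flag, so a null can reach `doc.createTextNode(referenceValue)` if that step was skipped. Reject it up front in the style of the existing argument checks: `if (referenceValue == null) { throw new NullPointerException("Argument referenceValue must not be null."); }`. The signature change in the preceding hunk inserts two more `String` parameters between existing ones, so a call site that swaps `redirectURL` and `referenceValue` still compiles; a short Javadoc naming each argument would help. The method body starts before this hunk and continues after it.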
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilderTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilderTest.java index 19867dd38..e79394a28 100644 --- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilderTest.java +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilderTest.java @@ -63,7 +63,7 @@ public class AuthenticationBlockAssertionBuilderTest extends UnitTestCase { public void testBuild() throws Exception { AuthenticationBlockAssertionBuilder builder = new AuthenticationBlockAssertionBuilder(); - String assertionBuilt = builder.buildAuthBlock(ISSUER, ISSUE_INSTANT, AUTH_URL, TARGET, "", "", OA_URL, GEB_DAT, null, null, false); + String assertionBuilt = builder.buildAuthBlock(ISSUER, ISSUE_INSTANT, AUTH_URL, TARGET, "", "", OA_URL, GEB_DAT, null, null); assertionBuilt = XML_DECL + assertionBuilt; String assertionShould = XML_DECL + ASSERTION_SHOULD; assertXmlEquals(assertionShould, assertionBuilt); |