| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2013-07-19 11:50:19 +0200 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2013-07-19 11:50:19 +0200 | 
| commit | 71da4a9bc7e2ff79b2fb4cf8903d15fd75372859 (patch) | |
| tree | a2a5841c65ebb4bda12d703378fc41b3cec69fb4 /id/server/idserverlib | |
| parent | 49acb697426d3c313ad047449ea62ac1bf3f4fd0 (diff) | |
| download | moa-id-spss-71da4a9bc7e2ff79b2fb4cf8903d15fd75372859.tar.gz moa-id-spss-71da4a9bc7e2ff79b2fb4cf8903d15fd75372859.tar.bz2 moa-id-spss-71da4a9bc7e2ff79b2fb4cf8903d15fd75372859.zip | |
SSO and Configuration updated
TODO:
  --PVP2 from configuration
  --UseIFrame for OAs
  --SSO with mandates
  --Resign IdentityLink
  --Encrypted MOASession in Database
Diffstat (limited to 'id/server/idserverlib')
33 files changed, 1086 insertions, 559 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 214a1df7d..a127dc6b5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -57,6 +57,7 @@ import org.opensaml.xml.util.Base64;  import org.opensaml.xml.util.XMLHelper;  import org.w3c.dom.Document;  import org.w3c.dom.Element; +import org.w3c.dom.Node;  import org.w3c.dom.NodeList;  import org.xml.sax.SAXException; @@ -87,6 +88,7 @@ import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;  import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;  import at.gv.egovernment.moa.id.auth.parser.CreateXMLSignatureResponseParser;  import at.gv.egovernment.moa.id.auth.parser.ExtendedInfoboxReadResponseParser; +import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;  import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser;  import at.gv.egovernment.moa.id.auth.parser.SAMLArtifactParser;  import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; @@ -104,6 +106,7 @@ import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentity  import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClient;  import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException;  import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants; +import at.gv.egovernment.moa.id.commons.db.dao.config.IdentificationNumber;  import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;  import at.gv.egovernment.moa.id.config.ConfigurationException;  import at.gv.egovernment.moa.id.config.ConfigurationProvider; 
@@ -131,7 +134,9 @@ import at.gv.egovernment.moa.util.Constants;  import at.gv.egovernment.moa.util.DOMUtils;  import at.gv.egovernment.moa.util.DateTimeUtils;  import at.gv.egovernment.moa.util.FileUtils; +import at.gv.egovernment.moa.util.MiscUtil;  import at.gv.egovernment.moa.util.StringUtils; +import at.gv.egovernment.moa.util.XPathUtils;  import eu.stork.mw.messages.saml.STORKAuthnRequest;  import eu.stork.vidp.messages.builder.STORKMessagesBuilder;  import eu.stork.vidp.messages.common.STORKConstants; @@ -419,10 +424,29 @@ public class AuthenticationServer implements MOAIDAuthConstants {  			}  		} -		//build ReadInfobox request        -		String infoboxReadRequest = new InfoboxReadRequestBuilder().build( -				oaParam.isSlVersion12(), oaParam.getBusinessService(), oaParam +		String infoboxReadRequest = ""; +		 +		if (session.isSsoRequested()) { +			//load identityLink with SSO Target +			boolean isbuisness = false; +			String domainIdentifier = ""; +			IdentificationNumber ssobusiness = AuthConfigurationProvider.getInstance().getSSOBusinessService(); +			if (ssobusiness != null) { +				isbuisness = true; +				domainIdentifier = ssobusiness.getValue(); +			} +		 +			//build ReadInfobox request +			infoboxReadRequest = new InfoboxReadRequestBuilder().build( +					oaParam.isSlVersion12(), isbuisness, domainIdentifier); +			 +		} else { +			//build ReadInfobox request +			infoboxReadRequest = new InfoboxReadRequestBuilder().build( +					oaParam.isSlVersion12(), oaParam.getBusinessService(), oaParam  						.getIdentityLinkDomainIdentifier()); +		} +		  		String dataURL = new DataURLBuilder().buildDataURL(  				session.getAuthURL(), REQ_VERIFY_IDENTITY_LINK, session 
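Review bot: The SSO branch of the ReadInfobox request derives `isbuisness`/`domainIdentifier` solely from `AuthConfigurationProvider.getInstance().getSSOBusinessService()` and ignores `oaParam.getBusinessService()` and the OA's own domain identifier, so an OA configured as a business service presumably gets a public-sector identity-link request whenever no SSO business service is configured; if that is intended, say so in the `//load identityLink with SSO Target` comment, otherwise fall back to the OA values. The flag should also be spelled `isBusiness` and both locals can be derived in one step: `boolean isBusiness = ssobusiness != null;` and `String domainIdentifier = isBusiness ? ssobusiness.getValue() : "";`. The enclosing method starts and ends outside the hunk.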
@@ -798,12 +822,14 @@ public class AuthenticationServer implements MOAIDAuthConstants {  				identityLink.setIdentificationType(null);  			}  			else { -			String bpkBase64 = new BPKBuilder().buildBPK(identityLink -					.getIdentificationValue(), session.getTarget()); -				identityLink.setIdentificationValue(bpkBase64); -				 -				//TODO: insert correct Type!!!! -				identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget()); +			 +			//TODO: check correctness!!! bpk calcultion is done during Assertion generation	 +//			String bpkBase64 = new BPKBuilder().buildBPK(identityLink +//					.getIdentificationValue(), session.getTarget()); +//				identityLink.setIdentificationValue(bpkBase64); +//				 +//				//TODO: insert correct Type!!!! +//				identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget());  			}  		}  		// ..BZ @@ -1022,11 +1048,18 @@ public class AuthenticationServer implements MOAIDAuthConstants {  				Constants.URN_PREFIX_BASEID)) {  			// only compute bPK if online application is a public service and we  			// have the Stammzahl -			String bpkBase64 = new BPKBuilder().buildBPK(identityLink -					.getIdentificationValue(), session.getTarget()); -			identificationValue = bpkBase64; -			identificationType = Constants.URN_PREFIX_CDID + "+" + session.getTarget(); +			 +			if (session.isSsoRequested()) { +				identificationType = ""; +				identificationValue = ""; +				 +			} else { +				String bpkBase64 = new BPKBuilder().buildBPK(identityLink +						.getIdentificationValue(), session.getTarget()); +				identificationValue = bpkBase64; +				identificationType = Constants.URN_PREFIX_CDID + "+" + session.getTarget(); +			}  //			identityLink.setIdentificationValue(bpkBase64);  //			identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget()); 
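Review bot: In the hunk at -798 the bPK computation is commented out instead of deleted, leaving an empty `else { }` and a `//TODO: check correctness!!!`; the session's identity link therefore keeps the raw identification value (the baseID for a public-sector OA) for the rest of the session, which, with sessions kept in the session store and the "Encrypted MOASession in Database" item still open, means the baseID sits in the store in clear. Delete the dead block (history keeps it) and replace it with a comment stating the new contract, e.g. `// the identity link keeps the baseID; bPK/wbPK are derived when the AUTH-Block and the AuthenticationData are built`. The hunk at -1022 likewise needs a comment on why `identificationType`/`identificationValue` are set to `""` for SSO rather than left unset. Both enclosing methods start and end outside their hunks.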
@@ -1045,17 +1078,41 @@ public class AuthenticationServer implements MOAIDAuthConstants {  		// Bug #485  		// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)  		// String oaURL = session.getPublicOAURLPrefix(); -		String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&"); +		  		List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); -		String authBlock = new AuthenticationBlockAssertionBuilder() +		 +		 +		if (session.isSsoRequested()) { +			String oaURL =new String(); +			try { +				oaURL = AuthConfigurationProvider.getInstance().getSSOPublicUrl(); +				 +				if (MiscUtil.isNotEmpty(oaURL)) +					oaURL = oaURL.replaceAll("&", "&"); +				 +			} catch (ConfigurationException e) { +			} +			String authBlock = new AuthenticationBlockAssertionBuilder() +				.buildAuthBlockSSO(issuer, issueInstant, authURL, target, +						targetFriendlyName, identificationValue, +						identificationType, oaURL, gebDat, +						extendedSAMLAttributes, session, oaParam); +			return authBlock; +			 +		} else { +			String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&"); +			String authBlock = new AuthenticationBlockAssertionBuilder()  				.buildAuthBlock(issuer, issueInstant, authURL, target,  						targetFriendlyName, identificationValue,  						identificationType, oaURL, gebDat, -						extendedSAMLAttributes, session); +						extendedSAMLAttributes, session, oaParam); +			return authBlock; +		} +		 -		return authBlock; +		  	}  	/** @@ -1107,7 +1164,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {  				.buildAuthBlock(issuer, issueInstant, authURL, target,  						targetFriendlyName, identificationValue,  						identificationType, oaURL, gebDat, -						extendedSAMLAttributes, session); +						extendedSAMLAttributes, session, oaParam);  		return authBlock;  	} 
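Review bot: The new SSO branch swallows `ConfigurationException` with an empty catch, so a misconfigured SSO public URL silently produces an AUTH-Block with an empty `oaURL` that the user then signs; rethrow it as the `BuildException` the method must already propagate from `buildAuthBlock(...)`, which is declared `throws BuildException`, e.g. `} catch (ConfigurationException e) {` / `    throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString() }); }`. The blank lines left where `return authBlock;` was removed can go, and `new String()` should be `""`. As rendered here `replaceAll("&", "&")` (kept from the old line) is a no-op — presumably an `&amp;` lost in rendering, worth confirming in the source. The enclosing method starts outside the hunk.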
@@ -1807,7 +1864,11 @@ public class AuthenticationServer implements MOAIDAuthConstants {  					REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE });  		}  		// validates <CreateXMLSignatureResponse> -		new CreateXMLSignatureResponseValidator().validate(csresp, session); +		if (session.isSsoRequested()) +			new CreateXMLSignatureResponseValidator().validateSSO(csresp, session); +		else +			new CreateXMLSignatureResponseValidator().validate(csresp, session); +		  		// builds a <VerifyXMLSignatureRequest> for a MOA-SPSS call  		List<String> vtids = authConf.getMoaSpAuthBlockVerifyTransformsInfoIDs();  		String tpid = authConf.getMoaSpAuthBlockTrustProfileID(); @@ -2191,13 +2252,9 @@ public class AuthenticationServer implements MOAIDAuthConstants {  		IdentityLink identityLink = session.getIdentityLink();  		AuthenticationData authData = new AuthenticationData(); -		 -//		OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() -//				.getOnlineApplicationParameter(session.getPublicOAURLPrefix()); -		 +	  		VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse(); -		boolean useUTC = oaParam.getUseUTC(); -		boolean isForeigner = session.isForeigner();		 +		boolean useUTC = oaParam.getUseUTC();	  		boolean businessService = oaParam.getBusinessService();  		authData.setMajorVersion(1); @@ -2206,7 +2263,11 @@ public class AuthenticationServer implements MOAIDAuthConstants {  		authData.setIssuer(session.getAuthURL());  		authData.setIssueInstant(DateTimeUtils.buildDateTime(Calendar  				.getInstance(), useUTC)); +		 +		//baseID or wbpk in case of BusinessService without SSO or BusinessService SSO +		authData.setIdentificationValue(identityLink.getIdentificationValue());  		authData.setIdentificationType(identityLink.getIdentificationType()); +		  		authData.setGivenName(identityLink.getGivenName());  		authData.setFamilyName(identityLink.getFamilyName());  		authData.setDateOfBirth(identityLink.getDateOfBirth()); 
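Review bot: In the hunk at -2206, `authData.setIdentificationValue(identityLink.getIdentificationValue())` copies the raw identification value into `AuthenticationData`, which per the new comment is the baseID for a public-sector OA; the former `provideStammzahl` gate is gone and whatever later reads `getIdentificationValue()` is outside this diff, so it has to be checked that no protocol builder forwards that value to the OA. At minimum extend the comment: `//baseID or wbpk ...; the baseID must not leave MOA-ID, protocol builders use authData.getBPK() instead`. In the hunk at -1807 the `if`/`else` around the two validator calls should be braced per the file's style. The enclosing methods start and end outside their hunks.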
@@ -2218,105 +2279,58 @@ public class AuthenticationServer implements MOAIDAuthConstants {  		authData.setBkuURL(session.getBkuURL());  		authData.setUseUTC(oaParam.getUseUTC()); -		//TODO: check correctness  -//		boolean provideStammzahl = oaParam.getProvideStammzahl(); -//		if (provideStammzahl) { -//			authData.setIdentificationValue(identityLink -//					.getIdentificationValue()); -//		} -		 -//		String prPerson = new PersonDataBuilder().build(identityLink, -//				provideStammzahl); -  		try { -//			String signerCertificateBase64 = ""; -//			if (oaParam.getProvideCertifcate()) { -//				X509Certificate signerCertificate = verifyXMLSigResp -//						.getX509certificate(); -//				if (signerCertificate != null) { -//					signerCertificateBase64 = Base64Utils -//							.encode(signerCertificate.getEncoded()); -//				} else { -//					Logger -//							.info("\"provideCertificate\" is \"true\", but no signer certificate available"); -//				} -//			} -//			authData.setSignerCertificate(signerCertificateBase64); -			if(!isForeigner) { -				//we have Austrian citizen -				if (businessService) { -					authData.setBPK(identityLink.getIdentificationValue()); -					authData.setBPKType(identityLink.getIdentificationType()); -					 -				} else { -					 -					// OLD! 
BZ.., calculation of bPK already before sending AUTHBlock -					//TL: identitylLink holds the BASEID, bPK is only calculated for AUTHBlock -					//authData.setBPK(identityLink.getIdentificationValue()); -					 -					 // only compute bPK if online application is a public service and we have the Stammzahl -					if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { -						String bpkBase64 = new BPKBuilder().buildBPK( -								identityLink.getIdentificationValue(), target); -						authData.setBPK(bpkBase64); -						authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); -					 } -				} -			} else { -				//we have foreigner, thus we have to calculate bPK and wbPK now (after receiving identity link from SZR-GW -				if (businessService) { -					//since we have foreigner, wbPK is not calculated in BKU -					if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { +			//TODO: resign the IdentityLink!!! +			 +			if (businessService) { +				//since we have foreigner, wbPK is not calculated in BKU +				if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { -						 	String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); -						  -							if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) { -								// If domainIdentifier starts with prefix -								// "urn:publicid:gv.at:wbpk+"; remove this prefix -								registerAndOrdNr = registerAndOrdNr -										.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); -								Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " -										+ registerAndOrdNr); -							}  +				 	String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); +					  +					if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) { +						// If domainIdentifier starts with prefix +						// "urn:publicid:gv.at:wbpk+"; remove this prefix +						
registerAndOrdNr = registerAndOrdNr +								.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); +						Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " +								+ registerAndOrdNr); +					}  -							String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr); -							authData.setBPK(wbpkBase64); -							authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr);  -					 }										 +					String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr); +					authData.setBPK(wbpkBase64); +					authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr);  				} else { +					authData.setBPK(identityLink.getIdentificationValue()); +					authData.setBPKType(identityLink.getIdentificationType()); +				} +								 +				Element idlassertion = session.getIdentityLink().getSamlAssertion(); +				//set bpk/wpbk; +				Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); +				prIdentification.getFirstChild().setNodeValue(authData.getBPK()); +				//set bkp/wpbk type  +				Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); +				prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); +				 +				IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); +				IdentityLink idl = idlparser.parseIdentityLink(); +				authData.setIdentityLink(idl); +				 +			} else { -					 if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {  -						 // only compute bPK if online application is a public service and we have the Stammzahl -						 String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target); -						 authData.setBPK(bpkBase64); -						 authData.setBPKType(Constants.URN_PREFIX_CDID + "+" 
+ oaParam.getTarget()); -					 } -					 -	 +				if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {  +					// only compute bPK if online application is a public service and we have the Stammzahl +					String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target); +					authData.setBPK(bpkBase64); +					authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());  				} +				authData.setIdentityLink(identityLink);  			} -//			String ilAssertion = oaParam.getProvideIdentityLink() ? identityLink -//					.getSerializedSamlAssertion() -//					: ""; -//			if (!oaParam.getProvideStammzahl()) { -//				ilAssertion = StringUtils.replaceAll(ilAssertion, identityLink -//						.getIdentificationValue(), ""); -//			} -//			String authBlock = oaParam.getProvideAuthBlock() ? session -//					.getAuthBlock() : ""; - -					 -			//TODO: check, if this elements are in use!!!! -//			session.setAssertionAuthBlock(authBlock); -//			session.setAssertionAuthData(authData); -//			session.setAssertionBusinessService(businessService); -//			session.setAssertionIlAssertion(ilAssertion); -//			session.setAssertionPrPerson(prPerson); -//			session.setAssertionSignerCertificateBase64(signerCertificateBase64); - +				  			return authData;  		} catch (Throwable ex) { 
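Review bot: The `XPathUtils.selectSingleNode(...)` results are dereferenced without a null check at `prIdentification.getFirstChild().setNodeValue(...)` and `prIdentificationType.getFirstChild().setNodeValue(...)`, and they are applied to `session.getIdentityLink().getSamlAssertion()` itself, so the identity link held in the session is rewritten in place (the removed code in InfoboxValidatorParamsBuilder worked on `cloneNode(true)`). Either outcome is bad: a missing element gives a `NullPointerException` that the surrounding `catch (Throwable ex)` masks, and in-place rewriting leaves a signed identity link whose content no longer matches its signature — the `//TODO: resign the IdentityLink!!!` acknowledges this, but until then a clone keeps the original intact. The block below works on a copy and fails explicitly; `IllegalStateException` is used only because the method's declared exceptions are outside the hunk — substitute the project's exception type. The enclosing method starts and ends outside the hunk.
```java
// … unchanged: wbPK / bPK computation and authData.setBPK / setBPKType …
// work on a copy so the identity link kept in the session retains its original (signed) content
Element idlassertion = (Element) session.getIdentityLink().getSamlAssertion().cloneNode(true);
Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH);
if (prIdentification == null || prIdentification.getFirstChild() == null
        || prIdentificationType == null || prIdentificationType.getFirstChild() == null) {
    throw new IllegalStateException("IdentityLink assertion lacks identification value/type element");
}
prIdentification.getFirstChild().setNodeValue(authData.getBPK());
prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType());
// … unchanged: IdentityLinkAssertionParser re-parse and authData.setIdentityLink(idl) …
```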
@@ -2326,27 +2340,6 @@ public class AuthenticationServer implements MOAIDAuthConstants {  	}  	/** -	 * Creates a new session and puts it into the session store. -	 *  -	 * @param id -	 *            Session ID -	 * @return AuthenticationSession created -	 * @exception AuthenticationException -	 *                thrown when an <code>AuthenticationSession</code> is -	 *                running already for the given session ID -	 */ -	private static AuthenticationSession newSession() -			throws AuthenticationException { -		 -		try { -			return AuthenticationSessionStoreage.createSession(); -			 -		} catch (MOADatabaseException e) { -			throw new AuthenticationException("", null); -		} -	} - -	/**  	 * Retrieves a session from the session store.  	 *   	 * @param id @@ -2633,6 +2626,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {  			}  		} +		 +		//TODO: check Target in case of SSO!!      	String spSector = StringUtils.isEmpty(moasession.getTarget()) ? "Business" : moasession.getTarget();      	String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName();      	String spApplication = spInstitution; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index 47bf61db4..e1552a5a6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java 
@@ -48,6 +48,7 @@ public interface MOAIDAuthConstants {    public static final String PARAM_BKU = "bkuURI";    public static final String PARAM_MODUL = "MODUL";    public static final String PARAM_ACTION = "ACTION"; +  public static final String PARAM_SSO = "SSO";    /** servlet parameter "sourceID" */    public static final String PARAM_SOURCEID = "sourceID";      /** servlet parameter "BKUSelectionTemplate" */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index fb45e517d..abb33203c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -59,6 +59,7 @@ import at.gv.egovernment.moa.id.util.Random;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.Constants;  import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.MiscUtil;  import at.gv.egovernment.moa.util.StringUtils;  /** @@ -120,6 +121,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion     * The number of SAML attributes included in this AUTH-Block (without the extended SAML attributes).     */    public static final int NUM_OF_SAML_ATTRIBUTES = 4; +  public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 3;    /**     * Constructor for AuthenticationBlockAssertionBuilder. 
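Review bot: `NUM_OF_SAML_ATTRIBUTES_SSO` is added directly under a documented sibling without Javadoc, so a reader cannot tell why the SSO AUTH-Block carries one attribute fewer; presumably the bPK/wbPK attribute is omitted, which the -1022 hunk in AuthenticationServer (empty `identificationValue` for SSO) suggests. Add `/** The number of SAML attributes included in an SSO AUTH-Block (without the extended SAML attributes); the bPK attribute is not part of it. */` above the constant, adjusting the reason if it differs. `PARAM_SSO` in MOAIDAuthConstants should likewise get the one-line `/** servlet parameter "SSO" */` its neighbours have.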
@@ -168,23 +170,14 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion      String oaURL,       String gebDat,      List extendedSAMLAttributes, -    AuthenticationSession session) +    AuthenticationSession session, +    OAAuthParameter oaParam)    throws BuildException    {      session.setSAMLAttributeGebeORwbpk(true);      String gebeORwbpk = "";      String wbpkNSDeclaration = ""; -     -    //reading OA parameters -    OAAuthParameter oaParam; -   try { -      oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( -           session.getPublicOAURLPrefix()); -   } catch (ConfigurationException e) { -      Logger.error("Error on building AUTH-Block: " + e.getMessage()); -         throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); -   } -        +                 if (target == null) {        // OA is a business application        if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) { @@ -216,7 +209,6 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion        //no business service, adding bPK -      System.out.println("identityLinkValue: " + identityLinkValue);        if (identityLinkValue != null) {      	  Element bpkSamlValueElement;      	  try { 
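Review bot: `buildAuthBlock` now takes `oaParam` from the caller instead of resolving it from `session.getPublicOAURLPrefix()`, but nothing checks that it is non-null or belongs to the session's OA, and the failure mode moves from a logged `BuildException` to a `NullPointerException` further down; add a guard at the top, e.g. `if (oaParam == null) throw new BuildException("builder.00", new Object[] { "AUTH-Block", "oaParam is null" });`. The `@param` list of the method's Javadoc (outside the hunk) needs the new parameter too. Removing the `System.out.println("identityLinkValue: " ...)` in the hunk at -216 is right — it wrote the identification value to stdout.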
@@ -264,9 +256,15 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion      extendedSAMLAttributes.add(oaFriendlyNameAttribute); -    //TODO: load special text from OAconfig  -    //String text = "Hiermit bestätige ich, #NAME#, die Übernahme sämtlicher eingelangter Zustellstücke zum #DATE# um #TIME#.";      String text = ""; +    try { +		OAAuthParameter oaparam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix()); +		if (MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText())) +			Logger.info("Use addional AuthBlock Text from OA=" + oaparam.getPublicURLPrefix()); +	} catch (ConfigurationException e) { +		Logger.warn("Addional AuthBlock Text can not loaded from OA!", e); +	} +         	String specialText =  MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,  @@ -406,9 +404,14 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion      extendedSAMLAttributes.add(oaFriendlyNameAttribute);      //..BZ -    //TODO: load special text from OAconfig  -    //String text = "Hiermit bestätige ich, #NAME#, die Übernahme sämtlicher eingelangter Zustellstücke zum #DATE# um #TIME#.";      String text = ""; +    try { +		OAAuthParameter oaparam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix()); +		if (MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText())) +			Logger.info("Use addional AuthBlock Text from OA=" + oaparam.getPublicURLPrefix()); +	} catch (ConfigurationException e) { +		Logger.warn("Addional AuthBlock Text can not loaded from OA!", e); +	}     	String specialText =  MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,      			new Object[] { generateSpecialText(text, issuer, issueInstant) }); 
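Review bot: Both hunks (-264 and -406) re-resolve `OAAuthParameter` from `AuthConfigurationProvider` via `session.getPublicOAURLPrefix()` although `buildAuthBlock` now receives `oaParam` as a parameter (hunk at -168), and they leave `text` null when `getAditionalAuthBlockText()` returns null, whereas `buildAuthBlockSSO` normalises it to `""` before `generateSpecialText`. Where the parameter is available, replace the lookup and the assignment-in-condition with `String text = oaParam.getAditionalAuthBlockText();` / `if (MiscUtil.isEmpty(text)) text = ""; else Logger.info("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());`, which also removes the `ConfigurationException` path. The enclosing methods start and end outside the hunks.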
@@ -464,4 +467,92 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion        return null;    } +  public String buildAuthBlockSSO( +		    String issuer,  +		    String issueInstant,  +		    String authURL,  +		    String target, +		    String targetFriendlyName, +		    String identityLinkValue,  +		    String identityLinkType, +		    String oaURL,  +		    String gebDat, +		    List extendedSAMLAttributes, +		    AuthenticationSession session, +		    OAAuthParameter oaParam) +		  throws BuildException +		  { +		    session.setSAMLAttributeGebeORwbpk(true); +		    String gebeORwbpk = ""; +		    String wbpkNSDeclaration = ""; +		            +		    if (target != null) { +		       +		      boolean useMandate = session.getUseMandate(); +		      if (useMandate) { +		    	  String mandateReferenceValue = Random.nextRandom(); +		    	  // remove leading "-" +		    	  if (mandateReferenceValue.startsWith("-")) +		    		  mandateReferenceValue = mandateReferenceValue.substring(1); +		    		  +		    	  session.setMandateReferenceValue(mandateReferenceValue); +		    		  +		    	  ExtendedSAMLAttribute mandateReferenceValueAttribute =  +		    		  new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); +		    	             +		    	  extendedSAMLAttributes.add(mandateReferenceValueAttribute); +		      } +		    } +		     +		    //adding friendly name of OA +		    String friendlyname; +			try { +				friendlyname = AuthConfigurationProvider.getInstance().getSSOFriendlyName(); +	 +		    ExtendedSAMLAttribute oaFriendlyNameAttribute =  +		         new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); +		     +		    extendedSAMLAttributes.add(oaFriendlyNameAttribute); +		     +		     +		    String text = AuthConfigurationProvider.getInstance().getSSOSpecialText(); +		     +		    if 
(MiscUtil.isEmpty(text)) +		    	text=""; +		   	String specialText =  MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,  +		   			new Object[] { generateSpecialText(text, issuer, issueInstant) }); +	 + +		 +		   	 +		    String assertion; +    	 +		      assertion = MessageFormat.format( +		        AUTH_BLOCK, new Object[] {  +		          wbpkNSDeclaration,  +		          issuer,  +		          issueInstant,  +		          authURL,  +		          gebeORwbpk,  +		          oaURL,  +		          gebDat, +		          specialText, +		          buildExtendedSAMLAttributes(extendedSAMLAttributes)}); +		       +			    return assertion; +		       +		    } catch (ParseException e) { +		    		Logger.error("Error on building AUTH-Block: " + e.getMessage()); +		    		throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); +		    		 +		    } catch (ConfigurationException e) { +			      Logger.error("Error on building AUTH-Block: " + e.getMessage()); +			      throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); +			} +		     + +		     +		  } +   +    } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index 6a9a5b765..023b36d83 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java 
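Review bot: In `buildAuthBlockSSO` the `try` opened right after `friendlyname` wraps the whole remainder of the method down to `return assertion`, which together with the drifting indentation makes it hard to see what can actually throw; narrow it to the two configuration reads and keep the `ParseException` handling around the special-text formatting only. `identityLinkValue` and `identityLinkType` are accepted but never used, and `gebeORwbpk`/`wbpkNSDeclaration` are always `""`; if the SSO AUTH-Block deliberately carries no bPK, state that in a Javadoc for the method, which currently has none. The `target != null` mandate block is unreachable while `isSsoRequested()` returns false for mandate sessions, so either drop it or mark it as preparation for the "SSO with mandates" TODO.
```java
// … unchanged: signature, session.setSAMLAttributeGebeORwbpk(true), mandate block …
String friendlyname;
String text;
try {
    friendlyname = AuthConfigurationProvider.getInstance().getSSOFriendlyName();
    text = AuthConfigurationProvider.getInstance().getSSOSpecialText();
} catch (ConfigurationException e) {
    Logger.error("Error on building AUTH-Block: " + e.getMessage());
    throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString() });
}
if (MiscUtil.isEmpty(text))
    text = "";
// … unchanged: oaFriendlyName attribute, specialText (with its ParseException catch), assertion formatting …
```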
@@ -92,7 +92,12 @@ public class BPKBuilder {                          identificationValue + ",Register+Registernummer=" + registerAndOrdNr});      } -    String basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; +    String basisbegriff; +    if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+" )) +    	basisbegriff = identificationValue + "+" + registerAndOrdNr; +    else +    	basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; +          try {        MessageDigest md = MessageDigest.getInstance("SHA-1");        byte[] hash = md.digest(basisbegriff.getBytes("ISO-8859-1")); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java index 913b12d49..0a526ebbe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java 
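Review bot: `buildWBPK` now accepts `registerAndOrdNr` both with and without the `Constants.URN_PREFIX_WBPK + "+"` prefix, while the caller in AuthenticationServer (hunk at -2218) separately strips `AuthenticationSession.REGISTERANDORDNR_PREFIX_` — two normalisation points for the same input, which the comment there describes as the same `urn:publicid:gv.at:wbpk+` prefix. Because the wbPK is a digest over this exact `basisbegriff`, any later divergence between the two silently changes the wbPK issued for existing users; keep the normalisation in one place and state the accepted input forms in the method's Javadoc, e.g. `@param registerAndOrdNr register and order number, with or without the wbPK URN prefix`. Also brace the `if`/`else` per the file's style.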
@@ -59,52 +59,52 @@ public class InfoboxValidatorParamsBuilder {     *      * @return Parameters for validating an infobox token.     */ -  public static InfoboxValidatorParams buildInfoboxValidatorParams( -    AuthenticationSession session,  -    VerifyInfoboxParameter verifyInfoboxParameter, -    List infoboxTokenList, -    OAAuthParameter oaParam) -  { -    InfoboxValidatorParamsImpl infoboxValidatorParams = new InfoboxValidatorParamsImpl(); -    IdentityLink identityLink = session.getIdentityLink();  -     -    // the infobox token to validate -    infoboxValidatorParams.setInfoboxTokenList(infoboxTokenList); -    // configuration parameters -    infoboxValidatorParams.setTrustProfileID(verifyInfoboxParameter.getTrustProfileID()); -    infoboxValidatorParams.setSchemaLocations(verifyInfoboxParameter.getSchemaLocations()); -    infoboxValidatorParams.setApplicationSpecificParams(verifyInfoboxParameter.getApplicationSpecificParams()); -    // authentication session parameters -    infoboxValidatorParams.setBkuURL(session.getBkuURL()); -    infoboxValidatorParams.setTarget(session.getTarget()); -    infoboxValidatorParams.setDomainIdentifier(oaParam.getIdentityLinkDomainIdentifier()); -    infoboxValidatorParams.setBusinessApplication(session.getBusinessService()); -    // parameters from the identity link -    infoboxValidatorParams.setFamilyName(identityLink.getFamilyName()); -    infoboxValidatorParams.setGivenName(identityLink.getGivenName()); -    infoboxValidatorParams.setDateOfBirth(identityLink.getDateOfBirth()); -    if (verifyInfoboxParameter.getProvideStammzahl()) { -      infoboxValidatorParams.setIdentificationValue(identityLink.getIdentificationValue()); -    } -    infoboxValidatorParams.setIdentificationType(identityLink.getIdentificationType()); -    infoboxValidatorParams.setPublicKeys(identityLink.getPublicKey()); -    if (verifyInfoboxParameter.getProvideIdentityLink()) { -      Element identityLinkElem = 
(Element)identityLink.getSamlAssertion().cloneNode(true); -      if (!verifyInfoboxParameter.getProvideStammzahl()) { -        Element identificationValueElem =  -          (Element)XPathUtils.selectSingleNode(identityLinkElem, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); -        if (identificationValueElem != null) { -          identificationValueElem.getFirstChild().setNodeValue(""); -        } -      } -      infoboxValidatorParams.setIdentityLink(identityLinkElem); -    } -     -    //TODO: check if this is Protocol specific -    //infoboxValidatorParams.setHideStammzahl(!oaParam.getProvideStammzahl()); -    infoboxValidatorParams.setHideStammzahl(true); -     -    return infoboxValidatorParams; -  } +//  public static InfoboxValidatorParams buildInfoboxValidatorParams( +//    AuthenticationSession session,  +//    VerifyInfoboxParameter verifyInfoboxParameter, +//    List infoboxTokenList, +//    OAAuthParameter oaParam) +//  { +//    InfoboxValidatorParamsImpl infoboxValidatorParams = new InfoboxValidatorParamsImpl(); +//    IdentityLink identityLink = session.getIdentityLink();  +//     +//    // the infobox token to validate +//    infoboxValidatorParams.setInfoboxTokenList(infoboxTokenList); +//    // configuration parameters +//    infoboxValidatorParams.setTrustProfileID(verifyInfoboxParameter.getTrustProfileID()); +//    infoboxValidatorParams.setSchemaLocations(verifyInfoboxParameter.getSchemaLocations()); +//    infoboxValidatorParams.setApplicationSpecificParams(verifyInfoboxParameter.getApplicationSpecificParams()); +//    // authentication session parameters +//    infoboxValidatorParams.setBkuURL(session.getBkuURL()); +//    infoboxValidatorParams.setTarget(session.getTarget()); +//    infoboxValidatorParams.setDomainIdentifier(oaParam.getIdentityLinkDomainIdentifier()); +//    infoboxValidatorParams.setBusinessApplication(session.getBusinessService()); +//    // parameters from the identity link +//    
infoboxValidatorParams.setFamilyName(identityLink.getFamilyName()); +//    infoboxValidatorParams.setGivenName(identityLink.getGivenName()); +//    infoboxValidatorParams.setDateOfBirth(identityLink.getDateOfBirth()); +//    if (verifyInfoboxParameter.getProvideStammzahl()) { +//      infoboxValidatorParams.setIdentificationValue(identityLink.getIdentificationValue()); +//    } +//    infoboxValidatorParams.setIdentificationType(identityLink.getIdentificationType()); +//    infoboxValidatorParams.setPublicKeys(identityLink.getPublicKey()); +//    if (verifyInfoboxParameter.getProvideIdentityLink()) { +//      Element identityLinkElem = (Element)identityLink.getSamlAssertion().cloneNode(true); +//      if (!verifyInfoboxParameter.getProvideStammzahl()) { +//        Element identificationValueElem =  +//          (Element)XPathUtils.selectSingleNode(identityLinkElem, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); +//        if (identificationValueElem != null) { +//          identificationValueElem.getFirstChild().setNodeValue(""); +//        } +//      } +//      infoboxValidatorParams.setIdentityLink(identityLinkElem); +//    } +//     +//    //TODO: check if this is Protocol specific +//    //infoboxValidatorParams.setHideStammzahl(!oaParam.getProvideStammzahl()); +//    infoboxValidatorParams.setHideStammzahl(true); +//     +//    return infoboxValidatorParams; +//  }  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java index ed55d660c..5f100d5fe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java 
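Review bot: `buildInfoboxValidatorParams` is commented out wholesale rather than removed, leaving a ~50-line dead block that still reads as if it were the implementation; delete it and let version control keep the history (if it must stay, a one-line comment naming the replacement is enough). Note that this was the code path that blanked the identification value in the cloned identity link and called `setHideStammzahl(true)`; whatever now builds the infobox validator parameters lies outside this diff and should be confirmed to hide the Stammzahl the same way.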
@@ -12,8 +12,6 @@ import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol;  import at.gv.egovernment.moa.logging.Logger;  public class LoginFormBuilder { - -	private static String SERVLET = "./GenerateIframeTemplate";  	private static String AUTH_URL = "#AUTH_URL#";  	private static String MODUL = "#MODUL#"; @@ -22,6 +20,9 @@ public class LoginFormBuilder {  	private static String BKU_ONLINE = "#ONLINE#";  	private static String BKU_HANDY =  "#HANDY#";   	private static String BKU_LOCAL =  "#LOCAL#";  +	private static String CONTEXTPATH = "#CONTEXTPATH#"; +	 +	private static String SERVLET = CONTEXTPATH+"/GenerateIframeTemplate";  	private static String template; @@ -48,7 +49,7 @@ public class LoginFormBuilder {  		return template;  	} -	public static String buildLoginForm(String modul, String action, String oaname) { +	public static String buildLoginForm(String modul, String action, String oaname, String contextpath) {  		String value = getTemplate();  		if(value != null) { @@ -61,6 +62,7 @@ public class LoginFormBuilder {  			value = value.replace(MODUL, modul);  			value = value.replace(ACTION, action);  			value = value.replace(OANAME, oaname); +			value = value.replace(CONTEXTPATH, contextpath);  		}  		return value;  	} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index ffe938d89..94a41a21f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -145,8 +145,6 @@ public class AuthenticationSession implements Serializable {  	 */  	private String misSessionID; -	private String mandateData; -	  	//store Identitylink  	/**  	 * identity link read from smartcard 
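Review bot: The new placeholder fields `CONTEXTPATH` and `SERVLET` follow the file's existing `private static String` pattern without `final`, so they are mutable class state rather than constants; declare the new ones `private static final String` (the older ones can follow). Because `SERVLET` now embeds the `#CONTEXTPATH#` marker, the added `value = value.replace(CONTEXTPATH, contextpath);` only works while it runs after the line that presumably substitutes `SERVLET` into the template, which is outside this hunk; a comment such as `// must stay after the SERVLET substitution: SERVLET itself contains the CONTEXTPATH marker` would protect that ordering. `contextpath` is passed straight into `String.replace`, so callers must never hand in null; `request.getContextPath()` satisfies that, but the parameter deserves a `@param contextpath servlet context path, never null` in the Javadoc.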
@@ -231,6 +229,7 @@ public class AuthenticationSession implements Serializable {  	private boolean authenticated;  	private boolean authenticatedUsed = false; +	private boolean ssoRequested = false;  //	/**  //	 * Indicates if target from configuration is used or not @@ -294,15 +293,6 @@ public class AuthenticationSession implements Serializable {  	public void setAction(String action) {  		this.action = action;  	} -	 -	public String getMandateData() { -		return mandateData; -	} - -	public void setMandateData(String mandateData) { -		this.mandateData = mandateData; -	} -  //	public AuthenticationData getAuthData() {  //		return authData; @@ -1106,8 +1096,23 @@ public class AuthenticationSession implements Serializable {  		}catch (Throwable e) {  			Logger.warn("Mandate content could not be generated from MISMandate.");  			return null; -		} -		 -		 +		}		  	} + +	/** +	 * @return the ssoRequested +	 */ +	 +	//TODO: SSO only allowed without mandates, actually   +	public boolean isSsoRequested() { +		return ssoRequested && !useMandate; +	} + +	/** +	 * @param ssoRequested the ssoRequested to set +	 */ +	public void setSsoRequested(boolean ssoRequested) { +		this.ssoRequested = ssoRequested; +	} +	  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java index cb3ed5ad9..a468caf73 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java @@ -122,7 +122,7 @@ public class IdentityLinkAssertionParser {        + "Value";  	/** Xpath expression to the Identification Value element */	 -	private static final String PERSON_IDENT_TYPE_XPATH = +	public static final String PERSON_IDENT_TYPE_XPATH =  		PERSON_XPATH  			+ "/"  			+ PDATA 
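Review bot: `isSsoRequested()` no longer returns the field its Javadoc describes: it returns `ssoRequested && !useMandate`, so the getter and `setSsoRequested` are not symmetric and a caller who set `true` may read back `false`. Say so where it will be read, e.g. `/** @return true if SSO was requested for this session and no mandate is used; SSO with mandates is not supported yet (see TODO) */`, and move the `//TODO` above the Javadoc so the doc comment sits directly on the method. The stray tabs after the closing brace of the preceding catch (`}		`) are whitespace noise in the same hunk.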
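Review bot: `PERSON_IDENT_TYPE_XPATH` becomes public API here while the Javadoc directly above it (a context line) still reads `Xpath expression to the Identification Value element`, which describes the neighbouring `PERSON_IDENT_VALUE_XPATH`; now that external callers such as `AuthenticationServer` will rely on it, the comment should be corrected to `/** Xpath expression to the Identification Type element */` in the same change.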
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index b0a4f2f8a..3f82c2a4c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -36,6 +36,8 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{  		String targetFriendlyName = null; +	    String sso = req.getParameter(PARAM_SSO); +		  	    // escape parameter strings  	    //TODO: use URLEncoder.encode!!  	    target = StringEscapeUtils.escapeHtml(target); @@ -44,7 +46,8 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{  	    templateURL = StringEscapeUtils.escapeHtml(templateURL);  	    useMandate = StringEscapeUtils.escapeHtml(useMandate);  	    ccc = StringEscapeUtils.escapeHtml(ccc); - +	    sso = StringEscapeUtils.escapeHtml(sso); +	      	      // check parameter  		if (!ParamValidatorUtils.isValidOA(oaURL))             throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); @@ -52,7 +55,9 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{               throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12");		      	    if (!ParamValidatorUtils.isValidCCC(ccc))               throw new WrongParametersException("StartAuthentication", PARAM_CCC, "auth.12"); -	    		     +	    if (!ParamValidatorUtils.isValidUseMandate(sso)) +            throw new WrongParametersException("StartAuthentication", PARAM_SSO, "auth.12"); +	      		//check UseMandate flag  		String useMandateString = null;  		boolean useMandateBoolean = false; 
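Review bot: The new `sso` request parameter is validated with `ParamValidatorUtils.isValidUseMandate(sso)`, the validator written for the `useMandate` flag, so the accepted value set of `PARAM_SSO` is now defined by another parameter's rules and silently changes with them. Give the parameter its own validator (`isValidSSO`, with the same body if the rules really are identical today) or at least record the coupling at the call, `// sso is a boolean flag with the same syntax as useMandate, hence the shared validator`. `escapeHtml` is applied before validation as for the other parameters, so the same `//TODO: use URLEncoder.encode!!` caveat applies to it. The enclosing `parse` method starts and ends outside these hunks.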
@@ -68,7 +73,23 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{  			useMandateBoolean = false;  		moasession.setUseMandate(useMandateString); -					 +		 +		 +		//check useSSO flag +		String useSSOString = null; +		boolean useSSOBoolean = false; +		if ((sso != null) && (sso.compareTo("") != 0)) { +			useSSOString = sso; +		} else { +			useSSOString = "false"; +		} + +		if (useSSOString.compareToIgnoreCase("true") == 0) +			useSSOBoolean = true; +		else +			useSSOBoolean = false; +		moasession.setSsoRequested(useSSOBoolean); +		  	    //load OnlineApplication configuration  	    OAAuthParameter oaParam;  		if (moasession.getPublicOAURLPrefix() != null) { @@ -126,9 +147,11 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{  			}  			moasession.setPublicOAURLPrefix(oaParam.getPublicURLPrefix()); +			 +			//TODO: check for SSO  			moasession.setTarget(target); -			moasession.setTargetFriendlyName(targetFriendlyName);  			moasession.setBusinessService(oaParam.getBusinessService()); +			moasession.setTargetFriendlyName(targetFriendlyName);  			moasession.setDomainIdentifier(oaParam.getIdentityLinkDomainIdentifier());  		} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java index 310f3509c..5a0bd33bf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java @@ -9,6 +9,8 @@ import javax.servlet.http.HttpServletResponse;  import at.gv.egovernment.moa.id.auth.builder.RedirectFormBuilder;  import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.egovernment.moa.util.URLEncoder; 
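Review bot: The block deriving `useSSOBoolean` from `sso` (null/empty → false, `"true"` compared case-insensitively → true) reproduces `Boolean.parseBoolean` exactly, so the twelve new lines can be `moasession.setSsoRequested(Boolean.parseBoolean(sso));` with a one-line comment `// SSO is opt-in per request; anything but "true" means no SSO`. Note that `AuthenticationSession.isSsoRequested()` in this same commit additionally requires `useMandate` to be false, so the value stored here is not what later readers get back; a comment pointing that out avoids surprises when debugging. The `//TODO: check for SSO` left before `moasession.setTarget(target)` in the second hunk should name what is to be checked (presumably that target/business service come from the SSO configuration instead of the OA).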
@@ -16,16 +18,31 @@ public class RedirectServlet extends AuthServlet{  	private static final long serialVersionUID = 1L; -	public static final String REDIRCT_GETPARAM = "redirecturl"; +	public static final String REDIRCT_PARAM_URL = "redirecturl"; +  	protected void doGet(HttpServletRequest req, HttpServletResponse resp)  			throws ServletException, IOException {  		Logger.info("Receive " + RedirectServlet.class + " Request"); -		String url = req.getParameter(REDIRCT_GETPARAM); +		String url = req.getParameter(REDIRCT_PARAM_URL); +		String target = req.getParameter(PARAM_TARGET); +		String artifact = req.getParameter(PARAM_SAMLARTIFACT);  		Logger.info("Redirect to " + url); +		if (MiscUtil.isNotEmpty(target)) { +//			redirectURL = addURLParameter(redirectURL, PARAM_TARGET, +//					URLEncoder.encode(session.getTarget(), "UTF-8")); +			url = addURLParameter(url, PARAM_TARGET, +			URLEncoder.encode(target, "UTF-8")); + + +		} +		url = addURLParameter(url, PARAM_SAMLARTIFACT, +				URLEncoder.encode(artifact, "UTF-8")); +		url = resp.encodeRedirectURL(url); +		  		String redirect_form = RedirectFormBuilder.buildLoginForm(url);  		resp.setContentType("text/html;charset=UTF-8"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java index f8a828f6f..adef74370 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java 
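Review bot: `url` is taken straight from the `redirecturl` request parameter and, with `PARAM_SAMLARTIFACT` appended, becomes the redirect target without any check that it belongs to a registered online application, so the artifact is delivered to whatever host the parameter names. Resolve the URL against the configuration before redirecting, e.g. `if (AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(url) == null) throw new ServletException("redirecturl is not a configured online application");` (or compare it with the public URL prefix of the OA held in the MOA session), and refuse the request otherwise. `URLEncoder.encode(artifact, "UTF-8")` is also called unconditionally, so a request without the artifact parameter ends in a NullPointerException rather than a clear error; guard it as `target` is guarded. The `doGet` body continues past the end of the hunk.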
@@ -207,13 +207,17 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet {  			        String mandateReferenceValue = session.getMandateReferenceValue();  			        byte[] cert = session.getEncodedSignerCertificate(); -			        String targetType = null; -			         -			        if(session.getBusinessService()) { -			        	targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+session.getDomainIdentifier(); +			        //TODO: check in case of SSO!!! +			        String targetType = null;   +			        if(oaParam.getBusinessService()) { +			        	String id = oaParam.getIdentityLinkDomainIdentifier(); +			        	if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) +			        		targetType = id; +			        	else +			        		targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+session.getDomainIdentifier();  			        } else { -			        	targetType = AuthenticationSession.TARGET_PREFIX_ + session.getTarget(); +			        	targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();  			        } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java index 8eaa8341c..2f12c7ae6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java @@ -229,7 +229,8 @@ public class VerifyIdentityLinkServlet extends AuthServlet {  			AuthenticationSessionStoreage.storeSession(session);  		} catch (MOADatabaseException e) { -			throw new AuthenticationException("", null); +			Logger.info("No valid MOA session found. Authentification process is abourted."); +			throw new AuthenticationException("auth.20", null);  		}      }      catch (ParseException ex) { 
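Review bot: In the business-service branch `id.startsWith(...)` dereferences `oaParam.getIdentityLinkDomainIdentifier()` without a null check, and the fallback then builds `targetType` from `session.getDomainIdentifier()` while the rest of the new code reads from `oaParam`, so two sources are mixed in one expression. Guard `id` and take the fallback from the same object, e.g. `if (id != null && id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) targetType = id; else targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_ + oaParam.getIdentityLinkDomainIdentifier();` — unless the session value is meant to differ in the SSO case, which the `//TODO: check in case of SSO!!!` suggests is still undecided; then say which value wins and why. The enclosing method starts and ends outside the hunk.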
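Review bot: The new catch drops the `MOADatabaseException` entirely — it reaches neither the log call nor the thrown `AuthenticationException` — so a database failure in `storeSession` is reported only as the generic `auth.20` message with no cause to diagnose. Use the two-argument logger form this commit uses elsewhere, `Logger.warn("No valid MOA session found. Authentification process is abourted.", e);`, or pass `e` as cause if `AuthenticationException` offers such a constructor. The message text also misspells "authentication" and "aborted".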
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index ba7893412..d0fb1f87f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -35,9 +35,13 @@ import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;  import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;  import at.gv.egovernment.moa.id.auth.data.IdentityLink;  import at.gv.egovernment.moa.id.auth.data.SAMLAttribute; +import at.gv.egovernment.moa.id.config.ConfigurationException;  import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil;  import at.gv.egovernment.moa.util.StringUtils;  import at.gv.egovernment.moa.util.XPathUtils; 
@@ -243,9 +247,15 @@ public class CreateXMLSignatureResponseValidator {      if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {        String samlSpecialText = (String)samlAttribute.getValue(); -      //TODO:load Text from OA config -      //String text = "Hiermit bestätige ich, #NAME#, die Übernahme sämtlicher eingelangter Zustellstücke zum #DATE# um #TIME#."; -      String text = ""; +    String text = ""; +    try { +		OAAuthParameter oaparam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix()); +		if (MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText())) +			Logger.info("Use addional AuthBlock Text from OA=" + oaparam.getPublicURLPrefix()); +	} catch (ConfigurationException e) { +		Logger.warn("Addional AuthBlock Text can not loaded from OA!", e); +	} +              String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, issueInstant);        if (!samlSpecialText.equals(specialText)) { 
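Review bot: `text` is assigned inside the `MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText())` condition, so if the getter returns null `text` is no longer `""` but null when `generateSpecialText(text, issuer, issueInstant)` runs; and `getOnlineApplicationParameter(...)` returning null would fail with a NullPointerException rather than the `ConfigurationException` the catch handles. Read into a local and copy only when present: `String oaText = oaparam.getAditionalAuthBlockText(); if (MiscUtil.isNotEmpty(oaText)) { text = oaText; Logger.info(...); }`, after a null check on `oaparam`. The inserted block is also indented two levels left of the surrounding code and the log texts read "addional"; the enclosing method starts and ends outside the hunk.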
@@ -333,6 +343,211 @@ public class CreateXMLSignatureResponseValidator {      }    } +  /** +   * The Method validate is used for validating an explicit {@link CreateXMLSignatureResponse} +   * @param createXMLSignatureResponse +   * @param session +   * @throws ValidateException +   */ +  public void validateSSO(CreateXMLSignatureResponse createXMLSignatureResponse, AuthenticationSession session) +   throws ValidateException { +       +      // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier +     +	String oaURL; +    try { +		oaURL = AuthConfigurationProvider.getInstance().getSSOPublicUrl(); +	} catch (ConfigurationException e1) { +		oaURL = new String(); +	}  +     +    IdentityLink identityLink = session.getIdentityLink(); +     +    Element samlAssertion = createXMLSignatureResponse.getSamlAssertion();  +    String issuer = samlAssertion.getAttribute("Issuer"); +    if (issuer == null) { +      // should not happen, because parser would dedect this +      throw new ValidateException("validator.32", null); +    } +    // replace ' in name with ' +    issuer = issuer.replaceAll("'", "'"); +     +    String issueInstant = samlAssertion.getAttribute("IssueInstant"); +    if (!issueInstant.equals(session.getIssueInstant())) { +      throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()}); +    } +     +    String name = identityLink.getName(); +     +    if (!issuer.equals(name)) { +      throw new ValidateException("validator.33", new Object[] {issuer, name}); +    }      +        +    SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes(); + +    boolean foundOA = false; +    boolean foundGB = false; +    boolean foundWBPK = false; +    int offset = 0; +     +    // check number of SAML aatributes +    List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); +    int extendedSAMLAttributesNum = 0; +    if (extendedSAMLAttributes != 
null) { +      extendedSAMLAttributesNum = extendedSAMLAttributes.size(); +    } +    int expectedSAMLAttributeNumber =  +      AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + extendedSAMLAttributesNum; +    if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--; +    int actualSAMLAttributeNumber = samlAttributes.length; +    if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) { +      Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +  +        expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber); +      throw new ValidateException( +        "validator.36",  +        new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)}); +    } +     +    SAMLAttribute samlAttribute; +    if (!session.getSAMLAttributeGebeORwbpk()) { +      offset--; +    } + +    // check the first attribute (must be "OA") +    samlAttribute = samlAttributes[0 + offset]; +    if (!samlAttribute.getName().equals("OA")) { +      throw new ValidateException( +          "validator.37",  +          new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)}); +    } +    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { +      foundOA = true;             +      if (!oaURL.equals((String)samlAttribute.getValue())) {  // CHECKS für die AttributeVALUES fehlen noch              +        throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});  +      }              +    } else { +      throw new ValidateException("validator.15", null); +    } +       +    // check the third attribute (must be "Geburtsdatum") +    samlAttribute = samlAttributes[1 + offset]; +    if (!samlAttribute.getName().equals("Geburtsdatum")) { +      throw new ValidateException( +          "validator.37",  +          new Object[] 
{samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)}); +    } +    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { +      String samlDateOfBirth = (String)samlAttribute.getValue(); +      String dateOfBirth = identityLink.getDateOfBirth(); +      if (!samlDateOfBirth.equals(dateOfBirth)) { +        throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth}); +      } +    } else { +      throw new ValidateException("validator.35", null); +    } +      +    // check four attribute could be a special text +    samlAttribute = samlAttributes[2 + offset]; +    if (!samlAttribute.getName().equals("SpecialText")) { +      throw new ValidateException( +          "validator.37",  +          new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)}); +    } +    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { +      String samlSpecialText = (String)samlAttribute.getValue(); +       +    String text = ""; +    try { +		if (MiscUtil.isNotEmpty(text = AuthConfigurationProvider.getInstance().getSSOSpecialText())) +			Logger.info("Use addional AuthBlock Text from SSO=" +text); +		else +			text = new String(); +	} catch (ConfigurationException e) { +		Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e); +	} +       +       +      String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, issueInstant); +      if (!samlSpecialText.equals(specialText)) { +        throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); +      } +    } else { +      throw new ValidateException("validator.35", null); +    } +     +    // now check the extended SAML attributes +    int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset; +    if (extendedSAMLAttributes != null) { +      Iterator it = extendedSAMLAttributes.iterator(); 
+      while (it.hasNext()) { +        ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next(); +        samlAttribute = samlAttributes[i]; +        String actualName = samlAttribute.getName(); +        String expectedName = extendedSAMLAttribute.getName(); +        if (!actualName.equals(expectedName)) { +          throw new ValidateException( +            "validator.38",  +            new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName }); +        } +        String actualNamespace = samlAttribute.getNamespace(); +        String expectedNamespace = extendedSAMLAttribute.getNameSpace(); +        if (!actualNamespace.equals(expectedNamespace)) { +          throw new ValidateException( +            "validator.38",  +            new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, }); +        } +        Object expectedValue = extendedSAMLAttribute.getValue(); +        Object actualValue = samlAttribute.getValue(); +        try { +          if (expectedValue instanceof String) { +            // replace \r\n because text might be base64-encoded +            String expValue = StringUtils.replaceAll((String)expectedValue,"\r",""); +            expValue = StringUtils.replaceAll(expValue,"\n",""); +            String actValue = StringUtils.replaceAll((String)actualValue,"\r",""); +            actValue = StringUtils.replaceAll(actValue,"\n",""); +            if (!expValue.equals(actValue)) { +              throw new ValidateException( +              "validator.38",  +              new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });           +            } +          } else if (expectedValue instanceof Element) { +            // only check the name of the element +            String actualElementName = ((Element)actualValue).getNodeName(); +            String expectedElementName = ((Element)expectedValue).getNodeName(); +            if 
(!(expectedElementName.equals(actualElementName))){ +              throw new ValidateException( +              "validator.38",  +              new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});           +            } +          } else { +            // should not happen +            throw new ValidateException( +              "validator.38",  +              new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()}); +          } +        } catch (ClassCastException e) { +          throw new ValidateException( +              "validator.38",  +              new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()}); +        } +        i++; +      } +    } +     +     +    if (!foundOA) throw new ValidateException("validator.14", null);  +   +     //Check if dsig:Signature exists +//    NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature"); +//    if (nl.getLength() != 1) { +//      throw new ValidateException("validator.05", null); +//    } +    Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH); +    if (dsigSignature == null) {     +      throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; +    } +  } +      public void validateSigningDateTime( CreateXMLSignatureResponse csresp) throws ValidateException {  	  //TODO: insert Time validation!!!! diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConnectionParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConnectionParameter.java new file mode 100644 index 000000000..b358a31c9 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConnectionParameter.java 
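Review bot: When `session.getSAMLAttributeGebeORwbpk()` is false, `offset` becomes -1 and the first check reads `samlAttributes[0 + offset]`, i.e. index -1, so the non-business case ends in an ArrayIndexOutOfBoundsException instead of a ValidateException. The offset logic appears copied from `validate`, where presumably a Geschaeftsbereich/wbPK attribute precedes "OA"; `validateSSO` checks no such attribute, so either drop both the `expectedSAMLAttributeNumber--` and the `offset--` adjustments (if `NUM_OF_SAML_ATTRIBUTES_SSO` counts only OA, Geburtsdatum and SpecialText) or check that attribute at index 0 as `validate` does. The `validator.16` message labels `oaURL` as "gefunden" and the attribute value as "erwartet", which is the wrong way round, and both `validator.37` messages for Geburtsdatum and SpecialText report position 3. `foundGB` and `foundWBPK` are declared but never set or read, and the method's Javadoc should say that it validates the auth block of an SSO session rather than repeating the text of `validate`.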
@@ -0,0 +1,55 @@ +package at.gv.egovernment.moa.id.config; + +import java.util.Properties; + +import at.gv.egovernment.moa.id.commons.db.dao.config.ConnectionParameterClientAuthType; + +public abstract class ConnectionParameter { +	 +	protected static final String PROP_IDENTIFIER_KEYSTORE = "clientKeyStore";  +	protected static final String PROP_IDENTIFIER_KEYSTOREPASSWORD = "clientKeyStorePassword";  +	protected static final String PROP_IDENTIFIER_ACCEPEDSERVERCERTS =  "acceptedServerCertificates"; +	 +	protected ConnectionParameterClientAuthType database; +	protected Properties prop; +	protected String basedirectory; +	 +	public ConnectionParameter(ConnectionParameterClientAuthType database, Properties prop, String basedirectory) { +		this.database = database; +		this.prop = prop; +		this.basedirectory = basedirectory; +	} +	 +	  /** +	   * Returns the acceptedServerCertificates. +	   * @return String +	   */ +	  public abstract String getAcceptedServerCertificates(); + +	  /** +	   * Returns the clientKeyStore. +	   * @return String +	   */ +	  public abstract String getClientKeyStore(); + +	  /** +	   * Returns the clientKeyStorePassword. +	   * @return String +	   */ +	  public abstract String getClientKeyStorePassword(); +	 +	 +	public boolean isHTTPSURL() { +		if (database==null) +			return false; +		else +			return database.getURL().indexOf("https") == 0; +	} +	 +	public String getUrl() { +		if (database == null) +			return null; +		else +			return database.getURL(); +	} +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 922d86fc0..713fd538e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java 
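Review bot: `isHTTPSURL` decides with `database.getURL().indexOf("https") == 0`, which is case-sensitive, accepts any string that merely begins with those five characters, and throws a NullPointerException when the URL is unset. Prefer `String url = database.getURL(); return url != null && url.toLowerCase(Locale.ROOT).startsWith("https://");` (with `import java.util.Locale;`), and give `isHTTPSURL` and `getUrl` a short Javadoc like the abstract getters have. The class mixes tab indentation for the fields and constructor with space indentation for the abstract methods; pick one, and consider `Objects.requireNonNull(prop, "prop")` in the constructor if subclasses rely on `prop` being set.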
@@ -49,6 +49,7 @@ import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;  import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentGeneral;  import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModes;  import at.gv.egovernment.moa.id.commons.db.dao.config.ForeignIdentities; +import at.gv.egovernment.moa.id.commons.db.dao.config.IdentificationNumber;  import at.gv.egovernment.moa.id.commons.db.dao.config.IdentityLinkSigners;  import at.gv.egovernment.moa.id.commons.db.dao.config.LegacyAllowed;  import at.gv.egovernment.moa.id.commons.db.dao.config.MOAIDConfiguration; @@ -57,6 +58,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;  import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineMandates;  import at.gv.egovernment.moa.id.commons.db.dao.config.Protocols;  import at.gv.egovernment.moa.id.commons.db.dao.config.SLRequestTemplates; +import at.gv.egovernment.moa.id.commons.db.dao.config.SSO;  import at.gv.egovernment.moa.id.commons.db.dao.config.SecurityLayer;  import at.gv.egovernment.moa.id.commons.db.dao.config.TimeOuts;  import at.gv.egovernment.moa.id.commons.db.dao.config.TrustAnchor; 
@@ -617,6 +619,95 @@ public class AuthConfigurationProvider extends ConfigurationProvider {  		return null;    } +  public boolean isSSOBusinessService() throws ConfigurationException { +	  AuthComponentGeneral auth = getAuthComponentGeneral(); +	   +	  SSO sso = auth.getSSO(); +	   +	  if (sso!= null) {		   +		  if (sso.getIdentificationNumber() != null) +			  return true; +	  } +	  return false; +  } +   +  public IdentificationNumber getSSOBusinessService() throws ConfigurationException { +	  AuthComponentGeneral auth = getAuthComponentGeneral(); +	   +	  SSO sso = auth.getSSO(); +	 +	  if (sso!= null)		   +		  return sso.getIdentificationNumber(); +	   +	  return null; +  } +   +  public String getSSOTarget() throws ConfigurationException { +	  AuthComponentGeneral auth = getAuthComponentGeneral(); +	   +	  SSO sso = auth.getSSO(); +	 +	  if (sso!= null)		   +		  return sso.getTarget(); +	   +	  return null; +  } +   +  public String getSSOFriendlyName() { +	  AuthComponentGeneral auth; +	try { +		auth = getAuthComponentGeneral(); + +		SSO sso = auth.getSSO(); +		 +		  if (sso!= null)		   +			  return sso.getFriendlyName(); +		   +	} catch (ConfigurationException e) { +		Logger.warn("No SSO FriendlyName found. 
Use default Name!!!"); +	}	   +	  return "Default MOA-ID friendly name for SSO"; +  } +   +  public String getSSOSpecialText() { +		try { +			AuthComponentGeneral auth = getAuthComponentGeneral(); + +			SSO sso = auth.getSSO(); +			 +			  if (sso!= null) { +				  String text = sso.getSpecialText(); +				  if (MiscUtil.isEmpty(text)) +					  text = new String(); +				  return text; +			  } +				   +			   +		} catch (ConfigurationException e) { +		}	   +		  return new String(); +  } +   +  public String getSSOPublicUrl() { +		try { +			AuthComponentGeneral auth = getAuthComponentGeneral(); + +			SSO sso = auth.getSSO(); +		 +			if (sso!= null) { +				String url = sso.getPublicURL(); +				 +				if (MiscUtil.isEmpty(url)) +					url = new String(); +			 +				  return url; +			} +			   +		} catch (ConfigurationException e) { +		}	   +		  return new String(); +  } +      /**     * Retruns the STORK Configuration     * @return STORK Configuration diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java index 1536b907b..4ee9986ff 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java @@ -189,7 +189,7 @@ public class BuildFromLegacyConfig {  	    	generalAuth.setSSO(auth_sso);  	    	auth_sso.setTarget("BF");  	    	auth_sso.setFriendlyName("EGIZ MOAID 2.0 Beta"); -	    	 +  	    	//set SecurityLayer Transformations  	    	String[] transformsInfoFileNames = builder.buildTransformsInfoFileNames(builder.getConfigElem(), ConfigurationBuilder.AUTH_SECLAYER_TRANSFORMS_INFO_FILENAME_XPATH); 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index efb300a1c..4bbd221a5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -27,6 +27,8 @@ package at.gv.egovernment.moa.id.data;  import java.io.Serializable;  import java.util.Date; +import at.gv.egovernment.moa.id.auth.data.IdentityLink; +  /**   * Encapsulates authentication data contained in a <code><saml:Assertion></code>.   * @@ -67,7 +69,13 @@ public class AuthenticationData implements Serializable {  	/**  	 * user identification type  	 */ -	private String identificationType; +  private String identificationType; +	 +	/** +	 * user identityLink specialized to OAParamter +	 */ +  private IdentityLink identityLink; +	    /**     * application specific user identifier (bPK/wbPK)     */ @@ -78,11 +86,6 @@ public class AuthenticationData implements Serializable {     */    private String bPKType; -   -//  /** -//   * private sector-specific personal identifier (wbPK) -//   */ -//  private String wbPK;    /**     * given name of the user     */ @@ -450,5 +453,21 @@ public void setBPKType(String bPKType) {  	this.bPKType = bPKType;  } +/** + * @return the identityLink + */ +public IdentityLink getIdentityLink() { +	return identityLink; +} + +/** + * @param identityLink the identityLink to set + */ +public void setIdentityLink(IdentityLink identityLink) { +	this.identityLink = identityLink; +} + + +  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index a453010da..22f4a00ad 100644 
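Review bot: The new `identityLink` field is added to a `Serializable` class, so `IdentityLink` must itself be serializable or the field must be `transient`; nothing in the hunk shows which, and the class is written to the session store. The Javadoc `user identityLink specialized to OAParamter` leaves open what "specialized" means — elsewhere in this commit (the commented-out code in `AuthenticationServer`) the identification value is blanked unless `provideStammzahl` is set, so once that rule is settled state it here, e.g. `/** Identity link as released to the online application; whether the identification value is present depends on the OA's provideStammzahl setting. */`, so consumers know whether the source PIN may be inside. The two new declarations use space indentation while the rest of the class uses tabs.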
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -17,6 +17,7 @@ import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;  import at.gv.egovernment.moa.id.auth.WrongParametersException;  import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;  import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;  import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;  import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.moduls.AuthenticationManager; @@ -273,11 +274,17 @@ public class DispatcherServlet extends AuthServlet{  				RequestStorage.removePendingRequest(httpSession); -				if (useSSOOA || isValidSSOSession) { +				String moasessionID = HTTPSessionUtils.getHTTPSessionString(req.getSession(), +						AuthenticationManager.MOA_SESSION, null); +				 +				AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(moasessionID); +				 +				if ((useSSOOA || isValidSSOSession)  +						&& moasession.isSsoRequested()  +						&& !moasession.getUseMandate()) //TODO: SSO with mandates requires an OVS extension   +				{ +					  					//save SSO session usage in Database				 -					String moasessionID = HTTPSessionUtils.getHTTPSessionString(req.getSession(), -							AuthenticationManager.MOA_SESSION, null); -  					String newSSOSessionId = ssomanager.storeSSOSessionInformations(moasessionID, protocolRequest.getOAURL());  					if (newSSOSessionId != null) { @@ -290,7 +297,9 @@ public class DispatcherServlet extends AuthServlet{  				} else {  					authmanager.logout(req, resp);  				} -					 +				 +				ConfigurationDBUtils.closeSession(); +				  				//authmanager.logout(req, resp);  			} catch (Throwable e) { 
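Review bot: `moasession` comes from `AuthenticationSessionStoreage.getSession(moasessionID)` and is dereferenced in the following condition without a null check, so a missing or expired MOA session becomes a NullPointerException caught by the generic `catch (Throwable e)` below instead of a clean logout. Add `moasession != null` to the condition or handle null before it. `&& !moasession.getUseMandate()` is also redundant here, because `isSsoRequested()` already returns `ssoRequested && !useMandate` in this same commit; keep the rule in one place so the two cannot drift apart. The enclosing try block starts outside the hunk.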
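Review bot: `ConfigurationDBUtils.closeSession()` runs only on the normal path; if `storeSSOSessionInformations` or `authmanager.logout` throws, control jumps to `catch (Throwable e)` and the configuration session is left open. Move the call into a `finally` of the enclosing try (which starts and ends outside this hunk) so it executes on every exit.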
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 7c2a9d533..4ec734c41 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -212,18 +212,9 @@ public class AuthenticationManager extends AuthServlet {  			moasession = getORCreateMOASession(request);  			//parse request parameter into MOASession -			try{ -				StartAuthentificationParameterParser.parse(request, response, moasession); -				 -			} -	    	catch (WrongParametersException ex) { -	            handleWrongParameters(ex, request, response); -	          } -	           -	      	catch (MOAIDException ex) { -	      			handleError(null, ex, request, response); -	      	} -						 +			 +			StartAuthentificationParameterParser.parse(request, response, moasession); +							  		    Logger.info("Start Authentication Module: " + moasession.getModul()   		    		+ " Action: " + moasession.getAction()); @@ -274,7 +265,7 @@ public class AuthenticationManager extends AuthServlet {  			//Build authentication form  			String loginForm = LoginFormBuilder.buildLoginForm(target.requestedModule(),  -					target.requestedAction(), oaParam.getFriendlyName()); +					target.requestedAction(), oaParam.getFriendlyName(), request.getContextPath());  			//store MOASession  			try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index 1e863ec81..84817ba7a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java 
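Review bot: Removing the local `catch (WrongParametersException)` and `catch (MOAIDException)` around `StartAuthentificationParameterParser.parse` means both exceptions now propagate out of this method; its signature and callers are outside the hunk, so confirm that it declares them and that the dispatcher renders the error page, otherwise an invalid request parameter now produces an unhandled exception where it previously produced the `handleWrongParameters` page. A comment at the call, `// parameter errors propagate to the caller, which renders the error page`, would make the new contract visible to the next reader.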
@@ -1,5 +1,7 @@  package at.gv.egovernment.moa.id.moduls; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom;  import java.util.List;  import javax.servlet.http.Cookie; @@ -13,6 +15,8 @@ import at.gv.egovernment.moa.id.AuthenticationException;  import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;  import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore;  import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;  import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;  import at.gv.egovernment.moa.id.util.HTTPSessionUtils;  import at.gv.egovernment.moa.id.util.Random; @@ -34,7 +38,14 @@ public class SSOManager {  			instance = new SSOManager();  			//TODO: move to config based timeout! -			sso_timeout = DEFAULTSSOTIMEOUT;		 +			try { +				sso_timeout = (int) AuthConfigurationProvider.getInstance().getTimeOuts().getMOASessionUpdated().longValue(); + +			} catch (ConfigurationException e) { +				Logger.info("SSO Timeout can not be loaded from MOA-ID configuration. Use default Timeout with " + DEFAULTSSOTIMEOUT); +				sso_timeout = DEFAULTSSOTIMEOUT; +			} +		  		}  		return instance; @@ -100,10 +111,8 @@ public class SSOManager {  	public String storeSSOSessionInformations(String moaSessionID, String OAUrl) { -		//TODO: use secure random number generation!!!!!  		String newSSOId = Random.nextRandom(); -		 -		 +			  		System.out.println("generate new SSO Tokken (" + newSSOId + ")");  		if (MiscUtil.isEmpty(moaSessionID) || MiscUtil.isEmpty(OAUrl)) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 3bbb3bd2a..790c42348 100644 
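Review bot: The SSO lifetime is now taken from `getTimeOuts().getMOASessionUpdated()`, which by its name is the MOA session update timeout rather than an SSO session lifetime, and the `//TODO: move to config based timeout!` comment above it is left in place although the value is now config-based. The catch only covers `ConfigurationException`; if `getTimeOuts()` or `getMOASessionUpdated()` can be absent in the configuration, the resulting NPE escapes `getInstance()` instead of falling back to `DEFAULTSSOTIMEOUT`. A silent fallback on a security timeout deserves `Logger.warn` rather than `Logger.info`, and the unchecked `(int)` narrowing of the `long` should at least be noted in a comment as intentional.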
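Review bot: `System.out.println("generate new SSO Tokken (" + newSSOId + ")")` writes the freshly minted SSO session identifier to stdout, and this hunk only removes the TODO above it; the value is what the SSO session is bound to, so it should not appear in any log. Replace it with `Logger.debug("generate new SSO token");` and drop the value. The `SecureRandom`/`NoSuchAlgorithmException` imports added at the top of this file are not used here, so either wire them in or remove them; the only entropy source remains `Random.nextRandom()`, which returns the decimal form of a single 64-bit `long`.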
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -48,6 +48,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;  import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.id.util.VelocityLogAdapter;  public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { @@ -79,6 +80,8 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {  		actions.put(METADATA, new MetadataAction());  		instance = new PVP2XProtocol(); +		 +		new VelocityLogAdapter();  	}  	private static PVP2XProtocol instance = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 6e826005d..97c5e8d20 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -25,6 +25,7 @@ import org.opensaml.xml.parse.BasicParserPool;  import org.opensaml.xml.security.SecurityException;  import org.opensaml.xml.security.credential.Credential; +import at.gv.egovernment.moa.id.auth.stork.VelocityProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; 
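Review bot: `new VelocityLogAdapter();` in the static initializer is executed for its side effect only, and the adapter's own comment says it registers against the Velocity singleton — which does not affect the `new VelocityEngine()` instance that `PostBinding` builds per request, so this line presumably has no effect on the PVP2 POST binding's logging. If singleton registration is wanted, give it a name (a static `VelocityLogAdapter.register()` or a field that is later passed to the engine) so the intent is visible, and note that a failure inside the adapter's constructor is swallowed with a message only. The static block starts outside this hunk.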
@@ -47,6 +48,7 @@ public class PostBinding implements IDecoder, IEncoder {  			Credential credentials = CredentialProvider  					.getIDPSigningCredential(); +//			VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine();  			VelocityEngine engine = new VelocityEngine();  			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");  			engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8"); @@ -54,6 +56,7 @@ public class PostBinding implements IDecoder, IEncoder {  			engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");  			engine.setProperty("classpath.resource.loader.class",  					"org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader"); +			engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, "org.apache.velocity.runtime.log.SimpleLog4JLogSystem");  			engine.init();  			HTTPPostEncoder encoder = new HTTPPostEncoder(engine, @@ -75,6 +78,9 @@ public class PostBinding implements IDecoder, IEncoder {  		} catch (CredentialsNotAvailableException e) {  			e.printStackTrace();  			throw new SecurityException(e); +		} catch (Exception e) { +			e.printStackTrace(); +			throw new SecurityException(e);  		}  	} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java index e464536de..ab880bb9e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java 
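Review bot: This engine is pointed at `SimpleLog4JLogSystem` by class-name string while the same commit introduces a project `LogChute` (`VelocityLogAdapter`) registered elsewhere; the two configurations never meet because this engine is a private instance. Whether `SimpleLog4JLogSystem` is still present depends on the Velocity version on the classpath (it predates the `LogChute` API the adapter implements); if it is missing, `engine.init()` fails and the new catch-all below turns that into a `SecurityException` on every PVP2 response. Consider passing an instance of the project adapter through `RuntimeConstants.RUNTIME_LOG_LOGSYSTEM` (the instance property) once its constructor no longer initialises the singleton, and delete the commented-out `VelocityProvider.getClassPathVelocityEngine()` line rather than leaving it in. The enclosing method starts outside this hunk.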
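Review bot: The new catch-all prints the stack trace to stderr with `e.printStackTrace()` and then rethrows; that duplicates the `CredentialsNotAvailableException` branch above and bypasses the project logger. Use `Logger.error("PVP2 POST encoding failed", e);` or drop the print, since the cause is preserved in the thrown `SecurityException` anyway. `catch (Exception e)` will also re-wrap a `SecurityException` raised inside the try in another `SecurityException`; catching `SecurityException` first and rethrowing it unchanged keeps the original. The enclosing method starts outside this hunk.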
@@ -102,57 +102,57 @@ public class CitizenTokenBuilder {  	} -	public static AttributeStatement buildCitizenToken(MOARequest obj, -			AuthenticationSession authSession) { -		AttributeStatement statement =  -				SAML2Utils.createSAMLObject(AttributeStatement.class); - -		//TL: AuthData generation is moved out from VerifyAuthBlockServlet -		try { - -			//TODO: LOAD oaParam from request and not from MOASession in case of SSO -			OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() -					.getOnlineApplicationParameter(authSession.getPublicOAURLPrefix()); -		 -			AuthenticationData authData = AuthenticationServer.buildAuthenticationData(authSession, -					oaParam, -					authSession.getTarget()); -			 -			Attribute pvpVersion = buildPVPVersion("2.1"); -			Attribute secClass = buildSecClass(3); -			Attribute principalName = buildPrincipalName(authData.getFamilyName()); -			Attribute givenName = buildGivenName(authData.getGivenName()); -			Attribute birthdate = buildBirthday(authData.getDateOfBirth()); -			 -			//TL: getIdentificationValue holds the baseID  --> change to pBK -			Attribute bpk = buildBPK(authData.getBPK()); -			 -			Attribute eid_citizen_qaa = buildEID_CITIZEN_QAALEVEL(3); -			Attribute eid_issuing_nation = buildEID_ISSUING_NATION("AT"); -			Attribute eid_sector_for_id = buildEID_SECTOR_FOR_IDENTIFIER(authData.getIdentificationType()); -			 -			statement.getAttributes().add(pvpVersion); -			statement.getAttributes().add(secClass); -			statement.getAttributes().add(principalName); -			statement.getAttributes().add(givenName); -			statement.getAttributes().add(birthdate); -			statement.getAttributes().add(bpk); -			statement.getAttributes().add(eid_citizen_qaa); -			statement.getAttributes().add(eid_issuing_nation); -			statement.getAttributes().add(eid_sector_for_id); -			 -			return statement; -			 -		} catch (ConfigurationException e) { -			 -			// TODO: check Exception Handling -			return null; -		} catch (BuildException e) { -			 -			// 
TODO: check Exception Handling -			return null; -		} -		 - -	} +//	public static AttributeStatement buildCitizenToken(MOARequest obj, +//			AuthenticationSession authSession) { +//		AttributeStatement statement =  +//				SAML2Utils.createSAMLObject(AttributeStatement.class); +// +//		//TL: AuthData generation is moved out from VerifyAuthBlockServlet +//		try { +// +//			//TODO: LOAD oaParam from request and not from MOASession in case of SSO +//			OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() +//					.getOnlineApplicationParameter(authSession.getPublicOAURLPrefix()); +//		 +//			AuthenticationData authData = AuthenticationServer.buildAuthenticationData(authSession, +//					oaParam, +//					authSession.getTarget()); +//			 +//			Attribute pvpVersion = buildPVPVersion("2.1"); +//			Attribute secClass = buildSecClass(3); +//			Attribute principalName = buildPrincipalName(authData.getFamilyName()); +//			Attribute givenName = buildGivenName(authData.getGivenName()); +//			Attribute birthdate = buildBirthday(authData.getDateOfBirth()); +//			 +//			//TL: getIdentificationValue holds the baseID  --> change to pBK +//			Attribute bpk = buildBPK(authData.getBPK()); +//			 +//			Attribute eid_citizen_qaa = buildEID_CITIZEN_QAALEVEL(3); +//			Attribute eid_issuing_nation = buildEID_ISSUING_NATION("AT"); +//			Attribute eid_sector_for_id = buildEID_SECTOR_FOR_IDENTIFIER(authData.getIdentificationType()); +//			 +//			statement.getAttributes().add(pvpVersion); +//			statement.getAttributes().add(secClass); +//			statement.getAttributes().add(principalName); +//			statement.getAttributes().add(givenName); +//			statement.getAttributes().add(birthdate); +//			statement.getAttributes().add(bpk); +//			statement.getAttributes().add(eid_citizen_qaa); +//			statement.getAttributes().add(eid_issuing_nation); +//			statement.getAttributes().add(eid_sector_for_id); +//			 +//			return statement; +//			 +//		} catch (ConfigurationException e) { +//			 +//			// TODO: 
check Exception Handling +//			return null; +//		} catch (BuildException e) { +//			 +//			// TODO: check Exception Handling +//			return null; +//		} +//		 +// +//	}  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index f3df7a4df..47887ddc2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java 
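Review bot: Commenting out `buildCitizenToken` instead of deleting it leaves about fifty lines of dead code in the file, including the unresolved `//TODO: LOAD oaParam from request and not from MOASession in case of SSO` and two `// TODO: check Exception Handling` branches returning null, which will be mistaken for live TODOs. Version control keeps the old implementation; delete the block, and if the replacement lives elsewhere, point to it with a one-line comment such as `// citizen token attributes are now built by the PVP2 attribute builders`.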
@@ -79,31 +79,39 @@ public class GetArtifactAction implements IAction {  					target);  			String samlArtifactBase64 = saml1server.BuildSAMLArtifact(session, oaParam, authData); - -			String redirectURL = oaURL; -			session.getOAURLRequested(); -			if (!session.getBusinessService()) { -				redirectURL = addURLParameter(redirectURL, PARAM_TARGET, -						URLEncoder.encode(session.getTarget(), "UTF-8")); - -			} -			redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, -					URLEncoder.encode(samlArtifactBase64, "UTF-8")); -			redirectURL = httpResp.encodeRedirectURL(redirectURL); - -			httpResp.setContentType("text/html"); -			httpResp.setStatus(302); -//			if (AuthenticationSessionStoreage.isSSOSession(session.getSessionID())) { -//				String url = "RedirectServlet?"+RedirectServlet.REDIRCT_GETPARAM+"="+redirectURL;  -//				httpResp.addHeader("Location", url); -//				 -//			} else { +			if (AuthenticationSessionStoreage.isSSOSession(session.getSessionID())) { +				String url = "RedirectServlet"; +				url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8")); +				url = addURLParameter(url, PARAM_TARGET, URLEncoder.encode(oaParam.getTarget(), "UTF-8")); +				url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); +				url = httpResp.encodeRedirectURL(url); +				 +				httpResp.setContentType("text/html"); +				httpResp.setStatus(302); +				httpResp.addHeader("Location", url); +				 +			} else { +				String redirectURL = oaURL; + +				//session.getOAURLRequested(); +				 +				if (!oaParam.getBusinessService()) { +//					redirectURL = addURLParameter(redirectURL, PARAM_TARGET, +//							URLEncoder.encode(session.getTarget(), "UTF-8")); +					redirectURL = addURLParameter(redirectURL, PARAM_TARGET, +					URLEncoder.encode(oaParam.getTarget(), "UTF-8")); + + +				} +				redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, +						URLEncoder.encode(samlArtifactBase64, 
"UTF-8")); +				redirectURL = httpResp.encodeRedirectURL(redirectURL); +				httpResp.setContentType("text/html"); +				httpResp.setStatus(302);  				httpResp.addHeader("Location", redirectURL); -//			} - -			Logger.debug("REDIRECT TO: " + redirectURL); - +				Logger.debug("REDIRECT TO: " + redirectURL); +			}  			// CONFIRMATION FOR SSO!  			/*  			 * OAAuthParameter oaParam = @@ -146,10 +154,10 @@ public class GetArtifactAction implements IAction {  		} catch (IOException e) {  			// TODO Auto-generated catch block  			e.printStackTrace(); -		} //catch (MOADatabaseException e) { -//			// TODO Auto-generated catch block -//			e.printStackTrace(); -//		} +		} catch (MOADatabaseException e) { +			// TODO Auto-generated catch block +			e.printStackTrace(); +		}  	}  	protected static String addURLParameter(String url, String paramname, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java deleted file mode 100644 index 3a2f4ee9f..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java +++ /dev/null 
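Review bot: The SSO branch appends `PARAM_TARGET` unconditionally with `URLEncoder.encode(oaParam.getTarget(), "UTF-8")`, while the non-SSO branch only does so when `!oaParam.getBusinessService()`; for a business-service OA `getTarget()` is presumably unset, which makes this either an NPE from the encoder or a bogus empty `Target=` on the SSO redirect. Wrap the SSO-branch line in the same `if (!oaParam.getBusinessService())` guard. `Logger.debug("REDIRECT TO: " + redirectURL)` in the else branch also writes the full URL including the SAML artifact — a short-lived bearer handle to the assertion — into the log; log only the OA, e.g. `Logger.debug("REDIRECT TO OA: " + oaURL);`. The `RedirectServlet` indirection relies on that servlet validating the `oaURL` it is handed against the configured OAs, which is outside this diff; the enclosing method starts outside this hunk.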
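Review bot: The new `catch (MOADatabaseException e)` only prints the stack trace to stderr and returns, so a failed SSO-session lookup leaves the response without a redirect or error page and the user with an empty 200. Log through the project logger and surface the failure, `Logger.error("SSO session lookup failed", e);` followed by the action's error handling, instead of the auto-generated `e.printStackTrace()` that the neighbouring `IOException` branch already copies.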
@@ -1,140 +0,0 @@ -package at.gv.egovernment.moa.id.protocols.saml1; - -import iaik.util.logging.Log; - -import java.io.IOException; - -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; - -import org.apache.commons.lang.StringEscapeUtils; - -import at.gv.egovernment.moa.id.AuthenticationException; -import at.gv.egovernment.moa.id.BuildException; -import at.gv.egovernment.moa.id.auth.WrongParametersException; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.moduls.AuthenticationManager; -import at.gv.egovernment.moa.id.util.ParamValidatorUtils; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.URLEncoder; - -public class GetArtifactServlet extends AuthServlet { - -	/** -	 *  -	 */ -	private static final long serialVersionUID = 3593264832041467899L; - -	/** -	 * Constructor for GetArtifactServlet. 
-	 */ -	public GetArtifactServlet() { -		super(); -	} - -	@Override -	protected void doGet(HttpServletRequest req, HttpServletResponse resp) -			throws ServletException, IOException { -		 -		Log.err("Sollte nicht mehr verwendet werden!!!!"); -		throw new ServletException("The Servlet Class + " + GetArtifactServlet.class  -				+ " is out of date!!!"); -		 -//		HttpSession httpSession = req.getSession(); -// -//		AuthenticationManager authmanager = AuthenticationManager.getInstance(); -//		AuthenticationSession session = authmanager.getAuthenticationSession(httpSession); -// -//		String oaURL = (String) req.getAttribute(PARAM_OA); -//		oaURL = StringEscapeUtils.escapeHtml(oaURL); -// -//		String target = (String) req.getAttribute(PARAM_TARGET); -//		target = StringEscapeUtils.escapeHtml(target); -//		 -//		try { -// -//			// check parameter -//			if (!ParamValidatorUtils.isValidOA(oaURL)) -//				throw new WrongParametersException("StartAuthentication", -//						PARAM_OA, "auth.12"); -// -//			if (oaURL == null) { -//				oaURL = session.getOAURLRequested(); -//			} -// -//			if (oaURL == null) { -//				throw new WrongParametersException("StartAuthentication", -//						PARAM_OA, "auth.12"); -//			} -// -//			String samlArtifactBase64 = SAML1AuthenticationServer -//					.BuildSAMLArtifact(session); -// -//			String redirectURL = oaURL; -//			session.getOAURLRequested(); -//			if (!session.getBusinessService()) { -//				redirectURL = addURLParameter(redirectURL, PARAM_TARGET, -//						URLEncoder.encode(session.getTarget(), "UTF-8")); -// -//			} -//			redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, -//					URLEncoder.encode(samlArtifactBase64, "UTF-8")); -//			redirectURL = resp.encodeRedirectURL(redirectURL); -// -//			resp.setContentType("text/html"); -//			resp.setStatus(302); -// -//			resp.addHeader("Location", redirectURL); -//			Logger.debug("REDIRECT TO: " + redirectURL); -// -//			// CONFIRMATION FOR SSO! 
-//			/* -//			 * OAAuthParameter oaParam = -//			 * AuthConfigurationProvider.getInstance(). -//			 * getOnlineApplicationParameter(oaURL); -//			 *  -//			 * String friendlyName = oaParam.getFriendlyName(); if(friendlyName -//			 * == null) { friendlyName = oaURL; } -//			 *  -//			 *  -//			 * LoginConfirmationBuilder builder = new -//			 * LoginConfirmationBuilder(); -//			 * builder.addParameter(PARAM_SAMLARTIFACT, samlArtifactBase64); -//			 * String form = builder.finish(oaURL, session.getIdentityLink() -//			 * .getName(), friendlyName); -//			 */ -// -//			/* -//			resp.setContentType("text/html"); -// -//			OutputStream out = resp.getOutputStream(); -//			out.write(form.getBytes("UTF-8")); -//			out.flush(); -//			out.close();*/ -// -//		} catch (WrongParametersException ex) { -//			handleWrongParameters(ex, req, resp); -//		} catch (ConfigurationException e) { -//			// TODO Auto-generated catch block -//			e.printStackTrace(); -//		} catch (BuildException e) { -//			// TODO Auto-generated catch block -//			e.printStackTrace(); -//		} catch (AuthenticationException e) { -//			// TODO Auto-generated catch block -//			e.printStackTrace(); -//		} - -	} - -	@Override -	protected void doPost(HttpServletRequest req, HttpServletResponse resp) -			throws ServletException, IOException { -		doGet(req, resp); -	} - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 1b516fe19..2a7147bcb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java 
@@ -128,17 +128,6 @@ public class SAML1AuthenticationServer extends AuthenticationServer {  			AuthenticationData authData)   					throws ConfigurationException, BuildException, AuthenticationException { -		//TODO: check, if this is correct!!!! -//		String samlAssertion = new AuthenticationDataAssertionBuilder().build( -//				authData, session.getAssertionPrPerson(), -//				session.getAssertionAuthBlock(), -//				session.getAssertionIlAssertion(), session.getBkuURL(), -//				session.getAssertionSignerCertificateBase64(), -//				session.getAssertionBusinessService(), -//				session.getExtendedSAMLAttributesOA(), useCondition, -//				conditionLength); -		 -		  		//Load SAML1 Parameter from OA config  		OASAML1 saml1parameter = oaParam.getSAML1Parameter(); @@ -162,7 +151,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {  			//set prPersion  			boolean provideStammzahl = saml1parameter.isProvideStammzahl(); -			String prPerson = new PersonDataBuilder().build(session.getIdentityLink(), +			String prPerson = new PersonDataBuilder().build(authData.getIdentityLink(),  					provideStammzahl);  			//set Authblock 
@@ -170,18 +159,18 @@ public class SAML1AuthenticationServer extends AuthenticationServer {  					.getAuthBlock() : "";  			//set IdentityLink for assortion -			String ilAssertion = saml1parameter.isProvideIdentityLink() ? session.getIdentityLink() +			String ilAssertion = saml1parameter.isProvideIdentityLink() ? authData.getIdentityLink()  					.getSerializedSamlAssertion()  					: "";  			if (!saml1parameter.isProvideStammzahl()) { -				ilAssertion = StringUtils.replaceAll(ilAssertion, session.getIdentityLink() +				ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink()  						.getIdentificationValue(), "");  			}  			String samlAssertion;  			if (session.getUseMandate()) { -				List oaAttributes = session.getExtendedSAMLAttributesOA();; +				List oaAttributes = session.getExtendedSAMLAttributesOA();  				if (saml1parameter.isProvideFullMandatorData()) { @@ -250,7 +239,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {  					}				  				} -				String mandateDate = generateMandateDate(session, oaParam); +				String mandateDate = generateMandateDate(session, oaParam, authData);  				samlAssertion = new AuthenticationDataAssertionBuilder().buildMandate(  						authData,  
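Review bot: `authData.getIdentityLink()` is dereferenced three times in this hunk with no null check, where the old code read the link from `session`; now that the identity link comes from `AuthenticationData` (which for SSO may be rebuilt from a stored session) a missing link would surface as an NPE here instead of a validation error. Hoist it into one local with a null guard that throws the file's `AuthenticationException`/`BuildException`, and reuse it for `prPerson`, `ilAssertion` and the Stammzahl stripping. The Stammzahl removal via `StringUtils.replaceAll(ilAssertion, ...getIdentificationValue(), "")` is pre-existing but is the sensitive step: an empty identification value would make it a no-op while `isProvideStammzahl()` is false, so assert non-empty before relying on it. The enclosing method continues outside this hunk.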
@@ -280,22 +269,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {  			}  			authData.setSamlAssertion(samlAssertion); -	 -			//is removed from MOA-ID 2.0 config  -//			String assertionFile = AuthConfigurationProvider.getInstance() -//					.getGenericConfigurationParameter( -//							"AuthenticationServer.WriteAssertionToFile"); -//			if (!ParepUtils.isEmpty(assertionFile)) -//				try { -//					ParepUtils.saveStringToFile(samlAssertion, new File( -//							assertionFile)); -//				} catch (IOException e) { -//					throw new BuildException("builder.00", new Object[] { -//							"AuthenticationData", e.toString() }, e); -//				} -	 -			 -			//TODO: get sourceID from oaConfig!!! +				  			String samlArtifact = new SAMLArtifactBuilder().build(  					session.getAuthURL(), session.getSessionID(),  					saml1parameter.getSourceID()); @@ -314,7 +288,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {  	}  	private String generateMandateDate(AuthenticationSession session,  -			OAAuthParameter oaParam  +			OAAuthParameter oaParam, AuthenticationData authData  			) throws AuthenticationException, BuildException,  			ParseException, ConfigurationException, ServiceException,  			ValidateException { 
@@ -364,10 +338,19 @@ public class SAML1AuthenticationServer extends AuthenticationServer {  								.equals(identificationType)) {  					// now we calculate the wbPK and do so if we got it from the  					// BKU -					identificationType = Constants.URN_PREFIX_WBPK + "+" -							+ session.getDomainIdentifier(); +					 + +					//load IdentityLinkDomainType from OAParam  +					String type = oaParam.getIdentityLinkDomainIdentifier();	 +					if (type.startsWith(Constants.URN_PREFIX_WBPK + "+")) +						identificationType = type; +					else +						identificationType = Constants.URN_PREFIX_WBPK + "+" +								+ type; +					 +					  					identificationValue = new BPKBuilder().buildWBPK( -							identificationValue, session.getDomainIdentifier()); +							identificationValue, identificationType);  					ParepUtils  							.HideStammZahlen(prPerson, true, null, null, true);  				} @@ -379,7 +362,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {  				tempIdentityLink.setIdentificationValue(identificationValue);  				tempIdentityLink.setPrPerson(prPerson);  				try { -					tempIdentityLink.setSamlAssertion(session.getIdentityLink() +					tempIdentityLink.setSamlAssertion(authData.getIdentityLink()  							.getSamlAssertion());  				} catch (Exception e) {  					throw new ValidateException("validator.64", null); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index d6cf84d86..fad25bc20 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java 
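Review bot: The second argument to `BPKBuilder.buildWBPK` changes from the bare domain identifier (`session.getDomainIdentifier()`) to the fully prefixed `identificationType` (`urn:publicid:gv.at:wbpk+<type>`); unless `buildWBPK` now expects the prefixed form, the mandator's wbPK computed here will differ from the one derived elsewhere for the same person and OA. If the builder hashes the bare value, keep the prefix handling for `identificationType` but pass the stripped id, e.g. `String prefix = Constants.URN_PREFIX_WBPK + "+"; identificationValue = new BPKBuilder().buildWBPK(identificationValue, type.startsWith(prefix) ? type.substring(prefix.length()) : type);`. `oaParam.getIdentityLinkDomainIdentifier()` is also used via `type.startsWith(...)` without a null check; an OA without a domain identifier would NPE here rather than fail validation. The enclosing method starts outside this hunk.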
@@ -95,6 +95,7 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants {  		config.setTarget(oaParam.getTarget()); +		  		//TODO: set reauthenticate if OA.useSSO=false  		request.getSession().setAttribute(PARAM_OA, oaURL); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 90c938e7f..73308e607 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -117,22 +117,7 @@ public class AuthenticationSessionStoreage {  			  }  			  AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0); -			 -//				//delete old SSO Session Ids -//				List<OldSSOSessionIDStore> oldssosessionids = dbsession.getOldssosessionids(); -// -//				for (OldSSOSessionIDStore oldsssid : oldssosessionids) { -//					session.delete(oldsssid); -//				} -//								 -//				//delete active OA -//				List<OASessionStore> activeOAs = dbsession.getActiveOAsessions(); -// -//				for (OASessionStore activeOA : activeOAs) { -//					session.delete(activeOA); -// -//				} -				 +						  				//delete MOA Session  				session.delete(dbsession);  				session.getTransaction().commit(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index be8e475f2..d6bef8d53 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java 
@@ -308,18 +308,18 @@ public class ParamValidatorUtils implements MOAIDAuthConstants{      	  Logger.debug("Parameter MOASessionId ist null");
      	  return true; 
        }
 -         
 -
 -      Pattern pattern = Pattern.compile("[0-9-]*");
 +        
 +     Pattern pattern = Pattern.compile("[0-9-]*");
        Matcher matcher = pattern.matcher(sessionID);
        boolean b = matcher.matches();
        if (b) {
      	  Logger.debug("Parameter MOASessionId erfolgreich ueberprueft");
      	  return true;
        }
 -      else {
 -    	  Logger.error("Fehler Ueberpruefung Parameter MOASessionId. MOASessionId entspricht nicht den Kriterien (nur Zeichen 0-9 und -)");
 -    	  return false;
 +      else {
+       	  Logger.error("Fehler Ueberpruefung Parameter MOASessionId. MOASessionId entspricht nicht den Kriterien (nur Zeichen 0-9 und -)");
 +       	  return false;
+
        }
     }
 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java index d006dcdfc..f1d0ecd45 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java @@ -24,9 +24,16 @@  package at.gv.egovernment.moa.id.util; + +import iaik.security.random.SeedGenerator; + +import java.io.IOException;  import java.nio.ByteBuffer;  import java.security.SecureRandom; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +  /**   * Random number generator used to generate ID's   * @author Paul Ivancsics @@ -35,21 +42,36 @@ import java.security.SecureRandom;  public class Random {    /** random number generator used */ -	private static SecureRandom random = new SecureRandom(); +	//private static SecureRandom random = new SecureRandom(); +	private static SecureRandom random; +	private static SeedGenerator seedgenerator; +	 +	static { +		random = iaik.security.random.SHA256FIPS186Random.getDefault(); +	    seedgenerator = iaik.security.random.AutoSeedGenerator.getDefault(); + +		 +	}    /**     * Creates a new random number, to be used as an ID.     *      * @return random long as a String     */    public static String nextRandom() { - -	  byte[] b = new byte[16]; // 16 bytes = 128 bits -	  random.nextBytes(b); -		  -	  ByteBuffer bb = ByteBuffer.wrap(b); -	  long l = bb.getLong(); +	byte[] b = new byte[32]; // 32 bytes = 256 bits +	random.nextBytes(b); +		  +    ByteBuffer bb = ByteBuffer.wrap(b); +	long l = bb.getLong(); +	return "" + l; +		 + +  } +   +  public static void seedRandom() { -	  return "" + l; +	  if (seedgenerator.seedAvailable()) +		  random.setSeed(seedgenerator.getSeed());    }  } 
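Review bot: Only 8 of the 32 generated bytes reach the returned ID: `bb.getLong()` reads the first `long`, so the `// 32 bytes = 256 bits` comment overstates the entropy and the token (used for SSO session ids in `SSOManager`) still carries at most 64 bits, exactly as before the change. If the larger buffer is intended, encode all of it, e.g. `return new java.math.BigInteger(1, b).toString();`, which stays within the `[0-9-]*` check in `ParamValidatorUtils` (a hex or Base64 form would not; `Base64Utils` is imported here but unused). `seedRandom()` has no caller in this diff and its seeding of a shared static generator is unsynchronised, so say in a comment when it is meant to be called; the `IOException` and `Logger` imports are unused too.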
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/VelocityLogAdapter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/VelocityLogAdapter.java new file mode 100644 index 000000000..caa8f1769 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/VelocityLogAdapter.java 
@@ -0,0 +1,77 @@ +package at.gv.egovernment.moa.id.util; + +import org.apache.velocity.app.Velocity; +import org.apache.velocity.runtime.RuntimeServices; +import org.apache.velocity.runtime.log.LogChute; + +import at.gv.egovernment.moa.logging.Logger; + +public class VelocityLogAdapter implements LogChute { + +	public VelocityLogAdapter() { +		try +	    { +	      /* +	       *  register this class as a logger with the Velocity singleton +	       *  (NOTE: this would not work for the non-singleton method.) +	       */ +	      Velocity.setProperty(Velocity.RUNTIME_LOG_LOGSYSTEM, this ); +	      Velocity.init(); +	    } +	    catch (Exception e) +	    { +	      Logger.error("Failed to register Velocity logger"); +	    } +	} +	 +	public void init(RuntimeServices arg0) throws Exception { +	} + +	public boolean isLevelEnabled(int arg0) { +		switch(arg0) { +		case LogChute.DEBUG_ID: +			return Logger.isDebugEnabled(); +		case LogChute.TRACE_ID: +			return Logger.isTraceEnabled(); +		default: +			return true; +		} +	} + +	public void log(int arg0, String arg1) { +		switch(arg0) { +		case LogChute.DEBUG_ID: +			Logger.debug(arg1); +			break; +		case LogChute.TRACE_ID: +			Logger.trace(arg1); +			break; +		case LogChute.INFO_ID: +			Logger.info(arg1); +			break; +		case LogChute.WARN_ID: +			Logger.warn(arg1); +			break; +		case LogChute.ERROR_ID: +		default: +			Logger.error(arg1); +			break; +		} +	} + +	public void log(int arg0, String arg1, Throwable arg2) { +		switch(arg0) { +		case LogChute.DEBUG_ID: +		case LogChute.TRACE_ID: +		case LogChute.INFO_ID: +		case LogChute.WARN_ID: +			Logger.warn(arg1, arg2); +			break; +		case LogChute.ERROR_ID: +		default: +			Logger.error(arg1, arg2); +			break; +		} +	} +	 +} diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 25f1fef9d..f5745873f 100644 
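Review bot: The constructor swallows any failure of `Velocity.setProperty`/`Velocity.init()` with `Logger.error("Failed to register Velocity logger")`, dropping the exception; pass it, `Logger.error("Failed to register Velocity logger", e);`, since this is the case where the message alone explains nothing. The three-argument `log(int, String, Throwable)` maps DEBUG, TRACE and INFO to `Logger.warn`, so a debug-level Velocity message with an attached throwable is promoted two levels; mirror the two-argument overload and route each level to its own logger call. `init(RuntimeServices)` is left empty, which is fine for a delegating chute, but a one-line comment `// nothing to initialise: all output is delegated to the MOA Logger` would stop the next reader from thinking it was forgotten. Constructing this class purely for the side effect of registering with the Velocity singleton (see the static block in `PVP2XProtocol`) is better expressed as a named static `register()` method.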
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -34,9 +34,10 @@ auth.13=Vollmachtenmodus f�r ausl�ndische B�rger wird nicht unterst�tzt.  auth.14=Zertifikat konnte nicht ausgelesen werden.
  auth.15=Fehler bei Anfrage an Vollmachten Service.
 auth.16=Fehler bei Abarbeitung der Vollmacht in "{0}"
-auth.17=Vollmachtenmodus für nicht-öffentlichen Bereich wird nicht unterstützt.
 +auth.17=Vollmachtenmodus f�r nicht-�ffentlichen Bereich wird nicht unterst�tzt.
  auth.18=Keine MOASessionID vorhanden
-auth.19=Die Authentifizierung kann nicht passiv durchgeführt werden.
+auth.19=Die Authentifizierung kann nicht passiv durchgef�hrt werden.
+auth.20=No valid MOA session found. Authentification process is abourted.
 init.00=MOA ID Authentisierung wurde erfolgreich gestartet
  init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m?glicherweise nicht verf?gbar
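Review bot: `auth.20` is the only English message in this German resource bundle and misspells two words ("Authentification", "abourted"); if it is shown to end users it should match its neighbours, e.g. `auth.20=Keine g\u00fcltige MOA-Session gefunden. Der Authentifizierungsprozess wird abgebrochen.`. The same hunk re-encodes the umlauts in `auth.17` and `auth.19` to bytes that render as replacement characters here, consistent with ISO-8859-1 `.properties` encoding, but `init.01` below already shows `?` damage from an earlier round-trip, so please verify the file is read with the charset it is now saved in, or switch to `\uXXXX` escapes to be encoding-independent.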
 diff --git a/id/server/idserverlib/src/main/resources/resources/templates/loginForm.html b/id/server/idserverlib/src/main/resources/resources/templates/loginForm.html index fe17a6d37..38ef53475 100644 --- a/id/server/idserverlib/src/main/resources/resources/templates/loginForm.html +++ b/id/server/idserverlib/src/main/resources/resources/templates/loginForm.html @@ -2,10 +2,10 @@  <head>  	<meta content="text/html; charset=utf-8" http-equiv="Content-Type">  	<meta content="text/css" http-equiv="Content-Style-Type"> -	<link rel="stylesheet" type="text/css" href="./css/index.css"> -	<link type="text/css" rel="stylesheet" href="./css/2.0/stammzahl.css"> -	<link type="text/css" rel="stylesheet" href="./css/2.0/stylesnew.css"> -	<link type="text/css" rel="stylesheet" href="./css/2.0/stylesinput.css"> +	<link rel="stylesheet" type="text/css" href="#CONTEXTPATH#/css/index.css"> +	<link type="text/css" rel="stylesheet" href="#CONTEXTPATH#/css/2.0/stammzahl.css"> +	<link type="text/css" rel="stylesheet" href="#CONTEXTPATH#/css/2.0/stylesnew.css"> +	<link type="text/css" rel="stylesheet" href="#CONTEXTPATH#/css/2.0/stylesinput.css">  	<script type="text/javascript">  		function isIE() { @@ -46,11 +46,16 @@  				document.getElementById("metroDetected").style.display="block";  			document.getElementById("localBKU").style.display="block"; +			if (checkMandateSSO()) +				return; +			  			setMandateSelection(); - +			setSSOSelection(); +						  			var iFrameURL = "#AUTH_URL#" + "?";  			iFrameURL += "bkuURI=" + "#ONLINE#";  			iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; +			iFrameURL += "&SSO=" + document.getElementById("useSSO").value;  			iFrameURL += "&MODUL=" + "#MODUL#";  			iFrameURL += "&ACTION=" + "#ACTION#"; 
@@ -60,11 +65,16 @@  		function bkuHandyClicked() {  			document.getElementById("localBKU").style.display="none"; +			if (checkMandateSSO()) +				return; +			  			setMandateSelection(); - +			setSSOSelection(); +			  			var iFrameURL = "#AUTH_URL#" + "?";  			iFrameURL += "bkuURI=" + "#HANDY#";  			iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; +			iFrameURL += "&SSO=" + document.getElementById("useSSO").value;  			iFrameURL += "&MODUL=" + "#MODUL#";  			iFrameURL += "&ACTION=" + "#ACTION#"; @@ -74,8 +84,12 @@  		function storkClicked() {  			document.getElementById("localBKU").style.display="none";  +			if (checkMandateSSO()) +				return; +			  			setMandateSelection(); - +			setSSOSelection(); +			  			var ccc = "AT";  			var countrySelection = document.getElementById("cccSelection"); @@ -87,6 +101,7 @@  			iFrameURL += "bkuURI=" + "#ONLINE#";  			iFrameURL += "&useMandate=" + document.getElementById("useMandate").value;  			iFrameURL += "&ccc=" + ccc; +			iFrameURL += "&SSO=" + document.getElementById("useSSO").value;  			iFrameURL += "&MODUL=" + "#MODUL#";  			iFrameURL += "&ACTION=" + "#ACTION#"; @@ -119,6 +134,31 @@  				}  			}  		} +		 +		function setSSOSelection() { +			document.getElementById("useSSO").value = "false"; +			var checkbox = document.getElementById("SSOCheckBox"); +			if (checkbox !=  null) { +				if (document.getElementById("SSOCheckBox").checked) { +					document.getElementById("useSSO").value = "true"; +				} +			} +		} +		 +		function checkMandateSSO() { +			var sso = document.getElementById("SSOCheckBox"); +			var mandate = document.getElementById("mandateCheckBox"); +			 +			 +			if (sso.checked && mandate.checked) { +				alert("Anmeldung in Vertretung in kombination mit Single Sign-On wird aktuell noch nicht unterstützt!") +				mandate.checked = false; +				sso.checked = false; +				return true; +			} else { +				return false; +			} +		}  	</script>  </head> 
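Review bot: In the `@@ -119,6 +134,31 @@` hunk, `checkMandateSSO()` dereferences `sso.checked` and `mandate.checked` without a null check, while the neighbouring `setSSOSelection()` explicitly guards `checkbox != null`; if the SSO or mandate checkbox is ever omitted from the rendered template, every click handler now throws before the iframe URL is built and the login silently stops. Add `if (sso == null || mandate == null) return false;` before the `if (sso.checked && mandate.checked)` test, and terminate the `alert(...)` statement with a semicolon. Note also that this check only improves the UX: the server receives `SSO` and `useMandate` as plain query parameters and the page can be bypassed, so if the server side does not itself reject `SSO=true` together with `useMandate=true` (the commit message lists "SSO with mandates" as still TODO, and the server code is not in this hunk), that rejection is the check that actually matters.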
@@ -140,7 +180,7 @@  			</ul> -->  			<div id="mainnavjump"></div> -			<p id="homelink"><img src="img/2.0/logo.png" style="width: 250px" alt="EGIZ"></p> +			<p id="homelink"><img src="#CONTEXTPATH#/img/2.0/logo.png" style="width: 250px" alt="EGIZ"></p>  			<ul id="mainnav" class="clearfix">  <!-- 				<li><a href="http://www2.egiz.gv.at">Home<span class="hidden">.</span></a></li> -->  <!-- 				<li><a href="http://www.stammzahlenregister.gv.at/site/5970/default.aspx">bPK<span class="hidden">.</span></a></li> @@ -177,6 +217,13 @@  										<td><a href="info_mandates.html" target="_blank"  											class="infobutton" style="margin-left: 5px" tabindex="5">i</a></td>  									</tr> +									<tr> +										<td><input tabindex="1" type="checkbox" name="SSO" +											style="vertical-align: middle; margin-right: 5px" +											id="SSOCheckBox"></td> +										<td><label for="SSOCheckBox">mit SingleSignOn anmelden</label></td> +										<td></td> +									</tr>  								</table>  							</div> @@ -231,6 +278,7 @@  							<form method="get" id="moaidform">  								<input type="hidden" name="bkuURI" value="#LOCAL#">  								<input type="hidden" name="useMandate" id="useMandate"> +								<input type="hidden" name="SSO" id="useSSO">  								<input type="hidden" name="CCC" id="ccc">  								<input type="hidden" name="MODUL" value="#MODUL#">  								<input type="hidden" name="ACTION" value="#ACTION#"> | 
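Review bot: In the `@@ -231,6 +278,7 @@` hunk the new hidden `SSO` field of the GET form `moaidform` has no default value and is only populated by `setSSOSelection()`, which the visible hunks call from the three iframe click handlers; whether the local-BKU form submission path also calls it is not visible here. If it does not, the form sends `SSO=` empty and the server has to guess. I would give the field an explicit default, `<input type="hidden" name="SSO" id="useSSO" value="false">` — `setSSOSelection()` resets it to "false" anyway, so this changes nothing for the scripted paths — and make sure the server treats anything other than the literal string `true` as "no SSO". The `tabindex="1"` on the new `SSOCheckBox` row in `@@ -177,6 +217,13 @@` is presumably copied from the mandate row; check it does not duplicate an existing tab stop.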
