aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2016-02-24 06:22:18 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-02-24 06:22:18 +0100
commit101f582d457f3e0bbd42083521360d18168fbd84 (patch)
tree48aa8e439f3e0f02197bacc8095f3aba530ad6c9 /id/server/idserverlib
parentcbdb6946d5af7de63afebf5ad256743303f00935 (diff)
downloadmoa-id-spss-101f582d457f3e0bbd42083521360d18168fbd84.tar.gz
moa-id-spss-101f582d457f3e0bbd42083521360d18168fbd84.tar.bz2
moa-id-spss-101f582d457f3e0bbd42083521360d18168fbd84.zip
add federated IDP authentication modul
Diffstat (limited to 'id/server/idserverlib')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnRequestTask.java293
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java172
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java114
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnRequestBuildException.java (renamed from id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnResponseTask.java)34
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java48
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java68
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java4
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties9
8 files changed, 381 insertions, 361 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnRequestTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnRequestTask.java
deleted file mode 100644
index c8c115f82..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnRequestTask.java
+++ /dev/null
@@ -1,293 +0,0 @@
-/*
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-package at.gv.egovernment.moa.id.protocols.pvp2x.SP.tasks;
-import java.lang.reflect.InvocationTargetException;
-import java.security.NoSuchAlgorithmException;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.joda.time.DateTime;
-import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
-import org.opensaml.common.xml.SAMLConstants;
-import org.opensaml.saml2.core.AuthnContextClassRef;
-import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
-import org.opensaml.saml2.core.AuthnRequest;
-import org.opensaml.saml2.core.Issuer;
-import org.opensaml.saml2.core.NameID;
-import org.opensaml.saml2.core.NameIDPolicy;
-import org.opensaml.saml2.core.NameIDType;
-import org.opensaml.saml2.core.RequestedAuthnContext;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.SingleSignOnService;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.opensaml.ws.message.encoder.MessageEncodingException;
-import org.opensaml.xml.security.SecurityException;
-
-import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
-import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
-import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
-import at.gv.egovernment.moa.id.moduls.RequestImpl;
-import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
-import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
-import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
-import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
-import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
-import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper;
-import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.MiscUtil;
-
-/**
- * @author tlenz
- *
- */
-public abstract class AbstractAuthnRequestTask extends AbstractAuthServletTask {
-
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
- */
- @Override
- public void execute(ExecutionContext executionContext,
- HttpServletRequest request, HttpServletResponse response)
- throws TaskExecutionException {
- boolean requiredLocalAuthentication = true;
-
- String idpEntityID =
- (String) executionContext.get(MOAIDAuthConstants.PROCESSCONTEXT_INTERFEDERATION_ENTITYID);
-
- if (MiscUtil.isEmpty(idpEntityID)) {
- Logger.info("Interfederation not possible -> not inderfederation IDP EntityID found!");
- throw new TaskExecutionException(pendingReq, "Interfederation not possible", new MOAIDException("No inderfederation-IDP EntityID found.", null));
-
- }
-
- //TODO: create MOASession
- //TODO: set relayState to MOASession
- //TODO: add support for requested attributes (from context and from metadata)
-
-
- try {
- OAAuthParameter idp = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(idpEntityID);
- IOAAuthParameters sp = pendingReq.getOnlineApplicationConfiguration();
-
- String requestedIDP = pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class);
-
- if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) {
- Logger.info("Requested interfederation IDP " + requestedIDP + " is not valid for interfederation.");
- Logger.debug("isInderfederationIDP:" + String.valueOf(idp.isInderfederationIDP())
- + " isInboundSSOAllowed:" + String.valueOf(idp.isInboundSSOInterfederationAllowed()));
- Logger.info("Switch to local authentication on this IDP ... ");
-
- executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, true);
- return;
-
- }
-
-
-
-
- EntityDescriptor idpEntity = MOAMetadataProvider.getInstance().
- getEntityDescriptor(idpEntityID);
-
- if (idpEntity != null ) {
-
- //fetch endpoint from IDP metadata
- SingleSignOnService redirectEndpoint = null;
- for (SingleSignOnService sss :
- idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) {
-
- // use POST binding as default if it exists
- //TODO: maybe use RedirectBinding as default
- if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
- redirectEndpoint = sss;
-
- } else if ( sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) &&
- redirectEndpoint == null )
- redirectEndpoint = sss;
- }
-
- if (redirectEndpoint != null) {
-
- AuthnRequest authReq = SAML2Utils
- .createSAMLObject(AuthnRequest.class);
- SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
- authReq.setID(gen.generateIdentifier());
-
- //send passive AuthnRequest
- authReq.setIsPassive(idp.isPassivRequestUsedForInterfederation());
-
- authReq.setAssertionConsumerServiceIndex(0);
- authReq.setIssueInstant(new DateTime());
- Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(pendingReq.getAuthURLWithOutSlash());
-
- issuer.setFormat(NameIDType.ENTITY);
- authReq.setIssuer(issuer);
- NameIDPolicy policy = SAML2Utils
- .createSAMLObject(NameIDPolicy.class);
- policy.setAllowCreate(true);
- policy.setFormat(NameID.TRANSIENT);
- authReq.setNameIDPolicy(policy);
-
- authReq.setDestination(redirectEndpoint.getLocation());
-
- RequestedAuthnContext reqAuthContext =
- SAML2Utils.createSAMLObject(RequestedAuthnContext.class);
-
- AuthnContextClassRef authnClassRef =
- SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
-
- //check if STORK protocol module is in ClassPath
- Object storkRequst = null;
- Integer storkSecClass = null;
- try {
- storkRequst = Class.forName("at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest").newInstance();
- if (storkRequst != null &&
- pendingReq.getClass().isInstance(storkRequst)) {
- Object storkAuthnRequest = pendingReq.getClass().getMethod("getStorkAuthnRequest", null).invoke(pendingReq, null);
- storkSecClass = (Integer) storkAuthnRequest.getClass().getMethod("getQaa", null).invoke(storkAuthnRequest, null);
-
- }
-
- } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) {
-
-
- }
-
-
- if (sp != null && sp.isSTORKPVPGateway()){
- //use PVP SecClass instead of STORK QAA level
- String secClass = null;
- if (storkRequst != null &&
- pendingReq.getClass().isInstance(storkRequst)) {
-
- try {
- secClass = PVPtoSTORKMapper.getInstance().mapToSecClass(
- PVPConstants.STORK_QAA_PREFIX + String.valueOf(storkSecClass));
-
- } catch (Exception e) {
- Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e);
-
- }
- }
-
- if (MiscUtil.isNotEmpty(secClass))
- authnClassRef.setAuthnContextClassRef(secClass);
- else
- authnClassRef.setAuthnContextClassRef("http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3");
-
- } else {
- if (storkRequst != null &&
- pendingReq.getClass().isInstance(storkRequst)) {
- //use requested QAA level from STORK request
- try {
- authnClassRef.setAuthnContextClassRef(
- PVPConstants.STORK_QAA_PREFIX + String.valueOf(storkSecClass));
- Logger.debug("Use STORK-QAA level " + authnClassRef.getAuthnContextClassRef()
- + " from STORK request");
-
- } catch (Exception e) {
- Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e);
-
- }
-
- }
-
- if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef()))
- authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4");
-
- }
-
- reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
- reqAuthContext.getAuthnContextClassRefs().add(authnClassRef);
- authReq.setRequestedAuthnContext(reqAuthContext);
-
- IEncoder binding = null;
- if (redirectEndpoint.getBinding().equals(
- SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
- binding = new RedirectBinding();
-
- } else if (redirectEndpoint.getBinding().equals(
- SAMLConstants.SAML2_POST_BINDING_URI)) {
- binding = new PostBinding();
-
- }
-
- binding.encodeRequest(request, response, authReq,
- redirectEndpoint.getLocation(), pendingReq.getRequestID());
-
- //build and send request without an error
- requiredLocalAuthentication = false;
-
- revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(),
- pendingReq, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_IDP, idpEntity.getEntityID());
-
-
- } else {
- Logger.warn("Requested IDP " + requestedIDP
- + " does not support POST or Redirect Binding.");
-
- }
-
- } else {
- Logger.warn("Requested IDP " + requestedIDP
- + " is not found in InterFederation configuration");
-
- }
-
- } catch (MetadataProviderException e) {
- Logger.error("IDP metadata error." , e);
-
- } catch (NoSuchAlgorithmException e) {
- Logger.error("Build IDP authentication request FAILED.", e);
-
- } catch (MessageEncodingException e) {
- Logger.error("Build IDP authentication request FAILED.", e);
-
- } catch (SecurityException e) {
- Logger.error("Build IDP authentication request FAILED.", e);
-
- } catch (PVP2Exception e) {
- Logger.error("Build IDP authentication request FAILED.", e);
-
- } catch (ConfigurationException e1) {
- Logger.error("Build IDP authentication request FAILED.", e1);
-
- }
-
- //set flag for next step
- executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION,
- requiredLocalAuthentication);
-
- }
-
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
new file mode 100644
index 000000000..312bb823d
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
@@ -0,0 +1,172 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder;
+
+import java.security.NoSuchAlgorithmException;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.joda.time.DateTime;
+import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.NameIDPolicy;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.core.RequestedAuthnContext;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SingleSignOnService;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.xml.security.SecurityException;
+import org.springframework.stereotype.Service;
+
+import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestBuildException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+@Service("PVPAuthnRequestBuilder")
+public class PVPAuthnRequestBuilder {
+
+
+ /**
+ * Build a PVP2.x specific authentication request
+ *
+ * @param pendingReq Currently processed pendingRequest
+ * @param config AuthnRequest builder configuration, never null
+ * @param idpEntity SAML2 EntityDescriptor of the IDP, which receive this AuthnRequest, never null
+ * @param httpResp
+ * @throws NoSuchAlgorithmException
+ * @throws SecurityException
+ * @throws PVP2Exception
+ * @throws MessageEncodingException
+ */
+ public void buildAuthnRequest(IRequest pendingReq, IPVPAuthnRequestBuilderConfiguruation config,
+ HttpServletResponse httpResp) throws NoSuchAlgorithmException, MessageEncodingException, PVP2Exception, SecurityException {
+ //get IDP Entity element from config
+ EntityDescriptor idpEntity = config.getIDPEntityDescriptor();
+
+ AuthnRequest authReq = SAML2Utils
+ .createSAMLObject(AuthnRequest.class);
+
+ //select SingleSignOn Service endpoint from IDP metadata
+ SingleSignOnService endpoint = null;
+ for (SingleSignOnService sss :
+ idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) {
+
+ // use POST binding as default if it exists
+ if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
+ endpoint = sss;
+
+ } else if ( sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)
+ && endpoint == null )
+ endpoint = sss;
+
+ }
+
+ if (endpoint == null) {
+ Logger.warn("Building AuthnRequest FAILED: > Requested IDP " + idpEntity.getEntityID()
+ + " does not support POST or Redirect Binding.");
+ throw new AuthnRequestBuildException("sp.pvp2.00", new Object[]{idpEntity.getEntityID()});
+
+ } else
+ authReq.setDestination(endpoint.getLocation());
+
+
+ //set basic AuthnRequest information
+ SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
+ authReq.setID(gen.generateIdentifier());
+ authReq.setIssueInstant(new DateTime());
+
+ //set isPassive flag
+ if (config.isPassivRequest() == null)
+ authReq.setIsPassive(false);
+ else
+ authReq.setIsPassive(config.isPassivRequest());
+
+ //set EntityID of the service provider
+ Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
+ issuer.setFormat(NameIDType.ENTITY);
+ issuer.setValue(config.getSPEntityID());
+ authReq.setIssuer(issuer);
+
+ //set AssertionConsumerService ID
+ if (config.getAssertionConsumerServiceId() != null)
+ authReq.setAssertionConsumerServiceIndex(config.getAssertionConsumerServiceId());
+
+ //set NameIDPolicy
+ if (config.getNameIDPolicyFormat() != null) {
+ NameIDPolicy policy = SAML2Utils.createSAMLObject(NameIDPolicy.class);
+ policy.setAllowCreate(config.getNameIDPolicyAllowCreation());
+ policy.setFormat(config.getNameIDPolicyFormat());
+ authReq.setNameIDPolicy(policy);
+ }
+
+ //set requested QAA level
+ if (config.getAuthnContextClassRef() != null) {
+ RequestedAuthnContext reqAuthContext = SAML2Utils.createSAMLObject(RequestedAuthnContext.class);
+ AuthnContextClassRef authnClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
+
+ authnClassRef.setAuthnContextClassRef(config.getAuthnContextClassRef());
+
+ if (config.getAuthnContextComparison() == null)
+ reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
+ else
+ reqAuthContext.setComparison(config.getAuthnContextComparison());
+
+ reqAuthContext.getAuthnContextClassRefs().add(authnClassRef);
+ authReq.setRequestedAuthnContext(reqAuthContext);
+ }
+
+ //TODO: implement requested attributes
+ //maybe: config.getRequestedAttributes();
+
+ //select message encoder
+ IEncoder binding = null;
+ if (endpoint.getBinding().equals(
+ SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
+ binding = new RedirectBinding();
+
+ } else if (endpoint.getBinding().equals(
+ SAMLConstants.SAML2_POST_BINDING_URI)) {
+ binding = new PostBinding();
+
+ }
+
+ //encode message
+ binding.encodeRequest(null, httpResp, authReq,
+ endpoint.getLocation(), pendingReq.getRequestID(), config.getAuthnRequestSigningCredential());
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java
new file mode 100644
index 000000000..d51231044
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java
@@ -0,0 +1,114 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.config;
+
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.xml.security.credential.Credential;
+
+/**
+ * @author tlenz
+ *
+ */
+public interface IPVPAuthnRequestBuilderConfiguruation {
+
+ /**
+ * If true, the SAML2 isPassive flag is set in the AuthnRequest
+ *
+ * @return
+ */
+ public Boolean isPassivRequest();
+
+ /**
+ * Define the ID of the AssertionConsumerService,
+ * which defines the required attributes in service-provider metadata.
+ *
+ * @return
+ */
+ public Integer getAssertionConsumerServiceId();
+
+ /**
+ * Define the SAML2 EntityID of the service provider.
+ *
+ * @return
+ */
+ public String getSPEntityID();
+
+ /**
+ * Define the SAML2 NameIDPolicy
+ *
+ * @return Service-Provider EntityID, but never null
+ */
+ public String getNameIDPolicyFormat();
+
+ /**
+ * Define the AuthnContextClassRefernece of this request
+ *
+ * Example:
+ * http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3
+ * http://www.stork.gov.eu/1.0/citizenQAALevel/4
+ *
+ *
+ * @return
+ */
+ public String getAuthnContextClassRef();
+
+ /**
+ * Define the AuthnContextComparison model, which should be used
+ *
+ * @return
+ */
+ public AuthnContextComparisonTypeEnumeration getAuthnContextComparison();
+
+
+ /**
+ * Define the credential, which should be used to sign the AuthnRequest
+ *
+ * @return
+ */
+ public Credential getAuthnRequestSigningCredential();
+
+
+ /**
+ * Define the SAML2 EntityDescriptor of the IDP, which should receive the AuthnRequest
+ *
+ * @return Credential, but never null.
+ */
+ public EntityDescriptor getIDPEntityDescriptor();
+
+ /**
+ * Set the SAML2 NameIDPolicy allow-creation flag
+ *
+ * @return EntityDescriptor, but never null.
+ */
+ public boolean getNameIDPolicyAllowCreation();
+
+
+ /**
+ * Set the requested SubjectNameID
+ *
+ * @return SubjectNameID, or null if no SubjectNameID should be used
+ */
+ public String getSubjectNameID();
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnResponseTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnRequestBuildException.java
index 6ce8fab59..eebaf6c9e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnResponseTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnRequestBuildException.java
@@ -20,34 +20,28 @@
* The "NOTICE" text file is part of the distribution. Any derivative works
* that you distribute must include a readable copy of the "NOTICE" text file.
*/
-package at.gv.egovernment.moa.id.protocols.pvp2x.SP.tasks;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
-import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions;
/**
* @author tlenz
*
*/
-public abstract class AbstractAuthnResponseTask extends AbstractAuthServletTask {
+public class AuthnRequestBuildException extends PVP2Exception {
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+ /**
+ *
*/
- @Override
- public void execute(ExecutionContext executionContext,
- HttpServletRequest request, HttpServletResponse response)
- throws TaskExecutionException {
-
- //TODO: validate SAML2 assertion
- //TODO: move attributeQuery from AuthenticationDataBuilder to her
- //TODO: add SAML2 interfederation Response to MOASession
- //TODO: update AuthenticationDataBuilder to use Response from MOASession if exists
+ private static final long serialVersionUID = -1375451065455859354L;
+ /**
+ * @param messageId
+ * @param parameters
+ */
+ public AuthnRequestBuildException(String messageId, Object[] parameters) {
+ super(messageId, parameters);
}
+ public AuthnRequestBuildException(String messageId, Object[] parameters, Throwable e) {
+ super(messageId, parameters, e);
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java
new file mode 100644
index 000000000..957f9af1d
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions;
+
+/**
+ * @author tlenz
+ *
+ */
+public class AuthnResponseValidationException extends PVP2Exception {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 8023812861029406575L;
+
+ /**
+ * @param messageId
+ * @param parameters
+ */
+ public AuthnResponseValidationException(String messageId, Object[] parameters) {
+ super(messageId, parameters);
+ }
+
+ public AuthnResponseValidationException(String messageId, Object[] parameters, Throwable e) {
+ super(messageId, parameters, e);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java
index 743caec55..cfdb4426b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java
@@ -32,6 +32,7 @@ import org.hibernate.HibernateException;
import org.hibernate.Query;
import org.hibernate.Session;
import org.hibernate.Transaction;
+import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import com.fasterxml.jackson.core.JsonProcessingException;
@@ -47,8 +48,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.commons.utils.JsonMapper;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.EncryptedData;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
@@ -65,6 +65,8 @@ import at.gv.egovernment.moa.util.MiscUtil;
@Service("AuthenticationSessionStoreage")
public class DBAuthenticationSessionStoreage implements IAuthenticationSessionStoreage{
+ @Autowired AuthConfiguration authConfig;
+
private static JsonMapper mapper = new JsonMapper();
@Override
@@ -749,44 +751,30 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
}
}
- public String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException {
+ public void createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException {
AuthenticatedSessionStore dbsession = null;
+ Date now = new Date();
- //search for active SSO session
- if (MiscUtil.isNotEmpty(ssoID)) {
- String moaSession = getMOASessionSSOID(ssoID);
- if (MiscUtil.isNotEmpty(moaSession)) {
- try {
- dbsession = searchInDatabase(moaSession, true);
-
- }catch (MOADatabaseException e) {
+ //search for active session
+ String moaSession = getMOASessionSSOID(req.getMOASessionIdentifier());
+ if (MiscUtil.isNotEmpty(moaSession)) {
+ try {
+ dbsession = searchInDatabase(moaSession, true);
- }
- }
- }
-
- String id = null;
- Date now = new Date();
- //create new MOASession if any exists
- AuthenticationSession session = null;
- if (dbsession == null) {
- id = Random.nextRandom();
- dbsession = new AuthenticatedSessionStore();
- dbsession.setSessionid(id);
- dbsession.setCreated(now);
- dbsession.setPendingRequestID(req.getRequestID());
- session = new AuthenticationSession(id, now);
+ }catch (MOADatabaseException e) {
+ Logger.error("NO MOASession found but MOASession MUST already exist!");
+ throw e;
+ }
+ }
- } else {
- id = dbsession.getSessionid();
- session = decryptSession(dbsession);
+ AuthenticationSession session = decryptSession(dbsession);
- }
-
- dbsession.setInterfederatedSSOSession(true);
+ //set Session parameters
+ session.setAuthenticated(isAuthenticated);
dbsession.setAuthenticated(isAuthenticated);
+ dbsession.setInterfederatedSSOSession(true);
dbsession.setUpdated(now);
- session.setAuthenticated(true);
+
encryptSession(session, dbsession);
//add interfederation information
@@ -816,16 +804,8 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
idp.setIdpurlprefix(interFedEntityID);
idp.setAuthURL(req.getAuthURL());
- try {
- OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().
- getOnlineApplicationParameter(idp.getIdpurlprefix());
- idp.setStoreSSOInformation(oa.isInterfederationSSOStorageAllowed());
-
- } catch (ConfigurationException e) {
- Logger.warn("MOASession could not be created.");
- throw new MOADatabaseException(e);
-
- }
+ OAAuthParameter oa = authConfig.getOnlineApplicationParameter(idp.getIdpurlprefix());
+ idp.setStoreSSOInformation(oa.isInterfederationSSOStorageAllowed());
idp.setMoasession(dbsession);
idpList.add(idp);
@@ -839,14 +819,12 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
//store AssertionStore element to Database
try {
MOASessionDBUtils.saveOrUpdate(dbsession);
- Logger.debug("MOASession with sessionID=" + id + " is stored in Database");
} catch (MOADatabaseException e) {
Logger.warn("MOASession could not be created.");
throw new MOADatabaseException(e);
}
- return id;
}
@Override
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java
index e89713b2e..2fd540a67 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java
@@ -242,14 +242,12 @@ public interface IAuthenticationSessionStoreage {
*
* @param req Pending request
* @param isAuthenticated true if the session should be marked as authenticated, otherwise false
- * @param ssoID Single Sign-On session identifer
- * @return MOASessionID of new created MOASession
* @throws MOADatabaseException
* @throws AssertionAttributeExtractorExeption
* @throws BuildException
*/
@Deprecated
- public String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException;
+ public void createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException;
/**
* Search an active federation IDP which could be used for federated Single Sign-On by using an AttributeQuery
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 92f4c1fa2..50d01ce2f 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -270,6 +270,15 @@ pvp2.21=Die Signature des Requests konnte nicht g\u00FCltig validiert werden.
pvp2.22=Der Request konnte nicht g\u00FCltig validiert werden (Fehler\={0}).
pvp2.23={0} ist keine gueltige AssertionConsumerServiceURL oder entspricht nicht den Metadaten.
+
+##add status codes!!!!
+sp.pvp2.00=Can not build PVP AuthnRequest for IDP {0}. No valid SingleSignOnService endpoint found.
+sp.pvp2.01=Can not build PVP AuthnRequest for IDP {0}. IDP is not allowed for federated authentication.
+sp.pvp2.02=Can not build PVP AuthnRequest for IDP {0}. IDP has no (valid) metadata.
+sp.pvp2.03=Receive PVP Response from IDP with unsupported Binding.
+sp.pvp2.04=Receive invalid PVP Response from IDP. No PVP metadata found.
+sp.pvp2.04=Receive invalid PVP Response from IDP {0}. StatusCode {1}.
+
oauth20.01=Fehlerhafte redirect url
oauth20.02=Fehlender oder ung\u00FCltiger Parameter "{0}"
oauth20.03=Angeforderter response_type ist nicht erlaubt