aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-modul-citizencard_authentication/src/main
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2018-03-12 13:35:46 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2018-03-12 14:16:17 +0100
commitb4c009b6d64cc17974e5917c10f92dbe987d826e (patch)
tree46e3777b7d62ac2d96110d6428d82706d1720345 /id/server/modules/moa-id-modul-citizencard_authentication/src/main
parenta30826d08c748daaf3d6cdc2329f985852822f54 (diff)
downloadmoa-id-spss-b4c009b6d64cc17974e5917c10f92dbe987d826e.tar.gz
moa-id-spss-b4c009b6d64cc17974e5917c10f92dbe987d826e.tar.bz2
moa-id-spss-b4c009b6d64cc17974e5917c10f92dbe987d826e.zip
add specific AuthBlock validation logging
Diffstat (limited to 'id/server/modules/moa-id-modul-citizencard_authentication/src/main')
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java8
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java997
2 files changed, 516 insertions, 489 deletions
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index f7c3db8d1..7c435d0b0 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -66,6 +66,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
@@ -445,6 +446,12 @@ public class AuthenticationServer extends BaseAuthenticationServer {
String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder()
.build(authBlock, oaParam.getKeyBoxIdentifier(),
transformsInfos);
+
+ SpecificTraceLogger.trace("Req. Authblock: " + createXMLSignatureRequest);
+ SpecificTraceLogger.trace("OA config: " + pendingReq.getOnlineApplicationConfiguration().toString());
+ SpecificTraceLogger.trace("saml1RequestedTarget: " + pendingReq.getGenericData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class));
+ SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + pendingReq.getGenericData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class));
+
return createXMLSignatureRequest;
}
@@ -949,6 +956,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
throw new ParseException("parser.04", new Object[]{
REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}, e);
}
+
// validates <CreateXMLSignatureResponse>
if (pendingReq.needSingleSignOnFunctionality())
new CreateXMLSignatureResponseValidator().validateSSO(csresp, session, pendingReq);
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 827690ebd..8e3ccb01b 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -72,6 +72,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -136,7 +137,6 @@ public class CreateXMLSignatureResponseValidator {
*/
public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq)
throws ValidateException, BuildException, ConfigurationException {
-
// A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
String oaURL = oaParam.getPublicURLPrefix();
@@ -148,283 +148,294 @@ public class CreateXMLSignatureResponseValidator {
@Deprecated
String saml1RequestedFriendlyName = pendingReq.getGenericData(
MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class);
-
-
- Element samlAssertion = createXMLSignatureResponse.getSamlAssertion();
-
- //validate issuer
- String issuer = samlAssertion.getAttribute("Issuer");
- if (issuer == null) {
- // should not happen, because parser would dedect this
- throw new ValidateException("validator.32", null);
- }
- // replace ' in name with &#39;
- issuer = issuer.replaceAll("'", "&#39;");
- if (!issuer.equals(identityLink.getName()))
- throw new ValidateException("validator.33", new Object[] {issuer, identityLink.getName()});
-
-
- //validate issuerInstant
- String issueInstant = samlAssertion.getAttribute("IssueInstant");
- if (!issueInstant.equals(session.getIssueInstant()))
- throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
-
-
- //validate extended attributes
- SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
-
- boolean foundOA = false;
- boolean foundGB = false;
- boolean foundWBPK = false;
- int offset = 0;
-
- // check number of SAML attributes
- List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
- int extendedSAMLAttributesNum = 0;
- if (extendedSAMLAttributes != null) {
- extendedSAMLAttributesNum = extendedSAMLAttributes.size();
- }
- int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum;
-
- //remove one attribute from expected attributes if public SP target or wbPK is not part of AuthBlock
- if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
-
- //check number of attributes in AuthBlock response against expected number of attributes
- int actualSAMLAttributeNumber = samlAttributes.length;
- if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
- Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
- expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
- throw new ValidateException("validator.36",
- new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
-
- }
-
- //now check every single attribute
- SAMLAttribute samlAttribute = null;
- Pair<String, String> userSectorId = null;
- if (session.getSAMLAttributeGebeORwbpk()) {
- //check the first attribute ("Geschaeftsbereich" or "wbPK")
- samlAttribute = samlAttributes[0];
-
- //calculate bPK or wbPK as reference value for validation
- if (MiscUtil.isNotEmpty(saml1RequestedTarget))
- userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
- identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
- saml1RequestedTarget);
- else
- userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
- identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
- oaParam.getAreaSpecificTargetIdentifier());
-
- //every sector specific identifier that has not 'urn:publicid:gv.at:cdid+' as prefix
- // is internally handled as an AuthBlock with wbPK
- if (!userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
- if (!samlAttribute.getName().equals("wbPK")) {
- if (samlAttribute.getName().equals("Geschaeftsbereich")) {
- throw new ValidateException("validator.26", null);
-
- } else {
- throw new ValidateException("validator.37",
- new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
- }
- }
-
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundWBPK = true;
- try {
- Element attrValue = (Element)samlAttribute.getValue();
- String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
- String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
- if (!value.equals(userSectorId.getFirst()))
- throw new ValidateException("validator.28", null);
-
- if (!type.equals(userSectorId.getSecond()))
- throw new ValidateException("validator.28", null);
-
- } catch (Exception ex) {
- throw new ValidateException("validator.29", null);
- }
-
- } else
- throw new ValidateException("validator.30", null);
-
- } else {
- if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
- if (samlAttribute.getName().equals("wbPK"))
- throw new ValidateException("validator.26", null);
-
- else
- throw new ValidateException("validator.37",
- new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
- }
-
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundGB = true;
-
- String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(userSectorId.getSecond());
- if (StringUtils.isEmpty(sectorName)) {
- if (saml1RequestedFriendlyName != null)
- sectorName = saml1RequestedFriendlyName;
- else
- sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
- }
-
- String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
- if (!refValueSector.equals((String)samlAttribute.getValue()))
- throw new ValidateException("validator.13", null);
-
- } else
- throw new ValidateException("validator.12", null);
-
- }
-
- } else
- //check nothing if wbPK or public SP target is not part of AuthBlock
- offset--;
-
- // check the second attribute (must be "OA")
- samlAttribute = samlAttributes[1 + offset];
- if (!samlAttribute.getName().equals("OA"))
- throw new ValidateException("validator.37",
- new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
-
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundOA = true;
- if (!oaURL.equals((String)samlAttribute.getValue()))
- throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
-
- } else
- throw new ValidateException("validator.15", null);
-
-
- // check the third attribute (must be "Geburtsdatum")
- samlAttribute = samlAttributes[2 + offset];
- if (!samlAttribute.getName().equals("Geburtsdatum"))
- throw new ValidateException("validator.37",
- new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
-
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String samlDateOfBirth = (String)samlAttribute.getValue();
- String dateOfBirth = identityLink.getDateOfBirth();
- if (!samlDateOfBirth.equals(dateOfBirth))
- throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
-
- } else
- throw new ValidateException("validator.35", null);
-
- // check four attribute could be a special text
- samlAttribute = samlAttributes[3 + offset];
- if (!samlAttribute.getName().equals("SpecialText"))
- throw new ValidateException("validator.37",
- new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
-
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String samlSpecialText = (String)samlAttribute.getValue();
- samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
-
- String text = "";
- if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
- Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
- text = oaParam.getAditionalAuthBlockText();
-
- }
-
- String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text,
- AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
- pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
- if (!samlSpecialText.equals(specialText))
- throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
-
- } else
- throw new ValidateException("validator.35", null);
-
-
- //check unique AuthBlock tokken
- samlAttribute = samlAttributes[4 + offset];
- if (!samlAttribute.getName().equals("UniqueTokken"))
- throw new ValidateException("validator.37",
- new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
-
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String uniquetokken = (String)samlAttribute.getValue();
-
- if (!uniquetokken.equals(session.getAuthBlockTokken()))
- throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
- } else
- throw new ValidateException("validator.35", null);
-
-
- // now check the extended SAML attributes
- int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
- if (extendedSAMLAttributes != null) {
- Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
- while (it.hasNext()) {
- ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
- samlAttribute = samlAttributes[i];
- String actualName = samlAttribute.getName();
- String expectedName = extendedSAMLAttribute.getName();
- if (!actualName.equals(expectedName))
- throw new ValidateException("validator.38",
- new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
-
- String actualNamespace = samlAttribute.getNamespace();
- String expectedNamespace = extendedSAMLAttribute.getNameSpace();
- if (!actualNamespace.equals(expectedNamespace))
- throw new ValidateException("validator.38",
- new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
-
- Object expectedValue = extendedSAMLAttribute.getValue();
- Object actualValue = samlAttribute.getValue();
- try {
- if (expectedValue instanceof String) {
- // replace \r\n because text might be base64-encoded
- String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
- expValue = StringUtils.replaceAll(expValue,"\n","");
- String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
- actValue = StringUtils.replaceAll(actValue,"\n","");
- if (!expValue.equals(actValue))
- throw new ValidateException("validator.38",
- new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
-
- } else if (expectedValue instanceof Element) {
- // only check the name of the element
- String actualElementName = ((Element)actualValue).getNodeName();
- String expectedElementName = ((Element)expectedValue).getNodeName();
- if (!(expectedElementName.equals(actualElementName)))
- throw new ValidateException("validator.38",
- new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
-
- } else
- // should not happen
- throw new ValidateException("validator.38",
- new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
-
- } catch (ClassCastException e) {
- throw new ValidateException("validator.38",
- new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
- }
-
- i++;
- }
- }
-
- if (!foundOA)
- throw new ValidateException("validator.14", null);
-
- if (userSectorId != null && !userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
- if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK)
- throw new ValidateException("validator.31", null);
-
- } else {
- if (!foundGB && session.getSAMLAttributeGebeORwbpk())
- throw new ValidateException("validator.11", null);
- }
-
- //Check if dsig:Signature exists
- Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
- if (dsigSignature == null)
- throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
-
+
+ try {
+ Element samlAssertion = createXMLSignatureResponse.getSamlAssertion();
+
+ //validate issuer
+ String issuer = samlAssertion.getAttribute("Issuer");
+ if (issuer == null) {
+ // should not happen, because parser would dedect this
+ throw new ValidateException("validator.32", null);
+ }
+ // replace ' in name with &#39;
+ issuer = issuer.replaceAll("'", "&#39;");
+ if (!issuer.equals(identityLink.getName()))
+ throw new ValidateException("validator.33", new Object[] {issuer, identityLink.getName()});
+
+
+ //validate issuerInstant
+ String issueInstant = samlAssertion.getAttribute("IssueInstant");
+ if (!issueInstant.equals(session.getIssueInstant()))
+ throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
+
+
+ //validate extended attributes
+ SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
+
+ boolean foundOA = false;
+ boolean foundGB = false;
+ boolean foundWBPK = false;
+ int offset = 0;
+
+ // check number of SAML attributes
+ List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+ int extendedSAMLAttributesNum = 0;
+ if (extendedSAMLAttributes != null) {
+ extendedSAMLAttributesNum = extendedSAMLAttributes.size();
+ }
+ int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum;
+
+ //remove one attribute from expected attributes if public SP target or wbPK is not part of AuthBlock
+ if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
+
+ //check number of attributes in AuthBlock response against expected number of attributes
+ int actualSAMLAttributeNumber = samlAttributes.length;
+ if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
+ Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
+ expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
+ throw new ValidateException("validator.36",
+ new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
+
+ }
+
+ //now check every single attribute
+ SAMLAttribute samlAttribute = null;
+ Pair<String, String> userSectorId = null;
+ if (session.getSAMLAttributeGebeORwbpk()) {
+ //check the first attribute ("Geschaeftsbereich" or "wbPK")
+ samlAttribute = samlAttributes[0];
+
+ //calculate bPK or wbPK as reference value for validation
+ if (MiscUtil.isNotEmpty(saml1RequestedTarget))
+ userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
+ saml1RequestedTarget);
+ else
+ userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
+ oaParam.getAreaSpecificTargetIdentifier());
+
+ //every sector specific identifier that has not 'urn:publicid:gv.at:cdid+' as prefix
+ // is internally handled as an AuthBlock with wbPK
+ if (!userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+ if (!samlAttribute.getName().equals("wbPK")) {
+ if (samlAttribute.getName().equals("Geschaeftsbereich")) {
+ throw new ValidateException("validator.26", null);
+
+ } else {
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
+ }
+ }
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundWBPK = true;
+ try {
+ Element attrValue = (Element)samlAttribute.getValue();
+ String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
+ String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
+ if (!value.equals(userSectorId.getFirst()))
+ throw new ValidateException("validator.28",
+ new Object[] {value, userSectorId.getFirst()});
+
+ if (!type.equals(userSectorId.getSecond()))
+ throw new ValidateException("validator.28",
+ new Object[] {type, userSectorId.getSecond()});
+
+ } catch (Exception ex) {
+ throw new ValidateException("validator.29", null);
+ }
+
+ } else
+ throw new ValidateException("validator.30", null);
+
+ } else {
+ if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
+ if (samlAttribute.getName().equals("wbPK"))
+ throw new ValidateException("validator.26", null);
+
+ else
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
+ }
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundGB = true;
+
+ String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(userSectorId.getSecond());
+ if (StringUtils.isEmpty(sectorName)) {
+ if (saml1RequestedFriendlyName != null)
+ sectorName = saml1RequestedFriendlyName;
+ else
+ sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+ }
+
+ String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
+ if (!refValueSector.equals((String)samlAttribute.getValue()))
+ throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector});
+
+ } else
+ throw new ValidateException("validator.12", null);
+
+ }
+
+ } else
+ //check nothing if wbPK or public SP target is not part of AuthBlock
+ offset--;
+
+ // check the second attribute (must be "OA")
+ samlAttribute = samlAttributes[1 + offset];
+ if (!samlAttribute.getName().equals("OA"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundOA = true;
+ if (!oaURL.equals((String)samlAttribute.getValue()))
+ throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
+
+ } else
+ throw new ValidateException("validator.15", null);
+
+
+ // check the third attribute (must be "Geburtsdatum")
+ samlAttribute = samlAttributes[2 + offset];
+ if (!samlAttribute.getName().equals("Geburtsdatum"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlDateOfBirth = (String)samlAttribute.getValue();
+ String dateOfBirth = identityLink.getDateOfBirth();
+ if (!samlDateOfBirth.equals(dateOfBirth))
+ throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
+
+ } else
+ throw new ValidateException("validator.35", null);
+
+ // check four attribute could be a special text
+ samlAttribute = samlAttributes[3 + offset];
+ if (!samlAttribute.getName().equals("SpecialText"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlSpecialText = (String)samlAttribute.getValue();
+ samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
+
+ String text = "";
+ if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
+ Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
+ text = oaParam.getAditionalAuthBlockText();
+
+ }
+
+ String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text,
+ AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
+ pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
+ if (!samlSpecialText.equals(specialText))
+ throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
+
+ } else
+ throw new ValidateException("validator.35", null);
+
+
+ //check unique AuthBlock tokken
+ samlAttribute = samlAttributes[4 + offset];
+ if (!samlAttribute.getName().equals("UniqueTokken"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String uniquetokken = (String)samlAttribute.getValue();
+
+ if (!uniquetokken.equals(session.getAuthBlockTokken()))
+ throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+ } else
+ throw new ValidateException("validator.35", null);
+
+
+ // now check the extended SAML attributes
+ int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
+ if (extendedSAMLAttributes != null) {
+ Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
+ while (it.hasNext()) {
+ ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
+ samlAttribute = samlAttributes[i];
+ String actualName = samlAttribute.getName();
+ String expectedName = extendedSAMLAttribute.getName();
+ if (!actualName.equals(expectedName))
+ throw new ValidateException("validator.38",
+ new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
+
+ String actualNamespace = samlAttribute.getNamespace();
+ String expectedNamespace = extendedSAMLAttribute.getNameSpace();
+ if (!actualNamespace.equals(expectedNamespace))
+ throw new ValidateException("validator.38",
+ new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
+
+ Object expectedValue = extendedSAMLAttribute.getValue();
+ Object actualValue = samlAttribute.getValue();
+ try {
+ if (expectedValue instanceof String) {
+ // replace \r\n because text might be base64-encoded
+ String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
+ expValue = StringUtils.replaceAll(expValue,"\n","");
+ String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
+ actValue = StringUtils.replaceAll(actValue,"\n","");
+ if (!expValue.equals(actValue))
+ throw new ValidateException("validator.38",
+ new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
+
+ } else if (expectedValue instanceof Element) {
+ // only check the name of the element
+ String actualElementName = ((Element)actualValue).getNodeName();
+ String expectedElementName = ((Element)expectedValue).getNodeName();
+ if (!(expectedElementName.equals(actualElementName)))
+ throw new ValidateException("validator.38",
+ new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
+
+ } else
+ // should not happen
+ throw new ValidateException("validator.38",
+ new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
+
+ } catch (ClassCastException e) {
+ throw new ValidateException("validator.38",
+ new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
+ }
+
+ i++;
+ }
+ }
+
+ if (!foundOA)
+ throw new ValidateException("validator.14", null);
+
+ if (userSectorId != null && !userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+ if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK)
+ throw new ValidateException("validator.31", null);
+
+ } else {
+ if (!foundGB && session.getSAMLAttributeGebeORwbpk())
+ throw new ValidateException("validator.11", null);
+ }
+
+ //Check if dsig:Signature exists
+ Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
+ if (dsigSignature == null)
+ throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
+
+ } catch (Exception e) {
+ SpecificTraceLogger.trace("Validate AuthBlock without SSO");
+ SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock());
+ SpecificTraceLogger.trace("OA config: " + oaParam.toString());
+ SpecificTraceLogger.trace("saml1RequestedTarget: " + saml1RequestedTarget);
+ SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + saml1RequestedFriendlyName);
+ throw e;
+
+ }
}
/**
@@ -436,219 +447,227 @@ public class CreateXMLSignatureResponseValidator {
*/
public void validateSSO(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq)
throws ValidateException {
-
- // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
- String oaURL = pendingReq.getAuthURL();
-
- IIdentityLink identityLink = session.getIdentityLink();
-
- Element samlAssertion = createXMLSignatureResponse.getSamlAssertion();
- String issuer = samlAssertion.getAttribute("Issuer");
- if (issuer == null) {
- // should not happen, because parser would dedect this
- throw new ValidateException("validator.32", null);
- }
- // replace ' in name with &#39;
- issuer = issuer.replaceAll("'", "&#39;");
-
- String issueInstant = samlAssertion.getAttribute("IssueInstant");
- if (!issueInstant.equals(session.getIssueInstant())) {
- throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
- }
-
- String name = identityLink.getName();
-
- if (!issuer.equals(name)) {
- throw new ValidateException("validator.33", new Object[] {issuer, name});
- }
-
- SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
-
- boolean foundOA = false;
-// boolean foundGB = false;
-// boolean foundWBPK = false;
- int offset = 0;
-
- // check number of SAML aatributes
- List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
- int extendedSAMLAttributesNum = 0;
- if (extendedSAMLAttributes != null) {
- extendedSAMLAttributesNum = extendedSAMLAttributes.size();
- }
- int expectedSAMLAttributeNumber =
- AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + extendedSAMLAttributesNum;
- if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
- int actualSAMLAttributeNumber = samlAttributes.length;
- if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
- Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
- expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
- throw new ValidateException(
- "validator.36",
- new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
- }
-
- SAMLAttribute samlAttribute;
- if (!session.getSAMLAttributeGebeORwbpk()) {
- offset--;
- }
-
- // check the first attribute (must be "OA")
- samlAttribute = samlAttributes[0 + offset];
- if (!samlAttribute.getName().equals("OA")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundOA = true;
- if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch
- throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
- }
- } else {
- throw new ValidateException("validator.15", null);
- }
-
- // check the third attribute (must be "Geburtsdatum")
- samlAttribute = samlAttributes[1 + offset];
- if (!samlAttribute.getName().equals("Geburtsdatum")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String samlDateOfBirth = (String)samlAttribute.getValue();
- String dateOfBirth = identityLink.getDateOfBirth();
- if (!samlDateOfBirth.equals(dateOfBirth)) {
- throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
- }
- } else {
- throw new ValidateException("validator.35", null);
- }
-
- // check four attribute could be a special text
- samlAttribute = samlAttributes[2 + offset];
- if (!samlAttribute.getName().equals("SpecialText")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String samlSpecialText = (String)samlAttribute.getValue();
- samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
-
- String text = "";
- try {
- if (MiscUtil.isNotEmpty(AuthConfigurationProviderFactory.getInstance().getSSOSpecialText())) {
- text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
- Logger.debug("Use addional AuthBlock Text from SSO=" +text);
-
- }
- else
- text = new String();
- } catch (ConfigurationException e) {
- Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e);
- }
-
-
- String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text,
- AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
- pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
- if (!samlSpecialText.equals(specialText)) {
- throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
- }
- } else {
- throw new ValidateException("validator.35", null);
- }
-
- //check unique AuthBlock tokken
- samlAttribute = samlAttributes[3 + offset];
- if (!samlAttribute.getName().equals("UniqueTokken")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String uniquetokken = (String)samlAttribute.getValue();
-
- if (!uniquetokken.equals(session.getAuthBlockTokken())) {
- throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
- }
- } else {
- throw new ValidateException("validator.35", null);
- }
-
-
- // now check the extended SAML attributes
- int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset;
- if (extendedSAMLAttributes != null) {
- Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
- while (it.hasNext()) {
- ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
- samlAttribute = samlAttributes[i];
- String actualName = samlAttribute.getName();
- String expectedName = extendedSAMLAttribute.getName();
- if (!actualName.equals(expectedName)) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
- }
- String actualNamespace = samlAttribute.getNamespace();
- String expectedNamespace = extendedSAMLAttribute.getNameSpace();
- if (!actualNamespace.equals(expectedNamespace)) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
- }
- Object expectedValue = extendedSAMLAttribute.getValue();
- Object actualValue = samlAttribute.getValue();
- try {
- if (expectedValue instanceof String) {
- // replace \r\n because text might be base64-encoded
- String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
- expValue = StringUtils.replaceAll(expValue,"\n","");
- String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
- actValue = StringUtils.replaceAll(actValue,"\n","");
- if (!expValue.equals(actValue)) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
- }
- } else if (expectedValue instanceof Element) {
- // only check the name of the element
- String actualElementName = ((Element)actualValue).getNodeName();
- String expectedElementName = ((Element)expectedValue).getNodeName();
- if (!(expectedElementName.equals(actualElementName))){
- throw new ValidateException(
- "validator.38",
- new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
- }
- } else {
- // should not happen
- throw new ValidateException(
- "validator.38",
- new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
- }
- } catch (ClassCastException e) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
- }
- i++;
- }
- }
+ try {
+ // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
+ String oaURL = pendingReq.getAuthURL();
+ IIdentityLink identityLink = session.getIdentityLink();
+
+ Element samlAssertion = createXMLSignatureResponse.getSamlAssertion();
+ String issuer = samlAssertion.getAttribute("Issuer");
+ if (issuer == null) {
+ // should not happen, because parser would dedect this
+ throw new ValidateException("validator.32", null);
+ }
+ // replace ' in name with &#39;
+ issuer = issuer.replaceAll("'", "&#39;");
+
+ String issueInstant = samlAssertion.getAttribute("IssueInstant");
+ if (!issueInstant.equals(session.getIssueInstant())) {
+ throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
+ }
+
+ String name = identityLink.getName();
+
+ if (!issuer.equals(name)) {
+ throw new ValidateException("validator.33", new Object[] {issuer, name});
+ }
+
+ SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
+
+ boolean foundOA = false;
+ // boolean foundGB = false;
+ // boolean foundWBPK = false;
+ int offset = 0;
+
+ // check number of SAML aatributes
+ List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+ int extendedSAMLAttributesNum = 0;
+ if (extendedSAMLAttributes != null) {
+ extendedSAMLAttributesNum = extendedSAMLAttributes.size();
+ }
+ int expectedSAMLAttributeNumber =
+ AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + extendedSAMLAttributesNum;
+ if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
+ int actualSAMLAttributeNumber = samlAttributes.length;
+ if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
+ Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
+ expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
+ throw new ValidateException(
+ "validator.36",
+ new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
+ }
+
+ SAMLAttribute samlAttribute;
+ if (!session.getSAMLAttributeGebeORwbpk()) {
+ offset--;
+ }
+
+ // check the first attribute (must be "OA")
+ samlAttribute = samlAttributes[0 + offset];
+ if (!samlAttribute.getName().equals("OA")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundOA = true;
+ if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch
+ throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
+ }
+ } else {
+ throw new ValidateException("validator.15", null);
+ }
+
+ // check the third attribute (must be "Geburtsdatum")
+ samlAttribute = samlAttributes[1 + offset];
+ if (!samlAttribute.getName().equals("Geburtsdatum")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlDateOfBirth = (String)samlAttribute.getValue();
+ String dateOfBirth = identityLink.getDateOfBirth();
+ if (!samlDateOfBirth.equals(dateOfBirth)) {
+ throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
+ }
+ } else {
+ throw new ValidateException("validator.35", null);
+ }
+
+ // check four attribute could be a special text
+ samlAttribute = samlAttributes[2 + offset];
+ if (!samlAttribute.getName().equals("SpecialText")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlSpecialText = (String)samlAttribute.getValue();
+ samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
+
+ String text = "";
+ try {
+ if (MiscUtil.isNotEmpty(AuthConfigurationProviderFactory.getInstance().getSSOSpecialText())) {
+ text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
+ Logger.debug("Use addional AuthBlock Text from SSO=" +text);
+
+ }
+ else
+ text = new String();
+ } catch (ConfigurationException e) {
+ Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e);
+ }
+
+
+ String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text,
+ AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
+ pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
+ if (!samlSpecialText.equals(specialText)) {
+ throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
+ }
+ } else {
+ throw new ValidateException("validator.35", null);
+ }
+
+ //check unique AuthBlock tokken
+ samlAttribute = samlAttributes[3 + offset];
+ if (!samlAttribute.getName().equals("UniqueTokken")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String uniquetokken = (String)samlAttribute.getValue();
+
+ if (!uniquetokken.equals(session.getAuthBlockTokken())) {
+ throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+ }
+ } else {
+ throw new ValidateException("validator.35", null);
+ }
+
+
+ // now check the extended SAML attributes
+ int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset;
+ if (extendedSAMLAttributes != null) {
+ Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
+ while (it.hasNext()) {
+ ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
+ samlAttribute = samlAttributes[i];
+ String actualName = samlAttribute.getName();
+ String expectedName = extendedSAMLAttribute.getName();
+ if (!actualName.equals(expectedName)) {
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
+ }
+ String actualNamespace = samlAttribute.getNamespace();
+ String expectedNamespace = extendedSAMLAttribute.getNameSpace();
+ if (!actualNamespace.equals(expectedNamespace)) {
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
+ }
+ Object expectedValue = extendedSAMLAttribute.getValue();
+ Object actualValue = samlAttribute.getValue();
+ try {
+ if (expectedValue instanceof String) {
+ // replace \r\n because text might be base64-encoded
+ String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
+ expValue = StringUtils.replaceAll(expValue,"\n","");
+ String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
+ actValue = StringUtils.replaceAll(actValue,"\n","");
+ if (!expValue.equals(actValue)) {
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
+ }
+ } else if (expectedValue instanceof Element) {
+ // only check the name of the element
+ String actualElementName = ((Element)actualValue).getNodeName();
+ String expectedElementName = ((Element)expectedValue).getNodeName();
+ if (!(expectedElementName.equals(actualElementName))){
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
+ }
+ } else {
+ // should not happen
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
+ }
+ } catch (ClassCastException e) {
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
+ }
+ i++;
+ }
+ }
+
+
+ if (!foundOA) throw new ValidateException("validator.14", null);
+
+ //Check if dsig:Signature exists
+ // NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
+ // if (nl.getLength() != 1) {
+ // throw new ValidateException("validator.05", null);
+ // }
+ Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
+ if (dsigSignature == null) {
+ throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
+ }
+ } catch (Exception e) {
+ SpecificTraceLogger.trace("Validate AuthBlock with SSO");
+ SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock());
+ SpecificTraceLogger.trace("OA config: " + pendingReq.getOnlineApplicationConfiguration().toString());
+ throw e;
+
+ }
- if (!foundOA) throw new ValidateException("validator.14", null);
-
- //Check if dsig:Signature exists
-// NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
-// if (nl.getLength() != 1) {
-// throw new ValidateException("validator.05", null);
-// }
- Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
- if (dsigSignature == null) {
- throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
- }
}
public void validateSigningDateTime( CreateXMLSignatureResponse csresp) throws ValidateException {