aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-module-AT_eIDAS_connector
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2018-07-10 16:53:03 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2018-07-10 16:53:03 +0200
commit3535ae9500b29d0b2d0f317ea7f47a6c25c6f70e (patch)
tree199550720498b8e8394125440dd44ffe5b302ed8 /id/server/modules/moa-id-module-AT_eIDAS_connector
parent56ae5a8050fa116061eb00be9057abefd0428521 (diff)
downloadmoa-id-spss-3535ae9500b29d0b2d0f317ea7f47a6c25c6f70e.tar.gz
moa-id-spss-3535ae9500b29d0b2d0f317ea7f47a6c25c6f70e.tar.bz2
moa-id-spss-3535ae9500b29d0b2d0f317ea7f47a6c25c6f70e.zip
some small updates and handbook update
Diffstat (limited to 'id/server/modules/moa-id-module-AT_eIDAS_connector')
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java2
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java12
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java10
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java39
4 files changed, 30 insertions, 33 deletions
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
index 55864f3c9..0f4f81122 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
@@ -55,7 +55,7 @@ public class EidasCentralAuthConstants {
public static final String CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.alias";
public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password";
public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias";
- public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX + "required.additinal.attributes";
+ public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX + "required.additional.attributes";
public static final String CONFIG_PROPS_NODE_ENTITYID = CONFIG_PROPS_PREFIX + "node.entityId";
public static final String CONFIG_PROPS_NODE_METADATAURL = CONFIG_PROPS_PREFIX + "node.metadataUrl";
public static final String CONFIG_PROPS_NODE_TRUSTPROFILEID = CONFIG_PROPS_PREFIX + "node.trustprofileID";
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java
index ebbe08588..8376f3aad 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java
@@ -48,6 +48,7 @@ public class EidasCentralAuthRequestBuilderConfiguration implements IPVPAuthnReq
private String scopeRequesterId;
private String providerName;
private List<EAAFRequestedAttribute> requestedAttributes;
+ private String reqId;
/* (non-Javadoc)
@@ -186,7 +187,7 @@ public class EidasCentralAuthRequestBuilderConfiguration implements IPVPAuthnReq
*/
@Override
public String getRequestID() {
- return null;
+ return this.reqId;
}
/* (non-Javadoc)
@@ -256,6 +257,15 @@ public class EidasCentralAuthRequestBuilderConfiguration implements IPVPAuthnReq
this.requestedAttributes = requestedAttributes;
}
+ /**
+ * Set a RequestId for this Authn. Request
+ *
+ * @param reqId
+ */
+ public void setRequestId(String reqId) {
+ this.reqId = reqId;
+ }
+
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
index 08ae845cb..e312299f8 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
@@ -29,6 +29,7 @@ import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
@@ -45,6 +46,7 @@ import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
import at.gv.egiz.eaaf.modules.pvp2.sp.impl.PVPAuthnRequestBuilder;
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.config.EidasCentralAuthRequestBuilderConfiguration;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider;
@@ -76,6 +78,8 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {
public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
throws TaskExecutionException {
try{
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_SELECTED);
+
//check if eIDAS authentication is enabled for this SP
if (!Boolean.parseBoolean(pendingReq.getServiceProviderConfiguration().getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_STORK_ENABLED, String.valueOf(false)))) {
Logger.info("eIDAS authentication is NOT enabled for OA: " + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier());
@@ -114,6 +118,8 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {
//setup AuthnRequestBuilder configuration
EidasCentralAuthRequestBuilderConfiguration authnReqConfig = new EidasCentralAuthRequestBuilderConfiguration();
+ SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
+ authnReqConfig.setRequestId(gen.generateIdentifier());
authnReqConfig.setIdpEntity(entityDesc);
authnReqConfig.setPassive(false);
authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential());
@@ -130,6 +136,10 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {
//build and transmit AuthnRequest
authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response);
+ revisionsLogger.logEvent(pendingReq,
+ MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_REQUESTED,
+ authnReqConfig.getRequestID());
+
} catch (MOAIDException e) {
throw new TaskExecutionException(pendingReq, e.getMessage(), e);
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
index f9686029f..214a23f88 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
@@ -59,7 +59,6 @@ import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthMetadataProvider;
-import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
@@ -112,7 +111,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
msg = (InboundMessage) decoder.decode(
request, response, metadataProvider, true,
comperator);
-
+
if (MiscUtil.isEmpty(msg.getEntityID())) {
throw new InvalidProtocolRequestException("sp.pvp2.04",
new Object[] {EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING},
@@ -126,9 +125,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
msg.setVerified(true);
}
-
- revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHRESPONSE);
-
+
//validate assertion
PVPSProfileResponse processedMsg = preProcessAuthResponse((PVPSProfileResponse) msg);
@@ -153,7 +150,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
requestStoreage.storePendingRequest(pendingReq);
//write log entries
- revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_REVEIVED);
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_MDS_VALID);
Logger.info("Receive a valid assertion from IDP " + msg.getEntityID());
} catch (MessageDecodingException | SecurityException e) {
@@ -208,32 +205,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
}
}
-
- /**
- * @param executionContext
- * @param idpConfig
- * @param message
- * @param objects
- * @throws TaskExecutionException
- * @throws Throwable
- */
- private void handleAuthnResponseValidationProblem(ExecutionContext executionContext, IOAAuthParameters idpConfig, Throwable e) throws TaskExecutionException {
-
- if (idpConfig != null && idpConfig.isPerformLocalAuthenticationOnInterfederationError()) {
- Logger.info("Switch to local authentication on this IDP ... ");
-
- executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, true);
- executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, true);
- executionContext.remove(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH);
-
- } else {
- throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
-
- }
-
- }
-
/**
* PreProcess AuthResponse and Assertion
* @param msg
@@ -257,11 +229,16 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING);
msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement());
+ revisionsLogger.logEvent(pendingReq,
+ MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED,
+ samlResp.getID());
return msg;
} else {
Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue()
+ " from 'ms-specific eIDAS node'.");
+ revisionsLogger.logEvent(pendingReq,
+ MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED_ERROR);
throw new AuthnResponseValidationException("sp.pvp2.05",
new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING, samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()});