update SSO session-transfer to MOA-ID 3.1.x architecture

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2016-02-22 12:57:46 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2016-02-22 12:59:17 +0100
commit: ef59662475c60c027c698caacd2423b34b3524d3 (patch)
tree: 2c327727a20a6b19cfd848b7fe4739f6f4d6757e /id/server/modules/moa-id-module-ssoTransfer
parent: cbfed3f8fb9273155d57b32692b7e577c29a6c8a (diff)
download: moa-id-spss-ef59662475c60c027c698caacd2423b34b3524d3.tar.gz
moa-id-spss-ef59662475c60c027c698caacd2423b34b3524d3.tar.bz2
moa-id-spss-ef59662475c60c027c698caacd2423b34b3524d3.zip
4 files changed, 41 insertions, 24 deletions
diff --git a/id/server/modules/moa-id-module-ssoTransfer/pom.xml b/id/server/modules/moa-id-module-ssoTransfer/pom.xml
index 61af328d3..a6399391a 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/pom.xml
+++ b/id/server/modules/moa-id-module-ssoTransfer/pom.xml
@@ -15,6 +15,24 @@
 			<artifactId>qrgen</artifactId>
 			<version>1.4</version>
 		</dependency>
+		
+				<!-- JSON JWT implementation -->
+		<dependency>
+			<groupId>com.googlecode.jsontoken</groupId>
+			<artifactId>jsontoken</artifactId>
+			<version>1.1</version>
+			<exclusions>
+				<exclusion>
+					<groupId>javax.servlet</groupId>
+					<artifactId>servlet-api</artifactId>
+				</exclusion>
+				<exclusion>
+					<artifactId>google-collections</artifactId>
+					<groupId>com.google.collections</groupId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		
   </dependencies>
   
 </project>
 \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java
index fa7d59beb..fae1b6f4d 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java
@@ -31,10 +31,6 @@ import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import net.glxn.qrgen.QRCode;
-import net.glxn.qrgen.image.ImageType;
-
-import org.apache.commons.codec.binary.Base64OutputStream;
 import org.apache.velocity.VelocityContext;
 
 import com.google.gson.JsonObject;
@@ -46,17 +42,17 @@ import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils;
 import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils;
 import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
 import at.gv.egovernment.moa.id.moduls.SSOManager;
 import at.gv.egovernment.moa.id.storage.AssertionStorage;
 import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
-import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
 import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Base64Utils;
 import at.gv.egovernment.moa.util.MiscUtil;
+import net.glxn.qrgen.QRCode;
+import net.glxn.qrgen.image.ImageType;
 
 
 
@@ -93,13 +89,21 @@ public class SSOTransferGUIServlet extends AuthServlet {
 					
 				} else {
 					//create first step of SSO Transfer GUI
+					String authURL = HTTPUtils.extractAuthURLFromRequest(req);
+					if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().
+							contains(authURL)) {						
+						Logger.warn("Requested URL is not allowed.");;
+						resp.sendError(500, "Requested URL is not allowed.");
+						
+					}
+					
 					String moaSessionID = AuthenticationSessionStoreage.getMOASessionSSOID(ssoid);
 					if (MiscUtil.isNotEmpty(moaSessionID)) {					
 						AuthenticationSession authSession = AuthenticationSessionStoreage
 								.getSession(moaSessionID);
 						if(authSession != null) {
 							Date now = new Date();
-							String encodedSSOContainer = SSOContainerUtils.generateSignedAndEncryptedSSOContainer(authSession, now);
+							String encodedSSOContainer = SSOContainerUtils.generateSignedAndEncryptedSSOContainer(authURL, authSession, now);
 							
 							String token = Random.nextRandom();
 							AssertionStorage.getInstance().put(token, encodedSSOContainer);
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java
index 884633a1e..270264099 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java
@@ -26,8 +26,6 @@ import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_SESSIONID;
 
 import java.io.BufferedReader;
 import java.io.IOException;
-import java.util.Enumeration;
-import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -35,7 +33,6 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.BooleanUtils;
 import org.apache.velocity.VelocityContext;
 import org.joda.time.DateTime;
-import org.opensaml.saml2.core.Assertion;
 import org.opensaml.saml2.core.Response;
 
 import com.google.gson.JsonObject;
@@ -52,7 +49,6 @@ import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants;
 import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils;
 import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.moduls.IRequest;
 import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
@@ -127,7 +123,7 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask {
 			    if (PVPConfiguration.getInstance().getIDPPublicPath().equals(entityID)) {
 			    	// stored SSO session data is from this IDP - start local session reconstruction
 			    	Response ssoInformation = SSOContainerUtils.validateReceivedSSOContainer(sessionBlob);
-			    	SSOContainerUtils.parseSSOContainerToMOASessionDataObject(moasession, ssoInformation);
+			    	SSOContainerUtils.parseSSOContainerToMOASessionDataObject(pendingReq, moasession, ssoInformation);
 			    		
 			    	// store MOASession into database
 					try {
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java
index 8980d3ea7..861dcbf58 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java
@@ -22,8 +22,6 @@
  */
 package at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils;
 
-import iaik.x509.X509Certificate;
-
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.StringWriter;
@@ -87,7 +85,6 @@ import org.w3c.dom.NodeList;
 
 import com.google.gson.JsonObject;
 
-import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.ParseException;
@@ -100,10 +97,10 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
 import at.gv.egovernment.moa.id.data.IAuthData;
 import at.gv.egovernment.moa.id.data.MISMandate;
+import at.gv.egovernment.moa.id.moduls.IRequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder;
-import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException;
@@ -116,6 +113,7 @@ import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Base64Utils;
 import at.gv.egovernment.moa.util.MiscUtil;
+import iaik.x509.X509Certificate;
 
 /**
  * @author tlenz
@@ -142,10 +140,10 @@ public class SSOContainerUtils {
         REQUIRED_ATTRIBUTES = Collections.unmodifiableList(tmp);
 	}
 	
-	public static void parseSSOContainerToMOASessionDataObject(AuthenticationSession moasession, Response ssoInformation) throws AssertionAttributeExtractorExeption, ConfigurationException {
+	public static void parseSSOContainerToMOASessionDataObject(IRequest pendingReq, AuthenticationSession moasession, Response ssoInformation) throws AssertionAttributeExtractorExeption, ConfigurationException {
 		AssertionAttributeExtractor attributeExtractor = new AssertionAttributeExtractor(ssoInformation);
 		
-		String authServiceURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+		String authServiceURL = pendingReq.getAuthURL();
 		if (authServiceURL.endsWith("/"))
 			moasession.setAuthURL(authServiceURL);
 		else
@@ -313,10 +311,10 @@ public class SSOContainerUtils {
 	}
 	
 	
-	public static String generateSignedAndEncryptedSSOContainer(
+	public static String generateSignedAndEncryptedSSOContainer(String authURL,
 			AuthenticationSession authSession, Date date) {		
 		try {
-			String entityID = PVPConfiguration.getInstance().getIDPPublicPath();
+			String entityID = authURL;
 			AuthnContextClassRef authnContextClassRef = SAML2Utils
 					.createSAMLObject(AuthnContextClassRef.class);
 			authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel());			
@@ -347,6 +345,7 @@ public class SSOContainerUtils {
 			IAuthData authData = new SSOTransferAuthenticationData(authSession);
 			
 			Assertion assertion = PVP2AssertionBuilder.buildGenericAssertion(
+					authURL,
 					entityID, 
 					new DateTime(date.getTime()), 
 					authnContextClassRef, 
@@ -356,7 +355,7 @@ public class SSOContainerUtils {
 					sessionIndex, 
 					subjectConfirmationData.getNotOnOrAfter());
 		
-			String ssoDataBlob = buildSSOContainerObject(assertion, new DateTime(date.getTime()));
+			String ssoDataBlob = buildSSOContainerObject(authURL, assertion, new DateTime(date.getTime()));
 			
 			JsonObject container = new JsonObject();
 			container.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_TYPE, "SSO");
@@ -377,13 +376,13 @@ public class SSOContainerUtils {
 		return null;
 	}
 	
-	private static String buildSSOContainerObject(Assertion assertion, DateTime date) throws ConfigurationException, EncryptionException, CredentialsNotAvailableException, SecurityException, ParserConfigurationException, MarshallingException, SignatureException, TransformerFactoryConfigurationError, TransformerException, IOException {
+	private static String buildSSOContainerObject(String authURL, Assertion assertion, DateTime date) throws ConfigurationException, EncryptionException, CredentialsNotAvailableException, SecurityException, ParserConfigurationException, MarshallingException, SignatureException, TransformerFactoryConfigurationError, TransformerException, IOException {
 		Response authResponse = SAML2Utils.createSAMLObject(Response.class);
 
 		Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
 		
 		//change to entity value from entity name to IDP EntityID (URL)
-		nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+		nissuer.setValue(authURL);
 		nissuer.setFormat(NameID.ENTITY);
 		authResponse.setIssuer(nissuer);
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2016-02-22 12:57:46 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2016-02-22 12:59:17 +0100
commit	ef59662475c60c027c698caacd2423b34b3524d3 (patch)
tree	2c327727a20a6b19cfd848b7fe4739f6f4d6757e /id/server/modules/moa-id-module-ssoTransfer
parent	cbfed3f8fb9273155d57b32692b7e577c29a6c8a (diff)
download	moa-id-spss-ef59662475c60c027c698caacd2423b34b3524d3.tar.gz moa-id-spss-ef59662475c60c027c698caacd2423b34b3524d3.tar.bz2 moa-id-spss-ef59662475c60c027c698caacd2423b34b3524d3.zip