aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2016-03-08 11:10:19 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-03-08 11:10:19 +0100
commitb9937af42fdab6b85aa1121148bda474c70f5e75 (patch)
treeb40401aef3a0dff9dac0db55ae6f4b519a6bac49 /id/server/modules
parente2d27757411fdcba586cc162f362c72ca3ae689c (diff)
downloadmoa-id-spss-b9937af42fdab6b85aa1121148bda474c70f5e75.tar.gz
moa-id-spss-b9937af42fdab6b85aa1121148bda474c70f5e75.tar.bz2
moa-id-spss-b9937af42fdab6b85aa1121148bda474c70f5e75.zip
finish first beta-version of ELGA mandate-service client-module
Diffstat (limited to 'id/server/modules')
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java2
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java180
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java2
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java2
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml2
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java2
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java4
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java3
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java6
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java40
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java107
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java65
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java15
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java5
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml8
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml4
-rw-r--r--id/server/modules/moa-id-module-openID/pom.xml6
-rw-r--r--id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java20
-rw-r--r--id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java4
-rw-r--r--id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java19
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java17
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java94
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java280
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java11
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java19
25 files changed, 595 insertions, 322 deletions
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java
index e3afc713b..aff6b1ca6 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java
@@ -54,7 +54,7 @@ public class CertificateReadRequestTask extends AbstractAuthServletTask {
//execute default task initialization
defaultTaskInitialization(req, executionContext);
- boolean useMandate = moasession.getUseMandate();
+ boolean useMandate = moasession.isMandateUsed();
boolean identityLinkAvailable = BooleanUtils.isTrue((Boolean) executionContext.get("identityLinkAvailable"));
if (!identityLinkAvailable && useMandate) {
Logger.error("Online-Mandate Mode for foreign citizencs not supported.");
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
index 54db1d8ff..b1b87f68d 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
@@ -34,6 +34,7 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
import at.gv.egovernment.moa.id.auth.parser.StartAuthentificationParameterParser;
@@ -62,91 +63,8 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
throws TaskExecutionException {
try {
- Logger.info("BKU is selected -> Start BKU communication ...");
- defaultTaskInitialization(request, executionContext);
-
- boolean isLegacyRequest = false;
- Object isLegacyRequestObj = executionContext.get("isLegacyRequest");
- if (isLegacyRequestObj != null && isLegacyRequestObj instanceof Boolean)
- isLegacyRequest = (boolean) isLegacyRequestObj;
-
- if (isLegacyRequest) {
- //parse request parameter into MOASession
- Logger.info("Start Authentication Module: " + pendingReq.requestedModule()
- + " Action: " + pendingReq.requestedAction());
-
- authInitialisationParser.parse(executionContext, request, moasession, pendingReq);
-
- } else {
- String bkuid = (String) executionContext.get(MOAIDAuthConstants.PARAM_BKU);
- String useMandate = (String) executionContext.get(MOAIDAuthConstants.PARAM_USEMANDATE);
- String ccc = (String) executionContext.get(MOAIDAuthConstants.PARAM_CCC);
-
- if (MiscUtil.isEmpty(bkuid)) {
- Logger.warn("BKU-type is empty. Maybe an old BKU-selection template is in use.");
- throw new MOAIDException("auth.23", new Object[] {});
- }
-
- //load OA Config
- IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
-
- if (oaParam == null)
- throw new AuthenticationException("auth.00", new Object[] { pendingReq.getOAURL() });
-
- else {
- revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(),
- pendingReq, MOAIDEventConstants.AUTHPROCESS_BKUTYPE_SELECTED, bkuid);
-
- //get Target from config or from request in case of SAML 1
- String target = null;
- if (MiscUtil.isNotEmpty(pendingReq.getGenericData("target", String.class)) &&
- pendingReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol"))
- target = pendingReq.getGenericData("target", String.class);
- else
- target = oaParam.getTarget();
-
- String bkuURL = oaParam.getBKUURL(bkuid);
- if (MiscUtil.isEmpty(bkuURL)) {
- Logger.info("No OA specific BKU defined. Use BKU from default configuration");
- bkuURL = authConfig.getDefaultBKUURL(bkuid);
- }
-
- //search for OA specific template
- String templateURL = null;
- List<String> oaTemplateURLList = oaParam.getTemplateURL();
- if ( oaTemplateURLList != null && oaTemplateURLList.size() > 0
- && MiscUtil.isNotEmpty(oaTemplateURLList.get(0)) ) {
- templateURL = oaTemplateURLList.get(0);
-
- } else {
- templateURL = authConfig.getSLRequestTemplates(bkuid);
- }
-
- //make url absolut if it is a local url
- if (MiscUtil.isNotEmpty(templateURL))
- templateURL = FileUtils.makeAbsoluteURL(templateURL,
- authConfig.getRootConfigFileDir());
-
- if (oaParam.isOnlyMandateAllowed())
- useMandate = "true";
-
- if (!oaParam.isShowMandateCheckBox())
- useMandate = "false";
-
- //parse all OA parameters i
- authInitialisationParser.parse( moasession,
- target,
- pendingReq.getOAURL(),
- bkuURL,
- templateURL,
- useMandate,
- ccc,
- request,
- pendingReq);
- }
- }
-
- executionContext.put(MOAIDAuthConstants.PARAM_USEMANDATE, moasession.getUseMandate());
+ //
+ internalInitializeWithoutPersist(executionContext, request, response);
// make sure MOASession and Pending-Request has been persisted before running the process
try {
@@ -171,5 +89,97 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
}
}
+
+ protected void internalInitializeWithoutPersist(ExecutionContext executionContext,
+ HttpServletRequest request, HttpServletResponse response) throws WrongParametersException, MOAIDException, MOADatabaseException {
+
+ Logger.info("BKU is selected -> Start BKU communication ...");
+ defaultTaskInitialization(request, executionContext);
+
+ boolean isLegacyRequest = false;
+ Object isLegacyRequestObj = executionContext.get("isLegacyRequest");
+ if (isLegacyRequestObj != null && isLegacyRequestObj instanceof Boolean)
+ isLegacyRequest = (boolean) isLegacyRequestObj;
+
+ if (isLegacyRequest) {
+ //parse request parameter into MOASession
+ Logger.info("Start Authentication Module: " + pendingReq.requestedModule()
+ + " Action: " + pendingReq.requestedAction());
+
+ authInitialisationParser.parse(executionContext, request, moasession, pendingReq);
+
+ } else {
+ String bkuid = (String) executionContext.get(MOAIDAuthConstants.PARAM_BKU);
+ String useMandate = (String) executionContext.get(MOAIDAuthConstants.PARAM_USEMANDATE);
+ String ccc = (String) executionContext.get(MOAIDAuthConstants.PARAM_CCC);
+
+ if (MiscUtil.isEmpty(bkuid)) {
+ Logger.warn("BKU-type is empty. Maybe an old BKU-selection template is in use.");
+ throw new MOAIDException("auth.23", new Object[] {});
+ }
+
+ //load OA Config
+ IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
+
+ if (oaParam == null)
+ throw new AuthenticationException("auth.00", new Object[] { pendingReq.getOAURL() });
+
+ else {
+ revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(),
+ pendingReq, MOAIDEventConstants.AUTHPROCESS_BKUTYPE_SELECTED, bkuid);
+
+ //get Target from config or from request in case of SAML 1
+ String target = null;
+ if (MiscUtil.isNotEmpty(pendingReq.getGenericData("target", String.class)) &&
+ pendingReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol"))
+ target = pendingReq.getGenericData("target", String.class);
+ else
+ target = oaParam.getTarget();
+
+ String bkuURL = oaParam.getBKUURL(bkuid);
+ if (MiscUtil.isEmpty(bkuURL)) {
+ Logger.info("No OA specific BKU defined. Use BKU from default configuration");
+ bkuURL = authConfig.getDefaultBKUURL(bkuid);
+ }
+
+ //search for OA specific template
+ String templateURL = null;
+ List<String> oaTemplateURLList = oaParam.getTemplateURL();
+ if ( oaTemplateURLList != null && oaTemplateURLList.size() > 0
+ && MiscUtil.isNotEmpty(oaTemplateURLList.get(0)) ) {
+ templateURL = oaTemplateURLList.get(0);
+
+ } else {
+ templateURL = authConfig.getSLRequestTemplates(bkuid);
+ }
+
+ //make url absolut if it is a local url
+ if (MiscUtil.isNotEmpty(templateURL))
+ templateURL = FileUtils.makeAbsoluteURL(templateURL,
+ authConfig.getRootConfigFileDir());
+
+ if (oaParam.isOnlyMandateAllowed())
+ useMandate = "true";
+
+ if (!oaParam.isShowMandateCheckBox())
+ useMandate = "false";
+
+ //parse all OA parameters i
+ authInitialisationParser.parse( moasession,
+ target,
+ pendingReq.getOAURL(),
+ bkuURL,
+ templateURL,
+ useMandate,
+ ccc,
+ request,
+ pendingReq);
+ }
+ }
+
+ executionContext.put(MOAIDAuthConstants.PARAM_USEMANDATE, moasession.isMandateUsed());
+ executionContext.put(MOAIDAuthConstants.PARAM_USEMISMANDATE, moasession.isMandateUsed());
+
+ }
}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java
index 464c1f3a1..cd444f7c8 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java
@@ -89,7 +89,7 @@ public class VerifyCertificateTask extends AbstractAuthServletTask {
throw new AuthenticationException("auth.14", null);
}
- if (moasession.getUseMandate()) {
+ if (moasession.isMandateUsed()) {
// verify certificate for OrganWalter
authServer.verifyCertificate(moasession, cert, pendingReq);
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
index e346c8bee..7b5a7b9c0 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
@@ -56,7 +56,6 @@ import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerException;
import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.commons.httpclient.methods.StringRequestEntity;
@@ -148,7 +147,6 @@ public class MISSimpleClient {
//misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate)));
misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate).getBytes()));
- misMandate.setFullMandateIncluded(true);
foundMandates.add(misMandate);
}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml
index 74792ed72..afa3fe2ad 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml
@@ -38,7 +38,7 @@
<pd:Transition from="verifyCertificate" to="verifyAuthBlock" conditionExpression="ctx['useMandate']" />
<pd:Transition from="verifyCertificate" to="getForeignID" />
- <pd:Transition from="verifyAuthBlock" to="prepareGetMISMandate" conditionExpression="ctx['useMandate']" />
+ <pd:Transition from="verifyAuthBlock" to="prepareGetMISMandate" conditionExpression="ctx['useMISMandate']" />
<pd:Transition from="verifyAuthBlock" to="finalizeAuthentication" />
<pd:Transition from="prepareGetMISMandate" to="getMISMandate" />
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index 909b29fab..8471439e2 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -79,6 +79,4 @@ public class Constants {
public static final int eIDAS_REVERSIONSLOG_SP_AUTHREQUEST= 3403;
public static final int eIDAS_REVERSIONSLOG_SP_AUTHRESPONSE= 3404;
- public static final String eIDAS_GENERIC_REQ_DATA_COUNTRY = "country";
-
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
index dea9e675e..9858d6004 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
@@ -15,6 +15,7 @@ import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAPersonalAttributeLis
import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import eu.eidas.auth.commons.EIDASAuthnResponse;
@@ -72,6 +73,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
AuthenticationSessionStorageConstants.eIDAS_RESPONSE,
decSamlToken);
+ //set issuer nation as PVP attribute into MOASession
+ moasession.setGenericDataToSession(PVPConstants.EID_ISSUING_NATION_NAME, samlResp.getCountry());
+
//store MOA-session to database
authenticatedSessionStorage.storeSession(moasession);
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 4caa6700a..1e3b0f507 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -39,6 +39,7 @@ import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -153,7 +154,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
// - memorize country code of target country
pendingReq.setGenericDataToSession(
- Constants.eIDAS_GENERIC_REQ_DATA_COUNTRY, samlReq.getCountry());
+ RequestImpl.eIDAS_GENERIC_REQ_DATA_COUNTRY, samlReq.getCountry());
// - memorize requested attributes
pendingReq.setEidasRequestedAttributes(new MOAPersonalAttributeList(samlReq.getPersonalAttributeList()));
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
index d75d4b1b9..5f3f89aee 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
@@ -37,7 +37,6 @@ import org.springframework.http.MediaType;
import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
-import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
@@ -90,8 +89,9 @@ public class eIDASAuthenticationRequest implements IAction {
case Constants.eIDAS_ATTR_DATEOFBIRTH: newValue = new SimpleDateFormat("YYYY-MM-dd").format(authData.getDateOfBirth()); break;
case Constants.eIDAS_ATTR_CURRENTFAMILYNAME: newValue = authData.getFamilyName();break;
case Constants.eIDAS_ATTR_CURRENTGIVENNAME: newValue = authData.getGivenName();break;
- case Constants.eIDAS_ATTR_PERSONALIDENTIFIER: newValue = new BPKBuilder().buildStorkeIdentifier(authData.getIdentificationType(), authData.getIdentificationValue(),
- eidasRequest.getGenericData(Constants.eIDAS_GENERIC_REQ_DATA_COUNTRY, String.class)); break;
+
+ //TODO: change bPK builder !!!!!!
+ case Constants.eIDAS_ATTR_PERSONALIDENTIFIER: newValue = authData.getBPK(); break;
}
if("".equals(newValue))
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java
index b521116d3..320c4fdc6 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java
@@ -42,6 +42,8 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest
private EntityDescriptor idpEntity;
private Credential signCred;
private String subjectNameID;
+ private String subjectNameIDQualifier;
+ private String requestID;
/* (non-Javadoc)
@@ -73,7 +75,7 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest
*/
@Override
public String getNameIDPolicyFormat() {
- return NameID.TRANSIENT;
+ return NameID.PERSISTENT;
}
/* (non-Javadoc)
@@ -81,7 +83,7 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest
*/
@Override
public boolean getNameIDPolicyAllowCreation() {
- return true;
+ return false;
}
/* (non-Javadoc)
@@ -143,6 +145,15 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest
this.subjectNameID = subjectNameID;
}
+
+
+ /**
+ * @param requestID the requestID to set
+ */
+ public void setRequestID(String requestID) {
+ this.requestID = requestID;
+ }
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential()
*/
@@ -183,5 +194,30 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest
return NameID.PERSISTENT;
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getRequestID()
+ */
+ @Override
+ public String getRequestID() {
+ return this.requestID;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier()
+ */
+ @Override
+ public String getSubjectNameIDQualifier() {
+ return this.subjectNameIDQualifier;
+ }
+
+ /**
+ * @param subjectNameIDQualifier the subjectNameIDQualifier to set
+ */
+ public void setSubjectNameIDQualifier(String subjectNameIDQualifier) {
+ this.subjectNameIDQualifier = subjectNameIDQualifier;
+ }
+
+
+
}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java
new file mode 100644
index 000000000..50bac3eab
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java
@@ -0,0 +1,107 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.stereotype.Component;
+
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.internal.tasks.InitializeBKUAuthenticationTask;
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("ELGAInitializeBKUAuthenticationTask")
+public class ELGAInitializeBKUAuthenticationTask extends InitializeBKUAuthenticationTask {
+
+ @Override
+ public void execute(ExecutionContext executionContext,
+ HttpServletRequest request, HttpServletResponse response)
+ throws TaskExecutionException {
+
+ try {
+ //perform Default-BKU authentication initialization
+ internalInitializeWithoutPersist(executionContext, request, response);
+
+ //perform ELGA Mandate-Service specific parts
+ Logger.debug("Perfom ELGA-Mandate specific parts of initialisation.");
+ Boolean misMandateUsed = (Boolean) executionContext.get(MOAIDAuthConstants.PARAM_USEMISMANDATE);
+
+ boolean elgaMandateUsed = false;
+ Object elgaMandateUsedObj = executionContext.get(MOAIDAuthConstants.PARAM_USEELGAMANDATE);
+ if (elgaMandateUsedObj == null ||
+ !(elgaMandateUsedObj instanceof String || elgaMandateUsedObj instanceof Boolean)) {
+ Logger.error("Use ELGA-MandateService flag has a wrong type.");
+ throw new MOAIDException("auth.12", new Object[]{"Start-BKU Authentication","useELGAMandate"});
+
+ } else {
+ if (elgaMandateUsedObj instanceof String)
+ elgaMandateUsed = Boolean.parseBoolean((String) elgaMandateUsedObj);
+ else
+ elgaMandateUsed = (boolean) elgaMandateUsedObj;
+
+ }
+
+
+ //check if both mandate Services are requested
+ if ( (misMandateUsed != null && misMandateUsed) &&
+ elgaMandateUsed ) {
+ Logger.error("Can not use MIS-MandateService and ELGA-MandateService twince");
+ throw new MOAIDException("validator.73", null);
+
+ }
+
+ //remove MIS-Mandate flag and set useMandate flag to MOASession
+ if (elgaMandateUsed) {
+ Logger.debug("Authentication process select ELGA-MandateService.");
+ executionContext.remove(MOAIDAuthConstants.PARAM_USEMISMANDATE);
+ moasession.setUseMandates(elgaMandateUsed);
+ }
+
+ //disable SSO if it is requested
+ if (pendingReq.needSingleSignOnFunctionality() && moasession.isMandateUsed()) {
+ Logger.info("ELGA-MandateService does not allow Single Sign-On. SSO get disabled for this request.");
+ pendingReq.setNeedSingleSignOnFunctionality(false);
+
+
+ }
+
+ //store MOASession and pendingRequest
+ requestStoreage.storePendingRequest(pendingReq);
+ authenticatedSessionStorage.storeSession(moasession);
+
+ } catch (MOADatabaseException | MOAIDException e) {
+ Logger.info("Initialize BKUAuthentication with ELGA Mandates FAILED. Reason:" + e.getMessage());
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ }
+ }
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java
index 13e17e03e..a5e316f10 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java
@@ -37,6 +37,7 @@ import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -46,6 +47,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCred
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
@@ -55,7 +57,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -67,7 +69,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
@Component("ReceiveElgaMandateResponseTask")
public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
- @Autowired SAMLVerificationEngine samlVerificationEngine;
+ @Autowired SAMLVerificationEngineSP samlVerificationEngine;
@Autowired ELGAMandatesCredentialProvider credentialProvider;
@Autowired ELGAMandateServiceMetadataProvider metadataProvider;
@@ -81,13 +83,18 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
try {
IDecoder decoder = null;
+ MOAURICompare comperator = null;
//select Response Binding
if (request.getMethod().equalsIgnoreCase("POST")) {
decoder = new PostBinding();
+ comperator = new MOAURICompare(pendingReq.getAuthURL()
+ + ELGAMandatesAuthConstants.ENDPOINT_POST);
Logger.debug("Receive PVP Response from ELGA mandate-service, by using POST-Binding.");
} else if (request.getMethod().equalsIgnoreCase("GET")) {
decoder = new RedirectBinding();
+ comperator = new MOAURICompare(pendingReq.getAuthURL()
+ + ELGAMandatesAuthConstants.ENDPOINT_REDIRECT);
Logger.debug("Receive PVP Response from ELGA mandate-service, by using Redirect-Binding.");
} else {
@@ -99,7 +106,8 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
}
//decode PVP response object
- msg = (InboundMessage) decoder.decode(request, response, metadataProvider, true);
+ msg = (InboundMessage) decoder.decode(request, response, metadataProvider, true,
+ comperator);
if (MiscUtil.isEmpty(msg.getEntityID())) {
throw new InvalidProtocolRequestException("sp.pvp2.04",
@@ -138,7 +146,7 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
//validate receive mandate reference-value
String responseRefValue = extractor.getSingleAttributeValue(PVPConstants.MANDATE_REFERENCE_VALUE_NAME);
if (!moasession.getMandateReferenceValue().equals(responseRefValue)) {
- Logger.warn("PVP Response from ELGA mandate-service contains not all requested attributes.");
+ Logger.warn("PVP Response from ELGA mandate-service contains a not valid MandateReferenceValue.");
throw new AssertionValidationExeption("sp.pvp2.07",
new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,
PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME});
@@ -157,30 +165,35 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
//store MOASession
authenticatedSessionStorage.storeSession(moasession);
- //TODO write log entries
- //revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_REVEIVED);
+ //write revisions log entry
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_RECEIVED);
Logger.info("Receive a valid assertion from ELGA mandate-service " + msg.getEntityID());
} catch (MessageDecodingException | SecurityException e) {
String samlRequest = request.getParameter("SAMLRequest");
Logger.warn("Receive INVALID PVP Response from ELGA mandate-service: " + samlRequest, e);
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED);
throw new TaskExecutionException(pendingReq, "Receive INVALID PVP Response from ELGA mandate-service", e);
} catch (IOException | MarshallingException | TransformerException e) {
Logger.warn("Processing PVP response from ELGA mandate-service FAILED.", e);
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED);
throw new TaskExecutionException(pendingReq, "Processing PVP response from ELGA mandate-service FAILED.", e);
} catch (CredentialsNotAvailableException e) {
Logger.error("ELGA mandate-service: PVP response decrytion FAILED. No credential found.", e);
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED);
throw new TaskExecutionException(pendingReq, "ELGA mandate-service: PVP response decrytion FAILED. No credential found.", e);
} catch (AssertionValidationExeption | AuthnResponseValidationException e) {
- Logger.info("ELGA mandate-service: PVP response validation FAILED. Msg:" + e.getMessage());
+ Logger.info("ELGA mandate-service: PVP response validation FAILED. Msg:" + e.getMessage());
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED, e.getMessageId());
throw new TaskExecutionException(pendingReq, "ELGA mandate-service: PVP response validation FAILED.", e);
} catch (Exception e) {
- Logger.info("ELGA mandate-service: General Exception. Msg:" + e.getMessage());
+ Logger.info("ELGA mandate-service: General Exception. Msg:" + e.getMessage());
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED);
throw new TaskExecutionException(pendingReq, "ELGA mandate-service: General Exception.", e);
}
@@ -210,12 +223,36 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
return msg;
} else {
- Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue()
- + " from federated IDP.");
- throw new AuthnResponseValidationException("sp.pvp2.04",
- new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,
- samlResp.getIssuer().getValue(),
- samlResp.getStatus().getStatusCode().getValue()});
+ String errorMsg = "No error message";
+ StatusCode firstCode = samlResp.getStatus().getStatusCode();
+
+ //get errormessage from response
+ if (samlResp.getStatus().getStatusMessage() != null &&
+ MiscUtil.isNotEmpty(samlResp.getStatus().getStatusMessage().getMessage()))
+ errorMsg = samlResp.getStatus().getStatusMessage().getMessage();
+
+ //extract response status-codes
+ if (firstCode.getStatusCode() == null) {
+ Logger.info("Receive StatusCode:" + firstCode.getValue() + " | Msg:" + errorMsg
+ + " from federated IDP.");
+ throw new AuthnResponseValidationException("sp.pvp2.05",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,
+ samlResp.getIssuer().getValue(),
+ firstCode.getValue(),
+ samlResp.getStatus().getStatusMessage().getMessage()});
+
+ } else {
+ StatusCode secondCode = firstCode.getStatusCode();
+ Logger.info("Receive StatusCode:" + firstCode.getValue() + " -> StatusCode:" + secondCode.getValue()
+ + " | Msg:" + errorMsg + " from federated IDP.");
+ throw new AuthnResponseValidationException("sp.pvp2.09",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,
+ samlResp.getIssuer().getValue(),
+ firstCode.getValue(),
+ secondCode.getValue(),
+ samlResp.getStatus().getStatusMessage().getMessage()});
+
+ }
}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
index bcd8076bc..2a3e72640 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
@@ -34,6 +34,7 @@ import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
@@ -92,7 +93,7 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask {
authnReqConfig.setPassive(false);
authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential());
authnReqConfig.setSPEntityID(pendingReq.getAuthURL() + ELGAMandatesAuthConstants.ENDPOINT_METADATA);
-
+
//set bPK of representative
String representativeBPK = null;
@@ -129,15 +130,19 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask {
}
}
-
- //TODO: check subjectNameID: as per PVP S-Profile specification,
- // subjectNameID starts with target postfix (like. GH:xxxxxxxxxxxxx)
+
+ //set bPK of representative as SAML2 subjectNameID
authnReqConfig.setSubjectNameID(representativeBPK );
+ authnReqConfig.setSubjectNameIDQualifier(configTarget);
+
+ //set MandateReferenceValue as RequestID
+ authnReqConfig.setRequestID(moasession.getMandateReferenceValue());
//build and transmit AuthnRequest
authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response);
- //TODO: TODO: add revisionslog entries
+ //write revisions log entry
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_SERVICE_REQUESTED, moasession.getMandateReferenceValue());
} catch (MetadataProviderException e) {
throw new TaskExecutionException(pendingReq, "ELGA Mandate-Service metadata problem", new ELGAMetadataException("service.10",
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
index 6deb8eb2b..49f131983 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
@@ -197,13 +197,12 @@ public class ELGAMandateServiceMetadataProvider extends SimpleMOAMetadataProvide
filter,
ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING);
- metadataProvider.setRequireValidMetadata(true);
-
-
if (metadataProvider == null) {
Logger.error("Create ELGA Mandate-Service Client FAILED.");
throw new MetadataProviderException("Can not initialize ELGA Mandate-Service metadaa provider.");
}
+
+ metadataProvider.setRequireValidMetadata(true);
}
}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
index b648e4d27..8cd08d226 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
@@ -5,7 +5,7 @@
- National authentication with Austrian Citizen Card and mobile signature with our without mandate.
- Legacy authentication for foreign citizens using MOCCA supported signature cards.
-->
- <pd:Task id="initializeBKUAuthentication" class="InitializeBKUAuthenticationTask" />
+ <pd:Task id="elgaInitializeBKUAuthentication" class="ELGAInitializeBKUAuthenticationTask" />
<pd:Task id="createIdentityLinkForm" class="CreateIdentityLinkFormTask" />
<pd:Task id="verifyIdentityLink" class="VerifyIdentityLinkTask" async="true" />
<pd:Task id="verifyAuthBlock" class="VerifyAuthenticationBlockTask" async="true" />
@@ -25,9 +25,9 @@
<!-- Process is triggered either by GenerateIFrameTemplateServlet (upon bku selection) or by AuthenticationManager (upon legacy authentication start using legacy parameters. -->
<pd:StartEvent id="start" />
- <pd:Transition from="start" to="initializeBKUAuthentication" />
+ <pd:Transition from="start" to="elgaInitializeBKUAuthentication" />
- <pd:Transition from="initializeBKUAuthentication" to="createIdentityLinkForm" />
+ <pd:Transition from="elgaInitializeBKUAuthentication" to="createIdentityLinkForm" />
<pd:Transition from="createIdentityLinkForm" to="verifyIdentityLink" />
@@ -43,7 +43,7 @@
<pd:Transition from="verifyCertificate" to="verifyAuthBlock" conditionExpression="ctx['useMandate']" />
<pd:Transition from="verifyCertificate" to="getForeignID" />
- <pd:Transition from="verifyAuthBlock" to="prepareGetMISMandate" conditionExpression="ctx['useMandate']" />
+ <pd:Transition from="verifyAuthBlock" to="prepareGetMISMandate" conditionExpression="ctx['useMISMandate']" />
<pd:Transition from="verifyAuthBlock" to="requestELGAMandateTask" conditionExpression="ctx['useELGAMandate']" />
<pd:Transition from="verifyAuthBlock" to="finalizeAuthentication" />
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml
index 6e567a42c..c1abe78df 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml
@@ -27,6 +27,10 @@
class="at.gv.egovernment.moa.id.auth.modules.elgamandates.controller.ELGAMandateSignalController"/>
<!-- Federated Authentication Process Tasks -->
+ <bean id="ELGAInitializeBKUAuthenticationTask"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks.ELGAInitializeBKUAuthenticationTask"
+ scope="prototype"/>
+
<bean id="RequestELGAMandateTask"
class="at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks.RequestELGAMandateTask"
scope="prototype"/>
diff --git a/id/server/modules/moa-id-module-openID/pom.xml b/id/server/modules/moa-id-module-openID/pom.xml
index 030cd32a0..4684c8032 100644
--- a/id/server/modules/moa-id-module-openID/pom.xml
+++ b/id/server/modules/moa-id-module-openID/pom.xml
@@ -78,12 +78,6 @@
<artifactId>guava</artifactId>
<version>19.0</version>
</dependency>
-
-<!-- <dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- <version>19.0</version>
- </dependency> -->
<!-- TestNG -->
<dependency>
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
index 17e88e381..103a03063 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
@@ -90,20 +90,11 @@ public class SSOTransferAuthenticationData implements IAuthData {
}
/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.data.IAuthData#isInterfederatedSSOSession()
- */
- @Override
- public boolean isInterfederatedSSOSession() {
- // TODO Auto-generated method stub
- return false;
- }
-
- /* (non-Javadoc)
* @see at.gv.egovernment.moa.id.data.IAuthData#isUseMandate()
*/
@Override
public boolean isUseMandate() {
- return this.authSession.getUseMandate();
+ return this.authSession.isMandateUsed();
}
/* (non-Javadoc)
@@ -168,15 +159,6 @@ public class SSOTransferAuthenticationData implements IAuthData {
}
/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.data.IAuthData#getInterfederatedIDP()
- */
- @Override
- public String getInterfederatedIDP() {
- // TODO Auto-generated method stub
- return null;
- }
-
- /* (non-Javadoc)
* @see at.gv.egovernment.moa.id.data.IAuthData#getIdentificationValue()
*/
@Override
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java
index 4d41ff652..dea538f75 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java
@@ -105,7 +105,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableEx
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
@@ -139,7 +139,7 @@ public class SSOContainerUtils {
}
@Autowired IDPCredentialProvider credentials;
- @Autowired SAMLVerificationEngine samlVerificationEngine;
+ @Autowired SAMLVerificationEngineSP samlVerificationEngine;
@Autowired AuthConfiguration authConfig;
public void parseSSOContainerToMOASessionDataObject(IRequest pendingReq, AuthenticationSession moasession, Response ssoInformation) throws AssertionAttributeExtractorExeption, ConfigurationException {
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java b/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java
index 1beab574a..57f4d11ad 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java
@@ -22,17 +22,6 @@
*/
package at.gv.egiz.tests;
-import java.io.IOException;
-
-import org.hibernate.mapping.Map;
-
-import com.fasterxml.jackson.core.JsonParseException;
-import com.fasterxml.jackson.databind.JsonMappingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.gson.JsonElement;
-import com.google.gson.JsonObject;
-import com.google.gson.JsonParser;
-
/**
* @author tlenz
*
@@ -65,10 +54,10 @@ public class Tests {
- } catch (IOException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
- }
+// } catch (IOException e) {
+// // TODO Auto-generated catch block
+// e.printStackTrace();
+// }
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
index 4ae162f5a..19eae06d7 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
@@ -171,7 +171,22 @@ public class FederatedAuthnRequestBuilderConfiguration implements IPVPAuthnReque
*/
@Override
public String getSubjectNameIDFormat() {
- // TODO Auto-generated method stub
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getRequestID()
+ */
+ @Override
+ public String getRequestID() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier()
+ */
+ @Override
+ public String getSubjectNameIDQualifier() {
return null;
}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
index a07a87c2b..d5c5354c0 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
@@ -32,12 +32,9 @@ import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.TransformerException;
import org.opensaml.saml2.core.Attribute;
-import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.ws.message.decoder.MessageDecodingException;
-import org.opensaml.ws.soap.common.SOAPException;
-import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
@@ -45,8 +42,11 @@ import org.springframework.stereotype.Component;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -55,12 +55,12 @@ import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCr
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
-import at.gv.egovernment.moa.id.data.FederatedAuthenticatenContainer;
import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
@@ -73,11 +73,9 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
-import at.gv.egovernment.moa.id.storage.ITransactionStorage;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -88,11 +86,12 @@ import at.gv.egovernment.moa.util.MiscUtil;
@Component("ReceiveFederatedAuthnResponseTask")
public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
- @Autowired private SAMLVerificationEngine samlVerificationEngine;
+ @Autowired private SAMLVerificationEngineSP samlVerificationEngine;
@Autowired private FederatedAuthCredentialProvider credentialProvider;
@Autowired private SSOManager ssoManager;
@Autowired private AttributQueryBuilder attributQueryBuilder;
- @Autowired private ITransactionStorage transactionStorage;
+ @Autowired private AuthenticationDataBuilder authDataBuilder;
+
/* (non-Javadoc)
@@ -106,13 +105,16 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
try {
IDecoder decoder = null;
+ MOAURICompare comperator = null;
//select Response Binding
if (request.getMethod().equalsIgnoreCase("POST")) {
decoder = new PostBinding();
+ comperator = new MOAURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_POST);
Logger.trace("Receive PVP Response from federated IDP, by using POST-Binding.");
} else if (request.getMethod().equalsIgnoreCase("GET")) {
decoder = new RedirectBinding();
+ comperator = new MOAURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_REDIRECT);
Logger.trace("Receive PVP Response from federated IDP, by using Redirect-Binding.");
} else {
@@ -123,7 +125,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
}
//decode PVP response object
- msg = (InboundMessage) decoder.decode(request, response, MOAMetadataProvider.getInstance(), true);
+ msg = (InboundMessage) decoder.decode(
+ request, response, MOAMetadataProvider.getInstance(), true,
+ comperator);
if (MiscUtil.isEmpty(msg.getEntityID())) {
throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
@@ -179,8 +183,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
} else {
//SP is real Service-Provider --> check attributes in response
// and start Attribute-Query if required
-
- //get authenticationData and store it into MOASession
+
getAuthDataFromInterfederation(extractor, pendingReq.getOnlineApplicationConfiguration(),
idpConfig);
@@ -197,7 +200,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
//store valid assertion into pending-request
pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg);
-
+ pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_ENTITYID, processedMsg.getEntityID());
+
//store pending-request
requestStoreage.storePendingRequest(pendingReq);
@@ -245,55 +249,17 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
try {
Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... ");
Collection<String> requestedAttr = pendingReq.getRequestedAttributes();
-
+
//check if SAML2 Assertion contains a minimal set of attributes
if (!extractor.containsAllRequiredAttributes()) {
- Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");
- //collect attributes by using BackChannel communication
- String endpoint = idpConfig.getIDPAttributQueryServiceURL();
- if (MiscUtil.isEmpty(endpoint)) {
- Logger.error("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix());
- throw new ConfigurationException("config.26", new Object[]{idpConfig.getPublicURLPrefix()});
-
- }
-
+ Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");
+
//build attributQuery request
List<Attribute> attributs =
attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator());
- AttributeQuery query =
- attributQueryBuilder.buildAttributQueryRequest(extractor.getNameID(), endpoint, attributs);
-
- //build SOAP request
- List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
- if (xmlObjects.size() == 0) {
- Logger.error("Receive emptry AttributeQuery response-body.");
- throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null);
-
- }
-
- if (xmlObjects.get(0) instanceof Response) {
- Response intfResp = (Response) xmlObjects.get(0);
-
- //validate PVP 2.1 response
- try {
- samlVerificationEngine.verifyIDPResponse(intfResp,
- TrustEngineFactory.getSignatureKnownKeysTrustEngine(
- MOAMetadataProvider.getInstance()));
-
- //create assertion attribute extractor from AttributeQuery response
- extractor = new AssertionAttributeExtractor(intfResp);
-
- } catch (Exception e) {
- Logger.warn("PVP 2.1 assertion validation FAILED.", e);
- throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e);
- }
-
- } else {
- Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
- throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null);
-
- }
+ //request IDP to get additional attributes
+ extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(), idpConfig);
} else {
Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. ");
@@ -314,14 +280,13 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el));
Logger.debug("Add PVP-attribute " + el + " into MOASession");
- }
-
- } catch (SOAPException e) {
- throw new BuildException("builder.06", null, e);
-
- } catch (SecurityException e) {
- throw new BuildException("builder.06", null, e);
+ }
+ //set validTo from this federated IDP response
+ moasession.setGenericDataToSession(
+ AuthenticationSessionStorageConstants.FEDERATION_RESPONSE_VALIDE_TO,
+ extractor.getAssertionNotOnOrAfter());
+
} catch (AttributQueryException e) {
throw new BuildException("builder.06", null, e);
@@ -334,6 +299,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
} catch (AssertionAttributeExtractorExeption e) {
throw new BuildException("builder.06", null, e);
+ } catch (MOAIDException e) {
+ throw new BuildException("builder.06", null, e);
+
}
}
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index 5eb39880e..9d0dac0f8 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -26,9 +26,12 @@ import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.List;
import java.util.Vector;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;
import javax.xml.namespace.QName;
import javax.xml.parsers.ParserConfigurationException;
@@ -40,7 +43,10 @@ import org.springframework.stereotype.Service;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator;
import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder;
@@ -48,7 +54,6 @@ import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl;
-import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.ParseException;
@@ -61,7 +66,9 @@ import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.config.auth.data.SAML1ConfigurationParameters;
import at.gv.egovernment.moa.id.data.AuthenticationData;
+import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.storage.ITransactionStorage;
import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.logging.Logger;
@@ -262,15 +269,20 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
person.getIdentification().add(id );
Value value = new Value();
id.setValue(value );
-
- id.setType(authData.getIdentificationType());
- //add baseID if it is requested and available
- if ( MiscUtil.isNotEmpty(authData.getIdentificationValue()) &&
- saml1parameter.isProvideIdentityLink() )
+
+ if ( MiscUtil.isNotEmpty(authData.getIdentificationValue()) &&
+ saml1parameter.isProvideIdentityLink() && !authData.isBusinessService()) {
+ //add baseID if it is requested and available and SP is publicService
value.setValue(authData.getIdentificationValue());
- else
- value.setValue("");
-
+ id.setType(authData.getIdentificationType());
+
+ } else {
+ //otherwise add bPK
+ value.setValue(authData.getBPK());
+ id.setType(authData.getBPKType());
+
+ }
+
familyName.setValue(authData.getFamilyName());
familyName.setPrimary("undefined");
name.getGivenName().add(authData.getGivenName());
@@ -310,14 +322,15 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
}
- String samlAssertion;
+ String samlAssertion;
+
+ //add mandate info's
if (authData.isUseMandate()) {
List<ExtendedSAMLAttribute> oaAttributes = authData.getExtendedSAMLAttributesOA();
- //only provide full mandate if it is included.
- //In case of federation only a short mandate could be include
+ //only provide full mandate if it is included.
if (saml1parameter.isProvideFullMandatorData()
- && authData.getMISMandate().isFullMandateIncluded()) {
+ && authData.getMISMandate() != null) {
try {
@@ -442,33 +455,36 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
throw new AuthenticationException("auth.10", new Object[] {
REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID });
- IdentityLink tempIdentityLink = null;
-
+ Element prPerson = null;
+ String identificationType = "";
+ String identificationValue = "";
+
Element mandate = authData.getMandate();
+ if (mandate == null) {
+ //no full-mandate include
+ Logger.info("AuthData contains no full-mandate. Starting 'mandateDate' generation from PVP attributes ...");
+ mandate = generateMandateDateFromPVPMandateAttributes(authData);
+
+ }
- if (authData.isUseMandate()) {
- tempIdentityLink = new IdentityLink();
+ if (mandate != null) {
Element mandator = ParepUtils.extractMandator(mandate);
String dateOfBirth = "";
- Element prPerson = null;
String familyName = "";
String givenName = "";
- String identificationType = "";
- String identificationValue = "";
if (mandator != null) {
boolean physical = ParepUtils.isPhysicalPerson(mandator);
if (physical) {
- familyName = ParepUtils.extractText(mandator,
- "descendant-or-self::pr:Name/pr:FamilyName/text()");
- givenName = ParepUtils.extractText(mandator,
- "descendant-or-self::pr:Name/pr:GivenName/text()");
- dateOfBirth = ParepUtils
- .extractMandatorDateOfBirth(mandator);
+ familyName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:FamilyName/text()");
+ givenName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:GivenName/text()");
+ dateOfBirth = ParepUtils.extractMandatorDateOfBirth(mandator);
+
} else {
familyName = ParepUtils.extractMandatorFullName(mandator);
+
}
- identificationType = ParepUtils.getIdentification(mandator,
- "Type");
+
+ identificationType = ParepUtils.getIdentification(mandator, "Type");
identificationValue = ParepUtils.extractMandatorWbpk(mandator);
prPerson = ParepUtils.extractPrPersonOfMandate(mandate);
@@ -495,33 +511,19 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
ParepUtils
.HideStammZahlen(prPerson, true, null, null, true);
}
-
- tempIdentityLink.setDateOfBirth(dateOfBirth);
- tempIdentityLink.setFamilyName(familyName);
- tempIdentityLink.setGivenName(givenName);
- tempIdentityLink.setIdentificationType(identificationType);
- tempIdentityLink.setIdentificationValue(identificationValue);
- tempIdentityLink.setPrPerson(prPerson);
- try {
- tempIdentityLink.setSamlAssertion(authData.getIdentityLink()
- .getSamlAssertion());
- } catch (Exception e) {
- throw new ValidateException("validator.64", null);
- }
-
}
-
+
}
-
- Element mandatePerson = tempIdentityLink.getPrPerson();
-
- String mandateData = null;
- try {
+
+ if (prPerson == null) {
+ Logger.warn("Mandates are enabled, but no mandate-information is found in authData.");
+ throw new AuthenticationException("auth.16", new Object[] { "Mandates are enabled, but no mandate information is included" });
+ }
+
+ try {
boolean provideStammzahl = oaParam.getSAML1Parameter().isProvideStammzahl();
-
- String oatargetType;
-
+ String oatargetType;
if(oaParam.getBusinessService()) {
if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
oatargetType = oaParam.getIdentityLinkDomainIdentifier();
@@ -530,64 +532,166 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
} else {
oatargetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
+
}
- Element prIdentification = (Element) mandatePerson
- .getElementsByTagNameNS(Constants.PD_NS_URI,
- "Identification").item(0);
+ Element prIdentification = (Element) prPerson.
+ getElementsByTagNameNS(Constants.PD_NS_URI,"Identification").item(0);
- if (!oatargetType.equals(tempIdentityLink.getIdentificationType())) {
-
- String isPrPerson = mandatePerson.getAttribute("xsi:type");
+ if (!oatargetType.equals(identificationType)) {
+ String isPrPerson = prPerson.getAttribute("xsi:type");
if (!StringUtils.isEmpty(isPrPerson)) {
if (isPrPerson.equalsIgnoreCase("pr:PhysicalPerson")) {
- String baseid = getBaseId(mandatePerson);
- Element identificationBpK = createIdentificationBPK(mandatePerson,
- baseid, oaParam.getTarget());
-
- if (!provideStammzahl) {
- prIdentification.getFirstChild().setTextContent("");
+
+ String baseid = getBaseId(prPerson);
+ Element identificationBpK;
+ if (MiscUtil.isNotEmpty(baseid)) {
+ identificationBpK = createIdentificationBPK(prPerson, baseid, oaParam.getTarget());
+
+ if (!provideStammzahl) {
+ prIdentification.getFirstChild().setTextContent("");
+ }
+
+ prPerson.insertBefore(identificationBpK,
+ prIdentification);
+
+ } else {
+ Logger.info("No baseID included. --> Build 'MandateDate' without baseID");
+
}
+
+
- mandatePerson.insertBefore(identificationBpK,
- prIdentification);
+
}
}
} else {
-
-// Element identificationBpK = mandatePerson.getOwnerDocument()
-// .createElementNS(Constants.PD_NS_URI, "Identification");
-// Element valueBpK = mandatePerson.getOwnerDocument().createElementNS(
-// Constants.PD_NS_URI, "Value");
-//
-// valueBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode(
-// tempIdentityLink.getIdentificationValue()));
-// Element typeBpK = mandatePerson.getOwnerDocument().createElementNS(
-// Constants.PD_NS_URI, "Type");
-// typeBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode(
-// "urn:publicid:gv.at:cdid+bpk"));
-// identificationBpK.appendChild(valueBpK);
-// identificationBpK.appendChild(typeBpK);
-//
-// mandatePerson.insertBefore(identificationBpK, prIdentification);
+ ;
}
-
- mandateData = DOMUtils.serializeNode(mandatePerson);
+ return DOMUtils.serializeNode(prPerson);
} catch (TransformerException e1) {
- throw new AuthenticationException("auth.16",
- new Object[] { GET_MIS_SESSIONID });
+ throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID });
} catch (IOException e1) {
- throw new AuthenticationException("auth.16",
- new Object[] { GET_MIS_SESSIONID });
+ throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID });
}
- return mandateData;
}
+ private Element generateMandateDateFromPVPMandateAttributes(IAuthData authdata) throws BuildException {
+ String legalSourcePin = authdata.getGenericData(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class);
+ String legalSourceType = authdata.getGenericData(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, String.class);
+ String legalCommonName = authdata.getGenericData(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME, String.class);
+
+ String natSourcePin = authdata.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class);
+ String natSourcePinType = authdata.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class);
+ String natbPK = authdata.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class);
+
+ String natGivenName = authdata.getGenericData(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME, String.class);
+ String natFamilyName = authdata.getGenericData(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME, String.class);
+ String natDateOfBirth = authdata.getGenericData(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME, String.class);
+
+ Mandate mandateObject = new Mandate();
+ Mandator mandator = new Mandator();
+ mandateObject.setMandator(mandator);
+
+ if (MiscUtil.isNotEmpty(legalCommonName) && MiscUtil.isNotEmpty(legalSourceType)
+ && MiscUtil.isNotEmpty(legalSourcePin)) {
+ Logger.debug("Build 'mandateDate' element for legal person ...");
+ at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType legalperson =
+ new at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType();
+ at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType legalID =
+ new at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType();
+ at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value idvalue =
+ new at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value();
+
+ legalID.setValue(idvalue );
+ legalperson.getIdentification().add(legalID );
+ mandator.setCorporateBody(legalperson);
+ legalperson.setFullName(legalCommonName);
+ legalID.setType(legalSourceType);
+ idvalue.setValue(legalSourcePin);
+
+ } else if (MiscUtil.isNotEmpty(natFamilyName) && MiscUtil.isNotEmpty(natGivenName) && MiscUtil.isNotEmpty(natDateOfBirth)
+ && (MiscUtil.isNotEmpty(natSourcePin) || MiscUtil.isNotEmpty(natbPK))){
+ Logger.debug("Build 'mandateDate' element for natural person ...");
+ at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType physPerson =
+ new at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType();
+ at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType persName =
+ new at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType();
+ at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName familyName =
+ new at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName();
+ at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType persID =
+ new at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType();
+ at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value idValue =
+ new at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value();
+
+ physPerson.setName(persName );
+ persName.getFamilyName().add(familyName );
+ physPerson.getIdentification().add(persID );
+ persID.setValue(idValue );
+ mandator.setPhysicalPerson(physPerson);
+
+ String[] pvp2GivenName = natGivenName.split(" ");
+ for(int i=0; i<pvp2GivenName.length; i++)
+ persName.getGivenName().add(pvp2GivenName[i]);
+
+ familyName.setValue(natFamilyName);
+ physPerson.setDateOfBirth(natDateOfBirth);
+
+ if (MiscUtil.isNotEmpty(natSourcePin)) {
+ persID.setType(Constants.URN_PREFIX_BASEID);
+ idValue.setValue(natSourcePin);
+
+ } else {
+ String[] pvp2bPK = natbPK.split(":");
+ if (pvp2bPK.length == 2) {
+ idValue.setValue(pvp2bPK[1]);
+ Pattern pattern = Pattern.compile(MOAIDAuthConstants.REGEX_PATTERN_TARGET);
+ Matcher matcher = pattern.matcher(pvp2bPK[0]);
+ if (matcher.matches())
+ persID.setType(Constants.URN_PREFIX_CDID + "+" + pvp2bPK[0]);
+
+ //TODO: maybe change to this, because original SAML1 response has
+ // target Constants.URN_PREFIX_BPK
+ //persID.setType(Constants.URN_PREFIX_BPK);
+
+
+ else
+ persID.setType(Constants.URN_PREFIX_WBPK + "+" + pvp2bPK[0]);
+
+ } else {
+ Logger.warn("Receive mandator bPK from federation with an unsupported format. " + natbPK);
+ throw new BuildException("auth.16", new Object[]{"Receive mandator bPK from federation with an unsupported format."});
+
+ }
+ }
+
+ } else {
+ Logger.error("mandateDate' elemente could not generated. AuthData contains not all PVP-attributes which are necessary.");
+ throw new BuildException("auth.16", new Object[]{"'mandateDate' elemente could not generated. AuthData contains not all PVP-attributes which are necessary."});
+
+ }
+
+ try {
+ JAXBContext jc = JAXBContext.newInstance("at.gv.e_government.reference.namespace.mandates._20040701_");
+ Marshaller m = jc.createMarshaller();
+ ByteArrayOutputStream stream = new ByteArrayOutputStream();
+ m.marshal(mandateObject, stream);
+ stream.close();
+
+ return DOMUtils.parseDocument(new String(stream.toByteArray(), "UTF-8"), false, null, null).getDocumentElement();
+
+ } catch (JAXBException | IOException | SAXException | ParserConfigurationException e) {
+ Logger.error("Failed to parse short mandate", e);
+ throw new BuildException("auth.16", new Object[]{"Failed to parse 'mandateDate element'"}, e);
+
+ }
+
+ }
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
index f3650065e..8cc894040 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
@@ -189,11 +189,16 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController {
revisionsLogger.logEvent(pendingRequest, MOAIDEventConstants.AUTHPROTOCOL_SAML1_AUTHNREQUEST);
- if (MiscUtil.isNotEmpty(target))
+ if (MiscUtil.isNotEmpty(target)) {
pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, target);
-
- else
+ pendingRequest.setTarget(target);
+
+ }
+ else {
pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, oaParam.getTarget());
+ pendingRequest.setTarget(oaParam.getTarget());
+
+ }
//AuthnRequest needs authentication
pendingRequest.setNeedAuthentication(true);
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
index 64c0a0c8e..d93aebcec 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
@@ -45,7 +45,8 @@ public class SAML1RequestImpl extends RequestImpl {
private static final long serialVersionUID = -4961979968425683115L;
private String sourceID = null;
-
+ private String target = null;
+
/**
* @return the sourceID
*/
@@ -60,6 +61,22 @@ public class SAML1RequestImpl extends RequestImpl {
this.sourceID = sourceID;
}
+
+
+ /**
+ * @return the target
+ */
+ public String getTarget() {
+ return target;
+ }
+
+ /**
+ * @param target the target to set
+ */
+ public void setTarget(String target) {
+ this.target = target;
+ }
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes()
*/