authorThomas Lenz <tlenz@iaik.tugraz.at>2016-03-10 12:31:38 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-03-10 12:31:38 +0100
commita6cadad81df2b44a99ca452ea1737abf1fa7d3e8 (patch)
treea9358c03beaed2c8955655304f5b081a40b14360 /id/server/modules
parente34d8e8a2292a0ea049ab3b3aa6e649aa215e82b (diff)
downloadmoa-id-spss-a6cadad81df2b44a99ca452ea1737abf1fa7d3e8.tar.gz
moa-id-spss-a6cadad81df2b44a99ca452ea1737abf1fa7d3e8.tar.bz2
moa-id-spss-a6cadad81df2b44a99ca452ea1737abf1fa7d3e8.zip
add additional PVP response validation
Diffstat (limited to 'id/server/modules')
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java3
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java23
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java9
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java5
4 files changed, 37 insertions, 3 deletions
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java
index e4eaa5ee7..b50d1cf4e 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java
@@ -75,6 +75,9 @@ public class ELGAMandatesAuthConstants {
Collections.unmodifiableList(new ArrayList<Pair<String, String>>() {
private static final long serialVersionUID = 1L;
{
+ //add PVP Version attribute
+ add(Pair.newInstance(PVPConstants.PVP_VERSION_NAME, PVPConstants.PVP_VERSION_FRIENDLY_NAME));
+
//request mandate type
add(Pair.newInstance(PVPConstants.MANDATE_TYPE_NAME, PVPConstants.MANDATE_TYPE_FRIENDLY_NAME));
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java
index 0688e7c64..f976793b8 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java
@@ -46,6 +46,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateServi
import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
@@ -142,6 +143,8 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
}
+
+
//load MOASession object
defaultTaskInitialization(request, executionContext);
@@ -216,10 +219,28 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
Logger.debug("Start PVP-2.1 assertion processing... ");
Response samlResp = (Response) msg.getResponse();
+ //validate 'inResponseTo' attribute
+ String authnReqID = pendingReq.getGenericData(
+ PVPTargetConfiguration.DATAID_INTERFEDERATION_REQUESTID, String.class);
+ String inResponseTo = samlResp.getInResponseTo();
+
+ if (MiscUtil.isEmpty(authnReqID) || MiscUtil.isEmpty(inResponseTo) ||
+ !authnReqID.equals(inResponseTo)) {
+ Logger.info("Validation of request/response IDs FAILED."
+ + " ReqID:" + authnReqID + " InRespTo:" + inResponseTo);
+ throw new AuthnResponseValidationException("sp.pvp2.07",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,
+ "'InResponseTo'"});
+
+ }
+
// check SAML2 response status-code
if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
//validate PVP 2.1 assertion
- samlVerificationEngine.validateAssertion(samlResp, true, credentialProvider.getIDPAssertionEncryptionCredential());
+ samlVerificationEngine.validateAssertion(samlResp, true,
+ credentialProvider.getIDPAssertionEncryptionCredential(),
+ pendingReq.getAuthURL() + ELGAMandatesAuthConstants.ENDPOINT_METADATA,
+ ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING);
msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement());
return msg;
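Review bot: The new check compares only the Response element's InResponseTo (`samlResp.getInResponseTo()`) with the stored request ID; whether the Assertion's SubjectConfirmationData InResponseTo is also checked depends on `samlVerificationEngine.validateAssertion`, which is outside this hunk, so a comment on the new block should say which level is covered here, e.g. `// Response-level InResponseTo is compared against the ID persisted by RequestELGAMandateTask; TODO confirm the assertion-level SubjectConfirmationData is checked by validateAssertion`. The DATAID_INTERFEDERATION_REQUESTID value is read but not cleared after the match, so a second delivery of the same Response would pass this check for as long as the pending request survives; if the pending request is not removed downstream, clear the stored ID after a successful match. The info-level failure log prints both IDs, which is fine for correlation provided the request ID is not secret — per RequestELGAMandateTask in this commit it is the mandate reference value. The enclosing method starts and ends outside the hunk.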
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
index 2a3e72640..d25921167 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
@@ -46,6 +46,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateServi
import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider;
import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
@@ -137,7 +138,13 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask {
//set MandateReferenceValue as RequestID
authnReqConfig.setRequestID(moasession.getMandateReferenceValue());
-
+ pendingReq.setGenericDataToSession(
+ PVPTargetConfiguration.DATAID_INTERFEDERATION_REQUESTID,
+ authnReqConfig.getRequestID());
+
+ //store pending-request
+ requestStoreage.storePendingRequest(pendingReq);
+
//build and transmit AuthnRequest
authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response);
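Review bot: `requestStoreage.storePendingRequest(pendingReq)` now runs before `buildAuthnRequest`, so if building or transmitting the AuthnRequest throws, a pending request carrying DATAID_INTERFEDERATION_REQUESTID stays in the store; confirm the caller's error path removes it, otherwise a later response bearing that ID would still pass the InResponseTo check in ReceiveElgaMandateResponseTask. The persisted ID is `moasession.getMandateReferenceValue()` (set two lines above), so the receiver's check is only as strong as that value's uniqueness and unpredictability, which deserves a comment at the `setGenericDataToSession` call, e.g. `// request ID doubles as the InResponseTo reference checked in ReceiveElgaMandateResponseTask; must be unique per request`. If the reference value can be empty, the receiver rejects every response with sp.pvp2.07, which fails closed but hides the real cause; a guard here would surface that earlier. The enclosing method starts and ends outside the hunk.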
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
index d5c5354c0..01163efd6 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
@@ -347,7 +347,10 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
// check SAML2 response status-code
if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
//validate PVP 2.1 assertion
- samlVerificationEngine.validateAssertion(samlResp, true, credentialProvider.getIDPAssertionEncryptionCredential());
+ samlVerificationEngine.validateAssertion(samlResp, true,
+ credentialProvider.getIDPAssertionEncryptionCredential(),
+ pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA,
+ FederatedAuthConstants.MODULE_NAME_FOR_LOGGING);
msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement());
return msg;
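Review bot: The expected identifier passed to `validateAssertion` is built by string concatenation, `pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA`, and the same pattern is duplicated with the ELGA constants in ReceiveElgaMandateResponseTask in this commit; what validateAssertion compares it against (audience, issuer, or something else) is not visible here, and a trailing-slash inconsistency in getAuthURL() would silently change the value being checked. Since getAuthURL() is whatever was stored on the pending request, confirm it derives from configuration rather than from the inbound request's Host header, otherwise the expected value under validation is influenced by the requester. Naming it once, `String expectedEntityId = pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA;` with a comment stating what it is compared against, would keep the two call sites from drifting. The enclosing method starts and ends outside the hunk.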