aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2019-08-08 07:40:20 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2019-09-03 10:37:50 +0200
commit3c7e34f087687f886590071f5811d80f223fc3d1 (patch)
treea2d5a474753557510adf91fd09114f5922f0dfa7 /id/server/modules
parent21e97c8104ff0ff0d91e59f7bf9bceb32fa80d03 (diff)
downloadmoa-id-spss-3c7e34f087687f886590071f5811d80f223fc3d1.tar.gz
moa-id-spss-3c7e34f087687f886590071f5811d80f223fc3d1.tar.bz2
moa-id-spss-3c7e34f087687f886590071f5811d80f223fc3d1.zip
re-add configuration parameter to disable 'targetFriendlyName' validation in signed AuthBlock
Diffstat (limited to 'id/server/modules')
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java8
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java7
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java20
3 files changed, 27 insertions, 8 deletions
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index a500a7c93..348c204bf 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -20,6 +20,7 @@ import org.apache.xpath.XPathAPI;
import org.opensaml.xml.util.Base64;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
+import org.springframework.util.Base64Utils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
@@ -69,6 +70,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
import at.gv.egovernment.moa.id.commons.api.exceptions.BKUException;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.config.ConfigurationProviderImpl;
import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.logging.Logger;
@@ -448,7 +450,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
.build(authBlock, oaParam.getKeyBoxIdentifier(),
transformsInfos);
- SpecificTraceLogger.trace("Req. Authblock: " + createXMLSignatureRequest);
+ SpecificTraceLogger.trace("Req. Authblock: " + Base64Utils.encodeToString(createXMLSignatureRequest.getBytes()));
SpecificTraceLogger.trace("OA config: " + pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class).toString());
SpecificTraceLogger.trace("saml1RequestedTarget: " + pendingReq.getRawData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class));
SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + pendingReq.getRawData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class));
@@ -965,7 +967,9 @@ public class AuthenticationServer extends BaseAuthenticationServer {
new CreateXMLSignatureResponseValidator().validateSSO(csresp, session, pendingReq);
else
- new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq);
+ new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq,
+ authConfig.getBasicConfigurationBoolean(
+ ConfigurationProviderImpl.VALIDATION_AUTHBLOCK_TARGETFRIENDLYNAME, true));
// builds a <VerifyXMLSignatureRequest> for a MOA-SPSS call
List<String> vtids = authConfig.getMoaSpAuthBlockVerifyTransformsInfoIDs();
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
index c8b562282..9b9b76ffc 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
@@ -12,6 +12,7 @@ import org.apache.commons.fileupload.FileUploadException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
+import org.springframework.util.Base64Utils;
import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
@@ -21,6 +22,7 @@ import at.gv.egovernment.moa.id.auth.AuthenticationServer;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import at.gv.egovernment.moa.logging.Logger;
@@ -80,7 +82,10 @@ public class VerifyAuthenticationBlockTask extends AbstractAuthServletTask {
}
String createXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
-
+ if (createXMLSignatureResponse != null)
+ SpecificTraceLogger.trace("Raw signed AuthBlock: " + Base64Utils.encodeToString(createXMLSignatureResponse.getBytes()));
+
+
try {
//check if authblock is received
if (!ParamValidatorUtils.isValidXMLDocument(createXMLSignatureResponse))
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 78d999971..49b2d2032 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -54,6 +54,7 @@ import java.util.List;
import javax.xml.bind.DatatypeConverter;
import org.jaxen.SimpleNamespaceContext;
+import org.springframework.util.Base64Utils;
import org.w3c.dom.Element;
import at.gv.egiz.eaaf.core.api.IRequest;
@@ -131,12 +132,13 @@ public class CreateXMLSignatureResponseValidator {
* The Method validate is used for validating an explicit {@link CreateXMLSignatureResponse}
* @param createXMLSignatureResponse
* @param session
- * @param pendingReq
+ * @param pendingReq
+ * @param validateTargetFriendlyName
* @throws ValidateException
* @throws BuildException
* @throws ConfigurationException
*/
- public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq)
+ public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq, boolean validateTargetFriendlyName)
throws ValidateException, BuildException, ConfigurationException, EAAFBuilderException {
// A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
IOAAuthParameters oaParam = pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class);
@@ -273,8 +275,16 @@ public class CreateXMLSignatureResponseValidator {
}
String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
- if (!refValueSector.equals((String)samlAttribute.getValue()))
- throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector});
+ if (!refValueSector.equals((String)samlAttribute.getValue())) {
+ if (validateTargetFriendlyName)
+ throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector});
+
+ else {
+ Logger.warn("AuthBlock 'TargetFriendlyName' " + samlAttribute.getValue() + " does not match to " + refValueSector);
+
+ }
+
+ }
} else
throw new ValidateException("validator.12", null);
@@ -430,7 +440,7 @@ public class CreateXMLSignatureResponseValidator {
} catch (Exception e) {
SpecificTraceLogger.trace("Validate AuthBlock without SSO");
- SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock());
+ SpecificTraceLogger.trace("Signed AuthBlock: " + Base64Utils.encodeToString(session.getAuthBlock().getBytes()));
SpecificTraceLogger.trace("OA config: " + oaParam.toString());
SpecificTraceLogger.trace("saml1RequestedTarget: " + saml1RequestedTarget);
SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + saml1RequestedFriendlyName);