authorThomas Lenz <tlenz@iaik.tugraz.at>2018-03-13 13:55:21 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2018-03-13 13:55:21 +0100
commit74e5abe316de5748073cc69ca7ad1202b48daa5a (patch)
tree9da6f48602172205638fca627abdfc47e52d5923 /id/server/modules
parent5590e7a7477a5598736563b95e0c51ab9cb3c229 (diff)
add configuration parameter to disable 'targetFriendlyName' validation in signed AuthBlock
Diffstat (limited to 'id/server/modules')
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java9
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java8
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java19
3 files changed, 28 insertions, 8 deletions
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 7c435d0b0..3d0073276 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -4,6 +4,7 @@ package at.gv.egovernment.moa.id.auth;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.util.Calendar;
@@ -20,6 +21,7 @@ import org.apache.xpath.XPathAPI;
import org.opensaml.xml.util.Base64;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
+import org.springframework.util.Base64Utils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
@@ -65,6 +67,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IMISMandate;
import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.config.ConfigurationProviderImpl;
import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
@@ -447,7 +450,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
.build(authBlock, oaParam.getKeyBoxIdentifier(),
transformsInfos);
- SpecificTraceLogger.trace("Req. Authblock: " + createXMLSignatureRequest);
+ SpecificTraceLogger.trace("Req. Authblock: " + Base64Utils.encodeToString(createXMLSignatureRequest.getBytes()));
SpecificTraceLogger.trace("OA config: " + pendingReq.getOnlineApplicationConfiguration().toString());
SpecificTraceLogger.trace("saml1RequestedTarget: " + pendingReq.getGenericData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class));
SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + pendingReq.getGenericData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class));
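Review bot: `createXMLSignatureRequest.getBytes()` on the new trace line uses the platform default charset, so the Base64 text written to the log depends on the JVM's `file.encoding`; use `createXMLSignatureRequest.getBytes(StandardCharsets.UTF_8)` (importing `java.nio.charset.StandardCharsets`) so the dump decodes the same way on every host. With that form the `java.io.UnsupportedEncodingException` import added in this file's first hunk is not needed, since nothing in the diff calls the String-charset overload that throws it; it looks like a leftover. The same charset-less `getBytes()` is used in VerifyAuthenticationBlockTask and twice in CreateXMLSignatureResponseValidator. Base64-wrapping stops the request's line breaks from being injected into the log, but the full signature request, including the AuthBlock content, still ends up in the trace output; that is acceptable only while SpecificTraceLogger remains a trace-level facility, which this diff does not show.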
@@ -962,7 +965,9 @@ public class AuthenticationServer extends BaseAuthenticationServer {
new CreateXMLSignatureResponseValidator().validateSSO(csresp, session, pendingReq);
else
- new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq);
+ new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq,
+ authConfig.getBasicMOAIDConfigurationBoolean(
+ ConfigurationProviderImpl.VALIDATION_AUTHBLOCK_TARGETFRIENDLYNAME, true));
// builds a <VerifyXMLSignatureRequest> for a MOA-SPSS call
List<String> vtids = authConfig.getMoaSpAuthBlockVerifyTransformsInfoIDs();
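Review bot: The non-SSO branch is now a three-line statement under a brace-less `else`, with the configuration read buried inside the argument list; hoisting it keeps the dispatch readable and names the flag where it is decided: `boolean validateTargetFriendlyName = authConfig.getBasicMOAIDConfigurationBoolean(ConfigurationProviderImpl.VALIDATION_AUTHBLOCK_TARGETFRIENDLYNAME, true);` followed by `else { new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq, validateTargetFriendlyName); }`. The `true` default keeps the check enabled unless an operator explicitly relaxes it, which is the right failure direction; a short comment such as `// strict by default; only an explicit config entry relaxes the TargetFriendlyName check` would record that intent. The if/else this hunk modifies starts before the hunk.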
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
index ddd52c337..5730224e5 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
@@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
import static at.gv.egovernment.moa.id.commons.MOAIDAuthConstants.PARAM_XMLRESPONSE;
import java.io.IOException;
+import java.io.UnsupportedEncodingException;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
@@ -12,6 +13,7 @@ import org.apache.commons.fileupload.FileUploadException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
+import org.springframework.util.Base64Utils;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.AuthenticationServer;
@@ -19,9 +21,11 @@ import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
/**
* Verifies the signed authentication block (provided as {@code CreateXMLSignatureResponse}).<p/>
@@ -79,7 +83,9 @@ public class VerifyAuthenticationBlockTask extends AbstractAuthServletTask {
}
String createXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
-
+ if (createXMLSignatureResponse != null)
+ SpecificTraceLogger.trace("Raw signed AuthBlock: " + Base64Utils.encodeToString(createXMLSignatureResponse.getBytes()));
+
try {
//check if authblock is received
if (!ParamValidatorUtils.isValidXMLDocument(createXMLSignatureResponse))
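Review bot: The new trace line dumps the raw `PARAM_XMLRESPONSE` value before `isValidXMLDocument` has examined it, which is useful for debugging a rejected submission, but `getBytes()` without a charset makes the Base64 dump platform-dependent; use `createXMLSignatureResponse.getBytes(StandardCharsets.UTF_8)`. The brace-less `if` should follow the braced style used elsewhere in the file: `if (createXMLSignatureResponse != null) { SpecificTraceLogger.trace("Raw signed AuthBlock: " + Base64Utils.encodeToString(createXMLSignatureResponse.getBytes(StandardCharsets.UTF_8))); }`. The imports for `java.io.UnsupportedEncodingException` and `at.gv.egovernment.moa.util.MiscUtil` added earlier in this file have no use in the added lines and appear to be leftovers; if nothing outside the diff needs them, drop them. The enclosing method starts before this hunk and continues past it.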
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 8e3ccb01b..1d2887e6a 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -54,6 +54,7 @@ import java.util.List;
import javax.xml.bind.DatatypeConverter;
import org.jaxen.SimpleNamespaceContext;
+import org.springframework.util.Base64Utils;
import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder;
@@ -135,7 +136,7 @@ public class CreateXMLSignatureResponseValidator {
* @throws BuildException
* @throws ConfigurationException
*/
- public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq)
+ public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq, boolean validateTargetFriendlyName)
throws ValidateException, BuildException, ConfigurationException {
// A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
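Review bot: The Javadoc directly above the changed signature still describes the old parameter list; add `@param validateTargetFriendlyName when {@code false}, a mismatch between the AuthBlock's TargetFriendlyName and the expected value is only logged instead of rejected` so the relaxed mode is visible at the API boundary. Adding a fourth positional parameter also breaks any other caller of `validate(...)`; the diff updates only AuthenticationServer, so either confirm no other caller exists or keep a three-argument overload that delegates with `true`, which preserves the strict behaviour for callers that are not updated. The method body continues past this hunk.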
@@ -272,8 +273,16 @@ public class CreateXMLSignatureResponseValidator {
}
String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
- if (!refValueSector.equals((String)samlAttribute.getValue()))
- throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector});
+ if (!refValueSector.equals((String)samlAttribute.getValue())) {
+ if (validateTargetFriendlyName)
+ throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector});
+
+ else {
+ Logger.warn("AuthBlock 'TargetFriendlyName' " + samlAttribute.getValue() + " does not match to " + refValueSector);
+
+ }
+
+ }
} else
throw new ValidateException("validator.12", null);
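Review bot: The brace style inside the new mismatch block is inconsistent (brace-less inner `if`, braced `else` padded with blank lines), and the warning does not say that the mismatch was accepted because validation was switched off, which is exactly what someone reading the log later needs to know to tell a deliberate relaxation from a bug. Once the throwing branch returns, the `else` is unnecessary and the block collapses to a guard plus a warn. `samlAttribute.getValue()` comes from the submitted AuthBlock and is written to the log verbatim; if that value can contain line breaks, consider the same kind of neutralisation the trace lines in this diff apply. The enclosing method starts and ends outside this hunk.
```java
if (!refValueSector.equals((String) samlAttribute.getValue())) {
    if (validateTargetFriendlyName) {
        throw new ValidateException("validator.13", new Object[] {(String) samlAttribute.getValue(), refValueSector});
    }
    // check relaxed by configuration: accept the AuthBlock but leave an audit trail of the mismatch
    Logger.warn("AuthBlock 'TargetFriendlyName' " + samlAttribute.getValue()
            + " does not match to " + refValueSector + " (validation disabled by configuration)");
}
```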
@@ -429,7 +438,7 @@ public class CreateXMLSignatureResponseValidator {
} catch (Exception e) {
SpecificTraceLogger.trace("Validate AuthBlock without SSO");
- SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock());
+ SpecificTraceLogger.trace("Signed AuthBlock: " + Base64Utils.encodeToString(session.getAuthBlock().getBytes()));
SpecificTraceLogger.trace("OA config: " + oaParam.toString());
SpecificTraceLogger.trace("saml1RequestedTarget: " + saml1RequestedTarget);
SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + saml1RequestedFriendlyName);
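Review bot: `session.getAuthBlock().getBytes()` on the replaced trace line throws a NullPointerException when no AuthBlock is stored in the session, and because this runs inside `catch (Exception e)`, which in the SSO variant at the end of this diff rethrows `e`, the NPE would replace the original validation failure with an unrelated one; the old string concatenation tolerated `null`. Guard it and fix the charset together: `String authBlock = session.getAuthBlock();` then `SpecificTraceLogger.trace("Signed AuthBlock: " + (authBlock == null ? "null" : Base64Utils.encodeToString(authBlock.getBytes(StandardCharsets.UTF_8))));`. The same construct appears in the SSO variant further down. The catch block begins in this hunk but ends outside it.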
@@ -662,7 +671,7 @@ public class CreateXMLSignatureResponseValidator {
} catch (Exception e) {
SpecificTraceLogger.trace("Validate AuthBlock with SSO");
- SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock());
+ SpecificTraceLogger.trace("Signed AuthBlock: " + Base64Utils.encodeToString(session.getAuthBlock().getBytes()));
SpecificTraceLogger.trace("OA config: " + pendingReq.getOnlineApplicationConfiguration().toString());
throw e;