aboutsummaryrefslogtreecommitdiff
path: root/id/server
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2018-03-12 13:35:46 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2018-03-12 14:16:17 +0100
commitb4c009b6d64cc17974e5917c10f92dbe987d826e (patch)
tree46e3777b7d62ac2d96110d6428d82706d1720345 /id/server
parenta30826d08c748daaf3d6cdc2329f985852822f54 (diff)
downloadmoa-id-spss-b4c009b6d64cc17974e5917c10f92dbe987d826e.tar.gz
moa-id-spss-b4c009b6d64cc17974e5917c10f92dbe987d826e.tar.bz2
moa-id-spss-b4c009b6d64cc17974e5917c10f92dbe987d826e.zip
add specific AuthBlock validation logging
Diffstat (limited to 'id/server')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/logging/SpecificTraceLogger.java18
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties4
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java36
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java8
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java997
6 files changed, 571 insertions, 502 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 99b4154e0..59bd3893d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -50,11 +50,14 @@ import java.io.IOException;
import java.io.Serializable;
import java.security.PrivateKey;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
+import java.util.Iterator;
import java.util.List;
import java.util.Map;
+import java.util.Map.Entry;
import java.util.Set;
import org.apache.commons.lang.SerializationUtils;
@@ -925,4 +928,11 @@ public boolean isUseAuthBlockTestTestStore() {
return false;
}
+public String toString() {
+ if (oaConfiguration != null)
+ return Arrays.asList(oaConfiguration).toString();
+
+ return "Object not initialized";
+}
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/logging/SpecificTraceLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/logging/SpecificTraceLogger.java
new file mode 100644
index 000000000..c12021f2c
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/logging/SpecificTraceLogger.java
@@ -0,0 +1,18 @@
+package at.gv.egovernment.moa.id.logging;
+
+
+import at.gv.egovernment.moa.logging.Logger;
+
+public class SpecificTraceLogger{
+
+ /**
+ * Enables Logging on Trace level for single specific parts
+ * @param message
+ */
+ public static void trace(Object message) {
+ if (Logger.isTraceEnabled()) {
+ Logger.traceWithOutEscaption(message);
+
+ }
+ }
+}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 05f58d5bc..4205f2175 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -161,7 +161,7 @@ validator.09=Die \u00F6ffentlichen Schl\u00FCssel des Identitiy Link stimmen nic
validator.10=Anzahl der URLs zur Authentisierungskomponente ung\u00FCltig {0}
validator.11="Gesch\\u00E4ftsbereich" wurde nicht in den SAML-Attributen gefunden {0}
validator.12=Der Namespace des SAML-Attributs "Gesch\\u00E4ftsbereich" ist ung\u00FCltig {0}
-validator.13=Das Target des 'Gesch\u00E4ftsbereichs' ist ung\u00FCltig {0}
+validator.13=Das Target des 'Gesch\u00E4ftsbereichs' ist ung\u00FCltig. Authblock: {0} , Config: {1}
validator.14="OA" wurde nicht in den SAML-Attributen gefunden {0}
validator.15=Der Namespace des SAML-Attributs "OA" ist ung\u00FCltig {0}
validator.16=Die vorkonfigurierte URL der OnlineApplikation ist fehlerhaft {0}
@@ -179,7 +179,7 @@ validator.25=Eine formal korrekte Zertifikatskette vom Signatorzertifikat zu ein
validator.26=OA Applikation ist eine Wirtschaftsapplikation, trotzdem ist ein SAML-Attribut "Gesch\u00E4ftsbereich" enthalten
validator.27=OA Applikation ist keine Wirtschaftsapplikation, trotzdem ist ein SAML-Attribut "wbPK" enthalten
-validator.28=Fehlerhafter Wert im "wbPK" SAML-Attribut {0}
+validator.28=Fehlerhafter Wert im "wbPK" SAML-Attribut. Authblock: {0} , Config: {1}
validator.29=Fehler beim Auslesen des "wbPK" SAML-Attributs {0}
validator.30=Der Namespace des SAML-Attributs "wbPK" ist ung\u00FCltig {0}
validator.31="wbPK" wurde nicht in den SAML-Attributen gefunden {0}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java
index 9152f2549..197247630 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/logging/Logger.java
@@ -86,12 +86,16 @@ public class Logger {
* <p>Mainly introduce because the <code>message</code> might be <code>null</code>.
*
* @param message the message
+ * @param escape if this flag is true than the message get escapted before logging
* @return the string
*/
- private static String prepareMessage(Object message) {
+ private static String prepareMessage(Object message, boolean escape) {
if(null == message)
return "no message given";
- return StringEscapeUtils.escapeHtml4(message.toString());
+ if (escape)
+ return StringEscapeUtils.escapeHtml4(message.toString());
+ else
+ return message.toString();
}
/**
@@ -124,7 +128,17 @@ public class Logger {
*/
public static void trace(Object message) {
org.slf4j.Logger logger = getLogger();
- logger.trace(prepareMessage(message));
+ logger.trace(prepareMessage(message, true));
+ }
+
+ /**
+ * Trace a message.
+ *
+ * @param message The message to trace.
+ */
+ public static void traceWithOutEscaption(Object message) {
+ org.slf4j.Logger logger = getLogger();
+ logger.trace(prepareMessage(message, false));
}
/**
@@ -157,7 +171,7 @@ public class Logger {
*/
public static void debug(Object message) {
org.slf4j.Logger logger = getLogger();
- logger.debug(prepareMessage(message));
+ logger.debug(prepareMessage(message, true));
}
/**
@@ -167,7 +181,7 @@ public class Logger {
*/
public static void info(Object message) {
org.slf4j.Logger logger = getLogger();
- logger.info(prepareMessage(message));
+ logger.info(prepareMessage(message, true));
}
/**
@@ -178,7 +192,7 @@ public class Logger {
*/
public static void info(String message, Object[] args) {
org.slf4j.Logger logger = getLogger();
- logger.info(prepareMessage(message), args);
+ logger.info(prepareMessage(message, true), args);
}
/**
@@ -188,7 +202,7 @@ public class Logger {
*/
public static void warn(Object message) {
org.slf4j.Logger logger = getLogger();
- logger.warn(prepareMessage(message));
+ logger.warn(prepareMessage(message, true));
}
/**
@@ -199,7 +213,7 @@ public class Logger {
*/
public static void warn(Object message, Throwable t) {
org.slf4j.Logger logger = getLogger();
- logger.warn(prepareMessage(message), t);
+ logger.warn(prepareMessage(message, true), t);
}
/**
@@ -209,7 +223,7 @@ public class Logger {
*/
public static void error(Object message) {
org.slf4j.Logger logger = getLogger();
- logger.error(prepareMessage(message));
+ logger.error(prepareMessage(message, true));
}
/**
@@ -220,7 +234,7 @@ public class Logger {
*/
public static void error(Object message, Throwable t) {
org.slf4j.Logger logger = getLogger();
- logger.error(prepareMessage(message), t);
+ logger.error(prepareMessage(message, true), t);
}
/**
@@ -231,7 +245,7 @@ public class Logger {
*/
public static void error(Object message, Object[] variables) {
org.slf4j.Logger logger = getLogger();
- logger.error(prepareMessage(message), variables);
+ logger.error(prepareMessage(message, true), variables);
}
/**
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index f7c3db8d1..7c435d0b0 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -66,6 +66,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
@@ -445,6 +446,12 @@ public class AuthenticationServer extends BaseAuthenticationServer {
String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder()
.build(authBlock, oaParam.getKeyBoxIdentifier(),
transformsInfos);
+
+ SpecificTraceLogger.trace("Req. Authblock: " + createXMLSignatureRequest);
+ SpecificTraceLogger.trace("OA config: " + pendingReq.getOnlineApplicationConfiguration().toString());
+ SpecificTraceLogger.trace("saml1RequestedTarget: " + pendingReq.getGenericData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class));
+ SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + pendingReq.getGenericData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class));
+
return createXMLSignatureRequest;
}
@@ -949,6 +956,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
throw new ParseException("parser.04", new Object[]{
REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}, e);
}
+
// validates <CreateXMLSignatureResponse>
if (pendingReq.needSingleSignOnFunctionality())
new CreateXMLSignatureResponseValidator().validateSSO(csresp, session, pendingReq);
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 827690ebd..8e3ccb01b 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -72,6 +72,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -136,7 +137,6 @@ public class CreateXMLSignatureResponseValidator {
*/
public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq)
throws ValidateException, BuildException, ConfigurationException {
-
// A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
String oaURL = oaParam.getPublicURLPrefix();
@@ -148,283 +148,294 @@ public class CreateXMLSignatureResponseValidator {
@Deprecated
String saml1RequestedFriendlyName = pendingReq.getGenericData(
MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class);
-
-
- Element samlAssertion = createXMLSignatureResponse.getSamlAssertion();
-
- //validate issuer
- String issuer = samlAssertion.getAttribute("Issuer");
- if (issuer == null) {
- // should not happen, because parser would dedect this
- throw new ValidateException("validator.32", null);
- }
- // replace ' in name with &#39;
- issuer = issuer.replaceAll("'", "&#39;");
- if (!issuer.equals(identityLink.getName()))
- throw new ValidateException("validator.33", new Object[] {issuer, identityLink.getName()});
-
-
- //validate issuerInstant
- String issueInstant = samlAssertion.getAttribute("IssueInstant");
- if (!issueInstant.equals(session.getIssueInstant()))
- throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
-
-
- //validate extended attributes
- SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
-
- boolean foundOA = false;
- boolean foundGB = false;
- boolean foundWBPK = false;
- int offset = 0;
-
- // check number of SAML attributes
- List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
- int extendedSAMLAttributesNum = 0;
- if (extendedSAMLAttributes != null) {
- extendedSAMLAttributesNum = extendedSAMLAttributes.size();
- }
- int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum;
-
- //remove one attribute from expected attributes if public SP target or wbPK is not part of AuthBlock
- if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
-
- //check number of attributes in AuthBlock response against expected number of attributes
- int actualSAMLAttributeNumber = samlAttributes.length;
- if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
- Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
- expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
- throw new ValidateException("validator.36",
- new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
-
- }
-
- //now check every single attribute
- SAMLAttribute samlAttribute = null;
- Pair<String, String> userSectorId = null;
- if (session.getSAMLAttributeGebeORwbpk()) {
- //check the first attribute ("Geschaeftsbereich" or "wbPK")
- samlAttribute = samlAttributes[0];
-
- //calculate bPK or wbPK as reference value for validation
- if (MiscUtil.isNotEmpty(saml1RequestedTarget))
- userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
- identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
- saml1RequestedTarget);
- else
- userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
- identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
- oaParam.getAreaSpecificTargetIdentifier());
-
- //every sector specific identifier that has not 'urn:publicid:gv.at:cdid+' as prefix
- // is internally handled as an AuthBlock with wbPK
- if (!userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
- if (!samlAttribute.getName().equals("wbPK")) {
- if (samlAttribute.getName().equals("Geschaeftsbereich")) {
- throw new ValidateException("validator.26", null);
-
- } else {
- throw new ValidateException("validator.37",
- new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
- }
- }
-
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundWBPK = true;
- try {
- Element attrValue = (Element)samlAttribute.getValue();
- String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
- String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
- if (!value.equals(userSectorId.getFirst()))
- throw new ValidateException("validator.28", null);
-
- if (!type.equals(userSectorId.getSecond()))
- throw new ValidateException("validator.28", null);
-
- } catch (Exception ex) {
- throw new ValidateException("validator.29", null);
- }
-
- } else
- throw new ValidateException("validator.30", null);
-
- } else {
- if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
- if (samlAttribute.getName().equals("wbPK"))
- throw new ValidateException("validator.26", null);
-
- else
- throw new ValidateException("validator.37",
- new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
- }
-
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundGB = true;
-
- String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(userSectorId.getSecond());
- if (StringUtils.isEmpty(sectorName)) {
- if (saml1RequestedFriendlyName != null)
- sectorName = saml1RequestedFriendlyName;
- else
- sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
- }
-
- String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
- if (!refValueSector.equals((String)samlAttribute.getValue()))
- throw new ValidateException("validator.13", null);
-
- } else
- throw new ValidateException("validator.12", null);
-
- }
-
- } else
- //check nothing if wbPK or public SP target is not part of AuthBlock
- offset--;
-
- // check the second attribute (must be "OA")
- samlAttribute = samlAttributes[1 + offset];
- if (!samlAttribute.getName().equals("OA"))
- throw new ValidateException("validator.37",
- new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
-
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundOA = true;
- if (!oaURL.equals((String)samlAttribute.getValue()))
- throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
-
- } else
- throw new ValidateException("validator.15", null);
-
-
- // check the third attribute (must be "Geburtsdatum")
- samlAttribute = samlAttributes[2 + offset];
- if (!samlAttribute.getName().equals("Geburtsdatum"))
- throw new ValidateException("validator.37",
- new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
-
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String samlDateOfBirth = (String)samlAttribute.getValue();
- String dateOfBirth = identityLink.getDateOfBirth();
- if (!samlDateOfBirth.equals(dateOfBirth))
- throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
-
- } else
- throw new ValidateException("validator.35", null);
-
- // check four attribute could be a special text
- samlAttribute = samlAttributes[3 + offset];
- if (!samlAttribute.getName().equals("SpecialText"))
- throw new ValidateException("validator.37",
- new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
-
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String samlSpecialText = (String)samlAttribute.getValue();
- samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
-
- String text = "";
- if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
- Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
- text = oaParam.getAditionalAuthBlockText();
-
- }
-
- String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text,
- AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
- pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
- if (!samlSpecialText.equals(specialText))
- throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
-
- } else
- throw new ValidateException("validator.35", null);
-
-
- //check unique AuthBlock tokken
- samlAttribute = samlAttributes[4 + offset];
- if (!samlAttribute.getName().equals("UniqueTokken"))
- throw new ValidateException("validator.37",
- new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
-
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String uniquetokken = (String)samlAttribute.getValue();
-
- if (!uniquetokken.equals(session.getAuthBlockTokken()))
- throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
- } else
- throw new ValidateException("validator.35", null);
-
-
- // now check the extended SAML attributes
- int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
- if (extendedSAMLAttributes != null) {
- Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
- while (it.hasNext()) {
- ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
- samlAttribute = samlAttributes[i];
- String actualName = samlAttribute.getName();
- String expectedName = extendedSAMLAttribute.getName();
- if (!actualName.equals(expectedName))
- throw new ValidateException("validator.38",
- new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
-
- String actualNamespace = samlAttribute.getNamespace();
- String expectedNamespace = extendedSAMLAttribute.getNameSpace();
- if (!actualNamespace.equals(expectedNamespace))
- throw new ValidateException("validator.38",
- new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
-
- Object expectedValue = extendedSAMLAttribute.getValue();
- Object actualValue = samlAttribute.getValue();
- try {
- if (expectedValue instanceof String) {
- // replace \r\n because text might be base64-encoded
- String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
- expValue = StringUtils.replaceAll(expValue,"\n","");
- String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
- actValue = StringUtils.replaceAll(actValue,"\n","");
- if (!expValue.equals(actValue))
- throw new ValidateException("validator.38",
- new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
-
- } else if (expectedValue instanceof Element) {
- // only check the name of the element
- String actualElementName = ((Element)actualValue).getNodeName();
- String expectedElementName = ((Element)expectedValue).getNodeName();
- if (!(expectedElementName.equals(actualElementName)))
- throw new ValidateException("validator.38",
- new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
-
- } else
- // should not happen
- throw new ValidateException("validator.38",
- new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
-
- } catch (ClassCastException e) {
- throw new ValidateException("validator.38",
- new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
- }
-
- i++;
- }
- }
-
- if (!foundOA)
- throw new ValidateException("validator.14", null);
-
- if (userSectorId != null && !userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
- if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK)
- throw new ValidateException("validator.31", null);
-
- } else {
- if (!foundGB && session.getSAMLAttributeGebeORwbpk())
- throw new ValidateException("validator.11", null);
- }
-
- //Check if dsig:Signature exists
- Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
- if (dsigSignature == null)
- throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
-
+
+ try {
+ Element samlAssertion = createXMLSignatureResponse.getSamlAssertion();
+
+ //validate issuer
+ String issuer = samlAssertion.getAttribute("Issuer");
+ if (issuer == null) {
+ // should not happen, because parser would dedect this
+ throw new ValidateException("validator.32", null);
+ }
+ // replace ' in name with &#39;
+ issuer = issuer.replaceAll("'", "&#39;");
+ if (!issuer.equals(identityLink.getName()))
+ throw new ValidateException("validator.33", new Object[] {issuer, identityLink.getName()});
+
+
+ //validate issuerInstant
+ String issueInstant = samlAssertion.getAttribute("IssueInstant");
+ if (!issueInstant.equals(session.getIssueInstant()))
+ throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
+
+
+ //validate extended attributes
+ SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
+
+ boolean foundOA = false;
+ boolean foundGB = false;
+ boolean foundWBPK = false;
+ int offset = 0;
+
+ // check number of SAML attributes
+ List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+ int extendedSAMLAttributesNum = 0;
+ if (extendedSAMLAttributes != null) {
+ extendedSAMLAttributesNum = extendedSAMLAttributes.size();
+ }
+ int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum;
+
+ //remove one attribute from expected attributes if public SP target or wbPK is not part of AuthBlock
+ if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
+
+ //check number of attributes in AuthBlock response against expected number of attributes
+ int actualSAMLAttributeNumber = samlAttributes.length;
+ if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
+ Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
+ expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
+ throw new ValidateException("validator.36",
+ new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
+
+ }
+
+ //now check every single attribute
+ SAMLAttribute samlAttribute = null;
+ Pair<String, String> userSectorId = null;
+ if (session.getSAMLAttributeGebeORwbpk()) {
+ //check the first attribute ("Geschaeftsbereich" or "wbPK")
+ samlAttribute = samlAttributes[0];
+
+ //calculate bPK or wbPK as reference value for validation
+ if (MiscUtil.isNotEmpty(saml1RequestedTarget))
+ userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
+ saml1RequestedTarget);
+ else
+ userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
+ oaParam.getAreaSpecificTargetIdentifier());
+
+ //every sector specific identifier that has not 'urn:publicid:gv.at:cdid+' as prefix
+ // is internally handled as an AuthBlock with wbPK
+ if (!userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+ if (!samlAttribute.getName().equals("wbPK")) {
+ if (samlAttribute.getName().equals("Geschaeftsbereich")) {
+ throw new ValidateException("validator.26", null);
+
+ } else {
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
+ }
+ }
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundWBPK = true;
+ try {
+ Element attrValue = (Element)samlAttribute.getValue();
+ String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
+ String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
+ if (!value.equals(userSectorId.getFirst()))
+ throw new ValidateException("validator.28",
+ new Object[] {value, userSectorId.getFirst()});
+
+ if (!type.equals(userSectorId.getSecond()))
+ throw new ValidateException("validator.28",
+ new Object[] {type, userSectorId.getSecond()});
+
+ } catch (Exception ex) {
+ throw new ValidateException("validator.29", null);
+ }
+
+ } else
+ throw new ValidateException("validator.30", null);
+
+ } else {
+ if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
+ if (samlAttribute.getName().equals("wbPK"))
+ throw new ValidateException("validator.26", null);
+
+ else
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
+ }
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundGB = true;
+
+ String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(userSectorId.getSecond());
+ if (StringUtils.isEmpty(sectorName)) {
+ if (saml1RequestedFriendlyName != null)
+ sectorName = saml1RequestedFriendlyName;
+ else
+ sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+ }
+
+ String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
+ if (!refValueSector.equals((String)samlAttribute.getValue()))
+ throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector});
+
+ } else
+ throw new ValidateException("validator.12", null);
+
+ }
+
+ } else
+ //check nothing if wbPK or public SP target is not part of AuthBlock
+ offset--;
+
+ // check the second attribute (must be "OA")
+ samlAttribute = samlAttributes[1 + offset];
+ if (!samlAttribute.getName().equals("OA"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundOA = true;
+ if (!oaURL.equals((String)samlAttribute.getValue()))
+ throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
+
+ } else
+ throw new ValidateException("validator.15", null);
+
+
+ // check the third attribute (must be "Geburtsdatum")
+ samlAttribute = samlAttributes[2 + offset];
+ if (!samlAttribute.getName().equals("Geburtsdatum"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlDateOfBirth = (String)samlAttribute.getValue();
+ String dateOfBirth = identityLink.getDateOfBirth();
+ if (!samlDateOfBirth.equals(dateOfBirth))
+ throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
+
+ } else
+ throw new ValidateException("validator.35", null);
+
+ // check four attribute could be a special text
+ samlAttribute = samlAttributes[3 + offset];
+ if (!samlAttribute.getName().equals("SpecialText"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlSpecialText = (String)samlAttribute.getValue();
+ samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
+
+ String text = "";
+ if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
+ Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
+ text = oaParam.getAditionalAuthBlockText();
+
+ }
+
+ String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text,
+ AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
+ pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
+ if (!samlSpecialText.equals(specialText))
+ throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
+
+ } else
+ throw new ValidateException("validator.35", null);
+
+
+ //check unique AuthBlock tokken
+ samlAttribute = samlAttributes[4 + offset];
+ if (!samlAttribute.getName().equals("UniqueTokken"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String uniquetokken = (String)samlAttribute.getValue();
+
+ if (!uniquetokken.equals(session.getAuthBlockTokken()))
+ throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+ } else
+ throw new ValidateException("validator.35", null);
+
+
+ // now check the extended SAML attributes
+ int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
+ if (extendedSAMLAttributes != null) {
+ Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
+ while (it.hasNext()) {
+ ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
+ samlAttribute = samlAttributes[i];
+ String actualName = samlAttribute.getName();
+ String expectedName = extendedSAMLAttribute.getName();
+ if (!actualName.equals(expectedName))
+ throw new ValidateException("validator.38",
+ new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
+
+ String actualNamespace = samlAttribute.getNamespace();
+ String expectedNamespace = extendedSAMLAttribute.getNameSpace();
+ if (!actualNamespace.equals(expectedNamespace))
+ throw new ValidateException("validator.38",
+ new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
+
+ Object expectedValue = extendedSAMLAttribute.getValue();
+ Object actualValue = samlAttribute.getValue();
+ try {
+ if (expectedValue instanceof String) {
+ // replace \r\n because text might be base64-encoded
+ String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
+ expValue = StringUtils.replaceAll(expValue,"\n","");
+ String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
+ actValue = StringUtils.replaceAll(actValue,"\n","");
+ if (!expValue.equals(actValue))
+ throw new ValidateException("validator.38",
+ new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
+
+ } else if (expectedValue instanceof Element) {
+ // only check the name of the element
+ String actualElementName = ((Element)actualValue).getNodeName();
+ String expectedElementName = ((Element)expectedValue).getNodeName();
+ if (!(expectedElementName.equals(actualElementName)))
+ throw new ValidateException("validator.38",
+ new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
+
+ } else
+ // should not happen
+ throw new ValidateException("validator.38",
+ new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
+
+ } catch (ClassCastException e) {
+ throw new ValidateException("validator.38",
+ new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
+ }
+
+ i++;
+ }
+ }
+
+ if (!foundOA)
+ throw new ValidateException("validator.14", null);
+
+ if (userSectorId != null && !userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+ if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK)
+ throw new ValidateException("validator.31", null);
+
+ } else {
+ if (!foundGB && session.getSAMLAttributeGebeORwbpk())
+ throw new ValidateException("validator.11", null);
+ }
+
+ //Check if dsig:Signature exists
+ Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
+ if (dsigSignature == null)
+ throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
+
+ } catch (Exception e) {
+ SpecificTraceLogger.trace("Validate AuthBlock without SSO");
+ SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock());
+ SpecificTraceLogger.trace("OA config: " + oaParam.toString());
+ SpecificTraceLogger.trace("saml1RequestedTarget: " + saml1RequestedTarget);
+ SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + saml1RequestedFriendlyName);
+ throw e;
+
+ }
}
/**
@@ -436,219 +447,227 @@ public class CreateXMLSignatureResponseValidator {
*/
public void validateSSO(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq)
throws ValidateException {
-
- // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
- String oaURL = pendingReq.getAuthURL();
-
- IIdentityLink identityLink = session.getIdentityLink();
-
- Element samlAssertion = createXMLSignatureResponse.getSamlAssertion();
- String issuer = samlAssertion.getAttribute("Issuer");
- if (issuer == null) {
- // should not happen, because parser would dedect this
- throw new ValidateException("validator.32", null);
- }
- // replace ' in name with &#39;
- issuer = issuer.replaceAll("'", "&#39;");
-
- String issueInstant = samlAssertion.getAttribute("IssueInstant");
- if (!issueInstant.equals(session.getIssueInstant())) {
- throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
- }
-
- String name = identityLink.getName();
-
- if (!issuer.equals(name)) {
- throw new ValidateException("validator.33", new Object[] {issuer, name});
- }
-
- SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
-
- boolean foundOA = false;
-// boolean foundGB = false;
-// boolean foundWBPK = false;
- int offset = 0;
-
- // check number of SAML aatributes
- List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
- int extendedSAMLAttributesNum = 0;
- if (extendedSAMLAttributes != null) {
- extendedSAMLAttributesNum = extendedSAMLAttributes.size();
- }
- int expectedSAMLAttributeNumber =
- AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + extendedSAMLAttributesNum;
- if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
- int actualSAMLAttributeNumber = samlAttributes.length;
- if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
- Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
- expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
- throw new ValidateException(
- "validator.36",
- new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
- }
-
- SAMLAttribute samlAttribute;
- if (!session.getSAMLAttributeGebeORwbpk()) {
- offset--;
- }
-
- // check the first attribute (must be "OA")
- samlAttribute = samlAttributes[0 + offset];
- if (!samlAttribute.getName().equals("OA")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundOA = true;
- if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch
- throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
- }
- } else {
- throw new ValidateException("validator.15", null);
- }
-
- // check the third attribute (must be "Geburtsdatum")
- samlAttribute = samlAttributes[1 + offset];
- if (!samlAttribute.getName().equals("Geburtsdatum")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String samlDateOfBirth = (String)samlAttribute.getValue();
- String dateOfBirth = identityLink.getDateOfBirth();
- if (!samlDateOfBirth.equals(dateOfBirth)) {
- throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
- }
- } else {
- throw new ValidateException("validator.35", null);
- }
-
- // check four attribute could be a special text
- samlAttribute = samlAttributes[2 + offset];
- if (!samlAttribute.getName().equals("SpecialText")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String samlSpecialText = (String)samlAttribute.getValue();
- samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
-
- String text = "";
- try {
- if (MiscUtil.isNotEmpty(AuthConfigurationProviderFactory.getInstance().getSSOSpecialText())) {
- text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
- Logger.debug("Use addional AuthBlock Text from SSO=" +text);
-
- }
- else
- text = new String();
- } catch (ConfigurationException e) {
- Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e);
- }
-
-
- String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text,
- AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
- pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
- if (!samlSpecialText.equals(specialText)) {
- throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
- }
- } else {
- throw new ValidateException("validator.35", null);
- }
-
- //check unique AuthBlock tokken
- samlAttribute = samlAttributes[3 + offset];
- if (!samlAttribute.getName().equals("UniqueTokken")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String uniquetokken = (String)samlAttribute.getValue();
-
- if (!uniquetokken.equals(session.getAuthBlockTokken())) {
- throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
- }
- } else {
- throw new ValidateException("validator.35", null);
- }
-
-
- // now check the extended SAML attributes
- int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset;
- if (extendedSAMLAttributes != null) {
- Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
- while (it.hasNext()) {
- ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
- samlAttribute = samlAttributes[i];
- String actualName = samlAttribute.getName();
- String expectedName = extendedSAMLAttribute.getName();
- if (!actualName.equals(expectedName)) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
- }
- String actualNamespace = samlAttribute.getNamespace();
- String expectedNamespace = extendedSAMLAttribute.getNameSpace();
- if (!actualNamespace.equals(expectedNamespace)) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
- }
- Object expectedValue = extendedSAMLAttribute.getValue();
- Object actualValue = samlAttribute.getValue();
- try {
- if (expectedValue instanceof String) {
- // replace \r\n because text might be base64-encoded
- String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
- expValue = StringUtils.replaceAll(expValue,"\n","");
- String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
- actValue = StringUtils.replaceAll(actValue,"\n","");
- if (!expValue.equals(actValue)) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
- }
- } else if (expectedValue instanceof Element) {
- // only check the name of the element
- String actualElementName = ((Element)actualValue).getNodeName();
- String expectedElementName = ((Element)expectedValue).getNodeName();
- if (!(expectedElementName.equals(actualElementName))){
- throw new ValidateException(
- "validator.38",
- new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
- }
- } else {
- // should not happen
- throw new ValidateException(
- "validator.38",
- new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
- }
- } catch (ClassCastException e) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
- }
- i++;
- }
- }
+ try {
+ // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
+ String oaURL = pendingReq.getAuthURL();
+ IIdentityLink identityLink = session.getIdentityLink();
+
+ Element samlAssertion = createXMLSignatureResponse.getSamlAssertion();
+ String issuer = samlAssertion.getAttribute("Issuer");
+ if (issuer == null) {
+ // should not happen, because parser would dedect this
+ throw new ValidateException("validator.32", null);
+ }
+ // replace ' in name with &#39;
+ issuer = issuer.replaceAll("'", "&#39;");
+
+ String issueInstant = samlAssertion.getAttribute("IssueInstant");
+ if (!issueInstant.equals(session.getIssueInstant())) {
+ throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
+ }
+
+ String name = identityLink.getName();
+
+ if (!issuer.equals(name)) {
+ throw new ValidateException("validator.33", new Object[] {issuer, name});
+ }
+
+ SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
+
+ boolean foundOA = false;
+ // boolean foundGB = false;
+ // boolean foundWBPK = false;
+ int offset = 0;
+
+ // check number of SAML aatributes
+ List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+ int extendedSAMLAttributesNum = 0;
+ if (extendedSAMLAttributes != null) {
+ extendedSAMLAttributesNum = extendedSAMLAttributes.size();
+ }
+ int expectedSAMLAttributeNumber =
+ AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + extendedSAMLAttributesNum;
+ if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
+ int actualSAMLAttributeNumber = samlAttributes.length;
+ if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
+ Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
+ expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
+ throw new ValidateException(
+ "validator.36",
+ new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
+ }
+
+ SAMLAttribute samlAttribute;
+ if (!session.getSAMLAttributeGebeORwbpk()) {
+ offset--;
+ }
+
+ // check the first attribute (must be "OA")
+ samlAttribute = samlAttributes[0 + offset];
+ if (!samlAttribute.getName().equals("OA")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundOA = true;
+ if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch
+ throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
+ }
+ } else {
+ throw new ValidateException("validator.15", null);
+ }
+
+ // check the third attribute (must be "Geburtsdatum")
+ samlAttribute = samlAttributes[1 + offset];
+ if (!samlAttribute.getName().equals("Geburtsdatum")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlDateOfBirth = (String)samlAttribute.getValue();
+ String dateOfBirth = identityLink.getDateOfBirth();
+ if (!samlDateOfBirth.equals(dateOfBirth)) {
+ throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
+ }
+ } else {
+ throw new ValidateException("validator.35", null);
+ }
+
+ // check four attribute could be a special text
+ samlAttribute = samlAttributes[2 + offset];
+ if (!samlAttribute.getName().equals("SpecialText")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlSpecialText = (String)samlAttribute.getValue();
+ samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
+
+ String text = "";
+ try {
+ if (MiscUtil.isNotEmpty(AuthConfigurationProviderFactory.getInstance().getSSOSpecialText())) {
+ text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
+ Logger.debug("Use addional AuthBlock Text from SSO=" +text);
+
+ }
+ else
+ text = new String();
+ } catch (ConfigurationException e) {
+ Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e);
+ }
+
+
+ String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text,
+ AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
+ pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
+ if (!samlSpecialText.equals(specialText)) {
+ throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
+ }
+ } else {
+ throw new ValidateException("validator.35", null);
+ }
+
+ //check unique AuthBlock tokken
+ samlAttribute = samlAttributes[3 + offset];
+ if (!samlAttribute.getName().equals("UniqueTokken")) {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String uniquetokken = (String)samlAttribute.getValue();
+
+ if (!uniquetokken.equals(session.getAuthBlockTokken())) {
+ throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+ }
+ } else {
+ throw new ValidateException("validator.35", null);
+ }
+
+
+ // now check the extended SAML attributes
+ int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset;
+ if (extendedSAMLAttributes != null) {
+ Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
+ while (it.hasNext()) {
+ ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
+ samlAttribute = samlAttributes[i];
+ String actualName = samlAttribute.getName();
+ String expectedName = extendedSAMLAttribute.getName();
+ if (!actualName.equals(expectedName)) {
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
+ }
+ String actualNamespace = samlAttribute.getNamespace();
+ String expectedNamespace = extendedSAMLAttribute.getNameSpace();
+ if (!actualNamespace.equals(expectedNamespace)) {
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
+ }
+ Object expectedValue = extendedSAMLAttribute.getValue();
+ Object actualValue = samlAttribute.getValue();
+ try {
+ if (expectedValue instanceof String) {
+ // replace \r\n because text might be base64-encoded
+ String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
+ expValue = StringUtils.replaceAll(expValue,"\n","");
+ String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
+ actValue = StringUtils.replaceAll(actValue,"\n","");
+ if (!expValue.equals(actValue)) {
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
+ }
+ } else if (expectedValue instanceof Element) {
+ // only check the name of the element
+ String actualElementName = ((Element)actualValue).getNodeName();
+ String expectedElementName = ((Element)expectedValue).getNodeName();
+ if (!(expectedElementName.equals(actualElementName))){
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
+ }
+ } else {
+ // should not happen
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
+ }
+ } catch (ClassCastException e) {
+ throw new ValidateException(
+ "validator.38",
+ new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
+ }
+ i++;
+ }
+ }
+
+
+ if (!foundOA) throw new ValidateException("validator.14", null);
+
+ //Check if dsig:Signature exists
+ // NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
+ // if (nl.getLength() != 1) {
+ // throw new ValidateException("validator.05", null);
+ // }
+ Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
+ if (dsigSignature == null) {
+ throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
+ }
+ } catch (Exception e) {
+ SpecificTraceLogger.trace("Validate AuthBlock with SSO");
+ SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock());
+ SpecificTraceLogger.trace("OA config: " + pendingReq.getOnlineApplicationConfiguration().toString());
+ throw e;
+
+ }
- if (!foundOA) throw new ValidateException("validator.14", null);
-
- //Check if dsig:Signature exists
-// NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
-// if (nl.getLength() != 1) {
-// throw new ValidateException("validator.05", null);
-// }
- Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
- if (dsigSignature == null) {
- throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
- }
}
public void validateSigningDateTime( CreateXMLSignatureResponse csresp) throws ValidateException {