aboutsummaryrefslogtreecommitdiff
path: root/id/server
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2017-10-05 17:33:49 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-10-05 17:33:49 +0200
commit0e5df9c3c0918a77bc6d5471c2c62656fcf0b7c9 (patch)
treed648e3cff6ff4c4deda214d85f9ffb640c12407c /id/server
parent546bc276ded107edff4bb7546c4a6761494a09c6 (diff)
downloadmoa-id-spss-0e5df9c3c0918a77bc6d5471c2c62656fcf0b7c9.tar.gz
moa-id-spss-0e5df9c3c0918a77bc6d5471c2c62656fcf0b7c9.tar.bz2
moa-id-spss-0e5df9c3c0918a77bc6d5471c2c62656fcf0b7c9.zip
fix OpenSAML problem that facilitates unsigned AuthnRequests when using http redirect binding
Diffstat (limited to 'id/server')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java49
2 files changed, 53 insertions, 4 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 4f44a6202..95c4f1726 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -31,7 +31,6 @@ import org.opensaml.common.binding.decoding.URIComparator;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
-import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.StatusResponseType;
@@ -60,6 +59,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.IMOARefreshableMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOASAML2AuthRequestSignedRole;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -159,10 +159,10 @@ public class RedirectBinding implements IDecoder, IEncoder {
SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
- SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
+ MOASAML2AuthRequestSignedRole signedRole = new MOASAML2AuthRequestSignedRole();
BasicSecurityPolicy policy = new BasicSecurityPolicy();
- policy.getPolicyRules().add(signatureRule);
- policy.getPolicyRules().add(signedRole);
+ policy.getPolicyRules().add(signedRole);
+ policy.getPolicyRules().add(signatureRule);
SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
policy);
messageContext.setSecurityPolicyResolver(resolver);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java
new file mode 100644
index 000000000..efcf21b50
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.validation;
+
+import org.opensaml.common.binding.SAMLMessageContext;
+import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
+import org.opensaml.ws.transport.http.HTTPInTransport;
+import org.opensaml.xml.util.DatatypeHelper;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOASAML2AuthRequestSignedRole extends SAML2AuthnRequestsSignedRule {
+
+ @Override
+ protected boolean isMessageSigned(SAMLMessageContext messageContext) {
+ // This handles HTTP-Redirect and HTTP-POST-SimpleSign bindings.
+ HTTPInTransport inTransport = (HTTPInTransport) messageContext.getInboundMessageTransport();
+ String sigParam = inTransport.getParameterValue("Signature");
+ boolean isSigned = !DatatypeHelper.isEmpty(sigParam);
+
+ String sigAlgParam = inTransport.getParameterValue("SigAlg");
+ boolean isSigAlgExists = !DatatypeHelper.isEmpty(sigAlgParam);
+
+ return isSigned && isSigAlgExists;
+
+ }
+}