aboutsummaryrefslogtreecommitdiff
path: root/id/server
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2017-10-17 15:04:49 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-10-17 15:04:49 +0200
commit92834aed9d97772a0d37330b9c60aee18374c759 (patch)
tree30adff7052c6eca919aed447a9640522b2c94c3d /id/server
parent698a0066e84dee07f0f8de8aa408d9744f755660 (diff)
parent7c5d84f1f4054d2c85207364d5d996c4ec6fe1f8 (diff)
downloadmoa-id-spss-92834aed9d97772a0d37330b9c60aee18374c759.tar.gz
moa-id-spss-92834aed9d97772a0d37330b9c60aee18374c759.tar.bz2
moa-id-spss-92834aed9d97772a0d37330b9c60aee18374c759.zip
Merge branch 'eIDAS_node_implementation' into development_preview
Diffstat (limited to 'id/server')
-rw-r--r--id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html37
-rw-r--r--id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties2
-rw-r--r--id/server/data/deploy/conf/moa-id/SLTemplates/template_thirdBKU.html (renamed from id/server/data/deploy/conf/moa-id/SLTemplates/template_onlineBKU.html)0
-rw-r--r--id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html10
-rw-r--r--id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html (renamed from id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html)8
-rw-r--r--id/server/data/deploy/conf/moa-id/log4j.properties7
-rw-r--r--id/server/data/deploy/conf/moa-id/moa-id.properties6
-rw-r--r--id/server/doc/handbook/config/config.html89
-rw-r--r--id/server/doc/handbook/index.html2
-rw-r--r--id/server/doc/handbook/install/install.html9
-rw-r--r--id/server/doc/htmlTemplates/BKU-selection.html10
-rw-r--r--id/server/doc/htmlTemplates/BKU-selection_with_OnlineBKU.html4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java48
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java45
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java168
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java281
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java34
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java26
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java16
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java129
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java65
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java130
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java20
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java149
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java17
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java24
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java51
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java114
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java72
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java45
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java53
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java37
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java49
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties3
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties1
-rw-r--r--id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html193
-rw-r--r--id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html235
-rw-r--r--id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html16
-rw-r--r--id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm36
-rw-r--r--id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html46
-rw-r--r--id/server/moa-id-commons/pom.xml8
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java31
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java14
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java68
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java23
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java9
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java34
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java88
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java27
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java1
-rw-r--r--id/server/moa-id-frontend-resources/pom.xml72
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java (renamed from id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java)51
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java45
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java1
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java82
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java110
-rw-r--r--id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html2
-rw-r--r--id/server/moa-id-frontend-resources/src/main/resources/mainGUI/index.html2
-rw-r--r--id/server/moa-id-frontend-resources/src/main/resources/mainGUI/template_thirdBKU.html37
-rw-r--r--id/server/moa-id-frontend-resources/src/main/resources/templates/iframeLBKUdetectSPSpecific.html12
-rw-r--r--id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html10
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java94
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java514
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java9
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java10
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java39
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java1
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java491
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java2
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java23
-rw-r--r--id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml31
-rw-r--r--id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java30
-rw-r--r--id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java2
-rw-r--r--id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java247
-rw-r--r--id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml6
-rw-r--r--id/server/modules/moa-id-module-eIDAS/pom.xml10
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java2
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java6
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java35
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java31
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java63
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java4
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java15
-rw-r--r--id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java17
-rw-r--r--id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java89
-rw-r--r--id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java8
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java7
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java50
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java18
-rw-r--r--id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java3
120 files changed, 2994 insertions, 2077 deletions
diff --git a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html
index 32f0a7d4d..1f365c104 100644
--- a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html
+++ b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html
@@ -12,7 +12,8 @@
<title>Anmeldung mittels Bürgerkarte oder Handy-Signatur</title>
</head>
-<body onload="onChangeChecks();checkIfBrowserSupportsJava();" onresize="onChangeChecks();">
+<!--body onload="onChangeChecks();checkIfBrowserSupportsJava();" onresize="onChangeChecks();"-->
+<body onload="onChangeChecks();" onresize="onChangeChecks();">
<div id="page">
<div id="page1" class="case selected-case" role="main">
<h2 class="OA_header" role="heading">Anmeldung an: $OAName</h2>
@@ -37,19 +38,32 @@
</div>
<div id="bkuselectionarea">
<div id="bkukarte">
- <img id="bkuimage" class="bkuimage" src="$contextPath/img/karte.png"
- alt="OnlineBKU" /> <input name="bkuButtonOnline" type="button"
- onClick="bkuOnlineClicked();" tabindex="2" role="button"
- value="Karte" />
+ <img id="bkuimage" class="bkuimage" src="$contextPath/img/karte.png" alt="OnlineBKU" />
+
+ <!-- Remove support for Online BKU and swith the card button to local BKU-->
+ <!--input name="bkuButtonOnline" type="button" onClick="bkuOnlineClicked();" tabindex="2" role="button" value="Karte" /-->
+
+ <form method="get" id="moaidform" action="$contextPath$submitEndpoint" class="verticalcenter" target="_parent">
+ <input type="hidden" name="bkuURI" value="$bkuLocal" />
+ <input type="hidden" name="useMandate" id="useMandate" />
+ <input type="hidden" name="SSO" id="useSSO" />
+ <input type="hidden" name="ccc" id="ccc" />
+ <input type="hidden" name="pendingid" value="$pendingReqID" />
+ <input type="submit" value=" Karte " tabindex="4" role="button" onclick="setMandateSelection();">
+ </form>
+
+ <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"></iframe>
+
+ <!-- BKU detection with static template-->
+ <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe-->
+
</div>
<div id="bkuhandy">
- <img class="bkuimage" src="$contextPath/img/handysign.png"
- alt="HandyBKU" /> <input name="bkuButtonHandy" type="button"
- onClick="bkuHandyClicked();" tabindex="3" role="button"
- value="HANDY" />
+ <img class="bkuimage" src="$contextPath/img/handysign.png" alt="HandyBKU" />
+ <input name="bkuButtonHandy" type="button" onClick="bkuHandyClicked();" tabindex="3" role="button" value="HANDY" />
</div>
</div>
- <div id="localBKU">
+ <!--div id="localBKU">
<form method="get" id="moaidform" action="$contextPath$submitEndpoint"
class="verticalcenter" target="_parent">
<input type="hidden" name="bkuURI" value="$bkuLocal" />
@@ -60,7 +74,8 @@
<input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4"
role="button" onclick="setMandateSelection();">
</form>
- </div>
+ <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"><\/iframe>
+ </div-->
<!-- Single Sign-On Session transfer functionality -->
<!--div id="ssoSessionTransferBlock">
diff --git a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties
index 63b053228..512319d75 100644
--- a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties
+++ b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties
@@ -21,7 +21,7 @@ general.pvp.schemavalidation=true
hibernate.dialect=org.hibernate.dialect.MySQLDialect
hibernate.connection.url=jdbc:mysql://localhost/moa-id-config?charSet=utf-8&autoReconnect=true
hibernate.connection.charSet=utf-8
-hibernate.connection.driver_class=com.mysql.jdbc.Driver
+hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
hibernate.connection.username=
hibernate.connection.password=
diff --git a/id/server/data/deploy/conf/moa-id/SLTemplates/template_onlineBKU.html b/id/server/data/deploy/conf/moa-id/SLTemplates/template_thirdBKU.html
index 52abf83fb..52abf83fb 100644
--- a/id/server/data/deploy/conf/moa-id/SLTemplates/template_onlineBKU.html
+++ b/id/server/data/deploy/conf/moa-id/SLTemplates/template_thirdBKU.html
diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html
index 53c4f0d5d..1f365c104 100644
--- a/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html
+++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html
@@ -51,8 +51,12 @@
<input type="hidden" name="pendingid" value="$pendingReqID" />
<input type="submit" value=" Karte " tabindex="4" role="button" onclick="setMandateSelection();">
</form>
- <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe>
-
+
+ <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"></iframe>
+
+ <!-- BKU detection with static template-->
+ <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe-->
+
</div>
<div id="bkuhandy">
<img class="bkuimage" src="$contextPath/img/handysign.png" alt="HandyBKU" />
@@ -70,7 +74,7 @@
<input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4"
role="button" onclick="setMandateSelection();">
</form>
- <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"><\/iframe>
+ <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"><\/iframe>
</div-->
<!-- Single Sign-On Session transfer functionality -->
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html
index 64e88a688..4ea9a4873 100644
--- a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html
+++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html
@@ -31,11 +31,9 @@
<form action="${action}" method="post" target="_parent">
<div>
- #if($RelayState)<input type="hidden" name="RelayState"
- value="${RelayState}" />#end #if($SAMLRequest)<input type="hidden"
- name="SAMLRequest" value="${SAMLRequest}" />#end #if($SAMLResponse)<input
- type="hidden" name="SAMLResponse" value="${SAMLResponse}" />#end
-
+ #if($RelayState) <input type="hidden" name="RelayState" value="${RelayState}"/> #end
+ #if($SAMLRequest) <input type="hidden" name="SAMLRequest" value="${SAMLRequest}" /> #end
+ #if($SAMLResponse) <inputtype="hidden" name="SAMLResponse" value="${SAMLResponse}" /> #end
</div>
<noscript>
<div>
diff --git a/id/server/data/deploy/conf/moa-id/log4j.properties b/id/server/data/deploy/conf/moa-id/log4j.properties
index d83e8e550..f37100a5b 100644
--- a/id/server/data/deploy/conf/moa-id/log4j.properties
+++ b/id/server/data/deploy/conf/moa-id/log4j.properties
@@ -19,8 +19,7 @@ log4j.logger.at.gv.egovernment.moa.id.configuration=info,CONFIGTOOL
# configure the stdout appender
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
-#log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %20c | %10t | %m%n
-log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} |%20.20c | %10t | %m%n
+log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} |%20.20c | %10t | %m%n
# configure the rolling file appender (R)
log4j.appender.R=org.apache.log4j.RollingFileAppender
@@ -28,7 +27,7 @@ log4j.appender.R.File=${catalina.base}/logs/moa-id.log
log4j.appender.R.MaxFileSize=10000KB
log4j.appender.R.MaxBackupIndex=1
log4j.appender.R.layout=org.apache.log4j.PatternLayout
-log4j.appender.R.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %t | %m%n
+log4j.appender.R.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} | %t | %m%n
# configure the rolling file appender (R)
log4j.appender.CONFIGTOOL=org.apache.log4j.RollingFileAppender
@@ -36,4 +35,4 @@ log4j.appender.CONFIGTOOL.File=${catalina.base}/logs/moa-id-webgui.log
log4j.appender.CONFIGTOOL.MaxFileSize=10000KB
log4j.appender.CONFIGTOOL.MaxBackupIndex=1
log4j.appender.CONFIGTOOL.layout=org.apache.log4j.PatternLayout
-log4j.appender.CONFIGTOOL.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %t | %m%n \ No newline at end of file
+log4j.appender.CONFIGTOOL.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} | %t | %m%n \ No newline at end of file
diff --git a/id/server/data/deploy/conf/moa-id/moa-id.properties b/id/server/data/deploy/conf/moa-id/moa-id.properties
index 26ed52176..78572a96f 100644
--- a/id/server/data/deploy/conf/moa-id/moa-id.properties
+++ b/id/server/data/deploy/conf/moa-id/moa-id.properties
@@ -71,7 +71,7 @@ protocols.oauth20.jwt.ks.key.password=password
moasession.hibernate.dialect=org.hibernate.dialect.MySQLDialect
moasession.hibernate.connection.url=jdbc:mysql://localhost/moa-id-session?charSet=utf-8&serverTimezone=UTC
moasession.hibernate.connection.charSet=utf-8
-moasession.hibernate.connection.driver_class=com.mysql.jdbc.Driver
+moasession.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
moasession.hibernate.connection.username=
moasession.hibernate.connection.password=
@@ -103,7 +103,7 @@ configuration.hibernate.show_sql=false
configuration.hibernate.connection.url=jdbc:mysql://localhost/moa-id-config?charSet=utf-8&autoReconnect=true&serverTimezone=UTC
configuration.hibernate.connection.charSet=utf-8
-configuration.hibernate.connection.driver_class=com.mysql.jdbc.Driver
+configuration.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
configuration.hibernate.connection.username=
configuration.hibernate.connection.password=
configuration.dbcp.connectionProperties=
@@ -123,7 +123,7 @@ configuration.dbcp.validationQuery=SELECT 1
advancedlogging.hibernate.dialect=org.hibernate.dialect.MySQLDialect
advancedlogging.hibernate.connection.url=jdbc:mysql://localhost/moa-id-statistic?charSet=utf-8&autoReconnect=true&serverTimezone=UTC
advancedlogging.hibernate.connection.charSet=utf-8
-advancedlogging.hibernate.connection.driver_class=com.mysql.jdbc.Driver
+advancedlogging.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver
advancedlogging.hibernate.connection.username=
advancedlogging.hibernate.connection.password=
diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html
index 0361442ac..e6b86204a 100644
--- a/id/server/doc/handbook/config/config.html
+++ b/id/server/doc/handbook/config/config.html
@@ -1070,14 +1070,9 @@ https://&lt;host&gt;:&lt;port&gt;/moa-id-auth/MonitoringServlet</pre>
<p>Hiermit werden die URLs zu den Default B&uuml;rgerkartenumgebungen (BKUs) definiert die von MOA-ID-Auth f&uuml;r einen Anmeldevorgang verwendet werden, wenn die B&uuml;rgerkartenauswahl nicht bereits auf Seiten der Online-Applikation erfolgt ist (siehe <a href="./../protocol/protocol.html#allgemeines_legacy">Legacy Request</a>) oder in der Online-Applikationskonfiguration keine BKU URLs konfiguriert wurden (siehe <a href="#konfigurationsparameter_oa_bku">Kapitel 3.2.2</a>).</p>
<table class="configtable">
<tr>
- <th>Name</th>
- <th>Beispielwert</th>
- <th>Beschreibung</th>
- </tr>
- <tr>
- <td>Online BKU</td>
- <td><p>https://demo.egiz.gv.at/demoportal_bkuonline/https-security-layer-request</p></td>
- <td>URL zu einer Online-BKU Instanz</td>
+ <th width="16%">Name</th>
+ <th width="42%">Beispielwert</th>
+ <th width="42%">Beschreibung</th>
</tr>
<tr>
<td>Handy BKU</td>
@@ -1089,6 +1084,12 @@ https://&lt;host&gt;:&lt;port&gt;/moa-id-auth/MonitoringServlet</pre>
<td>https://127.0.0.1:3496/https-security-layer-request</td>
<td>URL auf die lokale BKU Instanz</td>
</tr>
+ <tr>
+ <td>Optionale dritte BKU</td>
+ <td><p>https://demo.egiz.gv.at/demoportal_bkuonline/https-security-layer-request</p></td>
+ <td><p>URL zu einer optionalen dritten BKU Instanz.</p>
+ <p><strong>Hinweis:</strong> Hiermit kann z.B. die OnlineBKU eingebunden werden</p></td>
+ </tr>
</table>
<h4><a name="konfigurationsparameter_allgemein_sl-templates" id="konfigurationsparameter_allgemein_bku2"></a>3.1.3 Security-Layer Request Templates</h4>
<p>Security-Layer (SL) Templates dienen der Kommunikation mit der gew&auml;hlten B&uuml;rgerkartenumgebung. Die hier hinterlegen SL-Templates werden f&uuml;r die Kommunikation mit der jeweiligen BKU verwendet. N&auml;here Details zum Aufbau dieser SL-Templates finden Sie im <a href="#import_template_sltemplate">Kapitel 4.3</a>. </p>
@@ -1101,11 +1102,6 @@ https://&lt;host&gt;:&lt;port&gt;/moa-id-auth/MonitoringServlet</pre>
<th>Beschreibung</th>
</tr>
<tr>
- <td>Online BKU</td>
- <td><p>SLTemplates/template_onlineBKU.html</p></td>
- <td><p>SL Template zur Kommunikation mit der Online-BKU.</p></td>
- </tr>
- <tr>
<td>Handy BKU</td>
<td>SLTemplates/template_handyBKU.html</td>
<td>SL Template zur Kommunikation mit der Handy-BKU</td>
@@ -1115,6 +1111,11 @@ https://&lt;host&gt;:&lt;port&gt;/moa-id-auth/MonitoringServlet</pre>
<td>SLTemplates/template_localeBKU.html</td>
<td>SL Template zur Kommunikation mit einer lokalen BKU Instanz</td>
</tr>
+ <tr>
+ <td>Dritte BKU</td>
+ <td><p>SLTemplates/template_thirdBKU.html</p></td>
+ <td><p>SL Template zur Kommunikation mit der optionalen dritten BKU Instanz.</p></td>
+ </tr>
</table>
<h4><a name="konfigurationsparameter_allgemein_certvalidation" id="konfigurationsparameter_allgemein_bku3"></a>3.1.4 Zertifikatspr&uuml;fung</h4>
<p>Dieser Bereich behandelt die allgemeine Einstellungen zur Zertifikatspr&uuml;fung und die Konfiguration von vertrauensw&uuml;rdigen Zertifikaten.</p>
@@ -1688,15 +1689,6 @@ Soll die B&uuml;rgerkartenauswahl weiterhin, wie in MOA-ID 1.5.1 im Kontext der
<th>Beschreibung</th>
</tr>
<tr>
- <td><span id="wwlbl_newOA_generalOA_bkuOnlineURL">Online BKU</span></td>
- <td><p>https://demo.egiz.gv.at/<br>
- demoportal_bkuonline/<br>
- https-security-layer-request</p></td>
- <td align="center">X</td>
- <td align="center">X</td>
- <td>URL zu einer applikationsspezifischen Online-BKU Instanz. Erfolgt keine applikationsspezifische Konfiguration wird die <a href="#konfigurationsparameter_allgemein_bku">Online-BKU der allgemeinen Konfiguration</a> f&uuml;r den Anmeldevorgang verwendet.</td>
- </tr>
- <tr>
<td><p><span id="wwlbl_newOA_generalOA_bkuHandyURL">Handy BKU</span></p></td>
<td>https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx</td>
<td align="center">X</td>
@@ -1711,6 +1703,15 @@ Soll die B&uuml;rgerkartenauswahl weiterhin, wie in MOA-ID 1.5.1 im Kontext der
<td>URL auf die lokale BKU Instanz. Erfolgt keine applikationsspezifischen Konfiguration wird die <a href="#konfigurationsparameter_allgemein_bku">locale BKU der allgemeinen Konfiguration</a> f&uuml;r den Anmeldevorgang verwendet.</td>
</tr>
<tr>
+ <td><span id="wwlbl_newOA_generalOA_bkuOnlineURL">Dritte BKU</span></td>
+ <td><p>https://demo.egiz.gv.at/<br>
+ demoportal_bkuonline/<br>
+ https-security-layer-request</p></td>
+ <td align="center">X</td>
+ <td align="center">X</td>
+ <td>URL zu einer applikationsspezifischen dritten BKU Instanz. Erfolgt keine applikationsspezifische Konfiguration wird die <a href="#konfigurationsparameter_allgemein_bku">dritte BKU der allgemeinen Konfiguration</a> f&uuml;r den Anmeldevorgang verwendet.</td>
+ </tr>
+ <tr>
<td><span id="wwlbl_newOA_generalOA_keyBoxIdentifier">KeyBoxIdentifier</span></td>
<td><span id="wwctrl_newOA_generalOA_keyBoxIdentifier">SecureSignatureKeypair</span></td>
<td align="center">X</td>
@@ -1724,20 +1725,6 @@ Soll die B&uuml;rgerkartenauswahl weiterhin, wie in MOA-ID 1.5.1 im Kontext der
<td align="center">X</td>
<td>&Uuml;ber diese Funktion k&ouml;nnen drei zus&auml;tzliche SecurtityLayer-Request Templates f&uuml;r diese Online-Applikation definiert werden. Diese hier definierten Templates dienen als zus&auml;tzliche WhiteList f&uuml;r Templates welche im &bdquo;StartAuthentication&ldquo; Request mit dem Parameter &bdquo;template&ldquo; &uuml;bergeben werden. Sollte im &bdquo;StartAuthentication&ldquo; Request der Parameter &bdquo;template&ldquo; fehlen, es wurde jedoch eine &bdquo;bkuURL&ldquo; &uuml;bergeben, dann wird f&uuml;r den Authentifizierungsvorgang das erste Template in dieser Liste verwendet. Detailinformationen zum <a href="./../protocol/protocol.html#allgemeines_legacy">Legacy Request</a> finden Sie im Kapitel Protokolle.</td>
</tr>
- <tr>
- <td>BKU-Selection Template</td>
- <td>&nbsp;</td>
- <td align="center">X</td>
- <td align="center">X</td>
- <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates f&uuml;r die B&uuml;rgerkartenauswahl. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_bku">Kapitel 4.1</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle f&uuml;r Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen. </td>
- </tr>
- <tr>
- <td>Send-Assertion Template</td>
- <td>&nbsp;</td>
- <td align="center">X</td>
- <td align="center">X</td>
- <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates f&uuml;r die zus&auml;tzliche Anmeldeabfrage im Falle einer Single Sign-On Anmeldung. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_sso">Kapitel 4.2</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle f&uuml;r Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen.</td>
- </tr>
</table>
<h4><a name="konfigurationsparameter_oa_testcredentials" id="uebersicht_zentraledatei_aktualisierung10"></a> 3.2.3 Test Identit&auml;ten</h4>
<p>In diesem Abschnitt k&ouml;nnen f&uuml;r diese Online-Applikation Testidentit&auml;ten erlaubt werden. Diese Testidentit&auml;ten k&ouml;nnen auch bei produktiven Instanzen freigeschalten werden, da die Unterschiedung zwischen Produkt- und Testidentit&auml;t anhand einer speziellen OID im Signaturzertifikat der Testidentit&auml;t getroffen wird. Folgende Konfigurationsparameter stehen hierf&uuml;r zur Verf&uuml;gung.</p>
@@ -2007,6 +1994,13 @@ Soll die B&uuml;rgerkartenauswahl weiterhin, wie in MOA-ID 1.5.1 im Kontext der
<td align="center">&nbsp;</td>
<td>Zertifikat mit dem die Metadaten der Online-Applikation signiert sind. Dieses wird ben&ouml;tigt um die Metadaten zu verifizieren.</td>
</tr>
+ <tr>
+ <td>SAML2 Post-Binding Template</td>
+ <td>&nbsp;</td>
+ <td align="center">X</td>
+ <td align="center">X</td>
+ <td>Pfad zum online-applikationsspezifischen Template f&uuml;r SAML2 (PVP2 S-Profil) http POST-Binding. Relative Pfadangaben werden dabei relativ zum Verzeichnis, in dem sich die MOA-ID-Auth Basiskonfigurationsdatei befindet, interpretiert. Das Template kann ausschlie&szlig;lich aus dem Dateisystem geladen werden.</td>
+ </tr>
</table>
<h5><a name="konfigurationsparameter_oa_protocol_openIDConnect" id="uebersicht_zentraledatei_aktualisierung27"></a>3.2.8.3 OpenID Connect</h5>
<p>In diesem Bereich erfolgt die applikationsspezifische Konfiguration f&uuml;r OpenID Connect (OAuth 2.0). </p>
@@ -2074,7 +2068,30 @@ wenn die individuelle Security-Layer Transformation den Formvorschriften der Sp
<td align="center">X</td>
<td>Wird diese Option gew&auml;hlt wird im AuthBlock, welcher im Anmeldevorgang signiert wird, keine bPK oder wbPK dargestellt.</td>
</tr>
+ <tr>
+ <td>BKU-Selection Template</td>
+ <td>&nbsp;</td>
+ <td align="center">X</td>
+ <td align="center">X</td>
+ <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates f&uuml;r die B&uuml;rgerkartenauswahl. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_bku">Kapitel 4.1</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle f&uuml;r Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen. </td>
+ </tr>
+ <tr>
+ <td>Send-Assertion Template</td>
+ <td>&nbsp;</td>
+ <td align="center">X</td>
+ <td align="center">X</td>
+ <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates f&uuml;r die zus&auml;tzliche Anmeldeabfrage im Falle einer Single Sign-On Anmeldung. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_sso">Kapitel 4.2</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle f&uuml;r Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen.</td>
+ </tr>
+ <tr>
+ <td>Vollmachtenservice Auswahlseite Template</td>
+ <td>&nbsp;</td>
+ <td align="center">X</td>
+ <td align="center">X</td>
+ <td>Pfad zum online-applikationsspezifischen Template zur Auswahl des gew&uuml;nschten Vollmachtenservices. Relative Pfadangaben werden dabei relativ zum Verzeichnis, in dem sich die MOA-ID-Auth Basiskonfigurationsdatei befindet, interpretiert. Das Template kann ausschlie&szlig;lich aus dem Dateisystem geladen werden.</td>
+ </tr>
</table>
+<h5>&nbsp;</h5>
+<h5>&nbsp;</h5>
<h5><a name="konfigurationsparameter_oa_additional_formular" id="uebersicht_zentraledatei_aktualisierung29"></a>3.2.9.1 Login-Fenster Konfiguration</h5>
<p>Diese Konfigurationsparameter bieten zus&auml;tzliche Einstellungen f&uuml;r eine Anpassung der B&uuml;rgerkartenauswahl welche von MOA-ID-Auth generiert wird.
Zur besseren Handhabung werden die angegebenen Parameter direkt in einer Vorschau dargestellt.
diff --git a/id/server/doc/handbook/index.html b/id/server/doc/handbook/index.html
index 0eab8f187..e72105816 100644
--- a/id/server/doc/handbook/index.html
+++ b/id/server/doc/handbook/index.html
@@ -29,7 +29,7 @@
</div>
<div class="container">
- <h2>&Uuml;bersicht zur Dokumentation der Version 3.1.x </h2>
+ <h2>&Uuml;bersicht zur Dokumentation der Version 3.3.x </h2>
<dl>
<dt><a href="./intro/intro.html">Einf&uuml;hrung</a></dt>
diff --git a/id/server/doc/handbook/install/install.html b/id/server/doc/handbook/install/install.html
index aa4114539..db96cda3c 100644
--- a/id/server/doc/handbook/install/install.html
+++ b/id/server/doc/handbook/install/install.html
@@ -235,8 +235,8 @@ https://&lt;host&gt;:&lt;port&gt;/egiz-configuration-webapp/</pre>
<h5><a name="webservice_basisinstallation_logging_format" id="webservice_basisinstallation_logging_format"></a>2.1.3.1 Format der Log-Meldungen</h5>
<p> Anhand einer konkreten Log-Meldung wird das Format der MOA SP/SS Log-Meldungen erl&auml;utert: </p>
<pre>
-INFO | 01 21:25:26,540 | Thread-3 | TID=1049225059594-100 NID=node1
- MSG=Starte neue Transaktion: TID=1049225059594-100, Service=SignatureVerification
+ INFO | 2017-09-18 10:29:22,904 | SID-7947921060553739539 | TID-4708232418268334030 | https://sso.demosp.at/handysignatur
+ | ajp-nio-28109-exec-7 | No SSO Session cookie found
</pre>
<p> Der Wert <code>INFO</code> besagt, dass die Log-Meldung im Log-Level <code>INFO</code> entstanden ist. Folgende Log-Levels existieren:</p>
<ul>
@@ -257,7 +257,10 @@ INFO | 01 21:25:26,540 | Thread-3 | TID=1049225059594-100 NID=node1
</li>
</ul>
<p>Der n&auml;chste Wert <code>01 21:25:26,540</code> gibt den Zeitpunkt an, zu dem die Log-Meldung generiert wurde (in diesem Fall den 1. Tag im aktuellen Monat, sowie die genaue Uhrzeit). </p>
- <p> Der Wert <code>Thread-3</code> bezeichnet den Thread, von dem die Anfrage bearbeitet wird.</p>
+ <p>Der Wert <code>SID-7947921060553739539</code> bezeichnet die SessionID, welche diesem Request zugeordnet wurde. Eine SessionID ist innerhalb einer SSO auch &uuml;ber mehrere Authentifizierungsrequests eindeutig. Das Loggen der SessionID kann mittels <code>%X{sessionId}</code> in der log4j Konfiguration gesetzt werden</p>
+ <p>Der Wert <code>TID-4708232418268334030</code> bezeichnet die TransactionsID, welche diesem Request zugeordnet wurde. Eine TransactionsID ist innerhalb eines Authentifizierungsrequests eindeutig. Das Loggen der TransactionsID kann mittels <code>%X{transactionId}</code> in der log4j Konfiguration gesetzt werden</p>
+ <p>Der Wert <code>https://sso.demosp.at/handysignatur</code> bezeichnet die Online Applikation (eindeutiger Identifier dieses Service Providers) f&uuml;r welchen dieser Authentifizierungsrequest durchgef&uuml;hrt wird. Das Loggen des OA Identifiers kann mittels <code>%X{oaId}</code> in der log4j Konfiguration gesetzt werden</p>
+ <p>Der Wert <code>ajp-nio-28109-exec-7</code> bezeichnet den Thread, von dem die Anfrage bearbeitet wird.</p>
<p> Der Rest der Zeile einer Log-Meldung ist der eigentliche Text, mit dem das System bestimmte Informationen anzeigt. Im Fehlerfall ist h&auml;ufig ein Java Stack-Trace angef&uuml;gt, der eine genauere Ursachen-Forschung erm&ouml;glicht.</p>
<h5> <a name="webservice_basisinstallation_logging_messages" id="webservice_basisinstallation_logging_messages"></a>2.1.3.2 Wichtige Log-Meldungen</h5>
<p> Neben den im Abschnitt <a href="#webservice_basisinstallation_installation_tomcatstartstop_verify">2.1.2.4.3</a> beschriebenen Log-Meldungen, die anzeigen, ob das Service ordnungsgem&auml;&szlig; gestartet wurde, geben nachfolgenden Log-Meldungen Aufschluss &uuml;ber die Abarbeitung von Anfragen. </p>
diff --git a/id/server/doc/htmlTemplates/BKU-selection.html b/id/server/doc/htmlTemplates/BKU-selection.html
index 53c4f0d5d..1f365c104 100644
--- a/id/server/doc/htmlTemplates/BKU-selection.html
+++ b/id/server/doc/htmlTemplates/BKU-selection.html
@@ -51,8 +51,12 @@
<input type="hidden" name="pendingid" value="$pendingReqID" />
<input type="submit" value=" Karte " tabindex="4" role="button" onclick="setMandateSelection();">
</form>
- <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe>
-
+
+ <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"></iframe>
+
+ <!-- BKU detection with static template-->
+ <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe-->
+
</div>
<div id="bkuhandy">
<img class="bkuimage" src="$contextPath/img/handysign.png" alt="HandyBKU" />
@@ -70,7 +74,7 @@
<input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4"
role="button" onclick="setMandateSelection();">
</form>
- <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"><\/iframe>
+ <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"><\/iframe>
</div-->
<!-- Single Sign-On Session transfer functionality -->
diff --git a/id/server/doc/htmlTemplates/BKU-selection_with_OnlineBKU.html b/id/server/doc/htmlTemplates/BKU-selection_with_OnlineBKU.html
index 32f0a7d4d..aaf931b7d 100644
--- a/id/server/doc/htmlTemplates/BKU-selection_with_OnlineBKU.html
+++ b/id/server/doc/htmlTemplates/BKU-selection_with_OnlineBKU.html
@@ -60,6 +60,10 @@
<input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4"
role="button" onclick="setMandateSelection();">
</form>
+ <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"><\/iframe>
+
+ <!-- BKU detection with static template-->
+ <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe-->
</div>
<!-- Single Sign-On Session transfer functionality -->
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
index 55b1a7c9a..72aef5fed 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
@@ -116,16 +116,18 @@ public class StatisticLogger implements IStatisticLogger{
//set actual date and time
dblog.setTimestamp(new Date());
-
- //set OA databaseID
- //dblog.setOaID(dbOA.getHjid());
-
+
//log basic AuthInformation
dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH));
dblog.setOafriendlyName(dbOA.getFriendlyName());
- boolean isbusinessservice = isBusinessService(dbOA);
- dblog.setBusinessservice(isbusinessservice);
+ try {
+ dblog.setBusinessservice(dbOA.hasBaseIdTransferRestriction());
+
+ } catch (Exception e) {
+ Logger.warn("Can not extract some information for StatisticLogger.", e);
+ }
+
dblog.setOatarget(authData.getBPKType());
@@ -266,9 +268,14 @@ public class StatisticLogger implements IStatisticLogger{
if (dbOA != null) {
dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH));
dblog.setOafriendlyName(dbOA.getFriendlyName());
- dblog.setOatarget(dbOA.getTarget());
- //dblog.setOaID(dbOA.getHjid());
- dblog.setBusinessservice(isBusinessService(dbOA));
+
+ try {
+ dblog.setOatarget(dbOA.getAreaSpecificTargetIdentifier());
+ dblog.setBusinessservice(dbOA.hasBaseIdTransferRestriction());
+ } catch (Exception e) {
+ Logger.warn("Can not extract some information for StatisticLogger.", e);
+
+ }
IAuthenticationSession moasession = null;
if (MiscUtil.isNotEmpty(errorRequest.getInternalSSOSessionIdentifier())) {
@@ -314,15 +321,7 @@ public class StatisticLogger implements IStatisticLogger{
}
}
-
- private boolean isBusinessService(IOAAuthParameters dbOA) {
- if (dbOA.getOaType().equals("businessService"))
- return true;
- else
- return false;
- }
-
private String getMessageWithMaxLength(String msg, int maxlength) {
return getErrorMessageWithMaxLength(msg, maxlength);
@@ -391,15 +390,15 @@ public class StatisticLogger implements IStatisticLogger{
if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.LOCALBKU)))
return IOAAuthParameters.LOCALBKU;
- if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.ONLINEBKU)))
- return IOAAuthParameters.ONLINEBKU;
+ if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.THIRDBKU)))
+ return IOAAuthParameters.THIRDBKU;
}
Logger.trace("Staticic Log search BKUType from DefaultBKUs");
try {
- if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.ONLINEBKU)))
- return IOAAuthParameters.ONLINEBKU;
+ if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.THIRDBKU)))
+ return IOAAuthParameters.THIRDBKU;
if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.LOCALBKU)))
return IOAAuthParameters.LOCALBKU;
@@ -422,12 +421,7 @@ public class StatisticLogger implements IStatisticLogger{
Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.HANDYBKU);
return IOAAuthParameters.HANDYBKU;
}
-
- if (bkuURL.contains(GENERIC_ONLINE_BKU)) {
- Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU);
- return IOAAuthParameters.ONLINEBKU;
- }
-
+
Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.AUTHTYPE_OTHERS);
return IOAAuthParameters.AUTHTYPE_OTHERS;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java
index 6d53fd510..0b066f3b9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java
@@ -23,10 +23,8 @@
package at.gv.egovernment.moa.id.advancedlogging;
-import java.util.Date;
-
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
-import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
/**
* @author tlenz
@@ -34,6 +32,43 @@ import at.gv.egovernment.moa.util.MiscUtil;
*/
public class TransactionIDUtils {
+ /**
+ * Set all MDC variables from pending request to this threat context<br>
+ * These includes SessionID, TransactionID, and unique service-provider identifier
+ *
+ * @param pendingRequest
+ */
+ public static void setAllLoggingVariables(IRequest pendingRequest) {
+ setTransactionId(pendingRequest.getUniqueTransactionIdentifier());
+ setSessionId(pendingRequest.getUniqueSessionIdentifier());
+ setServiceProviderId(pendingRequest.getOnlineApplicationConfiguration().getPublicURLPrefix());
+
+ }
+
+ /**
+ * Remove all MDC variables from this threat context
+ *
+ */
+ public static void removeAllLoggingVariables() {
+ removeSessionId();
+ removeTransactionId();
+ removeServiceProviderId();
+
+ }
+
+
+ public static void setServiceProviderId(String oaUniqueId) {
+ org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID, oaUniqueId);
+ org.slf4j.MDC.put(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID, oaUniqueId);
+
+ }
+
+ public static void removeServiceProviderId() {
+ org.apache.log4j.MDC.remove(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID);
+ org.slf4j.MDC.remove(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID);
+
+ }
+
public static void setTransactionId(String pendingRequestID) {
org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_TRANSACTION_ID,
"TID-" + pendingRequestID);
@@ -50,9 +85,9 @@ public class TransactionIDUtils {
public static void setSessionId(String uniqueSessionId) {
org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_SESSION_ID,
- "TID-" + uniqueSessionId);
+ "SID-" + uniqueSessionId);
org.slf4j.MDC.put(MOAIDAuthConstants.MDC_SESSION_ID,
- "TID-" + uniqueSessionId);
+ "SID-" + uniqueSessionId);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java
index bbb322a4f..34d0d4be1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java
@@ -74,20 +74,26 @@ public class AuthenticationSessionCleaner implements Runnable {
ExceptionContainer exContainer = (ExceptionContainer) entry;
if (exContainer.getExceptionThrown() != null) {
- //add session and transaction ID to log if exists
+ //add session, transaction, and service-provider IDs into logging context if exists
if (MiscUtil.isNotEmpty(exContainer.getUniqueTransactionID()))
TransactionIDUtils.setTransactionId(exContainer.getUniqueTransactionID());
if (MiscUtil.isNotEmpty(exContainer.getUniqueSessionID()))
TransactionIDUtils.setSessionId(exContainer.getUniqueSessionID());
+ if (MiscUtil.isNotEmpty(exContainer.getUniqueServiceProviderId()))
+ TransactionIDUtils.setServiceProviderId(exContainer.getUniqueServiceProviderId());
+
//log exception to technical log
logExceptionToTechnicalLog(exContainer.getExceptionThrown());
//remove session and transaction ID from thread
- TransactionIDUtils.removeSessionId();
- TransactionIDUtils.removeTransactionId();
- }
+ TransactionIDUtils.removeAllLoggingVariables();
+
+ } else {
+ Logger.warn("Receive an ExceptionContainer that includes no 'Exception' object. Somethinge is suspect!!!!!");
+
+ }
}
} catch (Exception e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index cad3354f5..5a5d0bcf6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -267,9 +267,9 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
//####################################################
//set general authData info's
authData.setIssuer(protocolRequest.getAuthURL());
- authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality());
- authData.setIsBusinessService(oaParam.getBusinessService());
-
+ authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality());
+ authData.setBaseIDTransferRestrication(oaParam.hasBaseIdTransferRestriction());
+
//####################################################
//parse user info's from identityLink
@@ -816,21 +816,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
* @param oaParam Service-Provider configuration, never null
* @param bPKType bPK-Type to check
* @return true, if bPK-Type matchs to Service-Provider configuration, otherwise false
+ * @throws ConfigurationException
*/
- private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) {
- String oaTarget = null;
- if (oaParam.getBusinessService()) {
- oaTarget = oaParam.getIdentityLinkDomainIdentifier();
-
- } else {
- oaTarget = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget();
-
- }
-
- if (oaTarget.equals(bPKType))
- return true;
- else
- return false;
+ private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) throws ConfigurationException {
+ return oaParam.getAreaSpecificTargetIdentifier().equals(bPKType);
+
}
private void parseBasicUserInfosFromIDL(AuthenticationData authData, IIdentityLink identityLink, Collection<String> includedGenericSessionData) {
@@ -918,9 +908,10 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
*
* @return Pair<bPK, bPKType> which was received by PVP-Attribute and could be decrypted for this Service Provider,
* or <code>null</code> if no attribute exists or can not decrypted
+ * @throws ConfigurationException
*/
private Pair<String, String> getEncryptedbPKFromPVPAttribute(IAuthenticationSession session,
- AuthenticationData authData, IOAAuthParameters spConfig) {
+ AuthenticationData authData, IOAAuthParameters spConfig) throws ConfigurationException {
//set List of encrypted bPKs to authData DAO
String pvpEncbPKListAttr = session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class);
if (MiscUtil.isNotEmpty(pvpEncbPKListAttr)) {
@@ -935,35 +926,44 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
String second = fullEncbPK.substring(0, index);
int secIndex = second.indexOf("+");
if (secIndex >= 0) {
- if (spConfig.getTarget().equals(second.substring(secIndex+1))) {
- Logger.debug("Found encrypted bPK for online-application "
- + spConfig.getPublicURLPrefix()
- + " Start decryption process ...");
- PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey();
- if (privKey != null) {
- try {
- String bPK = BPKBuilder.decryptBPK(encbPK, spConfig.getTarget(), privKey);
- if (MiscUtil.isNotEmpty(bPK)) {
- Logger.info("bPK decryption process finished successfully.");
- return Pair.newInstance(bPK, Constants.URN_PREFIX_CDID + "+" + spConfig.getTarget());
-
- } else {
- Logger.error("bPK decryption FAILED.");
-
+ String oaTargetId = spConfig.getAreaSpecificTargetIdentifier();
+ if (oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+ String publicServiceShortTarget = oaTargetId.substring(MOAIDAuthConstants.PREFIX_CDID.length());
+ if (publicServiceShortTarget.equals(second.substring(secIndex+1))) {
+ Logger.debug("Found encrypted bPK for online-application "
+ + spConfig.getPublicURLPrefix()
+ + " Start decryption process ...");
+ PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey();
+ if (privKey != null) {
+ try {
+ String bPK = BPKBuilder.decryptBPK(encbPK, publicServiceShortTarget, privKey);
+ if (MiscUtil.isNotEmpty(bPK)) {
+ Logger.info("bPK decryption process finished successfully.");
+ return Pair.newInstance(bPK, oaTargetId);
+
+ } else {
+ Logger.error("bPK decryption FAILED.");
+
+ }
+ } catch (BuildException e) {
+ Logger.error("bPK decryption FAILED.", e);
+
}
- } catch (BuildException e) {
- Logger.error("bPK decryption FAILED.", e);
- }
+ } else {
+ Logger.info("bPK decryption FAILED, because no valid decryption key is found.");
+
+ }
} else {
- Logger.info("bPK decryption FAILED, because no valid decryption key is found.");
+ Logger.info("Found encrypted bPK but " +
+ "encrypted bPK target does not match to online-application target");
- }
+ }
} else {
- Logger.info("Found encrypted bPK but " +
- "encrypted bPK target does not match to online-application target");
+ Logger.info("Encrypted bPKs are only allowed for public services with prefix: " + MOAIDAuthConstants.PREFIX_CDID
+ + " BUT oaTarget is " + oaTargetId);
}
}
@@ -1066,7 +1066,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
}
private IIdentityLink buildOAspecificIdentityLink(IOAAuthParameters oaParam, IIdentityLink idl, String bPK, String bPKType) throws MOAIDException {
- if (oaParam.getBusinessService()) {
+ if (oaParam.hasBaseIdTransferRestriction()) {
Element idlassertion = idl.getSamlAssertion();
//set bpk/wpbk;
Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
@@ -1097,69 +1097,45 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
}
- private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException {
+ private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException, ConfigurationException {
- String bPK;
- String bPKType;
-
String baseID = authData.getIdentificationValue();
- String baseIDType = authData.getIdentificationType();
-
- if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) {
- //Calculate eIDAS identifier
- if (oaParam.getBusinessService() &&
- oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_EIDAS)) {
- String[] splittedTarget = oaParam.getIdentityLinkDomainIdentifier().split("\\+");
- String cititzenCountryCode = splittedTarget[1];
- String eIDASOutboundCountry = splittedTarget[2];
-
- if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) {
- Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry");
-
- }
-
- Pair<String, String> eIDASID = new BPKBuilder().buildeIDASIdentifer(baseIDType, baseID,
- cititzenCountryCode, eIDASOutboundCountry);
- Logger.debug("Authenticate user with bPK:" + eIDASID.getFirst() + " Type:" + eIDASID.getSecond());
- return eIDASID;
-
- } else if (oaParam.getBusinessService()) {
- //is Austrian private-service application
- String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
- bPK = new BPKBuilder().buildbPKorwbPK(baseID, registerAndOrdNr);
- bPKType = registerAndOrdNr;
-
- } else {
- // only compute bPK if online application is a public service and we have the Stammzahl
- String target = null;
- Class<?> saml1RequstTemplate = null;
- try {
- saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl");
- if (saml1RequstTemplate != null &&
- saml1RequstTemplate.isInstance(pendingReq)) {
- target = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq);
+ String baseIDType = authData.getIdentificationType();
+ Pair<String, String> sectorSpecId = null;
+
+ if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) {
+ //SAML1 legacy target parameter work-around
+ String oaTargetId = null;
+ Class<?> saml1RequstTemplate = null;
+ try {
+ saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl");
+ if (saml1RequstTemplate != null &&
+ saml1RequstTemplate.isInstance(pendingReq)) {
+ oaTargetId = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq);
- }
+ }
- } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { }
+ } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { }
+
+ if (MiscUtil.isEmpty(oaTargetId)) {
+ oaTargetId = oaParam.getAreaSpecificTargetIdentifier();
+ Logger.debug("Use OA target identifier '" + oaTargetId + "' from configuration");
- if (MiscUtil.isEmpty(target))
- target = oaParam.getTarget();
-
- bPK = new BPKBuilder().buildBPK(baseID, target);
- bPKType = Constants.URN_PREFIX_CDID + "+" + target;
-
- }
-
+ } else
+ Logger.info("Use OA target identifier '" + oaTargetId + "' from SAML1 request for bPK calculation");
+
+ //calculate sector specific unique identifier
+ sectorSpecId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseID, oaTargetId);
+
+
} else {
- Logger.warn("!!!baseID-element does not include a baseID. This should not be happen any more!!!");
- bPK = baseID;
- bPKType = baseIDType;
-
+ Logger.fatal("!!!baseID-element does not include a baseID. This should not be happen any more!!!");
+ sectorSpecId = Pair.newInstance(baseID, baseIDType);
+
}
- Logger.trace("Authenticate user with bPK:" + bPK + " Type:" + bPKType);
- return Pair.newInstance(bPK, bPKType);
+ Logger.trace("Authenticate user with bPK:" + sectorSpecId.getFirst() + " Type:" + sectorSpecId.getSecond());
+ return sectorSpecId;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
index 32ac8ad68..a7f6e873f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
@@ -60,6 +60,7 @@ import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
@@ -76,77 +77,192 @@ import at.gv.egovernment.moa.util.MiscUtil;
*/
public class BPKBuilder {
- /**
- * Builds the bPK from the given parameters.
- *
- * @param identificationValue Base64 encoded "Stammzahl"
- * @param target "Bereich lt. Verordnung des BKA"
- * @return bPK in a BASE64 encoding
- * @throws BuildException if an error occurs on building the bPK
- */
- public String buildBPK(String identificationValue, String target)
- throws BuildException {
-
- if ((identificationValue == null ||
- identificationValue.length() == 0 ||
- target == null ||
- target.length() == 0)) {
- throw new BuildException("builder.00",
- new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" +
- identificationValue + ",target=" + target});
- }
- String basisbegriff;
- if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
- basisbegriff = identificationValue + "+" + target;
- else
- basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target;
+ /**
+ * Calculates an area specific unique person-identifier from a baseID
+ *
+ * @param baseID baseId from user but never null
+ * @param targetIdentifier target identifier for area specific identifier calculation but never null
+ * @return Pair<unique person identifier for this target, targetArea> but never null
+ * @throws BuildException if some input data are not valid
+ */
+ public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String targetIdentifier) throws BuildException{
+ return generateAreaSpecificPersonIdentifier(baseID, Constants.URN_PREFIX_BASEID, targetIdentifier);
+
+ }
+
+ /**
+ * Calculates an area specific unique person-identifier from an unique identifier with a specific type
+ *
+ * @param baseID baseId from user but never null
+ * @param baseIdType Type of the baseID but never null
+ * @param targetIdentifier target identifier for area specific identifier calculation but never null
+ * @return Pair<unique person identifier for this target, targetArea> but never null
+ * @throws BuildException if some input data are not valid
+ */
+ public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String baseIdType, String targetIdentifier) throws BuildException{
+ if (MiscUtil.isEmpty(baseID))
+ throw new BuildException("builder.00", new Object[]{"baseID is empty or null"});
- return calculatebPKwbPK(basisbegriff);
- }
+ if (MiscUtil.isEmpty(baseIdType))
+ throw new BuildException("builder.00", new Object[]{"the type of baseID is empty or null"});
+
+ if (MiscUtil.isEmpty(targetIdentifier))
+ throw new BuildException("builder.00", new Object[]{"OA specific target identifier is empty or null"});
+ if (baseIdType.equals(Constants.URN_PREFIX_BASEID)) {
+ Logger.trace("Find baseID. Starting unique identifier caluclation for this target");
+
+ if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_CDID) ||
+ targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_WPBK) ||
+ targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_STORK)) {
+ Logger.trace("Calculate bPK, wbPK, or STORK identifier for target: " + targetIdentifier);
+ return Pair.newInstance(calculatebPKwbPK(baseID + "+" + targetIdentifier), targetIdentifier);
+
+ } else if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_EIDAS)) {
+ Logger.trace("Calculate eIDAS identifier for target: " + targetIdentifier);
+ String[] splittedTarget = targetIdentifier.split("\\+");
+ String cititzenCountryCode = splittedTarget[1];
+ String eIDASOutboundCountry = splittedTarget[2];
+
+ if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) {
+ Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry");
+
+ }
+ return buildeIDASIdentifer(baseID, baseIdType, cititzenCountryCode, eIDASOutboundCountry);
+
+
+ } else
+ throw new BuildException("builder.00",
+ new Object[]{"Target identifier: " + targetIdentifier + " is NOT allowed or unknown"});
+
+ } else {
+ Logger.trace("BaseID is not of type " + Constants.URN_PREFIX_BASEID + ". Check type against requested target ...");
+ if (baseIdType.equals(targetIdentifier)) {
+ Logger.debug("Unique identifier is already area specific. Is nothing todo");
+ return Pair.newInstance(baseID, targetIdentifier);
+
+ } else {
+ Logger.warn("Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required!");
+ throw new BuildException("builder.00",
+ new Object[]{"Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required"});
+
+ }
+ }
+ }
+
+
/**
- * Builds the wbPK from the given parameters.
+ * Builds the storkeid from the given parameters.
*
- * @param identificationValue Base64 encoded "Stammzahl"
- * @param registerAndOrdNr type of register + "+" + number in register.
- * @return wbPK in a BASE64 encoding
+ * @param baseID baseID of the citizen
+ * @param baseIDType Type of the baseID
+ * @param sourceCountry CountryCode of that country, which build the eIDAs ID
+ * @param destinationCountry CountryCode of that country, which receives the eIDAs ID
+ *
+ * @return Pair<eIDAs, bPKType> in a BASE64 encoding
* @throws BuildException if an error occurs on building the wbPK
*/
- public String buildWBPK(String identificationValue, String registerAndOrdNr)
- throws BuildException {
+ private Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry)
+ throws BuildException {
+ String bPK = null;
+ String bPKType = null;
+
+ // check if we have been called by public sector application
+ if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) {
+ bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry;
+ Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType);
+ bPK = calculatebPKwbPK(baseID + "+" + bPKType);
+
+ } else { // if not, sector identification value is already calculated by BKU
+ Logger.debug("eIDAS eIdentifier already provided by BKU");
+ bPK = baseID;
+ }
- if ((identificationValue == null ||
- identificationValue.length() == 0 ||
- registerAndOrdNr == null ||
- registerAndOrdNr.length() == 0)) {
+ if ((MiscUtil.isEmpty(bPK) ||
+ MiscUtil.isEmpty(sourceCountry) ||
+ MiscUtil.isEmpty(destinationCountry))) {
throw new BuildException("builder.00",
- new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" +
- identificationValue + ",Register+Registernummer=" + registerAndOrdNr});
+ new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" +
+ bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry});
}
-
- String basisbegriff;
- if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+"))
- basisbegriff = identificationValue + "+" + registerAndOrdNr;
- else
- basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr;
-
- return calculatebPKwbPK(basisbegriff);
- }
-
- public String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException {
- if (MiscUtil.isEmpty(baseID) ||
- !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") ||
- bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") ||
- bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) {
- throw new BuildException("builder.00",
- new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget
- + " has an unkown prefix."});
-
- }
-
- return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget);
-
+
+ Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]");
+ String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK;
+
+ return Pair.newInstance(eIdentifier, bPKType);
}
+
+// /**
+// * Builds the bPK from the given parameters.
+// *
+// * @param identificationValue Base64 encoded "Stammzahl"
+// * @param target "Bereich lt. Verordnung des BKA"
+// * @return bPK in a BASE64 encoding
+// * @throws BuildException if an error occurs on building the bPK
+// */
+// private String buildBPK(String identificationValue, String target)
+// throws BuildException {
+//
+// if ((identificationValue == null ||
+// identificationValue.length() == 0 ||
+// target == null ||
+// target.length() == 0)) {
+// throw new BuildException("builder.00",
+// new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" +
+// identificationValue + ",target=" + target});
+// }
+// String basisbegriff;
+// if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
+// basisbegriff = identificationValue + "+" + target;
+// else
+// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target;
+//
+// return calculatebPKwbPK(basisbegriff);
+// }
+//
+// /**
+// * Builds the wbPK from the given parameters.
+// *
+// * @param identificationValue Base64 encoded "Stammzahl"
+// * @param registerAndOrdNr type of register + "+" + number in register.
+// * @return wbPK in a BASE64 encoding
+// * @throws BuildException if an error occurs on building the wbPK
+// */
+// private String buildWBPK(String identificationValue, String registerAndOrdNr)
+// throws BuildException {
+//
+// if ((identificationValue == null ||
+// identificationValue.length() == 0 ||
+// registerAndOrdNr == null ||
+// registerAndOrdNr.length() == 0)) {
+// throw new BuildException("builder.00",
+// new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" +
+// identificationValue + ",Register+Registernummer=" + registerAndOrdNr});
+// }
+//
+// String basisbegriff;
+// if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+"))
+// basisbegriff = identificationValue + "+" + registerAndOrdNr;
+// else
+// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr;
+//
+// return calculatebPKwbPK(basisbegriff);
+// }
+//
+// private String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException {
+// if (MiscUtil.isEmpty(baseID) ||
+// !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") ||
+// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") ||
+// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) {
+// throw new BuildException("builder.00",
+// new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget
+// + " has an unkown prefix."});
+//
+// }
+//
+// return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget);
+//
+// }
public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException {
MiscUtil.assertNotNull(bpk, "BPK");
@@ -199,48 +315,7 @@ public class BPKBuilder {
return null;
}
}
-
- /**
- * Builds the storkeid from the given parameters.
- *
- * @param baseID baseID of the citizen
- * @param baseIDType Type of the baseID
- * @param sourceCountry CountryCode of that country, which build the eIDAs ID
- * @param destinationCountry CountryCode of that country, which receives the eIDAs ID
- *
- * @return Pair<eIDAs, bPKType> in a BASE64 encoding
- * @throws BuildException if an error occurs on building the wbPK
- */
- public Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry)
- throws BuildException {
- String bPK = null;
- String bPKType = null;
-
- // check if we have been called by public sector application
- if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) {
- bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry;
- Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType);
- bPK = calculatebPKwbPK(baseID + "+" + bPKType);
-
- } else { // if not, sector identification value is already calculated by BKU
- Logger.debug("eIDAS eIdentifier already provided by BKU");
- bPK = baseID;
- }
-
- if ((MiscUtil.isEmpty(bPK) ||
- MiscUtil.isEmpty(sourceCountry) ||
- MiscUtil.isEmpty(destinationCountry))) {
- throw new BuildException("builder.00",
- new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" +
- bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry});
- }
-
- Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]");
- String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK;
- return Pair.newInstance(eIdentifier, bPKType);
- }
-
private String calculatebPKwbPK(String basisbegriff) throws BuildException {
try {
MessageDigest md = MessageDigest.getInstance("SHA-1");
@@ -281,6 +356,4 @@ public class BPKBuilder {
result = cipher.doFinal(encryptedBytes);
return result;
}
-
-
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
index 73fe961eb..4c4af4239 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
@@ -53,9 +53,11 @@ import java.util.List;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DateTimeUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.StringUtils;
/**
@@ -156,8 +158,9 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
* @param oaParam parameter for the OA
* @param session current session
* @return String representation of <code>&lt;CreateXMLSignatureRequest&gt;</code>
+ * @throws ConfigurationException
*/
- public String buildForeignID(String subject, IRequest pendingReq) {
+ public String buildForeignID(String subject, IRequest pendingReq) throws ConfigurationException {
String request = "";
request += "<sl:CreateXMLSignatureRequest xmlns:sl=\"http://www.buergerkarte.at/namespaces/securitylayer/1.2#\">";
@@ -181,11 +184,22 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
return request;
}
- public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) {
+ public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) throws ConfigurationException {
IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
- String target = pendingReq.getGenericData(
- MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
- String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
+ String target = null;
+ String sectorName = null;
+
+
+ String saml1Target = pendingReq.getGenericData(
+ MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
+ if (MiscUtil.isNotEmpty(saml1Target)) {
+ target = saml1Target;
+ sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(saml1Target);
+
+ } else {
+ target = oaParam.getAreaSpecificTargetIdentifier();
+ sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+ }
Calendar cal = Calendar.getInstance();
String date = DateTimeUtils.buildDate(cal);
@@ -243,11 +257,11 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
request += oaParam.getPublicURLPrefix();
request += "</td>";
request += "</tr>";
- boolean business = oaParam.getBusinessService();
- if (business) {
+
+ if (!target.startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
// OA is businessservice
- String identifierType = oaParam.getIdentityLinkDomainIdentifierType();
- String identifier = oaParam.getIdentityLinkDomainIdentifier();
+ String identifierType = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+ String identifier = oaParam.getAreaSpecificTargetIdentifier();
request += "<tr>";
request += "<td class=\"italicstyle\">";
request += identifierType + ":";
@@ -263,7 +277,7 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
request += "<td class=\"italicstyle\">";
request += "Sektor (Sector):</td>";
request += "<td class=\"normalstyle\">";
- request += target + " (" + sectorName + ")";
+ request += target.substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
request += "</td>";
request += "</tr>";
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
index f4f6e82ba..fc5489673 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
@@ -31,14 +31,10 @@ import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
-import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
-import at.gv.egovernment.moa.util.MiscUtil;
/**
* @author tlenz
@@ -57,13 +53,14 @@ public class DynamicOAAuthParameterBuilder {
if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent();
if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) {
- dynamicOA.setBusinessService(false);
- dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length()));
+ //dynamicOA.setBusinessService(false);
+ dynamicOA.setAreaSpecificTargetIdentifier(attrValue);
} else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) ||
- attrValue.startsWith(Constants.URN_PREFIX_STORK) ) {
- dynamicOA.setBusinessService(true);
- dynamicOA.setTarget(attrValue);
+ attrValue.startsWith(Constants.URN_PREFIX_STORK) ||
+ attrValue.startsWith(Constants.URN_PREFIX_EIDAS)) {
+ //dynamicOA.setBusinessService(true);
+ dynamicOA.setAreaSpecificTargetIdentifier(attrValue);
} else {
Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea");
@@ -84,13 +81,16 @@ public class DynamicOAAuthParameterBuilder {
* @param oaParam
* @param protocolRequest
* @return
+ * @throws ConfigurationException
*/
public static IOAAuthParameters buildFromAuthnRequest(
- IOAAuthParameters oaParam, IRequest protocolRequest) {
+ IOAAuthParameters oaParam, IRequest protocolRequest) throws ConfigurationException {
DynamicOAAuthParameters dynOAParams = new DynamicOAAuthParameters();
dynOAParams.setApplicationID(oaParam.getPublicURLPrefix());
- dynOAParams.setBusinessService(oaParam.getBusinessService());
+
+ dynOAParams.setHasBaseIdProcessingRestriction(oaParam.hasBaseIdInternalProcessingRestriction());
+ dynOAParams.setHasBaseIdTransfergRestriction(oaParam.hasBaseIdTransferRestriction());
Object storkRequst = null;
try {
@@ -98,9 +98,9 @@ public class DynamicOAAuthParameterBuilder {
if (storkRequst != null &&
protocolRequest.getClass().isInstance(storkRequst)) {
- dynOAParams.setBusinessTarget(Constants.URN_PREFIX_STORK + "+" + "AT" + "+"
+ dynOAParams.setAreaSpecificTargetIdentifier(Constants.URN_PREFIX_STORK + "+" + "AT" + "+"
+ protocolRequest.getClass().getMethod("getSpCountry", null).invoke(protocolRequest, null));
- dynOAParams.setBusinessService(true);
+ //dynOAParams.setBusinessService(true);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
index a82ba501c..d5ca89656 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
@@ -56,12 +56,16 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.spss.MOAException;
import at.gv.egovernment.moa.spss.api.SignatureVerificationService;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse;
import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureRequestParser;
import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureResponseBuilder;
import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest;
import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse;
import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moaspss.logging.Logger;
/**
* Invoker of the <code>SignatureVerification</code> web service of MOA-SPSS.<br>
@@ -108,6 +112,18 @@ public class SignatureVerificationInvoker {
}
+ public VerifyCMSSignatureResponse verifyCMSSignature(VerifyCMSSignatureRequest cmsSigVerifyReq) throws ServiceException {
+ try {
+ return svs.verifyCMSSignature(cmsSigVerifyReq);
+
+ } catch (MOAException e) {
+ Logger.warn("CMS signature verification has an error.", e);
+ throw new ServiceException("service.03", new Object[] { e.toString()}, e);
+
+ }
+
+ }
+
/**
* Method verifyXMLSignature.
* @param request to be sent
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java
index c582050ad..710008714 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java
@@ -32,7 +32,7 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
-import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad;
import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -68,10 +68,10 @@ public class GenerateBKUSelectionFrameTask extends AbstractAuthServletTask {
throw new AuthenticationException("auth.00", new Object[] { pendingReq.getOAURL() });
}
-
- IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+
+ IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
pendingReq,
- ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_BKUSELECTION,
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_BKUSELECTION,
GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION);
guiBuilder.build(response, config, "BKU-Selection form");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java
index ca99e9ba3..475009cf2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java
@@ -31,7 +31,7 @@ import org.springframework.stereotype.Component;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
-import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad;
import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -67,10 +67,10 @@ public class GenerateSSOConsentEvaluatorFrameTask extends AbstractAuthServletTas
//store pending request
requestStoreage.storePendingRequest(pendingReq);
- //build consents evaluator form
- IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+ //build consents evaluator form
+ IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
pendingReq,
- ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_SENDASSERTION,
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_SENDASSERTION,
GeneralProcessEngineSignalController.ENDPOINT_SENDASSERTION_EVALUATION);
guiBuilder.build(response, config, "SendAssertion-Evaluation");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
index 92d76751f..b2db8d5a2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
@@ -52,7 +52,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
@Autowired AuthConfiguration authConfig;
public void parse(IAuthenticationSession moasession,
- String target,
+ String reqTarget,
String oaURL,
String bkuURL,
String templateURL,
@@ -61,10 +61,11 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
HttpServletRequest req,
IRequest protocolReq) throws WrongParametersException, MOAIDException {
- String targetFriendlyName = null;
-
+ String resultTargetFriendlyName = null;
+ String resultTarget = null;
+
// escape parameter strings
- target = StringEscapeUtils.escapeHtml(target);
+ reqTarget = StringEscapeUtils.escapeHtml(reqTarget);
bkuURL = StringEscapeUtils.escapeHtml(bkuURL);
templateURL = StringEscapeUtils.escapeHtml(templateURL);
useMandate = StringEscapeUtils.escapeHtml(useMandate);
@@ -102,66 +103,70 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
// get target and target friendly name from config
- String targetConfig = oaParam.getTarget();
- String targetFriendlyNameConfig = oaParam.getTargetFriendlyName();
+ String targetConfig = oaParam.getAreaSpecificTargetIdentifier();
+ String targetFriendlyNameConfig = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+
+ //SAML1 legacy work-around for public area targets in request
+ if (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") &&
+ !StringUtils.isEmpty(reqTarget)) {
+ //INFO: ONLY SAML1 legacy mode
+ // if SAML1 is used and target attribute is given in request
+ // use requested target
+ // check target parameter
+ if (!ParamValidatorUtils.isValidTarget(reqTarget)) {
+ Logger.error("Selected target is invalid. Used target: " + reqTarget);
+ throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12");
+ }
+ resultTarget = MOAIDAuthConstants.PREFIX_CDID + reqTarget;
- if (!oaParam.getBusinessService()) {
- if (StringUtils.isEmpty(targetConfig)
- || (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") &&
- !StringUtils.isEmpty(target))
- ) {
- //INFO: ONLY SAML1 legacy mode
- // if SAML1 is used and target attribute is given in request
- // use requested target
- // check target parameter
- if (!ParamValidatorUtils.isValidTarget(target)) {
- Logger.error("Selected target is invalid. Using target: " + target);
- throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12");
- }
- if (MiscUtil.isNotEmpty(targetConfig))
- targetFriendlyName = targetFriendlyNameConfig;
+ String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget);
+ if (MiscUtil.isNotEmpty(sectorName))
+ resultTargetFriendlyName = sectorName;
+
+ else {
+ //check target contains subSector
+ int delimiter = reqTarget.indexOf("-");
+ if (delimiter > 0) {
+ resultTargetFriendlyName =
+ TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget.substring(0, delimiter));
- else {
- String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
- if (MiscUtil.isNotEmpty(sectorName))
- targetFriendlyName = sectorName;
-
- else {
- //check target contains subSector
- int delimiter = target.indexOf("-");
- if (delimiter > 0) {
- targetFriendlyName =
- TargetToSectorNameMapper.getSectorNameViaTarget(target.substring(0, delimiter));
-
- }
- }
- }
-
- } else {
- // use target from config
- target = targetConfig;
- targetFriendlyName = targetFriendlyNameConfig;
+ }
}
- if (isEmpty(target))
- throw new WrongParametersException("StartAuthentication",
- PARAM_TARGET, "auth.05");
-
- protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, target);
+ if (MiscUtil.isNotEmpty(targetConfig) && MiscUtil.isEmpty(resultTargetFriendlyName))
+ resultTargetFriendlyName = targetFriendlyNameConfig;
+
+ //set info's into request-context. (It's required to support SAML1 requested target parameters)
+ protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, resultTarget);
protocolReq.setGenericDataToSession(
- MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, targetFriendlyName);
- Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + target);
-
- } else {
- Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + oaParam.getIdentityLinkDomainIdentifier());
+ MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, resultTargetFriendlyName);
- if (useMandateBoolean) {
- Logger.error("Online-Mandate Mode for business application not supported.");
- throw new AuthenticationException("auth.17", null);
- }
+ } else {
+ Logger.trace("Use oa sector-identifier from configuration");
+ resultTarget = targetConfig;
+ resultTargetFriendlyName = targetFriendlyNameConfig;
}
-
+
+ //check if target is found
+ if (MiscUtil.isEmpty(resultTarget))
+ throw new WrongParametersException("StartAuthentication",
+ PARAM_TARGET, "auth.05");
+
+ //check if mandates are allowed
+ if (useMandateBoolean && oaParam.hasBaseIdInternalProcessingRestriction()) {
+ Logger.error("Online-Mandate Mode for business application not supported.");
+ throw new AuthenticationException("auth.17", null);
+
+ }
+
+ if (resultTarget.startsWith(MOAIDAuthConstants.PREFIX_CDID))
+ Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + resultTarget);
+ else
+ Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + resultTarget);
+
+
+
//Validate BKU URI
List<String> allowedbkus = oaParam.getBKUURL();
allowedbkus.addAll(authConfig.getDefaultBKUURLs());
@@ -247,16 +252,4 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, req, pendingReq);
}
-
- /**
- * Checks a parameter.
- *
- * @param param
- * parameter
- * @return true if the parameter is null or empty
- */
- private boolean isEmpty(String param) {
- return param == null || param.length() == 0;
- }
-
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index 1431911a3..353261085 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -33,6 +33,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.ExceptionHandler;
import com.google.common.net.MediaType;
+
import at.gv.egovernment.moa.id.advancedlogging.IStatisticLogger;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
@@ -139,13 +140,11 @@ public abstract class AbstractController extends MOAIDAuthConstants {
if (pendingReq != null) {
revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR);
transactionStorage.put(key,
- new ExceptionContainer(pendingReq.getUniqueSessionIdentifier(),
- pendingReq.getUniqueTransactionIdentifier(), loggedException),-1);
+ new ExceptionContainer(pendingReq, loggedException),-1);
} else {
transactionStorage.put(key,
- new ExceptionContainer(null,
- null, loggedException),-1);
+ new ExceptionContainer(null, loggedException),-1);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
index 0ce7b0050..32f103ca7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
@@ -45,11 +45,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont
//change pending-request ID
requestStorage.changePendingRequestID(pendingReq);
pendingRequestID = pendingReq.getRequestID();
-
- //add transactionID and unique sessionID to Logger
- TransactionIDUtils.setSessionId(pendingReq.getUniqueSessionIdentifier());
- TransactionIDUtils.setTransactionId(pendingReq.getUniqueTransactionIdentifier());
-
+
// process instance is mandatory
if (pendingReq.getProcessInstanceId() == null) {
throw new MOAIllegalStateException("process.03", new Object[]{"MOA session does not provide process instance id."});
@@ -64,8 +60,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont
} finally {
//MOASessionDBUtils.closeSession();
- TransactionIDUtils.removeTransactionId();
- TransactionIDUtils.removeSessionId();
+ TransactionIDUtils.removeAllLoggingVariables();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
index 9b658d81b..49145a850 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
@@ -33,9 +33,11 @@ import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
+import at.gv.egovernment.moa.id.auth.frontend.builder.AbstractServiceProviderSpecificGUIFormBuilderConfiguration;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
-import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.MOAIDConstants;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.moduls.IRequestStorage;
@@ -52,6 +54,7 @@ public class GUILayoutBuilderServlet extends AbstractController {
public static final String ENDPOINT_CSS = "/css/buildCSS";
public static final String ENDPOINT_JS = "/js/buildJS";
+ public static final String ENDPOINT_BKUDETECTION = "/feature/bkuDetection";
@Autowired AuthConfiguration authConfig;
@Autowired IRequestStorage requestStoreage;
@@ -65,30 +68,65 @@ public class GUILayoutBuilderServlet extends AbstractController {
}
+ @RequestMapping(value = ENDPOINT_BKUDETECTION, method = {RequestMethod.GET})
+ public void buildBkuDetectionFrame(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ try {
+ IRequest pendingReq = extractPendingRequest(req);
+
+ //initialize GUI builder configuration
+ AbstractServiceProviderSpecificGUIFormBuilderConfiguration config = null;
+ if (pendingReq != null)
+ config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
+ pendingReq,
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_BKUDETECTION_SP_SPECIFIC,
+ null);
+
+ else {
+ config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
+ HTTPUtils.extractAuthURLFromRequest(req),
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_BKUDETECTION_GENERIC,
+ null);
+ config.setTemplateClasspahtDir(
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_MAINGUI_DIRECTORY);
+
+ }
+
+ //build GUI component
+ formBuilder.build(resp, config, MOAIDConstants.DEFAULT_CONTENT_TYPE_HTML_UTF8, "BKUDetection-Frame");
+
+
+ } catch (Exception e) {
+ Logger.warn("GUI ressource:'BKUDetection' generation FAILED.", e);
+ resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed");
+
+ }
+
+ }
+
@RequestMapping(value = "/css/buildCSS", method = {RequestMethod.GET})
public void buildCSS(HttpServletRequest req, HttpServletResponse resp) throws IOException {
try {
IRequest pendingReq = extractPendingRequest(req);
//initialize GUI builder configuration
- ServiceProviderSpecificGUIFormBuilderConfiguration config = null;
+ SPSpecificGUIBuilderConfigurationWithDBLoad config = null;
if (pendingReq != null)
- config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+ config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
pendingReq,
- ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_CSS,
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_CSS,
null);
else
- config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+ config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
HTTPUtils.extractAuthURLFromRequest(req),
- ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_CSS,
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_CSS,
null);
//build GUI component
formBuilder.build(resp, config, "text/css; charset=UTF-8", "CSS-Form");
} catch (Exception e) {
- Logger.warn("GUI ressource:'CSS' generation FAILED.");
+ Logger.warn("GUI ressource:'CSS' generation FAILED.", e);
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed");
}
@@ -100,24 +138,24 @@ public class GUILayoutBuilderServlet extends AbstractController {
IRequest pendingReq = extractPendingRequest(req);
//initialize GUI builder configuration
- ServiceProviderSpecificGUIFormBuilderConfiguration config = null;
+ SPSpecificGUIBuilderConfigurationWithDBLoad config = null;
if (pendingReq != null)
- config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+ config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
pendingReq,
- ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_JS,
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_JS,
GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION);
else
- config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+ config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
HTTPUtils.extractAuthURLFromRequest(req),
- ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_JS,
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_JS,
GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION);
//build GUI component
formBuilder.build(resp, config, "text/javascript; charset=UTF-8", "JavaScript");
} catch (Exception e) {
- Logger.warn("GUI ressource:'JavaScript' generation FAILED.");
+ Logger.warn("GUI ressource:'JavaScript' generation FAILED.", e);
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed");
}
@@ -142,6 +180,7 @@ public class GUILayoutBuilderServlet extends AbstractController {
} catch (Exception e) {
Logger.warn("GUI-Layout builder-servlet has an error during request-preprocessing.", e);
+
}
return null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java
index bedc67513..466364adb 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java
@@ -57,8 +57,8 @@ public class UniqueSessionIdentifierInterceptor implements HandlerInterceptor {
String uniqueSessionIdentifier = ssomanager.getUniqueSessionIdentifier(ssoId);
if (MiscUtil.isEmpty(uniqueSessionIdentifier))
uniqueSessionIdentifier = Random.nextRandom();
- TransactionIDUtils.setSessionId(uniqueSessionIdentifier);
+ TransactionIDUtils.setSessionId(uniqueSessionIdentifier);
request.setAttribute(MOAIDConstants.UNIQUESESSIONIDENTIFIER, uniqueSessionIdentifier);
return true;
@@ -79,8 +79,8 @@ public class UniqueSessionIdentifierInterceptor implements HandlerInterceptor {
@Override
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
throws Exception {
- // TODO Auto-generated method stub
-
+ TransactionIDUtils.removeAllLoggingVariables();
+
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java
index c31666bbb..fc5cc0495 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java
@@ -52,6 +52,8 @@ package at.gv.egovernment.moa.id.config;
import java.util.HashMap;
import java.util.Map;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+
/**
* @author bzwattendorfer
*
@@ -106,6 +108,8 @@ public class TargetToSectorNameMapper implements TargetsAndSectorNames {
}
public static String getSectorNameViaTarget(String target) {
+ if (target.startsWith(MOAIDAuthConstants.PREFIX_CDID))
+ target = target.substring(MOAIDAuthConstants.PREFIX_CDID.length());
return targetMap.get(target) != null ? (String) targetMap.get(target) : "";
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 6a6359058..3d04a142e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -60,7 +60,9 @@ import java.util.Set;
import org.apache.commons.lang.SerializationUtils;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.MOAIDConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IStorkConfig;
import at.gv.egovernment.moa.id.commons.api.data.BPKDecryptionParameters;
@@ -96,10 +98,31 @@ public class OAAuthParameter implements IOAAuthParameters, Serializable{
final public static String DEFAULT_KEYBOXIDENTIFIER = "SecureSignatureKeypair";
private Map<String, String> oaConfiguration;
+ private List<String> targetAreasWithNoInteralBaseIdRestriction = new ArrayList<String>();
+ private List<String> targetAreasWithNoBaseIdTransmissionRestriction = new ArrayList<String>();
-
- public OAAuthParameter(final Map<String, String> oa) {
+ public OAAuthParameter(final Map<String, String> oa, AuthConfiguration authConfig) {
this.oaConfiguration = oa;
+
+ //set oa specific restrictions
+ targetAreasWithNoInteralBaseIdRestriction = KeyValueUtils.getListOfCSVValues(
+ authConfig.getBasicMOAIDConfiguration(
+ CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL,
+ MOAIDAuthConstants.PREFIX_CDID));
+
+ targetAreasWithNoBaseIdTransmissionRestriction = KeyValueUtils.getListOfCSVValues(
+ authConfig.getBasicMOAIDConfiguration(
+ CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION,
+ MOAIDAuthConstants.PREFIX_CDID));
+
+ if (Logger.isTraceEnabled()) {
+ Logger.trace("Internal policy for OA: " + getPublicURLPrefix());
+ for (String el : targetAreasWithNoInteralBaseIdRestriction)
+ Logger.trace(" Allow baseID processing for prefix " + el);
+ for (String el : targetAreasWithNoBaseIdTransmissionRestriction)
+ Logger.trace(" Allow baseID transfer for prefix " + el);
+
+ }
}
@@ -111,12 +134,54 @@ public class OAAuthParameter implements IOAAuthParameters, Serializable{
return this.oaConfiguration.get(key);
}
+ @Override
+ public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException {
+ String targetAreaIdentifier = getAreaSpecificTargetIdentifier();
+ for (String el : targetAreasWithNoInteralBaseIdRestriction) {
+ if (targetAreaIdentifier.startsWith(el))
+ return false;
+
+ }
+ return true;
+
+ }
+
+ @Override
+ public boolean hasBaseIdTransferRestriction() throws ConfigurationException {
+ String targetAreaIdentifier = getAreaSpecificTargetIdentifier();
+ for (String el : targetAreasWithNoBaseIdTransmissionRestriction) {
+ if (targetAreaIdentifier.startsWith(el))
+ return false;
+
+ }
+ return true;
+
+ }
+
+ @Override
+ public String getAreaSpecificTargetIdentifier() throws ConfigurationException {
+ if (getBusinessService())
+ return getIdentityLinkDomainIdentifier();
+ else
+ return MOAIDAuthConstants.PREFIX_CDID + getTarget();
+
+ }
+
+ @Override
+ public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException{
+ if (getBusinessService())
+ return getIdentityLinkDomainIdentifierType();
+ else
+ return getTargetFriendlyName();
+
+ }
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
*/
-@Override
-public String getIdentityLinkDomainIdentifier() {
+//@Override
+private String getIdentityLinkDomainIdentifier() {
String type = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE);
String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE);
if (MiscUtil.isNotEmpty(type) && MiscUtil.isNotEmpty(value)) {
@@ -138,8 +203,8 @@ public String getIdentityLinkDomainIdentifier() {
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType()
*/
-@Override
-public String getIdentityLinkDomainIdentifierType() {
+//@Override
+private String getIdentityLinkDomainIdentifierType() {
String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE);
if (MiscUtil.isNotEmpty(value))
return MOAIDConfigurationConstants.BUSINESSSERVICENAMES.get(value);
@@ -151,8 +216,8 @@ public String getIdentityLinkDomainIdentifierType() {
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
*/
-@Override
-public String getTarget() {
+//@Override
+private String getTarget() {
if (Boolean.parseBoolean(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_USE_OWN)))
return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_TARGET);
@@ -171,8 +236,8 @@ public String getTarget() {
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName()
*/
-@Override
-public String getTargetFriendlyName() {
+//@Override
+private String getTargetFriendlyName() {
if (Boolean.parseBoolean(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_USE_OWN)))
return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME);
@@ -265,8 +330,8 @@ public String getKeyBoxIdentifier() {
*/
@Override
public String getBKUURL(String bkutype) {
- if (bkutype.equals(ONLINEBKU)) {
- return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE);
+ if (bkutype.equals(THIRDBKU)) {
+ return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD);
} else if (bkutype.equals(HANDYBKU)) {
return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY);
@@ -274,10 +339,15 @@ public String getKeyBoxIdentifier() {
} else if (bkutype.equals(LOCALBKU)) {
return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL);
+ } else if (bkutype.equals(ONLINEBKU)) {
+ return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD);
+
}
+
+
Logger.warn("BKU Type does not match: "
- + ONLINEBKU + " or " + HANDYBKU + " or " + LOCALBKU);
+ + THIRDBKU + " or " + HANDYBKU + " or " + LOCALBKU);
return null;
}
@@ -288,8 +358,8 @@ public String getKeyBoxIdentifier() {
public List<String> getBKUURL() {
List<String> list = new ArrayList<String>();
- if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE))
- list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE));
+ if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD))
+ list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD));
if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY))
list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY));
@@ -648,8 +718,8 @@ public boolean isInterfederationSSOStorageAllowed() {
return false;
}
-public boolean isIDPPublicService() {
- return !getBusinessService();
+public boolean isIDPPublicService() throws ConfigurationException {
+ return !hasBaseIdTransferRestriction();
}
@@ -735,11 +805,7 @@ public String getPublicURLPrefix() {
}
-/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
- */
-@Override
-public boolean getBusinessService() {
+private boolean getBusinessService() {
String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_BUSINESSSERVICE);
if (MiscUtil.isNotEmpty(value))
return Boolean.parseBoolean(value);
@@ -780,16 +846,16 @@ public String getFriendlyName() {
}
-/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
- */
-@Override
-public String getOaType() {
- if (getBusinessService())
- return "businessService";
- else
- return "publicService";
-}
+///* (non-Javadoc)
+// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
+// */
+//@Override
+//public String getOaType() {
+// if (getBusinessService())
+// return "businessService";
+// else
+// return "publicService";
+//}
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
index 35d052acd..332604257 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
@@ -412,7 +412,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
return null;
}
- return new OAAuthParameter(oa);
+ return new OAAuthParameter(oa, this);
}
/**
@@ -676,7 +676,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
templatesList.add(configuration.getStringValue(
MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL));
templatesList.add(configuration.getStringValue(
- MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE));
+ MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD));
templatesList.add(configuration.getStringValue(
MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY));
@@ -701,9 +701,9 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
try {
switch (type) {
- case IOAAuthParameters.ONLINEBKU:
+ case IOAAuthParameters.THIRDBKU:
slRequestTemplate = configuration.getStringValue(
- MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE);
+ MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD);
break;
case IOAAuthParameters.LOCALBKU:
slRequestTemplate = configuration.getStringValue(
@@ -714,7 +714,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY);
break;
default:
- Logger.warn("getSLRequestTemplates: BKU Type does not match: " + IOAAuthParameters.ONLINEBKU + " or " + IOAAuthParameters.HANDYBKU + " or "
+ Logger.warn("getSLRequestTemplates: BKU Type does not match: " + IOAAuthParameters.THIRDBKU + " or " + IOAAuthParameters.HANDYBKU + " or "
+ IOAAuthParameters.LOCALBKU);
}
@@ -736,7 +736,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
List<String> bkuurlsList = new ArrayList<String>();
try {
bkuurlsList.add(configuration.getStringValue(
- MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE));
+ MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD));
bkuurlsList.add(configuration.getStringValue(
MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL));
bkuurlsList.add(configuration.getStringValue(
@@ -762,9 +762,9 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
String defaultBKUUrl = null;
try {
switch (type) {
- case IOAAuthParameters.ONLINEBKU:
+ case IOAAuthParameters.THIRDBKU:
defaultBKUUrl = configuration.getStringValue(
- MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE);
+ MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD);
break;
case IOAAuthParameters.LOCALBKU:
defaultBKUUrl = configuration.getStringValue(
@@ -775,7 +775,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY);
break;
default:
- Logger.warn("getDefaultBKUURL: BKU Type does not match: " + IOAAuthParameters.ONLINEBKU + " or " + IOAAuthParameters.HANDYBKU + " or "
+ Logger.warn("getDefaultBKUURL: BKU Type does not match: " + IOAAuthParameters.THIRDBKU + " or " + IOAAuthParameters.HANDYBKU + " or "
+ IOAAuthParameters.LOCALBKU);
}
@@ -817,7 +817,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
public String getSSOFriendlyName() {
try {
return configuration.getStringValue(
- MOAIDConfigurationConstants.GENERAL_AUTH_SSO_TARGET, "Default MOA-ID friendly name for SSO");
+ MOAIDConfigurationConstants.GENERAL_AUTH_SSO_SERVICENAME, "Default MOA-ID friendly name for SSO");
} catch (at.gv.egiz.components.configuration.api.ConfigurationException e) {
Logger.warn("Single Sign-On FriendlyName can not be read from configuration.", e);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
index 9fd58b5c7..f3db82315 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
@@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
/**
* @author tlenz
@@ -45,33 +46,84 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
private static final long serialVersionUID = 1648437815185614566L;
private String publicURLPrefix;
-
- private String businessTarget;
-
- private boolean businessService;
-
+
private boolean isInderfederationIDP;
-
private String IDPQueryURL;
- private String target;
-
+ private boolean hasBaseIdProcessingRestriction;
+ private boolean hasBaseIdTransfergRestriction;
+ private String oaTargetAreaIdentifier;
+
+
/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdInternalProcessingRestriction()
*/
@Override
- public String getTarget() {
- return this.target;
+ public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException {
+ return this.hasBaseIdProcessingRestriction;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdTransferRestriction()
+ */
+ @Override
+ public boolean hasBaseIdTransferRestriction() throws ConfigurationException {
+ return this.hasBaseIdTransfergRestriction;
}
/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier()
+ */
+ @Override
+ public String getAreaSpecificTargetIdentifier() throws ConfigurationException {
+ return this.oaTargetAreaIdentifier;
+ }
+
+ /**
+ * @param hasBaseIdProcessingRestriction the hasBaseIdProcessingRestriction to set
+ */
+ public void setHasBaseIdProcessingRestriction(boolean hasBaseIdProcessingRestriction) {
+ this.hasBaseIdProcessingRestriction = hasBaseIdProcessingRestriction;
+ }
+
+ /**
+ * @param hasBaseIdTransfergRestriction the hasBaseIdTransfergRestriction to set
+ */
+ public void setHasBaseIdTransfergRestriction(boolean hasBaseIdTransfergRestriction) {
+ this.hasBaseIdTransfergRestriction = hasBaseIdTransfergRestriction;
+ }
+
+ /**
+ * @param oaTargetAreaIdentifier the oaTargetAreaIdentifier to set
+ */
+ public void setAreaSpecificTargetIdentifier(String oaTargetAreaIdentifier) {
+ this.oaTargetAreaIdentifier = oaTargetAreaIdentifier;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifierFriendlyName()
*/
@Override
- public String getIdentityLinkDomainIdentifier() {
- return this.businessTarget;
+ public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException {
+ return null;
}
+// /* (non-Javadoc)
+// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
+// */
+// //@Override
+// public String getTarget() {
+// return this.target;
+// }
+//
+// /* (non-Javadoc)
+// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
+// */
+// //@Override
+// public String getIdentityLinkDomainIdentifier() {
+// return this.businessTarget;
+// }
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIDPAttributQueryServiceURL()
*/
@@ -164,7 +216,7 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType()
*/
- @Override
+ //@Override
public String getIdentityLinkDomainIdentifierType() {
// TODO Auto-generated method stub
return null;
@@ -251,26 +303,26 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
return null;
}
- /**
- * @param isBusinessService the isBusinessService to set
- */
- public void setBusinessService(boolean isBusinessService) {
- businessService = isBusinessService;
- }
-
- /**
- * @param target the target to set
- */
- public void setTarget(String target) {
- this.target = target;
- }
-
- /**
- * @param businessTarget the businessTarget to set
- */
- public void setBusinessTarget(String businessTarget) {
- this.businessTarget = businessTarget;
- }
+// /**
+// * @param isBusinessService the isBusinessService to set
+// */
+// public void setBusinessService(boolean isBusinessService) {
+// businessService = isBusinessService;
+// }
+
+// /**
+// * @param target the target to set
+// */
+// public void setTarget(String target) {
+// this.target = target;
+// }
+//
+// /**
+// * @param businessTarget the businessTarget to set
+// */
+// public void setBusinessTarget(String businessTarget) {
+// this.businessTarget = businessTarget;
+// }
/**
* @param inderfederatedIDP the inderfederatedIDP to set
@@ -400,27 +452,18 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
return this.publicURLPrefix;
}
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
- */
- @Override
- public String getOaType() {
- // TODO Auto-generated method stub
- return null;
- }
-
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
- */
- @Override
- public boolean getBusinessService() {
- return this.businessService;
- }
+// /* (non-Javadoc)
+// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
+// */
+// //@Override
+// public boolean getBusinessService() {
+// return this.businessService;
+// }
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName()
*/
- @Override
+ //@Override
public String getTargetFriendlyName() {
// TODO Auto-generated method stub
return null;
@@ -487,4 +530,6 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
// TODO Auto-generated method stub
return false;
}
+
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
index f5f056ccc..7f56f519b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
@@ -120,7 +120,8 @@ public class AuthenticationData implements IAuthData, Serializable {
* the corresponding <code>lt;saml:Assertion&gt;</code>
*/
- private boolean businessService;
+ private boolean isBaseIDTransferRestrication = true;
+
/**
* STORK attributes from response
@@ -742,13 +743,15 @@ public class AuthenticationData implements IAuthData, Serializable {
* @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService()
*/
@Override
- public boolean isBusinessService() {
- return this.businessService;
+ public boolean isBaseIDTransferRestrication() {
+ return isBaseIDTransferRestrication;
}
-
- public void setIsBusinessService(boolean flag) {
- this.businessService = flag;
-
+
+ /**
+ * @param isBaseIDTransmittionAllowed the isBaseIDTransmittionAllowed to set
+ */
+ public void setBaseIDTransferRestrication(boolean isBaseIDTransferRestrication) {
+ this.isBaseIDTransferRestrication = isBaseIDTransferRestrication;
}
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java
index 1c6fdcb65..4820b6fdc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java
@@ -24,6 +24,8 @@ package at.gv.egovernment.moa.id.data;
import java.io.Serializable;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+
/**
* @author tlenz
*
@@ -34,13 +36,21 @@ public class ExceptionContainer implements Serializable {
private Throwable exceptionThrown = null;
private String uniqueSessionID = null;
private String uniqueTransactionID = null;
+ private String uniqueServiceProviderId = null;
/**
*
*/
- public ExceptionContainer(String uniqueSessionID, String uniqueTransactionID, Throwable exception) {
- this.uniqueSessionID = uniqueSessionID;
- this.uniqueTransactionID = uniqueTransactionID;
+ public ExceptionContainer(IRequest pendingReq, Throwable exception) {
+ if (pendingReq != null) {
+ this.uniqueSessionID = pendingReq.getUniqueSessionIdentifier();
+ this.uniqueTransactionID = pendingReq.getUniqueTransactionIdentifier();
+
+ if (pendingReq.getOnlineApplicationConfiguration() != null)
+ this.uniqueServiceProviderId = pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix();
+
+ }
+
this.exceptionThrown = exception;
}
@@ -62,6 +72,14 @@ public class ExceptionContainer implements Serializable {
public String getUniqueTransactionID() {
return uniqueTransactionID;
}
+
+ /**
+ * @return the uniqueServiceProviderId
+ */
+ public String getUniqueServiceProviderId() {
+ return uniqueServiceProviderId;
+ }
+
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
index 4c15cd3d1..e9fef4676 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
@@ -38,8 +38,8 @@ public interface IAuthData {
Date getIssueInstant();
String getIssuer();
-
- boolean isBusinessService();
+ boolean isBaseIDTransferRestrication();
+
boolean isSsoSession();
//boolean isInterfederatedSSOSession();
boolean isUseMandate();
@@ -90,5 +90,6 @@ public interface IAuthData {
String getCcc();
public <T> T getGenericData(String key, final Class<T> clazz);
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index ab0a1ec40..aff2c83ad 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -23,6 +23,7 @@
package at.gv.egovernment.moa.id.moduls;
import java.io.IOException;
+import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
@@ -47,6 +48,7 @@ import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
+import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
@@ -89,6 +91,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
@Service("MOAID_AuthenticationManager")
public class AuthenticationManager extends MOAIDAuthConstants {
+ private static List<String> reqParameterWhiteListeForModules = new ArrayList<String>();
public static final String MOA_SESSION = "MoaAuthenticationSession";
public static final String MOA_AUTHENTICATED = "MoaAuthenticated";
@@ -202,6 +205,14 @@ public class AuthenticationManager extends MOAIDAuthConstants {
public AuthenticationSession doAuthentication(HttpServletRequest httpReq,
HttpServletResponse httpResp, RequestImpl pendingReq) throws MOADatabaseException, ServletException, IOException, MOAIDException {
+ //load OA configuration from pending request
+ IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
+
+ //set logging context and log unique OA identifier to revision log
+ TransactionIDUtils.setServiceProviderId(pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix());
+ revisionsLogger.logEvent(oaParam,
+ pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL());
+
//generic authentication request validation
if (pendingReq.isPassiv()
&& pendingReq.forceAuth()) {
@@ -236,12 +247,8 @@ public class AuthenticationManager extends MOAIDAuthConstants {
boolean isValidSSOSession = ssoManager.isValidSSOSession(ssoId, pendingReq);
// check if Service-Provider allows SSO sessions
- IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
boolean useSSOOA = oaParam.useSSO() || oaParam.isInderfederationIDP();
-
- revisionsLogger.logEvent(oaParam,
- pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL());
-
+
//if a legacy request is used SSO should not be allowed in case of mandate authentication
boolean isUseMandateRequested = LegacyHelper.isUseMandateRequested(httpReq);
@@ -304,6 +311,18 @@ public class AuthenticationManager extends MOAIDAuthConstants {
}
/**
+ * Add a request parameter to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext}
+ *
+ * @param httpReqParam http parameter name, but never null
+ */
+ public void addParameterNameToWhiteList(String httpReqParam) {
+ if (MiscUtil.isNotEmpty(httpReqParam))
+ reqParameterWhiteListeForModules.add(httpReqParam);
+
+ }
+
+
+ /**
* Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated
*
* @param protocolRequest Authentication request which is actually in process
@@ -381,17 +400,25 @@ public class AuthenticationManager extends MOAIDAuthConstants {
executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_ISLEGACYREQUEST, leagacyMode);
executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, !leagacyMode
&& MiscUtil.isEmpty(pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class)));
+
+ //add X509 SSL client certificate if exist
+ if (httpReq.getAttribute("javax.servlet.request.X509Certificate") != null) {
+ Logger.debug("Find SSL-client-certificate on request --> Add it to context");
+ executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE,
+ ((X509Certificate[])httpReq.getAttribute("javax.servlet.request.X509Certificate")));
+
+ }
- //add leagcy parameters to context
- if (leagacyMode) {
+ //add additional http request parameter to context
+ if (!reqParameterWhiteListeForModules.isEmpty() || leagacyMode) {
Enumeration<String> reqParamNames = httpReq.getParameterNames();
while(reqParamNames.hasMoreElements()) {
String paramName = reqParamNames.nextElement();
if (MiscUtil.isNotEmpty(paramName) &&
- MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName))
+ ( MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName)
+ || reqParameterWhiteListeForModules.contains(paramName) ))
executionContext.put(paramName,
- StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName)));
-
+ StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName)));
}
}
@@ -615,7 +642,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
//send SLO response to SLO request issuer
SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq);
LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs());
- sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
+ sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq);
} else {
//print SLO information directly
@@ -651,7 +678,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
if (pvpReq != null) {
SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq);
LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
- sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
+ sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq);
revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java
index eec48e0f3..90ccb3c27 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java
@@ -52,9 +52,8 @@ public class RequestStorage implements IRequestStorage{
}
//set transactionID and sessionID to Logger
- TransactionIDUtils.setTransactionId(pendingRequest.getUniqueTransactionIdentifier());
- TransactionIDUtils.setSessionId(pendingRequest.getUniqueSessionIdentifier());
-
+ TransactionIDUtils.setAllLoggingVariables(pendingRequest);
+
return pendingRequest;
} catch (MOADatabaseException | NullPointerException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java
new file mode 100644
index 000000000..b05e60e94
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java
@@ -0,0 +1,114 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.opemsaml;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStreamWriter;
+import java.io.Writer;
+
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.app.VelocityEngine;
+import org.opensaml.common.binding.SAMLMessageContext;
+import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.ws.transport.http.HTTPOutTransport;
+import org.opensaml.ws.transport.http.HTTPTransportUtils;
+
+import at.gv.egovernment.moa.id.auth.frontend.builder.GUIFormBuilderImpl;
+import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAIDHTTPPostEncoder extends HTTPPostEncoder {
+
+ private VelocityEngine velocityEngine;
+ private IGUIBuilderConfiguration guiConfig;
+ private GUIFormBuilderImpl guiBuilder;
+
+ /**
+ * @param engine
+ * @param templateId
+ */
+ public MOAIDHTTPPostEncoder(IGUIBuilderConfiguration guiConfig, GUIFormBuilderImpl guiBuilder, VelocityEngine engine) {
+ super(engine, null);
+ this.velocityEngine = engine;
+ this.guiConfig = guiConfig;
+ this.guiBuilder = guiBuilder;
+
+ }
+
+ /**
+ * Base64 and POST encodes the outbound message and writes it to the outbound transport.
+ *
+ * @param messageContext current message context
+ * @param endpointURL endpoint URL to which to encode message
+ *
+ * @throws MessageEncodingException thrown if there is a problem encoding the message
+ */
+ protected void postEncode(SAMLMessageContext messageContext, String endpointURL) throws MessageEncodingException {
+ Logger.debug("Invoking Velocity template to create POST body");
+ InputStream is = null;
+ try {
+ //build Velocity Context from GUI input paramters
+ VelocityContext context = guiBuilder.generateVelocityContextFromConfiguration(guiConfig);
+
+ //load template
+ is = guiBuilder.getTemplateInputStream(guiConfig);
+
+ //populate velocity context with SAML2 parameters
+ populateVelocityContext(context, messageContext, endpointURL);
+
+ //populate transport parameter
+ HTTPOutTransport outTransport = (HTTPOutTransport) messageContext.getOutboundMessageTransport();
+ HTTPTransportUtils.addNoCacheHeaders(outTransport);
+ HTTPTransportUtils.setUTF8Encoding(outTransport);
+ HTTPTransportUtils.setContentType(outTransport, "text/html");
+
+ //evaluate template and write content to response
+ Writer out = new OutputStreamWriter(outTransport.getOutgoingStream(), "UTF-8");
+ velocityEngine.evaluate(context, out, "SAML2_POST_BINDING", new BufferedReader(new InputStreamReader(is)));
+ out.flush();
+
+ } catch (Exception e) {
+ Logger.error("Error invoking Velocity template", e);
+ throw new MessageEncodingException("Error creating output document", e);
+
+ } finally {
+ if (is != null) {
+ try {
+ is.close();
+
+ } catch (IOException e) {
+ Logger.error("Can NOT close GUI-Template InputStream.", e);
+ }
+ }
+
+ }
+ }
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java
index eff839e4e..c13c5e288 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java
@@ -23,7 +23,6 @@
package at.gv.egovernment.moa.id.protocols.builder.attributes;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
@@ -51,6 +50,9 @@ public class BPKAttributeBuilder implements IPVPAttributeBuilder {
else if (type.startsWith(Constants.URN_PREFIX_CDID))
type = type.substring((Constants.URN_PREFIX_CDID + "+").length());
+ else if (type.startsWith(Constants.URN_PREFIX_EIDAS))
+ type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length());
+
if (bpk.length() > BPK_MAX_LENGTH) {
bpk = bpk.substring(0, BPK_MAX_LENGTH);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
index a6a5f1dd4..b4846db12 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
@@ -38,7 +38,7 @@ public class EIDSourcePIN implements IPVPAttributeBuilder {
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
- if (authData.isBusinessService())
+ if (authData.isBaseIDTransferRestrication())
throw new AttributePolicyException(EID_SOURCE_PIN_NAME);
else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
index 1d836802a..ccaecb3b6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
@@ -23,7 +23,6 @@
package at.gv.egovernment.moa.id.protocols.builder.attributes;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
@@ -37,7 +36,7 @@ public class EIDSourcePINType implements IPVPAttributeBuilder {
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
- if (authData.isBusinessService())
+ if (authData.isBaseIDTransferRestrication())
throw new UnavailableAttributeException(EID_SOURCE_PIN_TYPE_NAME);
else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java
index 97043a3a0..f85fd7cae 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java
@@ -60,7 +60,7 @@ public class MandateLegalPersonFullNameAttributeBuilder implements IPVPAttribute
}
CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
if (corporation == null) {
- Logger.error("No corporation mandate");
+ Logger.info("No corporation mandate");
throw new NoMandateDataAttributeException();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java
index 46472c983..7e0815ab2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java
@@ -42,41 +42,12 @@ public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttribu
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
- if(authData.isUseMandate()) {
-
- //get PVP attribute directly, if exists
- String sourcePin = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class);
-
- if (MiscUtil.isEmpty(sourcePin)) {
- Element mandate = authData.getMandate();
- if(mandate == null) {
- throw new NoMandateDataAttributeException();
-
- }
- Mandate mandateObject = MandateBuilder.buildMandate(mandate);
- if(mandateObject == null) {
- throw new NoMandateDataAttributeException();
-
- }
- CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
- if(corporation == null) {
- Logger.error("No corporation mandate");
- throw new NoMandateDataAttributeException();
-
- }
- if(corporation.getIdentification().size() == 0) {
- Logger.error("Failed to generate IdentificationType");
- throw new NoMandateDataAttributeException();
-
- }
-
- sourcePin = corporation.getIdentification().get(0).getValue().getValue();
-
- }
-
+ if(authData.isUseMandate()) {
return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME,
- MANDATE_LEG_PER_SOURCE_PIN_NAME, sourcePin);
+ MANDATE_LEG_PER_SOURCE_PIN_NAME, getLegalPersonIdentifierFromMandate(authData));
+
}
+
return null;
}
@@ -84,4 +55,39 @@ public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttribu
public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
return g.buildEmptyAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, MANDATE_LEG_PER_SOURCE_PIN_NAME);
}
+
+
+ protected String getLegalPersonIdentifierFromMandate(IAuthData authData) throws NoMandateDataAttributeException {
+ //get PVP attribute directly, if exists
+ String sourcePin = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class);
+
+ if (MiscUtil.isEmpty(sourcePin)) {
+ Element mandate = authData.getMandate();
+ if(mandate == null) {
+ throw new NoMandateDataAttributeException();
+
+ }
+ Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+ if(mandateObject == null) {
+ throw new NoMandateDataAttributeException();
+
+ }
+ CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
+ if(corporation == null) {
+ Logger.info("No corporation mandate");
+ throw new NoMandateDataAttributeException();
+
+ }
+ if(corporation.getIdentification().size() == 0) {
+ Logger.info("Failed to generate IdentificationType");
+ throw new NoMandateDataAttributeException();
+
+ }
+
+ sourcePin = corporation.getIdentification().get(0).getValue().getValue();
+
+ }
+
+ return sourcePin;
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java
index 41c35dad3..8b22acc01 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java
@@ -59,12 +59,12 @@ public class MandateLegalPersonSourcePinTypeAttributeBuilder implements IPVPAttr
}
CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
if (corporation == null) {
- Logger.error("No corporate mandate");
+ Logger.info("No corporate mandate");
throw new NoMandateDataAttributeException();
}
if (corporation.getIdentification().size() == 0) {
- Logger.error("Failed to generate IdentificationType");
+ Logger.info("Failed to generate IdentificationType");
throw new NoMandateDataAttributeException();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
index df8f86f7e..15eed3d44 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
@@ -30,9 +30,12 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPers
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
import at.gv.egovernment.moa.id.util.MandateBuilder;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
@@ -50,6 +53,7 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
//get PVP attribute directly, if exists
String bpk = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class);
+ String type = null;
if (MiscUtil.isEmpty(bpk)) {
//read bPK from mandate if it is not directly included
@@ -63,38 +67,53 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
}
PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
if (physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
+ Logger.info("No physicalPerson mandate");
throw new NoMandateDataAttributeException();
}
IdentificationType id = null;
id = physicalPerson.getIdentification().get(0);
if (id == null) {
- Logger.error("Failed to generate IdentificationType");
+ Logger.info("Failed to generate IdentificationType");
throw new NoMandateDataAttributeException();
}
try {
- if (id.getType().equals(Constants.URN_PREFIX_BASEID)) {
- if (oaParam.getBusinessService()) {
- bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier());
-
- } else {
- bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget());
-
- }
-
+ if (id.getType().equals(Constants.URN_PREFIX_BASEID)) {
+ Pair<String, String> calcResult = new BPKBuilder().generateAreaSpecificPersonIdentifier(id.getValue().getValue(),
+ oaParam.getAreaSpecificTargetIdentifier());
+ bpk = calcResult.getFirst();
+ type = calcResult.getSecond();
+
} else
bpk = id.getValue().getValue();
+ if (MiscUtil.isEmpty(bpk))
+ throw new UnavailableAttributeException(BPK_NAME);
+
+ if (type.startsWith(Constants.URN_PREFIX_WBPK))
+ type = type.substring((Constants.URN_PREFIX_WBPK + "+").length());
+
+ else if (type.startsWith(Constants.URN_PREFIX_CDID))
+ type = type.substring((Constants.URN_PREFIX_CDID + "+").length());
+
+ else if (type.startsWith(Constants.URN_PREFIX_EIDAS))
+ type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length());
+
+ if (bpk.length() > BPK_MAX_LENGTH) {
+ bpk = bpk.substring(0, BPK_MAX_LENGTH);
+ }
+
+
}
- catch (BuildException e) {
+ catch (BuildException | ConfigurationException e) {
Logger.error("Failed to generate IdentificationType");
throw new NoMandateDataAttributeException();
}
}
- return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bpk);
+ Logger.trace("Authenticate user with bPK/wbPK " + bpk + " and Type=" + type);
+ return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, type + ":" + bpk);
}
return null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java
index a64880889..b9ac891a9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java
@@ -65,7 +65,7 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib
}
PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
if (physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
+ Logger.info("No physicalPerson mandate");
throw new NoMandateDataAttributeException();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java
index 085579108..d29df66e8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java
@@ -62,7 +62,7 @@ public class MandateNaturalPersonFamilyNameAttributeBuilder implements IPVPAttr
}
PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
if(physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
+ Logger.info("No physicalPerson mandate");
throw new NoMandateDataAttributeException();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java
index 4cd2ca670..32efe061e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java
@@ -59,7 +59,7 @@ public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttrib
}
PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
if (physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
+ Logger.info("No physicalPerson mandate");
throw new NoMandateDataAttributeException();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
index 69a731e53..6f0a49ce0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
@@ -27,10 +27,7 @@ import org.w3c.dom.Element;
import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
-import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException;
@@ -58,18 +55,18 @@ public class MandateNaturalPersonSourcePinAttributeBuilder implements IPVPAttri
PhysicalPersonType physicalPerson = mandateObject.getMandator()
.getPhysicalPerson();
if (physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
+ Logger.info("No physicalPerson mandate");
throw new NoMandateDataAttributeException();
}
IdentificationType id = null;
id = physicalPerson.getIdentification().get(0);
- if(oaParam.getBusinessService()) {
+ if(authData.isBaseIDTransferRestrication()) {
throw new AttributePolicyException(this.getName());
}
if(id == null) {
- Logger.error("Failed to generate IdentificationType");
+ Logger.info("Failed to generate IdentificationType");
throw new NoMandateDataAttributeException();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
index 41a821c98..f7d1af33f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
@@ -28,7 +28,6 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
@@ -55,7 +54,7 @@ public class MandateNaturalPersonSourcePinTypeAttributeBuilder implements IPVPAt
PhysicalPersonType physicalPerson = mandateObject.getMandator()
.getPhysicalPerson();
if (physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
+ Logger.info("No physicalPerson mandate");
throw new NoMandateDataAttributeException();
}
IdentificationType id = null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index 365a31fe1..72691a034 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -39,6 +39,7 @@ import org.opensaml.saml2.core.Response;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
@@ -79,6 +80,7 @@ public class AttributQueryAction implements IAction {
@Autowired private IDPCredentialProvider pvpCredentials;
@Autowired private AuthConfiguration authConfig;
@Autowired(required=true) private MOAMetadataProvider metadataProvider;
+ @Autowired(required=true) ApplicationContext springContext;
private final static List<String> DEFAULTSTORKATTRIBUTES = Arrays.asList(
new String[]{PVPConstants.EID_STORK_TOKEN_NAME});
@@ -141,9 +143,9 @@ public class AttributQueryAction implements IAction {
metadataProvider, issuerEntityID, attrQuery, date,
assertion, authConfig.isPVP2AssertionEncryptionActive());
- SoapBinding decoder = new SoapBinding();
+ SoapBinding decoder = springContext.getBean("PVPSOAPBinding", SoapBinding.class);
decoder.encodeRespone(httpReq, httpResp, authResponse, null, null,
- pvpCredentials.getIDPAssertionSigningCredential());
+ pvpCredentials.getIDPAssertionSigningCredential(), pendingReq);
return null;
} catch (MessageEncodingException e) {
@@ -225,9 +227,9 @@ public class AttributQueryAction implements IAction {
}
//check next IDP service area policy. BusinessService IDPs can only request wbPKs
- if (!spConfig.getBusinessService() && !idp.isIDPPublicService()) {
+ if (!spConfig.hasBaseIdTransferRestriction() && !idp.isIDPPublicService()) {
Logger.error("Interfederated IDP " + idp.getPublicURLPrefix()
- + " has a BusinessService-IDP but requests PublicService attributes.");
+ + " is a BusinessService-IDP but requests PublicService attributes.");
throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()});
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
index aac49844e..9d60ae4b2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
@@ -35,6 +35,7 @@ import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
@@ -62,6 +63,7 @@ public class AuthenticationAction implements IAction {
@Autowired IDPCredentialProvider pvpCredentials;
@Autowired AuthConfiguration authConfig;
@Autowired(required=true) private MOAMetadataProvider metadataProvider;
+ @Autowired(required=true) ApplicationContext springContext;
public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq,
HttpServletResponse httpResp, IAuthData authData) throws MOAIDException {
@@ -102,11 +104,11 @@ public class AuthenticationAction implements IAction {
if (consumerService.getBinding().equals(
SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
- binding = new RedirectBinding();
+ binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class);
} else if (consumerService.getBinding().equals(
SAMLConstants.SAML2_POST_BINDING_URI)) {
- binding = new PostBinding();
+ binding = springContext.getBean("PVPPOSTBinding", PostBinding.class);
}
@@ -117,7 +119,7 @@ public class AuthenticationAction implements IAction {
try {
binding.encodeRespone(httpReq, httpResp, authResponse,
consumerService.getLocation(), moaRequest.getRelayState(),
- pvpCredentials.getIDPAssertionSigningCredential());
+ pvpCredentials.getIDPAssertionSigningCredential(), req);
//set protocol type
sloInformation.setProtocolType(req.requestedModule());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index a7a249eed..216d7a8b1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -444,13 +444,13 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
IEncoder encoder = null;
if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
- encoder = new RedirectBinding();
+ encoder = applicationContext.getBean("PVPRedirectBinding", RedirectBinding.class);
} else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
- encoder = new PostBinding();
+ encoder = applicationContext.getBean("PVPPOSTBinding", PostBinding.class);
} else if (pvpRequest.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) {
- encoder = new SoapBinding();
+ encoder = applicationContext.getBean("PVPSOAPBinding", SoapBinding.class);
}
if(encoder == null) {
@@ -465,7 +465,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
X509Credential signCred = pvpCredentials.getIDPAssertionSigningCredential();
encoder.encodeRespone(request, response, samlResponse, pvpRequest.getConsumerURL(),
- relayState, signCred);
+ relayState, signCred, protocolRequest);
return true;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
index ff703d585..f709da213 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
@@ -111,7 +111,7 @@ public class SingleLogOutAction implements IAction {
//LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, null);
Logger.info("Sending SLO success message to requester ...");
- sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
+ sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState(), pvpReq);
return null;
} else {
@@ -127,7 +127,7 @@ public class SingleLogOutAction implements IAction {
//LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, null);
Logger.info("Sending SLO success message to requester ...");
- sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
+ sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState(), pvpReq);
return null;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
index 3b2fb3687..ccbef6e6c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
@@ -31,6 +31,7 @@ import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
public interface IEncoder {
@@ -43,12 +44,13 @@ public interface IEncoder {
* @param targetLocation URL, where the request should be transmit
* @param relayState token for session handling
* @param credentials Credential to sign the request object
+ * @param pendingReq Internal MOA-ID request object that contains session-state informations but never null
* @throws MessageEncodingException
* @throws SecurityException
* @throws PVP2Exception
*/
public void encodeRequest(HttpServletRequest req,
- HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState, Credential credentials)
+ HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
throws MessageEncodingException, SecurityException, PVP2Exception;
/**
@@ -59,10 +61,11 @@ public interface IEncoder {
* @param targetLocation URL, where the request should be transmit
* @param relayState token for session handling
* @param credentials Credential to sign the response object
+ * @param pendingReq Internal MOA-ID request object that contains session-state informations but never null
* @throws MessageEncodingException
* @throws SecurityException
*/
public void encodeRespone(HttpServletRequest req,
- HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState, Credential credentials)
+ HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
throws MessageEncodingException, SecurityException, PVP2Exception;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 9977e607b..c7688c14b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -25,13 +25,11 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.apache.velocity.app.VelocityEngine;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.binding.decoding.URIComparator;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
-import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
@@ -49,8 +47,17 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+import at.gv.egovernment.moa.id.auth.frontend.builder.GUIFormBuilderImpl;
+import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithFileSystemLoad;
import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.id.opemsaml.MOAIDHTTPPostEncoder;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
@@ -62,10 +69,14 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
+@Service("PVPPOSTBinding")
public class PostBinding implements IDecoder, IEncoder {
+
+ @Autowired(required=true) AuthConfiguration authConfig;
+ @Autowired(required=true) GUIFormBuilderImpl guiBuilder;
public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
- RequestAbstractType request, String targetLocation, String relayState, Credential credentials)
+ RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
throws MessageEncodingException, SecurityException {
try {
@@ -75,9 +86,18 @@ public class PostBinding implements IDecoder, IEncoder {
//load default PVP security configurations
MOADefaultBootstrap.initializeDefaultPVPConfiguration();
- VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine();
- HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
- "resources/templates/pvp_postbinding_template.html");
+ //initialize POST binding encoder with template decoration
+ IGUIBuilderConfiguration guiConfig =
+ new SPSpecificGUIBuilderConfigurationWithFileSystemLoad(
+ pendingReq,
+ "pvp_postbinding_template.html",
+ MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL,
+ null,
+ authConfig.getRootConfigFileDir());
+ MOAIDHTTPPostEncoder encoder = new MOAIDHTTPPostEncoder(guiConfig, guiBuilder,
+ VelocityProvider.getClassPathVelocityEngine());
+
+ //set OpenSAML2 process parameter into binding context dao
HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
resp, true);
BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
@@ -103,22 +123,27 @@ public class PostBinding implements IDecoder, IEncoder {
}
public void encodeRespone(HttpServletRequest req, HttpServletResponse resp,
- StatusResponseType response, String targetLocation, String relayState, Credential credentials)
+ StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
throws MessageEncodingException, SecurityException {
try {
-// X509Credential credentials = credentialProvider
-// .getIDPAssertionSigningCredential();
-
//load default PVP security configurations
MOADefaultBootstrap.initializeDefaultPVPConfiguration();
Logger.debug("create SAML POSTBinding response");
- VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine();
-
- HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
- "resources/templates/pvp_postbinding_template.html");
+ //initialize POST binding encoder with template decoration
+ IGUIBuilderConfiguration guiConfig =
+ new SPSpecificGUIBuilderConfigurationWithFileSystemLoad(
+ pendingReq,
+ "pvp_postbinding_template.html",
+ MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL,
+ null,
+ authConfig.getRootConfigFileDir());
+ MOAIDHTTPPostEncoder encoder = new MOAIDHTTPPostEncoder(guiConfig, guiBuilder,
+ VelocityProvider.getClassPathVelocityEngine());
+
+ //set OpenSAML2 process parameter into binding context dao
HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
resp, true);
BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 279038967..95c4f1726 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -31,7 +31,6 @@ import org.opensaml.common.binding.decoding.URIComparator;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
-import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.StatusResponseType;
@@ -50,7 +49,9 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
+import org.springframework.stereotype.Service;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
@@ -58,14 +59,16 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.IMOARefreshableMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOASAML2AuthRequestSignedRole;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
+@Service("PVPRedirectBinding")
public class RedirectBinding implements IDecoder, IEncoder {
public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
- RequestAbstractType request, String targetLocation, String relayState, Credential credentials)
+ RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
throws MessageEncodingException, SecurityException {
// try {
@@ -100,7 +103,7 @@ public class RedirectBinding implements IDecoder, IEncoder {
public void encodeRespone(HttpServletRequest req, HttpServletResponse resp,
StatusResponseType response, String targetLocation, String relayState,
- Credential credentials) throws MessageEncodingException, SecurityException {
+ Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException {
// try {
// X509Credential credentials = credentialProvider
// .getIDPAssertionSigningCredential();
@@ -156,10 +159,10 @@ public class RedirectBinding implements IDecoder, IEncoder {
SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
- SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
+ MOASAML2AuthRequestSignedRole signedRole = new MOASAML2AuthRequestSignedRole();
BasicSecurityPolicy policy = new BasicSecurityPolicy();
- policy.getPolicyRules().add(signatureRule);
- policy.getPolicyRules().add(signedRole);
+ policy.getPolicyRules().add(signedRole);
+ policy.getPolicyRules().add(signatureRule);
SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
policy);
messageContext.setSecurityPolicyResolver(resolver);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index 94d91694a..552b64ac6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -48,7 +48,9 @@ import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.SignableXMLObject;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
@@ -60,6 +62,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
+@Service("PVPSOAPBinding")
public class SoapBinding implements IDecoder, IEncoder {
@Autowired(required=true) private MOAMetadataProvider metadataProvider;
@@ -136,13 +139,13 @@ public class SoapBinding implements IDecoder, IEncoder {
}
public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
- RequestAbstractType request, String targetLocation, String relayState, Credential credentials)
+ RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
throws MessageEncodingException, SecurityException, PVP2Exception {
}
public void encodeRespone(HttpServletRequest req, HttpServletResponse resp,
- StatusResponseType response, String targetLocation, String relayState, Credential credentials)
+ StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
throws MessageEncodingException, SecurityException, PVP2Exception {
// try {
// Credential credentials = credentialProvider
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
index 2df72637d..4aa4f7419 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
@@ -59,7 +59,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableEx
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.Constants;
/**
* @author tlenz
@@ -70,7 +69,7 @@ public class AttributQueryBuilder {
@Autowired IDPCredentialProvider credentialProvider;
- public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) {
+ public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) throws ConfigurationException {
Logger.debug("Build OA specific Attributes for AttributQuery request");
@@ -87,17 +86,13 @@ public class AttributQueryBuilder {
} else {
//add OA specific information
if (rA.equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
- if (oa.getBusinessService())
- attr = generator.buildStringAttribute(attr.getFriendlyName(),
- attr.getName(), oa.getIdentityLinkDomainIdentifier());
- else
- attr = generator.buildStringAttribute(attr.getFriendlyName(),
- attr.getName(), Constants.URN_PREFIX_CDID + "+" + oa.getTarget());
+ attr = generator.buildStringAttribute(attr.getFriendlyName(),
+ attr.getName(), oa.getAreaSpecificTargetIdentifier());
+
}
//TODO: add attribute values for SSO with mandates (ProfileList)
-
-
+
attrList.add(attr);
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
index 01ef4a43d..f29418853 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
@@ -44,6 +44,8 @@ import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.commons.api.IRequest;
@@ -64,6 +66,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
@Service("PVPAuthnRequestBuilder")
public class PVPAuthnRequestBuilder {
+ @Autowired(required=true) ApplicationContext springContext;
/**
* Build a PVP2.x specific authentication request
@@ -202,17 +205,17 @@ public class PVPAuthnRequestBuilder {
IEncoder binding = null;
if (endpoint.getBinding().equals(
SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
- binding = new RedirectBinding();
+ binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class);
} else if (endpoint.getBinding().equals(
SAMLConstants.SAML2_POST_BINDING_URI)) {
- binding = new PostBinding();
+ binding = springContext.getBean("PVPPOSTBinding", PostBinding.class);
}
//encode message
binding.encodeRequest(null, httpResp, authReq,
- endpoint.getLocation(), pendingReq.getRequestID(), config.getAuthnRequestSigningCredential());
+ endpoint.getLocation(), pendingReq.getRequestID(), config.getAuthnRequestSigningCredential(), pendingReq);
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index de59e6055..4fef52aec 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -59,6 +59,7 @@ import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.Signer;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Service;
import org.w3c.dom.Document;
@@ -95,7 +96,9 @@ import at.gv.egovernment.moa.logging.Logger;
public class SingleLogOutBuilder {
@Autowired(required=true) private MOAMetadataProvider metadataProvider;
+ @Autowired(required=true) ApplicationContext springContext;
@Autowired private IDPCredentialProvider credentialProvider;
+
public void checkStatusCode(ISLOInformationContainer sloContainer, LogoutResponse logOutResp) {
Status status = logOutResp.getStatus();
@@ -185,15 +188,15 @@ public class SingleLogOutBuilder {
public void sendFrontChannelSLOMessage(SingleLogoutService consumerService,
LogoutResponse sloResp, HttpServletRequest req, HttpServletResponse resp,
- String relayState) throws MOAIDException {
+ String relayState, PVPTargetConfiguration pvpReq) throws MOAIDException {
IEncoder binding = null;
if (consumerService.getBinding().equals(
SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
- binding = new RedirectBinding();
+ binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class);
} else if (consumerService.getBinding().equals(
SAMLConstants.SAML2_POST_BINDING_URI)) {
- binding = new PostBinding();
+ binding = springContext.getBean("PVPPOSTBinding", PostBinding.class);
}
@@ -204,7 +207,7 @@ public class SingleLogOutBuilder {
try {
binding.encodeRespone(req, resp, sloResp,
consumerService.getLocation(), relayState,
- credentialProvider.getIDPAssertionSigningCredential());
+ credentialProvider.getIDPAssertionSigningCredential(), pvpReq);
} catch (MessageEncodingException e) {
Logger.error("Message Encoding exception", e);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 55d8fa1ff..45539da3f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -60,11 +60,11 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBod
import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.data.SLOInformationImpl;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
@@ -338,20 +338,8 @@ public class PVP2AssertionBuilder implements PVPConstants {
}
//set bPK-Type from configuration, because it MUST be equal to service-provider type
- if (oaParam.getBusinessService()) {
- if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
- bpktype = oaParam.getIdentityLinkDomainIdentifier();
- else
- bpktype = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier();
-
- } else {
- if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+"))
- bpktype = oaParam.getTarget();
- else
- bpktype = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget();
-
- }
-
+ bpktype = oaParam.getAreaSpecificTargetIdentifier();
+
} else {
//sourcePin is include --> check sourcePinType
if (MiscUtil.isEmpty(bpktype))
@@ -365,21 +353,10 @@ public class PVP2AssertionBuilder implements PVPConstants {
}
- if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {
- if (oaParam.getBusinessService()) {
- subjectNameID.setValue(new BPKBuilder().buildWBPK(bpk, oaParam.getIdentityLinkDomainIdentifier()));
- if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
- subjectNameID.setNameQualifier(oaParam.getIdentityLinkDomainIdentifier());
- else
- subjectNameID.setNameQualifier(Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier());
-
- } else {
- subjectNameID.setValue(new BPKBuilder().buildBPK(bpk, oaParam.getTarget()));
- if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+"))
- subjectNameID.setNameQualifier(oaParam.getTarget());
- else
- subjectNameID.setNameQualifier(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
- }
+ if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {
+ Pair<String, String> calcbPK = new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, oaParam.getAreaSpecificTargetIdentifier());
+ subjectNameID.setValue(calcbPK.getFirst());
+ subjectNameID.setNameQualifier(calcbPK.getSecond());
} else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 5380d7f53..ab355646c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -217,6 +217,9 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
Logger.warn("Refresh PVP2X metadata for onlineApplication: "
+ entityID + " FAILED.", e);
+ } catch (ConfigurationException e) {
+ Logger.warn("Refresh PVP2X metadata for onlineApplication: "
+ + entityID + " FAILED.", e);
}
return false;
@@ -484,13 +487,13 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
}
- private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException {
+ private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException {
PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate);
filterChain.getFilters().add(new SchemaValidationFilter());
if (oaParam.isInderfederationIDP()) {
Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies");
- filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.getBusinessService()));
+ filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.hasBaseIdTransferRestriction()));
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java
new file mode 100644
index 000000000..efcf21b50
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.validation;
+
+import org.opensaml.common.binding.SAMLMessageContext;
+import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
+import org.opensaml.ws.transport.http.HTTPInTransport;
+import org.opensaml.xml.util.DatatypeHelper;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOASAML2AuthRequestSignedRole extends SAML2AuthnRequestsSignedRule {
+
+ @Override
+ protected boolean isMessageSigned(SAMLMessageContext messageContext) {
+ // This handles HTTP-Redirect and HTTP-POST-SimpleSign bindings.
+ HTTPInTransport inTransport = (HTTPInTransport) messageContext.getInboundMessageTransport();
+ String sigParam = inTransport.getParameterValue("Signature");
+ boolean isSigned = !DatatypeHelper.isEmpty(sigParam);
+
+ String sigAlgParam = inTransport.getParameterValue("SigAlg");
+ boolean isSigAlgExists = !DatatypeHelper.isEmpty(sigAlgParam);
+
+ return isSigned && isSigAlgExists;
+
+ }
+}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 50b2c5ece..05f58d5bc 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -88,6 +88,8 @@ config.24=MOA-ID-Auth Configfile {1} does not start with {0} prefix.
config.25=Der verwendete IDP PublicURLPrefix {0} ist nicht erlaubt.
config.26=Federated IDP {0} contains no AttributeQuery URL.
config.27=Fehler beim Verarbeiten eines Konfigurationsparameters. Msg:{0}
+config.28=Fehler beim initialisieren des SSL-TrustManagers. Zertifikat {0} kann nicht geladen werden; Ursache: {1}
+config.29=Fehler beim initialisieren des SSL-TrustManagers. TrustStore: {0} | Ursache: {1}
parser.00=Leichter Fehler beim Parsen: {0}
parser.01=Fehler beim Parsen: {0}
@@ -273,6 +275,7 @@ eIDAS.13=Generation of eIDAS Response FAILED. Reason:{0}
eIDAS.14=eIDAS Response validation FAILED: LevelOfAssurance {0} is to low.
eIDAS.15=Generation of eIDAS Response FAILED. Required attribute: {0} is NOT available.
eIDAS.16=eIDAS Response attribute-validation FAILED. Attribute:{0} Reason: {1}.
+eIDAS.17=Generation of eIDAS Response FAILED. Citzen use mandates for authentication but there are no mandate attributes requested
pvp2.01=Fehler beim kodieren der PVP2 Antwort
pvp2.02=Ungueltiges Datumsformat
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index c6d0844ce..0a37fdc91 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -230,6 +230,7 @@ eIDAS.13=1307
eIDAS.14=1301
eIDAS.15=1307
eIDAS.16=1301
+eIDAS.17=1307
pvp2.01=6100
pvp2.06=6100
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html b/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html
deleted file mode 100644
index f5bca7f1f..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html
+++ /dev/null
@@ -1,193 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
-<html>
-<head>
-<BASE href="<BASE_href>">
- <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
- <title>Berufsm&auml;&szlig;ige Parteieinvertretung</title>
-</head>
-<body>
- Berufsm&auml;&szlig;ige Parteienvertretung einer
- nat&uuml;rlichen/juristischen Person
- <form name="ProcessInputForm" method="post" accept-charset="UTF-8"
- enctype="application/x-www-form-urlencoded" action="<BKU>">
- <table width="80%" border="0">
- <tr />
- <tr />
- <tr>
- <td colspan="3"><em>Vertreter:</em></td>
- </tr>
- <tr>
- <td align="right" width="20%">Vorname&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpgivenname_" type="text" disabled="true"
- id="rpgivenname" value="<rpgivenname>" size="50" readonly="true" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Name&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpfamilyname_" type="text" disabled="true"
- id="rpfamilyname" value="<rpfamilyname>" size="50" readonly="true" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Geburtsdatum&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpdobyear_" type="text" disabled="true"
- id="rpdobyear" value="<rpdobyear>" size="4" maxlength="4"
- readonly="true" /> - <input name="rpdobmonth_" type="text"
- disabled="true" id="rpdobmonth" value="<rpdobmonth>" size="2"
- maxlength="2" readonly="true" /> - <input name="rpdobday_"
- type="text" disabled="true" id="rpdobday" value="<rpdobday>"
- size="2" maxlength="2" readonly="true" /></td>
- <td></td>
- </tr>
- <tr>
- <td colspan="2"><br /> <em>Ich bin berufsm&auml;&szlig;ig
- berechtigt f&uuml;r die nachfolgend genannte Person in deren Namen
- mit der B&uuml;rgerkarte einzuschreiten.</em></td>
- <td>&nbsp;</td>
- </tr>
- <tr>
- <td colspan="3"><br /> <em>Vertretene Person:</em></td>
- </tr>
- <tr>
- <td colspan="3"><input name="physical_" type="radio"
- physdisabled="" value="true" physselected="" />&nbsp;nat&uuml;rliche
- Person:&nbsp;</td>
- </tr>
- <tr>
- <td align="right">Vorname&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="givenname_" type="text" id="givenname"
- value="<givenname>" physdisabled="" size="50" />&nbsp;<img
- src="img/info.gif" title="Vorname laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Name&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="familyname_" type="text" id="familyname"
- value="<familyname>" physdisabled="" size="50" />&nbsp;<img
- src="img/info.gif" title="Familienname laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Geburtsdatum&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="dobyear_" type="text" id="dobyear" size="4"
- maxlength="4" value="<dobyear>" physdisabled="" /> - <input
- name="dobmonth_" type="text" id="dobmonth" size="2" maxlength="2"
- value="<dobmonth>" physdisabled="" /> - <input name="dobday_"
- type="text" id="dobday" size="2" maxlength="2" value="<dobday>"
- physdisabled="" />&nbsp;<img src="img/info.gif"
- title="Format: JJJJ-MM-TT" alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="center"><em>optional:</em></td>
- <td colspan="2" />
- </tr>
- <tr>
- <td align="right">Stra&szlig;e&nbsp;</td>
- <td><input name="streetname_" type="text" id="streetname"
- value="<streetname>" physdisabled="" size="50" />&nbsp;<img
- src="img/info.gif" title="Stra&szlig;e laut ZMR Schreibweise"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Hausnummer&nbsp;</td>
- <td><input name="buildingnumber_" type="text"
- id="buildingnumber" value="<buildingnumber>" physdisabled=""
- size="50" />&nbsp;<img src="img/info.gif"
- title="Hausnummer laut ZMR Schreibweise" alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Einh. Nr.&nbsp;</td>
- <td><input name="unit_" type="text" id="unit" value="<unit>"
- size="50" physdisabled="" />&nbsp;<img src="img/info.gif"
- title="Nutzungseinheitsnummer laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Postleitzahl&nbsp;</td>
- <td><input name="postalcode_" type="text" id="postalcode"
- value="<postalcode>" size="50" physdisabled="" />&nbsp;<img
- src="img/info.gif" title="Postleitzahl laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Gemeinde&nbsp;</td>
- <td><input name="municipality_" type="text" id="municipality"
- value="<municipality>" size="50" physdisabled="" />&nbsp;<img
- src="img/info.gif" title="Gemeinde laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td colspan="3">&nbsp;</td>
- </tr>
- <tr>
- <td colspan="3"><input name="physical_" type="radio"
- cbdisabled="" value="false" cbselected=""/ >&nbsp;juristische
- Person:&nbsp;</td>
- </tr>
- <tr>
- <td align="right">Name&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" src="img/stern.gif"
- alt="Stern" width="10" height="16" /></td>
- <td><input name="fullname_" type="text" cbdisabled=""
- id="fullname" value="<fullname>" size="50" />&nbsp;<img
- src="img/info.gif"
- title="Name der Organisation laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right" nowrap="nowrap"><select
- name="cbidentificationtype_" size="1" cbseldisabled="">
- <option value="urn:publicid:gv.at:baseid+XFN" fnselected="">Firmenbuchnummer</option>
- <option value="urn:publicid:gv.at:baseid+XZVR" vrselected="">Vereinsnummer</option>
- <option value="urn:publicid:gv.at:baseid+XERSB" ersbselected="">Ord.Nr.im
- Erg&auml;nzungsreg.</option>
- </select>&nbsp;<img title=" Dieses Feld muss ausgef&uuml;llt sein!"
- src="img/stern.gif" alt="Stern" width="10" height="16" /></td>
- <td><input name="cbidentificationvalue_" type="text"
- cbdisabled="" id="cbidentificationvalue"
- value="<cbidentificationvalue>" size="50" />&nbsp;<img
- src="img/info.gif" title="Ordnungsbegriff laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- </table>
- <br />
- <errortext>
- <p>
- <em>Bitte halten Sie Ihre B&uuml;rgerkartenumgebung bereit.</em>
- </p>
- <p>
- <input name="XMLRequest" type="hidden"
- value="&lt;?xml version='1.0' encoding='UTF-8'?>&lt;NullOperationRequest xmlns='http://www.buergerkarte.at/namespaces/securitylayer/1.2#'/>" />
- <input name="DataURL" type="hidden" value="<DataURL>" /> <input
- type="submit" name="Submit" value=" Weiter " /> <input
- name="Clear" type="reset" id="Clear"
- value="Formular zur&uuml;cksetzen" />
- </p>
- <br />
- </form>
-</body>
-</html>
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html b/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html
deleted file mode 100644
index cffc46981..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html
+++ /dev/null
@@ -1,235 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
-
-<html>
-<head>
-<BASE href="<BASE_href>">
- <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
- <title>Berufsm&auml;&szlig;ige Parteieinvertretung</title>
- <link href="css/styles.css" type="text/css" rel="stylesheet">
- <link href="css/styles_opera.css" type="text/css" rel="stylesheet">
- <link href="css/mandates.css" type="text/css" rel="stylesheet">
-
- <script src="formallg.js" type="text/javascript"></script>
- <script src="fa.js" type="text/javascript"></script>
-</head>
-<body>
-
-
- <div class="hleft">
- <!--Stammzahlenregisterbehörde<br/>-->
- &nbsp;
- <!--Ballhausplatz 2<br/>-->
- <!--1014 Wien-->
- </div>
- <div class="hright" align="right">
- <img src="img/egov_schrift.gif" alt="E-Gov Logo" />
- </div>
- <div class="htitle" align="left">
- <h1>Berufsm&auml;&szlig;ige Parteienvertretung</h1>
- </div>
- <div class="leiste1" align="center">Bitte beachten Sie</div>
- <div class="leiste2" align="center"></div>
- <div class="leiste3">
- <img title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" />&nbsp; Feld muss
- ausgef&uuml;llt sein
- </div>
- <div class="leiste3">
- <img title=" Hilfe zum Ausfüllen " alt="Info" src="img/info.gif"
- width="10" height="16" />&nbsp; Ausf&uuml;llhilfe
- </div>
- <div class="leiste3">
- <img title=" Angabe bitte ergänzen oder richtig stellen! "
- alt="Rufezeichen" src="img/rufezeichen.gif" width="10" height="16" />&nbsp;
- Fehlerhinweis
- </div>
- <div style="clear: both">&nbsp;</div>
-
- <h2>Berufsm&auml;&szlig;ige Parteienvertretung einer
- nat&uuml;rlichen/juristischen Person</h2>
- <div class="boundingbox">
- <form name="ProcessInputForm" method="post" accept-charset="UTF-8"
- enctype="application/x-www-form-urlencoded" action="<BKU>">
- <table width="80%" border="0">
- <tr />
- <tr />
- <tr>
- <td colspan="3"><em>Vertreter:</em></td>
- </tr>
- <tr>
- <td align="right" width="20%">Vorname&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpgivenname_" type="text" disabled="true"
- id="rpgivenname" value="<rpgivenname>" size="50" readonly="true" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Name&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpfamilyname_" type="text" disabled="true"
- id="rpfamilyname" value="<rpfamilyname>" size="50" readonly="true" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Geburtsdatum&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpdobyear_" type="text" disabled="true"
- id="rpdobyear" value="<rpdobyear>" size="4" maxlength="4"
- readonly="true" /> - <input name="rpdobmonth_" type="text"
- disabled="true" id="rpdobmonth" value="<rpdobmonth>" size="2"
- maxlength="2" readonly="true" /> - <input name="rpdobday_"
- type="text" disabled="true" id="rpdobday" value="<rpdobday>"
- size="2" maxlength="2" readonly="true" /></td>
- <td></td>
- </tr>
- <tr>
- <td colspan="2"><br /> <em>Ich bin berufsm&auml;&szlig;ig
- berechtigt f&uuml;r die nachfolgend genannte Person in deren
- Namen mit der B&uuml;rgerkarte einzuschreiten.</em></td>
- <td>&nbsp;</td>
- </tr>
- <tr>
- <td colspan="3"><br /> <em>Vertretene Person:</em></td>
- </tr>
- <tr>
- <td colspan="3"><input name="physical_" type="radio"
- physdisabled="" value="true" physselected="" />&nbsp;nat&uuml;rliche
- Person:&nbsp;</td>
- </tr>
- <tr>
- <td align="right">Vorname&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="givenname_" type="text" id="givenname"
- value="<givenname>" physdisabled="" size="50" />&nbsp;<img
- src="img/info.gif" title="Vorname laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Name&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="familyname_" type="text" id="familyname"
- value="<familyname>" physdisabled="" size="50" />&nbsp;<img
- src="img/info.gif" title="Familienname laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Geburtsdatum&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="dobyear_" type="text" id="dobyear" size="4"
- maxlength="4" value="<dobyear>" physdisabled="" /> - <input
- name="dobmonth_" type="text" id="dobmonth" size="2" maxlength="2"
- value="<dobmonth>" physdisabled="" /> - <input name="dobday_"
- type="text" id="dobday" size="2" maxlength="2" value="<dobday>"
- physdisabled="" />&nbsp;<img src="img/info.gif"
- title="Format: JJJJ-MM-TT" alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="center"><em>optional:</em></td>
- <td colspan="2" />
- </tr>
- <tr>
- <td align="right">Stra&szlig;e&nbsp;</td>
- <td><input name="streetname_" type="text" id="streetname"
- value="<streetname>" physdisabled="" size="50" />&nbsp;<img
- src="img/info.gif" title="Stra&szlig;e laut ZMR Schreibweise"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Hausnummer&nbsp;</td>
- <td><input name="buildingnumber_" type="text"
- id="buildingnumber" value="<buildingnumber>" physdisabled=""
- size="50" />&nbsp;<img src="img/info.gif"
- title="Hausnummer laut ZMR Schreibweise" alt="Info" border="0" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Einh. Nr.&nbsp;</td>
- <td><input name="unit_" type="text" id="unit" value="<unit>"
- size="50" physdisabled="" />&nbsp;<img src="img/info.gif"
- title="Nutzungseinheitsnummer laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Postleitzahl&nbsp;</td>
- <td><input name="postalcode_" type="text" id="postalcode"
- value="<postalcode>" size="50" physdisabled="" />&nbsp;<img
- src="img/info.gif" title="Postleitzahl laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Gemeinde&nbsp;</td>
- <td><input name="municipality_" type="text" id="municipality"
- value="<municipality>" size="50" physdisabled="" />&nbsp;<img
- src="img/info.gif" title="Gemeinde laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td colspan="3">&nbsp;</td>
- </tr>
- <tr>
- <td colspan="3"><input name="physical_" type="radio"
- cbdisabled="" value="false" cbselected=""/ >&nbsp;juristische
- Person:&nbsp;</td>
- </tr>
- <tr>
- <td align="right">Name&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!"
- src="img/stern.gif" alt="Stern" width="10" height="16" /></td>
- <td><input name="fullname_" type="text" cbdisabled=""
- id="fullname" value="<fullname>" size="50" />&nbsp;<img
- src="img/info.gif"
- title="Name der Organisation laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right" nowrap="nowrap"><select
- name="cbidentificationtype_" size="1" cbseldisabled="">
- <option value="urn:publicid:gv.at:baseid+XFN" fnselected="">Firmenbuchnummer</option>
- <option value="urn:publicid:gv.at:baseid+XZVR" vrselected="">Vereinsnummer</option>
- <option value="urn:publicid:gv.at:baseid+XERSB" ersbselected="">Ord.Nr.im
- Erg&auml;nzungsreg.</option>
- </select>&nbsp;<img title=" Dieses Feld muss ausgef&uuml;llt sein!"
- src="img/stern.gif" alt="Stern" width="10" height="16" /></td>
- <td><input name="cbidentificationvalue_" type="text"
- cbdisabled="" id="cbidentificationvalue"
- value="<cbidentificationvalue>" size="50" />&nbsp;<img
- src="img/info.gif" title="Ordnungsbegriff laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- </table>
- <br />
- <errortext>
- <p>
- <em>Bitte halten Sie Ihre B&uuml;rgerkartenumgebung bereit.</em>
- </p>
- <p>
- <input name="XMLRequest" type="hidden"
- value="&lt;?xml version='1.0' encoding='UTF-8'?>&lt;NullOperationRequest xmlns='http://www.buergerkarte.at/namespaces/securitylayer/1.2#'/>" />
- <input name="DataURL" type="hidden" value="<DataURL>" /> <input
- type="submit" name="Submit" value=" Weiter " /> <input
- name="Clear" type="reset" id="Clear"
- value="Formular zur&uuml;cksetzen" />
- </p>
- <br />
- </form>
- </div>
-</body>
-</html>
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html b/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html
deleted file mode 100644
index f47ee53ff..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html
+++ /dev/null
@@ -1,16 +0,0 @@
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-
- <body>
- <form action="${action}" method="post" target="_parent">
- <div>
- <input type="hidden" name="SAMLResponse" value="${SAMLResponse}"/>
- </div>
- <p>Please indicate the gender of the represented.</p>
- <div>
- <input type="submit" name="gender" value="M"/>
- <input type="submit" name="gender" value="F"/>
- </div>
- </form>
-
- </body>
-</html> \ No newline at end of file
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm b/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm
deleted file mode 100644
index 7fcc1bb36..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm
+++ /dev/null
@@ -1,36 +0,0 @@
-##
-## Velocity Template for OASIS WEBFORM BINDING
-##
-## Velocity context may contain the following properties
-## action - String - the action URL for the form
-## signresponse - String - the Base64 encoded SAML Request
-## verifyresponse - String - the Base64 encoded SAML Response
-## clienturl - String - URL where the USer gets redirected after the signature process
-
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-
- <body onload="document.forms[0].submit()">
- <noscript>
- <p>
- <strong>Note:</strong> Since your browser does not support JavaScript,
- you must press the Continue button once to proceed.
- </p>
- </noscript>
-
- <form action="${action}" method="post">
- <div>
- #if($signrequest)<input type="hidden" name="signrequest" value="${signrequest}"/>#end
-
- #if($verifyrequest)<input type="hidden" name="verifyrequest" value="${verifyrequest}"/>#end
- #if($clienturl)<input type="hidden" name="clienturl" value="${clienturl}"/>#end
-
- </div>
- <noscript>
- <div>
- <input type="submit" value="Continue"/>
- </div>
- </noscript>
- </form>
-
- </body>
-</html> \ No newline at end of file
diff --git a/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html b/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html
new file mode 100644
index 000000000..45c183215
--- /dev/null
+++ b/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html
@@ -0,0 +1,46 @@
+## ## Velocity Template for SAML 2 HTTP-POST binding ## ## Velocity
+##context may contain the following properties ## action - String - the
+##action URL for the form ## RelayState - String - the relay state for the
+##message ## SAMLRequest - String - the Base64 encoded SAML Request ##
+##SAMLResponse - String - the Base64 encoded SAML Response
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+
+<body onload="document.forms[0].submit()">
+ <noscript>
+ <p>
+ <strong>Note:</strong> Since your browser does not support
+ JavaScript, you must press the Continue button once to proceed.
+ </p>
+ </noscript>
+
+
+ <div id="alert">Your login is being processed. Thank you for
+ waiting.</div>
+
+ <style type="text/css">
+<!--
+#alert {
+ margin: 100px 250px;
+ font-family: Verdana, Arial, Helvetica, sans-serif;
+ font-size: 14px;
+ font-weight: normal;
+}
+-->
+</style>
+
+ <form action="${action}" method="post" target="_parent">
+ <div>
+ #if($RelayState) <input type="hidden" name="RelayState" value="${RelayState}"/> #end
+ #if($SAMLRequest) <input type="hidden" name="SAMLRequest" value="${SAMLRequest}" /> #end
+ #if($SAMLResponse) <input type="hidden" name="SAMLResponse" value="${SAMLResponse}" /> #end
+ </div>
+ <noscript>
+ <div>
+ <input type="submit" value="Continue" />
+ </div>
+ </noscript>
+ </form>
+
+</body>
+</html> \ No newline at end of file
diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml
index c4007fc80..fd8ddc7fb 100644
--- a/id/server/moa-id-commons/pom.xml
+++ b/id/server/moa-id-commons/pom.xml
@@ -215,7 +215,7 @@
<dependency>
<groupId>com.sun.xml.bind</groupId>
<artifactId>jaxb-xjc</artifactId>
- <version>2.2.11</version>
+ <version>2.3.0</version>
</dependency>
<dependency>
@@ -227,7 +227,7 @@
<dependency>
<groupId>org.jvnet.jaxb2_commons</groupId>
<artifactId>jaxb2-basics-runtime</artifactId>
- <version>0.11.0</version>
+ <version>1.11.1</version>
</dependency>
<dependency>
@@ -257,7 +257,7 @@
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-jpa</artifactId>
- <version>1.10.4.RELEASE</version>
+ <version>${org.springframework.data.spring-data-jpa}</version>
</dependency>
@@ -301,7 +301,7 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-dbcp2</artifactId>
- <version>2.1.1</version>
+ <version>${org.apache.commons.commons.dbcp2}</version>
</dependency>
<dependency>
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
index b16941f51..6f6735d48 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
@@ -9,6 +9,7 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import iaik.asn1.ObjectID;
@@ -123,12 +124,12 @@ public class MOAIDAuthConstants extends MOAIDConstants{
/** List of OWs */
public static final List<ObjectID> OW_LIST = Arrays.asList(
new ObjectID(OW_ORGANWALTER));
-
- /**BKU type identifiers to use bkuURI from configuration*/
- public static final String REQ_BKU_TYPE_LOCAL = "local";
- public static final String REQ_BKU_TYPE_ONLINE = "online";
- public static final String REQ_BKU_TYPE_HANDY = "handy";
- public static final List<String> REQ_BKU_TYPES = Arrays.asList(REQ_BKU_TYPE_LOCAL, REQ_BKU_TYPE_ONLINE, REQ_BKU_TYPE_HANDY);
+
+ public static final List<String> REQ_BKU_TYPES = Arrays.asList(
+ IOAAuthParameters.HANDYBKU,
+ IOAAuthParameters.LOCALBKU,
+ IOAAuthParameters.THIRDBKU,
+ IOAAuthParameters.ONLINEBKU);
public static final List<String> LEGACYPARAMETERWHITELIST
= Arrays.asList(PARAM_TARGET, PARAM_BKU, PARAM_OA, PARAM_TEMPLATE, PARAM_USEMANDATE, PARAM_CCC, PARAM_SOURCEID);
@@ -171,24 +172,32 @@ public class MOAIDAuthConstants extends MOAIDConstants{
public static final String REGEX_PATTERN_TARGET = "^[A-Za-z]{2}(-.*)?$";
+ //MDC variables for logging
public static final String MDC_TRANSACTION_ID = "transactionId";
public static final String MDC_SESSION_ID = "sessionId";
+ public static final String MDC_SERVICEPROVIDER_ID = "oaId";
//AuthnRequest IssueInstant validation
public static final int TIME_JITTER = 5; //all 5 minutes time jitter
-
+
+ //General MOASession data-store keys
+ public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert";
+
+ //Process context keys
public static final String PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH = "interfederationAuthentication";
public static final String PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION = "requireLocalAuthentication";
public static final String PROCESSCONTEXT_PERFORM_BKUSELECTION = "performBKUSelection";
public static final String PROCESSCONTEXT_ISLEGACYREQUEST = "isLegacyRequest";
public static final String PROCESSCONTEXT_UNIQUE_OA_IDENTFIER = "uniqueSPId";
+ public static final String PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE = MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE;
//General protocol-request data-store keys
+ public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate";
+
+ @Deprecated
public static final String AUTHPROCESS_DATA_TARGET = "authProces_Target";
+ @Deprecated
public static final String AUTHPROCESS_DATA_TARGETFRIENDLYNAME = "authProces_TargetFriendlyName";
- public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate";
- //General MOASession data-store keys
- public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert";
-
+
}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
index e9f9a7e80..98f0616a5 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
@@ -28,6 +28,8 @@ import java.util.Hashtable;
import java.util.List;
import java.util.Map;
+import at.gv.egovernment.moa.util.Constants;
+
/**
* @author tlenz
*
@@ -40,9 +42,15 @@ public class MOAIDConstants {
public static final String FILE_URI_PREFIX = "file:/";
- public static final String PREFIX_WPBK = "urn:publicid:gv.at:wbpk+";
- public static final String PREFIX_STORK = "urn:publicid:gv.at:storkid+";
- public static final String PREFIX_EIDAS = "urn:publicid:gv.at:eidasid+";
+ public static final String PREFIX_BASEID = Constants.URN_PREFIX_BASEID;
+ public static final String PREFIX_PBK = Constants.URN_PREFIX_BPK;
+ public static final String PREFIX_HPI = Constants.URN_PREFIX_HPI;
+
+ public static final String PREFIX_CDID = Constants.URN_PREFIX_CDID + "+";
+ public static final String PREFIX_WPBK = Constants.URN_PREFIX_WBPK + "+";
+ public static final String PREFIX_STORK = Constants.URN_PREFIX_STORK + "+";
+ public static final String PREFIX_EIDAS = Constants.URN_PREFIX_EIDAS + "+";
+
public static final String IDENIFICATIONTYPE_FN = "FN";
public static final String IDENIFICATIONTYPE_ERSB = "ERSB";
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
index bba6d0541..1e1bfa94b 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
@@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS;
import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
/**
* @author tlenz
@@ -38,9 +39,16 @@ import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
*/
public interface IOAAuthParameters {
- public static final String ONLINEBKU = "online";
+ public static final String CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL = "configuration.restrictions.baseID.idpProcessing";
+ public static final String CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION = "configuration.restrictions.baseID.spTransmission";
+
+ public static final String THIRDBKU = "thirdBKU";
public static final String HANDYBKU = "handy";
public static final String LOCALBKU = "local";
+
+ @Deprecated
+ public static final String ONLINEBKU = "online";
+
public static final String INDERFEDERATEDIDP = "interfederated";
public static final String EIDAS = "eIDAS";
public static final String AUTHTYPE_OTHERS = "others";
@@ -63,20 +71,52 @@ public interface IOAAuthParameters {
public String getFriendlyName();
public String getPublicURLPrefix();
-
- public String getOaType();
- public boolean getBusinessService();
+ /**
+ * Indicates if this online applications has private area restrictions that disallow baseId processing in general
+ * This restriction is evaluated from area-identifier of this online application and a policy from configuration.
+ * The configuration key 'configuration.restrictions.baseID.idpProcessing' specifies a list of comma-separated values
+ * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix
+ * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs
+ *
+ * @return true if there is a restriction, otherwise false
+ * @throws ConfigurationException In case of online-application configuration has public and private identifies
+ */
+ public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException;
+
/**
- * Get target of a public service-provider
+ * Indicates if this online applications has private area restrictions that disallow baseId transfer to OA
+ * This restriction is evaluated from area-identifier of this online application and a policy from configuration.
+ * The configuration key 'configuration.restrictions.baseID.spTransmission' specifies a list of comma-separated values
+ * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix
+ * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs
*
- * @return target identifier without prefix
+ * @return true if there is a restriction, otherwise false
+ * @throws ConfigurationException In case of online-application configuration has public and private identifies
*/
- public String getTarget();
+ public boolean hasBaseIdTransferRestriction() throws ConfigurationException;
- public String getTargetFriendlyName();
+ /**
+ * Get the full area-identifier for this online application to calculate the
+ * area-specific unique person identifier (bPK, wbPK, eIDAS unique identifier, ...).
+ * This identifier always contains the full prefix
+ *
+ * @return area identifier with prefix
+ * @throws ConfigurationException In case of online-application configuration has public and private identifies
+ */
+ public String getAreaSpecificTargetIdentifier() throws ConfigurationException;
+
+ /**
+ * Get a friendly name for the specific area-identifier of this online application
+ *
+ * @return fiendly name of the area-identifier
+ * @throws ConfigurationException In case of online-application configuration has public and private identifies
+ */
+ public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException;
+
+
public boolean isInderfederationIDP();
public boolean isSTORKPVPGateway();
@@ -84,13 +124,6 @@ public interface IOAAuthParameters {
public boolean isRemovePBKFromAuthBlock();
/**
- * Return the private-service domain-identifier with PreFix
- *
- * @return the identityLinkDomainIdentifier
- */
- public String getIdentityLinkDomainIdentifier();
-
- /**
* @return the keyBoxIdentifier
*/
public String getKeyBoxIdentifier();
@@ -138,11 +171,6 @@ public interface IOAAuthParameters {
*/
public List<String> getMandateProfiles();
- /**
- * @return the identityLinkDomainIdentifierType
- */
- public String getIdentityLinkDomainIdentifierType();
-
public boolean isShowMandateCheckBox();
public boolean isOnlyMandateAllowed();
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
index b8284c8f9..93f26051c 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
@@ -143,7 +143,9 @@ public class ConfigurationMigrationUtils {
if (MiscUtil.isNotEmpty(oa.getEventCodes())) {
result.put(MOAIDConfigurationConstants.SERVICE_REVERSION_LOGS_EVENTCODES, oa.getEventCodes());
}
-
+
+ result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL, oa.getMandateServiceSelectionTemplateURL());
+ result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, oa.getSaml2PostBindingTemplateURL());
//convert target
String target_full = oa.getTarget();
@@ -206,7 +208,7 @@ public class ConfigurationMigrationUtils {
if (bkuurls != null) {
result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY, bkuurls.getHandyBKU());
result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL, bkuurls.getLocalBKU());
- result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE, bkuurls.getOnlineBKU());
+ result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD, bkuurls.getOnlineBKU());
}
@@ -769,6 +771,9 @@ public class ConfigurationMigrationUtils {
}
dbOA.setSelectedSZRGWServiceURL(oa.get(MOAIDConfigurationConstants.SERVICE_EXTERNAL_SZRGW_SERVICE_URL));
+
+ dbOA.setMandateServiceSelectionTemplateURL(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL));
+ dbOA.setSaml2PostBindingTemplateURL(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL));
if (Boolean.valueOf(oa.get(MOAIDConfigurationConstants.SERVICE_BUSINESSSERVICE))) {
dbOA.setType(MOA_CONFIG_BUSINESSSERVICE);
@@ -826,7 +831,7 @@ public class ConfigurationMigrationUtils {
authoa.setBKUURLS(bkuruls);
bkuruls.setHandyBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY));
bkuruls.setLocalBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL));
- bkuruls.setOnlineBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE));
+ bkuruls.setOnlineBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD));
//store SecurtiyLayerTemplates
TemplatesType templates = authoa.getTemplates();
@@ -1433,7 +1438,7 @@ public class ConfigurationMigrationUtils {
defaultbkus.getHandyBKU());
result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL,
defaultbkus.getLocalBKU());
- result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE,
+ result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD,
defaultbkus.getOnlineBKU());
}
@@ -1443,7 +1448,7 @@ public class ConfigurationMigrationUtils {
slreq.getHandyBKU());
result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL,
slreq.getLocalBKU());
- result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE,
+ result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD,
slreq.getOnlineBKU());
}
@@ -1706,8 +1711,8 @@ public class ConfigurationMigrationUtils {
if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY)))
dbbkus.setHandyBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY));
- if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE)))
- dbbkus.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE));
+ if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD)))
+ dbbkus.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD));
if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL)))
dbbkus.setLocalBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL));
@@ -1895,8 +1900,8 @@ public class ConfigurationMigrationUtils {
slrequesttempl.setHandyBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY));
if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL)))
slrequesttempl.setLocalBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL));
- if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE)))
- slrequesttempl.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE));
+ if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD)))
+ slrequesttempl.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD));
if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_AUTH_TRUSTSTORE_URL)))
dbconfig.setTrustedCACertificates(moaconfig.get(MOAIDConfigurationConstants.GENERAL_AUTH_TRUSTSTORE_URL));
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
index 9fe90daa4..695df3123 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
@@ -70,7 +70,7 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants {
public static final String SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME = SERVICE_AUTH_TARGET_PUBLIC + ".own.name";
private static final String SERVICE_AUTH_BKU = AUTH + "." + BKU;
- public static final String SERVICE_AUTH_BKU_ONLINE = SERVICE_AUTH_BKU + ".onlineBKU";
+ public static final String SERVICE_AUTH_BKU_THIRD = SERVICE_AUTH_BKU + ".onlineBKU";
public static final String SERVICE_AUTH_BKU_LOCAL = SERVICE_AUTH_BKU + ".localBKU";
public static final String SERVICE_AUTH_BKU_HANDY = SERVICE_AUTH_BKU + ".handyBKU";
public static final String SERVICE_AUTH_BKU_KEYBOXIDENTIFIER = SERVICE_AUTH_BKU + ".keyBoxIdentifier";
@@ -105,6 +105,9 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants {
public static final String SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETHEIGHT = SERVICE_AUTH_TEMPLATES_CUSTOMIZATION + ".applet.hight";
public static final String SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETWIDTH = SERVICE_AUTH_TEMPLATES_CUSTOMIZATION + ".applet.width";
+ public static final String SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL = SERVICE_AUTH_TEMPLATES + ".saml2.postbinding.url";
+ public static final String SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL = SERVICE_AUTH_TEMPLATES + ".elga.mandateserviceselection.url";
+
private static final String SERVICE_AUTH_TESTCREDENTIALS = AUTH + "." + TESTCREDENTIALS;
public static final String SERVICE_AUTH_TESTCREDENTIALS_ENABLED = SERVICE_AUTH_TESTCREDENTIALS + ".enabled";
public static final String SERVICE_AUTH_TESTCREDENTIALS_OIDs = SERVICE_AUTH_TESTCREDENTIALS + ".oids";
@@ -193,13 +196,13 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants {
private static final String GENERAL_DEFAULTS = PREFIX_MOAID_GENERAL + ".defaults";
private static final String GENERAL_DEFAULTS_BKU = GENERAL_DEFAULTS + "." + BKU;
- public static final String GENERAL_DEFAULTS_BKU_ONLINE = GENERAL_DEFAULTS_BKU + ".onlineBKU";
+ public static final String GENERAL_DEFAULTS_BKU_THIRD = GENERAL_DEFAULTS_BKU + ".onlineBKU";
public static final String GENERAL_DEFAULTS_BKU_HANDY = GENERAL_DEFAULTS_BKU + ".handyBKU";
public static final String GENERAL_DEFAULTS_BKU_LOCAL = GENERAL_DEFAULTS_BKU + ".localBKU";
private static final String GENERAL_DEFAULTS_TEMPLATES = GENERAL_DEFAULTS + "." + TEMPLATES;
public static final String GENERAL_DEFAULTS_TEMPLATES_LOCAL = GENERAL_DEFAULTS_TEMPLATES + ".localBKU";
public static final String GENERAL_DEFAULTS_TEMPLATES_HANDY = GENERAL_DEFAULTS_TEMPLATES + ".handyBKU";
- public static final String GENERAL_DEFAULTS_TEMPLATES_ONLINE = GENERAL_DEFAULTS_TEMPLATES + ".onlineBKU";
+ public static final String GENERAL_DEFAULTS_TEMPLATES_THIRD = GENERAL_DEFAULTS_TEMPLATES + ".onlineBKU";
private static final String GENERAL_AUTH = PREFIX_MOAID_GENERAL + ".auth";
private static final String GENERAL_AUTH_CERTIFICATE = GENERAL_AUTH + ".certificate";
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java
index 4aee10bc1..196923ce6 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java
@@ -109,10 +109,44 @@ public class OnlineApplication
@XmlTransient
protected String selectedSZRGWServiceURL = null;
+ @XmlTransient
+ protected String saml2PostBindingTemplateURL = null;
+
+ @XmlTransient
+ protected String mandateServiceSelectionTemplateURL = null;
+
/**
+ * @return the saml2PostBindingTemplateURL
+ */
+ public String getSaml2PostBindingTemplateURL() {
+ return saml2PostBindingTemplateURL;
+ }
+
+ /**
+ * @param saml2PostBindingTemplateURL the saml2PostBindingTemplateURL to set
+ */
+ public void setSaml2PostBindingTemplateURL(String saml2PostBindingTemplateURL) {
+ this.saml2PostBindingTemplateURL = saml2PostBindingTemplateURL;
+ }
+
+ /**
+ * @return the mandateServiceSelectionTemplateURL
+ */
+ public String getMandateServiceSelectionTemplateURL() {
+ return mandateServiceSelectionTemplateURL;
+ }
+
+ /**
+ * @param mandateServiceSelectionTemplateURL the mandateServiceSelectionTemplateURL to set
+ */
+ public void setMandateServiceSelectionTemplateURL(String mandateServiceSelectionTemplateURL) {
+ this.mandateServiceSelectionTemplateURL = mandateServiceSelectionTemplateURL;
+ }
+
+ /**
* @return the selectedSZRGWServiceURL
*/
public String getSelectedSZRGWServiceURL() {
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
index 9fc6f799d..dd606ea18 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java
@@ -57,6 +57,8 @@ import java.util.ArrayList;
import java.util.List;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moaspss.logging.LoggingContext;
import at.gv.egovernment.moaspss.logging.LoggingContextManager;
import iaik.pki.jsse.IAIKX509TrustManager;
@@ -72,21 +74,27 @@ import iaik.pki.jsse.IAIKX509TrustManager;
public class MOAIDTrustManager extends IAIKX509TrustManager {
/** an x509Certificate array containing all accepted server certificates*/
- private X509Certificate[] acceptedServerCertificates;
+ private X509Certificate[] acceptedServerCertificates = null;
/**
* Constructor
* @param acceptedServerCertificateStoreURL the url leading to the acceptedServer cert store
* @throws GeneralSecurityException occurs on security errors
* @throws IOException occurs on IO errors
+ * @throws SSLConfigurationException
*/
public MOAIDTrustManager(String acceptedServerCertificateStoreURL)
- throws IOException, GeneralSecurityException {
+ throws IOException, GeneralSecurityException, SSLConfigurationException {
- if (acceptedServerCertificateStoreURL != null)
- buildAcceptedServerCertificates(acceptedServerCertificateStoreURL);
- else
- acceptedServerCertificates = null;
+ if (acceptedServerCertificateStoreURL != null && MiscUtil.isNotEmpty(acceptedServerCertificateStoreURL.trim())) {
+ Logger.info("Initialize SSL-TrustStore with explicit accepted server-certificates");
+ buildAcceptedServerCertificates(acceptedServerCertificateStoreURL);
+
+ } else {
+ Logger.info("Initialize SSL-TrustStore without explicit accepted server-certificates");
+ acceptedServerCertificates = null;
+
+ }
}
@@ -111,26 +119,72 @@ public class MOAIDTrustManager extends IAIKX509TrustManager {
* containing accepted server X509 certificates
* @throws GeneralSecurityException on security errors
* @throws IOException on any IO errors
+ * @throws SSLConfigurationException
*/
private void buildAcceptedServerCertificates(String acceptedServerCertificateStoreURL)
- throws IOException, GeneralSecurityException {
-
+ throws IOException, GeneralSecurityException, SSLConfigurationException {
List<X509Certificate> certList = new ArrayList<X509Certificate>();
URL storeURL = new URL(acceptedServerCertificateStoreURL);
+
+ //check URL to TrustStore
+ if (storeURL.getFile() == null) {
+ Logger.error("Can NOT initialize SSLTrustManager. TrustStore: " + acceptedServerCertificateStoreURL
+ + " is NOT found");
+ throw new SSLConfigurationException("config.29", new Object[]{acceptedServerCertificateStoreURL, "File or Directory NOT found!"});
+
+ }
File storeDir = new File(storeURL.getFile());
- // list certificate files in directory
- File[] certFiles = storeDir.listFiles();
+
+ //check directory and files
+ if (storeDir == null || storeDir.listFiles() == null) {
+ Logger.error("Can NOT initialize SSLTrustManager. TrustStore: " + acceptedServerCertificateStoreURL
+ + " is NOT found");
+ throw new SSLConfigurationException("config.29", new Object[]{acceptedServerCertificateStoreURL, "Files or Directory NOT found!"});
+
+ }
+
+ // list certificate files in directory
+ File[] certFiles = storeDir.listFiles();
for (int i = 0; i < certFiles.length; i++) {
- // for each: create an X509Certificate and store it in list
- File certFile = certFiles[i];
- FileInputStream fis = new FileInputStream(certFile.getPath());
- CertificateFactory certFact = CertificateFactory.getInstance("X.509");
- X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis);
- fis.close();
- certList.add(cert);
+ // for each: create an X509Certificate and store it in list
+ File certFile = certFiles[i];
+ FileInputStream fis = null;
+ try {
+ fis = new FileInputStream(certFile.getPath());
+ CertificateFactory certFact = CertificateFactory.getInstance("X.509");
+ X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis);
+ certList.add(cert);
+
+ } catch (Exception e) {
+ Logger.error("Can NOT initialize SSLTrustManager. Certificate: " + certFile.getPath()
+ + " is not loadable, Reason: " + e.getMessage());
+
+ if (Logger.isDebugEnabled()) {
+ try {
+ if (fis != null)
+ Logger.debug("Certificate: " + Base64Utils.encode(fis));
+
+ } catch (Exception e1) {
+ Logger.warn("Can NOT log content of certificate: " + certFile.getPath()
+ + ". Reason: " + e.getMessage(), e);
+
+ }
+ }
+
+ throw new SSLConfigurationException("config.28", new Object[]{certFile.getPath(), e.getMessage()}, e);
+
+ } finally {
+ if (fis != null)
+ fis.close();
+
+ }
}
+
// store acceptedServerCertificates
acceptedServerCertificates = (X509Certificate[]) certList.toArray(new X509Certificate[0]);
+ Logger.debug("Add #" + acceptedServerCertificates.length
+ + " certificates as 'AcceptedServerCertificates' from: " + acceptedServerCertificateStoreURL );
+
}
/**
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
index 109390132..abf2d211c 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
@@ -49,7 +49,6 @@ package at.gv.egovernment.moa.id.commons.utils.ssl;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
-import java.security.Security;
import java.util.HashMap;
import java.util.Map;
@@ -66,8 +65,6 @@ import at.gv.egovernment.moaspss.logging.LoggingContextManager;
import iaik.pki.DefaultPKIConfiguration;
import iaik.pki.PKIException;
import iaik.pki.PKIFactory;
-//import iaik.pki.jsse.IAIKX509TrustManager;
-import iaik.security.provider.IAIK;
/**
@@ -83,18 +80,18 @@ public class SSLUtils {
/** SSLSocketFactory store, mapping URL->SSLSocketFactory **/
private static Map<String, SSLSocketFactory> sslSocketFactories = new HashMap<String, SSLSocketFactory>();
- /**
- * Initializes the SSLSocketFactory store.
- */
- public static void initialize() {
- sslSocketFactories = new HashMap<String, SSLSocketFactory>();
- // JSSE Abhängigkeit
- //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
- Security.addProvider(new IAIK());
- //System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
-
-
- }
+// /**
+// * Initializes the SSLSocketFactory store.
+// */
+// public static void initialize() {
+// sslSocketFactories = new HashMap<String, SSLSocketFactory>();
+// // JSSE Abhängigkeit
+// //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
+// Security.addProvider(new IAIK());
+// //System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
+//
+//
+// }
/**
* IAIK PKI module and MOA-SIG uses a ThreadLocal variable for logging
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
index 2a4e3b362..1d94e5da0 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
@@ -454,7 +454,6 @@ public interface Constants {
/** URN prefix for context dependent id (stork). */
public static final String URN_PREFIX_STORK = URN_PREFIX + ":storkid";
- //TODO: update to eIDAS prefix
/** URN prefix for context dependent id (eIDAS). */
public static final String URN_PREFIX_EIDAS = URN_PREFIX + ":eidasid";
diff --git a/id/server/moa-id-frontend-resources/pom.xml b/id/server/moa-id-frontend-resources/pom.xml
index 64ebc14b6..342cedac8 100644
--- a/id/server/moa-id-frontend-resources/pom.xml
+++ b/id/server/moa-id-frontend-resources/pom.xml
@@ -29,6 +29,78 @@
<repositoryPath>${basedir}/../../../../repository</repositoryPath>
</properties>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>groovy-maven-plugin</artifactId>
+ <version>1.5</version>
+ <executions>
+ <execution>
+ <phase>generate-resources</phase>
+ <goals>
+ <goal>execute</goal>
+ </goals>
+ <configuration>
+ <source>
+ <![CDATA[
+ println("==== Creating version.txt ====");
+ File mainDir = new File("${basedir}/src/main/resources");
+ if(mainDir.exists() && !mainDir.isDirectory()) {
+ println("Main dir does not exist, wont create version.txt!");
+ return;
+ }
+ File confDir = new File("${basedir}/src/main/resources/mainGUI");
+ if(confDir.exists() && !confDir.isDirectory()) {
+ println("Conf dir is not a directory, wont create version.txt!");
+ return;
+ }
+ if(!confDir.exists()) {
+ confDir.mkdir();
+ }
+ File versionFile = new File("${basedir}/src/main/resources/mainGUI/version.txt");
+ if(versionFile.exists() && versionFile.isDirectory()) {
+ println("Version file exists and is directory! Wont overwrite");
+ return;
+ }
+ if(versionFile.exists() && !versionFile.isDirectory()) {
+ println("Version file already exists, overwriting!");
+ }
+ println("Creating Version File");
+ BufferedWriter writer = new BufferedWriter(new FileWriter(versionFile));
+
+ writer.write("groupId = ${project.groupId}");
+ writer.newLine();
+ writer.write("version = ${project.version}");
+ writer.newLine();
+ writer.write("timestamp = ${maven.build.timestamp}");
+
+ String buildTag = "";
+ String buildNumber = "";
+ String buildId = "";
+ try {
+ buildTag = "${BUILD_TAG}";
+ buildNumber = "${BUILD_NUMBER}";
+ buildId = "${BUILD_ID}";
+
+ writer.write("BUILD_TAG = " + buildTag + "\n");
+ writer.write("BUILD_NUMBER = " + buildNumber + "\n");
+ writer.write("BUILD_ID = " + buildId + "\n");
+
+ } catch (Exception e) {
+ println("============= Could not find BUILD_TAG probably this is not a Jenkins/Hudson build ===========");
+ }
+
+ writer.close();
+ ]]>
+ </source>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+
<dependencies>
<dependency>
<groupId>MOA.id.server</groupId>
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
index 63df81b3c..da38e3bef 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
@@ -39,21 +39,30 @@ import at.gv.egovernment.moa.util.MiscUtil;
* @author tlenz
*
*/
-public class ServiceProviderSpecificGUIFormBuilderConfiguration extends AbstractGUIFormBuilderConfiguration {
+public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration extends AbstractGUIFormBuilderConfiguration {
+ public static final String VIEW_TEMPLATE_MAINGUI_DIRECTORY = "mainGUI/";
+
public static final String VIEW_BKUSELECTION = "loginFormFull.html";
public static final String VIEW_SENDASSERTION = "sendAssertionFormFull.html";
public static final String VIEW_TEMPLATE_CSS = "css_template.css";
- public static final String VIEW_TEMPLATE_JS = "javascript_tempalte.js";
+ public static final String VIEW_TEMPLATE_JS = "javascript_tempalte.js";
+ public static final String VIEW_TEMPLATE_BKUDETECTION_SP_SPECIFIC = "iframeLBKUdetectSPSpecific.html";
+ public static final String VIEW_TEMPLATE_BKUDETECTION_GENERIC = "iframeLBKUdetect.html";
public static final String PARAM_BKU_ONLINE = "bkuOnline";
public static final String PARAM_BKU_HANDY = "bkuHandy";
- public static final String PARAM_BKU_LOCAL = "bkuLocal";
+ public static final String PARAM_BKU_LOCAL = "bkuLocal";
+
+ public static final String PARAM_BKU_URL_HANDY = "bkuURLHandy";
+ public static final String PARAM_BKU_URL_LOCAL = "bkuURLLocal";
+ public static final String PARAM_BKU_URL_THIRD = "bkuURLThird";
public static final String PARAM_OANAME = "OAName";
public static final String PARAM_COUNTRYLIST = "countryList";
- private IRequest pendingReq = null;
+ protected IRequest pendingReq = null;
+ protected String templateClasspahtDir = null;
/**
* @param authURL PublicURLPrefix of the IDP but never null
@@ -61,7 +70,7 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract
* @param formSubmitEndpoint EndPoint on which the form should be submitted,
* or null if the form must not submitted
*/
- public ServiceProviderSpecificGUIFormBuilderConfiguration(String authURL, String viewName,
+ public AbstractServiceProviderSpecificGUIFormBuilderConfiguration(String authURL, String viewName,
String formSubmitEndpoint) {
super(authURL, viewName, formSubmitEndpoint);
@@ -73,7 +82,7 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract
* @param formSubmitEndpoint EndPoint on which the form should be submitted,
* or null if the form must not submitted
*/
- public ServiceProviderSpecificGUIFormBuilderConfiguration(IRequest pendingReq, String viewName,
+ public AbstractServiceProviderSpecificGUIFormBuilderConfiguration(IRequest pendingReq, String viewName,
String formSubmitEndpoint) {
super(pendingReq.getAuthURL(), viewName, formSubmitEndpoint);
this.pendingReq = pendingReq;
@@ -86,7 +95,7 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract
@Override
public Map<String, Object> getSpecificViewParameters() {
Map<String, Object> params = new HashMap<String, Object>();
- params.put(PARAM_BKU_ONLINE, IOAAuthParameters.ONLINEBKU);
+ params.put(PARAM_BKU_ONLINE, IOAAuthParameters.THIRDBKU);
params.put(PARAM_BKU_HANDY, IOAAuthParameters.HANDYBKU);
params.put(PARAM_BKU_LOCAL, IOAAuthParameters.LOCALBKU);
@@ -97,10 +106,23 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract
IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
if (oaParam != null) {
params.put(PARAM_OANAME, oaParam.getFriendlyName());
+
+ //set BKU URLs
+ if (MiscUtil.isNotEmpty(oaParam.getBKUURL(IOAAuthParameters.LOCALBKU)))
+ params.put(PARAM_BKU_URL_LOCAL, oaParam.getBKUURL(IOAAuthParameters.LOCALBKU));
+ else
+ params.put(PARAM_BKU_URL_LOCAL, MOAIDAuthConstants.DEFAULT_BKU_HTTPS);
+ if (MiscUtil.isNotEmpty(oaParam.getBKUURL(IOAAuthParameters.HANDYBKU)))
+ params.put(PARAM_BKU_URL_HANDY, oaParam.getBKUURL(IOAAuthParameters.HANDYBKU));
+ if (MiscUtil.isNotEmpty(oaParam.getBKUURL(IOAAuthParameters.THIRDBKU)))
+ params.put(PARAM_BKU_URL_THIRD, oaParam.getBKUURL(IOAAuthParameters.THIRDBKU));
+ //set eIDAS login information if requird
if (oaParam.isShowStorkLogin())
addCountrySelection(params, oaParam);
+ else
+ params.put(PARAM_COUNTRYLIST, "");
FormBuildUtils.customiceLayoutBKUSelection(params, oaParam);
@@ -150,7 +172,7 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract
*/
@Override
public String getClasspathTemplateDir() {
- return null;
+ return templateClasspahtDir;
}
/* (non-Javadoc)
@@ -183,4 +205,17 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract
return null;
}
+ /**
+ * Set a specific classPath directory for this template configuration.
+ * <br> If the directory is null then the default directory /templates is used.
+ *
+ * @param templateClasspahtDir the templateClasspahtDir to set
+ */
+ public void setTemplateClasspahtDir(String templateClasspahtDir) {
+ this.templateClasspahtDir = templateClasspahtDir;
+ }
+
+
+
+
}
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java
index e8cd60afb..285c90163 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java
@@ -78,24 +78,16 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder {
build(httpResp, config, getInternalContentType(config), loggerName);
}
-
-
+
@Override
public void build(HttpServletResponse httpResp, IGUIBuilderConfiguration config,
String contentType, String loggerName) throws GUIBuildException {
InputStream is = null;
try {
- String viewName = config.getViewName();
+ String viewName = config.getViewName();
+ is = getTemplateInputStream(config);
- //load Tempate
- is = getInternalTemplate(config);
- if (is == null) {
- Logger.warn("No GUI with viewName:" + viewName + " FOUND.");
- throw new GUIBuildException("No GUI with viewName:" + viewName + " FOUND.");
-
- }
-
//build Velocity Context from input paramters
VelocityContext context = buildContextFromViewParams(config.getViewParameters());
@@ -137,6 +129,35 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder {
}
+ /**
+ * Generate a new {@link VelocityContext} and populate it with MOA-ID GUI parameters
+ *
+ * @param config
+ * @return
+ */
+ public VelocityContext generateVelocityContextFromConfiguration(IGUIBuilderConfiguration config) {
+ return buildContextFromViewParams(config.getViewParameters());
+
+ }
+
+ /**
+ * Load the template from different resources
+ *
+ * @param config
+ * @return An {@link InputStream} but never null. The {@link InputStream} had to be closed be the invoking method
+ * @throws GUIBuildException
+ */
+ public InputStream getTemplateInputStream(IGUIBuilderConfiguration config) throws GUIBuildException {
+ InputStream is = getInternalTemplate(config);
+ if (is == null) {
+ Logger.warn("No GUI with viewName:" + config.getViewName() + " FOUND.");
+ throw new GUIBuildException("No GUI with viewName:" + config.getViewName() + " FOUND.");
+
+ }
+ return is;
+
+ }
+
private String getInternalContentType(IGUIBuilderConfiguration config) {
if (MiscUtil.isEmpty(config.getDefaultContentType()))
return DEFAULT_CONTENT_TYPE;
@@ -167,7 +188,7 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder {
} catch (Exception e) {
//load template from classpath as backup
- Logger.info("GUI template:" + viewName + " is not found in configuration directory. "
+ Logger.debug("GUI template:" + viewName + " is not found in configuration directory. "
+ " Load template from project library ... ");
try {
pathLocation = getInternalClasspathTemplateDir(config) + viewName;
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java
index 198220e97..8e8a63094 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java
@@ -64,4 +64,5 @@ public interface IGUIFormBuilder {
*/
void build(HttpServletResponse httpResp, IGUIBuilderConfiguration config, String contentType,
String loggerName) throws GUIBuildException;
+
}
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
new file mode 100644
index 000000000..13d8d3bb7
--- /dev/null
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.frontend.builder;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SPSpecificGUIBuilderConfigurationWithDBLoad extends AbstractServiceProviderSpecificGUIFormBuilderConfiguration {
+
+ /**
+ * @param authURL PublicURLPrefix of the IDP but never null
+ * @param viewName Name of the template (with suffix) but never null
+ * @param formSubmitEndpoint EndPoint on which the form should be submitted,
+ * or null if the form must not submitted
+ */
+ public SPSpecificGUIBuilderConfigurationWithDBLoad(String authURL, String viewName,
+ String formSubmitEndpoint) {
+ super(authURL, viewName, formSubmitEndpoint);
+
+ }
+
+ /**
+ * @param Current processed pending-request DAO but never null
+ * @param viewName Name of the template (with suffix) but never null
+ * @param formSubmitEndpoint EndPoint on which the form should be submitted,
+ * or null if the form must not submitted
+ */
+ public SPSpecificGUIBuilderConfigurationWithDBLoad(IRequest pendingReq, String viewName,
+ String formSubmitEndpoint) {
+ super(pendingReq, viewName, formSubmitEndpoint);
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String)
+ */
+ @Override
+ public InputStream getTemplate(String viewName) {
+ if (pendingReq != null && pendingReq.getOnlineApplicationConfiguration() != null) {
+
+ byte[] oatemplate = null;
+ if (VIEW_BKUSELECTION.equals(viewName))
+ oatemplate = pendingReq.getOnlineApplicationConfiguration().getBKUSelectionTemplate();
+
+ else if (VIEW_SENDASSERTION.equals(viewName))
+ oatemplate = pendingReq.getOnlineApplicationConfiguration().getSendAssertionTemplate();
+
+ // OA specific template requires a size of 8 bits minimum
+ if (oatemplate != null && oatemplate.length > 7)
+ return new ByteArrayInputStream(oatemplate);
+ }
+
+ return null;
+ }
+
+}
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java
new file mode 100644
index 000000000..b5c50004b
--- /dev/null
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java
@@ -0,0 +1,110 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.frontend.builder;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.FileUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SPSpecificGUIBuilderConfigurationWithFileSystemLoad extends AbstractServiceProviderSpecificGUIFormBuilderConfiguration {
+
+ private String configKeyIdentifier = null;
+ private String configRootContextDir = null;
+
+ /**
+ * @param authURL PublicURLPrefix of the IDP but never null
+ * @param viewName Name of the template (with suffix) but never null
+ * @param configKeyIdentifier Identifier of the configuration key in OA configuration that holds the filesystem URI to template
+ * @param formSubmitEndpoint EndPoint on which the form should be submitted
+ * @param configRootContextDir Path to MOA-ID-Auth configuration root directory
+ * or null if the form must not submitted
+ */
+ public SPSpecificGUIBuilderConfigurationWithFileSystemLoad(String authURL, String viewName,
+ String configKeyIdentifier, String formSubmitEndpoint, String configRootContextDir) {
+ super(authURL, viewName, formSubmitEndpoint);
+ this.configKeyIdentifier = configKeyIdentifier;
+ this.configRootContextDir = configRootContextDir;
+
+ }
+
+ /**
+ * @param Current processed pending-request DAO but never null
+ * @param viewName Name of the template (with suffix) but never null
+ * @param configKeyIdentifier Identifier of the configuration key in OA configuration that holds the filesystem URI to template
+ * @param formSubmitEndpoint EndPoint on which the form should be submitted
+ * @param configRootContextDir Path to MOA-ID-Auth configuration root directory
+ */
+ public SPSpecificGUIBuilderConfigurationWithFileSystemLoad(IRequest pendingReq, String viewName,
+ String configKeyIdentifier, String formSubmitEndpoint, String configRootContextDir) {
+ super(pendingReq, viewName, formSubmitEndpoint);
+ this.configKeyIdentifier = configKeyIdentifier;
+ this.configRootContextDir = configRootContextDir;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String)
+ */
+ @Override
+ public InputStream getTemplate(String viewName) {
+ if (pendingReq != null && pendingReq.getOnlineApplicationConfiguration() != null &&
+ configKeyIdentifier != null) {
+ try {
+ String templateURL = pendingReq.getOnlineApplicationConfiguration().getConfigurationValue(configKeyIdentifier);
+ if (MiscUtil.isNotEmpty(templateURL)) {
+ String absURL = FileUtils.makeAbsoluteURL(templateURL, configRootContextDir);
+ if (!absURL.startsWith("file:")) {
+ Logger.warn("GUI template are only loadable from filesystem! "
+ + "(templateURL: " + absURL + ")");
+ return null;
+ }
+
+ Logger.debug("Load template URL for view: " + viewName + " from: " + absURL);
+ URI uri = new URL(absURL).toURI();
+ return new FileInputStream(new File(uri));
+
+ }
+ } catch (FileNotFoundException | URISyntaxException | MalformedURLException e) {
+ Logger.warn("Template for view: " + viewName + " is NOT loadable! -> Switch to default template", e);
+
+ }
+ }
+ Logger.trace("NO ServiceProvider specific template for view: " + viewName + " available");
+ return null;
+ }
+
+}
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
index 54dc9d910..261e19a33 100644
--- a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
+++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
@@ -24,7 +24,7 @@
document.write('</form>');
try {
document.bkudetectform.submit();
- } catch(e) {}
+ } catch(e) {console.log(e)}
}
//-->
</script>
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/index.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/index.html
index 5f7e92321..7fc2b0298 100644
--- a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/index.html
+++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/index.html
@@ -2,7 +2,7 @@
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf8" >
- <title>MOA-ID 3.2.x</title>
+ <title>MOA-ID 3.3.x</title>
<link rel="stylesheet" href="./common/main.css" type="text/css">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='https://fonts.googleapis.com/css?family=Roboto:300,400' rel='stylesheet' type='text/css'>
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/template_thirdBKU.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/template_thirdBKU.html
new file mode 100644
index 000000000..a9932d49d
--- /dev/null
+++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/template_thirdBKU.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="de">
+ <head>
+ <title></title>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+ <script language="javascript" type="text/javascript">
+ function onAnmeldeSubmit() {
+ document.CustomizedForm.submit();
+ document.CustomizedForm.Senden.disabled=true;
+ }
+ </script>
+ </head>
+ <body onLoad="onAnmeldeSubmit()">
+ <form name="CustomizedForm" action="<BKU>" method="post" enctype="multipart/form-data">
+ Falls Sie nicht automatisch weitergeleitet werden klicken Sie bitte hier:
+ <input class="button" type="hidden" value="Starte Anmeldung" name="Senden">
+ <input type="hidden" name="XMLRequest" value="<XMLRequest>">
+ <input type="hidden" name="DataURL" value="<DataURL>">
+ <input type="hidden" name="PushInfobox" value="<PushInfobox>">
+
+ <!-- Angabe der Parameter fuer die Online-BKU -->
+ <input type="hidden" name="appletWidth" value="<APPLETWIDTH>">
+ <input type="hidden" name="appletHeight" value="<APPLETHEIGHT>">
+
+ <!-- [OPTIONAL] Aendern Sie hier die Hintergrundfarbe der Online-BKU -->
+ <input type="hidden" name="appletBackgroundColor" value="<COLOR>">
+ <input type="hidden" name="redirectTarget" value="<REDIRECTTARGET>">
+ </form>
+
+ <form name="CustomizedInfoForm" action="<BKU>" method="post">
+ <input type="hidden" name="XMLRequest" value="<CertInfoXMLRequest>">
+ <input type="hidden" name="DataURL" value="<CertInfoDataURL>">
+ </form>
+ <form name="DummyForm" action="<BKU>" method="post">
+ </form>
+ </body>
+</html>
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/templates/iframeLBKUdetectSPSpecific.html b/id/server/moa-id-frontend-resources/src/main/resources/templates/iframeLBKUdetectSPSpecific.html
new file mode 100644
index 000000000..79a217946
--- /dev/null
+++ b/id/server/moa-id-frontend-resources/src/main/resources/templates/iframeLBKUdetectSPSpecific.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="de">
+<head>
+<title>BKU-Erkennung</title>
+</head>
+<body style="background-color:transparent" onload="parent.setBKUAvailable(false);document.forms[0].submit();">
+ <form name="bkudetectform" method="POST" target="bkudetect" action="$bkuURLLocal" enctype="application/x-www-form-urlencoded">
+ <input type="hidden" name="XMLRequest" value="&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;NullOperationRequest xmlns=&quot;http://www.buergerkarte.at/namespaces/securitylayer/1.2#&quot;/&gt;" />
+ <input type="hidden" name="RedirectURL" value="$contextPath/iframeLBKUdetected.html"/>
+ </form>
+</body>
+</html>
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html b/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html
index 53c4f0d5d..c4da51dc1 100644
--- a/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html
+++ b/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html
@@ -50,8 +50,11 @@
<input type="hidden" name="ccc" id="ccc" />
<input type="hidden" name="pendingid" value="$pendingReqID" />
<input type="submit" value=" Karte " tabindex="4" role="button" onclick="setMandateSelection();">
- </form>
- <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe>
+ </form>
+ <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"></iframe>
+
+ <!-- BKU detection with static template-->
+ <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe-->
</div>
<div id="bkuhandy">
@@ -59,6 +62,7 @@
<input name="bkuButtonHandy" type="button" onClick="bkuHandyClicked();" tabindex="3" role="button" value="HANDY" />
</div>
</div>
+
<!--div id="localBKU">
<form method="get" id="moaidform" action="$contextPath$submitEndpoint"
class="verticalcenter" target="_parent">
@@ -70,7 +74,7 @@
<input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4"
role="button" onclick="setMandateSelection();">
</form>
- <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"><\/iframe>
+ <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection"><\/iframe>
</div-->
<!-- Single Sign-On Session transfer functionality -->
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 9294f3658..0a2371575 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -65,6 +65,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IMISMandate;
import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.util.XMLUtil;
import at.gv.egovernment.moa.logging.Logger;
@@ -192,8 +193,8 @@ public class AuthenticationServer extends BaseAuthenticationServer {
Logger.debug("Non-SSO Login requested or SSO not allowed/possible");
//build ReadInfobox request
infoboxReadRequest = new InfoboxReadRequestBuilder().build(
- oaParam.getBusinessService(), oaParam
- .getIdentityLinkDomainIdentifier());
+ oaParam.hasBaseIdInternalProcessingRestriction(), oaParam
+ .getAreaSpecificTargetIdentifier());
}
@@ -401,9 +402,9 @@ public class AuthenticationServer extends BaseAuthenticationServer {
try {
// sets the extended SAML attributes for OID (Organwalter)
setExtendedSAMLAttributeForMandatesOID(session, mandate, oaParam
- .getBusinessService());
+ .hasBaseIdTransferRestriction());
- validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService());
+ validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.hasBaseIdTransferRestriction());
} catch (SAXException e) {
@@ -523,9 +524,10 @@ public class AuthenticationServer extends BaseAuthenticationServer {
* @return <code>&lt;saml:Assertion&gt;</code> as a String
* @throws BuildException If an error occurs on serializing an extended SAML attribute
* to be appended to the AUTH-Block.
+ * @throws ConfigurationException
*/
private String buildAuthenticationBlock(IAuthenticationSession session,
- IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException {
+ IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException, ConfigurationException {
IIdentityLink identityLink = session.getIdentityLink();
String issuer = identityLink.getName();
@@ -533,12 +535,16 @@ public class AuthenticationServer extends BaseAuthenticationServer {
String identificationValue = null;
String identificationType = null;
+ String identificationTypeFriendlyName = null;
//get processing data from pending-request
String authURL = pendingReq.getAuthURL();
- String requestedTarget = pendingReq.getGenericData(
- MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
- String targetFriendlyName = pendingReq.getGenericData(
+
+ @Deprecated
+ String saml1RequestedTarget = pendingReq.getGenericData(
+ MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
+ @Deprecated
+ String saml1RequestedFriendlyName = pendingReq.getGenericData(
MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class);
@@ -546,45 +552,45 @@ public class AuthenticationServer extends BaseAuthenticationServer {
if (session.isOW() || pendingReq.needSingleSignOnFunctionality() || oaParam.isRemovePBKFromAuthBlock()) {
identificationType = "";
identificationValue = "";
-
+
} else if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
- if (oaParam.getBusinessService()) {
-
- String bpkBase64 = new BPKBuilder().buildWBPK(identityLink
- .getIdentificationValue(), oaParam.getIdentityLinkDomainIdentifier());
- identificationValue = bpkBase64;
-
- if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK + "+"))
- identificationType = oaParam.getIdentityLinkDomainIdentifier();
- else
- identificationType = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier();
-
- } else {
- String bpkBase64 = new BPKBuilder().buildBPK(identityLink
- .getIdentificationValue(), requestedTarget);
- identificationValue = bpkBase64;
- identificationType = Constants.URN_PREFIX_CDID + "+" + requestedTarget;
+ if (MiscUtil.isNotEmpty(saml1RequestedTarget)) {
+ Logger.debug("Build AuthBlock bPK from SAML1 requested target");
+ Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
+ saml1RequestedTarget);
+ identificationValue = calcId.getFirst();
+ identificationType = calcId.getSecond();
+ identificationTypeFriendlyName = saml1RequestedFriendlyName;
+
+ } else {
+ Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
+ oaParam.getAreaSpecificTargetIdentifier());
+ identificationValue = calcId.getFirst();
+ identificationType = calcId.getSecond();
+ identificationTypeFriendlyName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
}
-
} else {
identificationValue = identityLink.getIdentificationValue();
identificationType = identityLink.getIdentificationType();
+ identificationTypeFriendlyName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
}
//set AuthBlock generation time to session
- String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar
- .getInstance());
+ String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar.getInstance());
session.setIssueInstant(issueInstant);
- // Bug #485
- // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
- // String oaURL = session.getPublicOAURLPrefix();
-
+ //load extend attributes
List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+ //load special authblock text patterns for replacement
+ Map<String, String> authBlockTextPatterns = AuthenticationBlockAssertionBuilder.
+ generateSpezialAuthBlockPatternMap(pendingReq, issuer, gebDat, issueInstant);
+
String authBlock = null;
if (pendingReq.needSingleSignOnFunctionality()) {
String oaURL = pendingReq.getAuthURL();
@@ -592,19 +598,20 @@ public class AuthenticationServer extends BaseAuthenticationServer {
oaURL = oaURL.replaceAll("&", "&amp;");
authBlock = new AuthenticationBlockAssertionBuilder()
- .buildAuthBlockSSO(issuer, issueInstant, authURL, requestedTarget,
- targetFriendlyName, identificationValue,
- identificationType, oaURL, gebDat,
- extendedSAMLAttributes, session, oaParam);
-
+ .buildAuthBlockSSO(issuer, issueInstant, authURL,
+ oaURL, gebDat,
+ extendedSAMLAttributes, session, oaParam, authBlockTextPatterns);
} else {
String oaURL = oaParam.getPublicURLPrefix().replaceAll("&", "&amp;");
authBlock = new AuthenticationBlockAssertionBuilder()
- .buildAuthBlock(issuer, issueInstant, authURL, requestedTarget,
- targetFriendlyName, identificationValue,
- identificationType, oaURL, gebDat,
- extendedSAMLAttributes, session, oaParam);
+ .buildAuthBlock(issuer, issueInstant, authURL,
+ identificationValue,
+ identificationType,
+ gebDat,
+ oaURL,
+ identificationTypeFriendlyName,
+ extendedSAMLAttributes, session, oaParam, authBlockTextPatterns);
}
@@ -1062,9 +1069,10 @@ public class AuthenticationServer extends BaseAuthenticationServer {
Element valueBpK = mandatePerson.getOwnerDocument().createElementNS(
Constants.PD_NS_URI, "Value");
- String bpkBase64 = new BPKBuilder().buildBPK(baseid, target);
+ Pair<String, String> targedId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseid, target);
+
valueBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode(
- bpkBase64));
+ targedId.getFirst()));
Element typeBpK = mandatePerson.getOwnerDocument().createElementNS(
Constants.PD_NS_URI, "Type");
typeBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode(
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index ecc91991e..80702795b 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -28,7 +28,11 @@ import java.io.StringWriter;
import java.text.MessageFormat;
import java.text.SimpleDateFormat;
import java.util.Calendar;
+import java.util.HashMap;
+import java.util.Iterator;
import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
import javax.xml.bind.DatatypeConverter;
import javax.xml.transform.Result;
@@ -46,7 +50,9 @@ import org.w3c.dom.Node;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.ParseException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.commons.api.data.ExtendedSAMLAttribute;
import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
@@ -126,6 +132,15 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
public static final int NUM_OF_SAML_ATTRIBUTES = 5;
public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 4;
+ public static final String bPKwbPKNSDECLARATION = " xmlns:pr=\"" + PD_NS_URI + "\"";
+
+ public static final String AUTHBLOCK_TEXT_PATTERN_NAME = "#NAME#";
+ public static final String AUTHBLOCK_TEXT_PATTERN_BIRTHDAY = "#BIRTHDAY#";
+ public static final String AUTHBLOCK_TEXT_PATTERN_DATE = "#DATE#";
+ public static final String AUTHBLOCK_TEXT_PATTERN_TIME = "#TIME#";
+
+ public static final String PENDING_REQ_AUTHBLOCK_TEXT_KEY = "specialAuthBlockTextKeyValueMap";
+
/**
* Constructor for AuthenticationBlockAssertionBuilder.
*/
@@ -133,322 +148,210 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
super();
}
+ public static Map<String, String> generateSpezialAuthBlockPatternMap(IRequest pendingReq, String issuer, String gebDat, String issueInstant) {
+ Map<String, String> result = new HashMap<String, String>();
+
+ //convert issueInstant
+ Calendar datetime = DatatypeConverter.parseDateTime(issueInstant);
+ SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy");
+ SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss");
+
+ //set default values
+ result.put(AUTHBLOCK_TEXT_PATTERN_NAME, issuer);
+ result.put(AUTHBLOCK_TEXT_PATTERN_BIRTHDAY, gebDat);
+ result.put(AUTHBLOCK_TEXT_PATTERN_DATE, dateformat.format(datetime.getTime()));
+ result.put(AUTHBLOCK_TEXT_PATTERN_TIME, timeformat.format(datetime.getTime()));
+
+ //set other values from pendingReq if exists
+ Map<?,?> processSpecificElements = pendingReq.getGenericData(PENDING_REQ_AUTHBLOCK_TEXT_KEY, Map.class);
+ if (processSpecificElements != null && !processSpecificElements.isEmpty()) {
+ Logger.debug("Find process-specific patterns for 'special AuthBlock-Text'. Start processing ...");
+ Iterator<?> mapIterator = processSpecificElements.entrySet().iterator();
+ while (mapIterator.hasNext()) {
+ Object objEl = mapIterator.next();
+ if (objEl instanceof Entry<?, ?>) {
+ try {
+ @SuppressWarnings("unchecked")
+ Entry<String, String> el = (Entry<String, String>) objEl;
+ Logger.trace(" Add pattern-> Key: " + el.getKey() + " Value:" + el.getValue());
+ if (result.containsKey(el.getKey()))
+ Logger.warn(" Can not add pattern: " + el.getKey() + " , because it already exists.");
+ else
+ result.put(el.getKey(), el.getValue());
+
+ } catch (Exception e) {
+ Logger.warn("A pendingReq. specific 'special AuthBlock-Text' element has a suspect type. Ignore it!", e);
+
+ }
+ }
+ }
+ }
+
+ return result;
+ }
+
+
/**
- * Builds the authentication block <code>&lt;saml:Assertion&gt;</code>
- *
- * @param issuer authentication block issuer; <code>"GivenName FamilyName"</code>
- * @param issueInstant current timestamp
- * @param authURL URL of MOA-ID authentication component
- * @param target "Gesch&auml;ftsbereich"; maybe <code>null</code> if the application
- * is a business application
- * @param identityLinkValue the content of the <code>&lt;pr:Value&gt;</code>
- * child element of the <code>&lt;pr:Identification&gt;</code>
- * element derived from the Identitylink; this is the
- * value of the <code>wbPK</code>;
- * maybe <code>null</code> if the application is a public service
- * @param identityLinkType the content of the <code>&lt;pr:Type&gt;</code>
- * child element of the <code>&lt;pr:Identification&gt;</code>
- * element derived from the Identitylink; this includes the
- * URN prefix and the identification number of the business
- * application used as input for wbPK computation;
- * maybe <code>null</code> if the application is a public service
- * @param oaURL public URL of online application requested
- * @param gebDat The date of birth from the identity link.
- * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock.
*
- * @return String representation of authentication block
- * <code>&lt;saml:Assertion&gt;</code> built
- *
- * @throws BuildException If an error occurs on serializing an extended SAML attribute
- * to be appended to the AUTH-Block.
+ * @param issuer
+ * @param issueInstant
+ * @param authURL
+ * @param sectorSpecificUniqueId
+ * @param sectorSpecificUniqueIdType
+ * @param gebDat
+ * @param oaURL
+ * @param spTargetAreaFriendlyName
+ * @param extendedSAMLAttributes
+ * @param session
+ * @param oaParam
+ * @return
+ * @throws BuildException
+ * @throws ConfigurationException
*/
public String buildAuthBlock(
String issuer,
String issueInstant,
- String authURL,
- String target,
- String targetFriendlyName,
- String identityLinkValue,
- String identityLinkType,
- String oaURL,
- String gebDat,
+ String authURL,
+ String sectorSpecificUniqueId,
+ String sectorSpecificUniqueIdType,
+ String gebDat,
+ String oaURL,
+ String spTargetAreaFriendlyName,
List<ExtendedSAMLAttribute> extendedSAMLAttributes,
IAuthenticationSession session,
- IOAAuthParameters oaParam)
- throws BuildException
-
- {
- session.setSAMLAttributeGebeORwbpk(true);
- String gebeORwbpk = "";
- String wbpkNSDeclaration = "";
-
- if (target == null) {
-
- // OA is a business application
- if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) {
- // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator
- gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
- wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
+ IOAAuthParameters oaParam,
+ Map<String, String> specialAuthBlockTextPatterns)
+ throws BuildException, ConfigurationException {
+
+ //initialize state
+ session.setSAMLAttributeGebeORwbpk(true);
+ String usedwbPKbPKNamespaceDeclaration = org.apache.commons.lang3.StringUtils.EMPTY;
+ String publicSectorIdOrwbPK = org.apache.commons.lang3.StringUtils.EMPTY;
+
+
+ if (!sectorSpecificUniqueIdType.startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+ //service provider has not an sector Id from Austrian public-domain --> build AuthBlock like a wbPK
+
+ if (!Constants.URN_PREFIX_HPI.equals(sectorSpecificUniqueIdType)) {
+ //Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator
+ publicSectorIdOrwbPK = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] {sectorSpecificUniqueId, sectorSpecificUniqueIdType});
+ usedwbPKbPKNamespaceDeclaration = bPKwbPKNSDECLARATION;
- //adding type of wbPK domain identifier
- ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute =
- new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+ //adding type of wbPK domain identifier
+ ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute =
+ new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", spTargetAreaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
- extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute);
+ extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute);
- } else {
- // We do not have a wbPK, therefore no SAML-Attribute is provided
- session.setSAMLAttributeGebeORwbpk(false);
- }
+ } else {
+ // We do not have a wbPK, therefore no SAML-Attribute is provided
+ session.setSAMLAttributeGebeORwbpk(false);
+
+ }
+ } else {
+ // OA is a govermental application
+
+ //convert sector identifier into friendly name and add it to AuthBlock
+ String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(sectorSpecificUniqueIdType);
+ if (StringUtils.isEmpty(sectorName)) {
+ if (spTargetAreaFriendlyName != null)
+ sectorName = spTargetAreaFriendlyName;
+
+ }
+ publicSectorIdOrwbPK = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE,
+ new Object[] {sectorSpecificUniqueIdType.substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")" });
- } else {
- // OA is a govermental application
- String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
- if (StringUtils.isEmpty(sectorName)) {
- if (targetFriendlyName != null)
- sectorName = targetFriendlyName;
- }
-
-
- //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
- gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" });
-
- //no business service, adding bPK
- if (identityLinkValue != null) {
- Element bpkSamlValueElement;
- try {
- bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
- } catch (Exception e) {
- Logger.error("Error on building AUTH-Block: " + e.getMessage());
- throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
- }
-
- // String s = xmlToString(bpkSamlValueElement);
- // System.out.println("bpkSamlValueElement: " + s);
-
- ExtendedSAMLAttribute bpkAttribute =
- new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
- extendedSAMLAttributes.add(bpkAttribute);
- }
-
- boolean useMandate = session.isMandateUsed();
- if (useMandate) {
- //String mandateReferenceValue = Random.nextRandom();
- String mandateReferenceValue = Random.nextProcessReferenceValue();
- // remove leading "-"
- if (mandateReferenceValue.startsWith("-"))
- mandateReferenceValue = mandateReferenceValue.substring(1);
-
- session.setMandateReferenceValue(mandateReferenceValue);
-
- ExtendedSAMLAttribute mandateReferenceValueAttribute =
- new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
-
- extendedSAMLAttributes.add(mandateReferenceValueAttribute);
- }
-
-
-
- //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
- wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
- }
-
- //adding friendly name of OA
- String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName();
-
- ExtendedSAMLAttribute oaFriendlyNameAttribute =
- new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-
- extendedSAMLAttributes.add(oaFriendlyNameAttribute);
+ //add bPK to AuthBlock if it is not empty
+ if (MiscUtil.isNotEmpty(sectorSpecificUniqueId)) {
+ Element bpkSamlValueElement;
+ try {
+ bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { sectorSpecificUniqueId, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
+
+ } catch (Exception e) {
+ Logger.error("Error on building AUTH-Block: " + e.getMessage());
+ throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
+
+ }
+
+ ExtendedSAMLAttribute bpkAttribute =
+ new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+ extendedSAMLAttributes.add(bpkAttribute);
+ }
+
+ usedwbPKbPKNamespaceDeclaration = bPKwbPKNSDECLARATION;
+ }
+ //check if mandates should be used
+ if (session.isMandateUsed()) {
+
+ //generate mandate reference value
+ String mandateReferenceValue = Random.nextProcessReferenceValue();
+ session.setMandateReferenceValue(mandateReferenceValue);
+
+ ExtendedSAMLAttribute mandateReferenceValueAttribute =
+ new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
+
+ extendedSAMLAttributes.add(mandateReferenceValueAttribute);
+ }
+
+ //adding friendly name of OA
+ String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName();
+ ExtendedSAMLAttribute oaFriendlyNameAttribute =
+ new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+ extendedSAMLAttributes.add(oaFriendlyNameAttribute);
- String text = "";
- if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
- Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
- text = oaParam.getAditionalAuthBlockText();
- }
- String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
- new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) });
+ //generate special AuthBlock text
+ String text = "";
+ if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
+ Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
+ text = oaParam.getAditionalAuthBlockText();
+ }
+ String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
+ new Object[] { generateSpecialText(text, specialAuthBlockTextPatterns) });
- //generate unique AuthBlock tokken
- String uniquetokken = Random.nextRandom();
- session.setAuthBlockTokken(uniquetokken);
+
+ //generate unique AuthBlock tokken
+ String uniquetokken = Random.nextProcessReferenceValue();
+ session.setAuthBlockTokken(uniquetokken);
String assertion;
try {
assertion = MessageFormat.format(
AUTH_BLOCK, new Object[] {
- wbpkNSDeclaration,
+ usedwbPKbPKNamespaceDeclaration,
issuer,
issueInstant,
authURL,
- gebeORwbpk,
+ publicSectorIdOrwbPK,
oaURL,
gebDat,
specialText,
- MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE,
- new Object[] { uniquetokken }),
+ MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, new Object[] {uniquetokken}),
buildExtendedSAMLAttributes(extendedSAMLAttributes)});
- } catch (ParseException e) {
- Logger.error("Error on building AUTH-Block: " + e.getMessage());
- throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
- }
-
- return assertion;
-
- }
-
- /**
- * Builds the authentication block <code>&lt;saml:Assertion&gt;</code>
- *
- * @param issuer authentication block issuer; <code>"GivenName FamilyName"</code>
- * @param issueInstant current timestamp
- * @param authURL URL of MOA-ID authentication component
- * @param target "Gesch&auml;ftsbereich"; maybe <code>null</code> if the application
- * is a business application
- * @param identityLinkValue the content of the <code>&lt;pr:Value&gt;</code>
- * child element of the <code>&lt;pr:Identification&gt;</code>
- * element derived from the Identitylink; this is the
- * value of the <code>wbPK</code>;
- * maybe <code>null</code> if the application is a public service
- * @param identityLinkType the content of the <code>&lt;pr:Type&gt;</code>
- * child element of the <code>&lt;pr:Identification&gt;</code>
- * element derived from the Identitylink; this includes the
- * URN prefix and the identification number of the business
- * application used as input for wbPK computation;
- * maybe <code>null</code> if the application is a public service
- * @param oaURL public URL of online application requested
- * @param gebDat The date of birth from the identity link.
- * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock.
- *
- * @return String representation of authentication block
- * <code>&lt;saml:Assertion&gt;</code> built
- *
- * @throws BuildException If an error occurs on serializing an extended SAML attribute
- * to be appended to the AUTH-Block.
- */
- public String buildAuthBlockForeignID(
- String issuer,
- String issueInstant,
- String authURL,
- String target,
- String identityLinkValue,
- String identityLinkType,
- String oaURL,
- String gebDat,
- List<ExtendedSAMLAttribute> extendedSAMLAttributes,
- IAuthenticationSession session,
- IOAAuthParameters oaParam)
- throws BuildException
- {
- session.setSAMLAttributeGebeORwbpk(true);
- String gebeORwbpk = "";
- String wbpkNSDeclaration = "";
-
- if (target == null) {
- // OA is a business application
- if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) {
- // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator
- gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
- wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
-
- //BZ.., adding type of wbPK domain identifier
- ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute =
- new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-
- extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute);
- //..BZ
-
- } else {
- // We do not have a wbPK, therefore no SAML-Attribute is provided
- session.setSAMLAttributeGebeORwbpk(false);
- }
- } else {
- // OA is a govermental application
- //BZ..
- String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
- //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
- gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" });
- //..BZ
-
- //BZ.., no business service, adding bPK
- Element bpkSamlValueElement;
- try {
- bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
- } catch (Exception e) {
- Logger.error("Error on building AUTH-Block: " + e.getMessage());
- throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
- }
-
- ExtendedSAMLAttribute bpkAttribute =
- new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-
- extendedSAMLAttributes.add(bpkAttribute);
- //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
- wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
- //..BZ
- }
-
- //BZ.., adding friendly name of OA
- String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName();
-
- ExtendedSAMLAttribute oaFriendlyNameAttribute =
- new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-
- extendedSAMLAttributes.add(oaFriendlyNameAttribute);
- //..BZ
-
- String text = "";
- if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
- Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
- text = oaParam.getAditionalAuthBlockText();
- }
-
- String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
- new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) });
-
- //generate unique AuthBlock tokken
- String uniquetokken = Random.nextRandom();
- session.setAuthBlockTokken(uniquetokken);
-
- String assertion;
- try {
- assertion = MessageFormat.format(
- AUTH_BLOCK, new Object[] {
- wbpkNSDeclaration,
- issuer,
- issueInstant,
- authURL,
- gebeORwbpk,
- oaURL,
- gebDat,
- specialText,
- MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE,
- new Object[] { uniquetokken }),
- buildExtendedSAMLAttributes(extendedSAMLAttributes)});
} catch (ParseException e) {
Logger.error("Error on building AUTH-Block: " + e.getMessage());
throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
+
}
return assertion;
}
- public static String generateSpecialText(String inputtext, String issuer, String gebDat, String issueInstant) {
- Calendar datetime = DatatypeConverter.parseDateTime(issueInstant);
- SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy");
- SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss");
-
- String text = inputtext.replaceAll("#NAME#", issuer);
- text = text.replaceAll("#BIRTHDAY#", gebDat);
- text = text.replaceAll("#DATE#", dateformat.format(datetime.getTime()));
- text = text.replaceAll("#TIME#", timeformat.format(datetime.getTime()));
-
- return text;
+ public static String generateSpecialText(String inputtext, Map<String, String> specialAuthBlockTextPatterns) {
+ Iterator<Entry<String, String>> it = specialAuthBlockTextPatterns.entrySet().iterator();
+ String text = inputtext;
+ while (it.hasNext()) {
+ Entry<String, String> el = it.next();
+ text = text.replaceAll(el.getKey(), el.getValue());
+
+ }
+
+ return text;
+
}
public static String xmlToString(Node node) {
@@ -472,65 +375,52 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
String issuer,
String issueInstant,
String authURL,
- String target,
- String targetFriendlyName,
- String identityLinkValue,
- String identityLinkType,
String oaURL,
String gebDat,
List<ExtendedSAMLAttribute> extendedSAMLAttributes,
IAuthenticationSession session,
- IOAAuthParameters oaParam)
+ IOAAuthParameters oaParam,
+ Map<String, String> specialAuthBlockTextPatterns)
throws BuildException
{
session.setSAMLAttributeGebeORwbpk(true);
String gebeORwbpk = "";
String wbpkNSDeclaration = "";
-
- if (target != null) {
-
- boolean useMandate = session.isMandateUsed();
- if (useMandate) {
- //String mandateReferenceValue = Random.nextRandom();
- String mandateReferenceValue = Random.nextProcessReferenceValue();
- // remove leading "-"
- if (mandateReferenceValue.startsWith("-"))
- mandateReferenceValue = mandateReferenceValue.substring(1);
-
- session.setMandateReferenceValue(mandateReferenceValue);
+
+ //add mandate reference-value if mandates are used
+ if (session.isMandateUsed()) {
+ String mandateReferenceValue = Random.nextProcessReferenceValue();
+ session.setMandateReferenceValue(mandateReferenceValue);
- ExtendedSAMLAttribute mandateReferenceValueAttribute =
- new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
+ ExtendedSAMLAttribute mandateReferenceValueAttribute =
+ new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
- extendedSAMLAttributes.add(mandateReferenceValueAttribute);
- }
+ extendedSAMLAttributes.add(mandateReferenceValueAttribute);
}
+
//adding friendly name of OA
String friendlyname;
try {
- friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName();
-
- ExtendedSAMLAttribute oaFriendlyNameAttribute =
- new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-
- extendedSAMLAttributes.add(oaFriendlyNameAttribute);
-
-
- String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
+ friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName();
+ ExtendedSAMLAttribute oaFriendlyNameAttribute =
+ new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+ extendedSAMLAttributes.add(oaFriendlyNameAttribute);
+
+ //generate special AuthBlock text
+ String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
if (MiscUtil.isEmpty(text))
text="";
String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
- new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) });
+ new Object[] { generateSpecialText(text, specialAuthBlockTextPatterns) });
+
//generate unique AuthBlock tokken
- String uniquetokken = Random.nextRandom();
+ String uniquetokken = Random.nextProcessReferenceValue();
session.setAuthBlockTokken(uniquetokken);
- String assertion;
-
- assertion = MessageFormat.format(
+ String assertion = MessageFormat.format(
AUTH_BLOCK, new Object[] {
wbpkNSDeclaration,
issuer,
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
index 608f50200..88a235978 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
@@ -120,12 +120,11 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
//get Target from config or from request in case of SAML 1
String target = null;
- if (MiscUtil.isNotEmpty(pendingReq.getGenericData("target", String.class)) &&
+ if (MiscUtil.isNotEmpty(pendingReq.getGenericData("saml1_target", String.class)) &&
pendingReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol"))
- target = pendingReq.getGenericData("target", String.class);
- else
- target = oaParam.getTarget();
-
+ target = pendingReq.getGenericData("saml1_target", String.class);
+
+
String bkuURL = oaParam.getBKUURL(bkuid);
if (MiscUtil.isEmpty(bkuURL)) {
Logger.info("No OA specific BKU defined. Use BKU from default configuration");
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
index 975dec429..d2fd4d1de 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
@@ -35,7 +35,6 @@ import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
@@ -100,14 +99,7 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask {
byte[] authBlock = moasession.getAuthBlock().getBytes("UTF-8");
//TODO: check in case of SSO!!!
- String targetType = null;
- if(oaParam.getBusinessService()){
- targetType = oaParam.getIdentityLinkDomainIdentifier();
-
- } else {
- targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
-
- }
+ String targetType = oaParam.getAreaSpecificTargetIdentifier();
revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(),
pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATE_SERVICE_REQUESTED, mandateReferenceValue);
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java
index a09f0a2a8..602914229 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java
@@ -46,10 +46,16 @@
package at.gv.egovernment.moa.id.auth.parser;
+import java.io.IOException;
+
+import javax.xml.transform.TransformerException;
+
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import at.gv.egovernment.moa.id.auth.exception.ParseException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.util.DOMUtils;
/**
* Parses an <code>&lt;ErrorResponse&gt;</code>.
@@ -84,15 +90,30 @@ public class ErrorResponseParser {
*/
public ErrorResponseParser(Element errorElement) throws ParseException {
if (errorElement != null) {
- String namespace = errorElement.getNamespaceURI();
- NodeList nl = errorElement.getElementsByTagNameNS(namespace, "ErrorCode");
- if (nl.getLength() == 1) {
- errorCode_ = ((Element)nl.item(0)).getFirstChild().getNodeValue();
- }
- nl = errorElement.getElementsByTagNameNS(namespace, "Info");
- if (nl.getLength() == 1) {
- errorInfo_ = ((Element)nl.item(0)).getFirstChild().getNodeValue();
- }
+ try {
+ String namespace = errorElement.getNamespaceURI();
+ NodeList nl = errorElement.getElementsByTagNameNS(namespace, "ErrorCode");
+ if (nl.getLength() == 1) {
+ errorCode_ = ((Element)nl.item(0)).getFirstChild().getNodeValue();
+ }
+ nl = errorElement.getElementsByTagNameNS(namespace, "Info");
+ if (nl.getLength() == 1 && ((Element)nl.item(0)).getFirstChild() != null) {
+ errorInfo_ = ((Element)nl.item(0)).getFirstChild().getNodeValue();
+
+ }
+ } catch ( Exception e) {
+ try {
+ if (Logger.isDebugEnabled())
+ Logger.warn("Can not extract error code from BKU response. Full-response: " + DOMUtils.serializeNode(errorElement), e) ;
+ else
+ Logger.warn("Can not extract error code from BKU response. Exception: " + e.getMessage()) ;
+
+ } catch (TransformerException | IOException e1) {
+ Logger.warn("Can not extract error code from BKU response.", e);
+ Logger.warn("Can not serialize error response.", e1);
+
+ }
+ }
}
}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java
index 275a85129..154092b03 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java
@@ -150,6 +150,7 @@ public class InfoboxReadResponseParser {
if ("InfoboxReadResponse".equals(responseElem.getLocalName())) {
infoBoxElem_ = responseElem;
+
} else {
ErrorResponseParser erp = new ErrorResponseParser(responseElem);
throw new BKUException("auth.08",
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index a227ab5be..da96bfe54 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -57,8 +57,10 @@ import org.jaxen.SimpleNamespaceContext;
import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder;
+import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.ValidateException;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
@@ -69,6 +71,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -128,42 +131,46 @@ public class CreateXMLSignatureResponseValidator {
* @param session
* @param pendingReq
* @throws ValidateException
+ * @throws BuildException
+ * @throws ConfigurationException
*/
public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq)
- throws ValidateException {
+ throws ValidateException, BuildException, ConfigurationException {
// A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
-
- String gbTarget = pendingReq.getGenericData(
- MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
- String targetFriendlyName = pendingReq.getGenericData(
- MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class);
String oaURL = oaParam.getPublicURLPrefix();
- boolean businessService = oaParam.getBusinessService();
-
IIdentityLink identityLink = session.getIdentityLink();
+ @Deprecated
+ String saml1RequestedTarget = pendingReq.getGenericData(
+ MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
+ @Deprecated
+ String saml1RequestedFriendlyName = pendingReq.getGenericData(
+ MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class);
+
+
Element samlAssertion = createXMLSignatureResponse.getSamlAssertion();
+
+ //validate issuer
String issuer = samlAssertion.getAttribute("Issuer");
if (issuer == null) {
// should not happen, because parser would dedect this
throw new ValidateException("validator.32", null);
}
// replace ' in name with &#39;
- issuer = issuer.replaceAll("'", "&#39;");
+ issuer = issuer.replaceAll("'", "&#39;");
+ if (!issuer.equals(identityLink.getName()))
+ throw new ValidateException("validator.33", new Object[] {issuer, identityLink.getName()});
+
+ //validate issuerInstant
String issueInstant = samlAssertion.getAttribute("IssueInstant");
- if (!issueInstant.equals(session.getIssueInstant())) {
- throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
- }
+ if (!issueInstant.equals(session.getIssueInstant()))
+ throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
- String name = identityLink.getName();
- if (!issuer.equals(name)) {
- throw new ValidateException("validator.33", new Object[] {issuer, name});
- }
-
+ //validate extended attributes
SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
boolean foundOA = false;
@@ -171,241 +178,253 @@ public class CreateXMLSignatureResponseValidator {
boolean foundWBPK = false;
int offset = 0;
- // check number of SAML aatributes
+ // check number of SAML attributes
List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
int extendedSAMLAttributesNum = 0;
if (extendedSAMLAttributes != null) {
- extendedSAMLAttributesNum = extendedSAMLAttributes.size();
+ extendedSAMLAttributesNum = extendedSAMLAttributes.size();
}
- int expectedSAMLAttributeNumber =
- AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum;
+ int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum;
+
+ //remove one attribute from expected attributes if public SP target or wbPK is not part of AuthBlock
if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
+
+ //check number of attributes in AuthBlock response against expected number of attributes
int actualSAMLAttributeNumber = samlAttributes.length;
if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
- Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
- expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
- throw new ValidateException(
- "validator.36",
- new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
+ Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
+ expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
+ throw new ValidateException("validator.36",
+ new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
+
}
- SAMLAttribute samlAttribute;
- if (session.getSAMLAttributeGebeORwbpk()) {
- // check the first attribute ("Geschaeftsbereich" or "wbPK")
- samlAttribute = samlAttributes[0];
- if (businessService) {
- if (!samlAttribute.getName().equals("wbPK")) {
- if (samlAttribute.getName().equals("Geschaeftsbereich")) {
- throw new ValidateException("validator.26", null);
- } else {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
- }
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundWBPK = true;
- try {
- Element attrValue = (Element)samlAttribute.getValue();
- String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
- String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
- if (!value.equals(identityLink.getIdentificationValue())) {
- throw new ValidateException("validator.28", null);
- }
- if (!type.equals(identityLink.getIdentificationType())) {
- throw new ValidateException("validator.28", null);
- }
- } catch (Exception ex) {
- throw new ValidateException("validator.29", null);
- }
- } else {
- throw new ValidateException("validator.30", null);
- }
- } else {
- if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
- if (samlAttribute.getName().equals("wbPK")) {
- throw new ValidateException("validator.26", null);
- } else {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
- }
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundGB = true;
- String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(gbTarget);
- if (StringUtils.isEmpty(sectorName)) {
- if (targetFriendlyName != null)
- sectorName = targetFriendlyName;
- }
- gbTarget = gbTarget + " (" + sectorName + ")";
- //gbTarget = gbTarget + " (" + TargetToSectorNameMapper.getSectorNameViaTarget(gbTarget) + ")";
+ //now check every single attribute
+ SAMLAttribute samlAttribute = null;
+ Pair<String, String> userSectorId = null;
+ if (session.getSAMLAttributeGebeORwbpk()) {
+ //check the first attribute ("Geschaeftsbereich" or "wbPK")
+ samlAttribute = samlAttributes[0];
+
+ //calculate bPK or wbPK as reference value for validation
+ if (MiscUtil.isNotEmpty(saml1RequestedTarget))
+ userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
+ saml1RequestedTarget);
+ else
+ userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
+ oaParam.getAreaSpecificTargetIdentifier());
+
+ //every sector specific identifier that has not 'urn:publicid:gv.at:cdid+' as prefix
+ // is internally handled as an AuthBlock with wbPK
+ if (!userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+ if (!samlAttribute.getName().equals("wbPK")) {
+ if (samlAttribute.getName().equals("Geschaeftsbereich")) {
+ throw new ValidateException("validator.26", null);
+
+ } else {
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
+ }
+ }
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundWBPK = true;
+ try {
+ Element attrValue = (Element)samlAttribute.getValue();
+ String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
+ String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
+ if (!value.equals(userSectorId.getFirst()))
+ throw new ValidateException("validator.28", null);
- if (!gbTarget.equals((String)samlAttribute.getValue())) {
- throw new ValidateException("validator.13", null);
- }
- } else {
- throw new ValidateException("validator.12", null);
- }
- }
- } else {
- offset--;
- }
+ if (!type.equals(userSectorId.getSecond()))
+ throw new ValidateException("validator.28", null);
+
+ } catch (Exception ex) {
+ throw new ValidateException("validator.29", null);
+ }
+
+ } else
+ throw new ValidateException("validator.30", null);
+
+ } else {
+ if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
+ if (samlAttribute.getName().equals("wbPK"))
+ throw new ValidateException("validator.26", null);
+
+ else
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
+ }
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundGB = true;
+
+ String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(userSectorId.getSecond());
+ if (StringUtils.isEmpty(sectorName)) {
+ if (saml1RequestedFriendlyName != null)
+ sectorName = saml1RequestedFriendlyName;
+ else
+ sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+ }
+
+ String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
+ if (!refValueSector.equals((String)samlAttribute.getValue()))
+ throw new ValidateException("validator.13", null);
+
+ } else
+ throw new ValidateException("validator.12", null);
+
+ }
+
+ } else
+ //check nothing if wbPK or public SP target is not part of AuthBlock
+ offset--;
+
+ // check the second attribute (must be "OA")
+ samlAttribute = samlAttributes[1 + offset];
+ if (!samlAttribute.getName().equals("OA"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundOA = true;
+ if (!oaURL.equals((String)samlAttribute.getValue()))
+ throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
+
+ } else
+ throw new ValidateException("validator.15", null);
- // check the second attribute (must be "OA")
- samlAttribute = samlAttributes[1 + offset];
- if (!samlAttribute.getName().equals("OA")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundOA = true;
- if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch
- throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
- }
- } else {
- throw new ValidateException("validator.15", null);
- }
- // check the third attribute (must be "Geburtsdatum")
- samlAttribute = samlAttributes[2 + offset];
- if (!samlAttribute.getName().equals("Geburtsdatum")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String samlDateOfBirth = (String)samlAttribute.getValue();
- String dateOfBirth = identityLink.getDateOfBirth();
- if (!samlDateOfBirth.equals(dateOfBirth)) {
- throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
- }
- } else {
- throw new ValidateException("validator.35", null);
- }
+ // check the third attribute (must be "Geburtsdatum")
+ samlAttribute = samlAttributes[2 + offset];
+ if (!samlAttribute.getName().equals("Geburtsdatum"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlDateOfBirth = (String)samlAttribute.getValue();
+ String dateOfBirth = identityLink.getDateOfBirth();
+ if (!samlDateOfBirth.equals(dateOfBirth))
+ throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
+
+ } else
+ throw new ValidateException("validator.35", null);
- // check four attribute could be a special text
- samlAttribute = samlAttributes[3 + offset];
- if (!samlAttribute.getName().equals("SpecialText")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String samlSpecialText = (String)samlAttribute.getValue();
- samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
+ // check four attribute could be a special text
+ samlAttribute = samlAttributes[3 + offset];
+ if (!samlAttribute.getName().equals("SpecialText"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlSpecialText = (String)samlAttribute.getValue();
+ samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
- String text = "";
- if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
- Logger.info("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
- text = oaParam.getAditionalAuthBlockText();
- }
+ String text = "";
+ if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
+ Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
+ text = oaParam.getAditionalAuthBlockText();
+
+ }
- String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant);
- if (!samlSpecialText.equals(specialText)) {
- throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
- }
- } else {
- throw new ValidateException("validator.35", null);
+ String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text,
+ AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
+ pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
+ if (!samlSpecialText.equals(specialText))
+ throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
+
+ } else
+ throw new ValidateException("validator.35", null);
- }
-
-
- //check unique AuthBlock tokken
- samlAttribute = samlAttributes[4 + offset];
- if (!samlAttribute.getName().equals("UniqueTokken")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String uniquetokken = (String)samlAttribute.getValue();
+
+ //check unique AuthBlock tokken
+ samlAttribute = samlAttributes[4 + offset];
+ if (!samlAttribute.getName().equals("UniqueTokken"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String uniquetokken = (String)samlAttribute.getValue();
- if (!uniquetokken.equals(session.getAuthBlockTokken())) {
- throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
- }
- } else {
- throw new ValidateException("validator.35", null);
- }
-
-
- // now check the extended SAML attributes
- int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
- if (extendedSAMLAttributes != null) {
- Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
- while (it.hasNext()) {
- ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
- samlAttribute = samlAttributes[i];
- String actualName = samlAttribute.getName();
- String expectedName = extendedSAMLAttribute.getName();
- if (!actualName.equals(expectedName)) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
- }
- String actualNamespace = samlAttribute.getNamespace();
- String expectedNamespace = extendedSAMLAttribute.getNameSpace();
- if (!actualNamespace.equals(expectedNamespace)) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
- }
- Object expectedValue = extendedSAMLAttribute.getValue();
- Object actualValue = samlAttribute.getValue();
- try {
- if (expectedValue instanceof String) {
- // replace \r\n because text might be base64-encoded
- String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
- expValue = StringUtils.replaceAll(expValue,"\n","");
- String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
- actValue = StringUtils.replaceAll(actValue,"\n","");
- if (!expValue.equals(actValue)) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
- }
- } else if (expectedValue instanceof Element) {
- // only check the name of the element
- String actualElementName = ((Element)actualValue).getNodeName();
- String expectedElementName = ((Element)expectedValue).getNodeName();
- if (!(expectedElementName.equals(actualElementName))){
- throw new ValidateException(
- "validator.38",
- new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
- }
- } else {
- // should not happen
- throw new ValidateException(
- "validator.38",
- new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
- }
- } catch (ClassCastException e) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
- }
- i++;
- }
- }
-
+ if (!uniquetokken.equals(session.getAuthBlockTokken()))
+ throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+ } else
+ throw new ValidateException("validator.35", null);
- if (!foundOA) throw new ValidateException("validator.14", null);
- if (businessService) {
- if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) throw new ValidateException("validator.31", null);
- } else {
- if (!foundGB) throw new ValidateException("validator.11", null);
- }
+
+ // now check the extended SAML attributes
+ int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
+ if (extendedSAMLAttributes != null) {
+ Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
+ while (it.hasNext()) {
+ ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
+ samlAttribute = samlAttributes[i];
+ String actualName = samlAttribute.getName();
+ String expectedName = extendedSAMLAttribute.getName();
+ if (!actualName.equals(expectedName))
+ throw new ValidateException("validator.38",
+ new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
+
+ String actualNamespace = samlAttribute.getNamespace();
+ String expectedNamespace = extendedSAMLAttribute.getNameSpace();
+ if (!actualNamespace.equals(expectedNamespace))
+ throw new ValidateException("validator.38",
+ new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
+
+ Object expectedValue = extendedSAMLAttribute.getValue();
+ Object actualValue = samlAttribute.getValue();
+ try {
+ if (expectedValue instanceof String) {
+ // replace \r\n because text might be base64-encoded
+ String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
+ expValue = StringUtils.replaceAll(expValue,"\n","");
+ String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
+ actValue = StringUtils.replaceAll(actValue,"\n","");
+ if (!expValue.equals(actValue))
+ throw new ValidateException("validator.38",
+ new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
+
+ } else if (expectedValue instanceof Element) {
+ // only check the name of the element
+ String actualElementName = ((Element)actualValue).getNodeName();
+ String expectedElementName = ((Element)expectedValue).getNodeName();
+ if (!(expectedElementName.equals(actualElementName)))
+ throw new ValidateException("validator.38",
+ new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
+
+ } else
+ // should not happen
+ throw new ValidateException("validator.38",
+ new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
+
+ } catch (ClassCastException e) {
+ throw new ValidateException("validator.38",
+ new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
+ }
+
+ i++;
+ }
+ }
+
+ if (!foundOA)
+ throw new ValidateException("validator.14", null);
+
+ if (userSectorId != null && !userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+ if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK)
+ throw new ValidateException("validator.31", null);
+
+ } else {
+ if (!foundGB)
+ throw new ValidateException("validator.11", null);
+ }
- //Check if dsig:Signature exists
-// NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
-// if (nl.getLength() != 1) {
-// throw new ValidateException("validator.05", null);
-// }
- Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
- if (dsigSignature == null) {
- throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
- }
+ //Check if dsig:Signature exists
+ Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
+ if (dsigSignature == null)
+ throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
+
}
/**
@@ -521,7 +540,7 @@ public class CreateXMLSignatureResponseValidator {
try {
if (MiscUtil.isNotEmpty(AuthConfigurationProviderFactory.getInstance().getSSOSpecialText())) {
text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
- Logger.info("Use addional AuthBlock Text from SSO=" +text);
+ Logger.debug("Use addional AuthBlock Text from SSO=" +text);
}
else
@@ -531,7 +550,9 @@ public class CreateXMLSignatureResponseValidator {
}
- String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant);
+ String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text,
+ AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
+ pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
if (!samlSpecialText.equals(specialText)) {
throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 4953dad02..c4ea80df9 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -183,7 +183,7 @@ public class VerifyXMLSignatureResponseValidator {
// to be ignored
boolean ignoreManifestValidationResult = false;
if (whatToCheck.equals(CHECK_IDENTITY_LINK))
- ignoreManifestValidationResult = (oaParam.getBusinessService()) ? true
+ ignoreManifestValidationResult = (oaParam.hasBaseIdInternalProcessingRestriction()) ? true
: false;
if (ignoreManifestValidationResult) {
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
index 55562176d..09c64c267 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
@@ -66,10 +66,10 @@ import org.w3c.dom.NodeList;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.ParseException;
-import at.gv.egovernment.moa.id.auth.exception.ValidateException;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.BoolUtils;
import at.gv.egovernment.moa.util.Constants;
@@ -688,7 +688,7 @@ public class ParepUtils {
* <code>false</code> calculates (w)bPKs and changes also the <code>pr:Identifivation/pr:Type</code> elements.
* @return The element where Stammzahlen are hidden.
*/
- public static Element HideStammZahlen(Element hideElement, boolean businessApplication, String target, String registerID, boolean blank)
+ public static Element HideStammZahlen(Element hideElement, boolean businessApplication, String oaTargetAreaId, boolean blank)
throws BuildException {
try {
if (hideElement != null) {
@@ -706,20 +706,11 @@ public class ParepUtils {
}
if (blank) {
idValueNode.setNodeValue("");
- } else {
- String idValue = idValueNode.getNodeValue();
- if (businessApplication) {
- // wbPK berechnen
- idTypeNode.setNodeValue(Constants.URN_PREFIX_WBPK + "+" + registerID);
- String bpkBase64 = new BPKBuilder().buildWBPK(idValueNode.getNodeValue(), registerID);
- idValueNode.setNodeValue(bpkBase64);
-
- } else {
- // bPK berechnen
- idTypeNode.setNodeValue(Constants.URN_PREFIX_BPK);
- String bpkBase64 = new BPKBuilder().buildBPK(idValueNode.getNodeValue(), target);
- idValueNode.setNodeValue(bpkBase64);
- }
+
+ } else {
+ Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier(idValueNode.getNodeValue(), oaTargetAreaId);
+ idValueNode.setNodeValue(calcId.getFirst());
+
}
}
}
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml
index 0db2b26a8..0207eb6c9 100644
--- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml
@@ -7,4 +7,35 @@
</parent>
<artifactId>moa-id-module-bkaMobilaAuthSAML2Test</artifactId>
<description>BKA MobileAuth Test for SAML2 applications</description>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk15on</artifactId>
+ <version>1.52</version>
+ </dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-jdk15on</artifactId>
+ <version>1.52</version>
+ </dependency>
+
+ <!-- JSON JWT implementation -->
+ <dependency>
+ <groupId>com.googlecode.jsontoken</groupId>
+ <artifactId>jsontoken</artifactId>
+ <version>1.1</version>
+ <exclusions>
+ <exclusion>
+ <groupId>javax.servlet</groupId>
+ <artifactId>servlet-api</artifactId>
+ </exclusion>
+ <exclusion>
+ <artifactId>google-collections</artifactId>
+ <groupId>com.google.collections</groupId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ </dependencies>
+
</project> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java
index 44554e21d..0cef4cb41 100644
--- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java
@@ -30,9 +30,11 @@ import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Autowired;
import at.gv.egovernment.moa.id.auth.modules.AuthModule;
+import at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks.FirstBKAMobileAuthTask;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
+import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -45,7 +47,8 @@ public class BKAMobileAuthModule implements AuthModule {
private int priority = 1;
- @Autowired protected AuthConfiguration authConfig;
+ @Autowired(required=true) protected AuthConfiguration authConfig;
+ @Autowired(required=true) private AuthenticationManager authManager;
private List<String> uniqueIDsDummyAuthEnabled = new ArrayList<String>();
@@ -77,7 +80,10 @@ public class BKAMobileAuthModule implements AuthModule {
for (String el : uniqueIDsDummyAuthEnabled)
Logger.info(" EntityID: " + el);
}
- }
+ }
+
+ //parameter to whiteList
+ authManager.addParameterNameToWhiteList(FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW);
}
/* (non-Javadoc)
@@ -87,10 +93,22 @@ public class BKAMobileAuthModule implements AuthModule {
public String selectProcess(ExecutionContext context) {
String spEntityID = (String) context.get(MOAIDAuthConstants.PROCESSCONTEXT_UNIQUE_OA_IDENTFIER);
if (MiscUtil.isNotEmpty(spEntityID)) {
- if (uniqueIDsDummyAuthEnabled.contains(spEntityID))
- return "BKAMobileAuthentication";
-
- }
+ if (uniqueIDsDummyAuthEnabled.contains(spEntityID)) {
+ String eIDBlob = (String)context.get(FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW);
+ if (eIDBlob != null && MiscUtil.isNotEmpty(eIDBlob.trim())) {
+ return "BKAMobileAuthentication";
+
+ } else {
+ Logger.debug("Dummy-auth are enabled for " + spEntityID + " but no '"
+ + FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW + "' req. parameter available.");
+
+ }
+
+ } else
+ Logger.debug("Unique SP-Id: " + spEntityID + " is not in whitelist of mobile-auth module.");
+
+ } else
+ Logger.debug("No unique service-provider identifier!");
return null;
}
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java
index 884129453..aa16a9172 100644
--- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java
@@ -56,7 +56,7 @@ public class BKAMobileAuthSpringResourceProvider implements SpringResourceProvid
*/
@Override
public String getName() {
- return "BKA MobileAuth SAML2 Test";
+ return "Module for 'Mobile-Auth with Crypto-Binding'";
}
}
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java
index 66112edc5..43043ddd6 100644
--- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java
@@ -22,16 +22,56 @@
*/
package at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.SecretKeySpec;
+import javax.security.cert.CertificateException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
+import org.bouncycastle.cms.CMSSignedData;
+import org.joda.time.DateTime;
+import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParseException;
+import com.google.gson.JsonParser;
+
+import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-import at.gv.egovernment.moa.id.auth.servlet.GeneralProcessEngineSignalController;
+import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
+import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponseElement;
+import at.gv.egovernment.moa.spss.api.common.SignerInfo;
+import at.gv.egovernment.moa.spss.api.impl.VerifyCMSSignatureRequestImpl;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.MiscUtil;
/**
@@ -41,6 +81,20 @@ import at.gv.egovernment.moa.logging.Logger;
@Component("FirstBKAMobileAuthTask")
public class FirstBKAMobileAuthTask extends AbstractAuthServletTask {
+ private static final String CONF_MOASPSS_TRUSTPROFILE = "modules.bkamobileAuth.verify.trustprofile";
+ private static final String CONF_SIGNING_TIME_JITTER = "modules.bkamobileAuth.verify.time.jitter";
+ private static final String CONF_EID_TOKEN_ENCRYPTION_KEY = "modules.bkamobileAuth.eIDtoken.encryption.pass";
+
+ private static final String EIDCONTAINER_KEY_SALT = "salt";
+ private static final String EIDCONTAINER_KEY_IV = "iv";
+ private static final String EIDCONTAINER_EID = "eid";
+ private static final String EIDCONTAINER_KEY_IDL = "idl";
+ private static final String EIDCONTAINER_KEY_BINDINGCERT = "cert";
+
+ public static final String REQ_PARAM_eID_BLOW = "eidToken";
+
+ @Autowired(required=true) private AuthConfiguration authConfig;
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
*/
@@ -48,9 +102,196 @@ public class FirstBKAMobileAuthTask extends AbstractAuthServletTask {
public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
throws TaskExecutionException {
- Logger.info("Redirect to Second BKA Mobile Auth task");
- performRedirectToItself(pendingReq, response, GeneralProcessEngineSignalController.ENDPOINT_GENERIC);
+ try {
+ String eIDBlobRawB64 = request.getParameter(REQ_PARAM_eID_BLOW);
+ if (MiscUtil.isEmpty(eIDBlobRawB64)) {
+ //TODO: add dummy-auth functionality
+
+ Logger.warn("NO eID data blob included!");
+ throw new MOAIDException("NO eID data blob included!", null);
+ }
+
+ parseDemoValuesIntoMOASession(pendingReq, pendingReq.getMOASession(), eIDBlobRawB64);
+
+ } catch (MOAIDException e) {
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ } catch (Exception e) {
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ }
+
+ //Logger.info("Redirect to Second BKA Mobile Auth task");
+ //performRedirectToItself(pendingReq, response, GeneralProcessEngineSignalController.ENDPOINT_GENERIC);
+
+ }
+
+ /**
+ * @param pendingReq
+ * @param moaSession
+ * @param eIDBlobRaw
+ * @throws MOAIDException
+ * @throws IOException
+ */
+ private void parseDemoValuesIntoMOASession(IRequest pendingReq, IAuthenticationSession moaSession, String eIDBlobRawB64) throws MOAIDException, IOException {
+ Logger.debug("Check eID blob signature ... ");
+ byte[] eIDBlobRaw = Base64Utils.decode(eIDBlobRawB64.trim(), false);
+
+ VerifyCMSSignatureResponse cmsResp = SignatureVerificationInvoker.getInstance().verifyCMSSignature(
+ createCMSVerificationReq(eIDBlobRaw));
+
+ if (cmsResp.getResponseElements().isEmpty()) {
+ Logger.warn("No CMS signature-verification response");
+ throw new MOAIDException("Signature verification FAILED: No response", null);
+
+ }
+ VerifyCMSSignatureResponseElement sigVerifyResp = (VerifyCMSSignatureResponseElement) cmsResp.getResponseElements().get(0);
+ analyseCMSSignatureVerificationResponse(sigVerifyResp);
+
+
+ Logger.info("eID blob signature is VALID!");
+ byte[] decRawEidBlob = null;
+ byte[] signedData = null;
+ try {
+ Logger.debug("Starting eID information extraction ... ");
+ CMSSignedData cmsContent = new CMSSignedData(eIDBlobRaw);
+ signedData = (byte[])cmsContent.getSignedContent().getContent();
+ if (!cmsContent.getSignedContent().getContentType().equals(CMSObjectIdentifiers.data)) {
+ Logger.warn("Signature contains NO 'data' OID 1.2.840.113549.1.7.1");
+ throw new MOAIDException("Signature contains NO 'data' OID 1.2.840.113549.1.7.1", null);
+ }
+ if (signedData == null) {
+ Logger.warn("CMS SignedData is empty or null");
+ throw new MOAIDException("CMS SignedData is empty or null", null);
+ }
+ Logger.info("Signed content extracted");
+
+
+ Logger.debug("Starting signed content decryption ... ");
+ JsonParser parser = new JsonParser();
+ JsonObject signedDataJson = (JsonObject) parser.parse(new String(signedData, "UTF-8"));
+ byte[] salt = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_KEY_SALT).getAsString(), false);
+ byte[] ivraw = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_KEY_IV).getAsString(), false);
+ byte[] encRawEidBlob = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_EID).getAsString(), false);
+ SecretKey seckey = generateDecryptionKey(salt);
+ IvParameterSpec iv = new IvParameterSpec(ivraw);
+ Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+ cipher.init(Cipher.DECRYPT_MODE, seckey, iv);
+ decRawEidBlob = cipher.doFinal(encRawEidBlob);
+ Logger.info("eID data decryption completed");
+
+
+ Logger.debug("Starting eID-blob parsing ...");
+ JsonObject eIDBlobJson = (JsonObject) parser.parse(new String(decRawEidBlob, "UTF-8"));
+ String idlB64 = eIDBlobJson.get(
+ EIDCONTAINER_KEY_IDL).getAsString();
+ String bindingCertB64 = eIDBlobJson.get(
+ EIDCONTAINER_KEY_BINDINGCERT).getAsString();
+ javax.security.cert.X509Certificate bindingCert = javax.security.cert.X509Certificate.getInstance(Base64Utils.decode(bindingCertB64, false));
+ if (!sigVerifyResp.getSignerInfo().getSignerCertificate().equals(bindingCert)) {
+ Logger.error("eID-blob signing certificate DOES NOT match to binding certificate included in eID blob!");
+ Logger.info("BindingCert: " + bindingCert.toString());
+ Logger.info("SigningCert: " + sigVerifyResp.getSignerInfo().getSignerCertificate().toString());
+ throw new MOAIDException("eID-blob signing certificate DOES NOT match to binding certificate included in eID blob!", null);
+
+ }
+ Logger.info("eID-blob parsing completed");
+
+
+ Logger.debug("Parse eID information into MOA-Session ...");
+ byte[] rawIDL = Base64Utils.decode(idlB64, false);
+ IIdentityLink identityLink = new IdentityLinkAssertionParser(new ByteArrayInputStream(rawIDL)).parseIdentityLink();
+ moaSession.setIdentityLink(identityLink);
+ moaSession.setUseMandates(false);
+ moaSession.setForeigner(false);
+ moaSession.setBkuURL("http://egiz.gv.at/BKA_MobileAuthTest");
+ moaSession.setQAALevel(PVPConstants.STORK_QAA_1_3);
+ Logger.info("Session Restore completed");
+
+
+ } catch (MOAIDException e) {
+ throw e;
+
+ } catch (JsonParseException e) {
+ if (decRawEidBlob != null)
+ Logger.error("eID-blob parse error! blob: " + new String(decRawEidBlob, "UTF-8"), e);
+
+ if (signedData != null)
+ Logger.error("eID-blob parse error! blob: " + new String(signedData, "UTF-8"), e);
+
+ if (decRawEidBlob == null && signedData == null)
+ Logger.error("eID-blob parse error!", e);
+
+ throw new MOAIDException("eID-blob parse error!", null);
+
+ } catch (org.bouncycastle.cms.CMSException e) {
+ Logger.error("Can not parse CMS signature.", e);
+ throw new MOAIDException("Can not parse CMS signature.", null, e);
+
+ } catch (InvalidAlgorithmParameterException| NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | IllegalBlockSizeException | BadPaddingException e) {
+ Logger.error("Can not decrypte eID data.", e);
+ throw new MOAIDException("Can not decrypte eID data", null, e);
+ } catch (CertificateException e) {
+ Logger.error("Can not extract mobile-app binding-certificate from eID blob.", e);
+ throw new MOAIDException("Can not extract mobile-app binding-certificate from eID blob.", null, e);
+
+ } finally {
+
+ }
+
+ }
+
+ private SecretKey generateDecryptionKey(byte[] salt) throws MOAIDException {
+ String decryptionPassPhrase = authConfig.getBasicMOAIDConfiguration(CONF_EID_TOKEN_ENCRYPTION_KEY, "DEFAULTPASSWORD");
+ try {
+ SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
+ KeySpec spec = new PBEKeySpec(decryptionPassPhrase.toCharArray(), salt, 2000, 128);
+ SecretKey derivedKey = factory.generateSecret(spec);
+ SecretKeySpec symKeySpec = new SecretKeySpec(derivedKey.getEncoded(), "AES");
+ return symKeySpec;
+
+ } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
+ Logger.error("Mobile-Auth Module has an internal errror.", e);
+ throw new MOAIDException("Mobile-Auth Module has an internal errror.", null, e);
+
+ }
+ }
+
+ /**
+ * @throws MOAIDException
+ *
+ */
+ private void analyseCMSSignatureVerificationResponse(VerifyCMSSignatureResponseElement verifySigResult) throws MOAIDException {
+ //validate CMS signature verification response
+ if (verifySigResult.getSignatureCheck().getCode() != 0) {
+ Logger.warn("CMS signature verification FAILED with StatusCode: " + verifySigResult.getSignatureCheck().getCode());
+ throw new MOAIDException("CMS signature verification FAILED with StatusCode: " + verifySigResult.getSignatureCheck().getCode(), null);
+
+ }
+ if (verifySigResult.getCertificateCheck().getCode() != 0) {
+ Logger.warn("CMS certificate verification FAILED with StatusCode: " + verifySigResult.getCertificateCheck().getCode());
+ throw new MOAIDException("CMS certificate verification FAILED with StatusCode: " + verifySigResult.getCertificateCheck().getCode(), null);
+
+ }
+ SignerInfo signerInfos = verifySigResult.getSignerInfo();
+ DateTime date = new DateTime(signerInfos.getSigningTime().getTime());
+ Integer signingTimeJitter = Integer.valueOf(authConfig.getBasicMOAIDConfiguration(CONF_SIGNING_TIME_JITTER, "5"));
+ if (date.plusMinutes(signingTimeJitter).isBeforeNow()) {
+ Logger.warn("CMS signature-time is before: " + date.plusMinutes(signingTimeJitter));
+ throw new MOAIDException("CMS signature-time is before: " + date.plusMinutes(signingTimeJitter), null);
+
+ }
+
}
+ private VerifyCMSSignatureRequest createCMSVerificationReq(byte[] eIDBlobRaw) {
+ VerifyCMSSignatureRequestImpl cmsSigVerifyReq = new VerifyCMSSignatureRequestImpl();
+ cmsSigVerifyReq.setSignatories(VerifyCMSSignatureRequestImpl.ALL_SIGNATORIES);
+ cmsSigVerifyReq.setExtended(false);
+ cmsSigVerifyReq.setPDF(false);
+ cmsSigVerifyReq.setTrustProfileId(authConfig.getBasicMOAIDConfiguration(CONF_MOASPSS_TRUSTPROFILE, "!!NOT SET!!!"));
+ cmsSigVerifyReq.setCMSSignature(new ByteArrayInputStream(eIDBlobRaw));
+ return cmsSigVerifyReq;
+ }
}
diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml
index 4a0f4d5f2..6f41f347a 100644
--- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml
+++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml
@@ -12,8 +12,10 @@
<pd:StartEvent id="start" />
<pd:Transition from="start" to="firstStep" />
- <pd:Transition from="firstStep" to="secondStep"/>
- <pd:Transition from="secondStep" to="finalizeAuthentication" />
+ <!-- pd:Transition from="firstStep" to="secondStep"/>
+ <pd:Transition from="secondStep" to="finalizeAuthentication" /-->
+
+ <pd:Transition from="firstStep" to="finalizeAuthentication" />
<pd:Transition from="finalizeAuthentication" to="end" />
diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml
index f3d8eeb36..cf3325d24 100644
--- a/id/server/modules/moa-id-module-eIDAS/pom.xml
+++ b/id/server/modules/moa-id-module-eIDAS/pom.xml
@@ -12,11 +12,11 @@
<properties>
<repositoryPath>${basedir}/../../../../repository</repositoryPath>
- <eidas-commons.version>1.4.0-SNAPSHOT</eidas-commons.version>
- <eidas-light-commons.version>1.4.0-SNAPSHOT</eidas-light-commons.version>
- <eidas-saml-engine.version>1.4.0-SNAPSHOT</eidas-saml-engine.version>
- <eidas-encryption.version>1.4.0-SNAPSHOT</eidas-encryption.version>
- <eidas-configmodule.version>1.4.0-SNAPSHOT</eidas-configmodule.version>
+ <eidas-commons.version>1.4.0</eidas-commons.version>
+ <eidas-light-commons.version>1.4.0</eidas-light-commons.version>
+ <eidas-saml-engine.version>1.4.0</eidas-saml-engine.version>
+ <eidas-encryption.version>1.4.0</eidas-encryption.version>
+ <eidas-configmodule.version>1.4.0</eidas-configmodule.version>
</properties>
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index c0101b553..d975b6e0a 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -69,6 +69,8 @@ public class Constants {
public static final String CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".metadata.url";
+ public static final String CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".bpk.target.";
+
//timeouts and clock skews
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index 6f1d75bfe..154006ed8 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -31,7 +31,6 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.BooleanUtils;
-import org.apache.commons.lang3.StringUtils;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
@@ -41,6 +40,7 @@ import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
import com.google.common.net.MediaType;
@@ -227,7 +227,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
authnRequestBuilder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM);
//set correct SPType for this online application
- if (oaConfig.getBusinessService())
+ if (oaConfig.hasBaseIdTransferRestriction())
authnRequestBuilder.spType(SpType.PRIVATE.getValue());
else
authnRequestBuilder.spType(SpType.PUBLIC.getValue());
@@ -306,7 +306,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
context.put("RelayState", pendingReq.getRequestID());
- Logger.debug("Using assertion consumer url as action: " + authnReqEndpoint.getLocation());
+ Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation());
context.put("action", authnReqEndpoint.getLocation());
Logger.debug("Starting template merge");
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 940b91b44..1ce900ebb 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -56,6 +56,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
import at.gv.egovernment.moa.logging.Logger;
@@ -269,7 +270,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
//validate request country-code against eIDAS node config
String reqCC = samlReq.getOriginCountryCode();
- String eIDASTarget = oaConfig.getIdentityLinkDomainIdentifier();
+ String eIDASTarget = oaConfig.getAreaSpecificTargetIdentifier();
//validate eIDAS target
Pattern pattern = Pattern.compile("^" + at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS
@@ -283,14 +284,22 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
} else {
String[] splittedTarget = eIDASTarget.split("\\+");
if (!splittedTarget[2].equalsIgnoreCase(reqCC)) {
- Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer()
+ Logger.debug("Configuration for eIDAS-node:" + samlReq.getIssuer()
+ " Destination Country from request (" + reqCC
- + ") does not match to configuration:" + eIDASTarget);
- throw new MOAIDException("eIDAS.01",
- new Object[]{"Destination Country from request does not match to configuration"});
+ + ") does not match to configuration:" + eIDASTarget
+ + " --> Perform additional organisation check ...");
+
+ //check if eIDAS domain for bPK calculation is a valid target
+ if (!iseIDASTargetAValidOrganisation(reqCC, splittedTarget[2])) {
+ throw new MOAIDException("eIDAS.01",
+ new Object[]{"Destination Country from request does not match to configuration"});
+
+ }
+
}
- Logger.debug("CountryCode from request matches eIDAS-node configuration target");
+ Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget);
+
}
@@ -439,6 +448,20 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) {
return false;
}
+
+ private boolean iseIDASTargetAValidOrganisation(String reqCC, String bPKTargetArea) {
+ if (MiscUtil.isNotEmpty(reqCC)) {
+ List<String> allowedOrganisations = KeyValueUtils.getListOfCSVValues(
+ authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + reqCC.toLowerCase()));
+ if (allowedOrganisations.contains(bPKTargetArea)) {
+ Logger.debug(bPKTargetArea + " is a valid OrganisationIdentifier for request-country: "+ reqCC);
+ return true;
+ }
+ }
+
+ Logger.info("OrganisationIdentifier: " + bPKTargetArea + " is not allowed for country: " + reqCC);
+ return false;
+ }
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java
index c008048cb..ea5a002e0 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java
@@ -22,7 +22,13 @@
*/
package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator;
import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonSourcePinAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
/**
* @author tlenz
@@ -31,6 +37,31 @@ import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonS
public class eIDASAttrLegalPersonIdentifier extends MandateLegalPersonSourcePinAttributeBuilder implements IeIDASAttribute {
@Override
+ public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
+ IAttributeGenerator<ATT> g) throws AttributeException {
+ if(authData.isUseMandate()) {
+
+ //extract eIDAS unique Id prefix from naturalPerson bPK identifier
+ if (MiscUtil.isEmpty(authData.getBPKType())
+ || !authData.getBPKType().startsWith(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS)) {
+ Logger.error("BPKType is empty or does not start with eIDAS bPKType prefix! bPKType:" + authData.getBPKType());
+ throw new AttributeException("Suspect bPKType for eIDAS identifier generation");
+
+ }
+
+ //add eIDAS eID prefix to legal person identifier
+ String prefix = authData.getBPKType().substring(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS.length() + 1);
+ String legalPersonID = prefix.replaceAll("\\+", "/") + "/" + getLegalPersonIdentifierFromMandate(authData);
+ return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME,
+ MANDATE_LEG_PER_SOURCE_PIN_NAME, legalPersonID);
+
+ }
+
+ return null;
+
+ }
+
+ @Override
public String getName() {
return eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString();
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
index d0cda38c7..b91bbde9e 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
@@ -77,6 +77,8 @@ public class eIDASAuthenticationRequest implements IAction {
@Autowired protected MOAReversionLogger revisionsLogger;
@Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider;
+
+
@Override
public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException {
EIDASData eidasRequest;
@@ -91,29 +93,32 @@ public class eIDASAuthenticationRequest implements IAction {
//gather attributes
ImmutableAttributeMap reqAttributeList = (ImmutableAttributeMap) eidasRequest.getEidasRequestedAttributes();
ImmutableAttributeMap.Builder attrMapBuilder = ImmutableAttributeMap.builder();
-
- //generate eIDAS attributes
- for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions()) {
- Pair<AttributeDefinition<?>, ImmutableSet<AttributeValue<?>>> eIDASAttr = eIDASAttributeBuilder.buildAttribute(
- attr, req.getOnlineApplicationConfiguration(), authData);
-
- if(eIDASAttr == null) {
- if (attr.isRequired()) {
- Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available.");
- throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()});
-
- } else
- Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available.");
- } else {
- //add attribute to Map
- attrMapBuilder.put(
- (AttributeDefinition)eIDASAttr.getFirst(),
- (ImmutableSet)eIDASAttr.getSecond());
+ //generate eIDAS attributes
+ for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions())
+ buildAndAddAttribute(attrMapBuilder, attr, eidasRequest, authData);
+
+
+ //Check if Mandate attributes are requested if mandates was used
+ if (authData.isUseMandate()) {
+ if (reqAttributeList.getDefinitionByNameUri(
+ eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri()) == null) {
+ Logger.info("Citzen perfom authentication with mandates but no mandate attribute are included. --> Add mandate attribute 'LEGAL_PERSON_IDENTIFIER'");
+ buildAndAddAttribute(attrMapBuilder, eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER, eidasRequest, authData);
+
+ }
+
+ if (reqAttributeList.getDefinitionByNameUri(
+ eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME.getNameUri()) == null) {
+ Logger.info("Citzen perfom authentication with mandates but no mandate attribute are included. --> Add mandate attribute 'LEGAL_NAME'");
+ buildAndAddAttribute(attrMapBuilder, eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME, eidasRequest, authData);
}
}
+ //build final attibute set
+ ImmutableAttributeMap eIDASAttrbutMap = attrMapBuilder.build();
+
// construct eIDaS response
AuthenticationResponse.Builder responseBuilder = new AuthenticationResponse.Builder();
@@ -127,7 +132,7 @@ public class eIDASAuthenticationRequest implements IAction {
responseBuilder.levelOfAssurance(authData.getEIDASQAALevel());
//add attributes
- responseBuilder.attributes(attrMapBuilder.build());
+ responseBuilder.attributes(eIDASAttrbutMap);
//set success statuscode
responseBuilder.statusCode(StatusCode.SUCCESS_URI);
@@ -221,6 +226,26 @@ public class eIDASAuthenticationRequest implements IAction {
return "eIDAS_AuthnRequest";
}
+ private void buildAndAddAttribute(ImmutableAttributeMap.Builder attrMapBuilder, AttributeDefinition<?> attr, IRequest req, IAuthData authData) throws MOAIDException {
+ Pair<AttributeDefinition<?>, ImmutableSet<AttributeValue<?>>> eIDASAttr = eIDASAttributeBuilder.buildAttribute(
+ attr, req.getOnlineApplicationConfiguration(), authData);
+
+ if(eIDASAttr == null) {
+ if (attr.isRequired()) {
+ Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available.");
+ throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()});
+
+ } else
+ Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available.");
+
+ } else {
+ //add attribute to Map
+ attrMapBuilder.put(
+ (AttributeDefinition)eIDASAttr.getFirst(),
+ (ImmutableSet)eIDASAttr.getSecond());
+
+ }
+ }
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
index d65d74c3f..299eb442e 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
@@ -48,6 +48,7 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder;
@@ -150,7 +151,8 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask {
String sourcePinType = moasession.getIdentityLink().getIdentificationType();
String sourcePinValue = moasession.getIdentityLink().getIdentificationValue();
if (sourcePinType.startsWith(Constants.URN_PREFIX_BASEID)) {
- representativeBPK = new BPKBuilder().buildBPK(sourcePinValue, configTarget);
+ Pair<String, String> userId = new BPKBuilder().generateAreaSpecificPersonIdentifier(sourcePinValue, configTarget);
+ representativeBPK = userId.getFirst();
} else {
Logger.debug("No 'SourcePin' found for representative. "
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java
index 98f8d13c7..52970e240 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java
@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
-import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithFileSystemLoad;
import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConsta
import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateUtils;
import at.gv.egovernment.moa.id.auth.servlet.GeneralProcessEngineSignalController;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.logging.Logger;
@@ -60,11 +61,13 @@ public class SelectMandateServiceTask extends AbstractAuthServletTask {
//check if Service-Provider allows ELGA-mandates
if (ELGAMandateUtils.checkServiceProviderAgainstELGAModulConfigration(authConfig, pendingReq)) {
Logger.trace("Build GUI for mandate-service selection ...");
-
- IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
- pendingReq,
- ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION,
- GeneralProcessEngineSignalController.ENDPOINT_GENERIC);
+
+ IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithFileSystemLoad(
+ pendingReq,
+ ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION,
+ MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL,
+ GeneralProcessEngineSignalController.ENDPOINT_GENERIC,
+ authConfig.getRootConfigFileDir());
guiBuilder.build(response, config, "Mandate-Service selection");
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
index 2f6a54027..4ce77d861 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
@@ -75,14 +75,6 @@ public class SSOTransferAuthenticationData implements IAuthData {
}
/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService()
- */
- @Override
- public boolean isBusinessService() {
- return this.isIDPPrivateService;
- }
-
- /* (non-Javadoc)
* @see at.gv.egovernment.moa.id.data.IAuthData#isSsoSession()
*/
@Override
@@ -362,4 +354,13 @@ public class SSOTransferAuthenticationData implements IAuthData {
return this.authSession.getGenericDataFromSession(key, clazz);
}
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.data.IAuthData#isBaseIDTransferRestrication()
+ */
+ @Override
+ public boolean isBaseIDTransferRestrication() {
+ return this.isIDPPrivateService;
+ }
+
}
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java
index 3affa17b3..c2132c1f9 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java
@@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS;
import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
/**
* @author tlenz
@@ -42,15 +43,7 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
public SSOTransferOnlineApplication() {
}
-
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
- */
- @Override
- public boolean getBusinessService() {
- return false;
- }
-
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSO()
*/
@@ -107,33 +100,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
}
/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
- */
- @Override
- public String getOaType() {
- // TODO Auto-generated method stub
- return null;
- }
-
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
- */
- @Override
- public String getTarget() {
- // TODO Auto-generated method stub
- return null;
- }
-
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName()
- */
- @Override
- public String getTargetFriendlyName() {
- // TODO Auto-generated method stub
- return null;
- }
-
- /* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInderfederationIDP()
*/
@Override
@@ -151,14 +117,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
return false;
}
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
- */
- @Override
- public String getIdentityLinkDomainIdentifier() {
- // TODO Auto-generated method stub
- return null;
- }
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getKeyBoxIdentifier()
@@ -226,15 +184,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
}
/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType()
- */
- @Override
- public String getIdentityLinkDomainIdentifierType() {
- // TODO Auto-generated method stub
- return null;
- }
-
- /* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowMandateCheckBox()
*/
@Override
@@ -441,4 +390,38 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
return false;
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdInternalProcessingRestriction()
+ */
+ @Override
+ public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException {
+ return false;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdTransferRestriction()
+ */
+ @Override
+ public boolean hasBaseIdTransferRestriction() throws ConfigurationException {
+ return false;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier()
+ */
+ @Override
+ public String getAreaSpecificTargetIdentifier() throws ConfigurationException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifierFriendlyName()
+ */
+ @Override
+ public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
}
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java b/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java
index fe859c7bc..8ca087e1d 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java
@@ -232,6 +232,14 @@ public class Tests {
*/
public static void main(String[] args) {
+ String org_resp = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwycDpSZXNwb25zZSBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L1NhbWwyL2Fjcy9wb3N0IiBJRD0iXzQ0MDVlMmE5NTBiYWVkODdjYTBjOWNhZWY4ZThhYzBmIiBJblJlc3BvbnNlVG89ImlkLWY3VUhoSU1BOFdqeXFkUEJ3IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI+PHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdDwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGE1MTIiLz48ZHM6UmVmZXJlbmNlIFVSST0iI180NDA1ZTJhOTUwYmFlZDg3Y2EwYzljYWVmOGU4YWMwZiI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhNTEyIi8+PGRzOkRpZ2VzdFZhbHVlPng3a2RBVVRJTmlpak9sbmZNRVJnY29tZEFub2MwejIwTEI5NXN3TitIRXdnRTBCUUNaR0ZIZVJKQWVxbmxjRmZabUZNZnUyejE3OGFlRlVaK1VCOGpRPT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+cVFsWFRPdmtON2QzZ1BxaXR0VDRnNUtYNDkrNE45TWMza2NvS1p1RUhTZU1zd2p4dzNkZHpVcGd4bHJnUWc2QTl5cC80dTgxSlM3dVpSSWRESm9iRm81OUE4RWV0Qmh2cXptdElaOUt3ejJad0IyclhENlBFaERxOURnbHpZR0dOd05od2dFZXpPbzBlRTRpNHBETkRQdDkxaC9FOU1qMkxoR0NVM3U2ZEZ0ZHQ2R2FEa000RHVJcVZKeWdHQzdVZDJMeU14Q1NyVC9mRHpQSUN6RENCcDExRTNEaVRYWk55MTBaa1J2RU5tOUZrY0lPVHlRcmlrNXkrV25Ed0UrTDUzZUhNL1l4WkJBa2pGMjRRaEc0YVBxY1FhcFdEdWNSaDdYNkZsU1Y0bUpqNHp5TlMzSmZBeUFaN0J4S2w3anlxWjIzT1VTYm5MTkRIdVNpK2JzZkt3PT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUZ5VENDQkxHZ0F3SUJBZ0lDQXJRd0RRWUpLb1pJaHZjTkFRRUxCUUF3Z1pneEN6QUpCZ05WQkFZVEFrRlVNUTB3Q3dZRFZRUUkKRXdSWGFXVnVNU2N3SlFZRFZRUUtFeDVDZFc1a1pYTnRhVzVwYzNSbGNtbDFiU0JtZFdWeUlFbHVibVZ5WlhNeERqQU1CZ05WQkFzVApCVWxVTFUxVE1Sa3dGd1lEVlFRREV4QlFiM0owWVd4MlpYSmlkVzVrTFVOQk1TWXdKQVlKS29aSWh2Y05BUWtCRmhkaWJXa3RhWFl0Ck1pMWxMV05oUUdKdGFTNW5kaTVoZERBZUZ3MHhOakV5TWpBd09ETXlNVFphRncweE9UQXhNRGt3T0RNeU1UWmFNSUdITVFzd0NRWUQKVlFRR0V3SkJWREVOTUFzR0ExVUVDQk1FVjJsbGJqRVpNQmNHQTFVRUNoTVFRblZ1WkdWemEyRnVlbXhsY21GdGRERUxNQWtHQTFVRQpDeE1DU1ZReEhEQWFCZ05WQkFNVEUzTjBjQzFsYm5SM0xXSnJZUzFqYkdsbGJuUXhJekFoQmdrcWhraUc5dzBCQ1FFV0ZIcGxjblJwClptbHJZWFJBWW10aExtZDJMbUYwTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEya2lxMTZNQWNUTTkKRjJPUzlNZEJ0eHpqMmdnSmpuZWVjNFRvZitvZXBEVWRpTk5HRDFmSDFZRU9qZ3ZiSzhvc2tXZ3ptbmFRM1FyV0RrZmlEM2l1dXpLKwp1eWc3L3psSHdyV2VmY0sycGkvbTJqQXNqTXZXZFlDWk9raDNoL3dEN25oMkpRd0N4Sy91K1hxbnVMWnBHQkRlTExqMStHWTFQL3F0CktNWWxzZ2ZwWTNjWFlKL3dvWk9ZblZhK1liOE1USHNNempQcEpXVkw2QURFREhMU1lVZ3h2LzMzSDlISGFQUXNNRmpDejVuRitWUkUKQ0EwbnpWS3dXcFN1dWdabmk5KzdMNVlUUUR5VDNNUUtQeURxRmZnMUVQS21BV1F0UU84OXUvZ3JERVNZNldLMlFxV2JieUZ6Ykx4TQozVjI3Sit6OE8wV3dsMzlyTS9DVDdIcjNkd0lEQVFBQm80SUNLakNDQWlZd0NRWURWUjBUQkFJd0FEQUxCZ05WSFE4RUJBTUNCZUF3CkxBWUpZSVpJQVliNFFnRU5CQjhXSFU5d1pXNVRVMHdnUjJWdVpYSmhkR1ZrSUVObGNuUnBabWxqWVhSbE1CMEdBMVVkRGdRV0JCUmcKUURkQnNoT1BpYUs0VGxNT3Nqdlltek04U0RDQjBRWURWUjBqQklISk1JSEdnQlNtSHZSZUdrTzBpTjZpeUwxb1pRUEZNRzltMDZHQgpxcVNCcHpDQnBERUxNQWtHQTFVRUJoTUNRVlF4RFRBTEJnTlZCQWdUQkZkcFpXNHhEVEFMQmdOVkJBY1RCRmRwWlc0eEp6QWxCZ05WCkJBb1RIa0oxYm1SbGMyMXBibWx6ZEdWeWFYVnRJR1oxWlhJZ1NXNXVaWEpsY3pFT01Bd0dBMVVFQ3hNRlNWUXRUVk14RmpBVUJnTlYKQkFNVERWQnZjblJoYkZKdmIzUXRRMEV4SmpBa0Jna3Foa2lHOXcwQkNRRVdGMkp0YVMxcGRpMHlMV1V0WTJGQVltMXBMbWQyTG1GMApnZ0VCTUI4R0ExVWRFUVFZTUJhQkZIcGxjblJwWm1scllYUkFZbXRoTG1kMkxtRjBNQ0lHQTFVZEVnUWJNQm1CRjJKdGFTMXBkaTB5CkxXVXRZMkZBWW0xcExtZDJMbUYwTUVVR0ExVWRId1ErTUR3d09xQTRvRGFHTkdoMGRIQTZMeTl3YjNKMFlXd3VZbTFwTG1kMkxtRjAKTDNKbFppOXdhMmt2Y0c5eWRHRnNRMEV2VUc5eWRHRnNWaTVqY213d1R3WUlLd1lCQlFVSEFRRUVRekJCTUQ4R0NDc0dBUVVGQnpBQwpoak5vZEhSd09pOHZjRzl5ZEdGc0xtSnRhUzVuZGk1aGRDOXlaV1l2Y0d0cEwzQnZjblJoYkVOQkwybHVaR1Y0TG1oMGJXd3dEZ1lICktpZ0FDZ0VCQVFRREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJtRGRkb2NaakNUMmlDOGx4bUNwdGQxTEtMaEUvdVVUTEYKZDVCUUlFMm52bUYrcUdwd09HSXlLUlhvSVJ2R04rZjU2Tm53cCthVTNqdjJONWh1OURoRWlubGYxbmRDTzJiSGlUYTZyS3FyZDY5dApTY0tjUWk5empHd25iOXV2MU5BR05UN0pxVWN5VGh3bTB6bnpGWU9CMXdZQnVyaC9kQWVaYkR4ekpDNnZLdjZZT2gvWWV5MWdDUGZNCkYxRlFnUVQ5QXRDZTFvTVA0dHQ4dXZVUldSYm0za3JEaFNsL3kxSDN0WDVJQlZ2cjl0cko0ekpiYkZNUGdLS0FXaERINEI0aUJaNmwKUzZILzBqWjlUSWsyRFpjbExISjUvNnVuajg4ZnBXcis2dUE4K3F3alNWUjY5RnZHdXJwckZzOVFMMDZCUjBELzRXNXkrNFFSUk9HWQpNYVVCPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWwycDpTdGF0dXM+PHNhbWwycDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWwycDpTdGF0dXM+PHNhbWwyOkFzc2VydGlvbiBJRD0iXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PHNhbWwyOklzc3Vlcj5odHRwczovL3N0cC1hdXRoLWFwcC5lbnR3LnBvcnRhbC5ia2EuZ3YuYXQvc3RkcG9ydGFsLWlkcC9wb3J0YWx2ZXJidW5kLmd2LmF0PC9zYW1sMjpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTUxMiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGE1MTIiLz48ZHM6RGlnZXN0VmFsdWU+TWZVYVFUQ3A4N05CejdHanBOcXU5LzJCUm0yNFRac1hFRWQvK0YwTDZHTjZMWlRvWFdoaTQ3b2g3WW8rQ0RySTcxUS9hUXp6NmdqZU5YeC9ManViaXc9PTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5rUXlmclkyb3phODBNOEY4VFh0SXJtVno4SEFuaHJOY0wxblJRSW1IY2d5VjBnMFcxMW9JaVMzM1ZCbDJLeHVZaVdicFg0ZXdzcW9rSTBaZWxGQ0RoU1ZtTFpZUlRzWGV4ellSZ3hhUUdQZnNnMUh6eStYRzVEQUFSRk9pdDh3SGlpeFE1QVIzOFJRendudml0bTJRYkNoVGhzVk5zeHp4RmpEZnh3ejlpNzcvd3VPZTVERlU5Z0hzWUtEVUxrVFVyT1BveGM0RFgyQjYvd0E0cFJ2Z1lhTnFSQVltenFpSWlQQW5DMnZETXdjemQ2M2wzb3NuNHZlb3k3a0pYN0JkZTVUM29MREx5Tno4VXFua1pHY2c3Nkp4WGVweGptdmtnSy8yRk91d3VvUTY4WnI5T25hRE1vNmRqTlFzU2xpL2ZlMGFjVVpHVDVrajRBUU12NDYyc3c9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRnlUQ0NCTEdnQXdJQkFnSUNBclF3RFFZSktvWklodmNOQVFFTEJRQXdnWmd4Q3pBSkJnTlZCQVlUQWtGVU1RMHdDd1lEVlFRSQpFd1JYYVdWdU1TY3dKUVlEVlFRS0V4NUNkVzVrWlhOdGFXNXBjM1JsY21sMWJTQm1kV1Z5SUVsdWJtVnlaWE14RGpBTUJnTlZCQXNUCkJVbFVMVTFUTVJrd0Z3WURWUVFERXhCUWIzSjBZV3gyWlhKaWRXNWtMVU5CTVNZd0pBWUpLb1pJaHZjTkFRa0JGaGRpYldrdGFYWXQKTWkxbExXTmhRR0p0YVM1bmRpNWhkREFlRncweE5qRXlNakF3T0RNeU1UWmFGdzB4T1RBeE1Ea3dPRE15TVRaYU1JR0hNUXN3Q1FZRApWUVFHRXdKQlZERU5NQXNHQTFVRUNCTUVWMmxsYmpFWk1CY0dBMVVFQ2hNUVFuVnVaR1Z6YTJGdWVteGxjbUZ0ZERFTE1Ba0dBMVVFCkN4TUNTVlF4SERBYUJnTlZCQU1URTNOMGNDMWxiblIzTFdKcllTMWpiR2xsYm5ReEl6QWhCZ2txaGtpRzl3MEJDUUVXRkhwbGNuUnAKWm1scllYUkFZbXRoTG1kMkxtRjBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTJraXExNk1BY1RNOQpGMk9TOU1kQnR4emoyZ2dKam5lZWM0VG9mK29lcERVZGlOTkdEMWZIMVlFT2pndmJLOG9za1dnem1uYVEzUXJXRGtmaUQzaXV1eksrCnV5ZzcvemxId3JXZWZjSzJwaS9tMmpBc2pNdldkWUNaT2toM2gvd0Q3bmgySlF3Q3hLL3UrWHFudUxacEdCRGVMTGoxK0dZMVAvcXQKS01ZbHNnZnBZM2NYWUovd29aT1luVmErWWI4TVRIc016alBwSldWTDZBREVESExTWVVneHYvMzNIOUhIYVBRc01GakN6NW5GK1ZSRQpDQTBuelZLd1dwU3V1Z1puaTkrN0w1WVRRRHlUM01RS1B5RHFGZmcxRVBLbUFXUXRRTzg5dS9nckRFU1k2V0syUXFXYmJ5RnpiTHhNCjNWMjdKK3o4TzBXd2wzOXJNL0NUN0hyM2R3SURBUUFCbzRJQ0tqQ0NBaVl3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFQkFNQ0JlQXcKTEFZSllJWklBWWI0UWdFTkJCOFdIVTl3Wlc1VFUwd2dSMlZ1WlhKaGRHVmtJRU5sY25ScFptbGpZWFJsTUIwR0ExVWREZ1FXQkJSZwpRRGRCc2hPUGlhSzRUbE1Pc2p2WW16TThTRENCMFFZRFZSMGpCSUhKTUlIR2dCU21IdlJlR2tPMGlONml5TDFvWlFQRk1HOW0wNkdCCnFxU0JwekNCcERFTE1Ba0dBMVVFQmhNQ1FWUXhEVEFMQmdOVkJBZ1RCRmRwWlc0eERUQUxCZ05WQkFjVEJGZHBaVzR4SnpBbEJnTlYKQkFvVEhrSjFibVJsYzIxcGJtbHpkR1Z5YVhWdElHWjFaWElnU1c1dVpYSmxjekVPTUF3R0ExVUVDeE1GU1ZRdFRWTXhGakFVQmdOVgpCQU1URFZCdmNuUmhiRkp2YjNRdFEwRXhKakFrQmdrcWhraUc5dzBCQ1FFV0YySnRhUzFwZGkweUxXVXRZMkZBWW0xcExtZDJMbUYwCmdnRUJNQjhHQTFVZEVRUVlNQmFCRkhwbGNuUnBabWxyWVhSQVltdGhMbWQyTG1GME1DSUdBMVVkRWdRYk1CbUJGMkp0YVMxcGRpMHkKTFdVdFkyRkFZbTFwTG1kMkxtRjBNRVVHQTFVZEh3UStNRHd3T3FBNG9EYUdOR2gwZEhBNkx5OXdiM0owWVd3dVltMXBMbWQyTG1GMApMM0psWmk5d2Eya3ZjRzl5ZEdGc1EwRXZVRzl5ZEdGc1ZpNWpjbXd3VHdZSUt3WUJCUVVIQVFFRVF6QkJNRDhHQ0NzR0FRVUZCekFDCmhqTm9kSFJ3T2k4dmNHOXlkR0ZzTG1KdGFTNW5kaTVoZEM5eVpXWXZjR3RwTDNCdmNuUmhiRU5CTDJsdVpHVjRMbWgwYld3d0RnWUgKS2lnQUNnRUJBUVFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQm1EZGRvY1pqQ1QyaUM4bHhtQ3B0ZDFMS0xoRS91VVRMRgpkNUJRSUUybnZtRitxR3B3T0dJeUtSWG9JUnZHTitmNTZObndwK2FVM2p2Mk41aHU5RGhFaW5sZjFuZENPMmJIaVRhNnJLcXJkNjl0ClNjS2NRaTl6akd3bmI5dXYxTkFHTlQ3SnFVY3lUaHdtMHpuekZZT0Ixd1lCdXJoL2RBZVpiRHh6SkM2dkt2NllPaC9ZZXkxZ0NQZk0KRjFGUWdRVDlBdENlMW9NUDR0dDh1dlVSV1JibTNrckRoU2wveTFIM3RYNUlCVnZyOXRySjR6SmJiRk1QZ0tLQVdoREg0QjRpQlo2bApTNkgvMGpaOVRJazJEWmNsTEhKNS82dW5qODhmcFdyKzZ1QTgrcXdqU1ZSNjlGdkd1cnByRnM5UUwwNkJSMEQvNFc1eSs0UVJST0dZCk1hVUI8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCIgTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwczovL3NhbWxwcm94eS10ZXN0LnVjb20uZ3YuYXQvc3AiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj54bnRHMDBlakpBZ0w3KzBtdVRJb3JoYUljeW89PC9zYW1sMjpOYW1lSUQ+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgQWRkcmVzcz0iMTI5LjI3LjE1Mi4xMjYiIEluUmVzcG9uc2VUbz0iaWQtZjdVSGhJTUE4V2p5cWRQQnciIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi42MjNaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc2FtbHByb3h5LXRlc3QudWNvbS5ndi5hdC9TYW1sMi9hY3MvcG9zdCIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q+PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE3LTA5LTIwVDE0OjQ5OjUyLjU5M1oiIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi41OTNaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U+aHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L3NwPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNDk1WiIgU2Vzc2lvbkluZGV4PSJfYjBhOGUxOTQ5YzQyMjU5NjA0MzAxMDUwNjBkMGQyYTgiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTctMDktMjBUMTU6MTk6NTIuNjAyWiI+PHNhbWwyOlN1YmplY3RMb2NhbGl0eSBBZGRyZXNzPSIxMjkuMjcuMTUyLjEyNiIvPjxzYW1sMjpBdXRobkNvbnRleHQ+PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPmh0dHA6Ly93d3cucmVmLmd2LmF0L25zL25hbWVzL2FnaXovcHZwL3NlY2NsYXNzLzAtMjwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sMjpBdXRobkNvbnRleHQ+PC9zYW1sMjpBdXRoblN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJDT1NULUNFTlRFUi1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQQVJUSUNJUEFOVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS43MSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCOjExMTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlBSSU5DSVBBTC1OQU1FIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjI2MS4yMCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5Nb2JpbGVBdXRoPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iT1UiIE5hbWU9InVybjpvaWQ6Mi41LjQuMTEiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+RHVtbXktT0U8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJNQUlMIiBOYW1lPSJ1cm46b2lkOjAuOS4yMzQyLjE5MjAwMzAwLjEwMC4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+bW9iaWxlLmF1dGguMkBia2EuZ3YuYXQ8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQVlAtVkVSU0lPTiIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+Mi4xPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iSU5WT0lDRS1SRUNQVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNDAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QjoxMTE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJPVS1PS1oiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMTUzIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPkJLQS1EVU1NWTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlVTRVJJRCIgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPm1vYmlsZS5hdXRoLjJAYmthLmd2LmF0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iUk9MRVMiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMjYxLjMwIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPnVjb21tX1VzZXIoKTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IkdJVkVOLU5BTUUiIE5hbWU9InVybjpvaWQ6Mi41LjQuNDIiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+WndlaTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9Ik9VLUdWLU9VLUlEIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJHSUQiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCS0E6cGd1bHJyZHBvPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iU0VDQ0xBU1MiIE5hbWU9Imh0dHA6Ly9sZnJ6LmF0L3N0ZHBvcnRhbC9uYW1lcy9wdnAvc2VjQ2xhc3MiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+Mjwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sMjpBc3NlcnRpb24+PC9zYW1sMnA6UmVzcG9uc2U+";
+ String org_req = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwycDpSZXNwb25zZSBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L1NhbWwyL2Fjcy9wb3N0IiBJRD0iXzQ0MDVlMmE5NTBiYWVkODdjYTBjOWNhZWY4ZThhYzBmIiBJblJlc3BvbnNlVG89ImlkLWY3VUhoSU1BOFdqeXFkUEJ3IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI%2BPHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdDwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGE1MTIiLz48ZHM6UmVmZXJlbmNlIFVSST0iI180NDA1ZTJhOTUwYmFlZDg3Y2EwYzljYWVmOGU4YWMwZiI%2BPGRzOlRyYW5zZm9ybXM%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhNTEyIi8%2BPGRzOkRpZ2VzdFZhbHVlPng3a2RBVVRJTmlpak9sbmZNRVJnY29tZEFub2MwejIwTEI5NXN3TitIRXdnRTBCUUNaR0ZIZVJKQWVxbmxjRmZabUZNZnUyejE3OGFlRlVaK1VCOGpRPT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU%2BcVFsWFRPdmtON2QzZ1BxaXR0VDRnNUtYNDkrNE45TWMza2NvS1p1RUhTZU1zd2p4dzNkZHpVcGd4bHJnUWc2QTl5cC80dTgxSlM3dVpSSWRESm9iRm81OUE4RWV0Qmh2cXptdElaOUt3ejJad0IyclhENlBFaERxOURnbHpZR0dOd05od2dFZXpPbzBlRTRpNHBETkRQdDkxaC9FOU1qMkxoR0NVM3U2ZEZ0ZHQ2R2FEa000RHVJcVZKeWdHQzdVZDJMeU14Q1NyVC9mRHpQSUN6RENCcDExRTNEaVRYWk55MTBaa1J2RU5tOUZrY0lPVHlRcmlrNXkrV25Ed0UrTDUzZUhNL1l4WkJBa2pGMjRRaEc0YVBxY1FhcFdEdWNSaDdYNkZsU1Y0bUpqNHp5TlMzSmZBeUFaN0J4S2w3anlxWjIzT1VTYm5MTkRIdVNpK2JzZkt3PT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUZ5VENDQkxHZ0F3SUJBZ0lDQXJRd0RRWUpLb1pJaHZjTkFRRUxCUUF3Z1pneEN6QUpCZ05WQkFZVEFrRlVNUTB3Q3dZRFZRUUkKRXdSWGFXVnVNU2N3SlFZRFZRUUtFeDVDZFc1a1pYTnRhVzVwYzNSbGNtbDFiU0JtZFdWeUlFbHVibVZ5WlhNeERqQU1CZ05WQkFzVApCVWxVTFUxVE1Sa3dGd1lEVlFRREV4QlFiM0owWVd4MlpYSmlkVzVrTFVOQk1TWXdKQVlKS29aSWh2Y05BUWtCRmhkaWJXa3RhWFl0Ck1pMWxMV05oUUdKdGFTNW5kaTVoZERBZUZ3MHhOakV5TWpBd09ETXlNVFphRncweE9UQXhNRGt3T0RNeU1UWmFNSUdITVFzd0NRWUQKVlFRR0V3SkJWREVOTUFzR0ExVUVDQk1FVjJsbGJqRVpNQmNHQTFVRUNoTVFRblZ1WkdWemEyRnVlbXhsY21GdGRERUxNQWtHQTFVRQpDeE1DU1ZReEhEQWFCZ05WQkFNVEUzTjBjQzFsYm5SM0xXSnJZUzFqYkdsbGJuUXhJekFoQmdrcWhraUc5dzBCQ1FFV0ZIcGxjblJwClptbHJZWFJBWW10aExtZDJMbUYwTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEya2lxMTZNQWNUTTkKRjJPUzlNZEJ0eHpqMmdnSmpuZWVjNFRvZitvZXBEVWRpTk5HRDFmSDFZRU9qZ3ZiSzhvc2tXZ3ptbmFRM1FyV0RrZmlEM2l1dXpLKwp1eWc3L3psSHdyV2VmY0sycGkvbTJqQXNqTXZXZFlDWk9raDNoL3dEN25oMkpRd0N4Sy91K1hxbnVMWnBHQkRlTExqMStHWTFQL3F0CktNWWxzZ2ZwWTNjWFlKL3dvWk9ZblZhK1liOE1USHNNempQcEpXVkw2QURFREhMU1lVZ3h2LzMzSDlISGFQUXNNRmpDejVuRitWUkUKQ0EwbnpWS3dXcFN1dWdabmk5KzdMNVlUUUR5VDNNUUtQeURxRmZnMUVQS21BV1F0UU84OXUvZ3JERVNZNldLMlFxV2JieUZ6Ykx4TQozVjI3Sit6OE8wV3dsMzlyTS9DVDdIcjNkd0lEQVFBQm80SUNLakNDQWlZd0NRWURWUjBUQkFJd0FEQUxCZ05WSFE4RUJBTUNCZUF3CkxBWUpZSVpJQVliNFFnRU5CQjhXSFU5d1pXNVRVMHdnUjJWdVpYSmhkR1ZrSUVObGNuUnBabWxqWVhSbE1CMEdBMVVkRGdRV0JCUmcKUURkQnNoT1BpYUs0VGxNT3Nqdlltek04U0RDQjBRWURWUjBqQklISk1JSEdnQlNtSHZSZUdrTzBpTjZpeUwxb1pRUEZNRzltMDZHQgpxcVNCcHpDQnBERUxNQWtHQTFVRUJoTUNRVlF4RFRBTEJnTlZCQWdUQkZkcFpXNHhEVEFMQmdOVkJBY1RCRmRwWlc0eEp6QWxCZ05WCkJBb1RIa0oxYm1SbGMyMXBibWx6ZEdWeWFYVnRJR1oxWlhJZ1NXNXVaWEpsY3pFT01Bd0dBMVVFQ3hNRlNWUXRUVk14RmpBVUJnTlYKQkFNVERWQnZjblJoYkZKdmIzUXRRMEV4SmpBa0Jna3Foa2lHOXcwQkNRRVdGMkp0YVMxcGRpMHlMV1V0WTJGQVltMXBMbWQyTG1GMApnZ0VCTUI4R0ExVWRFUVFZTUJhQkZIcGxjblJwWm1scllYUkFZbXRoTG1kMkxtRjBNQ0lHQTFVZEVnUWJNQm1CRjJKdGFTMXBkaTB5CkxXVXRZMkZBWW0xcExtZDJMbUYwTUVVR0ExVWRId1ErTUR3d09xQTRvRGFHTkdoMGRIQTZMeTl3YjNKMFlXd3VZbTFwTG1kMkxtRjAKTDNKbFppOXdhMmt2Y0c5eWRHRnNRMEV2VUc5eWRHRnNWaTVqY213d1R3WUlLd1lCQlFVSEFRRUVRekJCTUQ4R0NDc0dBUVVGQnpBQwpoak5vZEhSd09pOHZjRzl5ZEdGc0xtSnRhUzVuZGk1aGRDOXlaV1l2Y0d0cEwzQnZjblJoYkVOQkwybHVaR1Y0TG1oMGJXd3dEZ1lICktpZ0FDZ0VCQVFRREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJtRGRkb2NaakNUMmlDOGx4bUNwdGQxTEtMaEUvdVVUTEYKZDVCUUlFMm52bUYrcUdwd09HSXlLUlhvSVJ2R04rZjU2Tm53cCthVTNqdjJONWh1OURoRWlubGYxbmRDTzJiSGlUYTZyS3FyZDY5dApTY0tjUWk5empHd25iOXV2MU5BR05UN0pxVWN5VGh3bTB6bnpGWU9CMXdZQnVyaC9kQWVaYkR4ekpDNnZLdjZZT2gvWWV5MWdDUGZNCkYxRlFnUVQ5QXRDZTFvTVA0dHQ4dXZVUldSYm0za3JEaFNsL3kxSDN0WDVJQlZ2cjl0cko0ekpiYkZNUGdLS0FXaERINEI0aUJaNmwKUzZILzBqWjlUSWsyRFpjbExISjUvNnVuajg4ZnBXcis2dUE4K3F3alNWUjY5RnZHdXJwckZzOVFMMDZCUjBELzRXNXkrNFFSUk9HWQpNYVVCPC9kczpYNTA5Q2VydGlmaWNhdGU%2BPC9kczpYNTA5RGF0YT48L2RzOktleUluZm8%2BPC9kczpTaWduYXR1cmU%2BPHNhbWwycDpTdGF0dXM%2BPHNhbWwycDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWwycDpTdGF0dXM%2BPHNhbWwyOkFzc2VydGlvbiBJRD0iXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BPHNhbWwyOklzc3Vlcj5odHRwczovL3N0cC1hdXRoLWFwcC5lbnR3LnBvcnRhbC5ia2EuZ3YuYXQvc3RkcG9ydGFsLWlkcC9wb3J0YWx2ZXJidW5kLmd2LmF0PC9zYW1sMjpJc3N1ZXI%2BPGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI%2BPGRzOlNpZ25lZEluZm8%2BPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTUxMiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGE1MTIiLz48ZHM6RGlnZXN0VmFsdWU%2BTWZVYVFUQ3A4N05CejdHanBOcXU5LzJCUm0yNFRac1hFRWQvK0YwTDZHTjZMWlRvWFdoaTQ3b2g3WW8rQ0RySTcxUS9hUXp6NmdqZU5YeC9ManViaXc9PTwvZHM6RGlnZXN0VmFsdWU%2BPC9kczpSZWZlcmVuY2U%2BPC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5rUXlmclkyb3phODBNOEY4VFh0SXJtVno4SEFuaHJOY0wxblJRSW1IY2d5VjBnMFcxMW9JaVMzM1ZCbDJLeHVZaVdicFg0ZXdzcW9rSTBaZWxGQ0RoU1ZtTFpZUlRzWGV4ellSZ3hhUUdQZnNnMUh6eStYRzVEQUFSRk9pdDh3SGlpeFE1QVIzOFJRendudml0bTJRYkNoVGhzVk5zeHp4RmpEZnh3ejlpNzcvd3VPZTVERlU5Z0hzWUtEVUxrVFVyT1BveGM0RFgyQjYvd0E0cFJ2Z1lhTnFSQVltenFpSWlQQW5DMnZETXdjemQ2M2wzb3NuNHZlb3k3a0pYN0JkZTVUM29MREx5Tno4VXFua1pHY2c3Nkp4WGVweGptdmtnSy8yRk91d3VvUTY4WnI5T25hRE1vNmRqTlFzU2xpL2ZlMGFjVVpHVDVrajRBUU12NDYyc3c9PTwvZHM6U2lnbmF0dXJlVmFsdWU%2BPGRzOktleUluZm8%2BPGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU%2BTUlJRnlUQ0NCTEdnQXdJQkFnSUNBclF3RFFZSktvWklodmNOQVFFTEJRQXdnWmd4Q3pBSkJnTlZCQVlUQWtGVU1RMHdDd1lEVlFRSQpFd1JYYVdWdU1TY3dKUVlEVlFRS0V4NUNkVzVrWlhOdGFXNXBjM1JsY21sMWJTQm1kV1Z5SUVsdWJtVnlaWE14RGpBTUJnTlZCQXNUCkJVbFVMVTFUTVJrd0Z3WURWUVFERXhCUWIzSjBZV3gyWlhKaWRXNWtMVU5CTVNZd0pBWUpLb1pJaHZjTkFRa0JGaGRpYldrdGFYWXQKTWkxbExXTmhRR0p0YVM1bmRpNWhkREFlRncweE5qRXlNakF3T0RNeU1UWmFGdzB4T1RBeE1Ea3dPRE15TVRaYU1JR0hNUXN3Q1FZRApWUVFHRXdKQlZERU5NQXNHQTFVRUNCTUVWMmxsYmpFWk1CY0dBMVVFQ2hNUVFuVnVaR1Z6YTJGdWVteGxjbUZ0ZERFTE1Ba0dBMVVFCkN4TUNTVlF4SERBYUJnTlZCQU1URTNOMGNDMWxiblIzTFdKcllTMWpiR2xsYm5ReEl6QWhCZ2txaGtpRzl3MEJDUUVXRkhwbGNuUnAKWm1scllYUkFZbXRoTG1kMkxtRjBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTJraXExNk1BY1RNOQpGMk9TOU1kQnR4emoyZ2dKam5lZWM0VG9mK29lcERVZGlOTkdEMWZIMVlFT2pndmJLOG9za1dnem1uYVEzUXJXRGtmaUQzaXV1eksrCnV5ZzcvemxId3JXZWZjSzJwaS9tMmpBc2pNdldkWUNaT2toM2gvd0Q3bmgySlF3Q3hLL3UrWHFudUxacEdCRGVMTGoxK0dZMVAvcXQKS01ZbHNnZnBZM2NYWUovd29aT1luVmErWWI4TVRIc016alBwSldWTDZBREVESExTWVVneHYvMzNIOUhIYVBRc01GakN6NW5GK1ZSRQpDQTBuelZLd1dwU3V1Z1puaTkrN0w1WVRRRHlUM01RS1B5RHFGZmcxRVBLbUFXUXRRTzg5dS9nckRFU1k2V0syUXFXYmJ5RnpiTHhNCjNWMjdKK3o4TzBXd2wzOXJNL0NUN0hyM2R3SURBUUFCbzRJQ0tqQ0NBaVl3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFQkFNQ0JlQXcKTEFZSllJWklBWWI0UWdFTkJCOFdIVTl3Wlc1VFUwd2dSMlZ1WlhKaGRHVmtJRU5sY25ScFptbGpZWFJsTUIwR0ExVWREZ1FXQkJSZwpRRGRCc2hPUGlhSzRUbE1Pc2p2WW16TThTRENCMFFZRFZSMGpCSUhKTUlIR2dCU21IdlJlR2tPMGlONml5TDFvWlFQRk1HOW0wNkdCCnFxU0JwekNCcERFTE1Ba0dBMVVFQmhNQ1FWUXhEVEFMQmdOVkJBZ1RCRmRwWlc0eERUQUxCZ05WQkFjVEJGZHBaVzR4SnpBbEJnTlYKQkFvVEhrSjFibVJsYzIxcGJtbHpkR1Z5YVhWdElHWjFaWElnU1c1dVpYSmxjekVPTUF3R0ExVUVDeE1GU1ZRdFRWTXhGakFVQmdOVgpCQU1URFZCdmNuUmhiRkp2YjNRdFEwRXhKakFrQmdrcWhraUc5dzBCQ1FFV0YySnRhUzFwZGkweUxXVXRZMkZBWW0xcExtZDJMbUYwCmdnRUJNQjhHQTFVZEVRUVlNQmFCRkhwbGNuUnBabWxyWVhSQVltdGhMbWQyTG1GME1DSUdBMVVkRWdRYk1CbUJGMkp0YVMxcGRpMHkKTFdVdFkyRkFZbTFwTG1kMkxtRjBNRVVHQTFVZEh3UStNRHd3T3FBNG9EYUdOR2gwZEhBNkx5OXdiM0owWVd3dVltMXBMbWQyTG1GMApMM0psWmk5d2Eya3ZjRzl5ZEdGc1EwRXZVRzl5ZEdGc1ZpNWpjbXd3VHdZSUt3WUJCUVVIQVFFRVF6QkJNRDhHQ0NzR0FRVUZCekFDCmhqTm9kSFJ3T2k4dmNHOXlkR0ZzTG1KdGFTNW5kaTVoZEM5eVpXWXZjR3RwTDNCdmNuUmhiRU5CTDJsdVpHVjRMbWgwYld3d0RnWUgKS2lnQUNnRUJBUVFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQm1EZGRvY1pqQ1QyaUM4bHhtQ3B0ZDFMS0xoRS91VVRMRgpkNUJRSUUybnZtRitxR3B3T0dJeUtSWG9JUnZHTitmNTZObndwK2FVM2p2Mk41aHU5RGhFaW5sZjFuZENPMmJIaVRhNnJLcXJkNjl0ClNjS2NRaTl6akd3bmI5dXYxTkFHTlQ3SnFVY3lUaHdtMHpuekZZT0Ixd1lCdXJoL2RBZVpiRHh6SkM2dkt2NllPaC9ZZXkxZ0NQZk0KRjFGUWdRVDlBdENlMW9NUDR0dDh1dlVSV1JibTNrckRoU2wveTFIM3RYNUlCVnZyOXRySjR6SmJiRk1QZ0tLQVdoREg0QjRpQlo2bApTNkgvMGpaOVRJazJEWmNsTEhKNS82dW5qODhmcFdyKzZ1QTgrcXdqU1ZSNjlGdkd1cnByRnM5UUwwNkJSMEQvNFc1eSs0UVJST0dZCk1hVUI8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCIgTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwczovL3NhbWxwcm94eS10ZXN0LnVjb20uZ3YuYXQvc3AiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj54bnRHMDBlakpBZ0w3KzBtdVRJb3JoYUljeW89PC9zYW1sMjpOYW1lSUQ%2BPHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgQWRkcmVzcz0iMTI5LjI3LjE1Mi4xMjYiIEluUmVzcG9uc2VUbz0iaWQtZjdVSGhJTUE4V2p5cWRQQnciIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi42MjNaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc2FtbHByb3h5LXRlc3QudWNvbS5ndi5hdC9TYW1sMi9hY3MvcG9zdCIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q%2BPHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE3LTA5LTIwVDE0OjQ5OjUyLjU5M1oiIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi41OTNaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U%2BaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L3NwPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24%2BPC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNDk1WiIgU2Vzc2lvbkluZGV4PSJfYjBhOGUxOTQ5YzQyMjU5NjA0MzAxMDUwNjBkMGQyYTgiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTctMDktMjBUMTU6MTk6NTIuNjAyWiI%2BPHNhbWwyOlN1YmplY3RMb2NhbGl0eSBBZGRyZXNzPSIxMjkuMjcuMTUyLjEyNiIvPjxzYW1sMjpBdXRobkNvbnRleHQ%2BPHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPmh0dHA6Ly93d3cucmVmLmd2LmF0L25zL25hbWVzL2FnaXovcHZwL3NlY2NsYXNzLzAtMjwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY%2BPC9zYW1sMjpBdXRobkNvbnRleHQ%2BPC9zYW1sMjpBdXRoblN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJDT1NULUNFTlRFUi1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQQVJUSUNJUEFOVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS43MSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCOjExMTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlBSSU5DSVBBTC1OQU1FIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjI2MS4yMCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5Nb2JpbGVBdXRoPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iT1UiIE5hbWU9InVybjpvaWQ6Mi41LjQuMTEiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BRHVtbXktT0U8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJNQUlMIiBOYW1lPSJ1cm46b2lkOjAuOS4yMzQyLjE5MjAwMzAwLjEwMC4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BbW9iaWxlLmF1dGguMkBia2EuZ3YuYXQ8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQVlAtVkVSU0lPTiIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BMi4xPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iSU5WT0lDRS1SRUNQVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNDAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QjoxMTE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJPVS1PS1oiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMTUzIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPkJLQS1EVU1NWTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlVTRVJJRCIgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPm1vYmlsZS5hdXRoLjJAYmthLmd2LmF0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iUk9MRVMiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMjYxLjMwIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPnVjb21tX1VzZXIoKTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IkdJVkVOLU5BTUUiIE5hbWU9InVybjpvaWQ6Mi41LjQuNDIiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BWndlaTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9Ik9VLUdWLU9VLUlEIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJHSUQiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCS0E6cGd1bHJyZHBvPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iU0VDQ0xBU1MiIE5hbWU9Imh0dHA6Ly9sZnJ6LmF0L3N0ZHBvcnRhbC9uYW1lcy9wdnAvc2VjQ2xhc3MiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BMjwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ%2BPC9zYW1sMjpBc3NlcnRpb24%2BPC9zYW1sMnA6UmVzcG9uc2U%2B";
+ String req = java.net.URLEncoder.encode(org_resp);
+
+ System.out.println(org_resp);
+ System.out.println(req);
+ System.out.println(org_req);
+
/*
* Test verifyable random functions with RSA
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
index d3ebffdfd..9981e8156 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
@@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationImpl;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.URLEncoder;
@Service("SAML1_GetArtifactAction")
@@ -84,10 +85,12 @@ public class GetArtifactAction implements IAction {
String samlArtifactBase64 = saml1server.BuildSAMLArtifact(oaParam, authData, sourceID);
+ String oaTargetArea = req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class);
+
if (authData.isSsoSession()) {
String url = req.getAuthURL() + "/RedirectServlet";
url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8"));
- if (!oaParam.getBusinessService())
+ if (MiscUtil.isNotEmpty(oaTargetArea))
url = addURLParameter(url, MOAIDAuthConstants.PARAM_TARGET,
URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8"));
url = addURLParameter(url, MOAIDAuthConstants.PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8"));
@@ -99,7 +102,7 @@ public class GetArtifactAction implements IAction {
} else {
String redirectURL = oaURL;
- if (!oaParam.getBusinessService()) {
+ if (MiscUtil.isNotEmpty(oaTargetArea)) {
redirectURL = addURLParameter(redirectURL, MOAIDAuthConstants.PARAM_TARGET,
URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8"));
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index df8f13544..bf4a55e46 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -48,7 +48,6 @@ import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder;
import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.ParseException;
@@ -65,6 +64,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.storage.ITransactionStorage;
import at.gv.egovernment.moa.id.util.Random;
@@ -239,7 +239,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
//set prPersion
boolean provideStammzahl = saml1parameter.isProvideStammzahl()
- || oaParam.getBusinessService();
+ || oaParam.hasBaseIdTransferRestriction();
String prPerson = "";
String ilAssertion = "";
@@ -268,7 +268,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
id.setValue(value );
if ( MiscUtil.isNotEmpty(authData.getIdentificationValue()) &&
- saml1parameter.isProvideIdentityLink() && !authData.isBusinessService()) {
+ saml1parameter.isProvideIdentityLink() && !authData.isBaseIDTransferRestrication()) {
//add baseID if it is requested and available and SP is publicService
value.setValue(authData.getIdentificationValue());
id.setType(authData.getIdentificationType());
@@ -332,7 +332,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
try {
ExtendedSAMLAttribute[] extendedSAMLAttributes = addExtendedSamlAttributes(
- authData.getMISMandate(), oaParam.getBusinessService(),
+ authData.getMISMandate(), oaParam.hasBaseIdTransferRestriction(),
saml1parameter.isProvideStammzahl());
if (extendedSAMLAttributes != null) {
@@ -406,7 +406,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
ilAssertion,
authData.getBkuURL(),
signerCertificateBase64,
- oaParam.getBusinessService(),
+ oaParam.hasBaseIdTransferRestriction(),
oaAttributes,
useCondition,
conditionLength);
@@ -419,7 +419,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
ilAssertion,
authData.getBkuURL(),
signerCertificateBase64,
- oaParam.getBusinessService(),
+ oaParam.hasBaseIdTransferRestriction(),
authData.getExtendedSAMLAttributesOA(),
useCondition,
conditionLength);
@@ -486,27 +486,20 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
prPerson = ParepUtils.extractPrPersonOfMandate(mandate);
if (physical
- && oaParam.getBusinessService()
+ && oaParam.hasBaseIdTransferRestriction()
&& identificationType != null
&& Constants.URN_PREFIX_BASEID
.equals(identificationType)) {
// now we calculate the wbPK and do so if we got it from the
// BKU
-
- //load IdentityLinkDomainType from OAParam
- String type = oaParam.getIdentityLinkDomainIdentifier();
- if (type.startsWith(Constants.URN_PREFIX_WBPK + "+"))
- identificationType = type;
- else
- identificationType = Constants.URN_PREFIX_WBPK + "+"
- + type;
-
-
- identificationValue = new BPKBuilder().buildWBPK(
- identificationValue, identificationType);
- ParepUtils
- .HideStammZahlen(prPerson, true, null, null, true);
+ //load IdentityLinkDomainType from OAParam
+ Pair<String, String> targedId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ identificationValue, oaParam.getAreaSpecificTargetIdentifier());
+ identificationValue = targedId.getFirst();
+ identificationType = targedId.getSecond();
+
+ ParepUtils.HideStammZahlen(prPerson, true, null, true);
}
}
@@ -520,18 +513,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
try {
boolean provideStammzahl = oaParam.getSAML1Parameter().isProvideStammzahl();
- String oatargetType;
- if(oaParam.getBusinessService()) {
- if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
- oatargetType = oaParam.getIdentityLinkDomainIdentifier();
- else
- oatargetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+oaParam.getIdentityLinkDomainIdentifier();
-
- } else {
- oatargetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
-
- }
-
+ String oatargetType = oaParam.getAreaSpecificTargetIdentifier();
Element prIdentification = (Element) prPerson.
getElementsByTagNameNS(Constants.PD_NS_URI,"Identification").item(0);
@@ -544,7 +526,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
String baseid = getBaseId(prPerson);
Element identificationBpK;
if (MiscUtil.isNotEmpty(baseid)) {
- identificationBpK = createIdentificationBPK(prPerson, baseid, oaParam.getTarget());
+ identificationBpK = createIdentificationBPK(prPerson, baseid, oatargetType);
if (!provideStammzahl) {
prIdentification.getFirstChild().setTextContent("");
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
index 37d66d29b..19fadb318 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
@@ -40,6 +40,7 @@ import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
@@ -118,7 +119,7 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController {
//preProcess SAML1 Request
preProcess(req, resp, pendingReq);
-
+
performAuthentication(req, resp, pendingReq);
return;
@@ -190,14 +191,19 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController {
if (MiscUtil.isNotEmpty(target)) {
pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, target);
- pendingRequest.setTarget(target);
+ pendingRequest.setTarget(MOAIDAuthConstants.PREFIX_CDID + target);
+
+ } else {
+ String targetArea = oaParam.getAreaSpecificTargetIdentifier();
+ pendingRequest.setTarget(targetArea);
+
+ if (targetArea.startsWith(MOAIDAuthConstants.PREFIX_CDID))
+ pendingRequest.setGenericDataToSession(REQ_DATA_TARGET,
+ targetArea.substring(MOAIDAuthConstants.PREFIX_CDID.length()));
- }
- else {
- pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, oaParam.getTarget());
- pendingRequest.setTarget(oaParam.getTarget());
}
+
//AuthnRequest needs authentication
pendingRequest.setNeedAuthentication(true);
diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
index 6372fefa8..a56be1f46 100644
--- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
+++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
@@ -78,7 +78,8 @@ public class IdentityLinkTestModule implements TestModuleInterface {
domVerifyXMLSignatureResponse).parseData();
DynamicOAAuthParameters oaParam = new DynamicOAAuthParameters();
- oaParam.setBusinessService(true);
+ oaParam.setHasBaseIdProcessingRestriction(true);
+ oaParam.setHasBaseIdTransfergRestriction(true);
VerifyXMLSignatureResponseValidator.getInstance().validate(
verifyXMLSignatureResponse,