diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-02-13 09:44:35 +0100 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-02-13 09:44:35 +0100 |
commit | 6fabc9a604d61622f19ff8ca0b9237c114021c0e (patch) | |
tree | 19665b4096eb65e50576706cbd3bea2d79fc2c5b /id/server | |
parent | f361911ce08962a04b26d67fa7d4698d7294cc74 (diff) | |
download | moa-id-spss-6fabc9a604d61622f19ff8ca0b9237c114021c0e.tar.gz moa-id-spss-6fabc9a604d61622f19ff8ca0b9237c114021c0e.tar.bz2 moa-id-spss-6fabc9a604d61622f19ff8ca0b9237c114021c0e.zip |
Now the whole metadata file is NOT rejected if a single entity is not valid.
Diffstat (limited to 'id/server')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java | 41 |
1 files changed, 34 insertions, 7 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java index f0ae6f446..ed0cf9c62 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java @@ -25,7 +25,9 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; import iaik.x509.X509Certificate; import java.security.cert.CertificateException; +import java.util.ArrayList; import java.util.Iterator; +import java.util.List; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; @@ -69,13 +71,17 @@ public class MetadataSignatureFilter implements MetadataFilter { while(entID.hasNext()) { processEntitiesDescriptor(entID.next()); } - + Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator(); - - //check every Entity + + List<EntityDescriptor> verifiedEntIT = new ArrayList<EntityDescriptor>(); + + //check every Entity + while(entIT.hasNext()) { EntityDescriptor entity = entIT.next(); + String entityID = entity.getEntityID(); //CHECK if Entity also match MetaData signature. @@ -92,17 +98,31 @@ public class MetadataSignatureFilter implements MetadataFilter { EntityVerifier.verify(desc, entityCrendential); + //add entity to verified entity-list + verifiedEntIT.add(entity); + } catch (Exception e) { - throw new MOAIDException("The App", null, e); + + //remove entity of signature can not be verified. + Logger.info("Entity " + entityID + " is removed from metadata " + + desc.getName() + ". Entity verification error: " + e.getMessage()); +// throw new MOAIDException("The App", null, e); } } else { - throw new NoCredentialsException("NO Certificate found for OA " + entityID); + //remove entity if it is not registrated as OA + Logger.info("Entity " + entityID + " is removed from metadata " + + desc.getName() + ". Entity is not registrated or no certificate is found!"); +// throw new NoCredentialsException("NO Certificate found for OA " + entityID); } - + //TODO: insert to support signed Entity-Elements //processEntityDescriptorr(entIT.next()); - } + } + + //set only verified entity elements + desc.getEntityDescriptors().clear(); + desc.getEntityDescriptors().addAll(verifiedEntIT); } public void doFilter(XMLObject metadata) throws FilterException { @@ -114,6 +134,13 @@ public class MetadataSignatureFilter implements MetadataFilter { } processEntitiesDescriptor(entitiesDescriptor); + + if (entitiesDescriptor.getEntityDescriptors().size() == 0) { + throw new MOAIDException("No valid entity in metadata " + + entitiesDescriptor.getName() + ". Metadata is not loaded.", null); + } + + } else if (metadata instanceof EntityDescriptor) { EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; processEntityDescriptorr(entityDescriptor); |