aboutsummaryrefslogtreecommitdiff
path: root/id/server
diff options
context:
space:
mode:
authorBojan Suzic <bojan.suzic@iaik.tugraz.at>2014-06-05 18:28:01 +0200
committerBojan Suzic <bojan.suzic@iaik.tugraz.at>2014-06-05 18:28:01 +0200
commitc7c87f61be0358786c563817d56a92434f0ece1d (patch)
treed12dd1349375ecf732ae3f0bf424ae3286964963 /id/server
parent509702fe127404554451857e49a0493e3d24b150 (diff)
parent6f814ec50badeacbb22ac2556c894b996ddc3959 (diff)
downloadmoa-id-spss-c7c87f61be0358786c563817d56a92434f0ece1d.tar.gz
moa-id-spss-c7c87f61be0358786c563817d56a92434f0ece1d.tar.bz2
moa-id-spss-c7c87f61be0358786c563817d56a92434f0ece1d.zip
Merge branch 'moa-2.1-Snapshot' of gitlab.iaik.tugraz.at:afitzek/moa-idspss into moa-2.1-Snapshot
Diffstat (limited to 'id/server')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java22
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java17
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java102
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java58
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java12
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java19
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java18
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java90
10 files changed, 241 insertions, 113 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 632227d79..c0e1dd3ca 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -27,6 +27,8 @@ import iaik.x509.X509Certificate;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
+import java.util.Date;
+import java.util.GregorianCalendar;
import java.util.List;
import javax.naming.ldap.LdapName;
@@ -445,6 +447,9 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
authData.setSsoSession(true);
+ if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null)
+ authData.setSsoSessionValidTo(assertion.getConditions().getNotOnOrAfter().toDate());
+
//only for SAML1
if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel()))
authData.setQualifiedCertificate(true);
@@ -454,7 +459,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
private static void buildAuthDataFormMOASession(AuthenticationData authData, AuthenticationSession session,
- IOAAuthParameters oaParam) throws BuildException {
+ IOAAuthParameters oaParam) throws BuildException, ConfigurationException {
String target = oaParam.getTarget();
@@ -465,7 +470,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
boolean businessService = oaParam.getBusinessService();
authData.setIssuer(session.getAuthURL());
-
+
//baseID or wbpk in case of BusinessService without SSO or BusinessService SSO
authData.setIdentificationValue(identityLink.getIdentificationValue());
authData.setIdentificationType(identityLink.getIdentificationType());
@@ -529,6 +534,19 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
authData.setSsoSession(AuthenticationSessionStoreage.isSSOSession(session.getSessionID()));
+ //set max. SSO session time
+ if (authData.isSsoSession()) {
+ long maxSSOSessionTime = AuthConfigurationProvider.getInstance().getTimeOuts().getMOASessionCreated().longValue() * 1000;
+ Date ssoSessionValidTo = new Date(session.getSessionCreated().getTime() + maxSSOSessionTime);
+ authData.setSsoSessionValidTo(ssoSessionValidTo);
+
+ } else {
+ //set valid to 5 min
+ Date ssoSessionValidTo = new Date(new Date().getTime() + 5 * 60 * 1000);
+ authData.setSsoSessionValidTo(ssoSessionValidTo);
+
+ }
+
/* TODO: Support SSO Mandate MODE!
* Insert functionality to translate mandates in case of SSO
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
index c5ba49b2e..8726c1618 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
@@ -42,6 +42,7 @@ import java.io.Serializable;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
+import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Vector;
@@ -78,6 +79,9 @@ public class AuthenticationSession implements Serializable {
* session ID
*/
private String sessionID;
+
+ private Date sessionCreated = null;
+
/**
* "Gesch&auml;ftsbereich" the online application belongs to; maybe <code>null</code> if the
* online application is a business application
@@ -344,8 +348,9 @@ public class AuthenticationSession implements Serializable {
* @param id
* Session ID
*/
- public AuthenticationSession(String id) {
+ public AuthenticationSession(String id, Date created) {
sessionID = id;
+ sessionCreated = created;
// setTimestampStart();
// infoboxValidators = new ArrayList();
}
@@ -1050,6 +1055,13 @@ public class AuthenticationSession implements Serializable {
this.storkAuthnResponse = storkAuthnResponse;
}
+ /**
+ * @return the sessionCreated
+ */
+ public Date getSessionCreated() {
+ return sessionCreated;
+ }
+
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
index 33e62d3d0..5685977bc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
@@ -135,6 +135,7 @@ public class AuthenticationData implements IAuthData, Serializable {
private String QAALevel = null;
private boolean ssoSession = false;
+ private Date ssoSessionValidTo = null;
private boolean interfederatedSSOSession = false;
private String interfederatedIDP = null;
@@ -656,7 +657,23 @@ public class AuthenticationData implements IAuthData, Serializable {
public void setInterfederatedIDP(String interfederatedIDP) {
this.interfederatedIDP = interfederatedIDP;
}
+
+ /**
+ * @return the ssoSessionValidTo
+ */
+ public Date getSsoSessionValidTo() {
+ return ssoSessionValidTo;
+ }
+
+ /**
+ * @param ssoSessionValidTo the ssoSessionValidTo to set
+ */
+ public void setSsoSessionValidTo(Date ssoSessionValidTo) {
+ this.ssoSessionValidTo = ssoSessionValidTo;
+ }
+
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
index 4ea81f134..7e421da0f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
@@ -53,6 +53,8 @@ public interface IAuthData {
String getBPK();
String getBPKType();
+ Date getSsoSessionValidTo();
+
String getInterfederatedIDP();
String getIdentificationValue();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java
index a0f3dd309..df195c0de 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java
@@ -29,8 +29,10 @@ import java.util.LinkedHashMap;
import java.util.List;
import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.metadata.SingleLogoutService;
+import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
@@ -52,47 +54,87 @@ public class SLOInformationContainer implements Serializable {
public void parseActiveOAs(List<OASessionStore> dbOAs, String removeOAID) {
- activeFrontChannalOAs = new LinkedHashMap<String, SLOInformationImpl>();
- activeBackChannelOAs = new LinkedHashMap<String, SLOInformationImpl>();
+ if (activeBackChannelOAs == null)
+ activeBackChannelOAs = new LinkedHashMap<String, SLOInformationImpl>();
+ if (activeFrontChannalOAs == null)
+ activeFrontChannalOAs = new LinkedHashMap<String, SLOInformationImpl>();
if (dbOAs != null) {
for (OASessionStore oa : dbOAs) {
- //Actually only PVP 2.1 support Single LogOut
- if (PVP2XProtocol.NAME.equals(oa.getProtocolType()) &&
- !oa.getOaurlprefix().equals(removeOAID)) {
+ if (!oa.getOaurlprefix().equals(removeOAID)) {
+
+ //Actually only PVP 2.1 support Single LogOut
+ if (PVP2XProtocol.PATH.equals(oa.getProtocolType())) {
+ SingleLogoutService sloDesc;
+ try {
+ sloDesc = SingleLogOutBuilder.getRequestSLODescriptor(oa.getOaurlprefix());
+
+ if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI))
+ activeBackChannelOAs.put(oa.getOaurlprefix(),
+ new SLOInformationImpl(
+ oa.getAssertionSessionID(),
+ oa.getUserNameID(),
+ oa.getUserNameIDFormat(),
+ oa.getProtocolType(),
+ sloDesc));
+
+ else
+ activeFrontChannalOAs.put(oa.getOaurlprefix(),
+ new SLOInformationImpl(
+ oa.getAssertionSessionID(),
+ oa.getUserNameID(),
+ oa.getUserNameIDFormat(),
+ oa.getProtocolType(),
+ sloDesc));
+
+ } catch (NOSLOServiceDescriptorException e) {
+ putFailedOA(oa.getOaurlprefix());
+
+ }
+
+ } else
+ putFailedOA(oa.getOaurlprefix());
+ }
+ }
+ }
+ }
+
+ /**
+ * @param dbIDPs
+ * @param value
+ */
+ public void parseActiveIDPs(List<InterfederationSessionStore> dbIDPs,
+ String removeIDP) {
+ if (activeBackChannelOAs == null)
+ activeBackChannelOAs = new LinkedHashMap<String, SLOInformationImpl>();
+ if (activeFrontChannalOAs == null)
+ activeFrontChannalOAs = new LinkedHashMap<String, SLOInformationImpl>();
+
+ if (dbIDPs != null) {
+ for (InterfederationSessionStore el : dbIDPs) {
+ if (!el.getIdpurlprefix().equals(removeIDP)) {
+
SingleLogoutService sloDesc;
try {
- sloDesc = SingleLogOutBuilder.getRequestSLODescriptor(oa.getOaurlprefix());
-
- if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI))
- activeBackChannelOAs.put(oa.getOaurlprefix(),
- new SLOInformationImpl(
- oa.getAssertionSessionID(),
- oa.getUserNameID(),
- oa.getUserNameIDFormat(),
- oa.getProtocolType(),
- sloDesc));
+ sloDesc = SingleLogOutBuilder.getRequestSLODescriptor(el.getIdpurlprefix());
- else
- activeFrontChannalOAs.put(oa.getOaurlprefix(),
- new SLOInformationImpl(
- oa.getAssertionSessionID(),
- oa.getUserNameID(),
- oa.getUserNameIDFormat(),
- oa.getProtocolType(),
+ activeFrontChannalOAs.put(el.getIdpurlprefix(),
+ new SLOInformationImpl(
+ el.getSessionIndex(),
+ el.getUserNameID(),
+ NameID.TRANSIENT,
+ PVP2XProtocol.PATH,
sloDesc));
} catch (NOSLOServiceDescriptorException e) {
- putFailedOA(oa.getOaurlprefix());
+ putFailedOA(el.getIdpurlprefix());
}
-
- } else
- putFailedOA(oa.getOaurlprefix());
+ }
}
}
}
-
+
public String getNextFrontChannelOA() {
Iterator<String> interator = activeFrontChannalOAs.keySet().iterator();
if (interator.hasNext())
@@ -147,9 +189,5 @@ public class SLOInformationContainer implements Serializable {
if (sloFailedOAs == null)
sloFailedOAs = new ArrayList<String>();
sloFailedOAs.add(oaID);
- }
-
-
-
-
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
index 01f7e18ba..c60e69df6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
@@ -258,21 +258,21 @@ public class MetadataAction implements IAction {
//add SLO descriptor
-// SingleLogoutService postSLOService =
-// SAML2Utils.createSAMLObject(SingleLogoutService.class);
-// postSLOService.setLocation(PVPConfiguration
-// .getInstance().getIDPSSOPostService());
-// postSLOService
-// .setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
-// spSSODescriptor.getSingleLogoutServices().add(postSLOService);
-//
-// SingleLogoutService redirectSLOService =
-// SAML2Utils.createSAMLObject(SingleLogoutService.class);
-// redirectSLOService.setLocation(PVPConfiguration
-// .getInstance().getIDPSSOPostService());
-// redirectSLOService
-// .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
-// spSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
+ SingleLogoutService postSLOService =
+ SAML2Utils.createSAMLObject(SingleLogoutService.class);
+ postSLOService.setLocation(PVPConfiguration
+ .getInstance().getIDPSSOPostService());
+ postSLOService
+ .setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+ spSSODescriptor.getSingleLogoutServices().add(postSLOService);
+
+ SingleLogoutService redirectSLOService =
+ SAML2Utils.createSAMLObject(SingleLogoutService.class);
+ redirectSLOService.setLocation(PVPConfiguration
+ .getInstance().getIDPSSOPostService());
+ redirectSLOService
+ .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+ spSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
@@ -333,13 +333,13 @@ public class MetadataAction implements IAction {
postSingleSignOnService);
//add SLO descriptor
-// SingleLogoutService postSLOService =
-// SAML2Utils.createSAMLObject(SingleLogoutService.class);
-// postSLOService.setLocation(PVPConfiguration
-// .getInstance().getIDPSSOPostService());
-// postSLOService
-// .setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
-// idpSSODescriptor.getSingleLogoutServices().add(postSLOService);
+ SingleLogoutService postSLOService =
+ SAML2Utils.createSAMLObject(SingleLogoutService.class);
+ postSLOService.setLocation(PVPConfiguration
+ .getInstance().getIDPSSOPostService());
+ postSLOService
+ .setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+ idpSSODescriptor.getSingleLogoutServices().add(postSLOService);
}
@@ -355,13 +355,13 @@ public class MetadataAction implements IAction {
redirectSingleSignOnService);
//add SLO descriptor
-// SingleLogoutService redirectSLOService =
-// SAML2Utils.createSAMLObject(SingleLogoutService.class);
-// redirectSLOService.setLocation(PVPConfiguration
-// .getInstance().getIDPSSOPostService());
-// redirectSLOService
-// .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
-// idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
+ SingleLogoutService redirectSLOService =
+ SAML2Utils.createSAMLObject(SingleLogoutService.class);
+ redirectSLOService.setLocation(PVPConfiguration
+ .getInstance().getIDPSSORedirectService());
+ redirectSLOService
+ .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+ idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
}
/*if (PVPConfiguration.getInstance().getIDPResolveSOAPService() != null) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
index c67d10ab7..92441e663 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
@@ -42,6 +42,7 @@ import org.opensaml.xml.security.SecurityException;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
@@ -124,9 +125,11 @@ public class SingleLogOutAction implements IAction {
}
//store active OAs to SLOContaine
- List<OASessionStore> dbOAs = AuthenticationSessionStoreage.getAllActiveOAFromMOASession(session);
+ List<OASessionStore> dbOAs = AuthenticationSessionStoreage.getAllActiveOAFromMOASession(session);
+ List<InterfederationSessionStore> dbIDPs = AuthenticationSessionStoreage.getAllActiveIDPsFromMOASession(session);
SLOInformationContainer sloContainer = new SLOInformationContainer();
sloContainer.setSloRequest(pvpReq);
+ sloContainer.parseActiveIDPs(dbIDPs, logOutReq.getIssuer().getValue());
sloContainer.parseActiveOAs(dbOAs, logOutReq.getIssuer().getValue());
//terminate MOASession
@@ -247,10 +250,13 @@ public class SingleLogOutAction implements IAction {
private void checkStatusCode(SLOInformationContainer sloContainer, LogoutResponse logOutResp) {
Status status = logOutResp.getStatus();
- if (!status.getStatusCode().equals(StatusCode.SUCCESS_URI)) {
+ if (!status.getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+ String message = " Message: ";
+ if (status.getStatusMessage() != null)
+ message += status.getStatusMessage().getMessage();
Logger.warn("Single LogOut for OA " + logOutResp.getIssuer().getValue()
+ " FAILED. (ResponseCode: " + status.getStatusCode().getValue()
- + " Message: " + status.getStatusMessage().getMessage() + ")");
+ + message + ")");
sloContainer.putFailedOA(logOutResp.getIssuer().getValue());
} else
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index 04d374e93..7aa860c5c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -35,6 +35,7 @@ import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusMessage;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.SSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
@@ -125,7 +126,7 @@ public class SingleLogOutBuilder {
public static SingleLogoutService getRequestSLODescriptor(String entityID) throws NOSLOServiceDescriptorException {
try {
EntityDescriptor entity = MOAMetadataProvider.getInstance().getEntityDescriptor(entityID);
- SPSSODescriptor spsso = entity.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+ SSODescriptor spsso = entity.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
SingleLogoutService sloService = null;
for (SingleLogoutService el : spsso.getSingleLogoutServices()) {
@@ -173,14 +174,18 @@ public class SingleLogOutBuilder {
if (el.getBinding().equals(spRequest.getBinding()))
sloService = el;
}
- if (sloService == null && spsso.getSingleLogoutServices().size() != 0)
- sloService = spsso.getSingleLogoutServices().get(0);
- else {
- Logger.error("Found no SLO ServiceDescriptor in Metadata");
- throw new NOSLOServiceDescriptorException("NO SLO ServiceDescriptor", null);
+ if (sloService == null) {
+ if (spsso.getSingleLogoutServices().size() != 0)
+ sloService = spsso.getSingleLogoutServices().get(0);
+
+ else {
+ Logger.error("Found no SLO ServiceDescriptor in Metadata");
+ throw new NOSLOServiceDescriptorException("NO SLO ServiceDescriptor", null);
+ }
}
- return sloService;
+
+ return sloService;
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 4d6343fce..fa5d252bd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -135,7 +135,8 @@ public class PVP2AssertionBuilder implements PVPConstants {
SubjectConfirmationData subjectConfirmationData = null;
return buildGenericAssertion(attrQuery.getIssuer().getValue(), date,
- authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex);
+ authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex,
+ new DateTime(authData.getSsoSessionValidTo().getTime()));
}
public static Assertion buildAssertion(AuthnRequest authnRequest,
@@ -393,8 +394,8 @@ public class PVP2AssertionBuilder implements PVPConstants {
SubjectConfirmationData subjectConfirmationData = SAML2Utils
.createSAMLObject(SubjectConfirmationData.class);
subjectConfirmationData.setInResponseTo(authnRequest.getID());
- subjectConfirmationData.setNotOnOrAfter(date.plusMinutes(5));
-
+ subjectConfirmationData.setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime()));
+
subjectConfirmationData.setRecipient(assertionConsumerService.getLocation());
//set SLO information
@@ -402,13 +403,13 @@ public class PVP2AssertionBuilder implements PVPConstants {
sloInformation.setNameIDFormat(subjectNameID.getFormat());
sloInformation.setSessionIndex(sessionIndex);
- return buildGenericAssertion(peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex);
+ return buildGenericAssertion(peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter());
}
private static Assertion buildGenericAssertion(String entityID, DateTime date,
AuthnContextClassRef authnContextClassRef, List<Attribute> attrList,
NameID subjectNameID, SubjectConfirmationData subjectConfirmationData,
- String sessionIndex) throws ConfigurationException {
+ String sessionIndex, DateTime isValidTo) throws ConfigurationException {
Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class);
AuthnContext authnContext = SAML2Utils
@@ -448,10 +449,9 @@ public class PVP2AssertionBuilder implements PVPConstants {
audience.setAudienceURI(entityID);
audienceRestriction.getAudiences().add(audience);
- conditions.setNotBefore(date);
-
- conditions.setNotOnOrAfter(date.plusMinutes(5));
-
+ conditions.setNotBefore(date);
+ conditions.setNotOnOrAfter(isValidTo);
+
conditions.getAudienceRestrictions().add(audienceRestriction);
assertion.setConditions(conditions);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index 6c2900752..1c74aea55 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -64,7 +64,7 @@ public class AuthenticationSessionStoreage {
AuthenticatedSessionStore session;
try {
- session = searchInDatabase(moaSessionID);
+ session = searchInDatabase(moaSessionID, true);
return session.isAuthenticated();
} catch (MOADatabaseException e) {
@@ -72,19 +72,20 @@ public class AuthenticationSessionStoreage {
}
}
- public static AuthenticationSession createSession() throws MOADatabaseException {
+ public static AuthenticationSession createSession() throws MOADatabaseException, BuildException {
String id = Random.nextRandom();
- AuthenticationSession session = new AuthenticationSession(id);
-
+
AuthenticatedSessionStore dbsession = new AuthenticatedSessionStore();
dbsession.setSessionid(id);
dbsession.setAuthenticated(false);
- //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1
- dbsession.setCreated(new Date());
- dbsession.setUpdated(new Date());
+ //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1
+ Date now = new Date();
+ dbsession.setCreated(now);
+ dbsession.setUpdated(now);
- dbsession.setSession(SerializationUtils.serialize(session));
+ AuthenticationSession session = new AuthenticationSession(id, now);
+ encryptSession(session, dbsession);
//store AssertionStore element to Database
try {
@@ -102,7 +103,7 @@ public class AuthenticationSessionStoreage {
public static AuthenticationSession getSession(String sessionID) throws MOADatabaseException {
try {
- AuthenticatedSessionStore dbsession = searchInDatabase(sessionID);
+ AuthenticatedSessionStore dbsession = searchInDatabase(sessionID, true);
return decryptSession(dbsession);
} catch (MOADatabaseException e) {
@@ -122,7 +123,7 @@ public class AuthenticationSessionStoreage {
public static void storeSession(AuthenticationSession session, String pendingRequestID) throws MOADatabaseException, BuildException {
try {
- AuthenticatedSessionStore dbsession = searchInDatabase(session.getSessionID());
+ AuthenticatedSessionStore dbsession = searchInDatabase(session.getSessionID(), true);
if (MiscUtil.isNotEmpty(pendingRequestID))
dbsession.setPendingRequestID(pendingRequestID);
@@ -175,7 +176,7 @@ public class AuthenticationSessionStoreage {
throws AuthenticationException, BuildException {
try {
- AuthenticatedSessionStore dbsession = searchInDatabase(session.getSessionID());
+ AuthenticatedSessionStore dbsession = searchInDatabase(session.getSessionID(), true);
String id = Random.nextRandom();
@@ -207,7 +208,7 @@ public class AuthenticationSessionStoreage {
AuthenticatedSessionStore session;
try {
- session = searchInDatabase(moaSessionID);
+ session = searchInDatabase(moaSessionID, true);
session.setAuthenticated(value);
MOASessionDBUtils.saveOrUpdate(session);
@@ -249,7 +250,7 @@ public class AuthenticationSessionStoreage {
public static boolean isSSOSession(String sessionID) throws MOADatabaseException {
try {
- AuthenticatedSessionStore dbsession = searchInDatabase(sessionID);
+ AuthenticatedSessionStore dbsession = searchInDatabase(sessionID, true);
return dbsession.isSSOSession();
} catch (MOADatabaseException e) {
@@ -391,8 +392,36 @@ public class AuthenticationSessionStoreage {
MiscUtil.assertNotNull(moaSession, "MOASession");
try {
- AuthenticatedSessionStore dbsession = searchInDatabase(moaSession.getSessionID());
- return dbsession.getActiveOAsessions();
+ List<OASessionStore> oas = new ArrayList<OASessionStore>();
+
+ AuthenticatedSessionStore dbsession = searchInDatabase(moaSession.getSessionID(), false);
+ oas.addAll(dbsession.getActiveOAsessions());
+
+ Session session = MOASessionDBUtils.getCurrentSession();
+ session.getTransaction().commit();
+
+ return oas;
+
+ } catch (MOADatabaseException e) {
+ Logger.warn("NO session information found for sessionID " + moaSession.getSessionID(), e);
+
+ }
+
+ return null;
+ }
+
+ public static List<InterfederationSessionStore> getAllActiveIDPsFromMOASession(AuthenticationSession moaSession) {
+ MiscUtil.assertNotNull(moaSession, "MOASession");
+
+ try {
+ List<InterfederationSessionStore> idps = new ArrayList<InterfederationSessionStore>();
+ AuthenticatedSessionStore dbsession = searchInDatabase(moaSession.getSessionID(), false);
+ idps.addAll(dbsession.getInderfederation());
+
+ Session session = MOASessionDBUtils.getCurrentSession();
+ session.getTransaction().commit();
+
+ return idps;
} catch (MOADatabaseException e) {
Logger.warn("NO session information found for sessionID " + moaSession.getSessionID(), e);
@@ -475,7 +504,7 @@ public class AuthenticationSessionStoreage {
public static String getPendingRequestID(String sessionID) {
try {
- AuthenticatedSessionStore dbsession = searchInDatabase(sessionID);
+ AuthenticatedSessionStore dbsession = searchInDatabase(sessionID, true);
return dbsession.getPendingRequestID();
} catch (MOADatabaseException e) {
@@ -646,7 +675,7 @@ public class AuthenticationSessionStoreage {
return result.get(0).getInderfederation().get(0);
}
- public static String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption {
+ public static String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException {
AuthenticatedSessionStore dbsession = null;
//search for active SSO session
@@ -654,7 +683,7 @@ public class AuthenticationSessionStoreage {
String moaSession = getMOASessionSSOID(ssoID);
if (MiscUtil.isNotEmpty(moaSession)) {
try {
- dbsession = searchInDatabase(moaSession);
+ dbsession = searchInDatabase(moaSession, true);
}catch (MOADatabaseException e) {
@@ -664,28 +693,28 @@ public class AuthenticationSessionStoreage {
String id = null;
Date now = new Date();
-
//create new MOASession if any exists
+ AuthenticationSession session = null;
if (dbsession == null) {
id = Random.nextRandom();
dbsession = new AuthenticatedSessionStore();
dbsession.setSessionid(id);
dbsession.setCreated(now);
-
+ session = new AuthenticationSession(id, now);
+
} else {
id = dbsession.getSessionid();
-
+ session = decryptSession(dbsession);
+
}
-
+
dbsession.setInterfederatedSSOSession(true);
dbsession.setAuthenticated(isAuthenticated);
- dbsession.setUpdated(now);
-
- AuthenticationSession session = new AuthenticationSession(id);
+ dbsession.setUpdated(now);
session.setAuthenticated(true);
- session.setAuthenticatedUsed(false);
- dbsession.setSession(SerializationUtils.serialize(session));
-
+ session.setAuthenticatedUsed(false);
+ encryptSession(session, dbsession);
+
//add interfederation information
List<InterfederationSessionStore> idpList = dbsession.getInderfederation();
InterfederationSessionStore idp = null;
@@ -889,7 +918,7 @@ public class AuthenticationSessionStoreage {
}
@SuppressWarnings("rawtypes")
- private static AuthenticatedSessionStore searchInDatabase(String sessionID) throws MOADatabaseException {
+ private static AuthenticatedSessionStore searchInDatabase(String sessionID, boolean commit) throws MOADatabaseException {
MiscUtil.assertNotNull(sessionID, "moasessionID");
Logger.trace("Get authenticated session with sessionID " + sessionID + " from database.");
Session session = MOASessionDBUtils.getCurrentSession();
@@ -903,7 +932,8 @@ public class AuthenticationSessionStoreage {
result = query.list();
//send transaction
- session.getTransaction().commit();
+ if (commit)
+ session.getTransaction().commit();
}
Logger.trace("Found entries: " + result.size());