author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-05-07 17:16:42 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-05-07 17:16:42 +0200 |
commit | 9ade292185a7cd7ebfd0aad27a48324433737bfe (patch) | |
tree | 963187af67fdaa7248f4e816d56e6ffa9c0b52d2 /id | |
parent | 26822fcf41e37e0fedca87489b60304496c9d0f0 (diff) | |
add inbound/outbound interfederation SSO checks
Diffstat (limited to 'id')
5 files changed, 81 insertions, 1 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
index 39c8ecfdc..a59cc10e0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
@@ -130,4 +130,19 @@ public interface IOAAuthParameters {
 public String getIDPAttributQueryServiceURL();
+ /**
+ * @return
+ */
+ boolean isInboundSSOInterfederationAllowed();
+
+ /**
+ * @return
+ */
+ boolean isInterfederationSSOStorageAllowed();
+
+ /**
+ * @return
+ */
+ boolean isOutboundSSOInterfederationAllowed();
+
 }
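Review bot: The three new interface methods carry empty `@return` tags, so the contract an implementor must honour is left unstated, although OAAuthParameter and DynamicOAAuthParameters in this same commit answer them differently. The interface is the place to pin the default: for `isInboundSSOInterfederationAllowed()` I would write `/** @return true if inbound SSO interfederation is permitted for this online application; implementations must return false when no interfederation configuration exists. */`, with the analogous wording for the storage and outbound variants. The interface declaration itself starts outside the hunk.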
\ No newline at end of file
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index fe2117b9c..7fc5746ee 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -491,6 +491,30 @@ public String getIDPAttributQueryServiceURL() {
 }
+@Override
+public boolean isInboundSSOInterfederationAllowed() {
+ if (inderfederatedIDP != null)
+ return inderfederatedIDP.isInboundSSO();
+ else
+ return false;
+}
+
+@Override
+public boolean isOutboundSSOInterfederationAllowed() {
+ if (inderfederatedIDP != null)
+ return inderfederatedIDP.isOutboundSSO();
+ else
+ return false;
+}
+
+@Override
+public boolean isInterfederationSSOStorageAllowed() {
+ if (inderfederatedIDP != null)
+ return inderfederatedIDP.isStoreSSOSession();
+ else
+ return false;
+}
+
 public boolean isIDPPublicService() {
 return !getBusinessService();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
index f35027f21..02ac09d70 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
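Review bot: The three new getters in OAAuthParameter repeat the same null-guarded if/else with no Javadoc, and each collapses to one expression that reads as a single rule, e.g. `return inderfederatedIDP != null && inderfederatedIDP.isInboundSSO();`. Whichever form is kept, a short comment such as `// no interfederation configuration means SSO interfederation is denied` would record that the false branch is a deliberate deny-by-default rather than an accident of the null check. The field `inderfederatedIDP` (its spelling looks like a typo of "interfederated", but it is declared outside the hunk) and the enclosing class are not visible here.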
@@ -354,6 +354,33 @@ public class DynamicOAAuthParameters implements IOAAuthParameters {
 this.applicationID = applicationID;
 }
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInboundSSOInterfederationAllowed()
+ */
+ @Override
+ public boolean isInboundSSOInterfederationAllowed() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInterfederationSSOStorageAllowed()
+ */
+ @Override
+ public boolean isInterfederationSSOStorageAllowed() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isOutboundSSOInterfederationAllowed()
+ */
+ @Override
+ public boolean isOutboundSSOInterfederationAllowed() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 8a7a876a7..ee7d452c5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
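Review bot: The three stubs in DynamicOAAuthParameters return false under `// TODO Auto-generated method stub`, which leaves a reader unable to tell whether dynamic online applications are intentionally excluded from SSO interfederation or whether the implementation is still outstanding. Returning false is the safe deny default, so if it is intentional the stub comment should say so, e.g. `// Dynamic OAs carry no interfederation configuration, so SSO interfederation is never allowed.`, and if it is not, the TODO should name what is missing. The `(non-Javadoc)` headers could then be replaced by a one-line Javadoc with `{@inheritDoc}` once the interface documents the contract. The class declaration starts outside the hunk.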
@@ -212,9 +212,17 @@ public class AuthenticationManager extends AuthServlet { boolean requiredLocalAuthentication = true; Logger.debug("Build PVP 2.1 authentication request"); - + //get IDP metadata try { + OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getRequestedIDP()); + if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) { + Logger.info("Requested interfederation IDP " + target.getRequestedIDP() + " is not valid for interfederation."); + Logger.info("Switch to local authentication on this IDP ... "); + perfomLocalAuthentication(request, response, target); + + } + EntityDescriptor idpEntity = MOAMetadataProvider.getInstance(). getEntityDescriptor(target.getRequestedIDP()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index d04480ff5..a786420cf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -414,6 +414,12 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { throw new AttributQueryException("AttributeQuery requests are only allowed for interfederation IDPs.", null); } + + if (!oa.isOutboundSSOInterfederationAllowed()) { + Logger.warn("Interfederation IDP " + oa.getPublicURLPrefix() + " does not allow outgoing SSO interfederation."); + throw new AttributQueryException("Interfederation IDP does not allow outgoing SSO interfederation.", null); + + } PVPTargetConfiguration config = new PVPTargetConfiguration(); config.setRequest(moaRequest); |
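Review bot: After `perfomLocalAuthentication(request, response, target);` in the AuthenticationManager hunk the method keeps running: there is no `return`, so the code after the new block still fetches the metadata of the IDP that was just rejected and, as far as the hunk shows, goes on building the PVP 2.1 request to it while a local-authentication response has already been started. Unless perfomLocalAuthentication is known to throw, add `return;` (or the method's normal return, if it is not void) directly after that call so the rejection actually ends the interfederation path. Separately, `idp` is dereferenced without a null check; if getOnlineApplicationParameter returns null for an unknown requested IDP this becomes a NullPointerException instead of the intended fallback, so the guard should read `if (idp == null || !idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) {`. The enclosing method begins and ends outside the hunk.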
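Review bot: The new outbound-SSO guard in PVP2XProtocol correctly throws before `PVPTargetConfiguration` is built, but the blank line left between the `throw` and the closing `}` and the blank line before the `if` make the block read as two fragments. Writing it as `if (...) {` / `Logger.warn(...)` / `throw new AttributQueryException(...)` / `}` keeps it visually parallel with the interfederation check that precedes it. The enclosing method continues outside the hunk.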