aboutsummaryrefslogtreecommitdiff
path: root/id
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2014-06-06 13:48:09 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-06-06 13:48:09 +0200
commit0334cd30ddd9719b0801a274250be8476e0e95be (patch)
tree9a804b25974cd012b98eaa6bc50e209416edf0d8 /id
parentc1f3b45adb46f2a7a2c93df278d2b8189eb2fc91 (diff)
downloadmoa-id-spss-0334cd30ddd9719b0801a274250be8476e0e95be.tar.gz
moa-id-spss-0334cd30ddd9719b0801a274250be8476e0e95be.tar.bz2
moa-id-spss-0334cd30ddd9719b0801a274250be8476e0e95be.zip
solve some SLO bugs
Diffstat (limited to 'id')
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java2
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Index.java85
2 files changed, 44 insertions, 43 deletions
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
index 24ba26a59..65a4ab2a7 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
@@ -244,7 +244,7 @@ public class BuildMetadata extends HttpServlet {
//set Single Log-Out service
SingleLogoutService sloService = SAML2Utils.createSAMLObject(SingleLogoutService.class);
- sloService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+ sloService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
sloService.setLocation(serviceURL + Constants.SERVLET_PVPSINGLELOGOUT);
spSSODescriptor.getSingleLogoutServices().add(sloService);
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Index.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Index.java
index c68ea9b1f..666ecaeee 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Index.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Index.java
@@ -41,7 +41,11 @@ import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
+import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
+import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
+import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
+import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
@@ -61,6 +65,9 @@ import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCredentialResolverFactory;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.ws.security.SecurityPolicyResolver;
+import org.opensaml.ws.security.provider.BasicSecurityPolicy;
+import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.parse.BasicParserPool;
@@ -114,31 +121,27 @@ public class Index extends HttpServlet {
return;
}
- if (method.equals("POST")) {
+ if (method.equals("GET")) {
try {
Configuration config = Configuration.getInstance();
//Decode with HttpPost Binding
- HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
- BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
+ HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(
+ new BasicParserPool());
+ BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
messageContext
- .setInboundMessageTransport(new HttpServletRequestAdapter(
- request));
+ .setInboundMessageTransport(new HttpServletRequestAdapter(request));
+
decode.decode(messageContext);
-
- SignableXMLObject samlResponse = (SignableXMLObject) messageContext.getInboundMessage();
-
- Signature sign = samlResponse.getSignature();
- if (sign == null) {
- log.info("Only http POST Requests can be used");
- bean.setErrorMessage("Only http POST Requests can be used");
- setAnser(request, response, bean);
- return;
- }
- //Validate Signature
- SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
- profileValidator.validate(sign);
+ messageContext.setMetadataProvider(config.getMetaDataProvier());
+ CriteriaSet criteriaSet = new CriteriaSet();
+ criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
+ criteriaSet.add(new EntityIDCriteria(config.getPVP2IDPMetadataEntityName()));
+ criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
+
+ MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();
+ MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(config.getMetaDataProvier());
//Verify Signature
List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
@@ -149,17 +152,28 @@ public class Index extends HttpServlet {
KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
keyInfoProvider);
- MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();
- MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(config.getMetaDataProvier());
-
- CriteriaSet criteriaSet = new CriteriaSet();
- criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
- criteriaSet.add(new EntityIDCriteria(config.getPVP2IDPMetadataEntityName()));
- criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
-
+
ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
- trustEngine.validate(sign, criteriaSet);
+
+ SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
+ trustEngine);
+ SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
+ BasicSecurityPolicy policy = new BasicSecurityPolicy();
+ policy.getPolicyRules().add(signatureRule);
+ policy.getPolicyRules().add(signedRole);
+ SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
+ policy);
+ messageContext.setSecurityPolicyResolver(resolver);
+
+ messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
+
+ signatureRule.evaluate(messageContext);
+
+ SignableXMLObject samlResponse = (SignableXMLObject) messageContext.getInboundMessage();
+
+
+
log.info("PVP2 statusrequest or statusresponse is valid");
@@ -232,7 +246,7 @@ public class Index extends HttpServlet {
idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleLogoutServices()) {
//Get the service address for the binding you wish to use
- if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
+ if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
redirectEndpoint = sss;
}
}
@@ -251,20 +265,7 @@ public class Index extends HttpServlet {
signer.setSigningCredential(authcredential);
sloResp.setSignature(signer);
- //generate Http-POST Binding message
- VelocityEngine engine = new VelocityEngine();
- engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
- engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
- engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
- engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
- engine.setProperty("classpath.resource.loader.class",
- "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
- engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS,
- "org.apache.velocity.runtime.log.SimpleLog4JLogSystem");
- engine.init();
-
- HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
- "templates/pvp_postbinding_template.html");
+ HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
response, true);
BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();