aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java1
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java122
2 files changed, 22 insertions, 101 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index 36323f3a5..01b202a88 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -71,7 +71,6 @@ public class Constants {
//timeouts and clock skews
public static final int CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation
- public static final int CONFIG_PROPS_METADATA_SOCKED_TIMEOUT = 20 * 1000; //20 seconds metadata socked timeout
public static final long CONFIG_PROPS_METADATA_GARBAGE_TIMEOUT = 7 * 24 * 60 * 60 * 1000; //remove unused eIDAS metadata after 7 days
//eIDAS request parameters
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
index 75d57e615..a0330903b 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -9,11 +9,8 @@ import java.util.Map;
import java.util.Map.Entry;
import java.util.Timer;
-import javax.net.ssl.SSLHandshakeException;
import javax.xml.namespace.QName;
-import org.apache.commons.httpclient.MOAHttpClient;
-import org.apache.commons.httpclient.params.HttpClientParams;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.RoleDescriptor;
@@ -29,13 +26,8 @@ import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.auth.IDestroyableObject;
import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing;
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
-import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
-import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
-import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.IMOARefreshableMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.SimpleMOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter;
import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
import at.gv.egovernment.moa.logging.Logger;
@@ -43,11 +35,10 @@ import at.gv.egovernment.moa.util.MiscUtil;
import eu.eidas.auth.engine.AbstractProtocolEngine;
@Service("eIDASMetadataProvider")
-public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider,
+public class MOAeIDASChainingMetadataProvider extends SimpleMOAMetadataProvider implements ObservableMetadataProvider,
IGarbageCollectorProcessing, IDestroyableObject, IMOARefreshableMetadataProvider {
-// private static MOAeIDASChainingMetadataProvider instance = null;
- private static Object mutex = new Object();
+ private Timer timer = null;
private MetadataProvider internalProvider;
private Map<String, Date> lastAccess = null;
@@ -77,6 +68,10 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
*/
@Override
public void fullyDestroy() {
+
+ if (timer != null)
+ timer.cancel();
+
Map<String, HTTPMetadataProvider> loadedproviders = getAllActuallyLoadedProviders();
if (loadedproviders != null) {
for (Entry<String, HTTPMetadataProvider> el : loadedproviders.entrySet()) {
@@ -188,94 +183,20 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
}
}
-
-
- private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL) {
- HTTPMetadataProvider httpProvider = null;
- Timer timer= null;
- MOAHttpClient httpClient = null;
- try {
- AuthConfiguration authConfig = AuthConfigurationProviderFactory.getInstance();
-
- httpClient = new MOAHttpClient();
-
- HttpClientParams httpClientParams = new HttpClientParams();
- httpClientParams.setSoTimeout(Constants.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT);
- httpClient.setParams(httpClientParams);
-
- if (metadataURL.startsWith("https:")) {
- try {
- //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
- MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
- Constants.SSLSOCKETFACTORYNAME,
- authConfig.getTrustedCACertificates(),
- null,
- AuthConfiguration.DEFAULT_X509_CHAININGMODE,
- authConfig.isTrustmanagerrevoationchecking(),
- authConfig.getRevocationMethodOrder(),
- authConfig.getBasicMOAIDConfigurationBoolean(
- AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false));
-
- httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
-
- } catch (MOAHttpProtocolSocketFactoryException e) {
- Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
-
- }
- }
-
+
+ private MetadataProvider createNewHTTPMetaDataProvider(String metadataURL) {
+ if (timer == null)
timer = new Timer(true);
- httpProvider = new HTTPMetadataProvider(timer, httpClient,
- metadataURL);
- httpProvider.setParserPool(AbstractProtocolEngine.getSecuredParserPool());
- httpProvider.setRequireValidMetadata(true);
- httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
- httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
- //httpProvider.setRefreshDelayFactor(0.1F);
-
- //add Metadata filters
- MetadataFilterChain filter = new MetadataFilterChain();
- filter.addFilter(new MOASPMetadataSignatureFilter(
- authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE)));
- httpProvider.setMetadataFilter(filter);
-
- httpProvider.initialize();
-
- return httpProvider;
-
- } catch (Throwable e) {
- if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
- Logger.warn("SSL-Server certificate for metadata "
- + metadataURL + " not trusted.", e);
-
- } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {
- Logger.warn("Signature verification for metadata"
- + metadataURL + " FAILED.", e);
-
- } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
- Logger.warn("Schema validation for metadata "
- + metadataURL + " FAILED.", e);
- }
-
- Logger.error(
- "Failed to add Metadata file for "
- + metadataURL + "[ "
- + e.getMessage() + " ]", e);
-
- if (httpProvider != null) {
- Logger.debug("Destroy failed Metadata provider");
- httpProvider.destroy();
- }
-
- if (timer != null) {
- Logger.debug("Destroy Timer.");
- timer.cancel();
- }
-
-
- }
- return null;
+ //add Metadata filters
+ MetadataFilterChain filter = new MetadataFilterChain();
+ filter.addFilter(new MOASPMetadataSignatureFilter(
+ authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE)));
+
+ return createNewMoaMetadataProvider(metadataURL, filter,
+ "eIDAS metadata-provider",
+ timer, AbstractProtocolEngine.getSecuredParserPool());
+
}
private Map<String, HTTPMetadataProvider> getAllActuallyLoadedProviders() {
@@ -310,7 +231,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
} else {
//load new Metadata Provider
ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
- HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);
+ MetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);
if (newMetadataProvider != null) {
chainProvider.addMetadataProvider(newMetadataProvider);
@@ -320,7 +241,8 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
+ metadataURL + " is added.");
return true;
- }
+ } else
+ Logger.warn("Can not load eIDAS metadata from URL: " + metadataURL);
}
} else