aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java33
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java168
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java281
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java34
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java26
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java134
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java115
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java149
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java17
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java22
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java37
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java7
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java5
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java14
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java62
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java1
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java94
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java514
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java9
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java10
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java491
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java2
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java23
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java2
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java2
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java4
-rw-r--r--id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java17
-rw-r--r--id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java89
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java7
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java50
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java18
-rw-r--r--id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java3
40 files changed, 1262 insertions, 1220 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
index 15900cc7c..72aef5fed 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
@@ -116,16 +116,18 @@ public class StatisticLogger implements IStatisticLogger{
//set actual date and time
dblog.setTimestamp(new Date());
-
- //set OA databaseID
- //dblog.setOaID(dbOA.getHjid());
-
+
//log basic AuthInformation
dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH));
dblog.setOafriendlyName(dbOA.getFriendlyName());
- boolean isbusinessservice = isBusinessService(dbOA);
- dblog.setBusinessservice(isbusinessservice);
+ try {
+ dblog.setBusinessservice(dbOA.hasBaseIdTransferRestriction());
+
+ } catch (Exception e) {
+ Logger.warn("Can not extract some information for StatisticLogger.", e);
+ }
+
dblog.setOatarget(authData.getBPKType());
@@ -266,9 +268,14 @@ public class StatisticLogger implements IStatisticLogger{
if (dbOA != null) {
dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH));
dblog.setOafriendlyName(dbOA.getFriendlyName());
- dblog.setOatarget(dbOA.getTarget());
- //dblog.setOaID(dbOA.getHjid());
- dblog.setBusinessservice(isBusinessService(dbOA));
+
+ try {
+ dblog.setOatarget(dbOA.getAreaSpecificTargetIdentifier());
+ dblog.setBusinessservice(dbOA.hasBaseIdTransferRestriction());
+ } catch (Exception e) {
+ Logger.warn("Can not extract some information for StatisticLogger.", e);
+
+ }
IAuthenticationSession moasession = null;
if (MiscUtil.isNotEmpty(errorRequest.getInternalSSOSessionIdentifier())) {
@@ -314,15 +321,7 @@ public class StatisticLogger implements IStatisticLogger{
}
}
-
- private boolean isBusinessService(IOAAuthParameters dbOA) {
- if (dbOA.getOaType().equals("businessService"))
- return true;
- else
- return false;
- }
-
private String getMessageWithMaxLength(String msg, int maxlength) {
return getErrorMessageWithMaxLength(msg, maxlength);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 9e586b0f4..5a5d0bcf6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -267,9 +267,9 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
//####################################################
//set general authData info's
authData.setIssuer(protocolRequest.getAuthURL());
- authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality());
- authData.setIsBusinessService(oaParam.getBusinessService());
-
+ authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality());
+ authData.setBaseIDTransferRestrication(oaParam.hasBaseIdTransferRestriction());
+
//####################################################
//parse user info's from identityLink
@@ -816,21 +816,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
* @param oaParam Service-Provider configuration, never null
* @param bPKType bPK-Type to check
* @return true, if bPK-Type matchs to Service-Provider configuration, otherwise false
+ * @throws ConfigurationException
*/
- private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) {
- String oaTarget = null;
- if (oaParam.getBusinessService()) {
- oaTarget = oaParam.getIdentityLinkDomainIdentifier();
-
- } else {
- oaTarget = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget();
-
- }
-
- if (oaTarget.equals(bPKType))
- return true;
- else
- return false;
+ private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) throws ConfigurationException {
+ return oaParam.getAreaSpecificTargetIdentifier().equals(bPKType);
+
}
private void parseBasicUserInfosFromIDL(AuthenticationData authData, IIdentityLink identityLink, Collection<String> includedGenericSessionData) {
@@ -918,9 +908,10 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
*
* @return Pair<bPK, bPKType> which was received by PVP-Attribute and could be decrypted for this Service Provider,
* or <code>null</code> if no attribute exists or can not decrypted
+ * @throws ConfigurationException
*/
private Pair<String, String> getEncryptedbPKFromPVPAttribute(IAuthenticationSession session,
- AuthenticationData authData, IOAAuthParameters spConfig) {
+ AuthenticationData authData, IOAAuthParameters spConfig) throws ConfigurationException {
//set List of encrypted bPKs to authData DAO
String pvpEncbPKListAttr = session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class);
if (MiscUtil.isNotEmpty(pvpEncbPKListAttr)) {
@@ -935,35 +926,44 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
String second = fullEncbPK.substring(0, index);
int secIndex = second.indexOf("+");
if (secIndex >= 0) {
- if (spConfig.getTarget().equals(second.substring(secIndex+1))) {
- Logger.debug("Found encrypted bPK for online-application "
- + spConfig.getPublicURLPrefix()
- + " Start decryption process ...");
- PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey();
- if (privKey != null) {
- try {
- String bPK = BPKBuilder.decryptBPK(encbPK, spConfig.getTarget(), privKey);
- if (MiscUtil.isNotEmpty(bPK)) {
- Logger.info("bPK decryption process finished successfully.");
- return Pair.newInstance(bPK, Constants.URN_PREFIX_CDID + "+" + spConfig.getTarget());
-
- } else {
- Logger.error("bPK decryption FAILED.");
-
+ String oaTargetId = spConfig.getAreaSpecificTargetIdentifier();
+ if (oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+ String publicServiceShortTarget = oaTargetId.substring(MOAIDAuthConstants.PREFIX_CDID.length());
+ if (publicServiceShortTarget.equals(second.substring(secIndex+1))) {
+ Logger.debug("Found encrypted bPK for online-application "
+ + spConfig.getPublicURLPrefix()
+ + " Start decryption process ...");
+ PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey();
+ if (privKey != null) {
+ try {
+ String bPK = BPKBuilder.decryptBPK(encbPK, publicServiceShortTarget, privKey);
+ if (MiscUtil.isNotEmpty(bPK)) {
+ Logger.info("bPK decryption process finished successfully.");
+ return Pair.newInstance(bPK, oaTargetId);
+
+ } else {
+ Logger.error("bPK decryption FAILED.");
+
+ }
+ } catch (BuildException e) {
+ Logger.error("bPK decryption FAILED.", e);
+
}
- } catch (BuildException e) {
- Logger.error("bPK decryption FAILED.", e);
- }
+ } else {
+ Logger.info("bPK decryption FAILED, because no valid decryption key is found.");
+
+ }
} else {
- Logger.info("bPK decryption FAILED, because no valid decryption key is found.");
+ Logger.info("Found encrypted bPK but " +
+ "encrypted bPK target does not match to online-application target");
- }
+ }
} else {
- Logger.info("Found encrypted bPK but " +
- "encrypted bPK target does not match to online-application target");
+ Logger.info("Encrypted bPKs are only allowed for public services with prefix: " + MOAIDAuthConstants.PREFIX_CDID
+ + " BUT oaTarget is " + oaTargetId);
}
}
@@ -1066,7 +1066,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
}
private IIdentityLink buildOAspecificIdentityLink(IOAAuthParameters oaParam, IIdentityLink idl, String bPK, String bPKType) throws MOAIDException {
- if (oaParam.getBusinessService()) {
+ if (oaParam.hasBaseIdTransferRestriction()) {
Element idlassertion = idl.getSamlAssertion();
//set bpk/wpbk;
Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
@@ -1097,69 +1097,45 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
}
- private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException {
+ private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException, ConfigurationException {
- String bPK;
- String bPKType;
-
String baseID = authData.getIdentificationValue();
- String baseIDType = authData.getIdentificationType();
-
- if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) {
- //Calculate eIDAS identifier
- if (oaParam.getBusinessService() &&
- oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_EIDAS)) {
- String[] splittedTarget = oaParam.getIdentityLinkDomainIdentifier().split("\\+");
- String cititzenCountryCode = splittedTarget[1];
- String eIDASOutboundCountry = splittedTarget[2];
-
- if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) {
- Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry");
-
- }
-
- Pair<String, String> eIDASID = new BPKBuilder().buildeIDASIdentifer(baseID, baseIDType,
- cititzenCountryCode, eIDASOutboundCountry);
- Logger.debug("Authenticate user with bPK:" + eIDASID.getFirst() + " Type:" + eIDASID.getSecond());
- return eIDASID;
-
- } else if (oaParam.getBusinessService()) {
- //is Austrian private-service application
- String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
- bPK = new BPKBuilder().buildbPKorwbPK(baseID, registerAndOrdNr);
- bPKType = registerAndOrdNr;
-
- } else {
- // only compute bPK if online application is a public service and we have the Stammzahl
- String target = null;
- Class<?> saml1RequstTemplate = null;
- try {
- saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl");
- if (saml1RequstTemplate != null &&
- saml1RequstTemplate.isInstance(pendingReq)) {
- target = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq);
+ String baseIDType = authData.getIdentificationType();
+ Pair<String, String> sectorSpecId = null;
+
+ if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) {
+ //SAML1 legacy target parameter work-around
+ String oaTargetId = null;
+ Class<?> saml1RequstTemplate = null;
+ try {
+ saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl");
+ if (saml1RequstTemplate != null &&
+ saml1RequstTemplate.isInstance(pendingReq)) {
+ oaTargetId = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq);
- }
+ }
- } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { }
+ } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { }
+
+ if (MiscUtil.isEmpty(oaTargetId)) {
+ oaTargetId = oaParam.getAreaSpecificTargetIdentifier();
+ Logger.debug("Use OA target identifier '" + oaTargetId + "' from configuration");
- if (MiscUtil.isEmpty(target))
- target = oaParam.getTarget();
-
- bPK = new BPKBuilder().buildBPK(baseID, target);
- bPKType = Constants.URN_PREFIX_CDID + "+" + target;
-
- }
-
+ } else
+ Logger.info("Use OA target identifier '" + oaTargetId + "' from SAML1 request for bPK calculation");
+
+ //calculate sector specific unique identifier
+ sectorSpecId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseID, oaTargetId);
+
+
} else {
- Logger.warn("!!!baseID-element does not include a baseID. This should not be happen any more!!!");
- bPK = baseID;
- bPKType = baseIDType;
-
+ Logger.fatal("!!!baseID-element does not include a baseID. This should not be happen any more!!!");
+ sectorSpecId = Pair.newInstance(baseID, baseIDType);
+
}
- Logger.trace("Authenticate user with bPK:" + bPK + " Type:" + bPKType);
- return Pair.newInstance(bPK, bPKType);
+ Logger.trace("Authenticate user with bPK:" + sectorSpecId.getFirst() + " Type:" + sectorSpecId.getSecond());
+ return sectorSpecId;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
index 32ac8ad68..a7f6e873f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
@@ -60,6 +60,7 @@ import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
@@ -76,77 +77,192 @@ import at.gv.egovernment.moa.util.MiscUtil;
*/
public class BPKBuilder {
- /**
- * Builds the bPK from the given parameters.
- *
- * @param identificationValue Base64 encoded "Stammzahl"
- * @param target "Bereich lt. Verordnung des BKA"
- * @return bPK in a BASE64 encoding
- * @throws BuildException if an error occurs on building the bPK
- */
- public String buildBPK(String identificationValue, String target)
- throws BuildException {
-
- if ((identificationValue == null ||
- identificationValue.length() == 0 ||
- target == null ||
- target.length() == 0)) {
- throw new BuildException("builder.00",
- new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" +
- identificationValue + ",target=" + target});
- }
- String basisbegriff;
- if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
- basisbegriff = identificationValue + "+" + target;
- else
- basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target;
+ /**
+ * Calculates an area specific unique person-identifier from a baseID
+ *
+ * @param baseID baseId from user but never null
+ * @param targetIdentifier target identifier for area specific identifier calculation but never null
+ * @return Pair<unique person identifier for this target, targetArea> but never null
+ * @throws BuildException if some input data are not valid
+ */
+ public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String targetIdentifier) throws BuildException{
+ return generateAreaSpecificPersonIdentifier(baseID, Constants.URN_PREFIX_BASEID, targetIdentifier);
+
+ }
+
+ /**
+ * Calculates an area specific unique person-identifier from an unique identifier with a specific type
+ *
+ * @param baseID baseId from user but never null
+ * @param baseIdType Type of the baseID but never null
+ * @param targetIdentifier target identifier for area specific identifier calculation but never null
+ * @return Pair<unique person identifier for this target, targetArea> but never null
+ * @throws BuildException if some input data are not valid
+ */
+ public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String baseIdType, String targetIdentifier) throws BuildException{
+ if (MiscUtil.isEmpty(baseID))
+ throw new BuildException("builder.00", new Object[]{"baseID is empty or null"});
- return calculatebPKwbPK(basisbegriff);
- }
+ if (MiscUtil.isEmpty(baseIdType))
+ throw new BuildException("builder.00", new Object[]{"the type of baseID is empty or null"});
+
+ if (MiscUtil.isEmpty(targetIdentifier))
+ throw new BuildException("builder.00", new Object[]{"OA specific target identifier is empty or null"});
+ if (baseIdType.equals(Constants.URN_PREFIX_BASEID)) {
+ Logger.trace("Find baseID. Starting unique identifier caluclation for this target");
+
+ if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_CDID) ||
+ targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_WPBK) ||
+ targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_STORK)) {
+ Logger.trace("Calculate bPK, wbPK, or STORK identifier for target: " + targetIdentifier);
+ return Pair.newInstance(calculatebPKwbPK(baseID + "+" + targetIdentifier), targetIdentifier);
+
+ } else if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_EIDAS)) {
+ Logger.trace("Calculate eIDAS identifier for target: " + targetIdentifier);
+ String[] splittedTarget = targetIdentifier.split("\\+");
+ String cititzenCountryCode = splittedTarget[1];
+ String eIDASOutboundCountry = splittedTarget[2];
+
+ if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) {
+ Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry");
+
+ }
+ return buildeIDASIdentifer(baseID, baseIdType, cititzenCountryCode, eIDASOutboundCountry);
+
+
+ } else
+ throw new BuildException("builder.00",
+ new Object[]{"Target identifier: " + targetIdentifier + " is NOT allowed or unknown"});
+
+ } else {
+ Logger.trace("BaseID is not of type " + Constants.URN_PREFIX_BASEID + ". Check type against requested target ...");
+ if (baseIdType.equals(targetIdentifier)) {
+ Logger.debug("Unique identifier is already area specific. Is nothing todo");
+ return Pair.newInstance(baseID, targetIdentifier);
+
+ } else {
+ Logger.warn("Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required!");
+ throw new BuildException("builder.00",
+ new Object[]{"Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required"});
+
+ }
+ }
+ }
+
+
/**
- * Builds the wbPK from the given parameters.
+ * Builds the storkeid from the given parameters.
*
- * @param identificationValue Base64 encoded "Stammzahl"
- * @param registerAndOrdNr type of register + "+" + number in register.
- * @return wbPK in a BASE64 encoding
+ * @param baseID baseID of the citizen
+ * @param baseIDType Type of the baseID
+ * @param sourceCountry CountryCode of that country, which build the eIDAs ID
+ * @param destinationCountry CountryCode of that country, which receives the eIDAs ID
+ *
+ * @return Pair<eIDAs, bPKType> in a BASE64 encoding
* @throws BuildException if an error occurs on building the wbPK
*/
- public String buildWBPK(String identificationValue, String registerAndOrdNr)
- throws BuildException {
+ private Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry)
+ throws BuildException {
+ String bPK = null;
+ String bPKType = null;
+
+ // check if we have been called by public sector application
+ if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) {
+ bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry;
+ Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType);
+ bPK = calculatebPKwbPK(baseID + "+" + bPKType);
+
+ } else { // if not, sector identification value is already calculated by BKU
+ Logger.debug("eIDAS eIdentifier already provided by BKU");
+ bPK = baseID;
+ }
- if ((identificationValue == null ||
- identificationValue.length() == 0 ||
- registerAndOrdNr == null ||
- registerAndOrdNr.length() == 0)) {
+ if ((MiscUtil.isEmpty(bPK) ||
+ MiscUtil.isEmpty(sourceCountry) ||
+ MiscUtil.isEmpty(destinationCountry))) {
throw new BuildException("builder.00",
- new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" +
- identificationValue + ",Register+Registernummer=" + registerAndOrdNr});
+ new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" +
+ bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry});
}
-
- String basisbegriff;
- if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+"))
- basisbegriff = identificationValue + "+" + registerAndOrdNr;
- else
- basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr;
-
- return calculatebPKwbPK(basisbegriff);
- }
-
- public String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException {
- if (MiscUtil.isEmpty(baseID) ||
- !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") ||
- bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") ||
- bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) {
- throw new BuildException("builder.00",
- new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget
- + " has an unkown prefix."});
-
- }
-
- return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget);
-
+
+ Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]");
+ String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK;
+
+ return Pair.newInstance(eIdentifier, bPKType);
}
+
+// /**
+// * Builds the bPK from the given parameters.
+// *
+// * @param identificationValue Base64 encoded "Stammzahl"
+// * @param target "Bereich lt. Verordnung des BKA"
+// * @return bPK in a BASE64 encoding
+// * @throws BuildException if an error occurs on building the bPK
+// */
+// private String buildBPK(String identificationValue, String target)
+// throws BuildException {
+//
+// if ((identificationValue == null ||
+// identificationValue.length() == 0 ||
+// target == null ||
+// target.length() == 0)) {
+// throw new BuildException("builder.00",
+// new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" +
+// identificationValue + ",target=" + target});
+// }
+// String basisbegriff;
+// if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
+// basisbegriff = identificationValue + "+" + target;
+// else
+// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target;
+//
+// return calculatebPKwbPK(basisbegriff);
+// }
+//
+// /**
+// * Builds the wbPK from the given parameters.
+// *
+// * @param identificationValue Base64 encoded "Stammzahl"
+// * @param registerAndOrdNr type of register + "+" + number in register.
+// * @return wbPK in a BASE64 encoding
+// * @throws BuildException if an error occurs on building the wbPK
+// */
+// private String buildWBPK(String identificationValue, String registerAndOrdNr)
+// throws BuildException {
+//
+// if ((identificationValue == null ||
+// identificationValue.length() == 0 ||
+// registerAndOrdNr == null ||
+// registerAndOrdNr.length() == 0)) {
+// throw new BuildException("builder.00",
+// new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" +
+// identificationValue + ",Register+Registernummer=" + registerAndOrdNr});
+// }
+//
+// String basisbegriff;
+// if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+"))
+// basisbegriff = identificationValue + "+" + registerAndOrdNr;
+// else
+// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr;
+//
+// return calculatebPKwbPK(basisbegriff);
+// }
+//
+// private String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException {
+// if (MiscUtil.isEmpty(baseID) ||
+// !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") ||
+// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") ||
+// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) {
+// throw new BuildException("builder.00",
+// new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget
+// + " has an unkown prefix."});
+//
+// }
+//
+// return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget);
+//
+// }
public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException {
MiscUtil.assertNotNull(bpk, "BPK");
@@ -199,48 +315,7 @@ public class BPKBuilder {
return null;
}
}
-
- /**
- * Builds the storkeid from the given parameters.
- *
- * @param baseID baseID of the citizen
- * @param baseIDType Type of the baseID
- * @param sourceCountry CountryCode of that country, which build the eIDAs ID
- * @param destinationCountry CountryCode of that country, which receives the eIDAs ID
- *
- * @return Pair<eIDAs, bPKType> in a BASE64 encoding
- * @throws BuildException if an error occurs on building the wbPK
- */
- public Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry)
- throws BuildException {
- String bPK = null;
- String bPKType = null;
-
- // check if we have been called by public sector application
- if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) {
- bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry;
- Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType);
- bPK = calculatebPKwbPK(baseID + "+" + bPKType);
-
- } else { // if not, sector identification value is already calculated by BKU
- Logger.debug("eIDAS eIdentifier already provided by BKU");
- bPK = baseID;
- }
-
- if ((MiscUtil.isEmpty(bPK) ||
- MiscUtil.isEmpty(sourceCountry) ||
- MiscUtil.isEmpty(destinationCountry))) {
- throw new BuildException("builder.00",
- new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" +
- bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry});
- }
-
- Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]");
- String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK;
- return Pair.newInstance(eIdentifier, bPKType);
- }
-
private String calculatebPKwbPK(String basisbegriff) throws BuildException {
try {
MessageDigest md = MessageDigest.getInstance("SHA-1");
@@ -281,6 +356,4 @@ public class BPKBuilder {
result = cipher.doFinal(encryptedBytes);
return result;
}
-
-
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
index 73fe961eb..4c4af4239 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
@@ -53,9 +53,11 @@ import java.util.List;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DateTimeUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.StringUtils;
/**
@@ -156,8 +158,9 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
* @param oaParam parameter for the OA
* @param session current session
* @return String representation of <code>&lt;CreateXMLSignatureRequest&gt;</code>
+ * @throws ConfigurationException
*/
- public String buildForeignID(String subject, IRequest pendingReq) {
+ public String buildForeignID(String subject, IRequest pendingReq) throws ConfigurationException {
String request = "";
request += "<sl:CreateXMLSignatureRequest xmlns:sl=\"http://www.buergerkarte.at/namespaces/securitylayer/1.2#\">";
@@ -181,11 +184,22 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
return request;
}
- public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) {
+ public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) throws ConfigurationException {
IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
- String target = pendingReq.getGenericData(
- MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
- String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
+ String target = null;
+ String sectorName = null;
+
+
+ String saml1Target = pendingReq.getGenericData(
+ MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
+ if (MiscUtil.isNotEmpty(saml1Target)) {
+ target = saml1Target;
+ sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(saml1Target);
+
+ } else {
+ target = oaParam.getAreaSpecificTargetIdentifier();
+ sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+ }
Calendar cal = Calendar.getInstance();
String date = DateTimeUtils.buildDate(cal);
@@ -243,11 +257,11 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
request += oaParam.getPublicURLPrefix();
request += "</td>";
request += "</tr>";
- boolean business = oaParam.getBusinessService();
- if (business) {
+
+ if (!target.startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
// OA is businessservice
- String identifierType = oaParam.getIdentityLinkDomainIdentifierType();
- String identifier = oaParam.getIdentityLinkDomainIdentifier();
+ String identifierType = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+ String identifier = oaParam.getAreaSpecificTargetIdentifier();
request += "<tr>";
request += "<td class=\"italicstyle\">";
request += identifierType + ":";
@@ -263,7 +277,7 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
request += "<td class=\"italicstyle\">";
request += "Sektor (Sector):</td>";
request += "<td class=\"normalstyle\">";
- request += target + " (" + sectorName + ")";
+ request += target.substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
request += "</td>";
request += "</tr>";
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
index f4f6e82ba..fc5489673 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
@@ -31,14 +31,10 @@ import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
-import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
-import at.gv.egovernment.moa.util.MiscUtil;
/**
* @author tlenz
@@ -57,13 +53,14 @@ public class DynamicOAAuthParameterBuilder {
if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent();
if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) {
- dynamicOA.setBusinessService(false);
- dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length()));
+ //dynamicOA.setBusinessService(false);
+ dynamicOA.setAreaSpecificTargetIdentifier(attrValue);
} else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) ||
- attrValue.startsWith(Constants.URN_PREFIX_STORK) ) {
- dynamicOA.setBusinessService(true);
- dynamicOA.setTarget(attrValue);
+ attrValue.startsWith(Constants.URN_PREFIX_STORK) ||
+ attrValue.startsWith(Constants.URN_PREFIX_EIDAS)) {
+ //dynamicOA.setBusinessService(true);
+ dynamicOA.setAreaSpecificTargetIdentifier(attrValue);
} else {
Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea");
@@ -84,13 +81,16 @@ public class DynamicOAAuthParameterBuilder {
* @param oaParam
* @param protocolRequest
* @return
+ * @throws ConfigurationException
*/
public static IOAAuthParameters buildFromAuthnRequest(
- IOAAuthParameters oaParam, IRequest protocolRequest) {
+ IOAAuthParameters oaParam, IRequest protocolRequest) throws ConfigurationException {
DynamicOAAuthParameters dynOAParams = new DynamicOAAuthParameters();
dynOAParams.setApplicationID(oaParam.getPublicURLPrefix());
- dynOAParams.setBusinessService(oaParam.getBusinessService());
+
+ dynOAParams.setHasBaseIdProcessingRestriction(oaParam.hasBaseIdInternalProcessingRestriction());
+ dynOAParams.setHasBaseIdTransfergRestriction(oaParam.hasBaseIdTransferRestriction());
Object storkRequst = null;
try {
@@ -98,9 +98,9 @@ public class DynamicOAAuthParameterBuilder {
if (storkRequst != null &&
protocolRequest.getClass().isInstance(storkRequst)) {
- dynOAParams.setBusinessTarget(Constants.URN_PREFIX_STORK + "+" + "AT" + "+"
+ dynOAParams.setAreaSpecificTargetIdentifier(Constants.URN_PREFIX_STORK + "+" + "AT" + "+"
+ protocolRequest.getClass().getMethod("getSpCountry", null).invoke(protocolRequest, null));
- dynOAParams.setBusinessService(true);
+ //dynOAParams.setBusinessService(true);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
index cfe075520..b2db8d5a2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
@@ -33,7 +33,6 @@ import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
-import at.gv.egovernment.moa.id.commons.MOAIDConstants;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
@@ -53,7 +52,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
@Autowired AuthConfiguration authConfig;
public void parse(IAuthenticationSession moasession,
- String target,
+ String reqTarget,
String oaURL,
String bkuURL,
String templateURL,
@@ -62,10 +61,11 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
HttpServletRequest req,
IRequest protocolReq) throws WrongParametersException, MOAIDException {
- String targetFriendlyName = null;
-
+ String resultTargetFriendlyName = null;
+ String resultTarget = null;
+
// escape parameter strings
- target = StringEscapeUtils.escapeHtml(target);
+ reqTarget = StringEscapeUtils.escapeHtml(reqTarget);
bkuURL = StringEscapeUtils.escapeHtml(bkuURL);
templateURL = StringEscapeUtils.escapeHtml(templateURL);
useMandate = StringEscapeUtils.escapeHtml(useMandate);
@@ -103,70 +103,70 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
// get target and target friendly name from config
- String targetConfig = oaParam.getTarget();
- String targetFriendlyNameConfig = oaParam.getTargetFriendlyName();
+ String targetConfig = oaParam.getAreaSpecificTargetIdentifier();
+ String targetFriendlyNameConfig = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+
+ //SAML1 legacy work-around for public area targets in request
+ if (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") &&
+ !StringUtils.isEmpty(reqTarget)) {
+ //INFO: ONLY SAML1 legacy mode
+ // if SAML1 is used and target attribute is given in request
+ // use requested target
+ // check target parameter
+ if (!ParamValidatorUtils.isValidTarget(reqTarget)) {
+ Logger.error("Selected target is invalid. Used target: " + reqTarget);
+ throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12");
+ }
+ resultTarget = MOAIDAuthConstants.PREFIX_CDID + reqTarget;
- if (!oaParam.getBusinessService()) {
- if (StringUtils.isEmpty(targetConfig)
- || (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") &&
- !StringUtils.isEmpty(target))
- ) {
- //INFO: ONLY SAML1 legacy mode
- // if SAML1 is used and target attribute is given in request
- // use requested target
- // check target parameter
- if (!ParamValidatorUtils.isValidTarget(target)) {
- Logger.error("Selected target is invalid. Using target: " + target);
- throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12");
- }
- if (MiscUtil.isNotEmpty(targetConfig))
- targetFriendlyName = targetFriendlyNameConfig;
+ String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget);
+ if (MiscUtil.isNotEmpty(sectorName))
+ resultTargetFriendlyName = sectorName;
+
+ else {
+ //check target contains subSector
+ int delimiter = reqTarget.indexOf("-");
+ if (delimiter > 0) {
+ resultTargetFriendlyName =
+ TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget.substring(0, delimiter));
- else {
- String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
- if (MiscUtil.isNotEmpty(sectorName))
- targetFriendlyName = sectorName;
-
- else {
- //check target contains subSector
- int delimiter = target.indexOf("-");
- if (delimiter > 0) {
- targetFriendlyName =
- TargetToSectorNameMapper.getSectorNameViaTarget(target.substring(0, delimiter));
-
- }
- }
- }
-
- } else {
- // use target from config
- target = targetConfig;
- targetFriendlyName = targetFriendlyNameConfig;
+ }
}
- if (isEmpty(target))
- throw new WrongParametersException("StartAuthentication",
- PARAM_TARGET, "auth.05");
-
- protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, target);
+ if (MiscUtil.isNotEmpty(targetConfig) && MiscUtil.isEmpty(resultTargetFriendlyName))
+ resultTargetFriendlyName = targetFriendlyNameConfig;
+
+ //set info's into request-context. (It's required to support SAML1 requested target parameters)
+ protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, resultTarget);
protocolReq.setGenericDataToSession(
- MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, targetFriendlyName);
- Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + target);
-
+ MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, resultTargetFriendlyName);
+
} else {
- Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + oaParam.getIdentityLinkDomainIdentifier());
+ Logger.trace("Use oa sector-identifier from configuration");
+ resultTarget = targetConfig;
+ resultTargetFriendlyName = targetFriendlyNameConfig;
- /*eIDAS SPs have the same policies regarding Austrian baseIDs as Austrian business services,
- * but mandates are allowed for these
- */
- if (useMandateBoolean &&
- !oaParam.getIdentityLinkDomainIdentifier().startsWith(MOAIDConstants.PREFIX_EIDAS)) {
- Logger.error("Online-Mandate Mode for business application not supported.");
- throw new AuthenticationException("auth.17", null);
-
- }
}
-
+
+ //check if target is found
+ if (MiscUtil.isEmpty(resultTarget))
+ throw new WrongParametersException("StartAuthentication",
+ PARAM_TARGET, "auth.05");
+
+ //check if mandates are allowed
+ if (useMandateBoolean && oaParam.hasBaseIdInternalProcessingRestriction()) {
+ Logger.error("Online-Mandate Mode for business application not supported.");
+ throw new AuthenticationException("auth.17", null);
+
+ }
+
+ if (resultTarget.startsWith(MOAIDAuthConstants.PREFIX_CDID))
+ Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + resultTarget);
+ else
+ Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + resultTarget);
+
+
+
//Validate BKU URI
List<String> allowedbkus = oaParam.getBKUURL();
allowedbkus.addAll(authConfig.getDefaultBKUURLs());
@@ -252,16 +252,4 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, req, pendingReq);
}
-
- /**
- * Checks a parameter.
- *
- * @param param
- * parameter
- * @return true if the parameter is null or empty
- */
- private boolean isEmpty(String param) {
- return param == null || param.length() == 0;
- }
-
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java
index c31666bbb..fc5cc0495 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java
@@ -52,6 +52,8 @@ package at.gv.egovernment.moa.id.config;
import java.util.HashMap;
import java.util.Map;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+
/**
* @author bzwattendorfer
*
@@ -106,6 +108,8 @@ public class TargetToSectorNameMapper implements TargetsAndSectorNames {
}
public static String getSectorNameViaTarget(String target) {
+ if (target.startsWith(MOAIDAuthConstants.PREFIX_CDID))
+ target = target.substring(MOAIDAuthConstants.PREFIX_CDID.length());
return targetMap.get(target) != null ? (String) targetMap.get(target) : "";
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index e96169688..3d04a142e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -60,7 +60,9 @@ import java.util.Set;
import org.apache.commons.lang.SerializationUtils;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.MOAIDConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IStorkConfig;
import at.gv.egovernment.moa.id.commons.api.data.BPKDecryptionParameters;
@@ -96,10 +98,31 @@ public class OAAuthParameter implements IOAAuthParameters, Serializable{
final public static String DEFAULT_KEYBOXIDENTIFIER = "SecureSignatureKeypair";
private Map<String, String> oaConfiguration;
+ private List<String> targetAreasWithNoInteralBaseIdRestriction = new ArrayList<String>();
+ private List<String> targetAreasWithNoBaseIdTransmissionRestriction = new ArrayList<String>();
-
- public OAAuthParameter(final Map<String, String> oa) {
+ public OAAuthParameter(final Map<String, String> oa, AuthConfiguration authConfig) {
this.oaConfiguration = oa;
+
+ //set oa specific restrictions
+ targetAreasWithNoInteralBaseIdRestriction = KeyValueUtils.getListOfCSVValues(
+ authConfig.getBasicMOAIDConfiguration(
+ CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL,
+ MOAIDAuthConstants.PREFIX_CDID));
+
+ targetAreasWithNoBaseIdTransmissionRestriction = KeyValueUtils.getListOfCSVValues(
+ authConfig.getBasicMOAIDConfiguration(
+ CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION,
+ MOAIDAuthConstants.PREFIX_CDID));
+
+ if (Logger.isTraceEnabled()) {
+ Logger.trace("Internal policy for OA: " + getPublicURLPrefix());
+ for (String el : targetAreasWithNoInteralBaseIdRestriction)
+ Logger.trace(" Allow baseID processing for prefix " + el);
+ for (String el : targetAreasWithNoBaseIdTransmissionRestriction)
+ Logger.trace(" Allow baseID transfer for prefix " + el);
+
+ }
}
@@ -111,12 +134,54 @@ public class OAAuthParameter implements IOAAuthParameters, Serializable{
return this.oaConfiguration.get(key);
}
+ @Override
+ public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException {
+ String targetAreaIdentifier = getAreaSpecificTargetIdentifier();
+ for (String el : targetAreasWithNoInteralBaseIdRestriction) {
+ if (targetAreaIdentifier.startsWith(el))
+ return false;
+
+ }
+ return true;
+
+ }
+
+ @Override
+ public boolean hasBaseIdTransferRestriction() throws ConfigurationException {
+ String targetAreaIdentifier = getAreaSpecificTargetIdentifier();
+ for (String el : targetAreasWithNoBaseIdTransmissionRestriction) {
+ if (targetAreaIdentifier.startsWith(el))
+ return false;
+
+ }
+ return true;
+
+ }
+
+ @Override
+ public String getAreaSpecificTargetIdentifier() throws ConfigurationException {
+ if (getBusinessService())
+ return getIdentityLinkDomainIdentifier();
+ else
+ return MOAIDAuthConstants.PREFIX_CDID + getTarget();
+
+ }
+
+ @Override
+ public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException{
+ if (getBusinessService())
+ return getIdentityLinkDomainIdentifierType();
+ else
+ return getTargetFriendlyName();
+
+ }
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
*/
-@Override
-public String getIdentityLinkDomainIdentifier() {
+//@Override
+private String getIdentityLinkDomainIdentifier() {
String type = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE);
String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE);
if (MiscUtil.isNotEmpty(type) && MiscUtil.isNotEmpty(value)) {
@@ -138,8 +203,8 @@ public String getIdentityLinkDomainIdentifier() {
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType()
*/
-@Override
-public String getIdentityLinkDomainIdentifierType() {
+//@Override
+private String getIdentityLinkDomainIdentifierType() {
String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE);
if (MiscUtil.isNotEmpty(value))
return MOAIDConfigurationConstants.BUSINESSSERVICENAMES.get(value);
@@ -151,8 +216,8 @@ public String getIdentityLinkDomainIdentifierType() {
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
*/
-@Override
-public String getTarget() {
+//@Override
+private String getTarget() {
if (Boolean.parseBoolean(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_USE_OWN)))
return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_TARGET);
@@ -171,8 +236,8 @@ public String getTarget() {
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName()
*/
-@Override
-public String getTargetFriendlyName() {
+//@Override
+private String getTargetFriendlyName() {
if (Boolean.parseBoolean(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_USE_OWN)))
return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME);
@@ -653,8 +718,8 @@ public boolean isInterfederationSSOStorageAllowed() {
return false;
}
-public boolean isIDPPublicService() {
- return !getBusinessService();
+public boolean isIDPPublicService() throws ConfigurationException {
+ return !hasBaseIdTransferRestriction();
}
@@ -740,11 +805,7 @@ public String getPublicURLPrefix() {
}
-/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
- */
-@Override
-public boolean getBusinessService() {
+private boolean getBusinessService() {
String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_BUSINESSSERVICE);
if (MiscUtil.isNotEmpty(value))
return Boolean.parseBoolean(value);
@@ -785,16 +846,16 @@ public String getFriendlyName() {
}
-/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
- */
-@Override
-public String getOaType() {
- if (getBusinessService())
- return "businessService";
- else
- return "publicService";
-}
+///* (non-Javadoc)
+// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
+// */
+//@Override
+//public String getOaType() {
+// if (getBusinessService())
+// return "businessService";
+// else
+// return "publicService";
+//}
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
index b1fc12f26..332604257 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
@@ -412,7 +412,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
return null;
}
- return new OAAuthParameter(oa);
+ return new OAAuthParameter(oa, this);
}
/**
@@ -817,7 +817,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
public String getSSOFriendlyName() {
try {
return configuration.getStringValue(
- MOAIDConfigurationConstants.GENERAL_AUTH_SSO_TARGET, "Default MOA-ID friendly name for SSO");
+ MOAIDConfigurationConstants.GENERAL_AUTH_SSO_SERVICENAME, "Default MOA-ID friendly name for SSO");
} catch (at.gv.egiz.components.configuration.api.ConfigurationException e) {
Logger.warn("Single Sign-On FriendlyName can not be read from configuration.", e);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
index 9fd58b5c7..f3db82315 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
@@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
/**
* @author tlenz
@@ -45,33 +46,84 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
private static final long serialVersionUID = 1648437815185614566L;
private String publicURLPrefix;
-
- private String businessTarget;
-
- private boolean businessService;
-
+
private boolean isInderfederationIDP;
-
private String IDPQueryURL;
- private String target;
-
+ private boolean hasBaseIdProcessingRestriction;
+ private boolean hasBaseIdTransfergRestriction;
+ private String oaTargetAreaIdentifier;
+
+
/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdInternalProcessingRestriction()
*/
@Override
- public String getTarget() {
- return this.target;
+ public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException {
+ return this.hasBaseIdProcessingRestriction;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdTransferRestriction()
+ */
+ @Override
+ public boolean hasBaseIdTransferRestriction() throws ConfigurationException {
+ return this.hasBaseIdTransfergRestriction;
}
/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier()
+ */
+ @Override
+ public String getAreaSpecificTargetIdentifier() throws ConfigurationException {
+ return this.oaTargetAreaIdentifier;
+ }
+
+ /**
+ * @param hasBaseIdProcessingRestriction the hasBaseIdProcessingRestriction to set
+ */
+ public void setHasBaseIdProcessingRestriction(boolean hasBaseIdProcessingRestriction) {
+ this.hasBaseIdProcessingRestriction = hasBaseIdProcessingRestriction;
+ }
+
+ /**
+ * @param hasBaseIdTransfergRestriction the hasBaseIdTransfergRestriction to set
+ */
+ public void setHasBaseIdTransfergRestriction(boolean hasBaseIdTransfergRestriction) {
+ this.hasBaseIdTransfergRestriction = hasBaseIdTransfergRestriction;
+ }
+
+ /**
+ * @param oaTargetAreaIdentifier the oaTargetAreaIdentifier to set
+ */
+ public void setAreaSpecificTargetIdentifier(String oaTargetAreaIdentifier) {
+ this.oaTargetAreaIdentifier = oaTargetAreaIdentifier;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifierFriendlyName()
*/
@Override
- public String getIdentityLinkDomainIdentifier() {
- return this.businessTarget;
+ public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException {
+ return null;
}
+// /* (non-Javadoc)
+// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
+// */
+// //@Override
+// public String getTarget() {
+// return this.target;
+// }
+//
+// /* (non-Javadoc)
+// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
+// */
+// //@Override
+// public String getIdentityLinkDomainIdentifier() {
+// return this.businessTarget;
+// }
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIDPAttributQueryServiceURL()
*/
@@ -164,7 +216,7 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType()
*/
- @Override
+ //@Override
public String getIdentityLinkDomainIdentifierType() {
// TODO Auto-generated method stub
return null;
@@ -251,26 +303,26 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
return null;
}
- /**
- * @param isBusinessService the isBusinessService to set
- */
- public void setBusinessService(boolean isBusinessService) {
- businessService = isBusinessService;
- }
-
- /**
- * @param target the target to set
- */
- public void setTarget(String target) {
- this.target = target;
- }
-
- /**
- * @param businessTarget the businessTarget to set
- */
- public void setBusinessTarget(String businessTarget) {
- this.businessTarget = businessTarget;
- }
+// /**
+// * @param isBusinessService the isBusinessService to set
+// */
+// public void setBusinessService(boolean isBusinessService) {
+// businessService = isBusinessService;
+// }
+
+// /**
+// * @param target the target to set
+// */
+// public void setTarget(String target) {
+// this.target = target;
+// }
+//
+// /**
+// * @param businessTarget the businessTarget to set
+// */
+// public void setBusinessTarget(String businessTarget) {
+// this.businessTarget = businessTarget;
+// }
/**
* @param inderfederatedIDP the inderfederatedIDP to set
@@ -400,27 +452,18 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
return this.publicURLPrefix;
}
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
- */
- @Override
- public String getOaType() {
- // TODO Auto-generated method stub
- return null;
- }
-
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
- */
- @Override
- public boolean getBusinessService() {
- return this.businessService;
- }
+// /* (non-Javadoc)
+// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
+// */
+// //@Override
+// public boolean getBusinessService() {
+// return this.businessService;
+// }
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName()
*/
- @Override
+ //@Override
public String getTargetFriendlyName() {
// TODO Auto-generated method stub
return null;
@@ -487,4 +530,6 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
// TODO Auto-generated method stub
return false;
}
+
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
index f5f056ccc..7f56f519b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
@@ -120,7 +120,8 @@ public class AuthenticationData implements IAuthData, Serializable {
* the corresponding <code>lt;saml:Assertion&gt;</code>
*/
- private boolean businessService;
+ private boolean isBaseIDTransferRestrication = true;
+
/**
* STORK attributes from response
@@ -742,13 +743,15 @@ public class AuthenticationData implements IAuthData, Serializable {
* @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService()
*/
@Override
- public boolean isBusinessService() {
- return this.businessService;
+ public boolean isBaseIDTransferRestrication() {
+ return isBaseIDTransferRestrication;
}
-
- public void setIsBusinessService(boolean flag) {
- this.businessService = flag;
-
+
+ /**
+ * @param isBaseIDTransmittionAllowed the isBaseIDTransmittionAllowed to set
+ */
+ public void setBaseIDTransferRestrication(boolean isBaseIDTransferRestrication) {
+ this.isBaseIDTransferRestrication = isBaseIDTransferRestrication;
}
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
index 4c15cd3d1..e9fef4676 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
@@ -38,8 +38,8 @@ public interface IAuthData {
Date getIssueInstant();
String getIssuer();
-
- boolean isBusinessService();
+ boolean isBaseIDTransferRestrication();
+
boolean isSsoSession();
//boolean isInterfederatedSSOSession();
boolean isUseMandate();
@@ -90,5 +90,6 @@ public interface IAuthData {
String getCcc();
public <T> T getGenericData(String key, final Class<T> clazz);
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
index a6a5f1dd4..b4846db12 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
@@ -38,7 +38,7 @@ public class EIDSourcePIN implements IPVPAttributeBuilder {
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
- if (authData.isBusinessService())
+ if (authData.isBaseIDTransferRestrication())
throw new AttributePolicyException(EID_SOURCE_PIN_NAME);
else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
index 1d836802a..ccaecb3b6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
@@ -23,7 +23,6 @@
package at.gv.egovernment.moa.id.protocols.builder.attributes;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
@@ -37,7 +36,7 @@ public class EIDSourcePINType implements IPVPAttributeBuilder {
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
- if (authData.isBusinessService())
+ if (authData.isBaseIDTransferRestrication())
throw new UnavailableAttributeException(EID_SOURCE_PIN_TYPE_NAME);
else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
index f4e69749c..a74ed4af5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
@@ -30,7 +30,9 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPers
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
import at.gv.egovernment.moa.id.util.MandateBuilder;
@@ -74,24 +76,16 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
}
try {
- if (id.getType().equals(Constants.URN_PREFIX_BASEID)) {
-
- /*TODO: some updates are required if we support bPKs in eIDAS context, because
- * BPKBuilder().buildWBPK only supports Austrian wbPKs
- */
- if (oaParam.getBusinessService()) {
- bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier());
-
- } else {
- bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget());
-
- }
-
+ if (id.getType().equals(Constants.URN_PREFIX_BASEID)) {
+ Pair<String, String> calcResult = new BPKBuilder().generateAreaSpecificPersonIdentifier(id.getValue().getValue(),
+ oaParam.getAreaSpecificTargetIdentifier());
+ bpk = calcResult.getFirst();
+
} else
bpk = id.getValue().getValue();
}
- catch (BuildException e) {
+ catch (BuildException | ConfigurationException e) {
Logger.error("Failed to generate IdentificationType");
throw new NoMandateDataAttributeException();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
index 69a731e53..82ebbb2b5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
@@ -27,10 +27,7 @@ import org.w3c.dom.Element;
import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
-import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException;
@@ -64,7 +61,7 @@ public class MandateNaturalPersonSourcePinAttributeBuilder implements IPVPAttri
IdentificationType id = null;
id = physicalPerson.getIdentification().get(0);
- if(oaParam.getBusinessService()) {
+ if(authData.isBaseIDTransferRestrication()) {
throw new AttributePolicyException(this.getName());
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index 643e30ac9..72691a034 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -227,9 +227,9 @@ public class AttributQueryAction implements IAction {
}
//check next IDP service area policy. BusinessService IDPs can only request wbPKs
- if (!spConfig.getBusinessService() && !idp.isIDPPublicService()) {
+ if (!spConfig.hasBaseIdTransferRestriction() && !idp.isIDPPublicService()) {
Logger.error("Interfederated IDP " + idp.getPublicURLPrefix()
- + " has a BusinessService-IDP but requests PublicService attributes.");
+ + " is a BusinessService-IDP but requests PublicService attributes.");
throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()});
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
index 2df72637d..4aa4f7419 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
@@ -59,7 +59,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableEx
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.Constants;
/**
* @author tlenz
@@ -70,7 +69,7 @@ public class AttributQueryBuilder {
@Autowired IDPCredentialProvider credentialProvider;
- public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) {
+ public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) throws ConfigurationException {
Logger.debug("Build OA specific Attributes for AttributQuery request");
@@ -87,17 +86,13 @@ public class AttributQueryBuilder {
} else {
//add OA specific information
if (rA.equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
- if (oa.getBusinessService())
- attr = generator.buildStringAttribute(attr.getFriendlyName(),
- attr.getName(), oa.getIdentityLinkDomainIdentifier());
- else
- attr = generator.buildStringAttribute(attr.getFriendlyName(),
- attr.getName(), Constants.URN_PREFIX_CDID + "+" + oa.getTarget());
+ attr = generator.buildStringAttribute(attr.getFriendlyName(),
+ attr.getName(), oa.getAreaSpecificTargetIdentifier());
+
}
//TODO: add attribute values for SSO with mandates (ProfileList)
-
-
+
attrList.add(attr);
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 55d8fa1ff..45539da3f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -60,11 +60,11 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBod
import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.data.SLOInformationImpl;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
@@ -338,20 +338,8 @@ public class PVP2AssertionBuilder implements PVPConstants {
}
//set bPK-Type from configuration, because it MUST be equal to service-provider type
- if (oaParam.getBusinessService()) {
- if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
- bpktype = oaParam.getIdentityLinkDomainIdentifier();
- else
- bpktype = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier();
-
- } else {
- if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+"))
- bpktype = oaParam.getTarget();
- else
- bpktype = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget();
-
- }
-
+ bpktype = oaParam.getAreaSpecificTargetIdentifier();
+
} else {
//sourcePin is include --> check sourcePinType
if (MiscUtil.isEmpty(bpktype))
@@ -365,21 +353,10 @@ public class PVP2AssertionBuilder implements PVPConstants {
}
- if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {
- if (oaParam.getBusinessService()) {
- subjectNameID.setValue(new BPKBuilder().buildWBPK(bpk, oaParam.getIdentityLinkDomainIdentifier()));
- if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
- subjectNameID.setNameQualifier(oaParam.getIdentityLinkDomainIdentifier());
- else
- subjectNameID.setNameQualifier(Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier());
-
- } else {
- subjectNameID.setValue(new BPKBuilder().buildBPK(bpk, oaParam.getTarget()));
- if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+"))
- subjectNameID.setNameQualifier(oaParam.getTarget());
- else
- subjectNameID.setNameQualifier(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
- }
+ if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {
+ Pair<String, String> calcbPK = new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, oaParam.getAreaSpecificTargetIdentifier());
+ subjectNameID.setValue(calcbPK.getFirst());
+ subjectNameID.setNameQualifier(calcbPK.getSecond());
} else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 5380d7f53..ab355646c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -217,6 +217,9 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
Logger.warn("Refresh PVP2X metadata for onlineApplication: "
+ entityID + " FAILED.", e);
+ } catch (ConfigurationException e) {
+ Logger.warn("Refresh PVP2X metadata for onlineApplication: "
+ + entityID + " FAILED.", e);
}
return false;
@@ -484,13 +487,13 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
}
- private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException {
+ private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException {
PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate);
filterChain.getFilters().add(new SchemaValidationFilter());
if (oaParam.isInderfederationIDP()) {
Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies");
- filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.getBusinessService()));
+ filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.hasBaseIdTransferRestriction()));
}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
index f53bfd90c..6f6735d48 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
@@ -192,9 +192,12 @@ public class MOAIDAuthConstants extends MOAIDConstants{
public static final String PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE = MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE;
//General protocol-request data-store keys
+ public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate";
+
+ @Deprecated
public static final String AUTHPROCESS_DATA_TARGET = "authProces_Target";
+ @Deprecated
public static final String AUTHPROCESS_DATA_TARGETFRIENDLYNAME = "authProces_TargetFriendlyName";
- public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate";
}
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
index e9f9a7e80..98f0616a5 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java
@@ -28,6 +28,8 @@ import java.util.Hashtable;
import java.util.List;
import java.util.Map;
+import at.gv.egovernment.moa.util.Constants;
+
/**
* @author tlenz
*
@@ -40,9 +42,15 @@ public class MOAIDConstants {
public static final String FILE_URI_PREFIX = "file:/";
- public static final String PREFIX_WPBK = "urn:publicid:gv.at:wbpk+";
- public static final String PREFIX_STORK = "urn:publicid:gv.at:storkid+";
- public static final String PREFIX_EIDAS = "urn:publicid:gv.at:eidasid+";
+ public static final String PREFIX_BASEID = Constants.URN_PREFIX_BASEID;
+ public static final String PREFIX_PBK = Constants.URN_PREFIX_BPK;
+ public static final String PREFIX_HPI = Constants.URN_PREFIX_HPI;
+
+ public static final String PREFIX_CDID = Constants.URN_PREFIX_CDID + "+";
+ public static final String PREFIX_WPBK = Constants.URN_PREFIX_WBPK + "+";
+ public static final String PREFIX_STORK = Constants.URN_PREFIX_STORK + "+";
+ public static final String PREFIX_EIDAS = Constants.URN_PREFIX_EIDAS + "+";
+
public static final String IDENIFICATIONTYPE_FN = "FN";
public static final String IDENIFICATIONTYPE_ERSB = "ERSB";
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
index 298d3e84e..1e1bfa94b 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
@@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS;
import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
/**
* @author tlenz
@@ -38,6 +39,9 @@ import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
*/
public interface IOAAuthParameters {
+ public static final String CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL = "configuration.restrictions.baseID.idpProcessing";
+ public static final String CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION = "configuration.restrictions.baseID.spTransmission";
+
public static final String THIRDBKU = "thirdBKU";
public static final String HANDYBKU = "handy";
public static final String LOCALBKU = "local";
@@ -67,20 +71,52 @@ public interface IOAAuthParameters {
public String getFriendlyName();
public String getPublicURLPrefix();
-
- public String getOaType();
- public boolean getBusinessService();
+ /**
+ * Indicates if this online applications has private area restrictions that disallow baseId processing in general
+ * This restriction is evaluated from area-identifier of this online application and a policy from configuration.
+ * The configuration key 'configuration.restrictions.baseID.idpProcessing' specifies a list of comma-separated values
+ * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix
+ * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs
+ *
+ * @return true if there is a restriction, otherwise false
+ * @throws ConfigurationException In case of online-application configuration has public and private identifies
+ */
+ public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException;
+
/**
- * Get target of a public service-provider
+ * Indicates if this online applications has private area restrictions that disallow baseId transfer to OA
+ * This restriction is evaluated from area-identifier of this online application and a policy from configuration.
+ * The configuration key 'configuration.restrictions.baseID.spTransmission' specifies a list of comma-separated values
+ * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix
+ * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs
*
- * @return target identifier without prefix
+ * @return true if there is a restriction, otherwise false
+ * @throws ConfigurationException In case of online-application configuration has public and private identifies
*/
- public String getTarget();
+ public boolean hasBaseIdTransferRestriction() throws ConfigurationException;
- public String getTargetFriendlyName();
+ /**
+ * Get the full area-identifier for this online application to calculate the
+ * area-specific unique person identifier (bPK, wbPK, eIDAS unique identifier, ...).
+ * This identifier always contains the full prefix
+ *
+ * @return area identifier with prefix
+ * @throws ConfigurationException In case of online-application configuration has public and private identifies
+ */
+ public String getAreaSpecificTargetIdentifier() throws ConfigurationException;
+
+ /**
+ * Get a friendly name for the specific area-identifier of this online application
+ *
+ * @return fiendly name of the area-identifier
+ * @throws ConfigurationException In case of online-application configuration has public and private identifies
+ */
+ public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException;
+
+
public boolean isInderfederationIDP();
public boolean isSTORKPVPGateway();
@@ -88,13 +124,6 @@ public interface IOAAuthParameters {
public boolean isRemovePBKFromAuthBlock();
/**
- * Return the private-service domain-identifier with PreFix
- *
- * @return the identityLinkDomainIdentifier
- */
- public String getIdentityLinkDomainIdentifier();
-
- /**
* @return the keyBoxIdentifier
*/
public String getKeyBoxIdentifier();
@@ -142,11 +171,6 @@ public interface IOAAuthParameters {
*/
public List<String> getMandateProfiles();
- /**
- * @return the identityLinkDomainIdentifierType
- */
- public String getIdentityLinkDomainIdentifierType();
-
public boolean isShowMandateCheckBox();
public boolean isOnlyMandateAllowed();
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
index 2a4e3b362..1d94e5da0 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
@@ -454,7 +454,6 @@ public interface Constants {
/** URN prefix for context dependent id (stork). */
public static final String URN_PREFIX_STORK = URN_PREFIX + ":storkid";
- //TODO: update to eIDAS prefix
/** URN prefix for context dependent id (eIDAS). */
public static final String URN_PREFIX_EIDAS = URN_PREFIX + ":eidasid";
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 9294f3658..0a2371575 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -65,6 +65,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IMISMandate;
import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.util.XMLUtil;
import at.gv.egovernment.moa.logging.Logger;
@@ -192,8 +193,8 @@ public class AuthenticationServer extends BaseAuthenticationServer {
Logger.debug("Non-SSO Login requested or SSO not allowed/possible");
//build ReadInfobox request
infoboxReadRequest = new InfoboxReadRequestBuilder().build(
- oaParam.getBusinessService(), oaParam
- .getIdentityLinkDomainIdentifier());
+ oaParam.hasBaseIdInternalProcessingRestriction(), oaParam
+ .getAreaSpecificTargetIdentifier());
}
@@ -401,9 +402,9 @@ public class AuthenticationServer extends BaseAuthenticationServer {
try {
// sets the extended SAML attributes for OID (Organwalter)
setExtendedSAMLAttributeForMandatesOID(session, mandate, oaParam
- .getBusinessService());
+ .hasBaseIdTransferRestriction());
- validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService());
+ validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.hasBaseIdTransferRestriction());
} catch (SAXException e) {
@@ -523,9 +524,10 @@ public class AuthenticationServer extends BaseAuthenticationServer {
* @return <code>&lt;saml:Assertion&gt;</code> as a String
* @throws BuildException If an error occurs on serializing an extended SAML attribute
* to be appended to the AUTH-Block.
+ * @throws ConfigurationException
*/
private String buildAuthenticationBlock(IAuthenticationSession session,
- IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException {
+ IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException, ConfigurationException {
IIdentityLink identityLink = session.getIdentityLink();
String issuer = identityLink.getName();
@@ -533,12 +535,16 @@ public class AuthenticationServer extends BaseAuthenticationServer {
String identificationValue = null;
String identificationType = null;
+ String identificationTypeFriendlyName = null;
//get processing data from pending-request
String authURL = pendingReq.getAuthURL();
- String requestedTarget = pendingReq.getGenericData(
- MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
- String targetFriendlyName = pendingReq.getGenericData(
+
+ @Deprecated
+ String saml1RequestedTarget = pendingReq.getGenericData(
+ MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
+ @Deprecated
+ String saml1RequestedFriendlyName = pendingReq.getGenericData(
MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class);
@@ -546,45 +552,45 @@ public class AuthenticationServer extends BaseAuthenticationServer {
if (session.isOW() || pendingReq.needSingleSignOnFunctionality() || oaParam.isRemovePBKFromAuthBlock()) {
identificationType = "";
identificationValue = "";
-
+
} else if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
- if (oaParam.getBusinessService()) {
-
- String bpkBase64 = new BPKBuilder().buildWBPK(identityLink
- .getIdentificationValue(), oaParam.getIdentityLinkDomainIdentifier());
- identificationValue = bpkBase64;
-
- if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK + "+"))
- identificationType = oaParam.getIdentityLinkDomainIdentifier();
- else
- identificationType = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier();
-
- } else {
- String bpkBase64 = new BPKBuilder().buildBPK(identityLink
- .getIdentificationValue(), requestedTarget);
- identificationValue = bpkBase64;
- identificationType = Constants.URN_PREFIX_CDID + "+" + requestedTarget;
+ if (MiscUtil.isNotEmpty(saml1RequestedTarget)) {
+ Logger.debug("Build AuthBlock bPK from SAML1 requested target");
+ Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
+ saml1RequestedTarget);
+ identificationValue = calcId.getFirst();
+ identificationType = calcId.getSecond();
+ identificationTypeFriendlyName = saml1RequestedFriendlyName;
+
+ } else {
+ Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
+ oaParam.getAreaSpecificTargetIdentifier());
+ identificationValue = calcId.getFirst();
+ identificationType = calcId.getSecond();
+ identificationTypeFriendlyName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
}
-
} else {
identificationValue = identityLink.getIdentificationValue();
identificationType = identityLink.getIdentificationType();
+ identificationTypeFriendlyName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
}
//set AuthBlock generation time to session
- String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar
- .getInstance());
+ String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar.getInstance());
session.setIssueInstant(issueInstant);
- // Bug #485
- // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
- // String oaURL = session.getPublicOAURLPrefix();
-
+ //load extend attributes
List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+ //load special authblock text patterns for replacement
+ Map<String, String> authBlockTextPatterns = AuthenticationBlockAssertionBuilder.
+ generateSpezialAuthBlockPatternMap(pendingReq, issuer, gebDat, issueInstant);
+
String authBlock = null;
if (pendingReq.needSingleSignOnFunctionality()) {
String oaURL = pendingReq.getAuthURL();
@@ -592,19 +598,20 @@ public class AuthenticationServer extends BaseAuthenticationServer {
oaURL = oaURL.replaceAll("&", "&amp;");
authBlock = new AuthenticationBlockAssertionBuilder()
- .buildAuthBlockSSO(issuer, issueInstant, authURL, requestedTarget,
- targetFriendlyName, identificationValue,
- identificationType, oaURL, gebDat,
- extendedSAMLAttributes, session, oaParam);
-
+ .buildAuthBlockSSO(issuer, issueInstant, authURL,
+ oaURL, gebDat,
+ extendedSAMLAttributes, session, oaParam, authBlockTextPatterns);
} else {
String oaURL = oaParam.getPublicURLPrefix().replaceAll("&", "&amp;");
authBlock = new AuthenticationBlockAssertionBuilder()
- .buildAuthBlock(issuer, issueInstant, authURL, requestedTarget,
- targetFriendlyName, identificationValue,
- identificationType, oaURL, gebDat,
- extendedSAMLAttributes, session, oaParam);
+ .buildAuthBlock(issuer, issueInstant, authURL,
+ identificationValue,
+ identificationType,
+ gebDat,
+ oaURL,
+ identificationTypeFriendlyName,
+ extendedSAMLAttributes, session, oaParam, authBlockTextPatterns);
}
@@ -1062,9 +1069,10 @@ public class AuthenticationServer extends BaseAuthenticationServer {
Element valueBpK = mandatePerson.getOwnerDocument().createElementNS(
Constants.PD_NS_URI, "Value");
- String bpkBase64 = new BPKBuilder().buildBPK(baseid, target);
+ Pair<String, String> targedId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseid, target);
+
valueBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode(
- bpkBase64));
+ targedId.getFirst()));
Element typeBpK = mandatePerson.getOwnerDocument().createElementNS(
Constants.PD_NS_URI, "Type");
typeBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode(
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index ecc91991e..80702795b 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -28,7 +28,11 @@ import java.io.StringWriter;
import java.text.MessageFormat;
import java.text.SimpleDateFormat;
import java.util.Calendar;
+import java.util.HashMap;
+import java.util.Iterator;
import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
import javax.xml.bind.DatatypeConverter;
import javax.xml.transform.Result;
@@ -46,7 +50,9 @@ import org.w3c.dom.Node;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.ParseException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.commons.api.data.ExtendedSAMLAttribute;
import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
@@ -126,6 +132,15 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
public static final int NUM_OF_SAML_ATTRIBUTES = 5;
public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 4;
+ public static final String bPKwbPKNSDECLARATION = " xmlns:pr=\"" + PD_NS_URI + "\"";
+
+ public static final String AUTHBLOCK_TEXT_PATTERN_NAME = "#NAME#";
+ public static final String AUTHBLOCK_TEXT_PATTERN_BIRTHDAY = "#BIRTHDAY#";
+ public static final String AUTHBLOCK_TEXT_PATTERN_DATE = "#DATE#";
+ public static final String AUTHBLOCK_TEXT_PATTERN_TIME = "#TIME#";
+
+ public static final String PENDING_REQ_AUTHBLOCK_TEXT_KEY = "specialAuthBlockTextKeyValueMap";
+
/**
* Constructor for AuthenticationBlockAssertionBuilder.
*/
@@ -133,322 +148,210 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
super();
}
+ public static Map<String, String> generateSpezialAuthBlockPatternMap(IRequest pendingReq, String issuer, String gebDat, String issueInstant) {
+ Map<String, String> result = new HashMap<String, String>();
+
+ //convert issueInstant
+ Calendar datetime = DatatypeConverter.parseDateTime(issueInstant);
+ SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy");
+ SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss");
+
+ //set default values
+ result.put(AUTHBLOCK_TEXT_PATTERN_NAME, issuer);
+ result.put(AUTHBLOCK_TEXT_PATTERN_BIRTHDAY, gebDat);
+ result.put(AUTHBLOCK_TEXT_PATTERN_DATE, dateformat.format(datetime.getTime()));
+ result.put(AUTHBLOCK_TEXT_PATTERN_TIME, timeformat.format(datetime.getTime()));
+
+ //set other values from pendingReq if exists
+ Map<?,?> processSpecificElements = pendingReq.getGenericData(PENDING_REQ_AUTHBLOCK_TEXT_KEY, Map.class);
+ if (processSpecificElements != null && !processSpecificElements.isEmpty()) {
+ Logger.debug("Find process-specific patterns for 'special AuthBlock-Text'. Start processing ...");
+ Iterator<?> mapIterator = processSpecificElements.entrySet().iterator();
+ while (mapIterator.hasNext()) {
+ Object objEl = mapIterator.next();
+ if (objEl instanceof Entry<?, ?>) {
+ try {
+ @SuppressWarnings("unchecked")
+ Entry<String, String> el = (Entry<String, String>) objEl;
+ Logger.trace(" Add pattern-> Key: " + el.getKey() + " Value:" + el.getValue());
+ if (result.containsKey(el.getKey()))
+ Logger.warn(" Can not add pattern: " + el.getKey() + " , because it already exists.");
+ else
+ result.put(el.getKey(), el.getValue());
+
+ } catch (Exception e) {
+ Logger.warn("A pendingReq. specific 'special AuthBlock-Text' element has a suspect type. Ignore it!", e);
+
+ }
+ }
+ }
+ }
+
+ return result;
+ }
+
+
/**
- * Builds the authentication block <code>&lt;saml:Assertion&gt;</code>
- *
- * @param issuer authentication block issuer; <code>"GivenName FamilyName"</code>
- * @param issueInstant current timestamp
- * @param authURL URL of MOA-ID authentication component
- * @param target "Gesch&auml;ftsbereich"; maybe <code>null</code> if the application
- * is a business application
- * @param identityLinkValue the content of the <code>&lt;pr:Value&gt;</code>
- * child element of the <code>&lt;pr:Identification&gt;</code>
- * element derived from the Identitylink; this is the
- * value of the <code>wbPK</code>;
- * maybe <code>null</code> if the application is a public service
- * @param identityLinkType the content of the <code>&lt;pr:Type&gt;</code>
- * child element of the <code>&lt;pr:Identification&gt;</code>
- * element derived from the Identitylink; this includes the
- * URN prefix and the identification number of the business
- * application used as input for wbPK computation;
- * maybe <code>null</code> if the application is a public service
- * @param oaURL public URL of online application requested
- * @param gebDat The date of birth from the identity link.
- * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock.
*
- * @return String representation of authentication block
- * <code>&lt;saml:Assertion&gt;</code> built
- *
- * @throws BuildException If an error occurs on serializing an extended SAML attribute
- * to be appended to the AUTH-Block.
+ * @param issuer
+ * @param issueInstant
+ * @param authURL
+ * @param sectorSpecificUniqueId
+ * @param sectorSpecificUniqueIdType
+ * @param gebDat
+ * @param oaURL
+ * @param spTargetAreaFriendlyName
+ * @param extendedSAMLAttributes
+ * @param session
+ * @param oaParam
+ * @return
+ * @throws BuildException
+ * @throws ConfigurationException
*/
public String buildAuthBlock(
String issuer,
String issueInstant,
- String authURL,
- String target,
- String targetFriendlyName,
- String identityLinkValue,
- String identityLinkType,
- String oaURL,
- String gebDat,
+ String authURL,
+ String sectorSpecificUniqueId,
+ String sectorSpecificUniqueIdType,
+ String gebDat,
+ String oaURL,
+ String spTargetAreaFriendlyName,
List<ExtendedSAMLAttribute> extendedSAMLAttributes,
IAuthenticationSession session,
- IOAAuthParameters oaParam)
- throws BuildException
-
- {
- session.setSAMLAttributeGebeORwbpk(true);
- String gebeORwbpk = "";
- String wbpkNSDeclaration = "";
-
- if (target == null) {
-
- // OA is a business application
- if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) {
- // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator
- gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
- wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
+ IOAAuthParameters oaParam,
+ Map<String, String> specialAuthBlockTextPatterns)
+ throws BuildException, ConfigurationException {
+
+ //initialize state
+ session.setSAMLAttributeGebeORwbpk(true);
+ String usedwbPKbPKNamespaceDeclaration = org.apache.commons.lang3.StringUtils.EMPTY;
+ String publicSectorIdOrwbPK = org.apache.commons.lang3.StringUtils.EMPTY;
+
+
+ if (!sectorSpecificUniqueIdType.startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+ //service provider has not an sector Id from Austrian public-domain --> build AuthBlock like a wbPK
+
+ if (!Constants.URN_PREFIX_HPI.equals(sectorSpecificUniqueIdType)) {
+ //Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator
+ publicSectorIdOrwbPK = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] {sectorSpecificUniqueId, sectorSpecificUniqueIdType});
+ usedwbPKbPKNamespaceDeclaration = bPKwbPKNSDECLARATION;
- //adding type of wbPK domain identifier
- ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute =
- new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+ //adding type of wbPK domain identifier
+ ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute =
+ new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", spTargetAreaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
- extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute);
+ extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute);
- } else {
- // We do not have a wbPK, therefore no SAML-Attribute is provided
- session.setSAMLAttributeGebeORwbpk(false);
- }
+ } else {
+ // We do not have a wbPK, therefore no SAML-Attribute is provided
+ session.setSAMLAttributeGebeORwbpk(false);
+
+ }
+ } else {
+ // OA is a govermental application
+
+ //convert sector identifier into friendly name and add it to AuthBlock
+ String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(sectorSpecificUniqueIdType);
+ if (StringUtils.isEmpty(sectorName)) {
+ if (spTargetAreaFriendlyName != null)
+ sectorName = spTargetAreaFriendlyName;
+
+ }
+ publicSectorIdOrwbPK = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE,
+ new Object[] {sectorSpecificUniqueIdType.substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")" });
- } else {
- // OA is a govermental application
- String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
- if (StringUtils.isEmpty(sectorName)) {
- if (targetFriendlyName != null)
- sectorName = targetFriendlyName;
- }
-
-
- //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
- gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" });
-
- //no business service, adding bPK
- if (identityLinkValue != null) {
- Element bpkSamlValueElement;
- try {
- bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
- } catch (Exception e) {
- Logger.error("Error on building AUTH-Block: " + e.getMessage());
- throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
- }
-
- // String s = xmlToString(bpkSamlValueElement);
- // System.out.println("bpkSamlValueElement: " + s);
-
- ExtendedSAMLAttribute bpkAttribute =
- new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
- extendedSAMLAttributes.add(bpkAttribute);
- }
-
- boolean useMandate = session.isMandateUsed();
- if (useMandate) {
- //String mandateReferenceValue = Random.nextRandom();
- String mandateReferenceValue = Random.nextProcessReferenceValue();
- // remove leading "-"
- if (mandateReferenceValue.startsWith("-"))
- mandateReferenceValue = mandateReferenceValue.substring(1);
-
- session.setMandateReferenceValue(mandateReferenceValue);
-
- ExtendedSAMLAttribute mandateReferenceValueAttribute =
- new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
-
- extendedSAMLAttributes.add(mandateReferenceValueAttribute);
- }
-
-
-
- //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
- wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
- }
-
- //adding friendly name of OA
- String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName();
-
- ExtendedSAMLAttribute oaFriendlyNameAttribute =
- new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-
- extendedSAMLAttributes.add(oaFriendlyNameAttribute);
+ //add bPK to AuthBlock if it is not empty
+ if (MiscUtil.isNotEmpty(sectorSpecificUniqueId)) {
+ Element bpkSamlValueElement;
+ try {
+ bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { sectorSpecificUniqueId, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
+
+ } catch (Exception e) {
+ Logger.error("Error on building AUTH-Block: " + e.getMessage());
+ throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
+
+ }
+
+ ExtendedSAMLAttribute bpkAttribute =
+ new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+ extendedSAMLAttributes.add(bpkAttribute);
+ }
+
+ usedwbPKbPKNamespaceDeclaration = bPKwbPKNSDECLARATION;
+ }
+ //check if mandates should be used
+ if (session.isMandateUsed()) {
+
+ //generate mandate reference value
+ String mandateReferenceValue = Random.nextProcessReferenceValue();
+ session.setMandateReferenceValue(mandateReferenceValue);
+
+ ExtendedSAMLAttribute mandateReferenceValueAttribute =
+ new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
+
+ extendedSAMLAttributes.add(mandateReferenceValueAttribute);
+ }
+
+ //adding friendly name of OA
+ String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName();
+ ExtendedSAMLAttribute oaFriendlyNameAttribute =
+ new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+ extendedSAMLAttributes.add(oaFriendlyNameAttribute);
- String text = "";
- if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
- Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
- text = oaParam.getAditionalAuthBlockText();
- }
- String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
- new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) });
+ //generate special AuthBlock text
+ String text = "";
+ if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
+ Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
+ text = oaParam.getAditionalAuthBlockText();
+ }
+ String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
+ new Object[] { generateSpecialText(text, specialAuthBlockTextPatterns) });
- //generate unique AuthBlock tokken
- String uniquetokken = Random.nextRandom();
- session.setAuthBlockTokken(uniquetokken);
+
+ //generate unique AuthBlock tokken
+ String uniquetokken = Random.nextProcessReferenceValue();
+ session.setAuthBlockTokken(uniquetokken);
String assertion;
try {
assertion = MessageFormat.format(
AUTH_BLOCK, new Object[] {
- wbpkNSDeclaration,
+ usedwbPKbPKNamespaceDeclaration,
issuer,
issueInstant,
authURL,
- gebeORwbpk,
+ publicSectorIdOrwbPK,
oaURL,
gebDat,
specialText,
- MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE,
- new Object[] { uniquetokken }),
+ MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, new Object[] {uniquetokken}),
buildExtendedSAMLAttributes(extendedSAMLAttributes)});
- } catch (ParseException e) {
- Logger.error("Error on building AUTH-Block: " + e.getMessage());
- throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
- }
-
- return assertion;
-
- }
-
- /**
- * Builds the authentication block <code>&lt;saml:Assertion&gt;</code>
- *
- * @param issuer authentication block issuer; <code>"GivenName FamilyName"</code>
- * @param issueInstant current timestamp
- * @param authURL URL of MOA-ID authentication component
- * @param target "Gesch&auml;ftsbereich"; maybe <code>null</code> if the application
- * is a business application
- * @param identityLinkValue the content of the <code>&lt;pr:Value&gt;</code>
- * child element of the <code>&lt;pr:Identification&gt;</code>
- * element derived from the Identitylink; this is the
- * value of the <code>wbPK</code>;
- * maybe <code>null</code> if the application is a public service
- * @param identityLinkType the content of the <code>&lt;pr:Type&gt;</code>
- * child element of the <code>&lt;pr:Identification&gt;</code>
- * element derived from the Identitylink; this includes the
- * URN prefix and the identification number of the business
- * application used as input for wbPK computation;
- * maybe <code>null</code> if the application is a public service
- * @param oaURL public URL of online application requested
- * @param gebDat The date of birth from the identity link.
- * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock.
- *
- * @return String representation of authentication block
- * <code>&lt;saml:Assertion&gt;</code> built
- *
- * @throws BuildException If an error occurs on serializing an extended SAML attribute
- * to be appended to the AUTH-Block.
- */
- public String buildAuthBlockForeignID(
- String issuer,
- String issueInstant,
- String authURL,
- String target,
- String identityLinkValue,
- String identityLinkType,
- String oaURL,
- String gebDat,
- List<ExtendedSAMLAttribute> extendedSAMLAttributes,
- IAuthenticationSession session,
- IOAAuthParameters oaParam)
- throws BuildException
- {
- session.setSAMLAttributeGebeORwbpk(true);
- String gebeORwbpk = "";
- String wbpkNSDeclaration = "";
-
- if (target == null) {
- // OA is a business application
- if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) {
- // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator
- gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
- wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
-
- //BZ.., adding type of wbPK domain identifier
- ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute =
- new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-
- extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute);
- //..BZ
-
- } else {
- // We do not have a wbPK, therefore no SAML-Attribute is provided
- session.setSAMLAttributeGebeORwbpk(false);
- }
- } else {
- // OA is a govermental application
- //BZ..
- String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
- //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
- gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" });
- //..BZ
-
- //BZ.., no business service, adding bPK
- Element bpkSamlValueElement;
- try {
- bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
- } catch (Exception e) {
- Logger.error("Error on building AUTH-Block: " + e.getMessage());
- throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
- }
-
- ExtendedSAMLAttribute bpkAttribute =
- new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-
- extendedSAMLAttributes.add(bpkAttribute);
- //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
- wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
- //..BZ
- }
-
- //BZ.., adding friendly name of OA
- String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName();
-
- ExtendedSAMLAttribute oaFriendlyNameAttribute =
- new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-
- extendedSAMLAttributes.add(oaFriendlyNameAttribute);
- //..BZ
-
- String text = "";
- if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
- Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
- text = oaParam.getAditionalAuthBlockText();
- }
-
- String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
- new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) });
-
- //generate unique AuthBlock tokken
- String uniquetokken = Random.nextRandom();
- session.setAuthBlockTokken(uniquetokken);
-
- String assertion;
- try {
- assertion = MessageFormat.format(
- AUTH_BLOCK, new Object[] {
- wbpkNSDeclaration,
- issuer,
- issueInstant,
- authURL,
- gebeORwbpk,
- oaURL,
- gebDat,
- specialText,
- MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE,
- new Object[] { uniquetokken }),
- buildExtendedSAMLAttributes(extendedSAMLAttributes)});
} catch (ParseException e) {
Logger.error("Error on building AUTH-Block: " + e.getMessage());
throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
+
}
return assertion;
}
- public static String generateSpecialText(String inputtext, String issuer, String gebDat, String issueInstant) {
- Calendar datetime = DatatypeConverter.parseDateTime(issueInstant);
- SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy");
- SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss");
-
- String text = inputtext.replaceAll("#NAME#", issuer);
- text = text.replaceAll("#BIRTHDAY#", gebDat);
- text = text.replaceAll("#DATE#", dateformat.format(datetime.getTime()));
- text = text.replaceAll("#TIME#", timeformat.format(datetime.getTime()));
-
- return text;
+ public static String generateSpecialText(String inputtext, Map<String, String> specialAuthBlockTextPatterns) {
+ Iterator<Entry<String, String>> it = specialAuthBlockTextPatterns.entrySet().iterator();
+ String text = inputtext;
+ while (it.hasNext()) {
+ Entry<String, String> el = it.next();
+ text = text.replaceAll(el.getKey(), el.getValue());
+
+ }
+
+ return text;
+
}
public static String xmlToString(Node node) {
@@ -472,65 +375,52 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
String issuer,
String issueInstant,
String authURL,
- String target,
- String targetFriendlyName,
- String identityLinkValue,
- String identityLinkType,
String oaURL,
String gebDat,
List<ExtendedSAMLAttribute> extendedSAMLAttributes,
IAuthenticationSession session,
- IOAAuthParameters oaParam)
+ IOAAuthParameters oaParam,
+ Map<String, String> specialAuthBlockTextPatterns)
throws BuildException
{
session.setSAMLAttributeGebeORwbpk(true);
String gebeORwbpk = "";
String wbpkNSDeclaration = "";
-
- if (target != null) {
-
- boolean useMandate = session.isMandateUsed();
- if (useMandate) {
- //String mandateReferenceValue = Random.nextRandom();
- String mandateReferenceValue = Random.nextProcessReferenceValue();
- // remove leading "-"
- if (mandateReferenceValue.startsWith("-"))
- mandateReferenceValue = mandateReferenceValue.substring(1);
-
- session.setMandateReferenceValue(mandateReferenceValue);
+
+ //add mandate reference-value if mandates are used
+ if (session.isMandateUsed()) {
+ String mandateReferenceValue = Random.nextProcessReferenceValue();
+ session.setMandateReferenceValue(mandateReferenceValue);
- ExtendedSAMLAttribute mandateReferenceValueAttribute =
- new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
+ ExtendedSAMLAttribute mandateReferenceValueAttribute =
+ new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
- extendedSAMLAttributes.add(mandateReferenceValueAttribute);
- }
+ extendedSAMLAttributes.add(mandateReferenceValueAttribute);
}
+
//adding friendly name of OA
String friendlyname;
try {
- friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName();
-
- ExtendedSAMLAttribute oaFriendlyNameAttribute =
- new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-
- extendedSAMLAttributes.add(oaFriendlyNameAttribute);
-
-
- String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
+ friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName();
+ ExtendedSAMLAttribute oaFriendlyNameAttribute =
+ new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+ extendedSAMLAttributes.add(oaFriendlyNameAttribute);
+
+ //generate special AuthBlock text
+ String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
if (MiscUtil.isEmpty(text))
text="";
String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
- new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) });
+ new Object[] { generateSpecialText(text, specialAuthBlockTextPatterns) });
+
//generate unique AuthBlock tokken
- String uniquetokken = Random.nextRandom();
+ String uniquetokken = Random.nextProcessReferenceValue();
session.setAuthBlockTokken(uniquetokken);
- String assertion;
-
- assertion = MessageFormat.format(
+ String assertion = MessageFormat.format(
AUTH_BLOCK, new Object[] {
wbpkNSDeclaration,
issuer,
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
index 608f50200..88a235978 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
@@ -120,12 +120,11 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
//get Target from config or from request in case of SAML 1
String target = null;
- if (MiscUtil.isNotEmpty(pendingReq.getGenericData("target", String.class)) &&
+ if (MiscUtil.isNotEmpty(pendingReq.getGenericData("saml1_target", String.class)) &&
pendingReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol"))
- target = pendingReq.getGenericData("target", String.class);
- else
- target = oaParam.getTarget();
-
+ target = pendingReq.getGenericData("saml1_target", String.class);
+
+
String bkuURL = oaParam.getBKUURL(bkuid);
if (MiscUtil.isEmpty(bkuURL)) {
Logger.info("No OA specific BKU defined. Use BKU from default configuration");
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
index 975dec429..d2fd4d1de 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
@@ -35,7 +35,6 @@ import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
@@ -100,14 +99,7 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask {
byte[] authBlock = moasession.getAuthBlock().getBytes("UTF-8");
//TODO: check in case of SSO!!!
- String targetType = null;
- if(oaParam.getBusinessService()){
- targetType = oaParam.getIdentityLinkDomainIdentifier();
-
- } else {
- targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
-
- }
+ String targetType = oaParam.getAreaSpecificTargetIdentifier();
revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(),
pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATE_SERVICE_REQUESTED, mandateReferenceValue);
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index a227ab5be..da96bfe54 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -57,8 +57,10 @@ import org.jaxen.SimpleNamespaceContext;
import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder;
+import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.ValidateException;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
@@ -69,6 +71,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -128,42 +131,46 @@ public class CreateXMLSignatureResponseValidator {
* @param session
* @param pendingReq
* @throws ValidateException
+ * @throws BuildException
+ * @throws ConfigurationException
*/
public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq)
- throws ValidateException {
+ throws ValidateException, BuildException, ConfigurationException {
// A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
-
- String gbTarget = pendingReq.getGenericData(
- MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
- String targetFriendlyName = pendingReq.getGenericData(
- MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class);
String oaURL = oaParam.getPublicURLPrefix();
- boolean businessService = oaParam.getBusinessService();
-
IIdentityLink identityLink = session.getIdentityLink();
+ @Deprecated
+ String saml1RequestedTarget = pendingReq.getGenericData(
+ MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
+ @Deprecated
+ String saml1RequestedFriendlyName = pendingReq.getGenericData(
+ MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class);
+
+
Element samlAssertion = createXMLSignatureResponse.getSamlAssertion();
+
+ //validate issuer
String issuer = samlAssertion.getAttribute("Issuer");
if (issuer == null) {
// should not happen, because parser would dedect this
throw new ValidateException("validator.32", null);
}
// replace ' in name with &#39;
- issuer = issuer.replaceAll("'", "&#39;");
+ issuer = issuer.replaceAll("'", "&#39;");
+ if (!issuer.equals(identityLink.getName()))
+ throw new ValidateException("validator.33", new Object[] {issuer, identityLink.getName()});
+
+ //validate issuerInstant
String issueInstant = samlAssertion.getAttribute("IssueInstant");
- if (!issueInstant.equals(session.getIssueInstant())) {
- throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
- }
+ if (!issueInstant.equals(session.getIssueInstant()))
+ throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
- String name = identityLink.getName();
- if (!issuer.equals(name)) {
- throw new ValidateException("validator.33", new Object[] {issuer, name});
- }
-
+ //validate extended attributes
SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
boolean foundOA = false;
@@ -171,241 +178,253 @@ public class CreateXMLSignatureResponseValidator {
boolean foundWBPK = false;
int offset = 0;
- // check number of SAML aatributes
+ // check number of SAML attributes
List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
int extendedSAMLAttributesNum = 0;
if (extendedSAMLAttributes != null) {
- extendedSAMLAttributesNum = extendedSAMLAttributes.size();
+ extendedSAMLAttributesNum = extendedSAMLAttributes.size();
}
- int expectedSAMLAttributeNumber =
- AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum;
+ int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum;
+
+ //remove one attribute from expected attributes if public SP target or wbPK is not part of AuthBlock
if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
+
+ //check number of attributes in AuthBlock response against expected number of attributes
int actualSAMLAttributeNumber = samlAttributes.length;
if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
- Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
- expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
- throw new ValidateException(
- "validator.36",
- new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
+ Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
+ expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
+ throw new ValidateException("validator.36",
+ new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
+
}
- SAMLAttribute samlAttribute;
- if (session.getSAMLAttributeGebeORwbpk()) {
- // check the first attribute ("Geschaeftsbereich" or "wbPK")
- samlAttribute = samlAttributes[0];
- if (businessService) {
- if (!samlAttribute.getName().equals("wbPK")) {
- if (samlAttribute.getName().equals("Geschaeftsbereich")) {
- throw new ValidateException("validator.26", null);
- } else {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
- }
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundWBPK = true;
- try {
- Element attrValue = (Element)samlAttribute.getValue();
- String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
- String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
- if (!value.equals(identityLink.getIdentificationValue())) {
- throw new ValidateException("validator.28", null);
- }
- if (!type.equals(identityLink.getIdentificationType())) {
- throw new ValidateException("validator.28", null);
- }
- } catch (Exception ex) {
- throw new ValidateException("validator.29", null);
- }
- } else {
- throw new ValidateException("validator.30", null);
- }
- } else {
- if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
- if (samlAttribute.getName().equals("wbPK")) {
- throw new ValidateException("validator.26", null);
- } else {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
- }
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundGB = true;
- String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(gbTarget);
- if (StringUtils.isEmpty(sectorName)) {
- if (targetFriendlyName != null)
- sectorName = targetFriendlyName;
- }
- gbTarget = gbTarget + " (" + sectorName + ")";
- //gbTarget = gbTarget + " (" + TargetToSectorNameMapper.getSectorNameViaTarget(gbTarget) + ")";
+ //now check every single attribute
+ SAMLAttribute samlAttribute = null;
+ Pair<String, String> userSectorId = null;
+ if (session.getSAMLAttributeGebeORwbpk()) {
+ //check the first attribute ("Geschaeftsbereich" or "wbPK")
+ samlAttribute = samlAttributes[0];
+
+ //calculate bPK or wbPK as reference value for validation
+ if (MiscUtil.isNotEmpty(saml1RequestedTarget))
+ userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
+ saml1RequestedTarget);
+ else
+ userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ identityLink.getIdentificationValue(), identityLink.getIdentificationType(),
+ oaParam.getAreaSpecificTargetIdentifier());
+
+ //every sector specific identifier that has not 'urn:publicid:gv.at:cdid+' as prefix
+ // is internally handled as an AuthBlock with wbPK
+ if (!userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+ if (!samlAttribute.getName().equals("wbPK")) {
+ if (samlAttribute.getName().equals("Geschaeftsbereich")) {
+ throw new ValidateException("validator.26", null);
+
+ } else {
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
+ }
+ }
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundWBPK = true;
+ try {
+ Element attrValue = (Element)samlAttribute.getValue();
+ String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
+ String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
+ if (!value.equals(userSectorId.getFirst()))
+ throw new ValidateException("validator.28", null);
- if (!gbTarget.equals((String)samlAttribute.getValue())) {
- throw new ValidateException("validator.13", null);
- }
- } else {
- throw new ValidateException("validator.12", null);
- }
- }
- } else {
- offset--;
- }
+ if (!type.equals(userSectorId.getSecond()))
+ throw new ValidateException("validator.28", null);
+
+ } catch (Exception ex) {
+ throw new ValidateException("validator.29", null);
+ }
+
+ } else
+ throw new ValidateException("validator.30", null);
+
+ } else {
+ if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
+ if (samlAttribute.getName().equals("wbPK"))
+ throw new ValidateException("validator.26", null);
+
+ else
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
+ }
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundGB = true;
+
+ String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(userSectorId.getSecond());
+ if (StringUtils.isEmpty(sectorName)) {
+ if (saml1RequestedFriendlyName != null)
+ sectorName = saml1RequestedFriendlyName;
+ else
+ sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+ }
+
+ String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
+ if (!refValueSector.equals((String)samlAttribute.getValue()))
+ throw new ValidateException("validator.13", null);
+
+ } else
+ throw new ValidateException("validator.12", null);
+
+ }
+
+ } else
+ //check nothing if wbPK or public SP target is not part of AuthBlock
+ offset--;
+
+ // check the second attribute (must be "OA")
+ samlAttribute = samlAttributes[1 + offset];
+ if (!samlAttribute.getName().equals("OA"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundOA = true;
+ if (!oaURL.equals((String)samlAttribute.getValue()))
+ throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
+
+ } else
+ throw new ValidateException("validator.15", null);
- // check the second attribute (must be "OA")
- samlAttribute = samlAttributes[1 + offset];
- if (!samlAttribute.getName().equals("OA")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundOA = true;
- if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch
- throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
- }
- } else {
- throw new ValidateException("validator.15", null);
- }
- // check the third attribute (must be "Geburtsdatum")
- samlAttribute = samlAttributes[2 + offset];
- if (!samlAttribute.getName().equals("Geburtsdatum")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String samlDateOfBirth = (String)samlAttribute.getValue();
- String dateOfBirth = identityLink.getDateOfBirth();
- if (!samlDateOfBirth.equals(dateOfBirth)) {
- throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
- }
- } else {
- throw new ValidateException("validator.35", null);
- }
+ // check the third attribute (must be "Geburtsdatum")
+ samlAttribute = samlAttributes[2 + offset];
+ if (!samlAttribute.getName().equals("Geburtsdatum"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlDateOfBirth = (String)samlAttribute.getValue();
+ String dateOfBirth = identityLink.getDateOfBirth();
+ if (!samlDateOfBirth.equals(dateOfBirth))
+ throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
+
+ } else
+ throw new ValidateException("validator.35", null);
- // check four attribute could be a special text
- samlAttribute = samlAttributes[3 + offset];
- if (!samlAttribute.getName().equals("SpecialText")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String samlSpecialText = (String)samlAttribute.getValue();
- samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
+ // check four attribute could be a special text
+ samlAttribute = samlAttributes[3 + offset];
+ if (!samlAttribute.getName().equals("SpecialText"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlSpecialText = (String)samlAttribute.getValue();
+ samlSpecialText = samlSpecialText.replaceAll("'", "&#39;");
- String text = "";
- if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
- Logger.info("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
- text = oaParam.getAditionalAuthBlockText();
- }
+ String text = "";
+ if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
+ Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
+ text = oaParam.getAditionalAuthBlockText();
+
+ }
- String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant);
- if (!samlSpecialText.equals(specialText)) {
- throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
- }
- } else {
- throw new ValidateException("validator.35", null);
+ String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text,
+ AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
+ pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
+ if (!samlSpecialText.equals(specialText))
+ throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
+
+ } else
+ throw new ValidateException("validator.35", null);
- }
-
-
- //check unique AuthBlock tokken
- samlAttribute = samlAttributes[4 + offset];
- if (!samlAttribute.getName().equals("UniqueTokken")) {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- String uniquetokken = (String)samlAttribute.getValue();
+
+ //check unique AuthBlock tokken
+ samlAttribute = samlAttributes[4 + offset];
+ if (!samlAttribute.getName().equals("UniqueTokken"))
+ throw new ValidateException("validator.37",
+ new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)});
+
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String uniquetokken = (String)samlAttribute.getValue();
- if (!uniquetokken.equals(session.getAuthBlockTokken())) {
- throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
- }
- } else {
- throw new ValidateException("validator.35", null);
- }
-
-
- // now check the extended SAML attributes
- int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
- if (extendedSAMLAttributes != null) {
- Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
- while (it.hasNext()) {
- ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
- samlAttribute = samlAttributes[i];
- String actualName = samlAttribute.getName();
- String expectedName = extendedSAMLAttribute.getName();
- if (!actualName.equals(expectedName)) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
- }
- String actualNamespace = samlAttribute.getNamespace();
- String expectedNamespace = extendedSAMLAttribute.getNameSpace();
- if (!actualNamespace.equals(expectedNamespace)) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
- }
- Object expectedValue = extendedSAMLAttribute.getValue();
- Object actualValue = samlAttribute.getValue();
- try {
- if (expectedValue instanceof String) {
- // replace \r\n because text might be base64-encoded
- String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
- expValue = StringUtils.replaceAll(expValue,"\n","");
- String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
- actValue = StringUtils.replaceAll(actValue,"\n","");
- if (!expValue.equals(actValue)) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
- }
- } else if (expectedValue instanceof Element) {
- // only check the name of the element
- String actualElementName = ((Element)actualValue).getNodeName();
- String expectedElementName = ((Element)expectedValue).getNodeName();
- if (!(expectedElementName.equals(actualElementName))){
- throw new ValidateException(
- "validator.38",
- new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
- }
- } else {
- // should not happen
- throw new ValidateException(
- "validator.38",
- new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
- }
- } catch (ClassCastException e) {
- throw new ValidateException(
- "validator.38",
- new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
- }
- i++;
- }
- }
-
+ if (!uniquetokken.equals(session.getAuthBlockTokken()))
+ throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()});
+ } else
+ throw new ValidateException("validator.35", null);
- if (!foundOA) throw new ValidateException("validator.14", null);
- if (businessService) {
- if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) throw new ValidateException("validator.31", null);
- } else {
- if (!foundGB) throw new ValidateException("validator.11", null);
- }
+
+ // now check the extended SAML attributes
+ int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
+ if (extendedSAMLAttributes != null) {
+ Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator();
+ while (it.hasNext()) {
+ ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
+ samlAttribute = samlAttributes[i];
+ String actualName = samlAttribute.getName();
+ String expectedName = extendedSAMLAttribute.getName();
+ if (!actualName.equals(expectedName))
+ throw new ValidateException("validator.38",
+ new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
+
+ String actualNamespace = samlAttribute.getNamespace();
+ String expectedNamespace = extendedSAMLAttribute.getNameSpace();
+ if (!actualNamespace.equals(expectedNamespace))
+ throw new ValidateException("validator.38",
+ new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
+
+ Object expectedValue = extendedSAMLAttribute.getValue();
+ Object actualValue = samlAttribute.getValue();
+ try {
+ if (expectedValue instanceof String) {
+ // replace \r\n because text might be base64-encoded
+ String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
+ expValue = StringUtils.replaceAll(expValue,"\n","");
+ String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
+ actValue = StringUtils.replaceAll(actValue,"\n","");
+ if (!expValue.equals(actValue))
+ throw new ValidateException("validator.38",
+ new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });
+
+ } else if (expectedValue instanceof Element) {
+ // only check the name of the element
+ String actualElementName = ((Element)actualValue).getNodeName();
+ String expectedElementName = ((Element)expectedValue).getNodeName();
+ if (!(expectedElementName.equals(actualElementName)))
+ throw new ValidateException("validator.38",
+ new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});
+
+ } else
+ // should not happen
+ throw new ValidateException("validator.38",
+ new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
+
+ } catch (ClassCastException e) {
+ throw new ValidateException("validator.38",
+ new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
+ }
+
+ i++;
+ }
+ }
+
+ if (!foundOA)
+ throw new ValidateException("validator.14", null);
+
+ if (userSectorId != null && !userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+ if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK)
+ throw new ValidateException("validator.31", null);
+
+ } else {
+ if (!foundGB)
+ throw new ValidateException("validator.11", null);
+ }
- //Check if dsig:Signature exists
-// NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
-// if (nl.getLength() != 1) {
-// throw new ValidateException("validator.05", null);
-// }
- Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
- if (dsigSignature == null) {
- throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
- }
+ //Check if dsig:Signature exists
+ Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
+ if (dsigSignature == null)
+ throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
+
}
/**
@@ -521,7 +540,7 @@ public class CreateXMLSignatureResponseValidator {
try {
if (MiscUtil.isNotEmpty(AuthConfigurationProviderFactory.getInstance().getSSOSpecialText())) {
text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
- Logger.info("Use addional AuthBlock Text from SSO=" +text);
+ Logger.debug("Use addional AuthBlock Text from SSO=" +text);
}
else
@@ -531,7 +550,9 @@ public class CreateXMLSignatureResponseValidator {
}
- String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant);
+ String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text,
+ AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap(
+ pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant));
if (!samlSpecialText.equals(specialText)) {
throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 4953dad02..c4ea80df9 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -183,7 +183,7 @@ public class VerifyXMLSignatureResponseValidator {
// to be ignored
boolean ignoreManifestValidationResult = false;
if (whatToCheck.equals(CHECK_IDENTITY_LINK))
- ignoreManifestValidationResult = (oaParam.getBusinessService()) ? true
+ ignoreManifestValidationResult = (oaParam.hasBaseIdInternalProcessingRestriction()) ? true
: false;
if (ignoreManifestValidationResult) {
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
index 55562176d..09c64c267 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
@@ -66,10 +66,10 @@ import org.w3c.dom.NodeList;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.ParseException;
-import at.gv.egovernment.moa.id.auth.exception.ValidateException;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.BoolUtils;
import at.gv.egovernment.moa.util.Constants;
@@ -688,7 +688,7 @@ public class ParepUtils {
* <code>false</code> calculates (w)bPKs and changes also the <code>pr:Identifivation/pr:Type</code> elements.
* @return The element where Stammzahlen are hidden.
*/
- public static Element HideStammZahlen(Element hideElement, boolean businessApplication, String target, String registerID, boolean blank)
+ public static Element HideStammZahlen(Element hideElement, boolean businessApplication, String oaTargetAreaId, boolean blank)
throws BuildException {
try {
if (hideElement != null) {
@@ -706,20 +706,11 @@ public class ParepUtils {
}
if (blank) {
idValueNode.setNodeValue("");
- } else {
- String idValue = idValueNode.getNodeValue();
- if (businessApplication) {
- // wbPK berechnen
- idTypeNode.setNodeValue(Constants.URN_PREFIX_WBPK + "+" + registerID);
- String bpkBase64 = new BPKBuilder().buildWBPK(idValueNode.getNodeValue(), registerID);
- idValueNode.setNodeValue(bpkBase64);
-
- } else {
- // bPK berechnen
- idTypeNode.setNodeValue(Constants.URN_PREFIX_BPK);
- String bpkBase64 = new BPKBuilder().buildBPK(idValueNode.getNodeValue(), target);
- idValueNode.setNodeValue(bpkBase64);
- }
+
+ } else {
+ Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier(idValueNode.getNodeValue(), oaTargetAreaId);
+ idValueNode.setNodeValue(calcId.getFirst());
+
}
}
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index c55b5a749..154006ed8 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -227,7 +227,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
authnRequestBuilder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM);
//set correct SPType for this online application
- if (oaConfig.getBusinessService())
+ if (oaConfig.hasBaseIdTransferRestriction())
authnRequestBuilder.spType(SpType.PRIVATE.getValue());
else
authnRequestBuilder.spType(SpType.PUBLIC.getValue());
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 4b67370d6..1ce900ebb 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -270,7 +270,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
//validate request country-code against eIDAS node config
String reqCC = samlReq.getOriginCountryCode();
- String eIDASTarget = oaConfig.getIdentityLinkDomainIdentifier();
+ String eIDASTarget = oaConfig.getAreaSpecificTargetIdentifier();
//validate eIDAS target
Pattern pattern = Pattern.compile("^" + at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
index d65d74c3f..299eb442e 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
@@ -48,6 +48,7 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder;
@@ -150,7 +151,8 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask {
String sourcePinType = moasession.getIdentityLink().getIdentificationType();
String sourcePinValue = moasession.getIdentityLink().getIdentificationValue();
if (sourcePinType.startsWith(Constants.URN_PREFIX_BASEID)) {
- representativeBPK = new BPKBuilder().buildBPK(sourcePinValue, configTarget);
+ Pair<String, String> userId = new BPKBuilder().generateAreaSpecificPersonIdentifier(sourcePinValue, configTarget);
+ representativeBPK = userId.getFirst();
} else {
Logger.debug("No 'SourcePin' found for representative. "
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
index 2f6a54027..4ce77d861 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
@@ -75,14 +75,6 @@ public class SSOTransferAuthenticationData implements IAuthData {
}
/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService()
- */
- @Override
- public boolean isBusinessService() {
- return this.isIDPPrivateService;
- }
-
- /* (non-Javadoc)
* @see at.gv.egovernment.moa.id.data.IAuthData#isSsoSession()
*/
@Override
@@ -362,4 +354,13 @@ public class SSOTransferAuthenticationData implements IAuthData {
return this.authSession.getGenericDataFromSession(key, clazz);
}
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.data.IAuthData#isBaseIDTransferRestrication()
+ */
+ @Override
+ public boolean isBaseIDTransferRestrication() {
+ return this.isIDPPrivateService;
+ }
+
}
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java
index 3affa17b3..c2132c1f9 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java
@@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS;
import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
/**
* @author tlenz
@@ -42,15 +43,7 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
public SSOTransferOnlineApplication() {
}
-
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
- */
- @Override
- public boolean getBusinessService() {
- return false;
- }
-
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSO()
*/
@@ -107,33 +100,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
}
/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
- */
- @Override
- public String getOaType() {
- // TODO Auto-generated method stub
- return null;
- }
-
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
- */
- @Override
- public String getTarget() {
- // TODO Auto-generated method stub
- return null;
- }
-
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName()
- */
- @Override
- public String getTargetFriendlyName() {
- // TODO Auto-generated method stub
- return null;
- }
-
- /* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInderfederationIDP()
*/
@Override
@@ -151,14 +117,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
return false;
}
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
- */
- @Override
- public String getIdentityLinkDomainIdentifier() {
- // TODO Auto-generated method stub
- return null;
- }
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getKeyBoxIdentifier()
@@ -226,15 +184,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
}
/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType()
- */
- @Override
- public String getIdentityLinkDomainIdentifierType() {
- // TODO Auto-generated method stub
- return null;
- }
-
- /* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowMandateCheckBox()
*/
@Override
@@ -441,4 +390,38 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters {
return false;
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdInternalProcessingRestriction()
+ */
+ @Override
+ public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException {
+ return false;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdTransferRestriction()
+ */
+ @Override
+ public boolean hasBaseIdTransferRestriction() throws ConfigurationException {
+ return false;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier()
+ */
+ @Override
+ public String getAreaSpecificTargetIdentifier() throws ConfigurationException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifierFriendlyName()
+ */
+ @Override
+ public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
}
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
index d3ebffdfd..9981e8156 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
@@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationImpl;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.URLEncoder;
@Service("SAML1_GetArtifactAction")
@@ -84,10 +85,12 @@ public class GetArtifactAction implements IAction {
String samlArtifactBase64 = saml1server.BuildSAMLArtifact(oaParam, authData, sourceID);
+ String oaTargetArea = req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class);
+
if (authData.isSsoSession()) {
String url = req.getAuthURL() + "/RedirectServlet";
url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8"));
- if (!oaParam.getBusinessService())
+ if (MiscUtil.isNotEmpty(oaTargetArea))
url = addURLParameter(url, MOAIDAuthConstants.PARAM_TARGET,
URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8"));
url = addURLParameter(url, MOAIDAuthConstants.PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8"));
@@ -99,7 +102,7 @@ public class GetArtifactAction implements IAction {
} else {
String redirectURL = oaURL;
- if (!oaParam.getBusinessService()) {
+ if (MiscUtil.isNotEmpty(oaTargetArea)) {
redirectURL = addURLParameter(redirectURL, MOAIDAuthConstants.PARAM_TARGET,
URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8"));
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index df8f13544..bf4a55e46 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -48,7 +48,6 @@ import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder;
import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.ParseException;
@@ -65,6 +64,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.storage.ITransactionStorage;
import at.gv.egovernment.moa.id.util.Random;
@@ -239,7 +239,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
//set prPersion
boolean provideStammzahl = saml1parameter.isProvideStammzahl()
- || oaParam.getBusinessService();
+ || oaParam.hasBaseIdTransferRestriction();
String prPerson = "";
String ilAssertion = "";
@@ -268,7 +268,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
id.setValue(value );
if ( MiscUtil.isNotEmpty(authData.getIdentificationValue()) &&
- saml1parameter.isProvideIdentityLink() && !authData.isBusinessService()) {
+ saml1parameter.isProvideIdentityLink() && !authData.isBaseIDTransferRestrication()) {
//add baseID if it is requested and available and SP is publicService
value.setValue(authData.getIdentificationValue());
id.setType(authData.getIdentificationType());
@@ -332,7 +332,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
try {
ExtendedSAMLAttribute[] extendedSAMLAttributes = addExtendedSamlAttributes(
- authData.getMISMandate(), oaParam.getBusinessService(),
+ authData.getMISMandate(), oaParam.hasBaseIdTransferRestriction(),
saml1parameter.isProvideStammzahl());
if (extendedSAMLAttributes != null) {
@@ -406,7 +406,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
ilAssertion,
authData.getBkuURL(),
signerCertificateBase64,
- oaParam.getBusinessService(),
+ oaParam.hasBaseIdTransferRestriction(),
oaAttributes,
useCondition,
conditionLength);
@@ -419,7 +419,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
ilAssertion,
authData.getBkuURL(),
signerCertificateBase64,
- oaParam.getBusinessService(),
+ oaParam.hasBaseIdTransferRestriction(),
authData.getExtendedSAMLAttributesOA(),
useCondition,
conditionLength);
@@ -486,27 +486,20 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
prPerson = ParepUtils.extractPrPersonOfMandate(mandate);
if (physical
- && oaParam.getBusinessService()
+ && oaParam.hasBaseIdTransferRestriction()
&& identificationType != null
&& Constants.URN_PREFIX_BASEID
.equals(identificationType)) {
// now we calculate the wbPK and do so if we got it from the
// BKU
-
- //load IdentityLinkDomainType from OAParam
- String type = oaParam.getIdentityLinkDomainIdentifier();
- if (type.startsWith(Constants.URN_PREFIX_WBPK + "+"))
- identificationType = type;
- else
- identificationType = Constants.URN_PREFIX_WBPK + "+"
- + type;
-
-
- identificationValue = new BPKBuilder().buildWBPK(
- identificationValue, identificationType);
- ParepUtils
- .HideStammZahlen(prPerson, true, null, null, true);
+ //load IdentityLinkDomainType from OAParam
+ Pair<String, String> targedId = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ identificationValue, oaParam.getAreaSpecificTargetIdentifier());
+ identificationValue = targedId.getFirst();
+ identificationType = targedId.getSecond();
+
+ ParepUtils.HideStammZahlen(prPerson, true, null, true);
}
}
@@ -520,18 +513,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
try {
boolean provideStammzahl = oaParam.getSAML1Parameter().isProvideStammzahl();
- String oatargetType;
- if(oaParam.getBusinessService()) {
- if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
- oatargetType = oaParam.getIdentityLinkDomainIdentifier();
- else
- oatargetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+oaParam.getIdentityLinkDomainIdentifier();
-
- } else {
- oatargetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
-
- }
-
+ String oatargetType = oaParam.getAreaSpecificTargetIdentifier();
Element prIdentification = (Element) prPerson.
getElementsByTagNameNS(Constants.PD_NS_URI,"Identification").item(0);
@@ -544,7 +526,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
String baseid = getBaseId(prPerson);
Element identificationBpK;
if (MiscUtil.isNotEmpty(baseid)) {
- identificationBpK = createIdentificationBPK(prPerson, baseid, oaParam.getTarget());
+ identificationBpK = createIdentificationBPK(prPerson, baseid, oatargetType);
if (!provideStammzahl) {
prIdentification.getFirstChild().setTextContent("");
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
index 37d66d29b..19fadb318 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
@@ -40,6 +40,7 @@ import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
@@ -118,7 +119,7 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController {
//preProcess SAML1 Request
preProcess(req, resp, pendingReq);
-
+
performAuthentication(req, resp, pendingReq);
return;
@@ -190,14 +191,19 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController {
if (MiscUtil.isNotEmpty(target)) {
pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, target);
- pendingRequest.setTarget(target);
+ pendingRequest.setTarget(MOAIDAuthConstants.PREFIX_CDID + target);
+
+ } else {
+ String targetArea = oaParam.getAreaSpecificTargetIdentifier();
+ pendingRequest.setTarget(targetArea);
+
+ if (targetArea.startsWith(MOAIDAuthConstants.PREFIX_CDID))
+ pendingRequest.setGenericDataToSession(REQ_DATA_TARGET,
+ targetArea.substring(MOAIDAuthConstants.PREFIX_CDID.length()));
- }
- else {
- pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, oaParam.getTarget());
- pendingRequest.setTarget(oaParam.getTarget());
}
+
//AuthnRequest needs authentication
pendingRequest.setNeedAuthentication(true);
diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
index 6372fefa8..a56be1f46 100644
--- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
+++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
@@ -78,7 +78,8 @@ public class IdentityLinkTestModule implements TestModuleInterface {
domVerifyXMLSignatureResponse).parseData();
DynamicOAAuthParameters oaParam = new DynamicOAAuthParameters();
- oaParam.setBusinessService(true);
+ oaParam.setHasBaseIdProcessingRestriction(true);
+ oaParam.setHasBaseIdTransfergRestriction(true);
VerifyXMLSignatureResponseValidator.getInstance().validate(
verifyXMLSignatureResponse,