-rw-r--r-- | id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java | 82 |
1 files changed, 44 insertions, 38 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 2eafaa297..7693c3170 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -1,12 +1,13 @@
 package at.gv.egovernment.moa.id.auth.validator;
 import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
 import at.gv.egovernment.moa.util.Constants;
-import at.gv.egovernment.moa.util.XPathUtils;
 /**
  * 
@@ -17,24 +18,6 @@ import at.gv.egovernment.moa.util.XPathUtils;
  * @version $Id$
  */
 public class CreateXMLSignatureResponseValidator {
-
- /** Xpath prefix for reaching SAML Namespaces */
- private static final String SAML = Constants.SAML_PREFIX + ":";
- /** Xpath prefix for reaching XML-DSIG Namespaces */
- private static final String DSIG = Constants.DSIG_PREFIX + ":";
- /** Xpath expression to the SAML:Assertion element */
- private static final String ROOT = SAML + "Assertion";
- /** Xpath expression to the SAML:NameIdentifier element */
- private static final String SAML_SUBJECT_NAME_IDENTIFIER_XPATH =
- SAML + "AttributeStatement/" + SAML + "Subject/" +
- SAML + "NameIdentifier";
- /** Xpath expression to the SAML:Attribute element */
- private static final String SAML_ATTRIBUTE_XPATH =
- ROOT + "/" + SAML + "AttributeStatement/" + SAML + "Attribute";
- /** Xpath expression to the SAML:AttributeValue element */
- private static final String SAML_ATTRIBUTE_VALUE_XPATH =
- SAML + "AttributeValue";
-
 /** Singleton instance. <code>null</code>, if none has been created. */
 private static CreateXMLSignatureResponseValidator instance;
@@ -69,52 +52,75 @@ public class CreateXMLSignatureResponseValidator {
 String oaURL = session.getPublicOAURLPrefix();
 boolean businessService = session.getBusinessService();
-// XPathUtils.selectNodeList(createXMLSignatureResponse.getSamlAssertion(),SAML_SUBJECT_NAME_IDENTIFIER_XPATH);
+ IdentityLink identityLink = session.getIdentityLink();
+
+ String issuer = createXMLSignatureResponse.getSamlAssertion().getAttribute("Issuer");
+ if (issuer == null) {
+ // should not happen, because parser would dedect this
+ throw new ValidateException("validator.32", null);
+ }
+ String name = identityLink.getName();
+ if (!issuer.equals(name)) {
+ throw new ValidateException("validator.33", new Object[] {issuer, name});
+ }
+
- SAMLAttribute[] samlattributes = createXMLSignatureResponse.getSamlAttributes();
+ SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
 boolean foundOA = false;
 boolean foundGB = false;
 boolean foundWBPK = false;
- for (int i = 0; i < samlattributes.length; i++) {
- if (samlattributes[i].getName().equals("Geschaeftsbereich")) {
+ for (int i = 0; i < samlAttributes.length; i++) {
+ SAMLAttribute samlAttribute = samlAttributes[i];
+ if (samlAttribute.getName().equals("Geschaeftsbereich")) {
 if (businessService) {
 throw new ValidateException("validator.26", null);
 }
- if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
 foundGB = true;
- if (!gbTarget.equals((String)samlattributes[i].getValue())) {
+ if (!gbTarget.equals((String)samlAttribute.getValue())) {
 throw new ValidateException("validator.13", null);
 }
 } else {
 throw new ValidateException("validator.12", null);
 }
 }
- if (samlattributes[i].getName().equals("OA")) {
- if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ if (samlAttribute.getName().equals("OA")) {
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
 foundOA = true;
- if (!oaURL.equals((String)samlattributes[i].getValue())) { // CHECKS für die AttributeVALUES fehlen noch
- throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlattributes[i].getValue()});
+ if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch
+ throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
 }
 } else {
 throw new ValidateException("validator.15", null);
 }
 }
- if (samlattributes[i].getName().equals("wbPK")) {
+ if (samlAttribute.getName().equals("Geburtsdatum")) {
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlDateOfBirth = (String)samlAttribute.getValue();
+ String dateOfBirth = identityLink.getDateOfBirth();
+ if (!samlDateOfBirth.equals(dateOfBirth)) {
+ throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
+ }
+ } else {
+ throw new ValidateException("validator.35", null);
+ }
+ }
+ if (samlAttribute.getName().equals("wbPK")) {
 if (!businessService) {
 throw new ValidateException("validator.27", null);
 }
- if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
 foundWBPK = true;
 try {
- Element attrValue = (Element)samlattributes[i].getValue();
+ Element attrValue = (Element)samlAttribute.getValue();
 String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
 String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
- if (!value.equals(session.getIdentityLink().getIdentificationValue())) {
+ if (!value.equals(identityLink.getIdentificationValue())) {
 throw new ValidateException("validator.28", null);
 }
- if (!type.equals(session.getIdentityLink().getIdentificationType())) {
+ if (!type.equals(identityLink.getIdentificationType())) {
 throw new ValidateException("validator.28", null);
 }
 } catch (Exception ex) {
@@ -134,9 +140,9 @@ public class CreateXMLSignatureResponseValidator {
 }
 //Check if dsig:Signature exists
- Element dsigSignature = (Element) XPathUtils.selectSingleNode(createXMLSignatureResponse.getSamlAssertion(),DSIG + "Signature");
- if (dsigSignature==null) throw new ValidateException("validator.05", null);
-
-
+ NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
+ if (nl.getLength() != 1) {
+ throw new ValidateException("validator.05", null);
+ }
 }
 }