| -rw-r--r-- | id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java | 82 | 
1 files changed, 44 insertions, 38 deletions
|
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 2eafaa297..7693c3170 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -1,12 +1,13 @@
 package at.gv.egovernment.moa.id.auth.validator;
 import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
 import at.gv.egovernment.moa.util.Constants;
-import at.gv.egovernment.moa.util.XPathUtils;
 /**
  * 
@@ -17,24 +18,6 @@ import at.gv.egovernment.moa.util.XPathUtils;
  * @version $Id$
  */
 public class CreateXMLSignatureResponseValidator {
-
-  /** Xpath prefix for reaching SAML Namespaces */
-  private static final String SAML = Constants.SAML_PREFIX + ":";
-  /** Xpath prefix for reaching XML-DSIG Namespaces */
-  private static final String DSIG = Constants.DSIG_PREFIX + ":";
-  /** Xpath expression to the SAML:Assertion element */
-  private static final String  ROOT =  SAML + "Assertion";
-  /** Xpath expression to the SAML:NameIdentifier element */
-  private static final String SAML_SUBJECT_NAME_IDENTIFIER_XPATH = 
-     SAML + "AttributeStatement/" + SAML + "Subject/" + 
-     SAML + "NameIdentifier";
-  /** Xpath expression to the SAML:Attribute element */     
-  private static final String SAML_ATTRIBUTE_XPATH = 
-     ROOT + "/" + SAML + "AttributeStatement/" + SAML + "Attribute";
-  /** Xpath expression to the SAML:AttributeValue element */     
-  private static final String SAML_ATTRIBUTE_VALUE_XPATH = 
-     SAML + "AttributeValue";
-    
   /** Singleton instance. <code>null</code>, if none has been created. */
   private static CreateXMLSignatureResponseValidator instance;
@@ -69,52 +52,75 @@ public class CreateXMLSignatureResponseValidator {
     String oaURL = session.getPublicOAURLPrefix(); 
     boolean businessService = session.getBusinessService();
-//    XPathUtils.selectNodeList(createXMLSignatureResponse.getSamlAssertion(),SAML_SUBJECT_NAME_IDENTIFIER_XPATH);
+    IdentityLink identityLink = session.getIdentityLink();
+    
+    String issuer = createXMLSignatureResponse.getSamlAssertion().getAttribute("Issuer");    
+    if (issuer == null) {
+      // should not happen, because parser would dedect this
+      throw new ValidateException("validator.32", null);
+    }
+    String name = identityLink.getName();
+    if (!issuer.equals(name)) {
+      throw new ValidateException("validator.33", new Object[] {issuer, name});
+    }
+    
-    SAMLAttribute[] samlattributes = createXMLSignatureResponse.getSamlAttributes();
+    SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
     boolean foundOA = false;
     boolean foundGB = false;
     boolean foundWBPK = false;
-    for (int i = 0; i < samlattributes.length; i++) {
-      if (samlattributes[i].getName().equals("Geschaeftsbereich")) { 
+    for (int i = 0; i < samlAttributes.length; i++) {
+      SAMLAttribute samlAttribute = samlAttributes[i];
+      if (samlAttribute.getName().equals("Geschaeftsbereich")) {
         if (businessService) {
          throw new ValidateException("validator.26", null);
        }
-        if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {          
+        if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {          
          foundGB = true;             
-          if (!gbTarget.equals((String)samlattributes[i].getValue())) {
+          if (!gbTarget.equals((String)samlAttribute.getValue())) {
            throw new ValidateException("validator.13", null);
           }                     
         } else {
          throw new ValidateException("validator.12", null);
        }
      }
-      if (samlattributes[i].getName().equals("OA")) {
-        if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+      if (samlAttribute.getName().equals("OA")) {
+        if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
          foundOA = true;            
-          if (!oaURL.equals((String)samlattributes[i].getValue())) {  // CHECKS für die AttributeVALUES fehlen noch             
-            throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlattributes[i].getValue()}); 
+          if (!oaURL.equals((String)samlAttribute.getValue())) {  // CHECKS für die AttributeVALUES fehlen noch             
+            throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
           }                     
         } else {
          throw new ValidateException("validator.15", null);
        }
      }
-      if (samlattributes[i].getName().equals("wbPK")) { 
+      if (samlAttribute.getName().equals("Geburtsdatum")) { 
+        if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+          String samlDateOfBirth = (String)samlAttribute.getValue();
+          String dateOfBirth = identityLink.getDateOfBirth();
+          if (!samlDateOfBirth.equals(dateOfBirth)) {
+            throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
+          }
+        } else {
+          throw new ValidateException("validator.35", null);
+        }
+      }
+      if (samlAttribute.getName().equals("wbPK")) { 
         if (!businessService) {
          throw new ValidateException("validator.27", null);
        }
-        if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {          
+        if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {          
          foundWBPK = true;
          try {
-            Element attrValue = (Element)samlattributes[i].getValue();
+            Element attrValue = (Element)samlAttribute.getValue();
            String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
            String type =  ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
-            if (!value.equals(session.getIdentityLink().getIdentificationValue())) {
+            if (!value.equals(identityLink.getIdentificationValue())) {
              throw new ValidateException("validator.28", null); 
            }
-            if (!type.equals(session.getIdentityLink().getIdentificationType())) {
+            if (!type.equals(identityLink.getIdentificationType())) {
              throw new ValidateException("validator.28", null); 
            }
          } catch (Exception ex) {
@@ -134,9 +140,9 @@ public class CreateXMLSignatureResponseValidator {
     }
     //Check if dsig:Signature exists
-     Element dsigSignature = (Element) XPathUtils.selectSingleNode(createXMLSignatureResponse.getSamlAssertion(),DSIG + "Signature");
-     if (dsigSignature==null) throw new ValidateException("validator.05", null);
-   
-    
+    NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
+    if (nl.getLength() != 1) {
+      throw new ValidateException("validator.05", null);
+    }
   }
 }
| 
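Review bot: The `if (issuer == null)` guard added after `getAttribute("Issuer")` never fires, because the DOM `Element.getAttribute` contract returns an empty string, not null, for a missing attribute; the only thing that then rejects an assertion without an Issuer is the later `issuer.equals(name)` comparison, which also passes if `identityLink.getName()` is ever empty. Make the guard explicit with `if (issuer == null || issuer.length() == 0) {` and replace the comment (`// should not happen ... dedect`) with one that states the actual case, e.g. `// no Issuer on the Assertion: nothing to compare the identity link name against`. The new Geburtsdatum branch also sets no found flag, unlike foundOA/foundGB/foundWBPK; if those flags are checked after the loop (outside this hunk, as the hunk boundary suggests), an assertion that simply omits the Geburtsdatum attribute skips the date-of-birth comparison entirely, so add `boolean foundDateOfBirth = false;` next to the other flags, set it in the branch and verify it with the others. The `(String)samlAttribute.getValue()` cast in that branch is also outside the try/catch the wbPK branch uses, so a non-text attribute value would surface as a ClassCastException rather than a ValidateException.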
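Review bot: `getElementsByTagNameNS` on the assertion element returns every dsig:Signature anywhere in its subtree, so the new `nl.getLength() != 1` test rejects additional signatures but does not establish that the one it found is the Assertion's own, which the removed relative XPath `DSIG + "Signature"` did as a child step (assuming XPathUtils evaluated it against the context node). Add a parent check after the length test: `if (nl.item(0).getParentNode() != createXMLSignatureResponse.getSamlAssertion()) { throw new ValidateException("validator.05", null); }`. The comment `//Check if dsig:Signature exists` would then read more accurately as `// exactly one dsig:Signature, and it must be a direct child of the Assertion`.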
