2 files changed, 61 insertions, 100 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 0b4b6b4af..b412b9964 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -311,27 +311,28 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	}
 	/**
-	 * Processes an <code><InfoboxReadResponse></code> sent by the
-	 * security layer implementation.<br>
+	 * Processes an <code><InfoboxReadResponse></code> sent by the security layer implementation.<br>
 	 * <ul>
 	 * <li>Validates given <code><InfoboxReadResponse></code></li>
-	 * <li>Parses identity link enclosed in
-	 * <code><InfoboxReadResponse></code></li>
+	 * <li>Parses identity link enclosed in <code><InfoboxReadResponse></code></li>
 	 * <li>Verifies identity link by calling the MOA SP component</li>
 	 * <li>Checks certificate authority of identity link</li>
 	 * <li>Stores identity link in the session</li>
 	 * <li>Verifies all additional infoboxes returned from the BKU</li>
 	 * <li>Creates an authentication block to be signed by the user</li>
-	 * <li>Creates and returns a <code><CreateXMLSignatureRequest></code>
-	 * containg the authentication block, meant to be returned to the security
-	 * layer implementation</li>
+	 * <li>Creates and returns a <code><CreateXMLSignatureRequest></code> containg the authentication block, meant
+	 * to be returned to the security layer implementation</li>
 	 * </ul>
-	 *
-	 * @param sessionID                     ID of associated authentication session data
-	 * @param infoboxReadResponseParameters The parameters from the response returned from the BKU
-	 *                                      including the <code><InfoboxReadResponse></code>
-	 * @return String representation of the
-	 * <code><CreateXMLSignatureRequest></code>
+	 * 
+	 * @param sessionID
+	 *            ID of associated authentication session data
+	 * @param infoboxReadResponseParameters
+	 *            The parameters from the response returned from the BKU including the
+	 *            <code><InfoboxReadResponse></code>
+	 * @return String "found!" in case the identity link could be retrieved and successfully validated, {@code null} in
+	 *         case the identity link could not be retrieved (indicates that the card did not contain an identity link
+	 *         which might indicate a foreign identity). Note that failing to parse or failing to validate the identity
+	 *         link results in an Exception being thrown.
 	 * @throws BKUException
 	 */
 	public String verifyIdentityLink(AuthenticationSession session,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java
index c24e42b3a..09dd9e1f7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java
@@ -20,7 +20,6 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.ParseException;
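Review bot: The rewritten Javadoc still carries `@param sessionID`, but the signature on the hunk's last visible line takes `AuthenticationSession session`, so the tag matches no parameter and javadoc will report it; it should read `@param session the authentication session whose identity link is verified and stored`. The new `@return` text documents the sentinel string `"found!"` whose only meaning is found/not found, and the companion change in VerifyIdentityLinkTask only compares the result with null, which suggests the contract is really a boolean; at minimum state that callers should test for null rather than compare against the literal. The typo `containg` is carried into the new `<li>` line and should become `containing`. The remainder of the signature lies outside the hunk.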
  import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
  import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
 -import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
  import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
  import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
  import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 @@ -76,6 +75,11 @@ public class VerifyIdentityLinkTask extends AbstractAuthServletTask {
 		Logger.debug("POST VerifyIdentityLink");
 +		resp.setHeader(HEADER_EXPIRES, HEADER_VALUE_EXPIRES);
 +		resp.setHeader(HEADER_PRAGMA, HEADER_VALUE_PRAGMA);
 +		resp.setHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL);
 +		resp.addHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL_IE);
 +		
  		Map<String, String> parameters;
  		String pendingRequestID = null;
 @@ -85,111 +89,67 @@ public class VerifyIdentityLinkTask extends AbstractAuthServletTask {
 			Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage());
  			throw new IOException(e.getMessage());
  		}
 -		String sessionID = req.getParameter(PARAM_SESSIONID);
 -
 -		// escape parameter strings
 -		sessionID = StringEscapeUtils.escapeHtml(sessionID);
 -
 -		pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
 -
 -		resp.setHeader(HEADER_EXPIRES, HEADER_VALUE_EXPIRES);
 -		resp.setHeader(HEADER_PRAGMA, HEADER_VALUE_PRAGMA);
 -		resp.setHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL);
 -		resp.addHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL_IE);
 -
 +		
  		try {
 +			
 +			String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID));
 +			
  			// check parameter
 -			if (!ParamValidatorUtils.isValidSessionID(sessionID))
 +			if (!ParamValidatorUtils.isValidSessionID(sessionID)) {
  				throw new WrongParametersException("VerifyIdentityLink", PARAM_SESSIONID, "auth.12");
 +			}
 +
 +			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
  			AuthenticationSession session = AuthenticationServer.getSession(sessionID);
  			// change MOASessionID
  			sessionID = AuthenticationSessionStoreage.changeSessionID(session);
 -			String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyIdentityLink(session,
 -					parameters);
 -
 -			Logger.debug(createXMLSignatureRequestOrRedirect);
 -
 -			if (createXMLSignatureRequestOrRedirect == null) {
 -				// no identity link found
 -
 -				boolean useMandate = session.getUseMandate();
 -				if (useMandate) {
 -					Logger.error("Online-Mandate Mode for foreign citizencs not supported.");
 -					throw new AuthenticationException("auth.13", null);
 -				}
 -				// TODO[branch]: Foreign citizen; respond with IRR for certificates, dataURL = "/VerifyCertificate"
 -
 -				try {
 -
 -					Logger.info("Send InfoboxReadRequest to BKU to get signer certificate.");
 -
 -					// create the InfoboxReadRequest to get the certificate
 -					String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
 -
 -					// build dataurl (to the VerifyCertificateSerlvet)
 -					String dataurl = new DataURLBuilder().buildDataURL(session.getAuthURL(), REQ_VERIFY_CERTIFICATE,
 -							session.getSessionID());
 +			boolean identityLinkFound = AuthenticationServer.getInstance().verifyIdentityLink(session, parameters) != null;
 +			boolean useMandate = session.getUseMandate();
 +			
 +			if (!identityLinkFound && useMandate) {
 +				Logger.error("Online-Mandate Mode for foreign citizencs not supported.");
 +				throw new AuthenticationException("auth.13", null);
 +			}
 +			
 +			if (!identityLinkFound || useMandate) {
 +			
 +				// TODO[branch]: Foreign citizen or mandate mode; respond with IRR for certificates, dataURL = "/VerifyCertificate"
 +				Logger.info("Send InfoboxReadRequest to BKU to get signer certificate.");
 -					ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest,
 -							AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
 +				// create the InfoboxReadRequest to get the certificate
 +				String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
 -				} catch (Exception e) {
 -					handleError(null, e, req, resp, pendingRequestID);
 -				}
 +				// build dataurl (to the VerifyCertificateSerlvet)
 +				String dataurl = new DataURLBuilder().buildDataURL(session.getAuthURL(), REQ_VERIFY_CERTIFICATE,
 +						session.getSessionID());
 +				AuthenticationSessionStoreage.storeSession(session);
 +				
 +				ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest,
 +						AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
  			} else {
 -				boolean useMandate = session.getUseMandate();
 -
 -				if (useMandate) { // Mandate modus
 -
 -					// TODO[branch]: Mandate; respond with IRR for certificates, dataURL = "/VerifyCertificate"
 -
 -					// read certificate and set dataurl to
 -					Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
 -
 -					String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
 +				
 +				Logger.info("Normal");
 -					// build dataurl (to the GetForeignIDSerlvet)
 -					String dataurl = new DataURLBuilder().buildDataURL(session.getAuthURL(), REQ_VERIFY_CERTIFICATE,
 -							session.getSessionID());
 +				// TODO[branch]: Default behaviour; respond with CXSR for authblock signature, dataURL "/VerifyAuthBlock"
 -					// Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)");
 -					// ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest,
 -					// AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
 +				OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
 +						session.getPublicOAURLPrefix());
 +				AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
 -					Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)");
 -					ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest,
 -							AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
 +				String createXMLSignatureRequest = AuthenticationServer.getInstance()
 +						.getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam);
 -				} else {
 -					Logger.info("Normal");
 -
 -					// TODO[branch]: Default behaviour; respond with CXSR for authblock signature, dataURL
 -					// "/VerifyAuthBlock"
 -
 -					OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
 -							session.getPublicOAURLPrefix());
 -					AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
 -
 -					createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance()
 -							.getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam);
 -
 -					ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session,
 -							createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT,
 -							"VerifyIdentityLink");
 -				}
 -			}
 -
 -			try {
  				AuthenticationSessionStoreage.storeSession(session);
 -
 -			} catch (MOADatabaseException e) {
 -				Logger.info("No valid MOA session found. Authentification process is abourted.");
 -				throw new AuthenticationException("auth.20", null);
 +				
 +				ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session,
 +						createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT,
 +						"VerifyIdentityLink");
  			}
 +
  		} catch (ParseException ex) {
  			handleError(null, ex, req, resp, pendingRequestID);
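Review bot: The two new `AuthenticationSessionStoreage.storeSession(session);` calls (certificate branch and default branch) no longer have the `MOADatabaseException` → `auth.20` translation that the removed try/catch provided, and the import of that exception is dropped in the hunk above, so a storage failure now reaches whichever broader catch clause follows the visible `catch (ParseException ex)` and is reported under that clause's code instead of `auth.20`; confirm this is intended, or wrap both calls in `catch (MOADatabaseException e) { throw new AuthenticationException("auth.20", null); }`. The reassignment `sessionID = AuthenticationSessionStoreage.changeSessionID(session);` is never read again in the try body, so it can stand as `AuthenticationSessionStoreage.changeSessionID(session);` to make clear that only the side effect is wanted. Because `pendingRequestID` is now looked up only after `isValidSessionID` passes, a `WrongParametersException` reaches `handleError` with a null pending request ID; that ordering is the safer one (no lookup with an unvalidated id) but deserves a comment such as `// pendingRequestID stays null when the session id is rejected; handleError must tolerate that`. The method's remaining catch clauses continue past the hunk.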
