33 files changed, 3315 insertions, 126 deletions
diff --git a/0001-fix-problems-with-OracleDB-and-configuration-storage.patch b/0001-fix-problems-with-OracleDB-and-configuration-storage.patch new file mode 100644 index 000000000..c03696599 --- /dev/null +++ b/0001-fix-problems-with-OracleDB-and-configuration-storage.patch 
@@ -0,0 +1,1158 @@ +From fa3f73a46151d06c4f80eb0c43d3eda6c23c3709 Mon Sep 17 00:00:00 2001 +From: Thomas Lenz <tlenz@iaik.tugraz.at> +Date: Tue, 15 Sep 2015 12:55:30 +0200 +Subject: [PATCH 1/3] fix problems with OracleDB and configuration storage + implementation + +--- + .../config/ConfigurationProvider.java | 7 + + .../validation/oa/OAPVP2ConfigValidation.java | 6 +- + .../moa-id-configtool.properties | 1 + + .../data/deploy/conf/moa-id/moa-id.properties | 1 + + .../PropertyBasedAuthConfigurationProvider.java | 12 +- + .../id/storage/AuthenticationSessionStoreage.java | 569 ++++++++++++--------- + .../main/resources/moaid.configuration.beans.xml | 2 +- + .../config/persistence/MOAIDConfiguration.java | 12 + + .../config/persistence/MOAIDConfigurationImpl.java | 110 ++-- + .../moa/id/commons/db/MOASessionDBUtils.java | 10 +- + .../moa/id/commons/db/NewConfigurationDBRead.java | 7 +- + .../db/dao/config/DatabaseConfigPropertyImpl.java | 35 +- + .../src/main/resources/moaid.migration.beans.xml | 2 +- + 13 files changed, 494 insertions(+), 280 deletions(-) + +diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java +index 849e819..e2a55db 100644 +--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java ++++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java +@@ -188,6 +188,13 @@ public class ConfigurationProvider { + + + /** ++ * @return the props ++ */ ++ public Properties getConfigurationProperties() { ++ return props; ++ } ++ ++ /** + * @return the deprecatedDBWrite + */ + public FileBasedUserConfiguration getUserManagement() { +diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java 
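Review bot: `getConfigurationProperties()` in the ConfigurationProvider hunk hands out the provider's internal `props` object itself, so any caller can modify the live configuration, and the one caller added in this patch (OAPVP2ConfigValidation) only needs a single key, `hibernate.connection.driver_class`. The same properties object presumably also carries the DBCP/Hibernate connection settings for this component, so a narrower read-only accessor keeps those out of reach: `public String getConfigurationProperty(String key) { return props.getProperty(key); }`. The Javadoc `@return the props` should also say what the object is, e.g. `@return the raw configuration properties this provider was loaded from`.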
b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java +index 18452ed..35b6927 100644 +--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java ++++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java +@@ -76,7 +76,11 @@ public class OAPVP2ConfigValidation { + + else { + try { +- Map<String, String> oa = ConfigurationProvider.getInstance().getDbRead().getOnlineApplicationKeyValueWithId(oaID); ++ //OracleDB does not allow the selection of a lob in SQL where expression ++ String dbDriver = ConfigurationProvider.getInstance().getConfigurationProperties().getProperty("hibernate.connection.driver_class"); ++ boolean backupVersion = MiscUtil.isNotEmpty(dbDriver) && dbDriver.startsWith("oracle.jdbc."); ++ ++ Map<String, String> oa = ConfigurationProvider.getInstance().getDbRead().getOnlineApplicationKeyValueWithId(oaID, backupVersion); + if (oa != null && + MiscUtil.isNotEmpty(oa.get(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE))) { + certSerialized = Base64Utils.decode(oa.get(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE), false); +diff --git a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties +index 9a3b367..825a9f1 100644 +--- a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties ++++ b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties +@@ -35,6 +35,7 @@ dbcp.maxWaitMillis=-1 + dbcp.testOnBorrow=true + dbcp.testOnReturn=false + dbcp.testWhileIdle=false ++dbcp.validationQuery=SELECT 1 + + ##Mail + general.mail.host=smtp.localhost... 
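Review bot: The Oracle detection `MiscUtil.isNotEmpty(dbDriver) && dbDriver.startsWith("oracle.jdbc.")` added here is duplicated verbatim in the PropertyBasedAuthConfigurationProvider hunk (`getActiveOnlineApplication`), each reading a differently named driver-class property, and every future caller of the OA lookup will have to repeat it to pick the right query variant. If the configuration layer (`NewConfigurationDBRead` / `MOAIDConfigurationImpl`) can see its own datasource driver, it would be cleaner for it to choose the LOB-safe query itself instead of callers threading a `backupVersion` flag through; otherwise at least centralise the test in one helper, e.g. `public static boolean isOracleDriver(String driverClass) { return MiscUtil.isNotEmpty(driverClass) && driverClass.startsWith("oracle.jdbc."); }`. The comment `//OracleDB does not allow the selection of a lob in SQL where expression` is useful and should accompany that helper rather than each call site.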
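Review bot: The new `dbcp.validationQuery=SELECT 1` (and `configuration.dbcp.validationQuery=SELECT 1` in the moa-id.properties hunk) ships a statement that Oracle rejects, since Oracle requires a FROM clause (`SELECT 1 FROM DUAL`), so an Oracle deployment, the case this commit targets, fails pool validation on first borrow because `dbcp.testOnBorrow=true` is set right above. A one-line hint next to the key, `# Oracle: SELECT 1 FROM DUAL`, would save operators a confusing connection failure. Since the beans.xml hunk now resolves `${configuration.dbcp.validationQuery}` unconditionally, the key must also be documented as mandatory for existing installations that upgrade their properties file.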
+diff --git a/id/server/data/deploy/conf/moa-id/moa-id.properties b/id/server/data/deploy/conf/moa-id/moa-id.properties +index 66f9afa..49e69c5 100644 +--- a/id/server/data/deploy/conf/moa-id/moa-id.properties ++++ b/id/server/data/deploy/conf/moa-id/moa-id.properties +@@ -107,6 +107,7 @@ configuration.dbcp.maxWaitMillis=-1 + configuration.dbcp.testOnBorrow=true + configuration.dbcp.testOnReturn=false + configuration.dbcp.testWhileIdle=false ++configuration.dbcp.validationQuery=SELECT 1 + + # + #Hibnerate configuration for MOA-ID 2.0 advanced statistic logging +diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java +index 190c5f0..6458314 100644 +--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java ++++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java +@@ -980,9 +980,17 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide + * @return the requested online application or {@code null} + */ + public Map<String, String> getActiveOnlineApplication(String id) { +- Logger.trace("Get active OnlineApplication with ID " + id + " from database."); ++ Logger.trace("Get active OnlineApplication with ID " + id + " from database."); ++ Map<String, String> oaConfig = null; + try { +- Map<String, String> oaConfig = configuration.getOnlineApplication(id); ++ //OracleDB does not allow the selection of a lob in SQL where expression ++ String dbDriver = properties.getProperty("configuration.hibernate.connection.driver_class"); ++ if (MiscUtil.isNotEmpty(dbDriver) && dbDriver.startsWith("oracle.jdbc.")) ++ oaConfig = configuration.getOnlineApplicationBackupVersion(id); ++ ++ else ++ oaConfig = 
configuration.getOnlineApplication(id); ++ + if (oaConfig != null) { + String isActiveString = oaConfig.get(MOAIDConfigurationConstants.SERVICE_ISACTIVE); + if (isActiveString != null && Boolean.valueOf(isActiveString)) +diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +index 4b4b5dd..829383c 100644 +--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java ++++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +@@ -206,26 +206,34 @@ public class AuthenticationSessionStoreage { + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; +- +- synchronized (session) { +- +- session.beginTransaction(); +- Query query = session.getNamedQuery("getSessionWithID"); +- query.setParameter("sessionid", moaSessionID); +- result = query.list(); +- +- +- Logger.trace("Found entries: " + result.size()); ++ Transaction tx = null; ++ try { ++ synchronized (session) { ++ ++ tx = session.beginTransaction(); ++ Query query = session.getNamedQuery("getSessionWithID"); ++ query.setParameter("sessionid", moaSessionID); ++ result = query.list(); ++ + +- //Assertion requires an unique artifact +- if (result.size() != 1) { +- Logger.trace("No entries found."); +- throw new MOADatabaseException("No session found with this sessionID"); ++ Logger.trace("Found entries: " + result.size()); ++ ++ //Assertion requires an unique artifact ++ if (result.size() != 1) { ++ Logger.trace("No entries found."); ++ throw new MOADatabaseException("No session found with this sessionID"); ++ } ++ ++ AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0); ++ tx.commit(); ++ cleanDelete(dbsession); + } + +- AuthenticatedSessionStore dbsession = 
(AuthenticatedSessionStore) result.get(0); +- session.getTransaction().commit(); +- cleanDelete(dbsession); ++ } catch (Exception e) { ++ if (tx != null && !tx.wasCommitted()) ++ tx.rollback(); ++ throw e; ++ + } + + } +@@ -290,28 +298,36 @@ public class AuthenticationSessionStoreage { + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; +- +- synchronized (session) { +- session.beginTransaction(); +- Query query = session.getNamedQuery("getSessionWithSSOID"); +- query.setParameter("sessionid", SSOSessionID); +- result = query.list(); ++ Transaction tx = null; ++ try { ++ synchronized (session) { ++ ++ tx = session.beginTransaction(); ++ Query query = session.getNamedQuery("getSessionWithSSOID"); ++ query.setParameter("sessionid", SSOSessionID); ++ result = query.list(); + +- //send transaction +- session.getTransaction().commit(); +- } ++ //send transaction ++ tx.commit(); ++ ++ } + +- Logger.trace("Found entries: " + result.size()); ++ Logger.trace("Found entries: " + result.size()); + +- //Assertion requires an unique artifact +- if (result.size() != 1) { +- Logger.trace("No entries found."); +- return null; ++ //Assertion requires an unique artifact ++ if (result.size() != 1) { ++ Logger.trace("No entries found."); ++ return null; + +- } else { +- return result.get(0).getSessionid(); ++ } else { ++ return result.get(0).getSessionid(); + +- } ++ } ++ } catch (Exception e) { ++ if (tx != null && !tx.wasCommitted()) ++ tx.rollback(); ++ throw e; ++ } + } + + public static boolean isSSOSession(String sessionID) throws MOADatabaseException { +@@ -331,27 +347,33 @@ public class AuthenticationSessionStoreage { + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; +- +- synchronized (session) { +- session.beginTransaction(); +- Query query = session.getNamedQuery("getSessionWithSSOID"); +- query.setParameter("sessionid", SSOId); +- result = query.list(); ++ Transaction tx 
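Review bot: The rollback block `if (tx != null && !tx.wasCommitted()) tx.rollback(); throw e;` introduced in this hunk is pasted into roughly a dozen methods of AuthenticationSessionStoreage in this patch (the hunks at @@ -290, -331, -453, -507, -547, -623, -691, -721, -847, -930 and -1004), with a slightly different variant in @@ -453 and one using `session.getTransaction()` in @@ -475/-496. A single private helper, `private static void rollbackIfActive(Transaction tx) { if (tx != null && !tx.wasCommitted()) tx.rollback(); }`, would make the per-method catch a one-liner and keep the condition consistent if it ever changes. Note that with this change `cleanDelete(dbsession)` now runs inside the `synchronized (session)` block after `tx.commit()`; if that was intended, a short comment saying the delete must stay under the session lock would help the next reader. The enclosing method's signature lies before the hunk.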
= null; ++ try { ++ synchronized (session) { ++ tx = session.beginTransaction(); ++ Query query = session.getNamedQuery("getSessionWithSSOID"); ++ query.setParameter("sessionid", SSOId); ++ result = query.list(); ++ ++ //send transaction ++ tx.commit(); ++ } ++ ++ Logger.trace("Found entries: " + result.size()); + +- //send transaction +- session.getTransaction().commit(); ++ //Assertion requires an unique artifact ++ if (result.size() != 1) { ++ Logger.trace("No entries found."); ++ return null; ++ ++ } else { ++ return result.get(0); ++ } ++ } catch (Exception e) { ++ if (tx != null && !tx.wasCommitted()) ++ tx.rollback(); ++ throw e; + } +- +- Logger.trace("Found entries: " + result.size()); +- +- //Assertion requires an unique artifact +- if (result.size() != 1) { +- Logger.trace("No entries found."); +- return null; +- +- } else { +- return result.get(0); +- } + } + + public static void addSSOInformation(String moaSessionID, String SSOSessionID, +@@ -453,13 +475,15 @@ public class AuthenticationSessionStoreage { + + } catch(HibernateException e) { + Logger.warn("Error during database saveOrUpdate. Rollback.", e); +- tx.rollback(); +- throw new AuthenticationException("SSO Session information can not be stored! --> SSO is deactivated", null); +- } ++ if (tx != null && !tx.wasCommitted()) ++ tx.rollback(); ++ throw new AuthenticationException("SSO Session information can not be stored! 
--> SSO is deactivated", null); ++ } + } + + public static List<OASessionStore> getAllActiveOAFromMOASession(AuthenticationSession moaSession) { + MiscUtil.assertNotNull(moaSession, "MOASession"); ++ Session session = null; + + try { + List<OASessionStore> oas = new ArrayList<OASessionStore>(); +@@ -467,7 +491,7 @@ public class AuthenticationSessionStoreage { + AuthenticatedSessionStore dbsession = searchInDatabase(moaSession.getSessionID(), false); + oas.addAll(dbsession.getActiveOAsessions()); + +- Session session = MOASessionDBUtils.getCurrentSession(); ++ session = MOASessionDBUtils.getCurrentSession(); + session.getTransaction().commit(); + + return oas; +@@ -475,6 +499,14 @@ public class AuthenticationSessionStoreage { + } catch (MOADatabaseException e) { + Logger.warn("NO session information found for sessionID " + moaSession.getSessionID(), e); + ++ } catch (Exception e) { ++ if (session != null && session.getTransaction() != null ++ && !session.getTransaction().wasCommitted()) { ++ session.getTransaction().rollback(); ++ throw e; ++ ++ } ++ + } + + return null; +@@ -482,13 +514,13 @@ public class AuthenticationSessionStoreage { + + public static List<InterfederationSessionStore> getAllActiveIDPsFromMOASession(AuthenticationSession moaSession) { + MiscUtil.assertNotNull(moaSession, "MOASession"); +- ++ Session session = null; + try { + List<InterfederationSessionStore> idps = new ArrayList<InterfederationSessionStore>(); + AuthenticatedSessionStore dbsession = searchInDatabase(moaSession.getSessionID(), false); + idps.addAll(dbsession.getInderfederation()); + +- Session session = MOASessionDBUtils.getCurrentSession(); ++ session = MOASessionDBUtils.getCurrentSession(); + session.getTransaction().commit(); + + return idps; +@@ -496,6 +528,14 @@ public class AuthenticationSessionStoreage { + } catch (MOADatabaseException e) { + Logger.warn("NO session information found for sessionID " + moaSession.getSessionID(), e); + ++ } catch (Exception e) { ++ if 
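Review bot: In the new `catch (Exception e)` of `getAllActiveOAFromMOASession`, `throw e;` sits inside the `if (session != null && ... !wasCommitted())` block, so when the session is null or the transaction was already committed the exception is swallowed and the method silently returns null. The session is null exactly in the most likely failure case, because `session = MOASessionDBUtils.getCurrentSession();` is only assigned after `searchInDatabase(moaSession.getSessionID(), false)` and `getActiveOAsessions()` have succeeded, yet `searchInDatabase` with `commit == false` starts a transaction that it does not roll back on failure (see its `... && commit` check), so that transaction is left open. Move `session = MOASessionDBUtils.getCurrentSession();` in front of the `searchInDatabase(...)` call and put `throw e;` after the closing brace of the `if`; the `catch (MOADatabaseException e)` branch above needs the same rollback, since `searchInDatabase` throws that exception from its `result.size() != 1` branch with the transaction still open. The @@ -496/+528 hunk for `getAllActiveIDPsFromMOASession` has the identical structure and needs the same fix.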
(session != null && session.getTransaction() != null ++ && !session.getTransaction().wasCommitted()) { ++ session.getTransaction().rollback(); ++ throw e; ++ ++ } ++ + } + + return null; +@@ -507,35 +547,42 @@ public class AuthenticationSessionStoreage { + Logger.trace("Get moaSession for userNameID " + userNameID + " and OA " + + oaID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); +- +- List<AuthenticatedSessionStore> result; ++ Transaction tx = null; + +- synchronized (session) { +- session.beginTransaction(); +- Query query = session.getNamedQuery("getMOASessionWithNameIDandOAID"); +- query.setParameter("oaID", oaID); +- query.setParameter("nameID", userNameID); +- result = query.list(); ++ List<AuthenticatedSessionStore> result = null;; ++ try { ++ synchronized (session) { ++ tx = session.beginTransaction(); ++ Query query = session.getNamedQuery("getMOASessionWithNameIDandOAID"); ++ query.setParameter("oaID", oaID); ++ query.setParameter("nameID", userNameID); ++ result = query.list(); ++ ++ //send transaction ++ tx.commit(); ++ } + +- //send transaction +- session.getTransaction().commit(); +- } +- +- Logger.trace("Found entries: " + result.size()); +- +- //Assertion requires an unique artifact +- if (result.size() != 1) { +- Logger.trace("No unique entry found."); +- return null; +- +- } +- try { +- return decryptSession(result.get(0)); ++ Logger.trace("Found entries: " + result.size()); ++ ++ //Assertion requires an unique artifact ++ if (result.size() != 1) { ++ Logger.trace("No unique entry found."); ++ return null; ++ ++ } ++ ++ return decryptSession(result.get(0)); + + } catch (BuildException e) { +- Logger.warn("MOASession deserialization-exception by using MOASessionID=" + result.get(0).getSessionid(), e); ++ Logger.warn("MOASession deserialization-exception by using MOASessionID=" + result.get(0).getSessionid(), e); + return null; ++ ++ } catch (Exception e) { ++ if (tx != null && !tx.wasCommitted()) ++ 
tx.rollback(); ++ throw e; + } ++ + } + + public static OASessionStore searchActiveOASSOSession(AuthenticationSession moaSession, String oaID, String protocolType) { +@@ -547,29 +594,36 @@ public class AuthenticationSessionStoreage { + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; +- +- synchronized (session) { +- session.beginTransaction(); +- Query query = session.getNamedQuery("getActiveOAWithSessionIDandOAIDandProtocol"); +- query.setParameter("sessionID", moaSession.getSessionID()); +- query.setParameter("oaID", oaID); +- query.setParameter("protocol", protocolType); +- result = query.list(); ++ Transaction tx = null; ++ try { ++ synchronized (session) { ++ tx = session.beginTransaction(); ++ Query query = session.getNamedQuery("getActiveOAWithSessionIDandOAIDandProtocol"); ++ query.setParameter("sessionID", moaSession.getSessionID()); ++ query.setParameter("oaID", oaID); ++ query.setParameter("protocol", protocolType); ++ result = query.list(); ++ ++ //send transaction ++ tx.commit(); ++ } + +- //send transaction +- session.getTransaction().commit(); +- } +- +- Logger.trace("Found entries: " + result.size()); +- +- //Assertion requires an unique artifact +- if (result.size() == 0) { +- Logger.trace("No entries found."); +- return null; +- +- } +- +- return result.get(0).getActiveOAsessions().get(0); ++ Logger.trace("Found entries: " + result.size()); ++ ++ //Assertion requires an unique artifact ++ if (result.size() == 0) { ++ Logger.trace("No entries found."); ++ return null; ++ ++ } ++ ++ return result.get(0).getActiveOAsessions().get(0); ++ ++ } catch (Exception e) { ++ if (tx != null && !tx.wasCommitted()) ++ tx.rollback(); ++ throw e; ++ } + } + + public static String getPendingRequestID(String sessionID) { +@@ -584,6 +638,7 @@ public class AuthenticationSessionStoreage { + } + + public static AuthenticationSession getSessionWithPendingRequestID(String pedingRequestID) { ++ Transaction tx = null; + 
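Review bot: `List<AuthenticatedSessionStore> result = null;;` in the @@ -507 hunk carries a stray second semicolon; `List<AuthenticatedSessionStore> result = null;` is enough. The `catch (BuildException e)` below logs `result.get(0).getSessionid()`, which is only safe because `decryptSession` is the sole source of that exception and is reached after `result` holds exactly one entry; a short comment there, `// result has exactly one entry here, decryptSession is the only BuildException source`, would make that dependency explicit. The enclosing method's signature lies before the hunk.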
try { + MiscUtil.assertNotNull(pedingRequestID, "pedingRequestID"); + Logger.trace("Get authenticated session with pedingRequestID " + pedingRequestID + " from database."); +@@ -592,13 +647,13 @@ public class AuthenticationSessionStoreage { + List<AuthenticatedSessionStore> result; + + synchronized (session) { +- session.beginTransaction(); ++ tx = session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithPendingRequestID"); + query.setParameter("sessionid", pedingRequestID); + result = query.list(); + + //send transaction +- session.getTransaction().commit(); ++ tx.commit(); + } + + Logger.trace("Found entries: " + result.size()); +@@ -613,8 +668,13 @@ public class AuthenticationSessionStoreage { + + } catch (Throwable e) { + Logger.warn("MOASession deserialization-exception by using MOASessionID=" + pedingRequestID); ++ ++ if (tx != null && !tx.wasCommitted()) ++ tx.rollback(); ++ + return null; +- } ++ ++ } + } + + public static boolean deleteSessionWithPendingRequestID(String id) { +@@ -623,34 +683,39 @@ public class AuthenticationSessionStoreage { + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; +- +- synchronized (session) { +- session.beginTransaction(); +- Query query = session.getNamedQuery("getSessionWithPendingRequestID"); +- query.setParameter("sessionid", id); +- result = query.list(); ++ Transaction tx = null; ++ try { ++ synchronized (session) { ++ tx = session.beginTransaction(); ++ Query query = session.getNamedQuery("getSessionWithPendingRequestID"); ++ query.setParameter("sessionid", id); ++ result = query.list(); ++ ++ //send transaction ++ tx.commit(); ++ } + +- //send transaction +- session.getTransaction().commit(); +- } +- +- Logger.trace("Found entries: " + result.size()); +- +- //Assertion requires an unique artifact +- if (result.size() != 1) { +- Logger.trace("No entries found."); +- return false; +- +- } else { +- cleanDelete(result.get(0)); +- return true; +- 
} +- +- ++ Logger.trace("Found entries: " + result.size()); ++ ++ //Assertion requires an unique artifact ++ if (result.size() != 1) { ++ Logger.trace("No entries found."); ++ return false; ++ ++ } else { ++ cleanDelete(result.get(0)); ++ return true; ++ } ++ } catch (Exception e) { ++ if (tx != null && !tx.wasCommitted()) ++ tx.rollback(); ++ throw e; ++ } + } + + public static AuthenticationSession getSessionWithUserNameID(String nameID) { + ++ Transaction tx = null; + try { + MiscUtil.assertNotNull(nameID, "nameID"); + Logger.trace("Get authenticated session with pedingRequestID " + nameID + " from database."); +@@ -659,13 +724,13 @@ public class AuthenticationSessionStoreage { + List<AuthenticatedSessionStore> result; + + synchronized (session) { +- session.beginTransaction(); ++ tx = session.beginTransaction(); + Query query = session.getNamedQuery("getMOAISessionWithUserNameID"); + query.setParameter("usernameid", StringEscapeUtils.escapeHtml(nameID)); + result = query.list(); + + //send transaction +- session.getTransaction().commit(); ++ tx.commit(); + } + + Logger.trace("Found entries: " + result.size()); +@@ -679,7 +744,9 @@ public class AuthenticationSessionStoreage { + return decryptSession(result.get(0)); + + } catch (Throwable e) { +- Logger.warn("MOASession deserialization-exception by using MOASessionID=" + nameID); ++ Logger.warn("MOASession deserialization-exception by using MOASessionID=" + nameID); ++ if (tx != null && !tx.wasCommitted()) ++ tx.rollback(); + return null; + } + +@@ -691,27 +758,33 @@ public class AuthenticationSessionStoreage { + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; +- +- synchronized (session) { +- session.beginTransaction(); +- Query query = session.getNamedQuery("getInterfederatedIDPForSSOWithSessionID"); +- query.setParameter("sessionID", sessionID); +- result = query.list(); ++ Transaction tx = null; ++ try { ++ synchronized (session) { ++ tx = 
session.beginTransaction(); ++ Query query = session.getNamedQuery("getInterfederatedIDPForSSOWithSessionID"); ++ query.setParameter("sessionID", sessionID); ++ result = query.list(); ++ ++ //send transaction ++ tx.commit(); ++ } + +- //send transaction +- session.getTransaction().commit(); +- } +- +- Logger.trace("Found entries: " + result.size()); +- +- //Assertion requires an unique artifact +- if (result.size() == 0) { +- Logger.trace("No entries found."); +- return null; +- +- } +- +- return result.get(0).getInderfederation().get(0); ++ Logger.trace("Found entries: " + result.size()); ++ ++ //Assertion requires an unique artifact ++ if (result.size() == 0) { ++ Logger.trace("No entries found."); ++ return null; ++ ++ } ++ ++ return result.get(0).getInderfederation().get(0); ++ } catch (Exception e) { ++ if (tx != null && !tx.wasCommitted()) ++ tx.rollback(); ++ throw e; ++ } + } + + public static InterfederationSessionStore searchInterfederatedIDPFORSSOWithMOASessionIDPID(String sessionID, String idpID) { +@@ -721,28 +794,34 @@ public class AuthenticationSessionStoreage { + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; +- +- synchronized (session) { +- session.beginTransaction(); +- Query query = session.getNamedQuery("getInterfederatedIDPForSSOWithSessionIDIDPID"); +- query.setParameter("sessionID", sessionID); +- query.setParameter("idpID", idpID); +- result = query.list(); ++ Transaction tx = null; ++ try { ++ synchronized (session) { ++ tx = session.beginTransaction(); ++ Query query = session.getNamedQuery("getInterfederatedIDPForSSOWithSessionIDIDPID"); ++ query.setParameter("sessionID", sessionID); ++ query.setParameter("idpID", idpID); ++ result = query.list(); ++ ++ //send transaction ++ tx.commit(); ++ } + +- //send transaction +- session.getTransaction().commit(); +- } +- +- Logger.trace("Found entries: " + result.size()); +- +- //Assertion requires an unique artifact +- if (result.size() == 0) 
{ +- Logger.trace("No entries found."); +- return null; +- +- } +- +- return result.get(0).getInderfederation().get(0); ++ Logger.trace("Found entries: " + result.size()); ++ ++ //Assertion requires an unique artifact ++ if (result.size() == 0) { ++ Logger.trace("No entries found."); ++ return null; ++ ++ } ++ ++ return result.get(0).getInderfederation().get(0); ++ } catch (Exception e) { ++ if (tx != null && !tx.wasCommitted()) ++ tx.rollback(); ++ throw e; ++ } + } + + public static String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException { +@@ -847,27 +926,33 @@ public class AuthenticationSessionStoreage { + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; +- +- synchronized (session) { +- session.beginTransaction(); +- Query query = session.getNamedQuery("getInterfederatedIDPForAttributeQueryWithSessionID"); +- query.setParameter("sessionID", moaSession.getSessionID()); +- result = query.list(); ++ Transaction tx = null; ++ try { ++ synchronized (session) { ++ tx = session.beginTransaction(); ++ Query query = session.getNamedQuery("getInterfederatedIDPForAttributeQueryWithSessionID"); ++ query.setParameter("sessionID", moaSession.getSessionID()); ++ result = query.list(); ++ ++ //send transaction ++ tx.commit(); ++ } + +- //send transaction +- session.getTransaction().commit(); +- } +- +- Logger.trace("Found entries: " + result.size()); +- +- //Assertion requires an unique artifact +- if (result.size() == 0) { +- Logger.trace("No entries found."); +- return null; +- +- } +- +- return result.get(0).getInderfederation().get(0); ++ Logger.trace("Found entries: " + result.size()); ++ ++ //Assertion requires an unique artifact ++ if (result.size() == 0) { ++ Logger.trace("No entries found."); ++ return null; ++ ++ } ++ ++ return result.get(0).getInderfederation().get(0); ++ } catch (Exception e) { ++ if 
(tx != null && !tx.wasCommitted()) ++ tx.rollback(); ++ throw e; ++ } + } + + /** +@@ -930,28 +1015,34 @@ public class AuthenticationSessionStoreage { + + List<AuthenticatedSessionStore> results; + Session session = MOASessionDBUtils.getCurrentSession(); +- +- synchronized (session) { +- session.beginTransaction(); +- Query query = session.getNamedQuery("getMOAISessionsWithTimeOut"); +- query.setTimestamp("timeoutcreate", expioredatecreate); +- query.setTimestamp("timeoutupdate", expioredateupdate); +- results = query.list(); +- session.getTransaction().commit(); +- } +- +- if (results.size() != 0) { +- for(AuthenticatedSessionStore result : results) { +- try { +- cleanDelete(result); +- Logger.info("Authenticated session with sessionID=" + result.getSessionid() +- + " after session timeout."); +- +- } catch (HibernateException e){ +- Logger.warn("Authenticated session with sessionID=" + result.getSessionid() +- + " not removed after timeout! (Error during Database communication)", e); +- } +- } ++ Transaction tx = null; ++ try { ++ synchronized (session) { ++ tx = session.beginTransaction(); ++ Query query = session.getNamedQuery("getMOAISessionsWithTimeOut"); ++ query.setTimestamp("timeoutcreate", expioredatecreate); ++ query.setTimestamp("timeoutupdate", expioredateupdate); ++ results = query.list(); ++ tx.commit(); ++ } ++ ++ if (results.size() != 0) { ++ for(AuthenticatedSessionStore result : results) { ++ try { ++ cleanDelete(result); ++ Logger.info("Authenticated session with sessionID=" + result.getSessionid() ++ + " after session timeout."); ++ ++ } catch (HibernateException e){ ++ Logger.warn("Authenticated session with sessionID=" + result.getSessionid() ++ + " not removed after timeout! 
(Error during Database communication)", e); ++ } ++ } ++ } ++ } catch (Exception e) { ++ if (tx != null && !tx.wasCommitted()) ++ tx.rollback(); ++ throw e; + } + } + +@@ -1004,26 +1095,32 @@ public class AuthenticationSessionStoreage { + Session session = MOASessionDBUtils.getCurrentSession(); + + List result; +- +- synchronized (session) { +- session.beginTransaction(); +- Query query = session.getNamedQuery("getSessionWithID"); +- query.setParameter("sessionid", sessionID); +- result = query.list(); ++ Transaction tx = null; ++ try { ++ synchronized (session) { ++ tx = session.beginTransaction(); ++ Query query = session.getNamedQuery("getSessionWithID"); ++ query.setParameter("sessionid", sessionID); ++ result = query.list(); ++ ++ //send transaction ++ if (commit) ++ tx.commit(); ++ } + +- //send transaction +- if (commit) +- session.getTransaction().commit(); +- } +- +- Logger.trace("Found entries: " + result.size()); +- +- //Assertion requires an unique artifact +- if (result.size() != 1) { +- Logger.trace("No entries found."); +- throw new MOADatabaseException("No session found with this sessionID"); +- } +- +- return (AuthenticatedSessionStore) result.get(0); ++ Logger.trace("Found entries: " + result.size()); ++ ++ //Assertion requires an unique artifact ++ if (result.size() != 1) { ++ Logger.trace("No entries found."); ++ throw new MOADatabaseException("No session found with this sessionID"); ++ } ++ ++ return (AuthenticatedSessionStore) result.get(0); ++ } catch (Exception e) { ++ if (tx != null && !tx.wasCommitted() && commit) ++ tx.rollback(); ++ throw e; ++ } + } + } +diff --git a/id/server/idserverlib/src/main/resources/moaid.configuration.beans.xml b/id/server/idserverlib/src/main/resources/moaid.configuration.beans.xml +index 206fde8..7e319e2 100644 +--- a/id/server/idserverlib/src/main/resources/moaid.configuration.beans.xml ++++ b/id/server/idserverlib/src/main/resources/moaid.configuration.beans.xml +@@ -29,7 +29,7 @@ + <property 
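Review bot: In the `searchInDatabase` hunk the new catch deliberately skips the rollback when `commit` is false (`!tx.wasCommitted() && commit`), so any failure, including the `MOADatabaseException` thrown from the `result.size() != 1` branch, leaves the transaction started here open for the caller, and the callers visible in this patch (`getAllActiveOAFromMOASession`, `getAllActiveIDPsFromMOASession`) do not roll it back in their `catch (MOADatabaseException e)` branch. The method signature lies before the hunk; its Javadoc should state the contract, e.g. `@param commit if false the transaction is left open and the caller must commit or roll it back on every path, including when this method throws`.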
name="testOnBorrow" value="${configuration.dbcp.testOnBorrow}" /> + <property name="testOnReturn" value="${configuration.dbcp.testOnReturn}" /> + <property name="testWhileIdle" value="${configuration.dbcp.testWhileIdle}" /> +- <property name="validationQuery" value="SELECT 1" /> ++ <property name="validationQuery" value="${configuration.dbcp.validationQuery}" /> + </bean> + + <bean id="jpaVendorAdapter" class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter"> +diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/persistence/MOAIDConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/persistence/MOAIDConfiguration.java +index 223f29a..4bd459f 100644 +--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/persistence/MOAIDConfiguration.java ++++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/persistence/MOAIDConfiguration.java +@@ -61,4 +61,16 @@ public interface MOAIDConfiguration extends Configuration { + * @throws ConfigurationException in case of an configuration access error + */ + public Map<String, String> getOnlineApplication(String publicURLPrefix) throws ConfigurationException; ++ ++ ++ /** ++ * Load an OnlineApplication configuration and remove the OA key prefix ++ * This is a backup version if direct UniqueID selection does not work ++ * ++ * @param publicURLPrefix: Unique identifier of online application ++ * @return Properties of the online application or null if no OA is found ++ * @throws ConfigurationException in case of an configuration access error ++ */ ++ public Map<String, String> getOnlineApplicationBackupVersion(String publicURLPrefix) throws ConfigurationException; ++ + } +\ No newline at end of file +diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/persistence/MOAIDConfigurationImpl.java 
b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/persistence/MOAIDConfigurationImpl.java +index 297c63d..b9b5ad6 100644 +--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/persistence/MOAIDConfigurationImpl.java ++++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/persistence/MOAIDConfigurationImpl.java +@@ -1,5 +1,7 @@ + package at.gv.egovernment.moa.id.commons.config.persistence; + ++import java.sql.SQLSyntaxErrorException; ++import java.util.ArrayList; + import java.util.HashMap; + import java.util.Iterator; + import java.util.List; +@@ -131,13 +133,88 @@ public class MOAIDConfigurationImpl extends DatabaseConfigPropertyImpl implement + String keyId = MOAIDConfigurationConstants.PREFIX_MOAID_SERVICES + + ".%." + + MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER; +- ++ ++ List<ConfigProperty> oaSearchResult = null; + TypedQuery<ConfigProperty> oaSearchQuery = em.createQuery("select dbconfig from ConfigProperty dbconfig where dbconfig.key like :key and dbconfig.value = SUBSTRING(:uniqueID, 1, LENGTH(dbconfig.value))", ConfigProperty.class); + oaSearchQuery.setParameter("key", keyId); + oaSearchQuery.setParameter("uniqueID", publicURLPrefix); +- List<ConfigProperty> oaSearchResult = oaSearchQuery.getResultList(); ++ oaSearchResult = oaSearchQuery.getResultList(); ++ ++ return postProcessLoadOnlineApplication(em, oaSearchResult); ++ ++ } ++ ++ /* (non-Javadoc) ++ * @see at.gv.egovernment.moa.id.commons.config.persistence.MOAIDConfiguration#getOnlineApplicationBackupVersion(java.lang.String) ++ */ ++ @Override ++ public Map<String, String> getOnlineApplicationBackupVersion( ++ String publicURLPrefix) throws ConfigurationException { ++ Logger.debug("Use backup implementation to query configuration database"); ++ ++ EntityManager em = this.getPersistenceContext(); ++ if (null == em) { ++ Logger.error("No EntityManager set!"); ++ throw new ConfigurationException("No 
EntityManager set!"); ++ ++ } ++ ++ //search key prefix for online application with this publicURLPrefix ++ String keyId = MOAIDConfigurationConstants.PREFIX_MOAID_SERVICES ++ + ".%." ++ + MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER; + +- if (oaSearchResult.size() == 0) { ++ List<ConfigProperty> oaSearchResult = new ArrayList<ConfigProperty>(); ++ ++ TypedQuery<ConfigProperty> oaSearchQuery = em.createQuery("select dbconfig from ConfigProperty dbconfig where dbconfig.key like :key", ConfigProperty.class); ++ oaSearchQuery.setParameter("key", keyId); ++ List<ConfigProperty> intermResult = oaSearchQuery.getResultList(); ++ if (intermResult != null) { ++ for (ConfigProperty el : intermResult) { ++ if (publicURLPrefix.startsWith(el.getValue())) ++ oaSearchResult.add(el); ++ ++ } ++ } ++ ++ return postProcessLoadOnlineApplication(em, oaSearchResult); ++ ++ } ++ ++ /** ++ * Small helper method. NOTE: may return empty configuration properties, but never {@code null}. ++ * ++ * @param propPrefix: the prefix of the desired property. ++ * @param input: List of database objects with key/value information. 
++ * @param removePrefix: Indicates if the prefix should be removed from the result key ++ * @return the {@link Map} of configuration properties ++ */ ++ private Map<String, String> getKeyValueFromDatabaseDAO(Iterator<ConfigProperty> input, final String prefix, boolean removePrefix) { ++ Map<String, String> configProp = new HashMap<String, String>(); ++ while (input.hasNext()) { ++ ConfigProperty el = input.next(); ++ if (removePrefix) { ++ if (el.getKey().startsWith(prefix)) { ++ String propertyName = KeyValueUtils.removePrefixFromKey(el.getKey(), prefix); ++ configProp.put(propertyName, el.getValue()); ++ ++ } ++ } else ++ configProp.put(el.getKey(), el.getValue()); ++ ++ } ++ return configProp; ++ } ++ ++ /** ++ * Online-Application load operation post-processing ++ * ++ * @param em EntityManager for Database access ++ * @param oaSearchResult Search result of first OA selection operation ++ * @return Map of post-processed OA configuration key/value pairs ++ */ ++ private Map<String, String> postProcessLoadOnlineApplication(EntityManager em, List<ConfigProperty> oaSearchResult) { ++ if (oaSearchResult == null || oaSearchResult.size() == 0) { + Logger.debug("No entries found."); + return null; } + +@@ -170,31 +247,6 @@ public class MOAIDConfigurationImpl extends DatabaseConfigPropertyImpl implement + result.put(MOAIDConfigurationConstants.PREFIX_MOAID_SERVICES, oaType); + + return result; ++ + } +- +- /** +- * Small helper method. NOTE: may return empty configuration properties, but never {@code null}. +- * +- * @param propPrefix: the prefix of the desired property. +- * @param input: List of database objects with key/value information. 
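Review bot: In `getOnlineApplicationBackupVersion` the filter `publicURLPrefix.startsWith(el.getValue())` throws NullPointerException for a row whose value is NULL and accepts every request when a stored unique identifier is the empty string, since `startsWith("")` is always true; the JPQL form in `getOnlineApplication` compares against a SUBSTRING and, on Oracle, an empty string is NULL and does not match, so the two paths diverge exactly where this backup is meant to be used. `if (el.getValue() != null && !el.getValue().isEmpty() && publicURLPrefix.startsWith(el.getValue()))` keeps them consistent. Several rows can satisfy the prefix test when one OA identifier is a prefix of another; the rest of `postProcessLoadOnlineApplication`, which decides between them, is outside the hunk, so it is worth checking that it does not simply take the first candidate.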
+- * @param removePrefix: Indicates if the prefix should be removed from the result key +- * @return the {@link Map} of configuration properties +- */ +- private Map<String, String> getKeyValueFromDatabaseDAO(Iterator<ConfigProperty> input, final String prefix, boolean removePrefix) { +- Map<String, String> configProp = new HashMap<String, String>(); +- while (input.hasNext()) { +- ConfigProperty el = input.next(); +- if (removePrefix) { +- if (el.getKey().startsWith(prefix)) { +- String propertyName = KeyValueUtils.removePrefixFromKey(el.getKey(), prefix); +- configProp.put(propertyName, el.getValue()); +- +- } +- } else +- configProp.put(el.getKey(), el.getValue()); +- +- } +- return configProp; +- } +- + } +diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/MOASessionDBUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/MOASessionDBUtils.java +index 7621552..49e0634 100644 +--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/MOASessionDBUtils.java ++++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/MOASessionDBUtils.java +@@ -163,8 +163,9 @@ public final class MOASessionDBUtils { + + } catch(HibernateException e) { + Logger.warn("Error during MOASession database saveOrUpdate. Rollback.", e); +- tx.rollback(); +- throw new MOADatabaseException(e); ++ if (tx != null) ++ tx.rollback(); ++ throw new MOADatabaseException(e); + } + } + +@@ -183,8 +184,9 @@ public final class MOASessionDBUtils { + + } catch(HibernateException e) { + Logger.warn("Error during MOASession database delete. 
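Review bot: `tx.rollback()` now runs inside the catch block without its own guard, so a HibernateException thrown by the rollback itself (for instance when the connection is already gone) replaces the logged cause and, in the second hunk (`@@ -183,8 +184,9 @@`), escapes a method that otherwise returns false. Wrapping it as `try { tx.rollback(); } catch (HibernateException re) { Logger.warn("Rollback failed.", re); }` keeps the original failure as the reported error while still attempting the rollback. The same change applies to the second hunk below; both enclosing methods start outside their hunks.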
Rollback.", e); +- tx.rollback(); +- return false; ++ if (tx != null) ++ tx.rollback(); ++ return false; + } + } + +diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/NewConfigurationDBRead.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/NewConfigurationDBRead.java +index 0f157f1..c049eeb 100644 +--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/NewConfigurationDBRead.java ++++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/NewConfigurationDBRead.java +@@ -41,9 +41,12 @@ public class NewConfigurationDBRead { + + } + +- public Map<String, String> getOnlineApplicationKeyValueWithId(String id) { ++ public Map<String, String> getOnlineApplicationKeyValueWithId(String id, boolean backupVersion) { + try { +- return conf.getOnlineApplication(id); ++ if (backupVersion) ++ return conf.getOnlineApplicationBackupVersion(id); ++ else ++ return conf.getOnlineApplication(id); + + } catch (ConfigurationException e) { + Logger.warn("OnlineApplication with Id: " + id + " not found.", e); +diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/DatabaseConfigPropertyImpl.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/DatabaseConfigPropertyImpl.java +index f59e39a..aad830d 100644 +--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/DatabaseConfigPropertyImpl.java ++++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/DatabaseConfigPropertyImpl.java +@@ -1,6 +1,10 @@ + package at.gv.egovernment.moa.id.commons.db.dao.config; + ++import java.util.ArrayList; ++import java.util.Iterator; + import java.util.List; ++import java.util.Map.Entry; ++import java.util.regex.Pattern; + + import javax.persistence.EntityManager; + import javax.persistence.PersistenceContext; +@@ -137,10 +141,33 @@ public 
class DatabaseConfigPropertyImpl extends AbstractConfigurationImpl { + throw new ConfigurationException("No EntityManager set!"); + } + +- TypedQuery<String> query = em.createQuery("select key from ConfigProperty dbconfig where dbconfig.value like :value", String.class); +- query.setParameter("value", searchString.replace("*", "%")); +- List<String> result = query.getResultList(); +- return result.toArray(new String[result.size()]); ++ TypedQuery<ConfigProperty> query = em.createQuery("select * from ConfigProperty dbconfig", ConfigProperty.class); ++ List<ConfigProperty> all = query.getResultList(); ++ ++ searchString = searchString.replace(".", "\\."); ++ String regex = searchString.replace("*", ".*"); ++ regex = regex.replace("%", "\\w*"); ++ log.debug("Searching with regex: {}", regex); ++ Pattern pattern = Pattern.compile(regex); ++ ++ List<String> keyList = new ArrayList<String>(); ++ Iterator<ConfigProperty> keyIt; ++ if (all != null) { ++ keyIt = all.iterator(); ++ while(keyIt.hasNext()) { ++ ConfigProperty entry = keyIt.next(); ++ String value = entry.getValue(); ++ String key = entry.getKey(); ++ ++ if(pattern.matcher(value).matches()) { ++ keyList.add(key); ++ } ++ } ++ } ++ ++ String[] result = new String[keyList.size()]; ++ return keyList.toArray(result); ++ + } + + /* (non-Javadoc) +diff --git a/id/server/moa-id-commons/src/main/resources/moaid.migration.beans.xml b/id/server/moa-id-commons/src/main/resources/moaid.migration.beans.xml +index 3bd1222..c758e23 100644 +--- a/id/server/moa-id-commons/src/main/resources/moaid.migration.beans.xml ++++ b/id/server/moa-id-commons/src/main/resources/moaid.migration.beans.xml +@@ -31,7 +31,7 @@ + <property name="testOnBorrow" value="${dbcp.testOnBorrow}" /> + <property name="testOnReturn" value="${dbcp.testOnReturn}" /> + <property name="testWhileIdle" value="${dbcp.testWhileIdle}" /> +- <property name="validationQuery" value="SELECT 1" /> ++ <property name="validationQuery" value="${dbcp.validationQuery}" /> + 
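Review bot: Only `.`, `*` and `%` are rewritten before `Pattern.compile(regex)`, so any other regex metacharacter in searchString (`(`, `[`, `+`, `?`, `|`, `\`) is interpreted rather than matched literally, which yields an unchecked PatternSyntaxException or an unexpectedly broad match instead of the ConfigurationException the method declares. Building the pattern from `Pattern.quote`d literal segments keeps only the two wildcards special; the `\w*` expansion of `%` is preserved below, though it is narrower than SQL's `%` and deserves a comment if that is intended. `entry.getValue()` is also passed to `pattern.matcher` unguarded, so a row with a NULL value throws NullPointerException; `if (value != null && pattern.matcher(value).matches())` avoids that. The query text `select * from ConfigProperty dbconfig` looks like SQL rather than JPQL (the other queries in this patch use `select dbconfig from ConfigProperty dbconfig`), which is worth confirming against the provider. The method's signature is outside the hunk.
```java
        List<ConfigProperty> all = query.getResultList();

        // Only '*' and '%' act as wildcards; every other character of searchString is
        // matched literally, so regex metacharacters cannot break or widen the pattern.
        StringBuilder regex = new StringBuilder();
        StringBuilder literal = new StringBuilder();
        for (char c : searchString.toCharArray()) {
            if (c == '*' || c == '%') {
                if (literal.length() > 0) {
                    regex.append(Pattern.quote(literal.toString()));
                    literal.setLength(0);
                }
                regex.append(c == '*' ? ".*" : "\\w*");
            } else {
                literal.append(c);
            }
        }
        if (literal.length() > 0) {
            regex.append(Pattern.quote(literal.toString()));
        }
        log.debug("Searching with regex: {}", regex);
        Pattern pattern = Pattern.compile(regex.toString());
        // … unchanged: keyList/keyIt setup and loop header …
                if (value != null && pattern.matcher(value).matches()) {
                    keyList.add(key);
                }
        // … unchanged: result array construction …
```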
</bean> + + +-- +1.9.5.msysgit.0 + diff --git a/0002-change-default-filename-in-configuration-download-di.patch b/0002-change-default-filename-in-configuration-download-di.patch new file mode 100644 index 000000000..d95f57e38 --- /dev/null +++ b/0002-change-default-filename-in-configuration-download-di.patch @@ -0,0 +1,25 @@ +From 2362892f59b8daccb8c0a2155048c5adc7a1a7ea Mon Sep 17 00:00:00 2001 +From: Thomas Lenz <tlenz@iaik.tugraz.at> +Date: Tue, 15 Sep 2015 12:56:17 +0200 +Subject: [PATCH 2/3] change default filename in configuration download dialog + +--- + id/ConfigWebTool/src/main/resources/struts.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/id/ConfigWebTool/src/main/resources/struts.xml b/id/ConfigWebTool/src/main/resources/struts.xml +index 701cc99..f978e93 100644 +--- a/id/ConfigWebTool/src/main/resources/struts.xml ++++ b/id/ConfigWebTool/src/main/resources/struts.xml +@@ -284,7 +284,7 @@ + <result name="success" type="stream"> + <param name="contentType">application/octet-stream</param> + <param name="inputName">fileInputStream</param> +- <param name="contentDisposition">attachment;filename="MOAID-2.0_config.xml"</param> ++ <param name="contentDisposition">attachment;filename="MOAID-3.0_config.properties"</param> + <param name="bufferSize">1024</param> + </result> + <result name="reauthentication" type="redirectAction"> +-- +1.9.5.msysgit.0 + diff --git a/0003-update-handbook-and-release-information.patch b/0003-update-handbook-and-release-information.patch new file mode 100644 index 000000000..6c8a4ee2a --- /dev/null +++ b/0003-update-handbook-and-release-information.patch 
@@ -0,0 +1,752 @@ +From 8149f22dc110b82ef2910db0037d037062628dd5 Mon Sep 17 00:00:00 2001 +From: Thomas Lenz <tlenz@iaik.tugraz.at> +Date: Tue, 15 Sep 2015 13:02:59 +0200 +Subject: [PATCH 3/3] - update handbook and release information - change + version to 3.0.2 + +--- + id/history.txt | 7 + + id/readme_3.0.2.txt | 644 ++++++++++++++++++++++++++++++ + id/server/doc/handbook/config/config.html | 16 +- + pom.xml | 12 +- + 4 files changed, 672 insertions(+), 7 deletions(-) + create mode 100644 id/readme_3.0.2.txt + +diff --git a/id/history.txt b/id/history.txt +index f1b9adf..6ad08d9 100644 +--- a/id/history.txt ++++ b/id/history.txt +@@ -1,5 +1,12 @@ + Dieses Dokument zeigt die Veränderungen und Erweiterungen von MOA-ID auf. + ++Version MOA-ID Release 3.0.2: Änderungen seit Version MOA-ID 3.0.1 ++- Änderungen ++ - Bug-Fix für Zugriff auf Oracle Datenbanken ++ - ++ ++ ++ ------------------------------------------------------------------------------ + Version MOA-ID Release 3.0.1: Änderungen seit Version MOA-ID 3.0.0 + - Änderungen + - Bug-Fix für Testkarten mit Testkarten-OID +diff --git a/id/readme_3.0.2.txt b/id/readme_3.0.2.txt +new file mode 100644 +index 0000000..cd752a6 +--- /dev/null ++++ b/id/readme_3.0.2.txt +@@ -0,0 +1,644 @@ ++=============================================================================== ++MOA ID Version Release 3.0.2 - Wichtige Informationen zur Installation ++=============================================================================== ++ ++------------------------------------------------------------------------------- ++A. Neuerungen/Änderungen ++------------------------------------------------------------------------------- ++ ++Mit MOA ID Version 3.0.2 wurden folgende Neuerungen und Änderungen eingeführt, ++die jetzt erstmals in der Veröffentlichung enthalten sind (siehe auch ++history.txt im gleichen Verzeichnis). 
Da es sich bei der Version 3.0.2 nur um ++Version mit minimaler Fehlerbereinigung handelt sind zusätzlich auch alle ++Änderungen aus der Version 3.0.0 und 3.0.1 zur Information gelisted: ++ ++- Änderungen ++ - Bug-Fix für Zugriff auf Oracle Datenbanken ++ ++Anpassungen aus MOA-ID 3.0.0 und 3.0.1 ++- Änderungen ++ - Redesign des Datenmodels für die Configuration ++ - Redesign des Authentifizierungsprozessmanagment ++ - Anpassung VIDP Code für STORK ++ - Update von TrustStore und CertSTore ++ - Kleinere Bug-Fixes ++ - Update von Libraries ++ - Bug-Fix für Testkarten mit Testkarten-OID ++ ++------------------------------------------------------------------------------- ++B. Durchführung eines Updates ++------------------------------------------------------------------------------- ++ ++Es wird generell eine Neuinstallation lt. Handbuch empfohlen! Dennoch ist auch ++eine Aktualisierung bestehender Installationen möglich. Je nachdem von welcher ++MOA-ID Version ausgegangen wird ergibt sich eine Kombination der nachfolgend ++angebebenen Updateschritte. ++ ++Hinweis: Wenn Sie die bestehende Konfiguration von MOA-ID 2.x.x in MOA-ID 3.0.x ++reimportieren möchten, so muss diese vor dem Update mit Hilfe der import/export ++Funktion der grafischen Konfigurationsoberfläche in eine Datei exportiert werden. ++Diese Datei dient dann als Basis für den Import in MOA-ID 3.0.x. ++ ++............................................................................... ++B.0 Durchführung eines Updates von Version 3.0.1 auf Version 3.0.2 ++............................................................................... ++1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. ++ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. ++ ++2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.0.0.zip) in ++ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST ++ bezeichnet. ++ ++3. 
Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth ++ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, ++ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation ++ für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war ++ als auch das komplette Verzeichnis moa-id-auth. ++ ++4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach ++ CATALINA_HOME_ID/webapps. ++ ++5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach ++ CATALINA_HOME_ID/webapps. ++ ++6. Hinzufügen der zusätzlichen Konfigurationsparameter in der ++ MOA-ID-Configuration Konfigurationsdatei ++ CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties ++ a.) dbcp.validationQuery=..... (SQL Query zum Validieren der ++ Datenbankverbindung ++ z.B: "SELECT 1" für mySQL ++ "select 1 from dual" für OracleDB) ++ ++7. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth ++ Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties ++ a.) configuration.dbcp.validationQuery=..... (SQL Query zum ++ Validieren der Datenbankverbindung ++ z.B: "SELECT 1" für mySQL ++ "select 1 from dual" für OracleDB) ++ ++8. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im ++ Logging von MOA ID beim Einlesen der Konfiguration. ++ ++ ++............................................................................... ++B.1 Durchführung eines Updates von Version 3.0.0 auf Version 3.0.2 ++............................................................................... ++1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. ++ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. ++ ++2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.0.0.zip) in ++ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST ++ bezeichnet. ++ ++3. 
Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth ++ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, ++ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation ++ für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war ++ als auch das komplette Verzeichnis moa-id-auth. ++ ++4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach ++ CATALINA_HOME_ID/webapps. ++ ++5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach ++ CATALINA_HOME_ID/webapps. ++ ++6. Update der TrustStores für WebService Zugriffe. ++ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\certs\ca-certs ++ in das Verzeichnis CATALINA_HOME\conf\moa-id\certs\ca-certs. ++ b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\certs\certstore\toBeAdded ++ in das Verzeichnis CATALINA_HOME\conf\moa-id\certs\certstore\toBeAdded. ++ ++7. Hinzufügen der zusätzlichen Konfigurationsparameter in der ++ MOA-ID-Configuration Konfigurationsdatei ++ CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties ++ a.) dbcp.validationQuery=..... (SQL Query zum Validieren der ++ Datenbankverbindung ++ z.B: "SELECT 1" für mySQL ++ "select 1 from dual" für OracleDB) ++ ++8. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth ++ Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties ++ a.) configuration.dbcp.validationQuery=..... (SQL Query zum ++ Validieren der Datenbankverbindung ++ z.B: "SELECT 1" für mySQL ++ "select 1 from dual" für OracleDB) ++ ++9. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im ++ Logging von MOA ID beim Einlesen der Konfiguration. ++ ++............................................................................... ++B.2 Durchführung eines Updates von Version 2.2.1 auf Version 3.0.2 ++............................................................................... ++ ++1. 
Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. ++ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. ++ ++2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.0.0.zip) in ++ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST ++ bezeichnet. ++ ++3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth ++ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, ++ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation ++ für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und ++ moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth ++ und das komplette Verzeichnis moa-id-configuration. ++ ++4. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis ++ CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach. ++ ++5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach ++ CATALINA_HOME_ID/webapps. ++ ++6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach ++ CATALINA_HOME_ID/webapps. ++ ++7. Update des Cert-Stores. ++ Kopieren Sie den Inhalt des Verzeichnisses ++ MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis ++ CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie ++ vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann ++ bejahen sie das. ++ ++8. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen ++ wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile ++ beibehalten wollen, dann gehen Sie vor, wie in Punkt b). ++ ++ a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen: ++ ++ 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles. ++ 2) Kopieren Sie das Verzeichnis ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis ++ CATALINA_HOME\conf\moa-spss. ++ ++ b. 
Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie ++ folgt vor, um die Profile auf den aktuellen Stand zu bringen: ++ ++ 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den ++ entsprechenden Profilen im Verzeichnis ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren ++ Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt ++ der einzelnen Profile aus der Distribution ++ (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden ++ Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) ++ kopieren und dabei die vorhandenen gleichnamigen Zertifikate ++ überschreiben), also z.B: Kopieren des Inhalts von ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\ ++ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach ++ CATALINA_HOME\conf\moa-spss\trustProfiles\ ++ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. ++ ++9. Update der Default html-Templates für die Bürgerkartenauswahl. ++ ++ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates ++ in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates. ++ b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates ++ in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates. ++ ++10. Update der STORK Konfiguration ++ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork ++ in das Verzeichnis CATALINA_HOME\conf\moa-id\stork. ++ b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration -> ++ 2.4 Konfiguration des SamlEngines an. ++ ++11. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei ++ CATALINA_HOME\conf\moa-id\moa-id.properties ++ ++12. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Configration Konfigurationsdatei ++ CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties ++ ++13. 
Hinzufügen der zusätzlichen Konfigurationsdatei in der MOA-ID-Configuration ++ CATALINA_HOME\conf\moa-id-configuration\userdatabase.properties ++ ++14. Update der Tomcat Start-Skripts: ++ - Die Konfigurationsdateien für MOA-ID-Auth und MOA-ID-Configuration müssen ++ nur als URI (file:/...) übergeben werden. ++ ++15. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im ++ Logging von MOA ID beim Einlesen der Konfiguration. ++ ++ ++............................................................................... ++B.1 Durchführung eines Updates von Version 2.2.0 auf Version 2.2.1 ++............................................................................... ++1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. ++ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. ++ ++2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.2.1.zip) in ++ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST ++ bezeichnet. ++ ++3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth ++ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, ++ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation ++ für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und ++ moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth ++ und das komplette Verzeichnis moa-id-configuration. ++ ++4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach ++ CATALINA_HOME_ID/webapps. ++ ++5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach ++ CATALINA_HOME_ID/webapps. ++ ++6. Update des Cert-Stores. ++ Kopieren Sie den Inhalt des Verzeichnisses ++ MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis ++ CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie ++ vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann ++ bejahen sie das. ++ ++7. 
Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen ++ wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile ++ beibehalten wollen, dann gehen Sie vor, wie in Punkt b). ++ ++ a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen: ++ ++ 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles. ++ 2) Kopieren Sie das Verzeichnis ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis ++ CATALINA_HOME\conf\moa-spss. ++ ++ b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie ++ folgt vor, um die Profile auf den aktuellen Stand zu bringen: ++ ++ 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den ++ entsprechenden Profilen im Verzeichnis ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren ++ Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt ++ der einzelnen Profile aus der Distribution ++ (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden ++ Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) ++ kopieren und dabei die vorhandenen gleichnamigen Zertifikate ++ überschreiben), also z.B: Kopieren des Inhalts von ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\ ++ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach ++ CATALINA_HOME\conf\moa-spss\trustProfiles\ ++ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. ++ ++8. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im ++ Logging von MOA ID beim Einlesen der Konfiguration. ++ ++............................................................................... ++B.1 Durchführung eines Updates von Version 2.1.2 auf Version 2.2.0 ++............................................................................... ++ 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. ++ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. ++ ++2. 
Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.2.0.zip) in ++ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST ++ bezeichnet. ++ ++3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth ++ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, ++ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation ++ für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und ++ moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth ++ und das komplette Verzeichnis moa-id-configuration. ++ ++4. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis ++ CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach. ++ ++6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach ++ CATALINA_HOME_ID/webapps. ++ ++7. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach ++ CATALINA_HOME_ID/webapps. ++ ++8. Kopieren der folgenden Dateien: ++ Sollte die Datei bereits vorhanden sein erstellen Sie ein Backup der ++ Datei bevor Sie diese durch die neue Version ersetzen. ++ a.) MOA_ID_AUTH_INST/conf/moa-id/stork/StorkSamlEngine_VIDP.xml -> ++ CATALINA_HOME/conf/moa-id/stork/StorkSamlEngine_VIDP.xml ++ b.) MOA_ID_AUTH_INST/conf/moa-id/stork/StorkSamlEngine_outgoing.xml -> ++ CATALINA_HOME/conf/moa-id/stork/StorkSamlEngine_outgoing.xml ++ ++9. Dem STORK KeyStores unter MOA_ID_AUTH_INST/conf/moa-id/keys/storkDemoKeys.jks ++ (Passwort=local-demo) wurden neue vertrauenswürdige Zertifikate hinzugefügt. ++ Gleichen Sie bei Bedarf die Zertifikate dieses KeyStores mit Ihrem aktuell ++ verwendeten KeyStore ab. ++ ++10. Update des Cert-Stores. ++ Kopieren Sie den Inhalt des Verzeichnisses ++ MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis ++ CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie ++ vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann ++ bejahen sie das. ++ ++11. 
Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen ++ wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile ++ beibehalten wollen, dann gehen Sie vor, wie in Punkt b). ++ ++ a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen: ++ ++ 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles. ++ 2) Kopieren Sie das Verzeichnis ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis ++ CATALINA_HOME\conf\moa-spss. ++ ++ b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie ++ folgt vor, um die Profile auf den aktuellen Stand zu bringen: ++ ++ 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den ++ entsprechenden Profilen im Verzeichnis ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren ++ Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt ++ der einzelnen Profile aus der Distribution ++ (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden ++ Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) ++ kopieren und dabei die vorhandenen gleichnamigen Zertifikate ++ überschreiben), also z.B: Kopieren des Inhalts von ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\ ++ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach ++ CATALINA_HOME\conf\moa-spss\trustProfiles\ ++ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. ++ ++ ++12. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im ++ Logging von MOA ID beim Einlesen der Konfiguration. ++ ++............................................................................... ++B.2 Durchführung eines Updates von Version 2.1.1 auf Version 2.1.2 ++............................................................................... ++ 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. ++ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. ++ ++2. 
Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.2.zip) in ++ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST ++ bezeichnet. ++ ++3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth ++ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, ++ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation ++ für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und ++ moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth ++ und das komplette Verzeichnis moa-id-configuration. ++ ++4. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis ++ CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach. ++ ++5. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\endorsed in das ++ Verzeichnis CATALINA_HOME_ID\endorsed ++ ++6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach ++ CATALINA_HOME_ID/webapps. ++ ++7. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach ++ CATALINA_HOME_ID/webapps. ++ ++8. Kopieren der folgenden Dateien ++ a.) MOA_ID_AUTH_INST/conf/moa-id/stork/StorkSamlEngine_VIDP.xml -> ++ CATALINA_HOME/conf/moa-id/stork/StorkSamlEngine_VIDP.xml ++ Sollte die Datei bereits vorhanden sein erstellen Sie ein Backup der ++ Datei slo_template.html bevor Sie diese durch die neue Version ersetzen. ++ ++9. Dem STORK KeyStores unter MOA_ID_AUTH_INST/conf/moa-id/keys/storkDemoKeys.jks ++ (Passwort=local-demo) wurden neue vertrauenswürdige Zertifikate hinzugefügt. ++ Gleichen Sie bei Bedarf die Zertifikate dieses KeyStores mit Ihrem aktuell ++ verwendeten KeyStore ab. ++ ++10. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im ++ Logging von MOA ID beim Einlesen der Konfiguration. ++ ++ ++............................................................................... 
++B.3 Durchführung eines Updates von Version 2.1.0 auf Version 2.1.1 ++............................................................................... ++ 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. ++ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. ++ ++2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.0.zip) in ++ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST ++ bezeichnet. ++ ++3. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis ++ JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach. ++ ++4. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das ++ Verzeichnis JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr ++ unterstuetzt). ++ ++5. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth ++ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, ++ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation ++ für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als ++ auch das komplette Verzeichnis moa-id-auth. ++ ++6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach ++ CATALINA_HOME_ID/webapps. ++ ++7. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach ++ CATALINA_HOME_ID/webapps. ++ ++8. Hinzufügen der zusätzlichen Konfigurationsparameter in der ++ MOA-ID-Configuration Konfigurationsdatei ++ CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties ++ a.) general.moaconfig.key=..... (Passwort zum Ver- und ++ Entschlüsseln von Konfigurationsparametern in der Datenbank) ++ ++9. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth ++ Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties ++ a.) configuration.moaconfig.key=..... (Passwort zum Ver- und ++ Entschlüsseln von Konfigurationsparametern in der Datenbank) ++ ++10. Kopieren der folgenden Dateien ++ a.) 
MOA_ID_AUTH_INST/conf/moa-id/htmlTemplates/slo_template.html -> ++ CATALINA_HOME/conf/moa-id/htmlTemplates/slo_template.html ++ Sollte die Datei bereits vorhanden sein erstellen Sie ein Backup der ++ Datei slo_template.html bevor Sie diese durch die neue Version ersetzen. ++ ++11. Update des Cert-Stores. ++ Kopieren Sie den Inhalt des Verzeichnisses ++ MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis ++ CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie ++ vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann ++ bejahen sie das. ++ ++12. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen ++ wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile ++ beibehalten wollen, dann gehen Sie vor, wie in Punkt b). ++ ++ a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen: ++ ++ 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles. ++ 2) Kopieren Sie das Verzeichnis ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis ++ CATALINA_HOME\conf\moa-spss. ++ ++ b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie ++ folgt vor, um die Profile auf den aktuellen Stand zu bringen: ++ ++ 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den ++ entsprechenden Profilen im Verzeichnis ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren ++ Profilen enthalten sind. 
Am einfachsten ist es, wenn Sie den Inhalt ++ der einzelnen Profile aus der Distribution ++ (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden ++ Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) ++ kopieren und dabei die vorhandenen gleichnamigen Zertifikate ++ überschreiben), also z.B: Kopieren des Inhalts von ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\ ++ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach ++ CATALINA_HOME\conf\moa-spss\trustProfiles\ ++ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. ++ ++13. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im ++ Logging von MOA ID beim Einlesen der Konfiguration. ++ ++ ++............................................................................... ++B.4 Durchführung eines Updates von Version 2.0.1 auf Version 2.1.0 ++............................................................................... ++ 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. ++ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. ++ ++2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.0.zip) in ++ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST ++ bezeichnet. ++ ++3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth ++ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, ++ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation ++ für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als ++ auch das komplette Verzeichnis moa-id-auth. ++ ++4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach ++ CATALINA_HOME_ID/webapps. ++ ++5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach ++ CATALINA_HOME_ID/webapps. ++ ++6. Update der STORK Konfiguration ++ a.) 
Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork ++ in das Verzeichnis CATALINA_HOME\conf\moa-id\stork. ++ b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration -> ++ 2.4 Konfiguration des SamlEngines an. ++ ++7. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Configuration Konfigurationsdatei ++ CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties ++ a.) general.ssl.certstore=certs/certstore ++ b.) general.ssl.truststore=certs/truststore ++ ++8. Kopieren des folgenden zusätzlichen Ordners MOA_ID_AUTH_INST/conf/moa-id-configuration/certs ++ nach CATALINA_HOME\conf\moa-id-configuration\ ++ ++9. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei ++ CATALINA_HOME\conf\moa-id\moa-id.properties und Anpassung an das zu verwendeten Schlüsselpaar. ++ a.) protocols.pvp2.idp.ks.assertion.encryption.alias=pvp_assertion ++ protocols.pvp2.idp.ks.assertion.encryption.keypassword=password ++ ++10. Kopieren der folgenden zusätzlichen Ordner aus MOA_ID_AUTH_INST/conf/moa-id/ ++ nach CATALINA_HOME\conf\moa-id\ ++ a.) MOA_ID_AUTH_INST/conf/moa-id/SLTemplates -> CATALINA_HOME\conf\moa-id\ ++ b.) MOA_ID_AUTH_INST/conf/moa-id/htmlTemplates/slo_template.html -> ++ CATALINA_HOME/conf/moa-id/htmlTemplates/slo_template.html ++ ++11. Neuinitialisieren des Datenbank Schema für die MOA-Session. Hierfür stehen ++ zwei Varianten zur Verfügung. ++ a.) Ändern Sie in der Konfigurationsdatei für das Modul MOA-ID-Auth ++ CATALINA_HOME\conf\moa-id\moa-id.properties die Zeile ++ moasession.hibernate.hbm2ddl.auto=update ++ zu ++ moasession.hibernate.hbm2ddl.auto=create ++ Danach werden die Tabellen beim nächsten Startvorgang neu generiert. ++ ++ b.) Löschen Sie alle Tabellen aus dem Datenbank Schema für die MOA-Sessixson ++ Informationen per Hand. Alle Tabellen werden beim nächsten Start autmatisch neu generiert. ++ ++12 . 
Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im ++ Logging von MOA ID beim Einlesen der Konfiguration. ++ ++ ++............................................................................... ++B.5 Durchführung eines Updates von Version 2.0-RC1 auf Version 2.0.1 ++............................................................................... ++ ++1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. ++ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. ++ ++2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.0.1.zip) in ++ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST ++ bezeichnet. ++ Für MOA ID Proxy: ++ Entpacken Sie die Distribution von MOA-ID-Proxy (moa-id-proxy-2.0.1.zip) in ++ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_PROXY_INST ++ bezeichnet. ++ ++3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth ++ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, ++ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation ++ für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als ++ auch das komplette Verzeichnis moa-id-auth. ++ ++4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach ++ CATALINA_HOME_ID/webapps. ++ ++5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach ++ CATALINA_HOME_ID/webapps. ++ ++6. Update des Cert-Stores. ++ Kopieren Sie den Inhalt des Verzeichnisses ++ MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis ++ CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie ++ vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann ++ bejahen sie das. ++ ++7. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen ++ wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile ++ beibehalten wollen, dann gehen Sie vor, wie in Punkt b). 
++ ++ a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen: ++ ++ 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles. ++ 2) Kopieren Sie das Verzeichnis ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis ++ CATALINA_HOME\conf\moa-spss. ++ ++ b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie ++ folgt vor, um die Profile auf den aktuellen Stand zu bringen: ++ ++ 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den ++ entsprechenden Profilen im Verzeichnis ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren ++ Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt ++ der einzelnen Profile aus der Distribution ++ (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden ++ Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) ++ kopieren und dabei die vorhandenen gleichnamigen Zertifikate ++ überschreiben), also z.B: Kopieren des Inhalts von ++ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\ ++ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach ++ CATALINA_HOME\conf\moa-spss\trustProfiles\ ++ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. ++ ++8. Update der Default html-Templates für die Bürgerkartenauswahl. ++ ++ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates ++ in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates. ++ b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates ++ in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates. ++ ++9. Update der STORK Konfiguration ++ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork ++ in das Verzeichnis CATALINA_HOME\conf\moa-id\stork. ++ b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration -> ++ 2.4 Konfiguration des SamlEngines an. ++ ++10. 
Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei ++ CATALINA_HOME\conf\moa-id\moa-id.properties ++ ++ a.) configuration.validation.certificate.QC.ignore=false ++ b.) protocols.pvp2.assertion.encryption.active=false ++ ++11. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im ++ Logging von MOA ID beim Einlesen der Konfiguration. ++ ++ ++............................................................................... ++B.6 Durchführung eines Updates von Version <= 1.5.1 ++............................................................................... ++ ++Bitte führen Sie eine Neuinstallation von MOA ID laut Handbuch durch und passen ++Sie die mitgelieferte Musterkonfiguration entsprechend Ihren Bedürfnissen unter ++Zuhilfenahme Ihrer bisherigen Konfiguration an. ++ +diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html +index 6f6d13d..4eb5ea2 100644 +--- a/id/server/doc/handbook/config/config.html ++++ b/id/server/doc/handbook/config/config.html +@@ -259,6 +259,13 @@ UNIX: -Duser.properties=file:C:/Programme/apache/tomcat-8.x.x/conf/moa-id-config + <td>moaconfigpassword</td> + <td>Passwort für den Zugriff auf das Datenbank Schema</td> + </tr> ++ <tr> ++ <td><p>dbcp.validationQuery</p></td> ++ <td>SELECT 1</td> ++ <td><p>SQL Query zum Validieren der Datenbank Verbindung</p> ++ <p><strong>mySQL:</strong> SELECT 1</p> ++ <p><strong>Oracle:</strong> select 1 from dual</p></td> ++ </tr> + </table> + <p> </p> + <p>Die Beispielkonfiguration beinhaltet noch zusätzliche Konfigurationsparameter für den Datenbankzugriff welche direkt aus der Beispielkonfiguration übernommen werden können. 
Eine detaillierte Beschreibung der einzelnen Einstellungsparameter kann der <a href="http://docs.jboss.org/hibernate/core/4.2/manual/en-US/html/">Hibernate Dokumention</a> entnommen werden.</p> +@@ -612,10 +619,17 @@ https://<host>:<port>/moa-id-auth/MonitoringServlet</pre> + <td>Benutzername für den Zugriff auf das Datenbank Schema</td> + </tr> + <tr> +- <td><p>configuration.hibernate.connection.password</p></td> ++ <td>configuration.hibernate.connection.password</td> + <td>moaconfigpassword</td> + <td>Passwort für den Zugriff auf das Datenbank Schema</td> + </tr> ++ <tr> ++ <td><p>configuration.dbcp.validationQuery</p></td> ++ <td>SELECT 1</td> ++ <td><p>SQL Query zum Validieren der Datenbank Verbindung</p> ++ <p><strong>mySQL:</strong> SELECT 1</p> ++ <p><strong>Oracle:</strong> select 1 from dual</p></td> ++ </tr> + </table> + <p> </p> + <h6><a name="basisconfig_moa_id_auth_param_database_session" id="uebersicht_bekanntmachung13"></a>2.2.2.4.2 Session Informationen</h6> +diff --git a/pom.xml b/pom.xml +index cdffb90..3e7e4ea 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -22,12 +22,12 @@ + --> + + <!-- Project Version --> +- <moa-commons-version>3.0.1-Snapshot</moa-commons-version> +- <moa-id-version>3.0.2-Snapshot</moa-id-version> ++ <moa-commons-version>3.0.2</moa-commons-version> ++ <moa-id-version>3.0.2</moa-id-version> + <moa-id-proxy-version>2.0.1-Snapshot</moa-id-proxy-version> +- <moa-spss-version>2.0.5-Snapshot</moa-spss-version> +- <configtool-version>2.0.1-Snapshot</configtool-version> +- <demo-oa-version>2.0.5-Snapshot</demo-oa-version> ++ <moa-spss-version>2.0.5</moa-spss-version> ++ <configtool-version>2.0.2</configtool-version> ++ <demo-oa-version>2.0.5</demo-oa-version> + + <!-- Library Versions --> + <org.springframework.version>4.1.6.RELEASE</org.springframework.version> +@@ -236,7 +236,7 @@ + </goals> + </execution> + </executions> +- </ plugin>--> ++ </plugin> --> + + </plugins> + +-- +1.9.5.msysgit.0 + 
diff --git a/common/src/main/resources/resources/schemas/ts_119612v010201_additionaltypes_xsd.xsd b/common/src/main/resources/resources/schemas/ts_119612v010201_additionaltypes_xsd.xsd
new file mode 100644
index 000000000..4af373cf0
--- /dev/null
+++ b/common/src/main/resources/resources/schemas/ts_119612v010201_additionaltypes_xsd.xsd
@@ -0,0 +1,35 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- ****** NOTICE ****** +This document is part of ETSI TS 119 612. In the event that any +part of this document in conflict with the text of TS 119 612 +then that text shall prevail as the authoritative source +--> +<xsd:schema targetNamespace="http://uri.etsi.org/02231/v2/additionaltypes#" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:tslx="http://uri.etsi.org/02231/v2/additionaltypes#" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" xmlns:tsl="http://uri.etsi.org/02231/v2#" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" elementFormDefault="qualified" attributeFormDefault="unqualified"> + <xsd:import namespace="http://uri.etsi.org/02231/v2#" schemaLocation="http://uri.etsi.org/19612/v1.2.1/tsl.xsd"/> + <xsd:import namespace="http://uri.etsi.org/01903/v1.3.2#" schemaLocation="http://uri.etsi.org/01903/v1.3.2/XAdES.xsd"/> + <xsd:element name="MimeType" type="xsd:string"/> + <xsd:element name="X509CertificateLocation" type="tsl:NonEmptyURIType"/> + <xsd:element name="PublicKeyLocation" type="tsl:NonEmptyURIType"/> + <xsd:element name="ExtendedKeyUsage" type="tslx:ExtendedKeyUsageType"/> + <xsd:complexType name="ExtendedKeyUsageType"> + <xsd:sequence maxOccurs="unbounded"> + <xsd:element name="KeyPurposeId" type="xades:ObjectIdentifierType"/> + </xsd:sequence> + </xsd:complexType> + <xsd:element name="TakenOverBy" type="tslx:TakenOverByType"/> + <xsd:complexType name="TakenOverByType"> + <xsd:sequence> + <xsd:element name="URI" type="tsl:NonEmptyMultiLangURIType"/> + <xsd:element name="TSPName" type="tsl:InternationalNamesType"/> + <xsd:element ref="tsl:SchemeOperatorName"/> + <xsd:element ref="tsl:SchemeTerritory"/> + <xsd:element name="OtherQualifier" type="tsl:AnyType" minOccurs="0" maxOccurs="unbounded"/> + </xsd:sequence> + </xsd:complexType> + <xsd:element name="CertSubjectDNAttribute" type="tslx:CertSubjectDNAttributeType"/> + <xsd:complexType 
name="CertSubjectDNAttributeType"> + <xsd:sequence maxOccurs="unbounded"> + <xsd:element name="AttributeOID" type="xades:ObjectIdentifierType"/> + </xsd:sequence> + </xsd:complexType> +</xsd:schema> diff --git a/common/src/main/resources/resources/schemas/ts_119612v010201_sie_xsd.xsd b/common/src/main/resources/resources/schemas/ts_119612v010201_sie_xsd.xsd new file mode 100644 index 000000000..42a96b78c --- /dev/null +++ b/common/src/main/resources/resources/schemas/ts_119612v010201_sie_xsd.xsd 
@@ -0,0 +1,81 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- ****** NOTICE ****** +This document is part of ETSI TS 119 612. In the event that any +part of this document in conflict with the text of TS 119 612 +then that text shall prevail as the authoritative source +--> +<xsd:schema targetNamespace="http://uri.etsi.org/TrstSvc/SvcInfoExt/eSigDir-1999-93-EC-TrustedList/#" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://uri.etsi.org/TrstSvc/SvcInfoExt/eSigDir-1999-93-EC-TrustedList/#" xmlns:tsl="http://uri.etsi.org/02231/v2#" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" elementFormDefault="qualified" attributeFormDefault="unqualified"> + <xsd:import namespace="http://uri.etsi.org/01903/v1.3.2#" schemaLocation="http://uri.etsi.org/01903/v1.3.2/XAdES.xsd"/> + <xsd:element name="Qualifications" type="tns:QualificationsType"/> + <xsd:complexType name="QualificationsType"> + <xsd:sequence maxOccurs="unbounded"> + <xsd:element name="QualificationElement" type="tns:QualificationElementType"/> + </xsd:sequence> + </xsd:complexType> + <xsd:complexType name="QualificationElementType"> + <xsd:sequence> + <xsd:element name="Qualifiers" type="tns:QualifiersType"/> + <xsd:element name="CriteriaList" type="tns:CriteriaListType"/> + </xsd:sequence> + </xsd:complexType> + <xsd:complexType name="CriteriaListType"> + <xsd:annotation> + <xsd:documentation>Please first try to use the CriteriaList before doing the OtherCriteria extension point.</xsd:documentation> + </xsd:annotation> + <xsd:sequence> + <xsd:element name="KeyUsage" type="tns:KeyUsageType" minOccurs="0" maxOccurs="unbounded"/> + <xsd:element name="PolicySet" type="tns:PoliciesListType" minOccurs="0" maxOccurs="unbounded"/> + <xsd:element name="CriteriaList" type="tns:CriteriaListType" minOccurs="0" maxOccurs="unbounded"/> + <xsd:element name="Description" type="xsd:string" minOccurs="0"/> + <xsd:element 
name="otherCriteriaList" type="xades:AnyType" minOccurs="0"/> + </xsd:sequence> + <xsd:attribute name="assert"> + <xsd:simpleType> + <xsd:restriction base="xsd:string"> + <xsd:enumeration value="all"/> + <xsd:enumeration value="atLeastOne"/> + <xsd:enumeration value="none"/> + </xsd:restriction> + </xsd:simpleType> + </xsd:attribute> + </xsd:complexType> + <xsd:complexType name="QualifiersType"> + <xsd:sequence maxOccurs="unbounded"> + <xsd:element name="Qualifier" type="tns:QualifierType"/> + </xsd:sequence> + </xsd:complexType> + <xsd:complexType name="QualifierType"> + <xsd:attribute name="uri" type="anyURI"/> + </xsd:complexType> + <xsd:complexType name="PoliciesListType"> + <xsd:sequence maxOccurs="unbounded"> + <xsd:element name="PolicyIdentifier" type="xades:ObjectIdentifierType"/> + </xsd:sequence> + </xsd:complexType> + <xsd:complexType name="KeyUsageType"> + <xsd:sequence maxOccurs="9"> + <xsd:element name="KeyUsageBit" type="tns:KeyUsageBitType"/> + </xsd:sequence> + </xsd:complexType> + <xsd:complexType name="KeyUsageBitType"> + <xsd:simpleContent> + <xsd:extension base="xsd:boolean"> + <xsd:attribute name="name"> + <xsd:simpleType> + <xsd:restriction base="xsd:string"> + <xsd:enumeration value="digitalSignature"/> + <xsd:enumeration value="nonRepudiation"/> + <xsd:enumeration value="keyEncipherment"/> + <xsd:enumeration value="dataEncipherment"/> + <xsd:enumeration value="keyAgreement"/> + <xsd:enumeration value="keyCertSign"/> + <xsd:enumeration value="crlSign"/> + <xsd:enumeration value="encipherOnly"/> + <xsd:enumeration value="decipherOnly"/> + </xsd:restriction> + </xsd:simpleType> + </xsd:attribute> + </xsd:extension> + </xsd:simpleContent> + </xsd:complexType> +</xsd:schema> diff --git a/common/src/main/resources/resources/schemas/ts_119612v010201_xsd.xsd b/common/src/main/resources/resources/schemas/ts_119612v010201_xsd.xsd new file mode 100644 index 000000000..fb1852ec0 --- /dev/null 
+++ b/common/src/main/resources/resources/schemas/ts_119612v010201_xsd.xsd 
@@ -0,0 +1,337 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- ****** NOTICE ****** +This document is part of ETSI TS 119 612. In the event that any +part of this document in conflict with the text of TS 119 612 +then that text shall prevail as the authoritative source + +This is a review done in October 2013 as a result of mismatches between the XML Schema and the specification of some data types within TS 119 612, +--> +<xsd:schema targetNamespace="http://uri.etsi.org/02231/v2#" xmlns:tsl="http://uri.etsi.org/02231/v2#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" elementFormDefault="qualified" attributeFormDefault="unqualified"> + <!-- Imports --> + <xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/> + <xsd:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/> + <!-- Begin auxiliary types --> + <!--InternationalNamesType--> + <xsd:complexType name="InternationalNamesType"> + <xsd:sequence> + <xsd:element name="Name" type="tsl:MultiLangNormStringType" maxOccurs="unbounded"/> + </xsd:sequence> + </xsd:complexType> + <xsd:complexType name="MultiLangNormStringType"> + <xsd:simpleContent> + <xsd:extension base="tsl:NonEmptyNormalizedString"> + <xsd:attribute ref="xml:lang" use="required"/> + </xsd:extension> + </xsd:simpleContent> + </xsd:complexType> + <xsd:complexType name="MultiLangStringType"> + <xsd:simpleContent> + <xsd:extension base="tsl:NonEmptyString"> + <xsd:attribute ref="xml:lang" use="required"/> + </xsd:extension> + </xsd:simpleContent> + </xsd:complexType> + <xsd:simpleType name="NonEmptyString"> + <xsd:restriction base="xsd:string"> + <xsd:minLength value="1"/> + </xsd:restriction> + </xsd:simpleType> + <xsd:simpleType name="NonEmptyNormalizedString"> + <xsd:restriction base="xsd:normalizedString"> + 
<xsd:minLength value="1"/> + </xsd:restriction> + </xsd:simpleType> + <!-- AddressType --> + <xsd:complexType name="AddressType"> + <xsd:sequence> + <xsd:element ref="tsl:PostalAddresses"/> + <xsd:element ref="tsl:ElectronicAddress"/> + </xsd:sequence> + </xsd:complexType> + <!--PostalAddressList Type--> + <xsd:element name="PostalAddresses" type="tsl:PostalAddressListType"/> + <xsd:complexType name="PostalAddressListType"> + <xsd:sequence> + <xsd:element ref="tsl:PostalAddress" maxOccurs="unbounded"/> + </xsd:sequence> + </xsd:complexType> + <!--PostalAddress Type--> + <xsd:element name="PostalAddress" type="tsl:PostalAddressType"/> + <xsd:complexType name="PostalAddressType"> + <xsd:sequence> + <xsd:element name="StreetAddress" type="tsl:NonEmptyString"/> + <xsd:element name="Locality" type="tsl:NonEmptyString"/> + <xsd:element name="StateOrProvince" type="tsl:NonEmptyString" minOccurs="0"/> + <xsd:element name="PostalCode" type="tsl:NonEmptyString" minOccurs="0"/> + <xsd:element name="CountryName" type="tsl:NonEmptyString"/> + </xsd:sequence> + <xsd:attribute ref="xml:lang" use="required"/> + </xsd:complexType> + <!--ElectronicAddressType--> + <!-- 2013-10. 
XML Schema CHANGE--> + <!-- ElectronicAddress changed to include MultilLan URIs for e-mails and web sites URIs as specified in TS 119 612--> + <xsd:element name="ElectronicAddress" type="tsl:ElectronicAddressType"/> + <xsd:complexType name="ElectronicAddressType"> + <xsd:sequence> + <xsd:element name="URI" type="tsl:NonEmptyMultiLangURIType" maxOccurs="unbounded"/> + </xsd:sequence> + </xsd:complexType> + <!-- Types for extensions in TSL --> + <xsd:complexType name="AnyType" mixed="true"> + <xsd:sequence minOccurs="0" maxOccurs="unbounded"> + <xsd:any processContents="lax"/> + </xsd:sequence> + </xsd:complexType> + <xsd:element name="Extension" type="tsl:ExtensionType"/> + <xsd:complexType name="ExtensionType"> + <xsd:complexContent> + <xsd:extension base="tsl:AnyType"> + <xsd:attribute name="Critical" type="xsd:boolean" use="required"/> + </xsd:extension> + </xsd:complexContent> + </xsd:complexType> + <xsd:complexType name="ExtensionsListType"> + <xsd:sequence> + <xsd:element ref="tsl:Extension" maxOccurs="unbounded"/> + </xsd:sequence> + </xsd:complexType> + <!--NonEmptyURIType--> + <xsd:simpleType name="NonEmptyURIType"> + <xsd:restriction base="xsd:anyURI"> + <xsd:minLength value="1"/> + </xsd:restriction> + </xsd:simpleType> + <!--NonEmptyURIType with language indication--> + <xsd:complexType name="NonEmptyMultiLangURIType"> + <xsd:simpleContent> + <xsd:extension base="tsl:NonEmptyURIType"> + <xsd:attribute ref="xml:lang" use="required"/> + </xsd:extension> + </xsd:simpleContent> + </xsd:complexType> + <!--List of NonEmptyURIType with language indication--> + <xsd:complexType name="NonEmptyMultiLangURIListType"> + <xsd:sequence> + <xsd:element name="URI" type="tsl:NonEmptyMultiLangURIType" maxOccurs="unbounded"/> + </xsd:sequence> + </xsd:complexType> + <!--List of NonEmptyURIType--> + <xsd:complexType name="NonEmptyURIListType"> + <xsd:sequence> + <xsd:element name="URI" type="tsl:NonEmptyURIType" maxOccurs="unbounded"/> + </xsd:sequence> + </xsd:complexType> 
+ <!-- End auxiliary types --> + <!-- ROOT Element --> + <xsd:element name="TrustServiceStatusList" type="tsl:TrustStatusListType"/> + <!-- Trust Status List Type Definition --> + <!-- 2013-10. XML Schema CHANGE--> + <!-- Attribute TSLTag declared as xsd:anyURI --> + <xsd:complexType name="TrustStatusListType"> + <xsd:sequence> + <xsd:element ref="tsl:SchemeInformation"/> + <xsd:element ref="tsl:TrustServiceProviderList" minOccurs="0"/> + <xsd:element ref="ds:Signature" minOccurs="0"/> + </xsd:sequence> + <xsd:attribute name="TSLTag" type="xsd:anyURI" use="required"/> + <xsd:attribute name="Id" type="xsd:ID" use="optional"/> + </xsd:complexType> + <!-- 2013-10. XML Schema CHANGE--> + <!-- Supressed the type TSLTagType that served to restrict the value of TSLTag by XML Schema--> + <!-- In this way, the XML Schema is independent of the TSLTag value and this may change from version to version--> + <!-- TrustServiceProviderListType--> + <xsd:element name="TrustServiceProviderList" type="tsl:TrustServiceProviderListType"/> + <xsd:complexType name="TrustServiceProviderListType"> + <xsd:sequence> + <xsd:element ref="tsl:TrustServiceProvider" maxOccurs="unbounded"/> + </xsd:sequence> + </xsd:complexType> + <!-- TSL Scheme Information --> + <xsd:element name="SchemeInformation" type="tsl:TSLSchemeInformationType"/> + <xsd:complexType name="TSLSchemeInformationType"> + <xsd:sequence> + <xsd:element name="TSLVersionIdentifier" type="xsd:integer"/> + <xsd:element name="TSLSequenceNumber" type="xsd:positiveInteger"/> + <xsd:element ref="tsl:TSLType"/> + <xsd:element ref="tsl:SchemeOperatorName"/> + <xsd:element name="SchemeOperatorAddress" type="tsl:AddressType"/> + <xsd:element ref="tsl:SchemeName"/> + <xsd:element ref="tsl:SchemeInformationURI"/> + <xsd:element name="StatusDeterminationApproach" type="tsl:NonEmptyURIType"/> + <xsd:element ref="tsl:SchemeTypeCommunityRules" minOccurs="0"/> + <xsd:element ref="tsl:SchemeTerritory" minOccurs="0"/> + <xsd:element 
ref="tsl:PolicyOrLegalNotice" minOccurs="0"/> + <xsd:element name="HistoricalInformationPeriod" type="xsd:nonNegativeInteger"/> + <xsd:element ref="tsl:PointersToOtherTSL" minOccurs="0"/> + <xsd:element name="ListIssueDateTime" type="xsd:dateTime"/> + <xsd:element ref="tsl:NextUpdate"/> + <xsd:element ref="tsl:DistributionPoints" minOccurs="0"/> + <xsd:element name="SchemeExtensions" type="tsl:ExtensionsListType" minOccurs="0"/> + </xsd:sequence> + </xsd:complexType> + <xsd:element name="TSLType" type="tsl:NonEmptyURIType"/> + <xsd:element name="SchemeOperatorName" type="tsl:InternationalNamesType"/> + <xsd:element name="SchemeName" type="tsl:InternationalNamesType"/> + <xsd:element name="SchemeInformationURI" type="tsl:NonEmptyMultiLangURIListType"/> + <!-- 2013-10. XML Schema CHANGE--> + <!-- SchemeTypeCommunityRules changed to include MultilLang URIs for e-mails and web sites URIs as specified in TS 119 612--> + <xsd:element name="SchemeTypeCommunityRules" type="tsl:NonEmptyMultiLangURIListType"/> + <!-- SchemeTerritory --> + <!-- 2014-04. XML Schema CHANGE--> + <!-- element SchemeTerritory is now of type xsd:string. 
Suppressed the restriction of having only 2 characters, + as this element may contain other values than the country codes--> + <xsd:element name="SchemeTerritory" type="xsd:string"/> + <!-- Policy or Legal Notice --> + <xsd:element name="PolicyOrLegalNotice" type="tsl:PolicyOrLegalnoticeType"/> + <xsd:complexType name="PolicyOrLegalnoticeType"> + <xsd:choice> + <xsd:element name="TSLPolicy" type="tsl:NonEmptyMultiLangURIType" maxOccurs="unbounded"/> + <xsd:element name="TSLLegalNotice" type="tsl:MultiLangStringType" maxOccurs="unbounded"/> + </xsd:choice> + </xsd:complexType> + <xsd:element name="NextUpdate" type="tsl:NextUpdateType"/> + <xsd:complexType name="NextUpdateType"> + <xsd:sequence> + <xsd:element name="dateTime" type="xsd:dateTime" minOccurs="0"/> + </xsd:sequence> + </xsd:complexType> + <!--OtherTSLPointersType--> + <xsd:element name="PointersToOtherTSL" type="tsl:OtherTSLPointersType"/> + <xsd:complexType name="OtherTSLPointersType"> + <xsd:sequence> + <xsd:element ref="tsl:OtherTSLPointer" maxOccurs="unbounded"/> + </xsd:sequence> + </xsd:complexType> + <xsd:element name="OtherTSLPointer" type="tsl:OtherTSLPointerType"/> + <xsd:complexType name="OtherTSLPointerType"> + <xsd:sequence> + <xsd:element ref="tsl:ServiceDigitalIdentities" minOccurs="0"/> + <xsd:element name="TSLLocation" type="tsl:NonEmptyURIType"/> + <xsd:element ref="tsl:AdditionalInformation" minOccurs="0"/> + </xsd:sequence> + </xsd:complexType> + <xsd:element name="ServiceDigitalIdentities" type="tsl:ServiceDigitalIdentityListType"/> + <xsd:complexType name="ServiceDigitalIdentityListType"> + <xsd:sequence> + <xsd:element ref="tsl:ServiceDigitalIdentity" maxOccurs="unbounded"/> + </xsd:sequence> + </xsd:complexType> + <xsd:element name="AdditionalInformation" type="tsl:AdditionalInformationType"/> + <xsd:complexType name="AdditionalInformationType"> + <xsd:choice maxOccurs="unbounded"> + <xsd:element name="TextualInformation" type="tsl:MultiLangStringType"/> + <xsd:element 
name="OtherInformation" type="tsl:AnyType"/> + </xsd:choice> + </xsd:complexType> + <!--DistributionPoints element--> + <!-- 2013-10. XML Schema CHANGE--> + <!-- DistributionPointschanged from ElectronicAddress to nonEmptyURIListType as ElectronicAddress does + now contain a list of multilang URIs, which is not required for distribution points--> + <xsd:element name="DistributionPoints" type="tsl:NonEmptyURIListType"/> + <!-- TSPType --> + <xsd:element name="TrustServiceProvider" type="tsl:TSPType"/> + <xsd:complexType name="TSPType"> + <xsd:sequence> + <xsd:element ref="tsl:TSPInformation"/> + <xsd:element ref="tsl:TSPServices"/> + </xsd:sequence> + </xsd:complexType> + <!-- TSPInformationType --> + <xsd:element name="TSPInformation" type="tsl:TSPInformationType"/> + <xsd:complexType name="TSPInformationType"> + <xsd:sequence> + <xsd:element name="TSPName" type="tsl:InternationalNamesType"/> + <xsd:element name="TSPTradeName" type="tsl:InternationalNamesType" minOccurs="0"/> + <xsd:element name="TSPAddress" type="tsl:AddressType"/> + <xsd:element name="TSPInformationURI" type="tsl:NonEmptyMultiLangURIListType"/> + <xsd:element name="TSPInformationExtensions" type="tsl:ExtensionsListType" minOccurs="0"/> + </xsd:sequence> + </xsd:complexType> + <!-- TSP Services--> + <xsd:element name="TSPServices" type="tsl:TSPServicesListType"/> + <xsd:complexType name="TSPServicesListType"> + <xsd:sequence> + <xsd:element ref="tsl:TSPService" maxOccurs="unbounded"/> + </xsd:sequence> + </xsd:complexType> + <xsd:element name="TSPService" type="tsl:TSPServiceType"/> + <xsd:complexType name="TSPServiceType"> + <xsd:sequence> + <xsd:element ref="tsl:ServiceInformation"/> + <xsd:element ref="tsl:ServiceHistory" minOccurs="0"/> + </xsd:sequence> + </xsd:complexType> + <!-- TSPServiceInformationType --> + <xsd:element name="ServiceInformation" type="tsl:TSPServiceInformationType"/> + <xsd:complexType name="TSPServiceInformationType"> + <xsd:sequence> + <xsd:element 
ref="tsl:ServiceTypeIdentifier"/> + <xsd:element name="ServiceName" type="tsl:InternationalNamesType"/> + <xsd:element ref="tsl:ServiceDigitalIdentity"/> + <xsd:element ref="tsl:ServiceStatus"/> + <xsd:element name="StatusStartingTime" type="xsd:dateTime"/> + <xsd:element name="SchemeServiceDefinitionURI" type="tsl:NonEmptyMultiLangURIListType" minOccurs="0"/> + <xsd:element ref="tsl:ServiceSupplyPoints" minOccurs="0"/> + <xsd:element name="TSPServiceDefinitionURI" type="tsl:NonEmptyMultiLangURIListType" minOccurs="0"/> + <xsd:element name="ServiceInformationExtensions" type="tsl:ExtensionsListType" minOccurs="0"/> + </xsd:sequence> + </xsd:complexType> + <!-- Service status --> + <xsd:element name="ServiceStatus" type="tsl:NonEmptyURIType"/> + <!-- Type for Service Supply Points --> + <xsd:element name="ServiceSupplyPoints" type="tsl:ServiceSupplyPointsType"/> + <xsd:complexType name="ServiceSupplyPointsType"> + <xsd:sequence maxOccurs="unbounded"> + <xsd:element name="ServiceSupplyPoint" type="tsl:NonEmptyURIType"/> + </xsd:sequence> + </xsd:complexType> + <!-- TSPServiceIdentifier --> + <xsd:element name="ServiceTypeIdentifier" type="tsl:NonEmptyURIType"/> + <!-- DigitalIdentityType --> + <xsd:element name="ServiceDigitalIdentity" type="tsl:DigitalIdentityListType"/> + <xsd:complexType name="DigitalIdentityListType"> + <xsd:sequence> + <xsd:element name="DigitalId" type="tsl:DigitalIdentityType" minOccurs="0" maxOccurs="unbounded"/> + </xsd:sequence> + </xsd:complexType> + <xsd:complexType name="DigitalIdentityType"> + <xsd:choice> + <xsd:element name="X509Certificate" type="xsd:base64Binary"/> + <xsd:element name="X509SubjectName" type="xsd:string"/> + <xsd:element ref="ds:KeyValue"/> + <xsd:element name="X509SKI" type="xsd:base64Binary"/> + <xsd:element name="Other" type="tsl:AnyType" minOccurs="0"/> + </xsd:choice> + </xsd:complexType> + <!-- ServiceHistory element--> + <xsd:element name="ServiceHistory" type="tsl:ServiceHistoryType"/> + <xsd:complexType 
name="ServiceHistoryType"> + <xsd:sequence> + <xsd:element ref="tsl:ServiceHistoryInstance" minOccurs="0" maxOccurs="unbounded"/> + </xsd:sequence> + </xsd:complexType> + <xsd:element name="ServiceHistoryInstance" type="tsl:ServiceHistoryInstanceType"/> + <xsd:complexType name="ServiceHistoryInstanceType"> + <xsd:sequence> + <xsd:element ref="tsl:ServiceTypeIdentifier"/> + <xsd:element name="ServiceName" type="tsl:InternationalNamesType"/> + <xsd:element ref="tsl:ServiceDigitalIdentity"/> + <xsd:element ref="tsl:ServiceStatus"/> + <xsd:element name="StatusStartingTime" type="xsd:dateTime"/> + <xsd:element name="ServiceInformationExtensions" type="tsl:ExtensionsListType" minOccurs="0"/> + </xsd:sequence> + </xsd:complexType> + <!-- Elements and types for Extensions --> + <!-- Extensions children of tsl:VaExtension--> + <!-- Element ExpiredCertsRevocationInfo --> + <xsd:element name="ExpiredCertsRevocationInfo" type="xsd:dateTime"/> + <!-- Element additionalServiceInformation --> + <xsd:element name="AdditionalServiceInformation" type="tsl:AdditionalServiceInformationType"/> + <xsd:complexType name="AdditionalServiceInformationType"> + <xsd:sequence> + <xsd:element name="URI" type="tsl:NonEmptyMultiLangURIType"/> + <xsd:element name="InformationValue" type="xsd:string" minOccurs="0"/> + <xsd:element name="OtherInformation" type="tsl:AnyType" minOccurs="0"/> + </xsd:sequence> + </xsd:complexType> +</xsd:schema> diff --git a/id/server/data/deploy/conf/moa-id/moa-id.properties b/id/server/data/deploy/conf/moa-id/moa-id.properties index aefc0801a..09568ce68 100644 --- a/id/server/data/deploy/conf/moa-id/moa-id.properties +++ b/id/server/data/deploy/conf/moa-id/moa-id.properties 
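Review bot: The `xsd:import` elements at the top of this hunk reference `http://www.w3.org/2001/xml.xsd` and `http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd` by remote `schemaLocation`, and the two sibling schemas added in this commit do the same for `tsl.xsd` and `XAdES.xsd` even though `tsl.xsd` is now bundled as this very file. If these schemas are fed to a validating parser that honours `schemaLocation` (the loader is not visible here), every trust-list validation would fetch schema text over plain HTTP, which is both an availability dependency and a tampering vector for the schema used while checking TSL signatures. I'd resolve all of them to the bundled copies via an `LSResourceResolver` or XML catalog and set `XMLConstants.ACCESS_EXTERNAL_SCHEMA` and `ACCESS_EXTERNAL_DTD` to `""` on the `SchemaFactory`, and state that in a comment at the top of the file: `<!-- schemaLocation URIs must be resolved to the bundled copies in this directory; the loader must never fetch them from the network -->`.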
@@ -52,7 +52,7 @@ stork.documentservice.url= moa.id.protocols.eIDAS.samlengine.config.file=eIDAS/SamlEngine_basics.xml moa.id.protocols.eIDAS.samlengine.sign.config.file=eIDAS/SignModule.xml moa.id.protocols.eIDAS.samlengine.enc.config.file=eIDAS/EncryptModule.xml - +moa.id.protocols.eIDAS.metadata.validation.truststore=eIDAS_metadata ##Protocol configuration## #PVP2 diff --git a/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml b/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml index 9d130971d..ce5a21d57 100644 --- a/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml +++ b/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml @@ -47,6 +47,10 @@ <cfg:Id>C-PEPS</cfg:Id> <cfg:TrustAnchorsLocation>trustProfiles/C-PEPS</cfg:TrustAnchorsLocation> </cfg:TrustProfile> + <cfg:TrustProfile> + <cfg:Id>eIDAS_metadata</cfg:Id> + <cfg:TrustAnchorsLocation>trustProfiles/eIDAS_metadata</cfg:TrustAnchorsLocation> + </cfg:TrustProfile> </cfg:PathValidation> <cfg:RevocationChecking> <cfg:EnableChecking>true</cfg:EnableChecking> diff --git a/id/server/data/deploy/conf/moa-spss/trustProfiles/eIDAS_metadata/eIDAS_test_node.crt b/id/server/data/deploy/conf/moa-spss/trustProfiles/eIDAS_metadata/eIDAS_test_node.crt new file mode 100644 index 000000000..14e5e5cb5 --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/trustProfiles/eIDAS_metadata/eIDAS_test_node.crt 
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIFMTCCAxkCBFYbwMgwDQYJKoZIhvcNAQENBQAwXTELMAkGA1UEBhMCQkUxCzAJBgNVBAgMAkVV +MREwDwYDVQQHDAhCcnVzc2VsczELMAkGA1UECgwCRUMxDjAMBgNVBAsMBURJR0lUMREwDwYDVQQD +DAhtZXRhZGF0YTAeFw0xNTEwMTIxNDE2NDBaFw0xNjEwMTExNDE2NDBaMF0xCzAJBgNVBAYTAkJF +MQswCQYDVQQIDAJFVTERMA8GA1UEBwwIQnJ1c3NlbHMxCzAJBgNVBAoMAkVDMQ4wDAYDVQQLDAVE +SUdJVDERMA8GA1UEAwwIbWV0YWRhdGEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCN +5mYsOKzSJ9ksT9dHtFOztF1M8GIMeBLm6chIvtKHwXVLzO53RKhcOwt0j847VL6m5PcAAp57SutC +DeukA8p6UCUA905p+m7+dt7iEsUV3yje4M8dDFS/LwEF9GhFm3v471ZRYPDW769v14QkmnA9vxWB +WAj4WcMRMats9choHJdnRa1xUnVjx8yMojoVaPwt1tkG/rRnPev2o0g+VI63XkYd1pLKAU5Pt+n7 +LevLPJsvgkKLQhEB7bvMG1tZ1P4fJ0n3FOHmfLHJ/yEWA+hHXorX5T3G8Fq6GsI5O/c1zkZ7QMSw +WwzXDbq5qrfyzesdlTPfdsPnFIRddCgx8NuVwI+brlYDSdLGEm+byfM9W4WmfDN6SK1oGMSibuz7 +K49Xh0MFVKNyxT9hCz309UiV71RGnveZxdMGu4vdzP74Ll3G48IIgQ4ymFPMONYBesuorxDunSqs +R2F1+Th7k7UXL1xblFRaEyqdHlvhVrJqDP6sM9k3lM75aN4L4QMOyKRAqar+Q7f7NoUcx8cvHfqD +GLJUPcqn2msMa3mAXO5ihA2ERN41wmnmeJzsd/UiFkaqIvXUTZVwxUfQWn3D9uCg2lRAvOTHydkP +Cfwj4BtL0P9L3eSZ9NM8IGlTmlyApp2bPlzO92BsE8RE7feOmSLZESDKosqkQzZo2CMr/7V9XQID +AQABMA0GCSqGSIb3DQEBDQUAA4ICAQALfSi+sa90MbJkAeTIA/la1ibtRkPX6jIjHBvkeq8IYEZi +XxjJvI4CuQY6WSPMoDY0w9iJvKIygCxRlVi77CtFzu/otOLrXb8ozInopykRMIH4TyVmKYf//CoE +fkQ3vThaf1JLpKpLuhtqHwV03f7jwODaJBqvqdaBX3VHHMPDOeAWQTAd2abMoHgYRlUgB9TKcbJ1 +akWUyX7hnwZSCiKWbL4nrwsFJc0skFVkfjEQxlZUeRXj/bKgnb0BYUsPsFfxXKJIsIc8CmXGvxKz +B5TSpYIR79WliT9Fo8T1dJ9a/wr+bOXeM/aSUxLechCl+uDuP8yI2iRz9LT++/16HOrRSUuefHpo +7wJLJnALMABW21eMwS2XBInUBrBN9CVGAJUDF6GQWMbfxA8x0uh4oKoa/4stP5maaf/FBe52pNNv +Tacb7P3xJc0mS7jatuAHH0UfXy3+3D3z+SJY4Vy2a1cj5U1nUuxxwIRwsoRtWph0BER4RlOz4lXS +N8ZK9ahgmCsndm+eDvIJm706s7bd8m/X8Xc/lMK+eKhrK6uIIMmkwbdzbgsOS7Plj9IMGm0S4Kdb +rnAKhkhAXUi4zbd55aTx1kDodpid/dYPiqxSauyYmCXKbyFCAfY76Zw9SuFBRJClx4h5Mxb/EEpq +1WHM9IyZshufnuZ587WzqtGmJJubTA== +-----END CERTIFICATE-----
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java new file mode 100644 index 000000000..e321c9d05 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java 
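Review bot: The trust anchor added here is, going by its file name and what the embedded subject and issuer fields appear to decode to (C=BE, O=EC, OU=DIGIT, CN=metadata, identical for both), a self-signed certificate of an eIDAS test node, and its validity fields appear to run from 2015-10-12 to 2016-10-11. Shipping it under `trustProfiles/eIDAS_metadata` in the sample deployment means a default install accepts eIDAS metadata signed by that test key until the profile is replaced, and validation against this profile will start failing once the anchor expires. Neither the sample configuration hunk nor the new property in moa-id.properties says so; a comment next to `moa.id.protocols.eIDAS.metadata.validation.truststore=eIDAS_metadata` such as `# eIDAS_metadata ships with a test-node certificate only; replace the trust anchor before production use` would make that explicit.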
@@ -0,0 +1,172 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ +package at.gv.egovernment.moa.id.auth.builder; + +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; + +import org.w3c.dom.Document; +import org.w3c.dom.Element; +import org.w3c.dom.Node; + +import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.id.auth.exception.ServiceException; +import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; +import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.Constants; + +/** + * @author tlenz + * + */ +public class SignatureVerificationUtils { + /** shortcut for XMLNS namespace URI */ + private static final String XMLNS_NS_URI = Constants.XMLNS_NS_URI; + /** shortcut for MOA namespace URI */ + private static final String MOA_NS_URI = Constants.MOA_NS_URI; + /** The DSIG-Prefix */ + private static final String DSIG = Constants.DSIG_PREFIX + ":"; + + /** The document containing the <code>VerifyXMLsignatureRequest</code> */ + private Document requestDoc_; + /** the <code>VerifyXMLsignatureRequest</code> root element */ + private Element requestElem_; + + + public SignatureVerificationUtils() throws BuildException { + try { + DocumentBuilder docBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); + requestDoc_ = docBuilder.newDocument(); + requestElem_ = requestDoc_.createElementNS(MOA_NS_URI, "VerifyXMLSignatureRequest"); + requestElem_.setAttributeNS(XMLNS_NS_URI, "xmlns", MOA_NS_URI); + requestElem_.setAttributeNS(XMLNS_NS_URI, "xmlns:" + Constants.DSIG_PREFIX, Constants.DSIG_NS_URI); + requestDoc_.appendChild(requestElem_); + + } catch (Throwable t) { + throw new 
BuildException( + "builder.00", + new Object[] {"VerifyXMLSignatureRequest", t.toString()}, + t); + } + } + + public VerifyXMLSignatureResponse verify(byte[] signature, String trustProfileID) throws MOAIDException { + try { + //build signature-verification request + Element domVerifyXMLSignatureRequest = build(signature, trustProfileID); + + //send signature-verification to MOA-SP + Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker() + .verifyXMLSignature(domVerifyXMLSignatureRequest); + + // parses the <VerifyXMLSignatureResponse> + VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser( + domVerifyXMLSignatureResponse).parseData(); + + return verifyXMLSignatureResponse; + + } catch (ParseException e) { + Logger.error("Build signature-verification request FAILED." ,e); + throw e; + + } catch (ServiceException e) { + Logger.error("MOA-SP signature verification FAILED." ,e); + throw e; + + } + + } + + /** + * Builds a <code><VerifyXMLSignatureRequest></code> + * from an IdentityLink with a known trustProfileID which + * has to exist in MOA-SP + * @param signature - The XML signature as byte[] + * @param trustProfileID - a preconfigured TrustProfile at MOA-SP + * + * @return Element - The complete request as Dom-Element + * + * @throws ParseException + */ + private Element build(byte[] signature, String trustProfileID) + throws ParseException + { + try { + // build the request + Element verifiySignatureInfoElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureInfo"); + requestElem_.appendChild(verifiySignatureInfoElem); + Element verifySignatureEnvironmentElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureEnvironment"); + verifiySignatureInfoElem.appendChild(verifySignatureEnvironmentElem); + Element base64ContentElem = requestDoc_.createElementNS(MOA_NS_URI, "Base64Content"); + verifySignatureEnvironmentElem.appendChild(base64ContentElem); + + // insert the base64 encoded signature 
+ String base64EncodedAssertion = Base64Utils.encode(signature); + //replace all '\r' characters by no char. + StringBuffer replaced = new StringBuffer(); + for (int i = 0; i < base64EncodedAssertion.length(); i ++) { + char c = base64EncodedAssertion.charAt(i); + if (c != '\r') { + replaced.append(c); + } + } + base64EncodedAssertion = replaced.toString(); + Node base64Content = requestDoc_.createTextNode(base64EncodedAssertion); + base64ContentElem.appendChild(base64Content); + + // specify the signature location + Element verifySignatureLocationElem = + requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureLocation"); + verifiySignatureInfoElem.appendChild(verifySignatureLocationElem); + Node signatureLocation = requestDoc_.createTextNode(DSIG + "Signature"); + verifySignatureLocationElem.appendChild(signatureLocation); + + // signature manifest params + Element signatureManifestCheckParamsElem = + requestDoc_.createElementNS(MOA_NS_URI, "SignatureManifestCheckParams"); + requestElem_.appendChild(signatureManifestCheckParamsElem); + signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "false"); + + Element returnHashInputDataElem = + requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData"); + requestElem_.appendChild(returnHashInputDataElem); + + //add trustProfileID + Element trustProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "TrustProfileID"); + trustProfileIDElem.appendChild(requestDoc_.createTextNode(trustProfileID)); + requestElem_.appendChild(trustProfileIDElem); + } catch (Throwable t) { + throw new ParseException("builder.00", + new Object[] { "VerifyXMLSignatureRequest (IdentityLink)" }, t); + } + + return requestElem_; + } +} 
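Review bot: `build()` appends `VerifySignatureInfo`, `SignatureManifestCheckParams`, `ReturnHashInputData` and `TrustProfileID` to the `requestElem_` created in the constructor, so a second `verify()` on the same `SignatureVerificationUtils` instance produces a request with every one of these elements duplicated. Either create the document and root element inside `build()` so each call starts from a fresh request, or make the contract explicit on the constructor: `/** Single-use builder: each instance supports exactly one verify() call, because build() appends to the shared request element. */`. The Javadoc of `build()` and the message passed to `ParseException` ("VerifyXMLSignatureRequest (IdentityLink)") still talk about an IdentityLink although this class verifies an arbitrary signature blob, which will mislead whoever reads the log. As a style point, the character loop that strips carriage returns is `String base64EncodedAssertion = Base64Utils.encode(signature).replace("\r", "");`.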
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java index 72a7d3ba1..72a7d3ba1 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java index 7bce406e0..7bce406e0 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/VerifyXMLSignatureResponseParser.java diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java index ad3268b90..1d8ea4cd4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java @@ -89,6 +89,11 @@ public interface AuthConfiguration extends ConfigurationProvider{ public boolean isAdvancedLoggingActive(); + /** + * Returns the PublicURLPrefix. NOTE: returns {@code null} if no PublicURLPrefix is set. + * + * @return the PublicURLPrefix without trailing slash or {@code null} + */ public String getPublicURLPrefix(); public boolean isPVP2AssertionEncryptionActive(); 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAStringRedirectDeflateEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAStringRedirectDeflateEncoder.java index ece1a805d..acbb67b34 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAStringRedirectDeflateEncoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAStringRedirectDeflateEncoder.java @@ -27,6 +27,7 @@ import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; import org.opensaml.ws.message.MessageContext; import org.opensaml.ws.message.encoder.MessageEncodingException; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.logging.Logger; /** @@ -45,6 +46,9 @@ public class MOAStringRedirectDeflateEncoder extends HTTPRedirectDeflateEncoder "Invalid message context type, this encoder only support SAMLMessageContext"); } + //load default PVP security configurations + MOADefaultBootstrap.initializeDefaultPVPConfiguration(); + SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext; String endpointURL = getEndpointURL(samlMsgCtx).buildURL(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 5402e3dce..65400444d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java 
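Review bot: `MOADefaultBootstrap.initializeDefaultPVPConfiguration()` is now invoked inside the per-message encode path, and the MOADefaultBootstrap hunk further down shows it simply forwards to `initializeGlobalSecurityConfiguration()` with no guard, so OpenSAML's process-global security configuration is rebuilt on every encoded message; the same call is added in the PostBinding, RedirectBinding and SoapBinding hunks. If the intent is one-time initialisation, a static once-guard inside `initializeDefaultPVPConfiguration()` would avoid the repeated work; if the intent is to re-apply the PVP defaults because another component (presumably the eIDAS SAML engine) replaces the global configuration, that is a race between concurrent requests on shared state and the comment should say so, e.g. `// re-apply PVP defaults: the global OpenSAML SecurityConfiguration is shared and may have been replaced by another SAML engine`. The enclosing encode method starts and ends outside the hunk.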
@@ -28,6 +28,7 @@ import javax.servlet.http.HttpServletResponse; import org.apache.velocity.app.VelocityEngine; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.common.binding.SAMLMessageContext; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.decoding.HTTPPostDecoder; import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; @@ -51,6 +52,7 @@ import org.opensaml.xml.security.x509.X509Credential; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; @@ -74,6 +76,9 @@ public class PostBinding implements IDecoder, IEncoder { X509Credential credentials = CredentialProvider .getIDPAssertionSigningCredential(); + //load default PVP security configurations + MOADefaultBootstrap.initializeDefaultPVPConfiguration(); + VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine(); HTTPPostEncoder encoder = new HTTPPostEncoder(engine, "resources/templates/pvp_postbinding_template.html"); @@ -109,6 +114,9 @@ public class PostBinding implements IDecoder, IEncoder { X509Credential credentials = CredentialProvider .getIDPAssertionSigningCredential(); + //load default PVP security configurations + MOADefaultBootstrap.initializeDefaultPVPConfiguration(); + Logger.debug("create SAML POSTBinding response"); VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine(); 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 81863f48f..9a505a7b0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -27,6 +27,7 @@ import javax.servlet.http.HttpServletResponse; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.common.binding.SAMLMessageContext; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder; import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; @@ -51,6 +52,7 @@ import org.opensaml.xml.security.x509.X509Credential; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; @@ -73,6 +75,9 @@ public class RedirectBinding implements IDecoder, IEncoder { X509Credential credentials = CredentialProvider .getIDPAssertionSigningCredential(); + //load default PVP security configurations + MOADefaultBootstrap.initializeDefaultPVPConfiguration(); + Logger.debug("create SAML RedirectBinding response"); HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); 
@@ -103,6 +108,9 @@ public class RedirectBinding implements IDecoder, IEncoder { X509Credential credentials = CredentialProvider .getIDPAssertionSigningCredential(); + //load default PVP security configurations + MOADefaultBootstrap.initializeDefaultPVPConfiguration(); + Logger.debug("create SAML RedirectBinding response"); HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index a2583c706..fee508d33 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -29,6 +29,7 @@ import javax.servlet.http.HttpServletResponse; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.common.binding.SAMLMessageContext; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder; import org.opensaml.saml2.core.RequestAbstractType; @@ -48,6 +49,7 @@ import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.signature.SignableXMLObject; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; 
@@ -130,6 +132,9 @@ public class SoapBinding implements IDecoder, IEncoder { Credential credentials = CredentialProvider .getIDPAssertionSigningCredential(); + //load default PVP security configurations + MOADefaultBootstrap.initializeDefaultPVPConfiguration(); + HTTPSOAP11Encoder encoder = new HTTPSOAP11Encoder(); HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( resp, true); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java index 80789cd12..b731e2a95 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java @@ -50,7 +50,10 @@ public class MOADefaultBootstrap extends DefaultBootstrap { } - + public static void initializeDefaultPVPConfiguration() { + initializeGlobalSecurityConfiguration(); + + } /** * Initializes the default global security configuration. diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index f33cadc41..f4c099878 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java 
@@ -60,7 +60,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; @@ -422,8 +422,8 @@ public class MOAMetadataProvider implements ObservableMetadataProvider{ internalProvider = chainProvider; } - private MetadataFilterChain buildMetadataFilterChain(OAAuthParameter oaParam, String metadataURL, byte[] certificate) throws CertificateException { - MetadataFilterChain filterChain = new MetadataFilterChain(metadataURL, certificate); + private PVPMetadataFilterChain buildMetadataFilterChain(OAAuthParameter oaParam, String metadataURL, byte[] certificate) throws CertificateException { + PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate); filterChain.getFilters().add(new SchemaValidationFilter()); if (oaParam.isInderfederationIDP()) { @@ -435,7 +435,7 @@ public class MOAMetadataProvider implements ObservableMetadataProvider{ return filterChain; } - private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName, MetadataFilterChain filter) { + private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName, PVPMetadataFilterChain filter) { HTTPMetadataProvider httpProvider = null; Timer timer= null; MOAHttpClient httpClient = null; 
@@ -470,7 +470,7 @@ public class MOAMetadataProvider implements ObservableMetadataProvider{ //httpProvider.setRefreshDelayFactor(0.1F); if (filter == null) { - filter = new MetadataFilterChain(metadataURL, certificate); + filter = new PVPMetadataFilterChain(metadataURL, certificate); } httpProvider.setMetadataFilter(filter); httpProvider.initialize(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPMetadataFilterChain.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPMetadataFilterChain.java new file mode 100644 index 000000000..4c1da747b --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPMetadataFilterChain.java 
@@ -0,0 +1,54 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; + +import java.security.cert.CertificateException; + +import at.gv.egovernment.moa.id.saml2.MetadataFilterChain; + +/** + * @author tlenz + * + */ +public class PVPMetadataFilterChain extends MetadataFilterChain { + + + /** + * @throws CertificateException + * + */ + public PVPMetadataFilterChain(String url, byte[] certificate) throws CertificateException { + addDefaultFilters(url, certificate); + } + + public void addDefaultFilters(String url, byte[] certificate) throws CertificateException { + addFilter(new MetadataSignatureFilter(url, certificate)); + + } + + + + + + +} 
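Review bot: `addDefaultFilters` is public and is invoked from the constructor, so a subclass that overrides it would run its override before its own fields are initialised; declare it `protected final void addDefaultFilters(String url, byte[] certificate)` (or `private`), or mark the class `final`. The constructor Javadoc carries a bare `@throws CertificateException` with no description and no `@param` for `url` and `certificate`; it should state that the chain is created with a `MetadataSignatureFilter` for the given URL and certificate and that `CertificateException` is raised when that certificate cannot be parsed. The run of empty lines before the closing brace can be dropped.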
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/saml2/MetadataFilterChain.java index 4e1d939ff..e7412a0fc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/saml2/MetadataFilterChain.java @@ -20,9 +20,8 @@ * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. */ -package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; +package at.gv.egovernment.moa.id.saml2; -import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.List; @@ -39,25 +38,23 @@ import at.gv.egovernment.moa.logging.Logger; public class MetadataFilterChain implements MetadataFilter { private List<MetadataFilter> filters = new ArrayList<MetadataFilter>(); - + /** - * @throws CertificateException + * Return all actually used Metadata filters * + * @return List of Metadata filters */ - public MetadataFilterChain(String url, byte[] certificate) throws CertificateException { - addDefaultFilters(url, certificate); - } - - public void addDefaultFilters(String url, byte[] certificate) throws CertificateException { - filters.add(new MetadataSignatureFilter(url, certificate)); - + public List<MetadataFilter> getFilters() { + return filters; } /** - * @return the filter + * Add a new Metadata filter to filterchain + * + * @param filter */ - public List<MetadataFilter> getFilters() { - return filters; + public void addFilter(MetadataFilter filter) { + filters.add(filter); } 
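Review bot: With the constructor removed, `MetadataFilterChain` no longer guarantees a `MetadataSignatureFilter`: a `new MetadataFilterChain()` with no `addFilter` call is a valid filter whose `doFilter` iterates an empty list and accepts the metadata as-is. Since the class has become the shared base for PVP (and, judging by the import in the new eIDAS provider, eIDAS) metadata providers, the class Javadoc should state that callers are responsible for adding a signature filter, and `doFilter` would benefit from `if (filters.isEmpty()) { Logger.warn("MetadataFilterChain contains no filters - metadata is accepted unverified"); }` so a misconfigured chain is visible in the logs. `getFilters()` still hands out the internal mutable list, which `addFilter` now duplicates as an API; documenting `getFilters` as a live view (or returning an unmodifiable view once callers use `addFilter`) would avoid two ways of mutating the chain.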
@@ -67,16 +64,10 @@ public class MetadataFilterChain implements MetadataFilter { @Override public void doFilter(XMLObject arg0) throws FilterException { for (MetadataFilter filter : filters) { - Logger.trace("Use MOAMetadatafilter " + filter.getClass().getName()); + Logger.trace("Use MOAMetadataFilter " + filter.getClass().getName()); filter.doFilter(arg0); } } - - - - - - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java index d0da0003f..099a70470 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java @@ -102,7 +102,7 @@ public class PVPtoSTORKMapper { public String mapeIDASQAAToSTORKQAA(String qaaLevel) { if (mapping != null) { String input = qaaLevel.substring(eIDAS_QAA_PREFIX.length()); - String mappedQAA = mapping.getProperty(MAPPING_EIDAS_PREFIX + input); + String mappedQAA = mapping.getProperty(input); if (MiscUtil.isNotEmpty(mappedQAA)) { Logger.info("Map eIDAS-QAA " + qaaLevel + " to STORK-QAA " + mappedQAA); return mappedQAA; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java index 9f347b4ee..1d4556459 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java 
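Review bot: The new lookup key in `mapeIDASQAAToSTORKQAA` is `qaaLevel` with `eIDAS_QAA_PREFIX` cut off by `substring`, but nothing checks that `qaaLevel` actually starts with that prefix: a shorter value throws `StringIndexOutOfBoundsException` and a value with a different prefix is looked up under a truncated key, and the value presumably originates from the remote response. Unless callers already guarantee the prefix, guard the mapping: `if (mapping != null && qaaLevel != null && qaaLevel.startsWith(eIDAS_QAA_PREFIX)) {`. The substring itself is a context line, but the change to the lookup key makes the missing check worth addressing here; the method continues outside the hunk.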
@@ -28,8 +28,8 @@ package at.gv.egovernment.moa.id.auth.modules.eidas;
 */
 public class Constants {
- //public static final String eIDAS_SAML_ENGINE_NAME = "MOA_eIDASEninge";
 public static final String eIDAS_SAML_ENGINE_NAME = "default";
+ public static final String SSLSOCKETFACTORYNAME = "eIDASMetadataSSLSocketFactory";
 //default keys for eIDAS SAML-engine configuration
 public static final String eIDAS_SAML_ENGINE_NAME_ID_BASICCONFIG = "SamlEngineConf";
@@ -45,20 +45,30 @@ public class Constants { public static final String CONIG_PROPS_EIDAS_PREFIX="moa.id.protocols.eIDAS"; public static final String CONIG_PROPS_EIDAS_SAMLENGINE="samlengine"; public static final String CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX=CONIG_PROPS_EIDAS_PREFIX + "." + CONIG_PROPS_EIDAS_SAMLENGINE; - public static final String CONIG_PROPS_EIDAS_SAMLENGINE_BASIC_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + ".config.file"; - + public static final String CONIG_PROPS_EIDAS_SAMLENGINE_BASIC_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + ".config.file"; public static final String CONIG_PROPS_EIDAS_SAMLENGINE_SIGN="sign"; public static final String CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT="enc"; public static final String CONIG_PROPS_EIDAS_SAMLENGINE_SIGN_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + "." + CONIG_PROPS_EIDAS_SAMLENGINE_SIGN + ".config.file"; public static final String CONIG_PROPS_EIDAS_SAMLENGINE_ENC_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + "." 
- + CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT + ".config.file"; + + CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT + ".config.file"; + public static final String CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE = CONIG_PROPS_EIDAS_PREFIX + ".metadata.validation.truststore"; - public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation + //timeouts and clock skews + public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation + public static final int CONFIG_PROPS_METADATA_SOCKED_TIMEOUT = 20 * 1000; //20 seconds metadata socked timeout + //eIDAS attribute names public static final String eIDAS_ATTR_PERSONALIDENTIFIER = "PersonIdentifier"; public static final String eIDAS_ATTR_DATEOFBIRTH = "DateOfBirth"; public static final String eIDAS_ATTR_CURRENTGIVENNAME = "CurrentGivenName"; public static final String eIDAS_ATTR_CURRENTFAMILYNAME = "CurrentFamilyName"; + + //http endpoint descriptions + public static final String eIDAS_HTTP_ENDPOINT_SP_POST = "/eidas/sp/post"; + public static final String eIDAS_HTTP_ENDPOINT_SP_REDIRECT = "/eidas/sp/redirect"; + public static final String eIDAS_HTTP_ENDPOINT_IDP_POST = "/eidas/idp/post"; + public static final String eIDAS_HTTP_ENDPOINT_IDP_REDIRECT = "/eidas/idp/redirect"; + public static final String eIDAS_HTTP_ENDPOINT_METADATA = "/eidas/metadata"; } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java index 556947572..49f0451cb 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java 
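Review bot: The new public constant `CONFIG_PROPS_METADATA_SOCKED_TIMEOUT` and its trailing comment misspell "socket"; since it is introduced here, rename it to `CONFIG_PROPS_METADATA_SOCKET_TIMEOUT` now, before other modules depend on the name. The `CONIG_` prefix on the surrounding constants is pre-existing and out of scope for this commit. The new `eIDAS_HTTP_ENDPOINT_*` constants are compile-time constant strings, so they can be used directly in servlet annotations (see the eIDASSignalServlet hunk) instead of repeating the literals.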
@@ -22,30 +22,19 @@ */ package at.gv.egovernment.moa.id.auth.modules.eidas; -import java.io.ByteArrayInputStream; - import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServletRequest; -import javax.xml.xpath.XPath; -import javax.xml.xpath.XPathConstants; -import javax.xml.xpath.XPathExpression; -import javax.xml.xpath.XPathFactory; import org.apache.commons.lang.StringEscapeUtils; -import org.apache.commons.lang3.StringUtils; -import org.springframework.util.xml.SimpleNamespaceContext; -import org.w3c.dom.Document; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Base64Utils; /** * @author tlenz * */ -@WebServlet(urlPatterns = { "/eidas/post", "/eidas/redirect"}, loadOnStartup = 1) +@WebServlet(urlPatterns = { "/eidas/sp/post", "/eidas/sp/redirect"}, loadOnStartup = 1) public class eIDASSignalServlet extends ProcessEngineSignalServlet { private static final long serialVersionUID = 8215688005533754459L; @@ -53,7 +42,7 @@ public class eIDASSignalServlet extends ProcessEngineSignalServlet { public eIDASSignalServlet() { super(); Logger.debug("Registering servlet " + getClass().getName() + - " with mappings '/eidas/post' and '/eidas/redirect'."); + " with mappings '/eidas/sp/post' and '/eidas/sp/redirect'."); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java new file mode 100644 index 000000000..f1b14015b --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java 
@@ -0,0 +1,290 @@ +package at.gv.egovernment.moa.id.auth.modules.eidas.engine; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Timer; + +import javax.net.ssl.SSLHandshakeException; +import javax.xml.namespace.QName; + +import org.apache.commons.httpclient.MOAHttpClient; +import org.apache.commons.httpclient.params.HttpClientParams; +import org.opensaml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.RoleDescriptor; +import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider; +import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.saml2.metadata.provider.MetadataProvider; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider; +import org.opensaml.xml.XMLObject; + +import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; +import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; +import at.gv.egovernment.moa.id.saml2.MetadataFilterChain; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; +import eu.eidas.auth.engine.AbstractSAMLEngine; + +public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider { + + private static MOAeIDASChainingMetadataProvider instance = null; + 
private static Object mutex = new Object(); + + private MetadataProvider internalProvider; + + + public static MOAeIDASChainingMetadataProvider getInstance() { + if (instance == null) { + synchronized (mutex) { + if (instance == null) { + instance = new MOAeIDASChainingMetadataProvider(); + } + } + } + return instance; + } + + + private MOAeIDASChainingMetadataProvider() { + internalProvider = new ChainingMetadataProvider(); + + } + + private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL) { + HTTPMetadataProvider httpProvider = null; + Timer timer= null; + MOAHttpClient httpClient = null; + try { + AuthConfiguration authConfig = AuthConfigurationProviderFactory.getInstance(); + + httpClient = new MOAHttpClient(); + + HttpClientParams httpClientParams = new HttpClientParams(); + httpClientParams.setSoTimeout(Constants.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT); + httpClient.setParams(httpClientParams); + + if (metadataURL.startsWith("https:")) { + try { + MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( + Constants.SSLSOCKETFACTORYNAME, + authConfig.getCertstoreDirectory(), + authConfig.getTrustedCACertificates(), + null, + AuthConfiguration.DEFAULT_X509_CHAININGMODE, + authConfig.isTrustmanagerrevoationchecking()); + + httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); + + } catch (MOAHttpProtocolSocketFactoryException e) { + Logger.warn("MOA SSL-TrustStore can not initialized. 
Use default Java TrustStore."); + + } + } + + timer = new Timer(); + httpProvider = new HTTPMetadataProvider(timer, httpClient, + metadataURL); + httpProvider.setParserPool(AbstractSAMLEngine.getNewBasicSecuredParserPool()); + httpProvider.setRequireValidMetadata(true); + httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes + httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours + //httpProvider.setRefreshDelayFactor(0.1F); + + //add Metadata filters + MetadataFilterChain filter = new MetadataFilterChain(); + filter.addFilter(new MOAeIDASMetadataSignatureFilter( + authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE))); + httpProvider.setMetadataFilter(filter); + + httpProvider.initialize(); + + return httpProvider; + + } catch (Throwable e) { + if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { + Logger.warn("SSL-Server certificate for metadata " + + metadataURL + " not trusted.", e); + + } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) { + Logger.warn("Signature verification for metadata" + + metadataURL + " FAILED.", e); + + } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) { + Logger.warn("Schema validation for metadata " + + metadataURL + " FAILED.", e); + } + + Logger.error( + "Failed to add Metadata file for " + + metadataURL + "[ " + + e.getMessage() + " ]", e); + + if (httpProvider != null) { + Logger.debug("Destroy failed Metadata provider"); + httpProvider.destroy(); + } + + if (timer != null) { + Logger.debug("Destroy Timer."); + timer.cancel(); + } + + + } + + return null; + } + + private Map<String, HTTPMetadataProvider> getAllActuallyLoadedProviders() { + Map<String, HTTPMetadataProvider> loadedproviders = new HashMap<String, HTTPMetadataProvider>(); + ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; + + //make a Map of all actually 
loaded HTTPMetadataProvider + List<MetadataProvider> providers = chainProvider.getProviders(); + for (MetadataProvider provider : providers) { + if (provider instanceof HTTPMetadataProvider) { + HTTPMetadataProvider httpprovider = (HTTPMetadataProvider) provider; + loadedproviders.put(httpprovider.getMetadataURI(), httpprovider); + + } + } + + return loadedproviders; + } + + public boolean refreshMetadataProvider(String metadataURL) { + try { + if (MiscUtil.isNotEmpty(metadataURL)) { + Map<String, HTTPMetadataProvider> actuallyLoadedProviders = getAllActuallyLoadedProviders(); + + // check if MetadataProvider is actually loaded + if (actuallyLoadedProviders.containsKey(metadataURL)) { + actuallyLoadedProviders.get(metadataURL).refresh(); + Logger.info("eIDAS metadata for " + + metadataURL + " is refreshed."); + return true; + + } else { + //load new Metadata Provider + ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; + HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL); + chainProvider.addMetadataProvider(newMetadataProvider); + + emitChangeEvent(); + Logger.info("eIDAS metadata for " + + metadataURL + " is added."); + return true; + + } + + } else + Logger.debug("Can not refresh eIDAS metadata: NO eIDAS metadata URL."); + + } catch (MetadataProviderException e) { + Logger.warn("Refresh eIDAS metadata for " + + metadataURL + " FAILED.", e); + + } + + return false; + + } + + + public boolean requireValidMetadata() { + return internalProvider.requireValidMetadata(); + } + + public void setRequireValidMetadata(boolean requireValidMetadata) { + internalProvider.setRequireValidMetadata(requireValidMetadata); + } + + public MetadataFilter getMetadataFilter() { + return internalProvider.getMetadataFilter(); + } + + public void setMetadataFilter(MetadataFilter newFilter) + throws MetadataProviderException { + internalProvider.setMetadataFilter(newFilter); + } + + public XMLObject getMetadata() throws 
MetadataProviderException { + return internalProvider.getMetadata(); + } + + public EntitiesDescriptor getEntitiesDescriptor(String entitiesID) + throws MetadataProviderException { + Logger.warn("eIDAS metadata not support 'EntitiesDescriptor' elements!"); + return null; + + } + + public EntityDescriptor getEntityDescriptor(String entityID) + throws MetadataProviderException { + EntityDescriptor entityDesc = null; + try { + entityDesc = internalProvider.getEntityDescriptor(entityID); + if (entityDesc == null) { + Logger.debug("Can not find eIDAS metadata for entityID: " + entityID + + " Start refreshing process ..."); + if (refreshMetadataProvider(entityID)) + return internalProvider.getEntityDescriptor(entityID); + + } else { + if (!entityDesc.isValid()) + if (refreshMetadataProvider(entityID)) + return internalProvider.getEntityDescriptor(entityID); + + } + + + } catch (MetadataProviderException e) { + Logger.debug("Can not find eIDAS metadata for entityID: " + entityID + + " Start refreshing process ..."); + if (refreshMetadataProvider(entityID)) + return internalProvider.getEntityDescriptor(entityID); + + } + + return entityDesc; + } + + public List<RoleDescriptor> getRole(String entityID, QName roleName) + throws MetadataProviderException { + return internalProvider.getRole(entityID, roleName); + } + + public RoleDescriptor getRole(String entityID, QName roleName, + String supportedProtocol) throws MetadataProviderException { + return internalProvider.getRole(entityID, roleName, supportedProtocol); + } + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.ObservableMetadataProvider#getObservers() + */ + @Override + public List<Observer> getObservers() { + return ((ChainingMetadataProvider) internalProvider).getObservers(); + } + + protected void emitChangeEvent() { + if ((getObservers() == null) || (getObservers().size() == 0)) { + return; + } + + List<Observer> tempObserverList = new ArrayList<Observer>(getObservers()); + for 
(ObservableMetadataProvider.Observer observer : tempObserverList) + if (observer != null) + observer.onEvent(this); + } +} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java new file mode 100644 index 000000000..e3ae5c046 --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java 
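Review bot: `refreshMetadataProvider` logs "is added", emits a change event and returns true even when `createNewHTTPMetaDataProvider` has already caught the failure and returned null, so `getEntityDescriptor` treats a failed download or a rejected signature as a successful refresh; guard the add with `if (newMetadataProvider == null) return false;` before `chainProvider.addMetadataProvider(newMetadataProvider)`. In `getEntityDescriptor` the looked-up `entityID` is passed straight to `refreshMetadataProvider` as a metadata URL, so any unknown entityID reaching this provider results in an outbound HTTP(S) fetch of that string; unless every caller already restricts it to configured partner entities (not visible here), the value should be checked against the set of configured eIDAS metadata URLs before a provider is created for it, with the signature filter remaining the trust decision. The `instance` field used by the double-checked locking in `getInstance` is not `volatile`, which is not safe under the Java memory model; `private static volatile MOAeIDASChainingMetadataProvider instance = null;` fixes it. Finally, `catch (Throwable e)` in `createNewHTTPMetaDataProvider` also swallows `Error`s such as `OutOfMemoryError` and turns them into a null provider; catching `Exception` is sufficient for the cases the branches below it inspect.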
@@ -0,0 +1,120 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ +package at.gv.egovernment.moa.id.auth.modules.eidas.engine; + +import java.security.KeyStore; + +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.IDPSSODescriptor; +import org.opensaml.saml2.metadata.RoleDescriptor; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.provider.MetadataProvider; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; + +import eu.eidas.auth.engine.EIDASSAMLEngine; +import eu.eidas.auth.engine.metadata.MetadataProcessorI; +import eu.eidas.engine.exceptions.SAMLEngineException; + +/** + * @author tlenz + * + */ +public class MOAeIDASMetadataProviderDecorator implements MetadataProcessorI { + + private MetadataProvider metadataprovider = null; + + /** + * + */ + public MOAeIDASMetadataProviderDecorator(MetadataProvider metadataprovider) { + this.metadataprovider = metadataprovider; + + } + + /* (non-Javadoc) + * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getEntityDescriptor(java.lang.String) + */ + @Override + public EntityDescriptor getEntityDescriptor(String url) + throws SAMLEngineException { + try { + return this.metadataprovider.getEntityDescriptor(url); + + } catch (MetadataProviderException e) { + throw new SAMLEngineException("eIDAS Metadata processing FAILED.", e); + + } + } + + /* (non-Javadoc) + * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getSPSSODescriptor(java.lang.String) + */ + @Override + public SPSSODescriptor getSPSSODescriptor(String url) + throws SAMLEngineException { + return getFirstRoleDescriptor(getEntityDescriptor(url), SPSSODescriptor.class); + + } + + /* (non-Javadoc) + * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getIDPSSODescriptor(java.lang.String) + */ + @Override + public IDPSSODescriptor getIDPSSODescriptor(String url) + throws SAMLEngineException { + return getFirstRoleDescriptor(getEntityDescriptor(url), IDPSSODescriptor.class); + + } + + /* (non-Javadoc) + * @see 
eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, eu.eidas.auth.engine.EIDASSAMLEngine) + */ + @Override + public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine) + throws SAMLEngineException { + //Do nothing, because metadata signature is already validated during + //metadata provider initialization + + } + + /* (non-Javadoc) + * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, java.security.KeyStore) + */ + @Override + public void checkValidMetadataSignature(String url, KeyStore trustStore) + throws SAMLEngineException { + //Do nothing, because metadata signature is already validated during + //metadata provider initialization + + } + + protected <T extends RoleDescriptor> T getFirstRoleDescriptor(EntityDescriptor entityDescriptor, final Class<T> clazz){ + for(RoleDescriptor rd:entityDescriptor.getRoleDescriptors()){ + if(clazz.isInstance(rd)){ + return (T)rd; + } + } + return null; + } + +} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java new file mode 100644 index 000000000..c9f3e5bcd --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java 
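Review bot: `getFirstRoleDescriptor` dereferences `entityDescriptor` without a null check, but the wrapped provider's `getEntityDescriptor` (see MOAeIDASChainingMetadataProvider earlier in this commit) returns null for an entity it cannot load, so `getSPSSODescriptor` and `getIDPSSODescriptor` fail with a NullPointerException instead of the `SAMLEngineException` their signatures promise. Add `if (entityDescriptor == null) return null;` at the top of the loop method, or throw `new SAMLEngineException("No eIDAS metadata for " + url)` from the two callers when the descriptor is absent, whichever the engine's contract expects. The `(T)rd` cast produces an unchecked warning; `return clazz.cast(rd);` is type-safe and needs no suppression. The two no-op `checkValidMetadataSignature` overrides would benefit from a class-level Javadoc stating that signature verification is delegated to the MetadataFilter installed on the provider, since a reader of this file alone sees no verification at all.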
@@ -0,0 +1,132 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ +package at.gv.egovernment.moa.id.auth.modules.eidas.engine; + +import java.io.IOException; +import java.io.StringWriter; + +import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerConfigurationException; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactory; +import javax.xml.transform.TransformerFactoryConfigurationError; +import javax.xml.transform.dom.DOMSource; +import javax.xml.transform.stream.StreamResult; + +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.provider.FilterException; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.xml.XMLObject; + +import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils; +import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class MOAeIDASMetadataSignatureFilter implements MetadataFilter { + + private String trustProfileID = null; + + /** + * + */ + public MOAeIDASMetadataSignatureFilter(String trustProfileID) { + this.trustProfileID = trustProfileID; + + } + + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) + */ + @Override + public void doFilter(XMLObject metadata) throws FilterException { + if (metadata instanceof EntityDescriptor) { + if (((EntityDescriptor) metadata).isSigned()) { + EntityDescriptor entityDes = (EntityDescriptor) metadata; + //check signature; + try { + Transformer transformer = TransformerFactory.newInstance() + .newTransformer(); + StringWriter sw = new StringWriter(); + StreamResult sr = new StreamResult(sw); + DOMSource source = new DOMSource(metadata.getDOM()); + transformer.transform(source, sr); + sw.close(); + String metadataXML = 
sw.toString(); + + SignatureVerificationUtils sigVerify = + new SignatureVerificationUtils(); + VerifyXMLSignatureResponse result = sigVerify.verify( + metadataXML.getBytes(), trustProfileID); + + //check signature-verification result + if (result.getSignatureCheckCode() != 0) { + Logger.warn("eIDAS Metadata signature-verification FAILED!" + + " Metadata: " + entityDes.getEntityID() + + " StatusCode:" + result.getSignatureCheckCode()); + throw new FilterException("eIDAS Metadata signature-verification FAILED!" + + " Metadata: " + entityDes.getEntityID() + + " StatusCode:" + result.getSignatureCheckCode()); + + } + + if (result.getCertificateCheckCode() != 0) { + Logger.warn("eIDAS Metadata certificate-verification FAILED!" + + " Metadata: " + entityDes.getEntityID() + + " StatusCode:" + result.getCertificateCheckCode()); + throw new FilterException("eIDAS Metadata certificate-verification FAILED!" + + " Metadata: " + entityDes.getEntityID() + + " StatusCode:" + result.getCertificateCheckCode()); + + } + + + } catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) { + Logger.error("eIDAS Metadata verification has an interal error.", e); + throw new FilterException("eIDAS Metadata verification has an interal error." + + " Message:" + e.getMessage()); + + } + + + } else { + Logger.warn("eIDAS Metadata root-element MUST be signed."); + throw new FilterException("eIDAS Metadata root-element MUST be signed.'"); + + } + + } else { + Logger.warn("eIDAS Metadata root-element is not of type 'EntityDescriptor'"); + throw new FilterException("eIDAS Metadata root-element is not of type 'EntityDescriptor'"); + + } + + } + +} 
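Review bot: `metadataXML.getBytes()` in `doFilter` encodes the re-serialised metadata with the JVM's platform default charset, so on a host whose default is not UTF-8 any non-ASCII character in the descriptor changes the bytes handed to `SignatureVerificationUtils` and the signature check fails (or, worse, depends on deployment locale); use `metadataXML.getBytes(StandardCharsets.UTF_8)` (import `java.nio.charset.StandardCharsets`) or `metadataXML.getBytes("UTF-8")`, whose `UnsupportedEncodingException` is already covered by the `IOException` catch. `TransformerFactory.newInstance()` is executed on every filter invocation; the factory can be created once and held in a `private static final` field. Two wording slips in the new runtime messages: "interal" in the internal-error message and the stray trailing `'` in `"eIDAS Metadata root-element MUST be signed.'"`.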
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java deleted file mode 100644 index 2aec81db5..000000000 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java +++ /dev/null 
@@ -1,50 +0,0 @@ -package at.gv.egovernment.moa.id.auth.modules.eidas.engine; - -import java.security.KeyStore; - -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.saml2.metadata.SPSSODescriptor; - -import at.gv.egovernment.moa.logging.Logger; -import eu.eidas.auth.engine.EIDASSAMLEngine; -import eu.eidas.auth.engine.metadata.SimpleMetadataProcessor; -import eu.eidas.engine.exceptions.SAMLEngineException; - -public class MOAeIDASSimpleMetadataProvider extends SimpleMetadataProcessor { - - @Override - public EntityDescriptor getEntityDescriptor(String url) { - EntityDescriptor entityDescriptor=getEntityDescriptorHelper(url); - - if(Logger.isDebugEnabled()){ - Logger.debug("got entityDescriptor: " + entityDescriptor); - } - return entityDescriptor; - } - - @Override - public SPSSODescriptor getSPSSODescriptor(String url) throws SAMLEngineException { - return getFirstRoleDescriptor(getEntityDescriptor(url), SPSSODescriptor.class); - - } - - @Override - public IDPSSODescriptor getIDPSSODescriptor(String url) throws SAMLEngineException { - return getFirstRoleDescriptor(getEntityDescriptor(url), IDPSSODescriptor.class); - - } - - @Override - public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine) throws SAMLEngineException { - //TODO: implement Metadata signature validation - Logger.warn("MetadataProcessor in demo SP does not actually check the signature of metadata"); - - } - @Override - public void checkValidMetadataSignature(String url, KeyStore store) throws SAMLEngineException { - //not implemented - - } - -} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index 57588287d..963fe70c1 100644 
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -142,7 +142,11 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { EIDASAuthnRequest authnRequest = new EIDASAuthnRequest(); authnRequest.setProviderName(moaconfig.getPublicURLPrefix()); authnRequest.setPersonalAttributeList(pAttList); + authnRequest.setIssuer(moaconfig.getPublicURLPrefix() + "/eidas/metadata"); + //TODO: only for development and reverse proxy + authnRequest.setIssuer("http://localhost:12343/moa-id-auth/eidas/metadata"); + authnRequest.setDestination(destination); authnRequest.setEidasNameidFormat(EIDASAuthnRequest.NAMEID_FORMAT_UNSPECIFIED); authnRequest.setEidasLoA(EidasLoaLevels.LOW.stringValue()); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java index 6a573d0f2..d1bc02766 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java 
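Review bot: The second `authnRequest.setIssuer("http://localhost:12343/moa-id-auth/eidas/metadata")` unconditionally overwrites the issuer just computed from `moaconfig.getPublicURLPrefix()`, so every deployment would announce a localhost issuer; the same "TODO: only for development and reverse proxy" override of `metadata_url` is in the `doGet` hunk of EidasMetaDataServlet in this commit. Development-only values should not be committed on the live path; drop the hard-coded line (and the blank `+` line after it) or derive the value from configuration. The literal `"/eidas/metadata"` in the first `setIssuer` call duplicates the `Constants.eIDAS_HTTP_ENDPOINT_METADATA` added by this commit; `authnRequest.setIssuer(moaconfig.getPublicURLPrefix() + Constants.eIDAS_HTTP_ENDPOINT_METADATA);` keeps the issuer and the metadata servlet mapping in one place. The enclosing method continues outside the hunk.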
@@ -29,7 +29,10 @@ import javax.servlet.http.HttpServletResponse; import org.slf4j.Logger; +import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import eu.eidas.auth.engine.EIDASSAMLEngine; import eu.eidas.auth.engine.metadata.MetadataConfigParams; import eu.eidas.auth.engine.metadata.MetadataGenerator; @@ -49,13 +52,21 @@ public class EidasMetaDataServlet extends HttpServlet { */ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - logger.info("EidasMetaDataServlet GET"); + logger.debug("EidasMetaDataServlet GET"); - String metadata_url = "http://localhost:12344/moa-id-auth/eidas/metadata"; - String sp_return_url = "http://localhost:12344/moa-id-auth/eidas/metadata"; + AuthConfiguration config = AuthConfigurationProviderFactory.getInstance(); + String pubURLPrefix = config.getPublicURLPrefix(); + + + String metadata_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_METADATA; + + //TODO: only for development and reverse proxy + metadata_url = "http://localhost:12343/moa-id-auth/eidas/metadata"; + + String sp_return_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_SP_POST; String metaData = generateMetadata(metadata_url, sp_return_url); - logger.debug(metaData); + logger.trace(metaData); response.setContentType("text/xml"); response.getWriter().print(metaData); 
@@ -69,13 +80,13 @@ public class EidasMetaDataServlet extends HttpServlet { String metadata="invalid metadata"; // FIXME workaround!? - Security.removeProvider("IAIK"); - Security.removeProvider("IAIK_ECC"); +// Security.removeProvider("IAIK"); +// Security.removeProvider("IAIK_ECC"); EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(); - IAIK.addAsProvider(); - ECCProvider.addAsProvider(true); +// IAIK.addAsProvider(); +// ECCProvider.addAsProvider(true); MetadataGenerator generator = new MetadataGenerator(); MetadataConfigParams mcp=new MetadataConfigParams(); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java index 2c2435ff6..8e46f0ef1 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java @@ -24,7 +24,8 @@ package at.gv.egovernment.moa.id.auth.modules.eidas.utils; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOAIDCertificateManagerConfigurationImpl; -import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASSimpleMetadataProvider; +import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; +import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASMetadataProviderDecorator; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; import at.gv.egovernment.moa.logging.Logger; import eu.eidas.auth.engine.EIDASSAMLEngine; 
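Review bot: The four `Security.removeProvider`/`addAsProvider` lines are commented out rather than removed, while the `// FIXME workaround!?` marker above them is kept, so a reader cannot tell whether the JCA provider order is still something this servlet depends on. If the workaround is obsolete now that `SAMLEngineUtils.createSAMLEngine()` caches the engine, delete the four lines and the FIXME together and drop the then-unused `Security`, `IAIK` and `ECCProvider` imports (outside the hunk, presumably unused after this change); if it is still needed in some setups, keep it live behind a configuration switch. Either way a one-line comment such as `// provider reordering no longer required: engine is created once by SAMLEngineUtils` records the decision.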
@@ -37,28 +38,34 @@ import eu.eidas.samlengineconfig.CertificateConfigurationManager; */ public class SAMLEngineUtils { - public static EIDASSAMLEngine createSAMLEngine() throws EIDASEngineException{ + private static EIDASSAMLEngine eIDASEngine = null; + + public static synchronized EIDASSAMLEngine createSAMLEngine() throws EIDASEngineException{ - try { - //get eIDAS SAMLengine configuration from MOA-ID configuration - CertificateConfigurationManager configManager = new MOAIDCertificateManagerConfigurationImpl(); - - //initial eIDAS SAMLengine - EIDASSAMLEngine engine = EIDASSAMLEngine.createSAMLEngine(Constants.eIDAS_SAML_ENGINE_NAME, - configManager); - - //set Metadata managment to eIDAS SAMLengine - //TODO: implement final Metadata processor (this is only a first solution!!!) - engine.setMetadataProcessor(new MOAeIDASSimpleMetadataProvider()); - - return engine; - - } catch (EIDASSAMLEngineException e) { - Logger.error("eIDAS SAMLengine initialization FAILED!", e); - throw new EIDASEngineException("eIDAS SAMLengine initialization FAILED!", e); - + if (eIDASEngine == null) { + try { + //get eIDAS SAMLengine configuration from MOA-ID configuration + CertificateConfigurationManager configManager = new MOAIDCertificateManagerConfigurationImpl(); + + //initial eIDAS SAMLengine + EIDASSAMLEngine engine = EIDASSAMLEngine.createSAMLEngine(Constants.eIDAS_SAML_ENGINE_NAME, + configManager); + + //set Metadata managment to eIDAS SAMLengine + engine.setMetadataProcessor( + new MOAeIDASMetadataProviderDecorator( + MOAeIDASChainingMetadataProvider.getInstance())); + + eIDASEngine = engine; + + } catch (EIDASSAMLEngineException e) { + Logger.error("eIDAS SAMLengine initialization FAILED!", e); + throw new EIDASEngineException("eIDAS SAMLengine initialization FAILED!", e); + + } } - + + return eIDASEngine; } } 
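Review bot: The new static `eIDASEngine` field turns `createSAMLEngine` into a process-wide, lazily initialised singleton, but neither the field nor the method says so and the method name still reads as "build a fresh engine"; add a Javadoc on the field along the lines of `/** Process-wide eIDAS SAML engine, built on the first successful call to createSAMLEngine() and reused afterwards; as far as this class shows it is never rebuilt, so configuration changes are not picked up until restart. */` and an `@return the shared engine` on the method. The `engine` local is only assigned into the field; `eIDASEngine = EIDASSAMLEngine.createSAMLEngine(...)` after `setMetadataProcessor` would read more directly, but leaving the field unset until the processor is installed, as the current order does, is the behaviour to keep.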
diff --git a/repository/iaik/iaik_eccelerate/2.51/iaik_eccelerate-2.51.jar b/repository/iaik/iaik_eccelerate/2.51/iaik_eccelerate-2.51.jar Binary files differnew file mode 100644 index 000000000..d53fcb398 --- /dev/null +++ b/repository/iaik/iaik_eccelerate/2.51/iaik_eccelerate-2.51.jar diff --git a/repository/iaik/iaik_eccelerate/2.51/iaik_eccelerate-2.51.pom b/repository/iaik/iaik_eccelerate/2.51/iaik_eccelerate-2.51.pom new file mode 100644 index 000000000..21a800dd7 --- /dev/null +++ b/repository/iaik/iaik_eccelerate/2.51/iaik_eccelerate-2.51.pom @@ -0,0 +1,8 @@ +<?xml version="1.0" encoding="UTF-8"?> +<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <modelVersion>4.0.0</modelVersion> + <groupId>iaik</groupId> + <artifactId>iaik_eccelerate</artifactId> + <version>2.51</version> + <description>POM was created by Sonatype Nexus</description> +</project>
\ No newline at end of file |