-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java68
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java12
-rw-r--r--id/ConfigWebTool/src/main/resources/applicationResources_de.properties5
-rw-r--r--id/ConfigWebTool/src/main/resources/applicationResources_en.properties6
-rw-r--r--id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/authentication.jsp20
-rw-r--r--id/readme_2.1.0.txt172
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java34
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java110
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java54
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java27
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java18
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java26
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties1
-rw-r--r--id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationTest.java6
-rw-r--r--id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd10
20 files changed, 337 insertions, 258 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java
index cb60a21a0..0e65b7dca 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java
@@ -30,17 +30,16 @@ import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
-import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA;
import at.gv.egovernment.moa.id.commons.db.dao.config.BKUURLS;
import at.gv.egovernment.moa.id.commons.db.dao.config.DefaultBKUs;
import at.gv.egovernment.moa.id.commons.db.dao.config.MOAIDConfiguration;
import at.gv.egovernment.moa.id.commons.db.dao.config.MOAKeyBoxSelector;
import at.gv.egovernment.moa.id.commons.db.dao.config.Mandates;
-import at.gv.egovernment.moa.id.commons.db.dao.config.MandatesProfileNameItem;
import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType;
import at.gv.egovernment.moa.id.commons.db.dao.config.TemplatesType;
+import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials;
import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType;
import at.gv.egovernment.moa.id.configuration.Constants;
import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
@@ -70,6 +69,9 @@ public class OAAuthenticationData implements IOnlineApplicationData {
private Map<String, byte[]> transformations;
+ private boolean enableTestCredentials = false;
+ private List<String> testCredentialOIDs = null;
+
/**
*
*/
@@ -204,6 +206,12 @@ public class OAAuthenticationData implements IOnlineApplicationData {
}
}
+ if (oaauth.getTestCredentials() != null) {
+ enableTestCredentials = oaauth.getTestCredentials().isEnableTestCredentials();
+ testCredentialOIDs = oaauth.getTestCredentials().getCredentialOID();
+
+ }
+
return null;
}
@@ -305,6 +313,16 @@ public class OAAuthenticationData implements IOnlineApplicationData {
}
+ if (enableTestCredentials) {
+ TestCredentials testing = authoa.getTestCredentials();
+ if (testing == null)
+ testing = new TestCredentials();
+
+ testing.setEnableTestCredentials(enableTestCredentials);
+ testing.setCredentialOID(testCredentialOIDs);
+
+ }
+
return null;
}
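Review bot: The `TestCredentials` instance created on the `testing == null` branch is filled in but never attached to `authoa`, so a first-time save of this section is lost unless a setter call exists outside the hunk; after the two `testing.set...` calls, hand the object back to `authoa` with its matching setter (not visible here). The whole block is also guarded by `if (enableTestCredentials)`, so unchecking the box never writes `false` into an existing `TestCredentials` element, which means an OA that once allowed test credentials cannot have that allowance switched off from the form; always write the flag and only guard the OID list. The enclosing method starts and ends outside the hunk.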
@@ -538,5 +556,51 @@ public class OAAuthenticationData implements IOnlineApplicationData {
SLTemplates = new ArrayList<String>();
SLTemplates.add(sLTemplateURL3);
}
+
+ /**
+ * @return the enableTestCredentials
+ */
+ public boolean isEnableTestCredentials() {
+ return enableTestCredentials;
+ }
+
+ /**
+ * @param enableTestCredentials the enableTestCredentials to set
+ */
+ public void setEnableTestCredentials(boolean enableTestCredentials) {
+ this.enableTestCredentials = enableTestCredentials;
+ }
+
+ /**
+ * @return the testCredentialOIDs
+ */
+ public String getTestCredentialOIDs() {
+ String value = null;
+ for (String el : testCredentialOIDs) {
+ if (value == null)
+ value = el;
+ else
+ value += "," + el;
+
+ }
+
+ return value;
+ }
+
+ public List<String> getTestCredialOIDList() {
+ return this.testCredentialOIDs;
+ }
+
+ /**
+ * @param testCredentialOIDs the testCredentialOIDs to set
+ */
+ public void setTestCredentialOIDs(String testCredentialOIDs) {
+ String[] oidList = testCredentialOIDs.split(",");
+
+ this.testCredentialOIDs = new ArrayList<String>();
+ for (int i=0; i<oidList.length; i++)
+ this.testCredentialOIDs.add(oidList[i].trim());
+ }
+
}
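Review bot: `getTestCredentialOIDs()` iterates `testCredentialOIDs`, which is initialised to `null` and only assigned when the OA carries a `TestCredentials` element, so for every other OA the for-each throws a NullPointerException; the new JSP reads this getter unconditionally via `value="%{authOA.testCredentialOIDs}"`, so rendering the page would fail for those OAs. Add `if (testCredentialOIDs == null || testCredentialOIDs.isEmpty()) return null;` at the top. `setTestCredentialOIDs` has the mirror problem: a `null` argument throws on `split`, and an empty text field yields a list with one blank entry, so guard `null` and skip blank tokens after `trim()`. The accessor name `getTestCredialOIDList` is misspelled and is now part of the interface used by the validator; worth fixing before it spreads.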
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java
index 0bbf2116d..fd40bd447 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java
@@ -30,6 +30,7 @@ import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.validation.ValidationHelper;
import at.gv.egovernment.moa.id.configuration.data.oa.OAAuthenticationData;
import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
@@ -145,6 +146,17 @@ public class OAAuthenticationDataValidation {
new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}, request ));
}
}
+
+ if (form.isEnableTestCredentials()) {
+ for (String el : form.getTestCredialOIDList()) {
+ if (!el.startsWith(MOAIDAuthConstants.TESTCREDENTIALROOTOID))
+ log.warn("Test credential OID does not start with test credential root OID");
+ errors.add(LanguageHelper.getErrorString("validation.general.testcredentials.oid.valid",
+ new Object[] {el}, request ));
+ }
+
+
+ }
return errors;
}
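Review bot: The `if (!el.startsWith(...))` on the root-OID check has no braces, so only `log.warn` is conditional and `errors.add` runs for every OID, including valid ones; as written the feature can never be saved once enabled. Brace the two statements: `if (!el.startsWith(MOAIDAuthConstants.TESTCREDENTIALROOTOID + ".")) { log.warn(...); errors.add(...); }`. The `+ "."` matters because a bare prefix check also accepts OIDs under sibling arcs (constructed example: root `1.2.40.0.10.1` would accept `1.2.40.0.10.10`), which defeats the point of restricting test credentials to the test arc. `form.getTestCredialOIDList()` may also be `null` when the box is ticked but the setter was never called; guard it before iterating. The enclosing method starts outside the hunk.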
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
index a4e5a5d05..06c22972d 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
@@ -259,6 +259,10 @@ webpages.oaconfig.general.BKUSelection.fonttype.list=Formularschrifttypen
webpages.oaconfig.general.BKUSelection.header.applet.height=Appleth\u00F6he
webpages.oaconfig.general.BKUSelection.header.applet.width=Appletbreite
+webpages.oaconfig.general.testing.header=Test Identitu\00E4ten
+webpages.oaconfig.general.testing.usetesting=Test Identitu\00E4ten erlauben
+webpages.oaconfig.general.testing.oids=OIDs f\u00FCr Test Identitu\00E4ten einschr\u00E4nken.
+
webpages.oaconfig.sso.header=Single Sign-On
webpages.oaconfig.sso.singlelogouturl=Single Log-Out URL
webpages.oaconfig.sso.useauthdataframe=Zus\u00E4tzliche Userabfrage
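Review bot: `Identitu\00E4ten` on the two new `testing.header` and `testing.usetesting` keys is a garbled escape; `\00E4` is not a Unicode escape in a properties file, so the UI would show the literal "Identitu00E4ten". Compare `f\u00FCr` and `einschr\u00E4nken` on the following line, and change both to `Test Identit\u00E4ten`.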
@@ -442,6 +446,7 @@ validation.general.bkuselection.file.selected=Es kann nur EIN BKU-Selektion Temp
validation.general.sendassertion.filename.valid=Der Dateiname des Send-Assertion Templates enth\u00E4lt nicht erlaubte Zeichen. Folgende Zeichen sind nicht erlaubt\: {0}
validation.general.sendassertion.file.valid=Das Send-Assertion Templates konnte nicht geladen werden.
validation.general.sendassertion.file.selected=Es kann nur EIN Send-Assertion Template angegeben werden.
+validation.general.testcredentials.oid.valid=Die Testdaten OID {0} ist ung\u00FCltig.
validation.stork.cpeps.cc=CPEPS L\u00E4ndercode folgt nicht ISO 3166-2
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
index c9f4e1eb2..cc6e98964 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
@@ -190,6 +190,10 @@ webpages.oaconfig.general.bku.sltemplate.first=SecurityLayer Template
webpages.oaconfig.general.bku.sltemplate.second=SecurityLayer Template (WhiteList)
webpages.oaconfig.general.bku.sltemplate.third=SecurityLayer Template (WhiteList)
+webpages.oaconfig.general.testing.header=Test Credentials
+webpages.oaconfig.general.testing.usetesting=Allow test credentials
+webpages.oaconfig.general.testing.oids=Use special test credential OIDs
+
webpages.oaconfig.general.bku.delete=Remove
webpages.oaconfig.general.bku.bkuselection.header=CCE-Selection Template
webpages.oaconfig.general.bku.bkuselection.filename=File name
@@ -440,7 +444,7 @@ validation.general.bkuselection.file.selected=Only one CCE-selection template ca
validation.general.sendassertion.filename.valid=The file name of Send-Assertion Templates contains forbidden characters. The following characters are not allowed\: {0}
validation.general.sendassertion.file.valid=Send-Assertion Templates could not be loaded.
validation.general.sendassertion.file.selected=Only one Send-Assertion Template can be provided.
-
+validation.general.testcredentials.oid.valid=The OID {0} for test credentials is not a valid.
validation.stork.cpeps.cc=CPEPS country code is not based on 3166-2
validation.stork.cpeps.empty=CPEPS configuration is incomplete
diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/authentication.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/authentication.jsp
index a659104ed..3dda0c0a4 100644
--- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/authentication.jsp
+++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/authentication.jsp
@@ -67,6 +67,26 @@
</div>
</s:if>
+ <div class="oa_config_block">
+ <h3><%=LanguageHelper.getGUIString("webpages.oaconfig.general.testing.header", request) %></h3>
+
+
+ <s:checkbox name="authOA.enableTestCredentials"
+ value="%{authOA.enableTestCredentials}"
+ labelposition="left"
+ key="webpages.oaconfig.general.testing.usetesting"
+ cssClass="checkbox">
+ </s:checkbox>
+
+ <s:textfield name="authOA.testCredentialOIDs"
+ value="%{authOA.testCredentialOIDs}"
+ labelposition="left"
+ key="webpages.oaconfig.general.testing.oids"
+ cssClass="textfield_long">
+ </s:textfield>
+ </div>
+
+
<div class="oa_config_block">
<h3><%=LanguageHelper.getGUIString("webpages.oaconfig.general.mandate.header", request) %></h3>
diff --git a/id/readme_2.1.0.txt b/id/readme_2.1.0.txt
deleted file mode 100644
index 19ccdb4b8..000000000
--- a/id/readme_2.1.0.txt
+++ /dev/null
@@ -1,172 +0,0 @@
-===============================================================================
-MOA ID Version Release 2.1.0 - Wichtige Informationen zur Installation
-===============================================================================
-
--------------------------------------------------------------------------------
-A. Neuerungen/Änderungen
--------------------------------------------------------------------------------
-
-Mit MOA ID Version 2.0.1 wurden folgende Neuerungen eingeführt, die jetzt
-erstmals in der Veröffentlichung enthalten sind (siehe auch history.txt im
-gleichen Verzeichnis):
-
-- Neuerungen:
- - IDP Interfederation für Single Sign-On
- - MOA-ID Truststore wird auch für Bezug PVP 2.1 metadaten über https verwendet.
- - Definition neuer Fehlercodes
-
-- Änderungen
- - Anpassung VIDP Code für STORK
- - MOA-ID-Konfigurationstool mit überarbeiteter Online-Applikationskonfiguration
- - Kleinere Bug-Fixes
- - Anpassung der protokollspezifischen Fehlerrückgabe
-
--------------------------------------------------------------------------------
-B. Durchführung eines Updates
--------------------------------------------------------------------------------
-
-Es wird generell eine Neuinstallation lt. Handbuch empfohlen! Dennoch ist auch
-eine Aktualisierung bestehender Installationen möglich.
-
-...............................................................................
-B.1 Durchführung eines Updates von Version 2.0.1
-...............................................................................
- 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
- Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
-
-2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.0.zip) in
- ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
- bezeichnet.
-
-3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
- beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
- wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
- für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als
- auch das komplette Verzeichnis moa-id-auth.
-
-4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
- CATALINA_HOME_ID/webapps.
-
-5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
- CATALINA_HOME_ID/webapps.
-
-6. Update der STORK Konfiguration
- a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork
- in das Verzeichnis CATALINA_HOME\conf\moa-id\stork.
- b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration ->
- 2.4 Konfiguration des SamlEngines an.
-
-7. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Configuration Konfigurationsdatei
- CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties
- a.) general.ssl.certstore=certs/certstore
- b.) general.ssl.truststore=certs/truststore
-
-8. Kopieren des folgenden zusätzlichen Ordners MOA_ID_AUTH_INST/conf/moa-id-configuration/certs
- nach CATALINA_HOME\conf\moa-id-configuration\
-
-9. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei
- CATALINA_HOME\conf\moa-id\moa-id.properties und Anpassung an das zu verwendeten Schlüsselpaar.
- a.) protocols.pvp2.idp.ks.assertion.encryption.alias=pvp_assertion
- protocols.pvp2.idp.ks.assertion.encryption.keypassword=password
-
-10. Kopieren der folgenden zusätzlichen Ordner aus MOA_ID_AUTH_INST/conf/moa-id/
- nach CATALINA_HOME\conf\moa-id\
- a.) MOA_ID_AUTH_INST/conf/moa-id/SLTemplates -> CATALINA_HOME\conf\moa-id\
-
-8. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
- Logging von MOA ID beim Einlesen der Konfiguration.
-
-
-...............................................................................
-B.2 Durchführung eines Updates von Version 2.0-RC1
-...............................................................................
-
-1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
- Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
-
-2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.0.1.zip) in
- ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
- bezeichnet.
- Für MOA ID Proxy:
- Entpacken Sie die Distribution von MOA-ID-Proxy (moa-id-proxy-2.0.1.zip) in
- ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_PROXY_INST
- bezeichnet.
-
-3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
- beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
- wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
- für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als
- auch das komplette Verzeichnis moa-id-auth.
-
-4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
- CATALINA_HOME_ID/webapps.
-
-5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
- CATALINA_HOME_ID/webapps.
-
-6. Update des Cert-Stores.
- Kopieren Sie den Inhalt des Verzeichnisses
- MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis
- CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie
- vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann
- bejahen sie das.
-
-7. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen
- wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile
- beibehalten wollen, dann gehen Sie vor, wie in Punkt b).
-
- a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen:
-
- 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles.
- 2) Kopieren Sie das Verzeichnis
- MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis
- CATALINA_HOME\conf\moa-spss.
-
- b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie
- folgt vor, um die Profile auf den aktuellen Stand zu bringen:
-
- 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den
- entsprechenden Profilen im Verzeichnis
- MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren
- Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt
- der einzelnen Profile aus der Distribution
- (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden
- Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles)
- kopieren und dabei die vorhandenen gleichnamigen Zertifikate
- überschreiben), also z.B: Kopieren des Inhalts von
- MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\
- MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach
- CATALINA_HOME\conf\moa-spss\trustProfiles\
- MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw.
-
-8. Update der Default html-Templates für die Bürgerkartenauswahl.
-
- a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates
- in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates.
- b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates
- in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates.
-
-9. Update der STORK Konfiguration
- a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork
- in das Verzeichnis CATALINA_HOME\conf\moa-id\stork.
- b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration ->
- 2.4 Konfiguration des SamlEngines an.
-
-10. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei
- CATALINA_HOME\conf\moa-id\moa-id.properties
-
- a.) configuration.validation.certificate.QC.ignore=false
- b.) protocols.pvp2.assertion.encryption.active=false
-
-11. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
- Logging von MOA ID beim Einlesen der Konfiguration.
-
-
-...............................................................................
-B.3 Durchführung eines Updates von Version <= 1.5.1
-...............................................................................
-
-Bitte führen Sie eine Neuinstallation von MOA ID laut Handbuch durch und passen
-Sie die mitgelieferte Musterkonfiguration entsprechend Ihren Bedürfnissen unter
-Zuhilfenahme Ihrer bisherigen Konfiguration an.
-
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index e7abf0f9a..a8cf5014f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -414,17 +414,12 @@ public class AuthenticationServer implements MOAIDAuthConstants {
OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
- // if OA is type is business service the manifest validation result has
- // to be ignored
- boolean ignoreManifestValidationResult = (oaParam.getBusinessService()) ? true
- : false;
-
// validates the <VerifyXMLSignatureResponse>
VerifyXMLSignatureResponseValidator.getInstance().validate(
verifyXMLSignatureResponse,
authConf.getIdentityLinkX509SubjectNames(),
VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK,
- ignoreManifestValidationResult);
+ oaParam);
session.setIdentityLink(identityLink);
// now validate the extended infoboxes
@@ -1214,10 +1209,13 @@ public class AuthenticationServer implements MOAIDAuthConstants {
}
}
+ OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
+ .getOnlineApplicationParameter(session.getPublicOAURLPrefix());
+
// validates the <VerifyXMLSignatureResponse>
VerifyXMLSignatureResponseValidator.getInstance().validate(vsresp,
null, VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK,
- false);
+ oaParam);
// Compare AuthBlock Data with information stored in session, especially
// date and time
@@ -1468,7 +1466,6 @@ public class AuthenticationServer implements MOAIDAuthConstants {
*/
public static AuthenticationSession getSession(String id)
throws AuthenticationException {
-
AuthenticationSession session;
try {
session = AuthenticationSessionStoreage.getSession(id);
@@ -1478,7 +1475,10 @@ public class AuthenticationServer implements MOAIDAuthConstants {
return session;
} catch (MOADatabaseException e) {
- throw new AuthenticationException("parser.04", new Object[]{id});
+ throw new AuthenticationException("auth.02", new Object[]{id});
+
+ } catch (Exception e) {
+ throw new AuthenticationException("parser.04", new Object[]{id});
}
}
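Review bot: Both catch blocks in `getSession` discard the caught exception: the `MOADatabaseException` now maps to `auth.02` and the new blanket `catch (Exception e)` maps to `parser.04`, and neither chains or logs `e`, so a database outage and a programming error become indistinguishable from the session id alone. Pass `e` as the cause if `AuthenticationException` has a cause-taking constructor, otherwise log it before throwing, and consider narrowing the second catch to the exception types `AuthenticationSessionStoreage.getSession` actually declares. The method begins in the previous hunk.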
@@ -1757,8 +1757,12 @@ public class AuthenticationServer implements MOAIDAuthConstants {
String issuerValue = AuthConfigurationProvider.getInstance().getPublicURLPrefix();
- String acsURL = new DataURLBuilder().buildDataURL(issuerValue,
- PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN, moasession.getSessionID());
+// String acsURL = new DataURLBuilder().buildDataURL(issuerValue,
+// PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN, moasession.getSessionID());
+
+ //solve Problem with sessionIDs
+ String acsURL = issuerValue + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN;
+
Logger.debug("MOA Assertion Consumer URL (PEPSConnctor): " + acsURL);
String providerName = oaParam.getFriendlyName();
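Review bot: The old `DataURLBuilder` call is left as commented-out code and the replacement carries only `//solve Problem with sessionIDs`, which does not tell a reader how the session is correlated now that the ACS URL no longer embeds the MOA session id. Delete the commented lines and state the new contract in the comment, e.g. `// ACS URL carries no session id; the returning PEPS response is correlated via RelayState / InResponseTo (see PEPSConnectorServlet)`. The enclosing method starts and ends outside the hunk.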
@@ -1862,10 +1866,10 @@ public class AuthenticationServer implements MOAIDAuthConstants {
//send
moasession.setStorkAuthnRequest(authnRequest);
- HttpSession httpSession = req.getSession();
- httpSession.setAttribute("MOA-Session-ID", moasession.getSessionID());
-
+ AuthenticationSessionStoreage.changeSessionID(moasession, authnRequest.getSamlId());
+
+
Logger.info("Preparing to send STORK AuthnRequest.");
Logger.info("prepared STORKAuthnRequest: ");
Logger.info(new String(authnRequest.getTokenSaml()));
@@ -1888,8 +1892,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
} catch (Exception e) {
Logger.error("Error sending STORK SAML AuthnRequest.", e);
- httpSession.invalidate();
throw new MOAIDException("stork.02", new Object[]{destination});
+
}
Logger.info("STORK AuthnRequest successfully successfully prepared for client with target location: " + authnRequest.getDestination());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index e2c0c1f18..497c79c1e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -142,6 +142,10 @@ public interface MOAIDAuthConstants {
public static final String PARAM_APPLET_HEIGTH = "heigth";
public static final String PARAM_APPLET_WIDTH = "width";
+ //TODO: set correct OID!!!
+ public static final String TESTCREDENTIALROOTOID = "1.2.40.0.10.1";
+
+
public static final Map<String, String> COUNTRYCODE_XX_TO_NAME =
Collections.unmodifiableMap(new HashMap<String, String>() {
private static final long serialVersionUID = 1L;
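Review bot: `TESTCREDENTIALROOTOID` is introduced with `//TODO: set correct OID!!!`, yet it is the only gate the new configuration validation uses to decide which OIDs may be whitelisted as test credentials, so a placeholder value either blocks the feature or admits the wrong credential arc. Resolve the value (or read it from configuration) before this is merged, and replace the TODO with a Javadoc that states its role, e.g. `/** Root arc of test-credential OIDs; callers must compare with an arc delimiter, not a bare prefix. */`.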
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
index 8a5782bcf..e5b2c598c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
@@ -78,6 +78,7 @@ import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl;
import at.gv.egovernment.moa.id.storage.IExceptionStore;
import at.gv.egovernment.moa.id.util.ServletUtils;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.URLDecoder;
/**
@@ -197,7 +198,7 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants {
IExceptionStore store = DBExceptionStoreImpl.getStore();
String id = store.storeException(exceptionThrown);
- if (id != null) {
+ if (id != null && MiscUtil.isNotEmpty(pendingRequestID)) {
String redirectURL = null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
index 25749c8bc..93ac84381 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
@@ -113,16 +113,50 @@ public class PEPSConnectorServlet extends AuthServlet {
//check if https or only http
super.checkIfHTTPisAllowed(request.getRequestURL().toString());
+
+ Logger.debug("Beginning to extract SAMLResponse out of HTTP Request");
+
+ //extract STORK Response from HTTP Request
+ //Decodes SAML Response
+ byte[] decSamlToken;
+ try {
+ decSamlToken = PEPSUtil.decodeSAMLToken(request.getParameter("SAMLResponse"));
+ } catch(NullPointerException e) {
+ Logger.error("Unable to retrieve STORK Response", e);
+ throw new MOAIDException("stork.04", null);
+ }
+
+ //Get SAMLEngine instance
+ STORKSAMLEngine engine = STORKSAMLEngine.getInstance("outgoing");
+
+ STORKAuthnResponse authnResponse = null;
+ try {
+ //validate SAML Token
+ Logger.debug("Starting validation of SAML response");
+ authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost());
+ Logger.info("SAML response succesfully verified!");
+ }catch(STORKSAMLEngineException e){
+ Logger.error("Failed to verify STORK SAML Response", e);
+ throw new MOAIDException("stork.05", null);
+ }
+
+ Logger.info("STORK SAML Response message succesfully extracted");
+ Logger.debug("STORK response: ");
+ Logger.debug(authnResponse.toString());
Logger.debug("Trying to find MOA Session-ID ...");
- String moaSessionID = request.getParameter(PARAM_SESSIONID);
-
+ //String moaSessionID = request.getParameter(PARAM_SESSIONID);
+ //first use SAML2 relayState
+ String moaSessionID = request.getParameter("RelayState");
+
// escape parameter strings
moaSessionID= StringEscapeUtils.escapeHtml(moaSessionID);
+ //check if SAML2 relaystate includes a MOA sessionID
if (StringUtils.isEmpty(moaSessionID)) {
- //check if SAML2 relaystate includes a MOA sessionID
- moaSessionID = request.getParameter("RelayState");
+ //if relaystate is emtpty, use SAML response -> inResponseTo element as session identifier
+
+ moaSessionID = authnResponse.getInResponseTo();
moaSessionID= StringEscapeUtils.escapeHtml(moaSessionID);
if (StringUtils.isEmpty(moaSessionID)) {
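Review bot: The session identifier is taken first from `RelayState`, an unsigned request parameter, and only falls back to `authnResponse.getInResponseTo()`, which is presumably covered by the signature verified in `validateSTORKAuthnResponse` just above; the two values are never compared, so the session the verified response gets bound to can be chosen independently of the request that produced it. Prefer `InResponseTo` as the primary source and, when `RelayState` is also present, require `RelayState.equals(InResponseTo)` (or at least log the mismatch) before the lookup. The `(String)` cast on `request.getRemoteHost()` is redundant, and the commented-out `PARAM_SESSIONID` line should be deleted rather than kept. The enclosing method starts outside the hunk.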
@@ -132,13 +166,19 @@ public class PEPSConnectorServlet extends AuthServlet {
throw new AuthenticationException("auth.02", new Object[] { moaSessionID });
} else
- Logger.trace("MOA SessionID " + moaSessionID + " is found in SAML2 relayState.");
+ Logger.trace("Use MOA SessionID " + moaSessionID + " from AuthnResponse->inResponseTo attribute.");
} else
- Logger.trace("MOA SessionID " + moaSessionID + " is found in http GET parameter.");
+ //Logger.trace("MOA SessionID " + moaSessionID + " is found in http GET parameter.");
+ Logger.trace("MOA SessionID " + moaSessionID + " is found in SAML2 relayState.");
- if (!ParamValidatorUtils.isValidSessionID(moaSessionID))
- throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12");
+ /*INFO!!!!
+ * SAML message IDs has an different format then MOASessionIDs
+ * This is only a workaround because many PEPS does not support SAML2 relayState or
+ * MOASessionID as AttributConsumerServiceURL GET parameter
+ */
+// if (!ParamValidatorUtils.isValidSessionID(moaSessionID))
+// throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12");
pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moaSessionID);
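Review bot: The `ParamValidatorUtils.isValidSessionID` check is commented out entirely because SAML message ids have a different format, so the identifier now reaches `AuthenticationSessionStoreage.getPendingRequestID` with no format or length validation at all, and it originates from a request parameter in the RelayState path. Rather than disabling the check, validate against a pattern that admits both the MOA session id and the SAML id format (or a length bound plus a character allow-list) and reject anything else with the existing `auth.12` error. Delete the commented-out lines instead of leaving them in place. The enclosing method starts and ends outside the hunk.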
@@ -150,35 +190,7 @@ public class PEPSConnectorServlet extends AuthServlet {
Logger.info("Found MOA sessionID: " + moaSessionID);
- Logger.debug("Beginning to extract SAMLResponse out of HTTP Request");
- //extract STORK Response from HTTP Request
- //Decodes SAML Response
- byte[] decSamlToken;
- try {
- decSamlToken = PEPSUtil.decodeSAMLToken(request.getParameter("SAMLResponse"));
- } catch(NullPointerException e) {
- Logger.error("Unable to retrieve STORK Response", e);
- throw new MOAIDException("stork.04", null);
- }
-
- //Get SAMLEngine instance
- STORKSAMLEngine engine = STORKSAMLEngine.getInstance("outgoing");
-
- STORKAuthnResponse authnResponse = null;
- try {
- //validate SAML Token
- Logger.debug("Starting validation of SAML response");
- authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost());
- Logger.info("SAML response succesfully verified!");
- }catch(STORKSAMLEngineException e){
- Logger.error("Failed to verify STORK SAML Response", e);
- throw new MOAIDException("stork.05", null);
- }
-
- Logger.info("STORK SAML Response message succesfully extracted");
- Logger.debug("STORK response: ");
- Logger.debug(authnResponse.toString());
String statusCodeValue = authnResponse.getStatusCode();
@@ -272,17 +284,17 @@ public class PEPSConnectorServlet extends AuthServlet {
Logger.debug("fetching OAParameters from database");
- //read configuration paramters of OA
- AuthenticationSession moasession;
- try {
- moasession = AuthenticationSessionStoreage.getSession(moaSessionID);
- } catch (MOADatabaseException e2) {
- Logger.error("could not retrieve moa session");
- throw new AuthenticationException("auth.01", null);
- }
- OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moasession.getPublicOAURLPrefix());
+// //read configuration paramters of OA
+// AuthenticationSession moasession;
+// try {
+// moasession = AuthenticationSessionStoreage.getSession(moaSessionID);
+// } catch (MOADatabaseException e2) {
+// Logger.error("could not retrieve moa session");
+// throw new AuthenticationException("auth.01", null);
+// }
+ OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix());
if (oaParam == null)
- throw new AuthenticationException("auth.00", new Object[] { moasession.getPublicOAURLPrefix() });
+ throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() });
// retrieve target
//TODO: check in case of SSO!!!
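Review bot: The old session lookup (`// AuthenticationSession moasession; ... getSession(moaSessionID)`) is left behind as eight commented-out lines instead of being deleted, and the `moaSession` that replaces it is obtained somewhere outside this hunk, so a reader cannot tell from here whether the lookup was moved or dropped. Delete the dead block (history stays in version control) and, if the intent is to record that the session must already be loaded at this point, say so in one line: `// moaSession was resolved and validated by the caller before the OA lookup`.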
@@ -293,7 +305,7 @@ public class PEPSConnectorServlet extends AuthServlet {
if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
targetValue = id.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length());
else
- targetValue = moasession.getDomainIdentifier();
+ targetValue = moaSession.getDomainIdentifier();
targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_;
} else {
targetType = AuthenticationSession.TARGET_PREFIX_;
@@ -365,13 +377,13 @@ public class PEPSConnectorServlet extends AuthServlet {
//TODO: found better solution, but QAA Level in response could be not supported yet
try {
- moasession.setQAALevel(authnResponse.getAssertions().get(0).
+ moaSession.setQAALevel(authnResponse.getAssertions().get(0).
getAuthnStatements().get(0).getAuthnContext().
getAuthnContextClassRef().getAuthnContextClassRef());
} catch (Throwable e) {
Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level");
- moasession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
+ moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 4fd7fa965..2b687a0c8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -46,6 +46,7 @@
package at.gv.egovernment.moa.id.auth.validator;
+import iaik.asn1.ObjectID;
import iaik.asn1.structures.Name;
import iaik.security.ecc.ecdsa.ECPublicKey;
import iaik.utils.RFC2253NameParserException;
@@ -54,7 +55,10 @@ import iaik.x509.X509ExtensionInitException;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
+import java.util.ArrayList;
+import java.util.Iterator;
import java.util.List;
+import java.util.Set;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
@@ -62,6 +66,7 @@ import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.exception.ValidateException;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
import at.gv.egovernment.moa.logging.Logger;
@@ -99,7 +104,7 @@ public class VerifyXMLSignatureResponseValidator {
* @param verifyXMLSignatureResponse the <code>&lt;VerifyXMLSignatureResponse&gt;</code>
* @param identityLinkSignersSubjectDNNames subject names configured
* @param whatToCheck is used to identify whether the identityLink or the Auth-Block is validated
- * @param ignoreManifestValidationResult specifies whether the validation result of the
+ * @param oaParam specifies whether the validation result of the
* manifest has to be ignored (identityLink validation if
* the OA is a business service) or not
* @throws ValidateException on any validation error
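Review bot: The `@param oaParam` Javadoc still describes the removed boolean ("specifies whether the validation result of the manifest has to be ignored"), so the documentation no longer matches the parameter it names. Replace the three lines with a description of what the validator actually reads from it: `@param oaParam parameters of the online application; used to decide whether the manifest result is ignored (identityLink check of a business service) and whether a non-qualified signer certificate carrying a configured test-credential OID is accepted`.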
@@ -108,7 +113,7 @@ public class VerifyXMLSignatureResponseValidator {
public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse,
List<String> identityLinkSignersSubjectDNNames,
String whatToCheck,
- boolean ignoreManifestValidationResult)
+ IOAAuthParameters oaParam)
throws ValidateException, ConfigurationException {
if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0)
@@ -137,8 +142,49 @@ public class VerifyXMLSignatureResponseValidator {
//check QC
if (AuthConfigurationProvider.getInstance().isCertifiacteQCActive() &&
!whatToCheck.equals(CHECK_IDENTITY_LINK) &&
- !verifyXMLSignatureResponse.isQualifiedCertificate())
- throw new ValidateException("validator.71", null);
+ !verifyXMLSignatureResponse.isQualifiedCertificate()) {
+
+ //check if testcards are active and certificate has an extension for test credentials
+ if (oaParam.isTestCredentialEnabled()) {
+ boolean foundTestCredentialOID = false;
+ try {
+ X509Certificate signerCert = verifyXMLSignatureResponse.getX509certificate();
+
+ List<String> validOIDs = new ArrayList<String>();
+ if (oaParam.getTestCredentialOIDs() != null)
+ validOIDs.addAll(oaParam.getTestCredentialOIDs());
+ else
+ validOIDs.add(MOAIDAuthConstants.TESTCREDENTIALROOTOID);
+
+ Set<String> extentsions = signerCert.getCriticalExtensionOIDs();
+ extentsions.addAll(signerCert.getNonCriticalExtensionOIDs());
+ Iterator<String> extit = extentsions.iterator();
+ while(extit.hasNext()) {
+ String certOID = extit.next();
+ for (String el : validOIDs) {
+ if (certOID.startsWith(el))
+ foundTestCredentialOID = true;
+ }
+ }
+
+ } catch (Exception e) {
+ Logger.warn("Test credential OID extraction FAILED.", e);
+
+ }
+ //throw Exception if not TestCredentialOID is found
+ if (!foundTestCredentialOID)
+ throw new ValidateException("validator.72", null);
+
+ } else
+ throw new ValidateException("validator.71", null);
+ }
+
+ // if OA is type is business service the manifest validation result has
+ // to be ignored
+ boolean ignoreManifestValidationResult = false;
+ if (whatToCheck.equals(CHECK_IDENTITY_LINK))
+ ignoreManifestValidationResult = (oaParam.getBusinessService()) ? true
+ : false;
if (ignoreManifestValidationResult) {
Logger.debug("OA type is business service, thus ignoring DSIG manifest validation result");
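Review bot: `if (certOID.startsWith(el))` matches OID strings by character prefix without respecting arc boundaries, so a configured OID such as `1.2.3.4` also accepts an extension `1.2.3.45`, and a non-qualified certificate carrying such an unrelated extension would be accepted as a test credential, which is exactly the bypass of the qualified-certificate requirement this branch is meant to prevent. Compare on arc boundaries instead: `if (certOID.equals(el) || certOID.startsWith(el + "."))`. Separately, per the `java.security.cert.X509Extension` contract `getCriticalExtensionOIDs()` returns null when the certificate has no critical extensions and the returned set may be unmodifiable, so the `addAll` into it can throw; that is swallowed by the generic `catch (Exception e)` and ends in `validator.72`, which is fail-closed, but copying both OID sets into a fresh collection would make the check work for those certificates rather than silently rejecting them. A one-line comment above the loop would also help the next reader: `// non-qualified signer cert is accepted only if it carries a configured test-credential extension OID`.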
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index dca0958f3..6fc1d28c1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -279,7 +279,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
//Load MOAID-2.0 properties file
File propertiesFile = new File(fileName);
- FileInputStream fis;
+ FileInputStream fis = null;
props = new Properties();
// determine the directory of the root config file
@@ -364,6 +364,11 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
} catch (ExceptionInInitializerError e) {
throw new ConfigurationException("config.17", null, e);
+
+ } finally {
+ if (fis != null)
+ fis.close();
+
}
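Review bot: `fis.close()` in the new `finally` can itself throw `IOException`, and an exception raised there replaces whatever the `try` was propagating (for instance the `config.17` ConfigurationException a few lines up), so the original cause is lost; whether the enclosing method even declares IOException is outside this hunk. Guard the close so it cannot mask the primary failure, e.g. `try { fis.close(); } catch (IOException e) { Logger.warn("Cannot close MOA-ID properties file", e); }`, or open the stream with try-with-resources if the project's Java level allows it. The enclosing method starts outside the hunk.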
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
index a59cc10e0..6398de34f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
@@ -144,5 +144,9 @@ public interface IOAAuthParameters {
* @return
*/
boolean isOutboundSSOInterfederationAllowed();
+
+ boolean isTestCredentialEnabled();
+ List<String> getTestCredentialOIDs();
+
} \ No newline at end of file
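Review bot: The two new interface methods carry no Javadoc although the neighbouring method does, and the contract of `getTestCredentialOIDs()` is not obvious: the `OAAuthParameter` implementation in this commit returns null when no OID is configured and the validator treats null as "fall back to the default root OID", so a null return is meaningful rather than an error. Document both, e.g. `/** @return true if a non-qualified signer certificate carrying a configured test-credential extension OID may be accepted for this online application */` and `/** @return the configured test-credential OIDs, or null when none are configured (callers then use the default root OID) */`.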
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 7fc5746ee..f6360f4cf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -67,6 +67,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute;
import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType;
import at.gv.egovernment.moa.id.commons.db.dao.config.TemplatesType;
+import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials;
import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType;
import at.gv.egovernment.moa.id.config.ConfigurationUtils;
import at.gv.egovernment.moa.id.config.OAParameter;
@@ -520,4 +521,30 @@ public boolean isIDPPublicService() {
}
+
+/* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isTestCredentialEnabled()
+ */
+@Override
+public boolean isTestCredentialEnabled() {
+ TestCredentials testing = oa_auth.getTestCredentials();
+ if (testing != null && testing.isEnableTestCredentials())
+ return true;
+ else
+ return false;
+}
+
+
+/* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTestCredentialOIDs()
+ */
+@Override
+public List<String> getTestCredentialOIDs() {
+ TestCredentials testing = oa_auth.getTestCredentials();
+ if (testing != null && testing.getCredentialOID().size() > 0)
+ return testing.getCredentialOID();
+ else
+ return null;
+}
+
}
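Review bot: `isTestCredentialEnabled()` spells a boolean expression as an if/else returning literals; `return testing != null && testing.isEnableTestCredentials();` is the idiomatic form. In `getTestCredentialOIDs()` the null return is load-bearing (the validator substitutes the default root OID for null but would match nothing against an empty list), so that choice deserves a comment rather than looking like an accident: `// null (not an empty list) tells the validator to use the default root OID`.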
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
index 02ac09d70..eddf605a6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
@@ -381,6 +381,24 @@ public class DynamicOAAuthParameters implements IOAAuthParameters {
return false;
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isTestCredentialEnabled()
+ */
+ @Override
+ public boolean isTestCredentialEnabled() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTestCredentialOIDs()
+ */
+ @Override
+ public List<String> getTestCredentialOIDs() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
}
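Review bot: Both new methods keep the IDE's `// TODO Auto-generated method stub` comment, which reads as unfinished work although returning false/null here is presumably the intended, safe default (dynamically created OA parameters never enable test credentials). Replace the TODOs with a comment that records the decision, e.g. `// test credentials are never enabled for dynamically created OA parameters; null makes the validator use its default OID only when enabled elsewhere`, so nobody later "finishes" the stub by wiring it to untrusted input.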
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
index 6c2f3e75a..b5220914c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
@@ -38,6 +38,8 @@ import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator;
import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
+import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
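Review bot: The added `import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;` does not appear to be used: the next hunk declares the parameter object as `DynamicOAAuthParameters` and passes it directly. Unless the interface is referenced elsewhere in the file outside this diff, drop the import.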
@@ -75,12 +77,14 @@ public class IdentityLinkTestModule implements TestModuleInterface {
VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser(
domVerifyXMLSignatureResponse).parseData();
-
+ DynamicOAAuthParameters oaParam = new DynamicOAAuthParameters();
+ oaParam.setBusinessService(true);
+
VerifyXMLSignatureResponseValidator.getInstance().validate(
verifyXMLSignatureResponse,
config.getIdentityLinkX509SubjectNames(),
VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK,
- true);
+ oaParam);
} catch (ValidateException e) {
//check if default Monitoring IDL is used then error is ignored
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index 27f53feed..350c4e9da 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -174,21 +174,19 @@ public class AuthenticationSessionStoreage {
}
- public static String changeSessionID(AuthenticationSession session)
- throws AuthenticationException, BuildException {
-
- try {
+ public static String changeSessionID(AuthenticationSession session, String newSessionID) throws BuildException, AuthenticationException {
+ try {
AuthenticatedSessionStore dbsession = searchInDatabase(session.getSessionID(), true);
- String id = Random.nextRandom();
+
Logger.debug("Change SessionID from " + session.getSessionID()
- + "to " + id);
+ + "to " + newSessionID);
- session.setSessionID(id);
+ session.setSessionID(newSessionID);
encryptSession(session, dbsession);
- dbsession.setSessionid(id);
+ dbsession.setSessionid(newSessionID);
dbsession.setAuthenticated(session.isAuthenticated());
//set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1
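Review bot: The new `changeSessionID(session, newSessionID)` overload stores whatever identifier the caller hands in without any check, whereas the previous version always generated it with `Random.nextRandom()`; if any caller passes a value influenced by the client (a request parameter, a foreign SSO identifier), this becomes a session-fixation vector. The callers are not visible in this diff, so at minimum document the precondition and reject empty input: `/** @param newSessionID a freshly generated, unguessable identifier; must never be derived from client-controlled input */` and `if (newSessionID == null || newSessionID.isEmpty()) throw new AuthenticationException(...)` with a real message key rather than the `"TODO!"` placeholder the catch block below still uses. The debug log on the new side also prints both the old and the new identifier in full; consider logging a truncated form only.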
@@ -198,11 +196,21 @@ public class AuthenticationSessionStoreage {
Logger.trace("Change SessionID complete.");
- return id;
+ return newSessionID;
} catch (MOADatabaseException e) {
throw new AuthenticationException("TODO!", null);
}
+
+
+
+ }
+
+ public static String changeSessionID(AuthenticationSession session)
+ throws AuthenticationException, BuildException {
+ String id = Random.nextRandom();
+ return changeSessionID(session, id);
+
}
public static void setAuthenticated(String moaSessionID, boolean value) {
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 232411fd8..0f9792e79 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -201,6 +201,7 @@ validator.68=SigningTime im AUTH-Block konnte nicht eruiert werden.
validator.69=SigningTime im AUTH-Block und Serverzeit weichen zu stark ab ({0}).
validator.70=Das einmale Tokken im signierten AuthBlock ({0}) stimmt nicht mit dem von generierten Tokken ({1}) \u00FCberein.
validator.71=Das Signaturzertifikat ist nicht qualifiziert.
+validator.72=Das Signaturzertifikat ist nicht qualifiziert und es wurde keine OID f\u00FCr Test Identit\u00E4ten gefunden.
ssl.01=Validierung des SSL-Server-Endzertifikates hat fehlgeschlagen
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationTest.java
index 14bb1e4cc..0876cfac6 100644
--- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationTest.java
+++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationTest.java
@@ -61,6 +61,7 @@ import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator;
import at.gv.egovernment.moa.id.config.ConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters;
import at.gv.egovernment.moa.util.DOMUtils;
@@ -130,7 +131,10 @@ System.setProperty(
VerifyXMLSignatureResponseParser vParser = new VerifyXMLSignatureResponseParser(response);
VerifyXMLSignatureResponse vData = vParser.parseData();
VerifyXMLSignatureResponseValidator vValidate = VerifyXMLSignatureResponseValidator.getInstance();
- vValidate.validate(vData, authConf.getIdentityLinkX509SubjectNames(), VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK, true);
+
+ DynamicOAAuthParameters oaParam = new DynamicOAAuthParameters();
+ oaParam.setBusinessService(true);
+ vValidate.validate(vData, authConf.getIdentityLinkX509SubjectNames(), VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK, oaParam);
vValidate.validateCertificate(vData,idl);
// check the result
diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
index 3a2914cb4..2d5542b98 100644
--- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
+++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
@@ -484,7 +484,7 @@
<xsd:complexType name="InterfederationIDPType">
<xsd:sequence>
<xsd:element name="attributeQueryURL" type="xsd:string" minOccurs="0" maxOccurs="1"/>
- <xsd:element name="storeSSOSession" type="xsd:boolean" minOccurs="1" maxOccurs="1" default="true"/>
+ <xsd:element name="storeSSOSession" type="xsd:boolean" default="true" minOccurs="1" maxOccurs="1"/>
</xsd:sequence>
<xsd:attribute name="inboundSSO" type="xsd:boolean" default="true"/>
<xsd:attribute name="outboundSSO" type="xsd:boolean" default="true"/>
@@ -530,6 +530,14 @@
</xsd:sequence>
</xsd:complexType>
</xsd:element>
+ <xsd:element name="testCredentials" minOccurs="0" maxOccurs="1">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="credentialOID" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
+ </xsd:sequence>
+ <xsd:attribute name="enableTestCredentials" type="xsd:boolean" default="false"/>
+ </xsd:complexType>
+ </xsd:element>
<xsd:element ref="OA_STORK" minOccurs="0"/>
<xsd:element name="OA_SSO" minOccurs="0">
<xsd:complexType>
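Review bot: The new `testCredentials` element has no `xsd:annotation`, although enabling it changes a security-relevant rule (non-qualified signer certificates become acceptable when they carry one of the listed OIDs, or the default root OID when the list is empty), and operators reading the schema have no way to learn that. Add an `xsd:annotation/xsd:documentation` on `testCredentials` stating that effect, and one on `credentialOID` saying that each value names an OID arc whose extensions mark a test credential. Defaulting `enableTestCredentials` to false is the right choice and should stay.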