20 files changed, 337 insertions, 258 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java index cb60a21a0..0e65b7dca 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java @@ -30,17 +30,16 @@ import java.util.Map; import javax.servlet.http.HttpServletRequest; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; -import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA; import at.gv.egovernment.moa.id.commons.db.dao.config.BKUURLS; import at.gv.egovernment.moa.id.commons.db.dao.config.DefaultBKUs; import at.gv.egovernment.moa.id.commons.db.dao.config.MOAIDConfiguration; import at.gv.egovernment.moa.id.commons.db.dao.config.MOAKeyBoxSelector; import at.gv.egovernment.moa.id.commons.db.dao.config.Mandates; -import at.gv.egovernment.moa.id.commons.db.dao.config.MandatesProfileNameItem; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplatesType; +import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials; import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType; import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; @@ -70,6 +69,9 @@ public class OAAuthenticationData implements IOnlineApplicationData { private Map<String, byte[]> transformations; + private boolean enableTestCredentials = false; + private List<String> testCredentialOIDs = null; + /** * */ 
@@ -204,6 +206,12 @@ public class OAAuthenticationData implements IOnlineApplicationData { } } + if (oaauth.getTestCredentials() != null) { + enableTestCredentials = oaauth.getTestCredentials().isEnableTestCredentials(); + testCredentialOIDs = oaauth.getTestCredentials().getCredentialOID(); + + } + return null; } @@ -305,6 +313,16 @@ public class OAAuthenticationData implements IOnlineApplicationData { } + if (enableTestCredentials) { + TestCredentials testing = authoa.getTestCredentials(); + if (testing == null) + testing = new TestCredentials(); + + testing.setEnableTestCredentials(enableTestCredentials); + testing.setCredentialOID(testCredentialOIDs); + + } + return null; } @@ -538,5 +556,51 @@ public class OAAuthenticationData implements IOnlineApplicationData { SLTemplates = new ArrayList<String>(); SLTemplates.add(sLTemplateURL3); } + + /** + * @return the enableTestCredentials + */ + public boolean isEnableTestCredentials() { + return enableTestCredentials; + } + + /** + * @param enableTestCredentials the enableTestCredentials to set + */ + public void setEnableTestCredentials(boolean enableTestCredentials) { + this.enableTestCredentials = enableTestCredentials; + } + + /** + * @return the testCredentialOIDs + */ + public String getTestCredentialOIDs() { + String value = null; + for (String el : testCredentialOIDs) { + if (value == null) + value = el; + else + value += "," + el; + + } + + return value; + } + + public List<String> getTestCredialOIDList() { + return this.testCredentialOIDs; + } + + /** + * @param testCredentialOIDs the testCredentialOIDs to set + */ + public void setTestCredentialOIDs(String testCredentialOIDs) { + String[] oidList = testCredentialOIDs.split(","); + + this.testCredentialOIDs = new ArrayList<String>(); + for (int i=0; i<oidList.length; i++) + this.testCredentialOIDs.add(oidList[i].trim()); + } + } 
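Review bot: In the `@@ -305` hunk the `TestCredentials` object created when `authoa.getTestCredentials()` is null is never attached to `authoa`, so for an online application that has no such element yet the new settings are silently dropped; and because the whole update sits inside `if (enableTestCredentials)`, unticking the checkbox never writes `false` back, so test credentials cannot be disabled through the form once they were enabled. Both points matter because this flag later lets non-qualified certificates pass the QC check in the validator. The fix below assumes `AuthComponentOA` exposes a `setTestCredentials` setter matching the getter used here (not visible in this diff); the enclosing method starts and ends outside the hunk.
```java
TestCredentials testing = authoa.getTestCredentials();
if (testing == null) {
    testing = new TestCredentials();
    authoa.setTestCredentials(testing); // otherwise the new element is lost
}
// always persist the flag, so that disabling test credentials is saved as well
testing.setEnableTestCredentials(enableTestCredentials);
testing.setCredentialOID(testCredentialOIDs);
```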
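Review bot: In the `@@ -538` hunk `getTestCredentialOIDs()` iterates `testCredentialOIDs`, which this diff initialises to `null` and only fills when the loaded OA already has a TestCredentials element, so reading the property for any other OA throws a NullPointerException (the new JSP reads it unconditionally). `setTestCredentialOIDs("")` also yields a list containing a single empty string, and an empty string is a prefix of every OID, so a blank field would later match any certificate extension in the validator. Blank tokens should be skipped and the getter made null-safe; the enclosing class continues outside the hunk.
```java
public String getTestCredentialOIDs() {
    if (testCredentialOIDs == null || testCredentialOIDs.isEmpty())
        return null;
    StringBuilder value = new StringBuilder();
    for (String el : testCredentialOIDs) {
        if (value.length() > 0)
            value.append(",");
        value.append(el);
    }
    return value.toString();
}

public void setTestCredentialOIDs(String testCredentialOIDs) {
    this.testCredentialOIDs = new ArrayList<String>();
    if (testCredentialOIDs == null)
        return;
    for (String oid : testCredentialOIDs.split(",")) {
        String trimmed = oid.trim();
        if (trimmed.length() > 0)   // never store an empty OID: it would prefix-match everything
            this.testCredentialOIDs.add(trimmed);
    }
}
```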
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java index 0bbf2116d..fd40bd447 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java @@ -30,6 +30,7 @@ import javax.servlet.http.HttpServletRequest; import org.apache.log4j.Logger; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.validation.ValidationHelper; import at.gv.egovernment.moa.id.configuration.data.oa.OAAuthenticationData; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; @@ -145,6 +146,17 @@ public class OAAuthenticationDataValidation { new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}, request )); } } + + if (form.isEnableTestCredentials()) { + for (String el : form.getTestCredialOIDList()) { + if (!el.startsWith(MOAIDAuthConstants.TESTCREDENTIALROOTOID)) + log.warn("Test credential OID does not start with test credential root OID"); + errors.add(LanguageHelper.getErrorString("validation.general.testcredentials.oid.valid", + new Object[] {el}, request )); + } + + + } return errors; } diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties index a4e5a5d05..06c22972d 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties 
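Review bot: The `if (!el.startsWith(MOAIDAuthConstants.TESTCREDENTIALROOTOID))` in the `@@ -145` hunk has no braces, so only the `log.warn` is conditional and `errors.add(...)` runs for every configured OID, which means a form with test credentials enabled can never be saved. Once braced, a bare `startsWith` is still too loose: a root of `1.2.40.0.10.1` also accepts `1.2.40.0.10.10...` and `1.2.40.0.10.12...`, so the comparison should be on a dot boundary; the list itself may also be null for an OA without stored OIDs. The enclosing validation method starts outside the hunk.
```java
if (form.isEnableTestCredentials() && form.getTestCredialOIDList() != null) {
    String root = MOAIDAuthConstants.TESTCREDENTIALROOTOID;
    for (String el : form.getTestCredialOIDList()) {
        // accepted only if the OID lies below the test credential arc (dot boundary, not a bare prefix)
        if (!(el.equals(root) || el.startsWith(root + "."))) {
            log.warn("Test credential OID " + el + " does not start with test credential root OID");
            errors.add(LanguageHelper.getErrorString("validation.general.testcredentials.oid.valid",
                    new Object[] {el}, request ));
        }
    }
}
```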
@@ -259,6 +259,10 @@ webpages.oaconfig.general.BKUSelection.fonttype.list=Formularschrifttypen webpages.oaconfig.general.BKUSelection.header.applet.height=Appleth\u00F6he webpages.oaconfig.general.BKUSelection.header.applet.width=Appletbreite +webpages.oaconfig.general.testing.header=Test Identitu\00E4ten +webpages.oaconfig.general.testing.usetesting=Test Identitu\00E4ten erlauben +webpages.oaconfig.general.testing.oids=OIDs f\u00FCr Test Identitu\00E4ten einschr\u00E4nken. + webpages.oaconfig.sso.header=Single Sign-On webpages.oaconfig.sso.singlelogouturl=Single Log-Out URL webpages.oaconfig.sso.useauthdataframe=Zus\u00E4tzliche Userabfrage @@ -442,6 +446,7 @@ validation.general.bkuselection.file.selected=Es kann nur EIN BKU-Selektion Temp validation.general.sendassertion.filename.valid=Der Dateiname des Send-Assertion Templates enth\u00E4lt nicht erlaubte Zeichen. Folgende Zeichen sind nicht erlaubt\: {0} validation.general.sendassertion.file.valid=Das Send-Assertion Templates konnte nicht geladen werden. validation.general.sendassertion.file.selected=Es kann nur EIN Send-Assertion Template angegeben werden. +validation.general.testcredentials.oid.valid=Die Testdaten OID {0} ist ung\u00FCltig. validation.stork.cpeps.cc=CPEPS L\u00E4ndercode folgt nicht ISO 3166-2 diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties index c9f4e1eb2..cc6e98964 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties 
@@ -190,6 +190,10 @@ webpages.oaconfig.general.bku.sltemplate.first=SecurityLayer Template webpages.oaconfig.general.bku.sltemplate.second=SecurityLayer Template (WhiteList) webpages.oaconfig.general.bku.sltemplate.third=SecurityLayer Template (WhiteList) +webpages.oaconfig.general.testing.header=Test Credentials +webpages.oaconfig.general.testing.usetesting=Allow test credentials +webpages.oaconfig.general.testing.oids=Use special test credential OIDs + webpages.oaconfig.general.bku.delete=Remove webpages.oaconfig.general.bku.bkuselection.header=CCE-Selection Template webpages.oaconfig.general.bku.bkuselection.filename=File name @@ -440,7 +444,7 @@ validation.general.bkuselection.file.selected=Only one CCE-selection template ca validation.general.sendassertion.filename.valid=The file name of Send-Assertion Templates contains forbidden characters. The following characters are not allowed\: {0} validation.general.sendassertion.file.valid=Send-Assertion Templates could not be loaded. validation.general.sendassertion.file.selected=Only one Send-Assertion Template can be provided. - +validation.general.testcredentials.oid.valid=The OID {0} for test credentials is not a valid. validation.stork.cpeps.cc=CPEPS country code is not based on 3166-2 validation.stork.cpeps.empty=CPEPS configuration is incomplete diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/authentication.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/authentication.jsp index a659104ed..3dda0c0a4 100644 --- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/authentication.jsp +++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/authentication.jsp 
@@ -67,6 +67,26 @@ </div> </s:if> + <div class="oa_config_block"> + <h3><%=LanguageHelper.getGUIString("webpages.oaconfig.general.testing.header", request) %></h3> + + + <s:checkbox name="authOA.enableTestCredentials" + value="%{authOA.enableTestCredentials}" + labelposition="left" + key="webpages.oaconfig.general.testing.usetesting" + cssClass="checkbox"> + </s:checkbox> + + <s:textfield name="authOA.testCredentialOIDs" + value="%{authOA.testCredentialOIDs}" + labelposition="left" + key="webpages.oaconfig.general.testing.oids" + cssClass="textfield_long"> + </s:textfield> + </div> + + <div class="oa_config_block"> <h3><%=LanguageHelper.getGUIString("webpages.oaconfig.general.mandate.header", request) %></h3> diff --git a/id/readme_2.1.0.txt b/id/readme_2.1.0.txt deleted file mode 100644 index 19ccdb4b8..000000000 --- a/id/readme_2.1.0.txt +++ /dev/null 
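Review bot: The new text field renders `%{authOA.testCredentialOIDs}`, and per this same commit that getter walks a list which is `null` for every OA that has no TestCredentials element stored, so opening the authentication page of an existing OA would fail with a NullPointerException unless the getter is made null-safe. The checkbox also switches on acceptance of non-qualified certificates for this OA without telling the administrator, which deserves a visible hint next to the field, for example a paragraph text such as "Test credentials are accepted instead of qualified certificates; use only for test installations" keyed in the resource bundles. Consider wrapping the field in `<s:if test="authOA.testCredentialOIDs != null">` or guarding the getter; the enclosing form continues outside the hunk.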
@@ -1,172 +0,0 @@ -=============================================================================== -MOA ID Version Release 2.1.0 - Wichtige Informationen zur Installation -=============================================================================== - -------------------------------------------------------------------------------- -A. Neuerungen/Änderungen -------------------------------------------------------------------------------- - -Mit MOA ID Version 2.0.1 wurden folgende Neuerungen eingeführt, die jetzt -erstmals in der Veröffentlichung enthalten sind (siehe auch history.txt im -gleichen Verzeichnis): - -- Neuerungen: - - IDP Interfederation für Single Sign-On - - MOA-ID Truststore wird auch für Bezug PVP 2.1 metadaten über https verwendet. - - Definition neuer Fehlercodes - -- Änderungen - - Anpassung VIDP Code für STORK - - MOA-ID-Konfigurationstool mit überarbeiteter Online-Applikationskonfiguration - - Kleinere Bug-Fixes - - Anpassung der protokollspezifischen Fehlerrückgabe - -------------------------------------------------------------------------------- -B. Durchführung eines Updates -------------------------------------------------------------------------------- - -Es wird generell eine Neuinstallation lt. Handbuch empfohlen! Dennoch ist auch -eine Aktualisierung bestehender Installationen möglich. - -............................................................................... -B.1 Durchführung eines Updates von Version 2.0.1 -............................................................................... - 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. - Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. - -2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.0.zip) in - ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST - bezeichnet. - -3. 
Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth - beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, - wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation - für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als - auch das komplette Verzeichnis moa-id-auth. - -4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach - CATALINA_HOME_ID/webapps. - -5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach - CATALINA_HOME_ID/webapps. - -6. Update der STORK Konfiguration - a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork - in das Verzeichnis CATALINA_HOME\conf\moa-id\stork. - b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration -> - 2.4 Konfiguration des SamlEngines an. - -7. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Configuration Konfigurationsdatei - CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties - a.) general.ssl.certstore=certs/certstore - b.) general.ssl.truststore=certs/truststore - -8. Kopieren des folgenden zusätzlichen Ordners MOA_ID_AUTH_INST/conf/moa-id-configuration/certs - nach CATALINA_HOME\conf\moa-id-configuration\ - -9. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei - CATALINA_HOME\conf\moa-id\moa-id.properties und Anpassung an das zu verwendeten Schlüsselpaar. - a.) protocols.pvp2.idp.ks.assertion.encryption.alias=pvp_assertion - protocols.pvp2.idp.ks.assertion.encryption.keypassword=password - -10. Kopieren der folgenden zusätzlichen Ordner aus MOA_ID_AUTH_INST/conf/moa-id/ - nach CATALINA_HOME\conf\moa-id\ - a.) MOA_ID_AUTH_INST/conf/moa-id/SLTemplates -> CATALINA_HOME\conf\moa-id\ - -8. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im - Logging von MOA ID beim Einlesen der Konfiguration. - - -............................................................................... 
-B.2 Durchführung eines Updates von Version 2.0-RC1 -............................................................................... - -1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. - Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. - -2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.0.1.zip) in - ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST - bezeichnet. - Für MOA ID Proxy: - Entpacken Sie die Distribution von MOA-ID-Proxy (moa-id-proxy-2.0.1.zip) in - ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_PROXY_INST - bezeichnet. - -3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth - beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, - wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation - für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als - auch das komplette Verzeichnis moa-id-auth. - -4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach - CATALINA_HOME_ID/webapps. - -5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach - CATALINA_HOME_ID/webapps. - -6. Update des Cert-Stores. - Kopieren Sie den Inhalt des Verzeichnisses - MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis - CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie - vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann - bejahen sie das. - -7. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen - wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile - beibehalten wollen, dann gehen Sie vor, wie in Punkt b). - - a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen: - - 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles. - 2) Kopieren Sie das Verzeichnis - MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis - CATALINA_HOME\conf\moa-spss. 
- - b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie - folgt vor, um die Profile auf den aktuellen Stand zu bringen: - - 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den - entsprechenden Profilen im Verzeichnis - MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren - Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt - der einzelnen Profile aus der Distribution - (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden - Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) - kopieren und dabei die vorhandenen gleichnamigen Zertifikate - überschreiben), also z.B: Kopieren des Inhalts von - MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\ - MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach - CATALINA_HOME\conf\moa-spss\trustProfiles\ - MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. - -8. Update der Default html-Templates für die Bürgerkartenauswahl. - - a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates - in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates. - b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates - in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates. - -9. Update der STORK Konfiguration - a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork - in das Verzeichnis CATALINA_HOME\conf\moa-id\stork. - b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration -> - 2.4 Konfiguration des SamlEngines an. - -10. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei - CATALINA_HOME\conf\moa-id\moa-id.properties - - a.) configuration.validation.certificate.QC.ignore=false - b.) protocols.pvp2.assertion.encryption.active=false - -11. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im - Logging von MOA ID beim Einlesen der Konfiguration. 
- - -............................................................................... -B.3 Durchführung eines Updates von Version <= 1.5.1 -............................................................................... - -Bitte führen Sie eine Neuinstallation von MOA ID laut Handbuch durch und passen -Sie die mitgelieferte Musterkonfiguration entsprechend Ihren Bedürfnissen unter -Zuhilfenahme Ihrer bisherigen Konfiguration an. - diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index e7abf0f9a..a8cf5014f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -414,17 +414,12 @@ public class AuthenticationServer implements MOAIDAuthConstants { OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - // if OA is type is business service the manifest validation result has - // to be ignored - boolean ignoreManifestValidationResult = (oaParam.getBusinessService()) ? true - : false; - // validates the <VerifyXMLSignatureResponse> VerifyXMLSignatureResponseValidator.getInstance().validate( verifyXMLSignatureResponse, authConf.getIdentityLinkX509SubjectNames(), VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK, - ignoreManifestValidationResult); + oaParam); session.setIdentityLink(identityLink); // now validate the extended infoboxes 
@@ -1214,10 +1209,13 @@ public class AuthenticationServer implements MOAIDAuthConstants { } } + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); + // validates the <VerifyXMLSignatureResponse> VerifyXMLSignatureResponseValidator.getInstance().validate(vsresp, null, VerifyXMLSignatureResponseValidator.CHECK_AUTH_BLOCK, - false); + oaParam); // Compare AuthBlock Data with information stored in session, especially // date and time @@ -1468,7 +1466,6 @@ public class AuthenticationServer implements MOAIDAuthConstants { */ public static AuthenticationSession getSession(String id) throws AuthenticationException { - AuthenticationSession session; try { session = AuthenticationSessionStoreage.getSession(id); @@ -1478,7 +1475,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { return session; } catch (MOADatabaseException e) { - throw new AuthenticationException("parser.04", new Object[]{id}); + throw new AuthenticationException("auth.02", new Object[]{id}); + + } catch (Exception e) { + throw new AuthenticationException("parser.04", new Object[]{id}); } } @@ -1757,8 +1757,12 @@ public class AuthenticationServer implements MOAIDAuthConstants { String issuerValue = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); - String acsURL = new DataURLBuilder().buildDataURL(issuerValue, - PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN, moasession.getSessionID()); +// String acsURL = new DataURLBuilder().buildDataURL(issuerValue, +// PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN, moasession.getSessionID()); + + //solve Problem with sessionIDs + String acsURL = issuerValue + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; + Logger.debug("MOA Assertion Consumer URL (PEPSConnctor): " + acsURL); String providerName = oaParam.getFriendlyName(); 
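Review bot: In the `@@ -1214` hunk `oaParam` is passed straight into `VerifyXMLSignatureResponseValidator.validate`, which this commit changes to dereference it (`oaParam.isTestCredentialEnabled()`, `oaParam.getBusinessService()`), but `getOnlineApplicationParameter` is treated as nullable elsewhere in this same commit (PEPSConnectorServlet throws `auth.00` when it returns null), so a missing OA configuration now ends in a NullPointerException instead of a clean authentication error. Add the same guard before the call, `if (oaParam == null) throw new AuthenticationException("auth.00", new Object[] { session.getPublicOAURLPrefix() });`, provided the enclosing method's throws clause allows it (the method starts and ends outside the hunk).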
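Review bot: The `@@ -1757` hunk drops the session ID from the assertion consumer URL and explains it only with `//solve Problem with sessionIDs`, while the actual mechanism that replaces it (rewriting the MOA session ID to the AuthnRequest's SAML ID and recovering it at the ACS from RelayState or InResponseTo) lives in other hunks of this commit; a reader of this line cannot tell how the response is correlated to a session any more. Delete the commented-out `DataURLBuilder` lines and replace the comment with `// no session ID in the ACS URL: the PEPSConnectorServlet recovers the MOA session from the SAML RelayState or from the AuthnResponse's InResponseTo, which equals the session ID after changeSessionID()`. The enclosing method starts and ends outside the hunk.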
@@ -1862,10 +1866,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { //send moasession.setStorkAuthnRequest(authnRequest); - HttpSession httpSession = req.getSession(); - httpSession.setAttribute("MOA-Session-ID", moasession.getSessionID()); - + AuthenticationSessionStoreage.changeSessionID(moasession, authnRequest.getSamlId()); + + Logger.info("Preparing to send STORK AuthnRequest."); Logger.info("prepared STORKAuthnRequest: "); Logger.info(new String(authnRequest.getTokenSaml())); @@ -1888,8 +1892,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { } catch (Exception e) { Logger.error("Error sending STORK SAML AuthnRequest.", e); - httpSession.invalidate(); throw new MOAIDException("stork.02", new Object[]{destination}); + } Logger.info("STORK AuthnRequest successfully successfully prepared for client with target location: " + authnRequest.getDestination()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index e2c0c1f18..497c79c1e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -142,6 +142,10 @@ public interface MOAIDAuthConstants { public static final String PARAM_APPLET_HEIGTH = "heigth"; public static final String PARAM_APPLET_WIDTH = "width"; + //TODO: set correct OID!!! + public static final String TESTCREDENTIALROOTOID = "1.2.40.0.10.1"; + + public static final Map<String, String> COUNTRYCODE_XX_TO_NAME = Collections.unmodifiableMap(new HashMap<String, String>() { private static final long serialVersionUID = 1L; 
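Review bot: In the `@@ -1862` hunk `AuthenticationSessionStoreage.changeSessionID(moasession, authnRequest.getSamlId())` makes the SAML request ID the MOA session identifier, so its unpredictability is now a session-security property, and that ID leaves the server inside the AuthnRequest, which the two context lines right below dump in full at INFO level (`Logger.info(new String(authnRequest.getTokenSaml()))`), writing the live session identifier into the log. Whether the SAML engine draws the ID from a cryptographically secure generator cannot be seen here and should be confirmed; in any case lower the token dump to `Logger.debug` or log only `authnRequest.getDestination()`, and document the rewrite with `// the MOA session is keyed by the AuthnRequest ID from here on: the ACS matches it against InResponseTo`. The enclosing method starts and ends outside the hunk.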
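Review bot: The `@@ -142` hunk of MOAIDAuthConstants introduces `TESTCREDENTIALROOTOID` with `//TODO: set correct OID!!!`, yet this constant is the trust anchor that decides which non-qualified certificates the validator accepts as test credentials, so a placeholder value must not reach a release. Since the validator in this commit matches configured OIDs by `startsWith`, a short placeholder arc also widens acceptance beyond what is intended. Replace the TODO with a Javadoc that states the contract, `/** Root OID of the certificate extension that marks test credentials; every configured test credential OID must lie below this arc. */`, and either pin the final value before merging or make it a configuration property whose absence fails startup.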
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java index 8a5782bcf..e5b2c598c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java @@ -78,6 +78,7 @@ import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl; import at.gv.egovernment.moa.id.storage.IExceptionStore; import at.gv.egovernment.moa.id.util.ServletUtils; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.URLDecoder; /** @@ -197,7 +198,7 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants { IExceptionStore store = DBExceptionStoreImpl.getStore(); String id = store.storeException(exceptionThrown); - if (id != null) { + if (id != null && MiscUtil.isNotEmpty(pendingRequestID)) { String redirectURL = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 25749c8bc..93ac84381 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -113,16 +113,50 @@ public class PEPSConnectorServlet extends AuthServlet { //check if https or only http
super.checkIfHTTPisAllowed(request.getRequestURL().toString());
+
+ Logger.debug("Beginning to extract SAMLResponse out of HTTP Request");
+
+ //extract STORK Response from HTTP Request
+ //Decodes SAML Response
+ byte[] decSamlToken;
+ try {
+ decSamlToken = PEPSUtil.decodeSAMLToken(request.getParameter("SAMLResponse"));
+ } catch(NullPointerException e) {
+ Logger.error("Unable to retrieve STORK Response", e);
+ throw new MOAIDException("stork.04", null);
+ }
+
+ //Get SAMLEngine instance
+ STORKSAMLEngine engine = STORKSAMLEngine.getInstance("outgoing");
+
+ STORKAuthnResponse authnResponse = null;
+ try {
+ //validate SAML Token
+ Logger.debug("Starting validation of SAML response");
+ authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost());
+ Logger.info("SAML response succesfully verified!");
+ }catch(STORKSAMLEngineException e){
+ Logger.error("Failed to verify STORK SAML Response", e);
+ throw new MOAIDException("stork.05", null);
+ }
+
+ Logger.info("STORK SAML Response message succesfully extracted");
+ Logger.debug("STORK response: ");
+ Logger.debug(authnResponse.toString());
Logger.debug("Trying to find MOA Session-ID ...");
- String moaSessionID = request.getParameter(PARAM_SESSIONID);
-
+ //String moaSessionID = request.getParameter(PARAM_SESSIONID);
+ //first use SAML2 relayState
+ String moaSessionID = request.getParameter("RelayState");
+
// escape parameter strings
moaSessionID= StringEscapeUtils.escapeHtml(moaSessionID);
+ //check if SAML2 relaystate includes a MOA sessionID
if (StringUtils.isEmpty(moaSessionID)) {
- //check if SAML2 relaystate includes a MOA sessionID
- moaSessionID = request.getParameter("RelayState");
+ //if relaystate is emtpty, use SAML response -> inResponseTo element as session identifier
+
+ moaSessionID = authnResponse.getInResponseTo();
moaSessionID= StringEscapeUtils.escapeHtml(moaSessionID);
if (StringUtils.isEmpty(moaSessionID)) {
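Review bot: The session is now chosen from `RelayState`, an unauthenticated browser-supplied parameter, and only falls back to the signed `InResponseTo`, but nothing in the hunk ties the two together: a valid STORK response obtained for one flow could be posted with a different RelayState and be processed against another pending session, unless a later check (outside this hunk) compares the response with the `StorkAuthnRequest` stored in the session. Since this commit rewrites the MOA session ID to the AuthnRequest's SAML ID, RelayState set by MOA-ID and InResponseTo must agree whenever both are present, so enforce that after the lookup. The enclosing `processRequest`-style method continues outside the hunk.
```java
// … unchanged: RelayState / InResponseTo lookup …
String inResponseTo = authnResponse.getInResponseTo();
if (StringUtils.isNotEmpty(moaSessionID) && StringUtils.isNotEmpty(inResponseTo)
        && !moaSessionID.equals(StringEscapeUtils.escapeHtml(inResponseTo))) {
    Logger.warn("RelayState does not match InResponseTo of the validated STORK response");
    throw new AuthenticationException("auth.02", new Object[] { moaSessionID });
}
```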
@@ -132,13 +166,19 @@ public class PEPSConnectorServlet extends AuthServlet {
 throw new AuthenticationException("auth.02", new Object[] { moaSessionID });
} else
- Logger.trace("MOA SessionID " + moaSessionID + " is found in SAML2 relayState.");
+ Logger.trace("Use MOA SessionID " + moaSessionID + " from AuthnResponse->inResponseTo attribute.");
} else
- Logger.trace("MOA SessionID " + moaSessionID + " is found in http GET parameter.");
+ //Logger.trace("MOA SessionID " + moaSessionID + " is found in http GET parameter.");
+ Logger.trace("MOA SessionID " + moaSessionID + " is found in SAML2 relayState.");
- if (!ParamValidatorUtils.isValidSessionID(moaSessionID))
- throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12");
+ /*INFO!!!!
+ * SAML message IDs has an different format then MOASessionIDs
+ * This is only a workaround because many PEPS does not support SAML2 relayState or
+ * MOASessionID as AttributConsumerServiceURL GET parameter
+ */
+// if (!ParamValidatorUtils.isValidSessionID(moaSessionID))
+// throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12");
pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moaSessionID);
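Review bot: Commenting out the `ParamValidatorUtils.isValidSessionID` check removes the only syntactic validation of a value that is taken from the request and then used as a lookup key in `AuthenticationSessionStoreage.getPendingRequestID`; the comment explains why the MOA session ID format no longer fits, but no replacement check is added. Instead of none, validate against the SAML ID format the engine produces, e.g. `if (!moaSessionID.matches("[A-Za-z0-9_\\-]+")) throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12");` (adjust the character class to the SAML engine's ID format, which is not visible here), and delete the commented-out lines rather than keeping them. The enclosing method continues outside the hunk.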
@@ -150,35 +190,7 @@ public class PEPSConnectorServlet extends AuthServlet {
 Logger.info("Found MOA sessionID: " + moaSessionID);
- Logger.debug("Beginning to extract SAMLResponse out of HTTP Request");
- //extract STORK Response from HTTP Request
- //Decodes SAML Response
- byte[] decSamlToken;
- try {
- decSamlToken = PEPSUtil.decodeSAMLToken(request.getParameter("SAMLResponse"));
- } catch(NullPointerException e) {
- Logger.error("Unable to retrieve STORK Response", e);
- throw new MOAIDException("stork.04", null);
- }
-
- //Get SAMLEngine instance
- STORKSAMLEngine engine = STORKSAMLEngine.getInstance("outgoing");
-
- STORKAuthnResponse authnResponse = null;
- try {
- //validate SAML Token
- Logger.debug("Starting validation of SAML response");
- authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost());
- Logger.info("SAML response succesfully verified!");
- }catch(STORKSAMLEngineException e){
- Logger.error("Failed to verify STORK SAML Response", e);
- throw new MOAIDException("stork.05", null);
- }
-
- Logger.info("STORK SAML Response message succesfully extracted");
- Logger.debug("STORK response: ");
- Logger.debug(authnResponse.toString());
String statusCodeValue = authnResponse.getStatusCode();
@@ -272,17 +284,17 @@ public class PEPSConnectorServlet extends AuthServlet {
 Logger.debug("fetching OAParameters from database");
- //read configuration paramters of OA
- AuthenticationSession moasession;
- try {
- moasession = AuthenticationSessionStoreage.getSession(moaSessionID);
- } catch (MOADatabaseException e2) {
- Logger.error("could not retrieve moa session");
- throw new AuthenticationException("auth.01", null);
- }
- OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moasession.getPublicOAURLPrefix());
+// //read configuration paramters of OA
+// AuthenticationSession moasession;
+// try {
+// moasession = AuthenticationSessionStoreage.getSession(moaSessionID);
+// } catch (MOADatabaseException e2) {
+// Logger.error("could not retrieve moa session");
+// throw new AuthenticationException("auth.01", null);
+// }
+ OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix());
if (oaParam == null)
- throw new AuthenticationException("auth.00", new Object[] { moasession.getPublicOAURLPrefix() });
+ throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() });
// retrieve target
//TODO: check in case of SSO!!!
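Review bot: The replaced session lookup is kept as eight commented-out lines above the new `oaParam` line; commented-out code is dead weight that hides the actual control flow and should be deleted, since `moaSession` is obtained elsewhere (outside this hunk) and the null check on `oaParam` already covers the failure case. A one-line comment in its place would be enough: `// moaSession was loaded once when the SAML response was correlated to the session; do not re-read it here`.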
@@ -293,7 +305,7 @@ public class PEPSConnectorServlet extends AuthServlet {
 if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
targetValue = id.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length());
else
- targetValue = moasession.getDomainIdentifier();
+ targetValue = moaSession.getDomainIdentifier();
targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_;
} else {
targetType = AuthenticationSession.TARGET_PREFIX_;
@@ -365,13 +377,13 @@ public class PEPSConnectorServlet extends AuthServlet {
 //TODO: found better solution, but QAA Level in response could be not supported yet
try {
- moasession.setQAALevel(authnResponse.getAssertions().get(0).
+ moaSession.setQAALevel(authnResponse.getAssertions().get(0).
getAuthnStatements().get(0).getAuthnContext().
getAuthnContextClassRef().getAuthnContextClassRef());
} catch (Throwable e) {
Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level");
- moasession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
+ moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index 4fd7fa965..2b687a0c8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -46,6 +46,7 @@ package at.gv.egovernment.moa.id.auth.validator; +import iaik.asn1.ObjectID; import iaik.asn1.structures.Name; import iaik.security.ecc.ecdsa.ECPublicKey; import iaik.utils.RFC2253NameParserException; @@ -54,7 +55,10 @@ import iaik.x509.X509ExtensionInitException; import java.security.PublicKey; import java.security.interfaces.RSAPublicKey; +import java.util.ArrayList; +import java.util.Iterator; import java.util.List; +import java.util.Set; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.IdentityLink; @@ -62,6 +66,7 @@ import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.logging.Logger; 
@@ -99,7 +104,7 @@ public class VerifyXMLSignatureResponseValidator {
 * @param verifyXMLSignatureResponse the <code><VerifyXMLSignatureResponse></code>
 * @param identityLinkSignersSubjectDNNames subject names configured
 * @param whatToCheck is used to identify whether the identityLink or the Auth-Block is validated
- * @param ignoreManifestValidationResult specifies whether the validation result of the
+ * @param oaParam specifies whether the validation result of the
 * manifest has to be ignored (identityLink validation if
 * the OA is a business service) or not
 * @throws ValidateException on any validation error
@@ -108,7 +113,7 @@ public class VerifyXMLSignatureResponseValidator {
 public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse,
 List<String> identityLinkSignersSubjectDNNames,
 String whatToCheck,
- boolean ignoreManifestValidationResult)
+ IOAAuthParameters oaParam)
 throws ValidateException, ConfigurationException {
 if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0)
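Review bot: The `@param oaParam` line in the validate() Javadoc still carries the description of the boolean it replaced, so it now claims the OA parameters "specify whether the validation result of the manifest has to be ignored", which is only a side effect of one field. I'd describe the parameter itself: `@param oaParam configuration of the online application; its business-service flag decides whether the manifest result is ignored for identityLink validation, and its test-credential settings decide whether a non-qualified signer certificate may be accepted`. The body of validate() continues outside this hunk.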
@@ -137,8 +142,49 @@ public class VerifyXMLSignatureResponseValidator {
 //check QC
 if (AuthConfigurationProvider.getInstance().isCertifiacteQCActive() &&
 !whatToCheck.equals(CHECK_IDENTITY_LINK) &&
- !verifyXMLSignatureResponse.isQualifiedCertificate())
- throw new ValidateException("validator.71", null);
+ !verifyXMLSignatureResponse.isQualifiedCertificate()) {
+
+ //check if testcards are active and certificate has an extension for test credentials
+ if (oaParam.isTestCredentialEnabled()) {
+ boolean foundTestCredentialOID = false;
+ try {
+ X509Certificate signerCert = verifyXMLSignatureResponse.getX509certificate();
+
+ List<String> validOIDs = new ArrayList<String>();
+ if (oaParam.getTestCredentialOIDs() != null)
+ validOIDs.addAll(oaParam.getTestCredentialOIDs());
+ else
+ validOIDs.add(MOAIDAuthConstants.TESTCREDENTIALROOTOID);
+
+ Set<String> extentsions = signerCert.getCriticalExtensionOIDs();
+ extentsions.addAll(signerCert.getNonCriticalExtensionOIDs());
+ Iterator<String> extit = extentsions.iterator();
+ while(extit.hasNext()) {
+ String certOID = extit.next();
+ for (String el : validOIDs) {
+ if (certOID.startsWith(el))
+ foundTestCredentialOID = true;
+ }
+ }
+
+ } catch (Exception e) {
+ Logger.warn("Test credential OID extraction FAILED.", e);
+
+ }
+ //throw Exception if not TestCredentialOID is found
+ if (!foundTestCredentialOID)
+ throw new ValidateException("validator.72", null);
+
+ } else
+ throw new ValidateException("validator.71", null);
+ }
+
+ // if OA is type is business service the manifest validation result has
+ // to be ignored
+ boolean ignoreManifestValidationResult = false;
+ if (whatToCheck.equals(CHECK_IDENTITY_LINK))
+ ignoreManifestValidationResult = (oaParam.getBusinessService()) ? true
+ : false;
 if (ignoreManifestValidationResult) {
 Logger.debug("OA type is business service, thus ignoring DSIG manifest validation result");
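Review bot: `certOID.startsWith(el)` compares OIDs as raw string prefixes, so a configured OID ending in `.1` also accepts any certificate extension whose OID continues with more digits (`.10`, `.11`, …); since a match here is what lets a non-qualified certificate through, the comparison should respect arc boundaries: `if (certOID.equals(el) || certOID.startsWith(el + "."))`. Separately, `getCriticalExtensionOIDs()` is specified by `java.security.cert.X509Extension` to return null when the certificate has no critical extensions (and the returned set may be unmodifiable), so the following `addAll` can throw for an ordinary certificate; the broad `catch (Exception e)` then fails closed via validator.72, but with a misleading "extraction FAILED" warning — assuming the `X509Certificate` type here follows that contract, copy both sets null-checked into a local list first. The rewritten extension-collection and match loop is below; the rest of the hunk is unchanged.
```java
// … unchanged: validOIDs built from oaParam or MOAIDAuthConstants.TESTCREDENTIALROOTOID …
List<String> extensions = new ArrayList<String>();
if (signerCert.getCriticalExtensionOIDs() != null)
    extensions.addAll(signerCert.getCriticalExtensionOIDs());
if (signerCert.getNonCriticalExtensionOIDs() != null)
    extensions.addAll(signerCert.getNonCriticalExtensionOIDs());
for (String certOID : extensions) {
    for (String el : validOIDs) {
        // match whole OID arcs only: a configured "x.y.1" must not accept "x.y.10"
        if (certOID.equals(el) || certOID.startsWith(el + "."))
            foundTestCredentialOID = true;
    }
}
// … unchanged: catch, validator.72 / validator.71 handling, manifest flag …
```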
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index dca0958f3..6fc1d28c1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -279,7 +279,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
 //Load MOAID-2.0 properties file
 File propertiesFile = new File(fileName);
- FileInputStream fis;
+ FileInputStream fis = null;
 props = new Properties();
 // determine the directory of the root config file
@@ -364,6 +364,11 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
 } catch (ExceptionInInitializerError e) {
 throw new ConfigurationException("config.17", null, e);
+
+ } finally {
+ if (fis != null)
+ fis.close();
+
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
index a59cc10e0..6398de34f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java
@@ -144,5 +144,9 @@ public interface IOAAuthParameters {
 * @return
 */
 boolean isOutboundSSOInterfederationAllowed();
+
+ boolean isTestCredentialEnabled();
+ List<String> getTestCredentialOIDs();
+
 }
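Review bot: `fis.close()` in the new finally block can itself throw IOException, and an exception raised in a finally replaces the one propagating from the catch blocks, so a ConfigurationException such as config.17 would be lost and the caller would see only the close failure. Guard the close on its own, e.g. `try { fis.close(); } catch (IOException ignored) { /* stream already unusable; nothing to recover */ }`, or, if the project builds with Java 7 or newer, open the stream with try-with-resources where it is assigned (that assignment is outside this hunk). The enclosing method starts and ends outside the hunk, so whether it already declares IOException cannot be seen here.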
\ No newline at end of file
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 7fc5746ee..f6360f4cf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -67,6 +67,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute;
 import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
 import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType;
 import at.gv.egovernment.moa.id.commons.db.dao.config.TemplatesType;
+import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials;
 import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType;
 import at.gv.egovernment.moa.id.config.ConfigurationUtils;
 import at.gv.egovernment.moa.id.config.OAParameter;
@@ -520,4 +521,30 @@ public boolean isIDPPublicService() {
 }
+
+/* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isTestCredentialEnabled()
+ */
+@Override
+public boolean isTestCredentialEnabled() {
+ TestCredentials testing = oa_auth.getTestCredentials();
+ if (testing != null && testing.isEnableTestCredentials())
+ return true;
+ else
+ return false;
+}
+
+
+/* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTestCredentialOIDs()
+ */
+@Override
+public List<String> getTestCredentialOIDs() {
+ TestCredentials testing = oa_auth.getTestCredentials();
+ if (testing != null && testing.getCredentialOID().size() > 0)
+ return testing.getCredentialOID();
+ else
+ return null;
+}
+
 }
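Review bot: The two methods added to IOAAuthParameters have no Javadoc, although the neighbouring `isOutboundSSOInterfederationAllowed()` carries one and the null contract of `getTestCredentialOIDs()` is load-bearing for the validator (null means "fall back to the default root OID"). Add `/** @return true if the OA accepts test credentials (non-qualified signer certificates carrying a configured test-credential OID) */` above `isTestCredentialEnabled()` and `/** @return the configured test-credential OID prefixes, or null if none are configured; callers then use MOAIDAuthConstants.TESTCREDENTIALROOTOID */` above `getTestCredentialOIDs()`.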
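Review bot: `getTestCredentialOIDs()` in OAAuthParameter returns null both when no testCredentials element exists and when the list is empty, and its `testing.getCredentialOID().size() > 0` assumes the generated getter never returns null — usual for a JAXB lazy-list getter, but worth confirming against the generated TestCredentials class. State the contract on the method, e.g. `/** @return the configured OID prefixes, or null if none (callers fall back to the default root OID) */`, since the validator depends on that null. `isTestCredentialEnabled()` reads more directly as `return testing != null && testing.isEnableTestCredentials();`.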
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
index 02ac09d70..eddf605a6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
@@ -381,6 +381,24 @@ public class DynamicOAAuthParameters implements IOAAuthParameters {
 return false;
 }
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isTestCredentialEnabled()
+ */
+ @Override
+ public boolean isTestCredentialEnabled() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTestCredentialOIDs()
+ */
+ @Override
+ public List<String> getTestCredentialOIDs() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
index 6c2f3e75a..b5220914c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java
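Review bot: Both new methods in DynamicOAAuthParameters keep the IDE's `// TODO Auto-generated method stub`, although returning false and null here appears to be the intended, fail-closed answer (dynamically created OA parameters never enable test credentials). Replace the TODOs with a statement of intent so the stubs are not later "completed" by accident, e.g. `// dynamic OA parameters never enable test credentials` in isTestCredentialEnabled() and `// no OIDs configured; callers fall back to their default` in getTestCredentialOIDs(). The enclosing class starts outside this hunk.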
@@ -38,6 +38,8 @@ import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
 import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator;
 import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
+import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -75,12 +77,14 @@ public class IdentityLinkTestModule implements TestModuleInterface {
 VerifyXMLSignatureResponse verifyXMLSignatureResponse =
 new VerifyXMLSignatureResponseParser(
 domVerifyXMLSignatureResponse).parseData();
-
+ DynamicOAAuthParameters oaParam = new DynamicOAAuthParameters();
+ oaParam.setBusinessService(true);
+
 VerifyXMLSignatureResponseValidator.getInstance().validate(
 verifyXMLSignatureResponse,
 config.getIdentityLinkX509SubjectNames(),
 VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK,
- true);
+ oaParam);
 } catch (ValidateException e) {
 //check if default Monitoring IDL is used then error is ignored
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index 27f53feed..350c4e9da 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
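Review bot: The new `import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;` in IdentityLinkTestModule looks unused: the only new code declares `oaParam` as the concrete `DynamicOAAuthParameters` (it has to, for `setBusinessService`), so unless the interface is referenced elsewhere in the file the import should go. A one-line comment on the new object would also help the next reader, e.g. `// monitoring checks the IDL as a business-service OA, so the DSIG manifest result is ignored as before`, since that is the only purpose of `oaParam` here. The enclosing method starts outside this hunk.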
@@ -174,21 +174,19 @@ public class AuthenticationSessionStoreage {
 }
- public static String changeSessionID(AuthenticationSession session)
- throws AuthenticationException, BuildException {
-
- try {
+ public static String changeSessionID(AuthenticationSession session, String newSessionID) throws BuildException, AuthenticationException {
+ try {
 AuthenticatedSessionStore dbsession = searchInDatabase(session.getSessionID(), true);
- String id = Random.nextRandom();
+
 Logger.debug("Change SessionID from " + session.getSessionID()
- + "to " + id);
+ + "to " + newSessionID);
- session.setSessionID(id);
+ session.setSessionID(newSessionID);
 encryptSession(session, dbsession);
- dbsession.setSessionid(id);
+ dbsession.setSessionid(newSessionID);
 dbsession.setAuthenticated(session.isAuthenticated());
 //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1
@@ -198,11 +196,21 @@ public class AuthenticationSessionStoreage {
 Logger.trace("Change SessionID complete.");
- return id;
+ return newSessionID;
 } catch (MOADatabaseException e) {
 throw new AuthenticationException("TODO!", null);
 }
+
+
+
+ }
+
+ public static String changeSessionID(AuthenticationSession session)
+ throws AuthenticationException, BuildException {
+ String id = Random.nextRandom();
+ return changeSessionID(session, id);
+ }
 public static void setAuthenticated(String moaSessionID, boolean value) {
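Review bot: The new public overload `changeSessionID(session, newSessionID)` lets any caller choose the replacement session identifier, where previously the value always came from `Random.nextRandom()`; a caller that ever passes a value derived from request data would make the session identifier predictable or fixable. Put the precondition on the method, e.g. `/** @param newSessionID the replacement identifier; must be freshly generated by Random.nextRandom() or an equally unpredictable source, never taken from client-supplied data */`, and consider narrowing its visibility if only this class and the SSO code need it (callers are not visible here). The three empty lines before the closing brace and the `throw new AuthenticationException("TODO!", null)` that drops the MOADatabaseException cause — existing code, but now the only error path of the new method — are worth cleaning up while this code is touched.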
@@ -201,6 +201,7 @@ validator.68=SigningTime im AUTH-Block konnte nicht eruiert werden.
 validator.69=SigningTime im AUTH-Block und Serverzeit weichen zu stark ab ({0}).
validator.70=Das einmale Tokken im signierten AuthBlock ({0}) stimmt nicht mit dem von generierten Tokken ({1}) \u00FCberein.
validator.71=Das Signaturzertifikat ist nicht qualifiziert.
+validator.72=Das Signaturzertifikat ist nicht qualifiziert und es wurde keine OID f\u00FCr Test Identit\u00E4ten gefunden.
ssl.01=Validierung des SSL-Server-Endzertifikates hat fehlgeschlagen
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationTest.java
index 14bb1e4cc..0876cfac6 100644
--- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationTest.java
+++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationTest.java
@@ -61,6 +61,7 @@ import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
 import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator;
 import at.gv.egovernment.moa.id.config.ConfigurationProvider;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters;
 import at.gv.egovernment.moa.util.DOMUtils;
@@ -130,7 +131,10 @@ System.setProperty(
 VerifyXMLSignatureResponseParser vParser = new VerifyXMLSignatureResponseParser(response);
 VerifyXMLSignatureResponse vData = vParser.parseData();
 VerifyXMLSignatureResponseValidator vValidate = VerifyXMLSignatureResponseValidator.getInstance();
- vValidate.validate(vData, authConf.getIdentityLinkX509SubjectNames(), VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK, true);
+
+ DynamicOAAuthParameters oaParam = new DynamicOAAuthParameters();
+ oaParam.setBusinessService(true);
+ vValidate.validate(vData, authConf.getIdentityLinkX509SubjectNames(), VerifyXMLSignatureResponseValidator.CHECK_IDENTITY_LINK, oaParam);
 vValidate.validateCertificate(vData,idl);
 // check the result
diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
index 3a2914cb4..2d5542b98 100644
--- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
+++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
@@ -484,7 +484,7 @@
 <xsd:complexType name="InterfederationIDPType">
 <xsd:sequence>
 <xsd:element name="attributeQueryURL" type="xsd:string" minOccurs="0" maxOccurs="1"/>
- <xsd:element name="storeSSOSession" type="xsd:boolean" minOccurs="1" maxOccurs="1" default="true"/>
+ <xsd:element name="storeSSOSession" type="xsd:boolean" default="true" minOccurs="1" maxOccurs="1"/>
 </xsd:sequence>
 <xsd:attribute name="inboundSSO" type="xsd:boolean" default="true"/>
 <xsd:attribute name="outboundSSO" type="xsd:boolean" default="true"/>
@@ -530,6 +530,14 @@
 </xsd:sequence>
 </xsd:complexType>
 </xsd:element>
+ <xsd:element name="testCredentials" minOccurs="0" maxOccurs="1">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="credentialOID" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
+ </xsd:sequence>
+ <xsd:attribute name="enableTestCredentials" type="xsd:boolean" default="false"/>
+ </xsd:complexType>
+ </xsd:element>
 <xsd:element ref="OA_STORK" minOccurs="0"/>
 <xsd:element name="OA_SSO" minOccurs="0">
 <xsd:complexType> |
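Review bot: `credentialOID` is declared as an unconstrained `xsd:string`, although the validator in this commit uses each value as a prefix against the signer certificate's extension OIDs; an empty element or a stray trailing dot would then match every (or no) extension and silently widen or break the check. Give it a dotted-numeric simple type instead of `xsd:string`, e.g. `<xsd:simpleType><xsd:restriction base="xsd:string"><xsd:pattern value="[0-9]+(\.[0-9]+)*"/></xsd:restriction></xsd:simpleType>`, so malformed values are rejected when the configuration is loaded. A short `xsd:annotation` on `testCredentials` stating that it only applies when the signer certificate is not qualified would also document the feature where administrators read the schema.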