aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.4.3.xsd1
-rw-r--r--id/history.txt24
-rw-r--r--id/server/data/deploy/conf/moa-id/certs/ca-certs/gateway.stammzahlenregister.gv.at.cer31
-rw-r--r--id/server/doc/MOA-ID-Configuration-1.4.3.xsd1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java55
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/CreateMandateRequest.java29
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWConstants.java2
7 files changed, 119 insertions, 24 deletions
diff --git a/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.4.3.xsd b/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.4.3.xsd
index 02183819c..570bebd37 100644
--- a/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.4.3.xsd
+++ b/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.4.3.xsd
@@ -179,6 +179,7 @@
<xsd:enumeration value="FrontendServlets.DataURLPrefix"/>
<xsd:enumeration value="AuthenticationServer.KeepAssertion"/>
<xsd:enumeration value="AuthenticationServer.WriteAssertionToFile"/>
+ <xsd:enumeration value="AuthenticationServer.SourceID"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:attribute>
diff --git a/id/history.txt b/id/history.txt
index c0f80c7c6..95ea0c78d 100644
--- a/id/history.txt
+++ b/id/history.txt
@@ -3,13 +3,34 @@ von MOA-ID auf.
History MOA-ID:
=====
+Version MOA-ID 1.4.4: Änderungen seit Version MOA-ID 1.4.3:
+
+Verbesserungen/Erweiterungen:
+- Bei der beruflichen Parteienvertretung wurde das Stammzahlenregister in den
+ Beispielkonfigurationen vorkonfiguriert.
+
+- MOA-ID erlaubt ab sofort Load-Balancing. Dies wird durch die Konfigurations-
+ möglichkeit der Source-ID für das SAML-Artifact gewährleistet. Das Border-
+ Gateway kann dann anhand dieser Kennung an den zuständigen Server zur Abholung
+ der SAML-Assertion weiterleiten. Über den Konfigurationsparameter
+ <GenericConfiguration name="AuthenticationServer.SourceID" value="Cluster-A"/>
+ kann die authURL bei der Kodierung des SAML-Artifakts durch eine fix
+ definierte URI (z.B. "Cluster-A") ersetzt werden.
+
+Fixes:
+- In der Kommunikation mit dem Stammzahlenregistergateway die beim Einsatz der
+ beruflichen Parteienvertretung notwendig ist, verlangt das Service ein
+ adaptiertes Anfrageformat. MOA-ID wurde im Zuge dessen auf dieses Anfrage-
+ format umgestellt (Version SZR-GW-0.0.2.xsd).
+
+=====
Version MOA-ID 1.4.3-1 (Bugfix Release): Änderungen seit Version MOA-ID 1.4.3:
Verbesserungen/Erweiterungen:
- keine
Fixes:
-- Falscher Schemabenennung in Constants.java des common-Projekts wurde korrigiert.
+- Falsche Schemabenennung in Constants.java des common-Projekts wurde korrigiert.
=====
Version MOA-ID 1.4.3: Änderungen seit Version MOA-ID 1.4.2:
@@ -41,6 +62,7 @@ Fixes:
iaik-cms: Version 4.01_MOA
aik-moa: Version 1.23
iaik-ecc: Version 2.16
+
=====
Version MOA-ID 1.4.2: Änderungen seit Version MOA-ID 1.4.2 beta2:
diff --git a/id/server/data/deploy/conf/moa-id/certs/ca-certs/gateway.stammzahlenregister.gv.at.cer b/id/server/data/deploy/conf/moa-id/certs/ca-certs/gateway.stammzahlenregister.gv.at.cer
new file mode 100644
index 000000000..c3b67e05d
--- /dev/null
+++ b/id/server/data/deploy/conf/moa-id/certs/ca-certs/gateway.stammzahlenregister.gv.at.cer
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFSDCCBDCgAwIBAgIDA/o/MA0GCSqGSIb3DQEBBQUAMIGHMQswCQYDVQQGEwJB
+VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp
+bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRYwFAYDVQQLDA1hLXNpZ24tU1NM
+LTAzMRYwFAYDVQQDDA1hLXNpZ24tU1NMLTAzMB4XDTA4MDUxOTA4MzUzNloXDTEz
+MDUxOTA4MzUzNlowgZYxCzAJBgNVBAYTAkFUMR4wHAYDVQQKDBVEYXRlbnNjaHV0
+emtvbW1pc3Npb24xJDAiBgNVBAsMG1N0YW1temFobGVucmVnaXN0ZXJiZWhvZXJk
+ZTEqMCgGA1UEAwwhZ2F0ZXdheS5zdGFtbXphaGxlbnJlZ2lzdGVyLmd2LmF0MRUw
+EwYDVQQFEww2NTYwNzMwNDAyNjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCtAK7fsx5MgRrm7EIF3sxWKroNi+EBitJ1itnXix3L3npMIRUduDLIaMZm
+oLHSMkJmk0ePB74Wvsk/yJt2qTf6N0rDqmn9+lORF242cZeljJ9vVYhIRwbyj5IL
+Qng9vnIr0esCVadknSo357wQSss6oRBuclzf99cNt7zaPqT3+4kyLVtj3/N+ipgn
+8l5ZCNHq+kx+HjssXGARDUFgTFAFcJPDDR6bNWHjsa6Kq6DgXTqUX/tHaJATwkP8
+3bkn0ECAWF5hCVhzGd20MWzSVejkyWnjxxYSXVEsLM17hApDb5Ui01Qyb1RHyYuC
+hXpVuUqHXIZK4MyrUkfBcvMIExYJAgMBAAGjggGqMIIBpjATBgNVHSMEDDAKgAhA
+PqHTYrQD3TByBggrBgEFBQcBAQRmMGQwJwYIKwYBBQUHMAGGG2h0dHA6Ly9vY3Nw
+LmEtdHJ1c3QuYXQvb2NzcDA5BggrBgEFBQcwAoYtaHR0cDovL3d3dy5hLXRydXN0
+LmF0L2NlcnRzL2Etc2lnbi1zc2wtMDMuY3J0MEsGA1UdIAREMEIwQAYGKigAEQEU
+MDYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cuYS10cnVzdC5hdC9kb2NzL2NwL2Et
+c2lnbi1zc2wwgY8GA1UdHwSBhzCBhDCBgaB/oH2Ge2xkYXA6Ly9sZGFwLmEtdHJ1
+c3QuYXQvb3U9YS1zaWduLVNTTC0wMyxvPUEtVHJ1c3QsYz1BVD9jZXJ0aWZpY2F0
+ZXJldm9jYXRpb25saXN0P2Jhc2U/b2JqZWN0Y2xhc3M9ZWlkQ2VydGlmaWNhdGlv
+bkF1dGhvcml0eTARBgNVHQ4ECgQIT1qEKtHyOygwDgYDVR0PAQH/BAQDAgWgMAkG
+A1UdEwQCMAAwDgYHKigACgEBAQQDAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBtb/dG
+Qn/r/MTqnjwFeHTlGwsuKyzx13PE3ZxBa5Q1YvNO9IbTHEi7dIb7LjdFQkkzn/sa
+PREGTRdaukD6JiUNFP0FV1hTNOUfctjiLy212VupdIyC6GYouL11A5UzBoZ5l5xq
+IpYWGJq0JP26jYlu93sSY0m35vVX6FLxJAuy8zQpOoqP4XcIZE4qDC5SqTvmRtLR
+AFCQD3C59/SaBKc73z3GQrfkXfUqKLd+8l0b58FnLNKjHCUvTlt/egmqb6ar/rGj
+fD9pCROYB6H1ryYWTbqCYyG4oNuZ9AwodY7GcDWpIPBP/VVyARgF6V1pEhAdAXMH
+zh/WsPsLHrdYA0/3
+-----END CERTIFICATE-----
diff --git a/id/server/doc/MOA-ID-Configuration-1.4.3.xsd b/id/server/doc/MOA-ID-Configuration-1.4.3.xsd
index 02183819c..570bebd37 100644
--- a/id/server/doc/MOA-ID-Configuration-1.4.3.xsd
+++ b/id/server/doc/MOA-ID-Configuration-1.4.3.xsd
@@ -179,6 +179,7 @@
<xsd:enumeration value="FrontendServlets.DataURLPrefix"/>
<xsd:enumeration value="AuthenticationServer.KeepAssertion"/>
<xsd:enumeration value="AuthenticationServer.WriteAssertionToFile"/>
+ <xsd:enumeration value="AuthenticationServer.SourceID"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:attribute>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java
index 27e19e830..b5d18b451 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java
@@ -4,6 +4,9 @@ import java.io.ByteArrayOutputStream;
import java.security.MessageDigest;
import at.gv.egovernment.moa.id.BuildException;
+import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
/**
@@ -16,6 +19,11 @@ import at.gv.egovernment.moa.util.Base64Utils;
public class SAMLArtifactBuilder {
/**
+ * The generic configuration parameter for an alternative SourceID.
+ */
+ private static final String GENERIC_CONFIG_PARAM_SOURCEID = "AuthenticationServer.SourceID";
+
+ /**
* Constructor for SAMLArtifactBuilder.
*/
public SAMLArtifactBuilder() {
@@ -36,25 +44,34 @@ public class SAMLArtifactBuilder {
* @return the 42-byte SAML artifact, encoded BASE64
*/
public String build(String authURL, String sessionID) throws BuildException {
- try {
- MessageDigest md = MessageDigest.getInstance("SHA-1");
- byte[] sourceID = md.digest(authURL.getBytes());
- byte[] assertionHandle = md.digest(sessionID.getBytes());
- ByteArrayOutputStream out = new ByteArrayOutputStream(42);
- out.write(0);
- out.write(1);
- out.write(sourceID, 0, 20);
- out.write(assertionHandle, 0, 20);
- byte[] samlArtifact = out.toByteArray();
- String samlArtifactBase64 = Base64Utils.encode(samlArtifact);
- return samlArtifactBase64;
- }
- catch (Throwable ex) {
- throw new BuildException(
- "builder.00",
- new Object[] {"SAML Artifact, MOASessionID=" + sessionID, ex.toString()},
- ex);
- }
+ try {
+ MessageDigest md = MessageDigest.getInstance("SHA-1");
+ byte[] sourceID;
+ // alternative sourceId
+ String alternativeSourceID = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter(GENERIC_CONFIG_PARAM_SOURCEID);
+ if (!ParepUtils.isEmpty(alternativeSourceID)) {
+ // if generic config parameter "AuthenticationServer.SourceID" is given, use that sourceID instead of authURL;
+ sourceID = md.digest(alternativeSourceID.getBytes());
+ Logger.info("Building SAMArtifact from sourceID \"" + alternativeSourceID + "\" instead of authURL \"" + authURL + "\".");
+ } else {
+ sourceID = md.digest(authURL.getBytes());
+ }
+ byte[] assertionHandle = md.digest(sessionID.getBytes());
+ ByteArrayOutputStream out = new ByteArrayOutputStream(42);
+ out.write(0);
+ out.write(1);
+ out.write(sourceID, 0, 20);
+ out.write(assertionHandle, 0, 20);
+ byte[] samlArtifact = out.toByteArray();
+ String samlArtifactBase64 = Base64Utils.encode(samlArtifact);
+ return samlArtifactBase64;
+ }
+ catch (Throwable ex) {
+ throw new BuildException(
+ "builder.00",
+ new Object[] {"SAML Artifact, MOASessionID=" + sessionID, ex.toString()},
+ ex);
+ }
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/CreateMandateRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/CreateMandateRequest.java
index fe8e263ff..3077ba185 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/CreateMandateRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/CreateMandateRequest.java
@@ -6,6 +6,7 @@ import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
+import org.apache.xpath.XPathAPI;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -204,11 +205,31 @@ public class CreateMandateRequest {
Element representativeElem = representativeDocument.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, SZRGWConstants.SZRGW_PREFIX + SZRGWConstants.REPRESENTATIVE);
// representativeElem.setAttribute("xmlns" + SZRGWConstants.PD_POSTFIX, Constants.PD_NS_URI);
// representativeElem.setAttribute("xmlns" + SZRGWConstants.SZRGW_POSTFIX, SZRGWConstants.SZRGW_REQUEST_NS);
+
+ //Old Version 0.0.1 of SZR-Gateway
+// representativeElem.appendChild(createIdentificationElem(representativeDocument, identificationType, identificationValue));
+// representativeElem.appendChild(createNameElem(representativeDocument, params.getGivenName(), params.getFamilyName()));
+// representativeElem.appendChild(createPersonDataElem(representativeDocument, SZRGWConstants.DATEOFBIRTH, params.getDateOfBirth()));
- representativeElem.appendChild(createIdentificationElem(representativeDocument, identificationType, identificationValue));
- representativeElem.appendChild(createNameElem(representativeDocument, params.getGivenName(), params.getFamilyName()));
- representativeElem.appendChild(createPersonDataElem(representativeDocument, SZRGWConstants.DATEOFBIRTH, params.getDateOfBirth()));
-
+ //New since version 0.0.2 of SZR-Gateway:
+ // we need to send an identity link and must replace its identification value
+ representativeElem.appendChild(representativeElem.getOwnerDocument().importNode(params.getIdentityLink(), true));
+ try {
+ Element nameSpaceNode = representativeElem.getOwnerDocument().createElement("NameSpaceNode");
+ nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.PD_POSTFIX, Constants.PD_NS_URI);
+ nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.SAML_POSTFIX, Constants.SAML_NS_URI);
+ nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.SZRGW_POSTFIX, SZRGWConstants.SZRGW_REQUEST_NS);
+ Element identificationValueElement = (Element) XPathAPI.selectSingleNode(representativeElem, "descendant-or-self::" + SZRGWConstants.SZRGW_PREFIX + SZRGWConstants.REPRESENTATIVE + "/" +SZRGWConstants.SAML_PREFIX + "Assertion/saml:AttributeStatement/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData/pr:Person/pr:Identification/pr:Value", nameSpaceNode);
+ if (identificationValueElement != null) {
+ identificationValueElement.setTextContent(identificationValue);
+ }
+ Element identificationTypeElement = (Element) XPathAPI.selectSingleNode(representativeElem, "descendant-or-self::" + SZRGWConstants.SZRGW_PREFIX + SZRGWConstants.REPRESENTATIVE + "/" +SZRGWConstants.SAML_PREFIX + "Assertion/saml:AttributeStatement/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData/pr:Person/pr:Identification/pr:Type", nameSpaceNode);
+ if (identificationTypeElement != null) {
+ identificationTypeElement.setTextContent(identificationType);
+ }
+ } catch (Exception e) {
+ throw new SZRGWClientException("validator.63", null);
+ }
this.representative = representativeElem;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWConstants.java
index 006b2b9f2..cc0cc4862 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWConstants.java
@@ -10,6 +10,8 @@ public interface SZRGWConstants {
//PersonData
public static final String PD_PREFIX = "pr:";
public static final String PD_POSTFIX = ":pr";
+ public static final String SAML_PREFIX = "saml:";
+ public static final String SAML_POSTFIX = ":saml";
public static final String PERSON = "Person";
public static final String PHYSICALPERSON = "PhysicalPerson";
public static final String CORPORATEBODY = "CorporateBody";