5 files changed, 50 insertions, 23 deletions
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java
index fae1b6f4d..0bc4a4839 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java
@@ -108,7 +108,7 @@ public class SSOTransferGUIServlet extends AuthServlet { String token = Random.nextRandom(); AssertionStorage.getInstance().put(token, encodedSSOContainer); - String containerURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + String containerURL = authURL + SSOTransferConstants.SERVLET_SSOTRANSFER_TO_SMARTPHONE + "?"+ SSOTransferConstants.REQ_PARAM_TOKEN + "=" + token;
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java
index 2f8b8fe2c..b82417ae6 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java
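Review bot: The replacement `authURL` in `+ String containerURL = authURL` is assigned outside this hunk, so I cannot see whether it is validated before it becomes the base of the token URL that goes into the QR code; the two task classes changed in this same commit take their `authURL` from `HTTPUtils.extractAuthURLFromRequest(request)` and guard it, and this servlet needs the same guard if its value is request-derived. An unvalidated request-derived base would let a manipulated Host header point the smartphone, token included, at a foreign host. If `authURL` comes from the request here, add before the URL is built `if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().equals(authURL)) { response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Requested URL is not allowed."); return; }`. The enclosing method starts and ends outside this hunk.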
@@ -22,7 +22,12 @@ */ package at.gv.egovernment.moa.id.auth.modules.ssotransfer.servlet; +import java.io.IOException; + +import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet; import at.gv.egovernment.moa.logging.Logger;
@@ -42,4 +47,14 @@ public class SSOTransferSignalServlet extends ProcessEngineSignalServlet { } + protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { + Logger.debug("Receive http-POST request."); + super.doPost(req, resp); + + } + + protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { + Logger.debug("Receive http-GET request."); + super.doPost(req, resp); + } }
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java
index cebf8431b..67566afe5 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java
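Review bot: The log messages in the new `doGet` and `doPost` are swapped — `doGet` logs `"Receive http-POST request."` and `doPost` logs `"Receive http-GET request."` — which will mislead anyone correlating access logs with this servlet's output during an incident. Both methods should also carry `@Override` so a signature mismatch with `ProcessEngineSignalServlet` fails at compile time instead of silently leaving the parent handler in place. Routing GET to `super.doPost` makes the process-engine signal triggerable by a plain link or QR scan; if GET is the verb the smartphone callback uses, a one-line comment stating that (`// GET is used by the smartphone callback; both verbs signal the engine`) would stop a later reader from "fixing" it back.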
@@ -24,35 +24,25 @@ package at.gv.egovernment.moa.id.auth.modules.ssotransfer.task; import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_SESSIONID; -import java.io.ByteArrayOutputStream; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.velocity.VelocityContext; -import net.glxn.qrgen.QRCode; -import net.glxn.qrgen.image.ImageType; - -import com.google.gson.JsonObject; - import at.gv.egovernment.moa.id.auth.BaseAuthenticationServer; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.RequestStorage; import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; -import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Base64Utils; /** * @author tlenz 
@@ -69,6 +59,15 @@ public class InitializeRestoreSSOSessionTask extends AbstractAuthServletTask { throws TaskExecutionException { try { + //create first step of SSO Transfer GUI + String authURL = HTTPUtils.extractAuthURLFromRequest(request); + if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(). + contains(authURL)) { + Logger.warn("Requested URL is not allowed.");; + response.sendError(500, "Requested URL is not allowed."); + + } + String sessionID = (String) executionContext.get(PARAM_SESSIONID); String pendingRequestID = (String) executionContext.get("pendingRequestID");
@@ -79,7 +78,7 @@ public class InitializeRestoreSSOSessionTask extends AbstractAuthServletTask { AuthenticationSession moasession = BaseAuthenticationServer.getSession(sessionID); IRequest pendingReq = RequestStorage.getPendingRequest(pendingRequestID); - VelocityContext context = GUIUtils.buildSSOTransferGUI(moasession); + VelocityContext context = GUIUtils.buildSSOTransferGUI(authURL, moasession); GUIUtils.printSSOTransferGUI(context, response);
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java
index 270264099..006b27167 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java
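Review bot: The allow-list check added in the first hunk does not stop processing: after `response.sendError(500, ...)` there is no `return` or throw, so the task carries on, loads the session and passes the rejected `authURL` into `GUIUtils.buildSSOTransferGUI` in the second hunk, which is exactly the QR-code URL the check is meant to protect. `contains` is also the wrong test — `getPublicURLPrefix()` is concatenated as a String in the removed line of SSOTransferGUIServlet, so it is almost certainly a String and this is a substring match under which a request-derived value such as `https://` passes. Change the condition to `if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().equals(authURL)) {`, end the branch with `return;` (or throw, if the process engine would otherwise treat a normal return as task success), and prefer a 4xx status since the fault is in the request; the stray `;;` after the `Logger.warn` can go as well. The enclosing method and its try block continue outside this hunk.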
@@ -49,11 +49,13 @@ import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.RequestStorage; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil;
@@ -73,12 +75,13 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { throws TaskExecutionException { Logger.debug("Receive " + this.getClass().getName() + " request"); - + StringBuffer sb = new StringBuffer(); String receivedPostMessage = null; AuthenticationSession moasession = null; IRequest pendingReq = null; - try { + String authURL =null; + try { String sessionID = (String) request.getParameter(PARAM_SESSIONID); String pendingRequestID = (String) executionContext.get("pendingRequestID");
@@ -120,7 +123,7 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { " | validTo:" + validTo + " | entityIS:" + entityID); - if (PVPConfiguration.getInstance().getIDPPublicPath().equals(entityID)) { + if (PVPConfiguration.getInstance().getIDPPublicPath().contains(entityID)) { // stored SSO session data is from this IDP - start local session reconstruction Response ssoInformation = SSOContainerUtils.validateReceivedSSOContainer(sessionBlob); SSOContainerUtils.parseSSOContainerToMOASessionDataObject(pendingReq, moasession, ssoInformation);
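Review bot: Changing the issuer test to `getIDPPublicPath().contains(entityID)` in the third hunk weakens a check on attacker-influenced data: `entityID` is read from the received session blob, and since the old line compared it with `equals`, `getIDPPublicPath()` is presumably a String, making `contains` a substring test under which an entityID of `https://` or an empty string is classified as "from this IDP" and routed into local session reconstruction. If the intent is to tolerate a trailing slash, normalize and compare exactly, e.g. `idpPath.equals(entityID) || (idpPath + "/").equals(entityID)`; if `getIDPPublicPath()` is in fact a collection of accepted paths, a comment saying so would settle the doubt. `validateReceivedSSOContainer` on the following context line may still reject a forged blob, but the issuer decision should not lean on that. The enclosing try block starts and ends outside this hunk.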
@@ -138,10 +141,12 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { executionContext.put(SSOTransferConstants.FLAG_SSO_SESSION_RESTORED, true); } else { - Logger.debug("Received SSO session-data is from IDP: " + entityID + Logger.info("Received SSO session-data is from IDP: " + entityID + ". Start inderfederation process to restore SSO session ... "); //change to inderfederated session reconstruction + Logger.warn("Device Session Transfer with interfederation is not implemented, yet!!!!"); + } } catch (Exception e) {
@@ -173,7 +178,16 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { VelocityContext context; try { - context = GUIUtils.buildSSOTransferGUI(moasession); + //create first step of SSO Transfer GUI + authURL = HTTPUtils.extractAuthURLFromRequest(request); + if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(). + contains(authURL)) { + Logger.warn("Requested URL is not allowed.");; + response.sendError(500, "Requested URL is not allowed."); + + } + + context = GUIUtils.buildSSOTransferGUI(authURL, moasession); GUIUtils.printSSOTransferGUI(context, response); } catch (IOException | MOAIDException e) {
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java
index 1bbaf1dd9..310b8a813 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java
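Review bot: The `else` branch in the first hunk now logs `"... is not implemented, yet!!!!"` and falls through without failing the task, so a blob issued by a foreign IDP neither restores a session nor produces an error; what the engine does with `FLAG_SSO_SESSION_RESTORED` left unset is outside this hunk. An explicit failure here (throwing, or sending the user an error page) is safer than continuing into the GUI rendering with `moasession` untouched, and it makes the unimplemented path visible to the user rather than only to the log. `entityID` in the `Logger.info` line also comes from the blob, so strip line breaks before logging it to prevent log forging.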
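Review bot: As in InitializeRestoreSSOSessionTask, the URL check in the second hunk has no `return` after `response.sendError(500, ...)`, so the rejected `authURL` is still handed to `buildSSOTransferGUI`, and `printSSOTransferGUI` then writes into a response that `sendError` has already committed; whatever exception that raises lands in the `catch (IOException | MOAIDException e)` below instead of being a deliberate rejection. Add `return;` after the `sendError`, switch the test from `contains` to `equals` (a substring match accepts short request-derived prefixes), and use a 4xx status for a bad request; the duplicated `;;` after the `Logger.warn` should go too. The enclosing method continues past this hunk.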
@@ -34,9 +34,6 @@ import java.net.URI; import javax.servlet.http.HttpServletResponse; -import net.glxn.qrgen.QRCode; -import net.glxn.qrgen.image.ImageType; - import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine;
@@ -51,6 +48,8 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; +import net.glxn.qrgen.QRCode; +import net.glxn.qrgen.image.ImageType; /** * @author tlenz
@@ -62,9 +61,9 @@ public class GUIUtils { public static final int REFESH_TIMEOUT = 5 * 1000; //5 sec - public static VelocityContext buildSSOTransferGUI(AuthenticationSession moasession) throws ConfigurationException, IOException { + public static VelocityContext buildSSOTransferGUI(String authURL, AuthenticationSession moasession) throws ConfigurationException, IOException { String token = moasession.getSessionID(); - String containerURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + String containerURL = authURL + SSOTransferConstants.SERVLET_SSOTRANSFER_FROM_SMARTPHONE + "?" + MOAIDAuthConstants.PARAM_SESSIONID + "=" + token; |
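Review bot: `buildSSOTransferGUI` in the third hunk now embeds the caller-supplied `authURL` verbatim, together with the session ID `token`, in the QR-code `containerURL`, and nothing in the method checks it, so its safety rests on every caller validating `authURL` first — which the two task callers in this commit do without aborting on failure, and the servlet caller not visibly at all. State that precondition in the Javadoc, e.g. `@param authURL public base URL of this IdP as seen by the client; must already be validated against getPublicURLPrefix(), since it is embedded unchecked in the QR-code URL together with the session ID`, or move the check into this method so it is enforced in one place. The method body continues outside this hunk.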