diff options
Diffstat (limited to 'id.server/src/at/gv/egovernment/moa/id/auth')
25 files changed, 1855 insertions, 137 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 8359623b1..cd4b26df3 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -10,8 +10,10 @@ import java.util.Date; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; +import java.util.List; import java.util.Map; import java.util.Set; +import java.util.Vector; import javax.xml.transform.TransformerException; @@ -23,36 +25,42 @@ import at.gv.egovernment.moa.id.ParseException; import at.gv.egovernment.moa.id.ServiceException; import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder; +import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.builder.CertInfoVerifyXMLSignatureRequestBuilder; import at.gv.egovernment.moa.id.auth.builder.CreateXMLSignatureRequestBuilder; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; import at.gv.egovernment.moa.id.auth.builder.GetIdentityLinkFormBuilder; import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilder; +import at.gv.egovernment.moa.id.auth.builder.InfoboxValidatorParamsBuilder; import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder; import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder; import at.gv.egovernment.moa.id.auth.builder.SelectBKUFormBuilder; -import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; import at.gv.egovernment.moa.id.auth.parser.CreateXMLSignatureResponseParser; +import at.gv.egovernment.moa.id.auth.parser.ExtendedInfoboxReadResponseParser; import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser; import at.gv.egovernment.moa.id.auth.parser.SAMLArtifactParser; import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.auth.validator.CreateXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator; +import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; import at.gv.egovernment.moa.id.auth.validator.ValidateException; import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConfigurationProvider; import at.gv.egovernment.moa.id.config.ConnectionParameter; -import at.gv.egovernment.moa.id.config.OAParameter; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameter; +import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameters; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; @@ -65,7 +73,6 @@ import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.DateTimeUtils; import at.gv.egovernment.moa.util.FileUtils; -import at.gv.egovernment.moa.util.OutputXML2File; import at.gv.egovernment.moa.util.StringUtils; /** @@ -338,6 +345,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { ex); } } + String pushInfobox = ""; + VerifyInfoboxParameters verifyInfoboxParameters = oaParam.getVerifyInfoboxParameters(); + if (verifyInfoboxParameters != null) { + pushInfobox = verifyInfoboxParameters.getPushInfobox(); + } String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder().build(oaParam.getSlVersion12()); String certInfoDataURL = new DataURLBuilder().buildDataURL( @@ -351,7 +363,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { infoboxReadRequest, dataURL, certInfoRequest, - certInfoDataURL); + certInfoDataURL, + pushInfobox); return htmlForm; } /** @@ -363,6 +376,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * <li>Verifies identity link by calling the MOA SP component</li> * <li>Checks certificate authority of identity link</li> * <li>Stores identity link in the session</li> + * <li>Verifies all additional infoboxes returned from the BKU</li> * <li>Creates an authentication block to be signed by the user</li> * <li>Creates and returns a <code><CreateXMLSignatureRequest></code> * containg the authentication block, meant to be returned to the @@ -370,13 +384,14 @@ public class AuthenticationServer implements MOAIDAuthConstants { * </ul> * * @param sessionID ID of associated authentication session data - * @param xmlInfoboxReadResponse String representation of the - * <code><InfoboxReadResponse></code> + * @param infoboxReadResponseParameters The parameters from the response returned from + * the BKU including the <code><InfoboxReadResponse></code> * @return String representation of the <code><CreateXMLSignatureRequest></code> */ - public String verifyIdentityLink(String sessionID, String xmlInfoboxReadResponse) + public String verifyIdentityLink(String sessionID, Map infoboxReadResponseParameters) throws AuthenticationException, + BuildException, ParseException, ConfigurationException, ValidateException, @@ -384,8 +399,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (isEmpty(sessionID)) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_IDENTITY_LINK, PARAM_SESSIONID}); + + String xmlInfoboxReadResponse = (String)infoboxReadResponseParameters.get(PARAM_XMLRESPONSE); if (isEmpty(xmlInfoboxReadResponse)) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_IDENTITY_LINK, PARAM_XMLRESPONSE}); + AuthenticationSession session = getSession(sessionID); if (session.getTimestampIdentityLink() != null) throw new AuthenticationException("auth.01", new Object[] { sessionID }); @@ -427,6 +445,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { ignoreManifestValidationResult); session.setIdentityLink(identityLink); + // now validate the extended infoboxes + verifyInfoboxes(session, infoboxReadResponseParameters); // builds the AUTH-block String authBlock = buildAuthenticationBlock(session); // session.setAuthBlock(authBlock); @@ -446,29 +466,222 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Builds an authentication block <code><saml:Assertion></code> from given session data. * @param session authentication session + * * @return <code><saml:Assertion></code> as a String + * + * @throws BuildException If an error occurs on serializing an extended SAML attribute + * to be appended to the AUTH-Block. */ - private String buildAuthenticationBlock(AuthenticationSession session) { + private String buildAuthenticationBlock(AuthenticationSession session) throws BuildException { IdentityLink identityLink = session.getIdentityLink(); String issuer = identityLink.getName(); String gebDat = identityLink.getDateOfBirth(); String identificationValue = identityLink.getIdentificationValue(); String identificationType = identityLink.getIdentificationType(); String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance()); + session.setIssueInstant(issueInstant); String authURL = session.getAuthURL(); String target = session.getTarget(); String oaURL = session.getPublicOAURLPrefix(); - String authBlock = new AuthenticationBlockAssertionBuilder().buildAuthBlock(issuer, - issueInstant, - authURL, - target, - identificationValue, - identificationType, - oaURL, - gebDat); + List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); + String authBlock = new AuthenticationBlockAssertionBuilder().buildAuthBlock( + issuer, + issueInstant, + authURL, + target, + identificationValue, + identificationType, + oaURL, + gebDat, + extendedSAMLAttributes); return authBlock; } + + /** + * Verifies the infoboxes (except of the identity link infobox) returned by the BKU by + * calling appropriate validator classes. + * + * @param session The actual authentication session. + * @param infoboxReadResponseParams The parameters returned from the BKU as response + * to an infobox read request (including the infobox + * tokens to be verified). + * + * @throws AuthenticationException If the verification of at least one infobox fails. + * @throws ConfigurationException If the OAuthParameter cannot be extracted. + */ + private void verifyInfoboxes( + AuthenticationSession session, Map infoboxReadResponseParams) + throws ValidateException, ConfigurationException + { + + AuthConfigurationProvider authConfigurationProvider = AuthConfigurationProvider.getInstance(); + // get the default VerifyInfobox parameters + Map defaultInfoboxParameters = null; + VerifyInfoboxParameters defaultVerifyInfoboxParameters = + authConfigurationProvider.getDefaultVerifyInfoboxParameters(); + if (defaultVerifyInfoboxParameters != null) { + defaultInfoboxParameters = defaultVerifyInfoboxParameters.getInfoboxParameters(); + } + // get the OA specific VerifyInfobox parameters + Map infoboxParameters = null; + OAAuthParameter oaParam = + authConfigurationProvider.getOnlineApplicationParameter(session.getPublicOAURLPrefix()); + VerifyInfoboxParameters verifyInfoboxParameters = oaParam.getVerifyInfoboxParameters(); + if (verifyInfoboxParameters != null) { + Vector authAttributes = new Vector(); + Vector oaAttributes = new Vector(); + infoboxParameters = verifyInfoboxParameters.getInfoboxParameters(); + // get the list of infobox identifiers + List identifiers = verifyInfoboxParameters.getIdentifiers(); + if (identifiers != null) { + // step through the identifiers and verify the infoboxes + Iterator it = identifiers.iterator(); + while (it.hasNext()) { + String identifier = (String)it.next(); + // get the infobox read response from the map of parameters + String infoboxReadResponse = (String)infoboxReadResponseParams.get(identifier); + // get the configuration parameters + VerifyInfoboxParameter verifyInfoboxParameter = null; + Object object = infoboxParameters.get(identifier); + // if not present, use default + if ((object == null) && (defaultInfoboxParameters != null)) { + object = defaultInfoboxParameters.get(identifier); + } + if (object != null) { + verifyInfoboxParameter = (VerifyInfoboxParameter)object; + } + if (infoboxReadResponse != null) { + if (verifyInfoboxParameter == null) { + // should not happen because of the pushinfobox mechanism; check it anyway + Logger.error("No validator for verifying \"" + identifier + "\"-infobox configured."); + throw new ValidateException("validator.41", new Object[] {identifier}); + } else { + String friendlyName = verifyInfoboxParameter.getFriendlyName(); + // get the class for validating the infobox + InfoboxValidator infoboxValidator = null; + try { + Class validatorClass = Class.forName(verifyInfoboxParameter.getValidatorClassName()); + infoboxValidator = (InfoboxValidator) validatorClass.newInstance(); + } catch (Exception e) { + Logger.error("Could not load validator class \"" + verifyInfoboxParameter.getValidatorClassName() + + "\" for \"" + identifier + "\"-infobox: " + e.getMessage()); + throw new ValidateException("validator.42", new Object[] {friendlyName}); + } + Logger.debug("Successfully loaded validator class \"" + verifyInfoboxParameter.getValidatorClassName() + + "\" for \"" + identifier + "\"-infobox."); + // parse the infobox read reponse + List infoboxTokenList = null; + try { + infoboxTokenList = + ExtendedInfoboxReadResponseParser.parseInfoboxReadResponse(infoboxReadResponse, friendlyName); + } catch (ParseException e) { + Logger.error("InfoboxReadResponse for \"" + identifier + + "\"-infobox could not be parsed successfully: " + e.getMessage()); + throw new ValidateException("validator.43", new Object[] {friendlyName}); + } + // build the parameters for validating the infobox + InfoboxValidatorParams infoboxValidatorParams = + InfoboxValidatorParamsBuilder.buildInfoboxValidatorParams( + session, verifyInfoboxParameter, infoboxTokenList); + // now validate the infobox + boolean infoboxValid = false; + try { + infoboxValid = infoboxValidator.validate(infoboxValidatorParams); + } catch (ValidateException e) { + Logger.error("Error validating " + identifier + " infobox:" + e.getMessage()); + throw new ValidateException( + "validator.44", new Object[] {friendlyName}); + } + if (!infoboxValid) { + Logger.info("Validation of " + identifier + " infobox failed."); + throw new ValidateException( + "validator.40", new Object[] {friendlyName, infoboxValidator.getErrorMessage()}); + } + + Logger.info(identifier + " infobox successfully validated."); + + // get the SAML attributes to be appended to the AUTHBlock or to the final + // SAML Assertion + ExtendedSAMLAttribute[] extendedSAMLAttributes = infoboxValidator.getExtendedSamlAttributes(); + if (extendedSAMLAttributes != null) { + int length = extendedSAMLAttributes.length; + for (int i=0; i<length; i++) { + ExtendedSAMLAttribute samlAttribute = extendedSAMLAttributes[i]; + String name = samlAttribute.getName(); + if (name == null) { + Logger.info("The name of SAML-Attribute number " + (i+1) + " returned from " + + identifier + "-infobox validator is null."); + throw new ValidateException( + "validator.45", new Object[] {friendlyName, "Name", String.valueOf((i+1)), "null"}); + } + if (name == "") { + Logger.info("The name of SAML-Attribute number " + (i+1) + " returned from " + + identifier + "-infobox validator is empty."); + throw new ValidateException( + "validator.45", new Object[] {friendlyName, "Name", String.valueOf((i+1)), "leer"}); + } + if (samlAttribute.getNameSpace() == null) { + Logger.info("The namespace of SAML-Attribute number " + (i+1) + " returned from " + + identifier + "-infobox validator is null."); + throw new ValidateException( + "validator.45", new Object[] {friendlyName, "Namespace", String.valueOf((i+1)), "null"}); + } + Object value = samlAttribute.getValue(); + if (value == null) { + Logger.info("The value of SAML-Attribute number " + (i+1) + " returned from " + + identifier + "-infobox validator is null."); + throw new ValidateException( + "validator.45", new Object[] {friendlyName ,"Wert", String.valueOf((i+1)), "null"}); + } + if ((value instanceof String) || (value instanceof Element)) { + + switch (samlAttribute.getAddToAUTHBlock()) { + case ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK: + authAttributes.add(samlAttribute); + oaAttributes.add(samlAttribute); + break; + case ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY: + authAttributes.add(samlAttribute); + break; + case ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK: + oaAttributes.add(samlAttribute); + break; + default: + Logger.info("Invalid return value from method \"getAddToAUTHBlock()\" (" + + samlAttribute.getAddToAUTHBlock() + ") in SAML attribute number " + + (i+1) + " for infobox " + identifier); + throw new ValidateException( + "validator.47", new Object[] {friendlyName, String.valueOf((i+1))}); + } + } else { + Logger.info("The type of SAML-Attribute number " + (i+1) + " returned from " + + identifier + "-infobox validator is not valid. Must be either \"java.Lang.String\"" + + " or \"org.w3c.dom.Element\""); + throw new ValidateException( + "validator.46", new Object[] {identifier, String.valueOf((i+1))}); + + } + } + + } + } + } else { + if ((verifyInfoboxParameter !=null) && (verifyInfoboxParameter.isRequired())) { + Logger.info("Infobox \"" + identifier + "\" is required, but not returned from the BKU"); + throw new ValidateException( + "validator.48", new Object[] {verifyInfoboxParameter.getFriendlyName()}); + + } + Logger.debug("Infobox \"" + identifier + "\" not returned from BKU."); + } + } + session.setExtendedSAMLAttributesAUTH(authAttributes); + session.setExtendedSAMLAttributesOA(oaAttributes); + } + } + } + /** * Processes a <code><CreateXMLSignatureResponse></code> sent by the * security layer implementation.<br> @@ -630,13 +843,15 @@ public class AuthenticationServer implements MOAIDAuthConstants { } String authBlock = oaParam.getProvideAuthBlock() ? session.getAuthBlock() : ""; String samlAssertion = - new AuthenticationDataAssertionBuilder().build(authData, - prPerson, - authBlock, - ilAssertion, - session.getBkuURL(), - signerCertificateBase64, - businessService); + new AuthenticationDataAssertionBuilder().build( + authData, + prPerson, + authBlock, + ilAssertion, + session.getBkuURL(), + signerCertificateBase64, + businessService, + session.getExtendedSAMLAttributesOA()); authData.setSamlAssertion(samlAssertion); return authData; } catch (Throwable ex) { diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java new file mode 100644 index 000000000..241cf0afc --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java @@ -0,0 +1,88 @@ +package at.gv.egovernment.moa.id.auth.builder; + +import java.io.IOException; +import java.text.MessageFormat; +import java.util.Iterator; +import java.util.List; + +import javax.xml.transform.TransformerException; + +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.id.ParseException; +import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.StringUtils; + +/** + * Base class for building authentication the AUTHBlock and final OA data SAML assertions. + * Encapsulates methods used by the two specific builders + * {@link at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder AuthenticationBlockAssertionBuilder} + * and + * {@link at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder AuthenticationDataAssertionBuilder} + * + * @author Harald Bratko + */ +public class AuthenticationAssertionBuilder { + + /** the NewLine representation in Java*/ + protected static String NL = "\n"; + + protected static String SAML_ATTRIBUTE = + " <saml:Attribute AttributeName=''{0}'' AttributeNamespace=''{1}''>" + NL + + " <saml:AttributeValue>{2}</saml:AttributeValue>" + NL + + " </saml:Attribute>"+ NL; + + /** + * Empty constructor + */ + public AuthenticationAssertionBuilder() { + } + + /** + * Builds the SAML attributes to be appended to the AUTHBlock or to the SAML assertion + * delivered to the online application. + * The method traverses through the list of given SAML attribute objects and builds an + * XML structure (String representation) for each of the attributes. + * + * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock or + * to the SAML assertion delivered to the online application. + * @return A string representation including the XML structures of + * the SAML attributes. + * + * @throws ParseException If an error occurs on serializing an SAML attribute. + */ + protected String buildExtendedSAMLAttributes(List extendedSAMLAttributes) throws ParseException + { + StringBuffer sb = new StringBuffer(); + if (extendedSAMLAttributes!=null) { + Iterator it = extendedSAMLAttributes.iterator(); + while (it.hasNext()) { + ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next(); + Object value = extendedSAMLAttribute.getValue(); + String name = extendedSAMLAttribute.getName(); + String namespace = extendedSAMLAttribute.getNameSpace(); + if (value instanceof String) { + sb.append(MessageFormat.format( SAML_ATTRIBUTE, new Object[] {name, namespace, value})); + } else if (value instanceof Element) { + try { + String serializedValue = DOMUtils.serializeNode((Element)(value)); + serializedValue = StringUtils.removeXMLDeclaration(serializedValue); + sb.append(MessageFormat.format( SAML_ATTRIBUTE, new Object[] {name, namespace, serializedValue})); + } catch (TransformerException e) { + Logger.error("Error on serializing SAML attribute \"" + name + + " (namespace: \"" + namespace + "\"."); + throw new ParseException("parser.05", new Object[] { name, namespace}); + } catch (IOException e) { + Logger.error("Error on serializing SAML attribute \"" + name + + " (namespace: \"" + namespace + "\"."); + throw new ParseException("parser.05", new Object[] { name, namespace}); + } + } + } + } + return sb.toString(); + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index b1fe0a6df..ef50acb3f 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -1,7 +1,11 @@ package at.gv.egovernment.moa.id.auth.builder; import java.text.MessageFormat; +import java.util.List; +import at.gv.egovernment.moa.id.BuildException; +import at.gv.egovernment.moa.id.ParseException; +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; /** @@ -11,41 +15,46 @@ import at.gv.egovernment.moa.util.Constants; * @author Paul Ivancsics * @version $Id$ */ -public class AuthenticationBlockAssertionBuilder implements Constants { - /** the NewLine representation in Java*/ - private static String nl = "\n"; +public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertionBuilder implements Constants { + /** template for the Auth-Block */ private static String AUTH_BLOCK = - "<saml:Assertion xmlns:saml=''" + SAML_NS_URI + "''{0} MajorVersion=''1'' MinorVersion=''0'' AssertionID=''any'' Issuer=''{1}'' IssueInstant=''{2}''>" + nl + - " <saml:AttributeStatement>" + nl + - " <saml:Subject>" + nl + - " <saml:NameIdentifier>{3}</saml:NameIdentifier>" + nl + - " </saml:Subject>" + nl + + "<saml:Assertion xmlns:saml=''" + SAML_NS_URI + "''{0} MajorVersion=''1'' MinorVersion=''0'' AssertionID=''any'' Issuer=''{1}'' IssueInstant=''{2}''>" + NL + + " <saml:AttributeStatement>" + NL + + " <saml:Subject>" + NL + + " <saml:NameIdentifier>{3}</saml:NameIdentifier>" + NL + + " </saml:Subject>" + NL + "{4}" + - " <saml:Attribute AttributeName=''OA'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl + - " <saml:AttributeValue>{5}</saml:AttributeValue>" + nl + - " </saml:Attribute>" + nl + - " <saml:Attribute AttributeName=''Geburtsdatum'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl + - " <saml:AttributeValue>{6}</saml:AttributeValue>" + nl + - " </saml:Attribute>" + nl + - " </saml:AttributeStatement>" + nl + + " <saml:Attribute AttributeName=''OA'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{5}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''Geburtsdatum'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{6}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + "{7}" + + " </saml:AttributeStatement>" + NL + "</saml:Assertion>"; private static String GESCHAEFTS_BEREICH_ATTRIBUTE = - " <saml:Attribute AttributeName=''Geschaeftsbereich'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl + - " <saml:AttributeValue>{0}</saml:AttributeValue>" + nl + - " </saml:Attribute>" + nl; + " <saml:Attribute AttributeName=''Geschaeftsbereich'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{0}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL; private static String WBPK_ATTRIBUTE = - " <saml:Attribute AttributeName=''wbPK'' AttributeNamespace=''" + MOA_NS_URI + "''>" + nl + - " <saml:AttributeValue>" + nl + - " <pr:Identification>" + nl + - " <pr:Value>{0}</pr:Value>" + nl + - " <pr:Type>{1}</pr:Type>" + nl + - " </pr:Identification>" + nl + - " </saml:AttributeValue>" + nl + - " </saml:Attribute>" + nl; - + " <saml:Attribute AttributeName=''wbPK'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>" + NL + + " <pr:Identification>" + NL + + " <pr:Value>{0}</pr:Value>" + NL + + " <pr:Type>{1}</pr:Type>" + NL + + " </pr:Identification>" + NL + + " </saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL; + + /** + * The number of SAML attributes included in this AUTH-Block (without the extended SAML attributes). + */ + public static final int NUM_OF_SAML_ATTRIBUTES = 3; + /** * Constructor for AuthenticationBlockAssertionBuilder. */ @@ -73,17 +82,26 @@ public class AuthenticationBlockAssertionBuilder implements Constants { * application used as input for wbPK computation; * maybe <code>null</code> if the application is a public service * @param oaURL public URL of online application requested + * @param gebDat The date of birth from the identity link. + * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock. + * * @return String representation of authentication block * <code><saml:Assertion></code> built + * + * @throws BuildException If an error occurs on serializing an extended SAML attribute + * to be appended to the AUTH-Block. */ - public String buildAuthBlock(String issuer, - String issueInstant, - String authURL, - String target, - String identityLinkValue, - String identityLinkType, - String oaURL, - String GebDat) + public String buildAuthBlock( + String issuer, + String issueInstant, + String authURL, + String target, + String identityLinkValue, + String identityLinkType, + String oaURL, + String gebDat, + List extendedSAMLAttributes) + throws BuildException { String gebeORwbpk = ""; @@ -97,8 +115,23 @@ public class AuthenticationBlockAssertionBuilder implements Constants { GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); } - String assertion = MessageFormat.format( - AUTH_BLOCK, new Object[] { wbpkNSDeclaration, issuer, issueInstant, authURL, gebeORwbpk, oaURL, GebDat}); + String assertion; + try { + assertion = MessageFormat.format( + AUTH_BLOCK, new Object[] { + wbpkNSDeclaration, + issuer, + issueInstant, + authURL, + gebeORwbpk, + oaURL, + gebDat, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } catch (ParseException e) { + Logger.error("Error on building AUTH-Block: " + e.getMessage()); + throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); + } + return assertion; } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java index 7e866089d..53520c846 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java @@ -1,10 +1,14 @@ package at.gv.egovernment.moa.id.auth.builder; import java.text.MessageFormat; +import java.util.List; import at.gv.egovernment.moa.id.BuildException; +import at.gv.egovernment.moa.id.ParseException; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.StringUtils; /** * Builder for the authentication data <code><saml:Assertion></code> @@ -13,7 +17,7 @@ import at.gv.egovernment.moa.util.Constants; * @author Paul Ivancsics * @version $Id$ */ -public class AuthenticationDataAssertionBuilder implements Constants { +public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionBuilder implements Constants { /** private static String NL contains the NewLine representation in Java*/ private static final String NL = "\n"; /** @@ -38,11 +42,12 @@ public class AuthenticationDataAssertionBuilder implements Constants { " <saml:Attribute AttributeName=''isQualifiedCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + " <saml:AttributeValue>{8}</saml:AttributeValue>" + NL + " </saml:Attribute>" + NL + - " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + - " <saml:AttributeValue>{9}</saml:AttributeValue>" + NL + - " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{9}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + "{10}" + - "{11}" + + "{11}" + + "{12}" + " </saml:AttributeStatement>" + NL + "</saml:Assertion>"; /** @@ -54,10 +59,10 @@ public class AuthenticationDataAssertionBuilder implements Constants { " <saml:AttributeValue>{0}</saml:AttributeValue>" + NL + " </saml:Attribute>" + NL; - private static final String SIGNER_CERTIFICATE_ATT = - " <saml:Attribute AttributeName=''SignerCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + - " <saml:AttributeValue>{0}</saml:AttributeValue>" + NL + - " </saml:Attribute>" + NL; + private static final String SIGNER_CERTIFICATE_ATT = + " <saml:Attribute AttributeName=''SignerCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{0}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL; /** * Constructor for AuthenticationDataAssertionBuilder. @@ -92,7 +97,10 @@ public class AuthenticationDataAssertionBuilder implements Constants { String xmlIdentityLink, String bkuURL, String signerCertificateBase64, - boolean businessService) throws BuildException { + boolean businessService, + List extendedSAMLAttributes) + throws BuildException + { String isQualifiedCertificate = authData.isQualifiedCertificate() ? "true" : "false"; String publicAuthorityAttribute = ""; @@ -122,33 +130,27 @@ public class AuthenticationDataAssertionBuilder implements Constants { pkValue = authData.getBPK(); } - String assertion = MessageFormat.format(AUTH_DATA, new Object[] { - authData.getAssertionID(), - authData.getIssuer(), - authData.getIssueInstant(), - pkType, - pkValue, - removeXMLDeclaration(xmlAuthBlock), - removeXMLDeclaration(xmlIdentityLink), - removeXMLDeclaration(xmlPersonData), - isQualifiedCertificate, - bkuURL, - publicAuthorityAttribute, - signerCertificateAttribute}); + String assertion; + try { + assertion = MessageFormat.format(AUTH_DATA, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstant(), + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } catch (ParseException e) { + Logger.error("Error on building Authentication Data Assertion: " + e.getMessage()); + throw new BuildException("builder.00", new Object[] { "Authentication Data Assertion", e.toString()}); + } return assertion; } - - /** - * Removes the XML declaration from an XML expression. - * @param xmlString XML expression as String - * @return XML expression, XML declaration removed - */ - private String removeXMLDeclaration(String xmlString) { - if (xmlString.startsWith("<?xml")) { - int firstElement = xmlString.indexOf("<", 1); - return xmlString.substring(firstElement); - } - else return xmlString; - } } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java index 03895a38e..06c81f49e 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/CertInfoVerifyXMLSignatureRequestBuilder.java @@ -73,7 +73,7 @@ public class CertInfoVerifyXMLSignatureRequestBuilder extends Builder implements try { String dsigSignature = FileUtils.readResource(resDsigSignature, "UTF-8"); - certInfoRequest = replaceTag(certInfoRequest, SIGNATURE_TAG, dsigSignature, 1); + certInfoRequest = replaceTag(certInfoRequest, SIGNATURE_TAG, dsigSignature, true, 1); return certInfoRequest; } catch (IOException ex) { diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java index 9baa71612..0d0595b69 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java @@ -26,6 +26,8 @@ public class GetIdentityLinkFormBuilder extends Builder { private static final String CERTINFO_XMLREQUEST_TAG = "<CertInfoXMLRequest>"; /** special tag in the HTML template to be substituted for the certificate info data URL */ private static final String CERTINFO_DATAURL_TAG = "<CertInfoDataURL>"; + /** special tag in the HTML template to be substituted for the infoboxes to be pushed from the BKU */ + private static final String PUSHINFOBOX_TAG = "<PushInfobox>"; /** private static int all contains the representation to replace all tags*/ private static final int ALL = -1; @@ -46,6 +48,9 @@ public class GetIdentityLinkFormBuilder extends Builder { " <input type=\"hidden\" " + nl + " name=\"DataURL\"" + nl + " value=\"" + DATAURL_TAG + "\"/>" + nl + + " <input type=\"hidden\" " + nl + + " name=\"PushInfobox\"" + nl + + " value=\"" + PUSHINFOBOX_TAG + "\"/>" + nl + " <input type=\"submit\" value=\"Anmeldung mit Bürgerkarte\"/>" + nl + "</form>" + nl + "<form name=\"CertificateInfoForm\"" + nl + @@ -80,17 +85,24 @@ public class GetIdentityLinkFormBuilder extends Builder { * @param dataURL DataURL to be sent as a parameter in the form */ public String build( - String htmlTemplate, String bkuURL, String xmlRequest, String dataURL, String certInfoXMLRequest, String certInfoDataURL) - throws BuildException { - + String htmlTemplate, + String bkuURL, + String xmlRequest, + String dataURL, + String certInfoXMLRequest, + String certInfoDataURL, + String pushInfobox) + throws BuildException + { String htmlForm = htmlTemplate == null ? DEFAULT_HTML_TEMPLATE : htmlTemplate; // String bku = bkuURL == null ? DEFAULT_BKU : bkuURL; - htmlForm = replaceTag(htmlForm, BKU_TAG, bkuURL, ALL); - htmlForm = replaceTag(htmlForm, XMLREQUEST_TAG, encodeParameter(xmlRequest), ALL); - htmlForm = replaceTag(htmlForm, DATAURL_TAG, dataURL, ALL); + htmlForm = replaceTag(htmlForm, BKU_TAG, bkuURL, true, ALL); + htmlForm = replaceTag(htmlForm, XMLREQUEST_TAG, encodeParameter(xmlRequest), true, ALL); + htmlForm = replaceTag(htmlForm, DATAURL_TAG, dataURL, true, ALL); + htmlForm = replaceTag(htmlForm, PUSHINFOBOX_TAG, pushInfobox, false, ALL); //new:wird oben mitreplaced htmlForm = replaceTag(htmlForm, BKU_TAG, bkuURL); - htmlForm = replaceTag(htmlForm, CERTINFO_XMLREQUEST_TAG, encodeParameter(certInfoXMLRequest), ALL); - htmlForm = replaceTag(htmlForm, CERTINFO_DATAURL_TAG, certInfoDataURL, ALL); + htmlForm = replaceTag(htmlForm, CERTINFO_XMLREQUEST_TAG, encodeParameter(certInfoXMLRequest), true, ALL); + htmlForm = replaceTag(htmlForm, CERTINFO_DATAURL_TAG, certInfoDataURL, true, ALL); return htmlForm; } /** diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java new file mode 100644 index 000000000..2d9837f9a --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java @@ -0,0 +1,78 @@ +package at.gv.egovernment.moa.id.auth.builder; + +import java.util.List; + +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams; +import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParamsImpl; +import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; +import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameter; +import at.gv.egovernment.moa.util.XPathUtils; + +/** + * This class provides one method for building parameters needed for + * validating an infobox token. + * + * @author Harald Bratko + */ +public class InfoboxValidatorParamsBuilder { + + // hide the default constructor + private InfoboxValidatorParamsBuilder() { + } + + /** + * Builds the parameters passed to the validator class for validating an infobox token. + * + * @param session The actual Authentication session. + * @param verifyInfoboxParameter The configuration parameters for the infobox. + * @param infoboxTokenList Contains the infobox token to be validated. + * + * @return Parameters for validating an infobox token. + */ + public static InfoboxValidatorParams buildInfoboxValidatorParams( + AuthenticationSession session, + VerifyInfoboxParameter verifyInfoboxParameter, + List infoboxTokenList) + { + InfoboxValidatorParamsImpl infoboxValidatorParams = new InfoboxValidatorParamsImpl(); + IdentityLink identityLink = session.getIdentityLink(); + + // the infobox token to validate + infoboxValidatorParams.setInfoboxTokenList(infoboxTokenList); + // configuration parameters + infoboxValidatorParams.setTrustProfileID(verifyInfoboxParameter.getTrustProfileID()); + infoboxValidatorParams.setSchemaLocations(verifyInfoboxParameter.getSchemaLocations()); + infoboxValidatorParams.setApplicationSpecificParams(verifyInfoboxParameter.getApplicationSpecificParams()); + // authentication session parameters + infoboxValidatorParams.setBkuURL(session.getBkuURL()); + infoboxValidatorParams.setTarget(session.getTarget()); + infoboxValidatorParams.setBusinessApplication(session.getBusinessService()); + // parameters from the identity link + infoboxValidatorParams.setFamilyName(identityLink.getFamilyName()); + infoboxValidatorParams.setGivenName(identityLink.getGivenName()); + infoboxValidatorParams.setDateOfBirth(identityLink.getDateOfBirth()); + if (verifyInfoboxParameter.getProvideStammzahl()) { + infoboxValidatorParams.setIdentificationValue(identityLink.getIdentificationValue()); + } + infoboxValidatorParams.setIdentificationType(identityLink.getIdentificationType()); + infoboxValidatorParams.setPublicKeys(identityLink.getPublicKey()); + if (verifyInfoboxParameter.getProvideIdentityLink()) { + Element identityLinkElem = (Element)identityLink.getSamlAssertion().cloneNode(true); + if (!verifyInfoboxParameter.getProvideStammzahl()) { + Element identificationValueElem = + (Element)XPathUtils.selectSingleNode(identityLinkElem, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); + if (identificationValueElem != null) { + identificationValueElem.getFirstChild().setNodeValue(""); + } + } + infoboxValidatorParams.setIdentityLink(identityLinkElem); + } + + return infoboxValidatorParams; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/SelectBKUFormBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/SelectBKUFormBuilder.java index 72ecb53af..312179e73 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/SelectBKUFormBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/SelectBKUFormBuilder.java @@ -55,8 +55,8 @@ public class SelectBKUFormBuilder extends Builder { throws BuildException { String htmlForm = htmlTemplate == null ? DEFAULT_HTML_TEMPLATE : htmlTemplate; - htmlForm = replaceTag(htmlForm, ACTION_TAG, startAuthenticationURL, 1); - htmlForm = replaceTag(htmlForm, SELECT_TAG, bkuSelectTag, 1); + htmlForm = replaceTag(htmlForm, ACTION_TAG, startAuthenticationURL, true, 1); + htmlForm = replaceTag(htmlForm, SELECT_TAG, bkuSelectTag, true, 1); return htmlForm; } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/VerifyXMLSignatureRequestBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/VerifyXMLSignatureRequestBuilder.java index b98b87dee..e38ccc62a 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/VerifyXMLSignatureRequestBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/VerifyXMLSignatureRequestBuilder.java @@ -6,7 +6,7 @@ import java.io.InputStream; import org.w3c.dom.Element; import org.w3c.dom.Text; -import at.gv.egovernment.moa.id.*; +import at.gv.egovernment.moa.id.ParseException; import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.util.Base64Utils; @@ -24,6 +24,8 @@ import at.gv.egovernment.moa.util.XPathUtils; public class VerifyXMLSignatureRequestBuilder { /** The MOA-Prefix */ private static final String MOA = Constants.MOA_PREFIX + ":"; + /** The DSIG-Prefix */ + private static final String DSIG = Constants.DSIG_PREFIX + ":"; /** the request as string */ private String request; /** the request as DOM-Element */ @@ -53,7 +55,7 @@ public class VerifyXMLSignatureRequestBuilder { + " <Base64Content>" + " </Base64Content>" + " </VerifySignatureEnvironment>" - + " <VerifySignatureLocation>//dsig:Signature</VerifySignatureLocation>" + + " <VerifySignatureLocation>" + DSIG + "Signature</VerifySignatureLocation>" + " </VerifySignatureInfo>" + " <SignatureManifestCheckParams ReturnReferenceInputData=\"false\">" // True bei CreateXMLSig Überprüfung +" <ReferenceInfo>" + " <VerifyTransformsInfoProfile/>" @@ -160,7 +162,7 @@ public class VerifyXMLSignatureRequestBuilder { + " <VerifySignatureEnvironment>" + " <XMLContent xml:space=\"preserve\"/>" + " </VerifySignatureEnvironment>" - + " <VerifySignatureLocation>//dsig:Signature</VerifySignatureLocation>" + + " <VerifySignatureLocation>" + DSIG + "Signature</VerifySignatureLocation>" + " </VerifySignatureInfo>" + " <SignatureManifestCheckParams ReturnReferenceInputData=\"true\">" + " <ReferenceInfo>"; diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 74e31e45e..50d15007e 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -1,6 +1,7 @@ package at.gv.egovernment.moa.id.auth.data; import java.util.Date; +import java.util.List; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -12,6 +13,9 @@ import at.gv.egovernment.moa.util.Constants; * @version $Id$ */ public class AuthenticationSession { + + private static String TARGET_PREFIX_ = Constants.URN_PREFIX_CDID + "+"; + /** * session ID */ @@ -63,7 +67,22 @@ public class AuthenticationSession { */ private boolean businessService; - private static String TARGET_PREFIX_ = Constants.URN_PREFIX_CDID + "+"; + /** + * SAML attributes from an extended infobox validation to be appended + * to the SAML assertion delivered to the final online application. + */ + private List extendedSAMLAttributesOA; + + /** + * SAML attributes from an extended infobox validation to be appended + * to the SAML assertion of the AUTHBlock. + */ + private List extendedSAMLAttributesAUTH; + + /** + * The issuing time of the AUTH-Block SAML assertion. + */ + private String issueInstant; /** * Constructor for AuthenticationSession. @@ -273,4 +292,64 @@ public class AuthenticationSession { templateURL = string; } + /** + * Returns the SAML Attributes to be appended to the AUTHBlock. Maybe <code>null</code>. + * + * @return The SAML Attributes to be appended to the AUTHBlock. Maybe <code>null</code>. + */ + public List getExtendedSAMLAttributesAUTH() { + return extendedSAMLAttributesAUTH; + } + + /** + * Sets the SAML Attributes to be appended to the AUTHBlock. + * + * @param extendedSAMLAttributesAUTH The SAML Attributes to be appended to the AUTHBlock. + */ + public void setExtendedSAMLAttributesAUTH( + List extendedSAMLAttributesAUTH) { + this.extendedSAMLAttributesAUTH = extendedSAMLAttributesAUTH; + } + + /** + * Returns the SAML Attributes to be appended to the SAML assertion + * delivered to the online application. Maybe <code>null</code>. + * + * @return The SAML Attributes to be appended to the SAML assertion + * delivered to the online application + */ + public List getExtendedSAMLAttributesOA() { + return extendedSAMLAttributesOA; + } + + /** + * Sets the SAML Attributes to be appended to the SAML assertion + * delivered to the online application. + * + * @param extendedSAMLAttributesOA The SAML Attributes to be appended to the SAML + * assertion delivered to the online application. + */ + public void setExtendedSAMLAttributesOA( + List extendedSAMLAttributesOA) { + this.extendedSAMLAttributesOA = extendedSAMLAttributesOA; + } + + /** + * Returns the issuing time of the AUTH-Block SAML assertion. + * + * @return The issuing time of the AUTH-Block SAML assertion. + */ + public String getIssueInstant() { + return issueInstant; + } + + /** + * Sets the issuing time of the AUTH-Block SAML assertion. + * + * @param issueInstant The issueInstant to set. + */ + public void setIssueInstant(String issueInstant) { + this.issueInstant = issueInstant; + } + } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttribute.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttribute.java new file mode 100644 index 000000000..795079227 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttribute.java @@ -0,0 +1,73 @@ +package at.gv.egovernment.moa.id.auth.data; + +/** + * A SAML-Attribute to be appended to the final SAML-Assertion + * that will be passed to the online application. + */ +public interface ExtendedSAMLAttribute { + /** + * Add this attribute only to the SAML-Assertion + * passed to the online application, but not to + * the AUTH-Block. + */ + public final static int NOT_ADD_TO_AUTHBLOCK = 0; + /** + * Add this attribute to both, the AUTH-Block and the + * final SAML-Assertion passed to the online application. + */ + public final static int ADD_TO_AUTHBLOCK = 1; + /** + * Add this attribute to only the AUTH-Block, but not + * to the final SAML-Assertion passed to the online application. + */ + public final static int ADD_TO_AUTHBLOCK_ONLY = 2; + + /** + * The value of the SAML-Attribute. This must be either a + * <code>org.w3c.Element</code> or a <code>java.lang.String</code> + * object. Each other type will be ignored. <br> + * If, for example, the type of the actual SAML-Attribute is a + * <code><xsd:boolean></code> the value must be either the String + * <code>"true"</code> or <code>"false"</code>. + * Or the <code><xsd:integer></code> number <code>273</code> + * has to be the String <code>"273"</code>. + * + * @return The value of the SAML-Attribute. Must not be <code>null</code>. + */ + public Object getValue(); + + /** + * The name of the SAML-Attribute. + * + * @return The name of the SAML-Attribute. Must not be <code>null</code>. + */ + public String getName(); + + /** + * The namespace of the SAML-Attribute. + * An application will use the context specific namespace URI for the attribute it returns. + * However, if the application cannot explicitely assign a namespace URI, the + * {@link at.gv.egovernment.moa.util.Constants#MOA_NS_URI default} MOA namespace URI + * should be used. + * + * @return The namespace of the SAML-Attribute. Must not be <code>null</code>. + */ + public String getNameSpace(); + + /** + * Specifies if this SAML-Attribute should be added to the AUTH-Block. + * <br> + * Depending on the returned value, this SAML-Attribute should be only added to the + * final SAML-Assertion passed to the online application (0), to both, the final + * assertion and the AUTH-Block (1) or to the AUTH-Block only (2). + * + * @return <ul> + * <li>0 - add this SAML-Attribute to the final SAML-Assertion only</li> + * <li>1 - add this SAML-Attribute to both, the final SAML-Assertion and the + * AUTH-Block</li> + * <li>2 - add this SAML-Attribute to the AUTH-Block only + * </ul> + */ + public int getAddToAUTHBlock(); + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttributeImpl.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttributeImpl.java new file mode 100644 index 000000000..9aedd86e6 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttributeImpl.java @@ -0,0 +1,137 @@ +package at.gv.egovernment.moa.id.auth.data; + +/** + * This class contains SAML attributes to be appended to the SAML assertion delivered to + * the Online application. + * + * @author Harald Bratko + */ +public class ExtendedSAMLAttributeImpl implements ExtendedSAMLAttribute { + + /** + * The value of this SAML attribute. Must be either of type <code>java.lang.String</code> + * or <code>org.w3c.Element</code>. + */ + private Object value_; + + /** + * The name of this SAML attribute. + */ + private String name_; + + /** + * The namespace URI of this SAML attribute. + */ + private String namespace_; + + /** + * Specifies whether this SAML attribute should be appended to AUTH Block. + */ + private int addToAUTHBlock_; + + /** + * Sets this ExtendedSAMLAttribute. + * @param name The name of this SAML Attribute. + * @param value The value of this SAML Attribute. Must be either of type + * <code>java.lang.String</code> or <code>org.w3c.dom.Element</code>. + * @param namespace The namespace of this SAML Attribute. + * @param addToAUTHBlock Specifies if this SAML Attribute should be added to the AUTHBlock. + * The following values are allowed: + * <ul> + * <li> + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK} + * </li> + * <li> + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#NOT_ADD_TO_AUTHBLOCK} + * </li> + * <li> + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK_ONLY} + * </li> + * </ul> + * + */ + public ExtendedSAMLAttributeImpl(String name, Object value, String namespace, int addToAUTHBlock) { + name_ = name; + value_ = value; + namespace_ = namespace; + addToAUTHBlock_ = addToAUTHBlock; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#getValue() + */ + public Object getValue() { + return value_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#getName() + */ + public String getName() { + return name_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#getNameSpace() + */ + public String getNameSpace() { + return namespace_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#getAddToAUTHBlock() + */ + public int getAddToAUTHBlock() { + return addToAUTHBlock_; + } + + /** + * Specifies if this SAML Attribute should be added to the AUTHBlock. + * + * @param addToAUTHBlock One of the following values: + * <ul> + * <li> + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK} + * </li> + * <li> + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#NOT_ADD_TO_AUTHBLOCK} + * </li> + * <li> + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK_ONLY} + * </li> + * </ul> + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK) + */ + public void setAddToAUTHBlock(int addToAUTHBlock) { + addToAUTHBlock_ = addToAUTHBlock; + } + + /** + * Sets the name of this SAML attribute. + * + * @param name The name of this SAML attribute. + */ + public void setName(String name) { + name_ = name; + } + + /** + * Sets the namespace of this SAML attribute. + * + * @param namespace The namespace to set. + */ + public void setNamespace(String namespace) { + namespace_ = namespace; + } + + /** + * Sets the value of this SAML attribute. + * + * @param value The value of this SAML Attribute. Must be either of type + * <code>java.lang.String</code> or <code>org.w3c.dom.Element</code>. + */ + public void setValue(Object value) { + value_ = value; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxToken.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxToken.java new file mode 100644 index 000000000..6b1f24aba --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxToken.java @@ -0,0 +1,65 @@ +package at.gv.egovernment.moa.id.auth.data; + +import org.w3c.dom.Element; + +/** + * Contains an infobox token included in an <code>InfoboxReadResponse</code>. + * Depending on whether the token is extracted from an <code>XMLContent</code> or a + * <code>Base64Content</code> it is either returned as DOM element + * ({@link #getXMLToken()}) or base64 encoded string ({@link #getBase64Token()}). + * + * @author Harald Bratko + */ +public interface InfoboxToken { + + /** + * The key of the corresponding infobox. + * This is the value of <code>Key</code> attribute of the <code><Pair></code> child + * element in an <code><AssocArrayData></code> content of an InfoboxReadResponse. + * Maybe <code>null</code> if the InfoboxReadResponse conatains <code>BinaryFileData</code>. + * + * + * @return The key identifier of the corresponding infobox. + */ + public String getKey(); + + /** + * Specifies if this token is the first token (e.g in an array of tokens) included in an + * <code>InfoboxReadResponse</code>. If <code>true</code> this token is the token to be + * validated by a corresponding + * {@link at.gv.egovernment.moa.id.auth.validator.InfoboxValidator InfoboxValidator}. + * If <code>false</code> this token maybe needed to validate the primary token. + * + * @return <code>True</code> if this token is the first token. + */ + public boolean isPrimary(); + + /** + * Returns the infobox token. + * Maybe <code>null</code> if the token is returned by method {@link #getBase64Token()} + * as base64 encoded string. + * <br> + * Note that this token is <code><i><b>not</b></i></code> validated against the + * application specific schema (e.g. Mandates schema in the mandates context). + * Thus the validating application <code><i><b>has to</b></i></code> validate the token + * against the appropriate schema. + * + * @return The infobox token. If <code>null</code> the token is returned by method + * {@link #getBase64Token()} as base64 encoded string. + */ + public Element getXMLToken(); + + /** + * Returns the infobox token. + * Maybe <code>null</code> if the token is returned by method {@link #getXMLToken()} + * as a DOM element. + * <br> + * Note, that the base64 encoded string actually may include more than one infobox + * elements. + * + * @return The infobox token. If <code>null</code> the token is returned by method + * {@link #getBase64Token()} as base64 encoded string. + */ + public String getBase64Token(); + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxTokenImpl.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxTokenImpl.java new file mode 100644 index 000000000..f1ff30a8a --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxTokenImpl.java @@ -0,0 +1,129 @@ +package at.gv.egovernment.moa.id.auth.data; + +import org.w3c.dom.Element; + +/** + * This class contains an infobox token. + * + * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken + * + * @author Harald Bratko + */ +public class InfoboxTokenImpl implements InfoboxToken { + + /** + * The key of the infobox token. + */ + private String key_; + + /** + * Specifies whether this token is the primary (first in an array) token. + */ + private boolean primary_; + + /** + * The infobox token. + */ + private Element xmlToken_; + + /** + * The base64 encoded infobox token. + */ + private String base64Token_; + + /** + * Sets an XML infobox token. + * + * @param key The key of the infobox token. + * @param primary <code>True</code> this token is the primary (e.g .first in an array) + * token, otherwise <code>false</code> + * @param xmlToken The infobox token. + */ + public InfoboxTokenImpl(String key, boolean primary, Element xmlToken) { + key_ = key; + primary_ = primary; + xmlToken_ = xmlToken; + base64Token_ = null; + } + + /** + * Sets a base64 encoded infobox token. + * + * @param key The key of the infobox token. + * @param primary <code>True</code> this token is the primary (e.g .first in an array) + * token, otherwise <code>false</code> + * @param base64Token The base64 encoded infobox token. + */ + public InfoboxTokenImpl(String key, boolean primary, String base64Token) { + key_ = key; + primary_ = primary; + base64Token_ = base64Token; + xmlToken_ = null; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken#getKey() + */ + public String getKey() { + return key_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken#isPrimary() + */ + public boolean isPrimary() { + return primary_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken#getXMLToken() + */ + public Element getXMLToken() { + return xmlToken_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken#getBase64Token() + */ + public String getBase64Token() { + return base64Token_; + } + + /** + * Sets the key of the infobox token. + * + * @param key The key of the infobox token. + */ + public void setKey(String key) { + key_ = key; + } + + /** + * Specifies whether this token is the primary (e.g. first in an array) token. + * + * @param primary <code>True</code> this token is the primary (e.g .first in an array) + * token, otherwise <code>false</code>. + */ + public void setPrimary(boolean primary) { + primary_ = primary; + } + + /** + * Sets the base64 encoded token. + * + * @param base64Token The base64 encoded token. + */ + public void setBase64Token(String base64Token) { + base64Token_ = base64Token; + } + + /** + * Sets the infobox token. + * + * @param xmlToken The infobox token. + */ + public void setXmlToken(Element xmlToken) { + xmlToken_ = xmlToken; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java new file mode 100644 index 000000000..26070dc51 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java @@ -0,0 +1,159 @@ + +package at.gv.egovernment.moa.id.auth.data; + +import java.security.PublicKey; +import java.util.List; + +import org.w3c.dom.Element; + +/** + * Parameters for validating an infobox. + * + * This interface is used by MOA-ID to provide parameters to an + * {link at.gv.egovernment.moa.id.auth.validator.InfoboxValidator + * InfoboxValidator}. + * + * @author Harald Bratko + */ +public interface InfoboxValidatorParams { + + /** + * Returns a list of {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken} + * objects. The first token in this list is the one to be validated. Each further token + * maybe needed to validate this first token. + * + * @return A list of {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken} + * objects. + */ + public List getInfoboxTokenList(); + + /** + * Returns the ID of the trust profile to be used for validating + * certificates. Maybe ignored by a validator, if no certificates + * has to be validated. + * + * @return The ID of a trust profile. + */ + public String getTrustProfileID(); + + /** + * Returns schema location URIs that may be needed by the + * validator to parse infobox tokens. + * Each entry in the list is a {@link Schema} specifying the location + * of an XML schema. + * + * @return A list of {@link Schema} objects each of them specifying the + * location of an XML schema. + */ + public List getSchemaLocations(); + + /** + * Returns the URL of the BKU. + * Maybe needed by a validator. + * + * @return The url of the BKU. + */ + public String getBkuURL(); + + /** + * Returns the target parameter. + * <code>null</code> in the case of a business service. + * + * @return The target parameter. + */ + public String getTarget(); + + /** + * Returns <code>true</code> if the application is a business + * service, otherwise <code>false</code>. This may be useful + * for the validating application. + * + * @return <code>True</code> if the application is a business + * service, otherwise <code>false</code> + */ + public boolean getBusinessApplication(); + + /** + * Returns the family name from the identity link. + * Maybe needed by a validator. + * + * @return The family name from the identity link. + */ + public String getFamilyName(); + + /** + * Returns the given name from the identity link. + * Maybe needed by a validator. + * + * @return The given name from the identity link. + */ + public String getGivenName(); + + /** + * The date of birth from the identity link. + * The method returns the value of the <pr:DateOfBirth> + * element from the identity link. + * Maybe needed by a validator. + * + * @return The date of birth from the identity link. + */ + public String getDateOfBirth(); + + /** + * Returns he identification value from the identity + * link. This may be the <code>Stammzahl</code> + * in the case of a public application or the + * <code>wbPK</code> in the case of a business + * application. This parameter is only returned + * if specified within the config file. + * + * @return The identification value from the identity link. + */ + public String getIdentificationValue(); + + /** + * Returns the type of the identification value + * from the identity link. This may be + * especially of interest for business + * applications. + * + * @return The type of the identification value + * from the identity link. + */ + public String getIdentificationType(); + + /** + * Returns the public keys from the identity link. + * Maybe needed by the application. + * + * @return PublicKey[] The public keys from the + * identity link. + */ + public PublicKey[] getPublicKeys(); + + /** + * Returns the identity link. + * A validator may need other data from the identity link, than + * family name, given name, date of birth and identification value. + * The identity link element is only returned if specified within the + * config file. + * + * @return The identity link. + */ + public Element getIdentityLink(); + + /** + * Returns application specific parameters. + * Each child element of this element contains + * a validating application specific parameter. The + * element is passed as specified within the config + * file and its up to the implementing class to + * parse and interprete its children. + * + * @return Application specific parameters. + */ + public Element getApplicationSpecificParams(); + +} + + diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java new file mode 100644 index 000000000..46a67d48b --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java @@ -0,0 +1,326 @@ +package at.gv.egovernment.moa.id.auth.data; + +import java.security.PublicKey; +import java.util.List; + +import org.w3c.dom.Element; + +/** + * Parameters for validating an infobox. + * + * This interface is used by MOA-ID to provide parameters to an + * {link at.gv.egovernment.moa.id.auth.validator.InfoboxValidator + * InfoboxValidator}. + * + * @author Harald Bratko + */ +public class InfoboxValidatorParamsImpl implements InfoboxValidatorParams { + + /** + * A list of {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken} objects. + * The first token in this list is the one to be validated. Each further token + * maybe needed to validate this first token. + */ + private List infoboxTokenList_; + + /** + * The ID of the trust profile used for validating certificates. + */ + private String trustProfileID_; + + /** + * The locations of schemas that maybe needed for validating infobox tokens. + */ + private List schemaLocations_; + + /** + * The URL of the BKU. + */ + private String bkuURL_; + + /** + * Specifies whether the current online application is a business or a public application. + */ + private boolean businessApplication_; + + /** + * The target parameter. + */ + private String target_; + + /** + * The family name from the identity link. + */ + private String familyName_; + + /** + * The given name from the identity link. + */ + private String givenName_; + + /** + * The date of birth from the identity link. + */ + private String dateOfBirth_; + + /** + * The date of identification value. + */ + private String identificationValue_; + + /** + * The identification type. + */ + private String identificationType_; + + /** + * The public keys from the identity link. + */ + private PublicKey[] publicKeys_; + + /** + * The identity link. + */ + private Element identityLink_; + + /** + * Application specific parameters. + */ + private Element applicationSpecificParams_; + + /** + * Empty constructor. + */ + public InfoboxValidatorParamsImpl() { + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getInfoboxTokenList() + */ + public List getInfoboxTokenList() { + return infoboxTokenList_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getTrustProfileID() + */ + public String getTrustProfileID() { + return trustProfileID_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getSchemaLocations() + */ + public List getSchemaLocations() { + return schemaLocations_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getBkuURL() + */ + public String getBkuURL() { + return bkuURL_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getTarget() + */ + public String getTarget() { + return target_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getBusinessApplication() + */ + public boolean getBusinessApplication() { + return businessApplication_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getFamilyName() + */ + public String getFamilyName() { + return familyName_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getGivenName() + */ + public String getGivenName() { + return givenName_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getDateOfBirth() + */ + public String getDateOfBirth() { + return dateOfBirth_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getIdentificationValue() + */ + public String getIdentificationValue() { + return identificationValue_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getIdentificationType() + */ + public String getIdentificationType() { + return identificationType_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getPublicKeys() + */ + public PublicKey[] getPublicKeys() { + return publicKeys_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getIdentityLink() + */ + public Element getIdentityLink() { + return identityLink_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getApplicationSpecificParams() + */ + public Element getApplicationSpecificParams() { + return applicationSpecificParams_; + } + + /** + * Sets the application specific parameters. + * + * @param applicationSpecificParams The application specific parameters to set. + */ + public void setApplicationSpecificParams(Element applicationSpecificParams) { + applicationSpecificParams_ = applicationSpecificParams; + } + + /** + * Sets the bku URL. + * + * @param bkuURL The bku URL to set. + */ + public void setBkuURL(String bkuURL) { + bkuURL_ = bkuURL; + } + + /** + * Sets the business application parameter. + * + * @param businessApplication The business application parameter to set. + * (<code>True</code> if the application is a business + * application, otherwies <code>false</code>). + */ + public void setBusinessApplication(boolean businessApplication) { + businessApplication_ = businessApplication; + } + + /** + * Sets the date of birth. + * + * @param dateOfBirth The date of birth. + */ + public void setDateOfBirth(String dateOfBirth) { + dateOfBirth_ = dateOfBirth; + } + + /** + * Sets the family name. + * + * @param familyName The family name. + */ + public void setFamilyName(String familyName) { + familyName_ = familyName; + } + + /** + * Sets the given name. + * + * @param givenName The given name. + */ + public void setGivenName(String givenName) { + givenName_ = givenName; + } + + /** + * Sets the identification type. + * + * @param identificationType The identification type. + */ + public void setIdentificationType(String identificationType) { + identificationType_ = identificationType; + } + + /** + * Sets the identification value. + * + * @param identificationValue The identification value. + */ + public void setIdentificationValue(String identificationValue) { + identificationValue_ = identificationValue; + } + + /** + * Sets the identity link. + * + * @param identityLink The identity link. + */ + public void setIdentityLink(Element identityLink) { + identityLink_ = identityLink; + } + + /** + * Sets the infobox token to be validated. + * + * @param infoboxTokenList A list {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken} + * objects. + */ + public void setInfoboxTokenList(List infoboxTokenList) { + infoboxTokenList_ = infoboxTokenList; + } + + /** + * Sets the public Keys. + * + * @param publicKeys The public keys. + */ + public void setPublicKeys(PublicKey[] publicKeys) { + publicKeys_ = publicKeys; + } + + /** + * Sets the schema locations. + * + * @param schemaLocations The schema locations. A list of + * {@link Schema} objects. + */ + public void setSchemaLocations(List schemaLocations) { + schemaLocations_ = schemaLocations; + } + + /** + * Sets the target. + * + * @param target The target. + */ + public void setTarget(String target) { + target_ = target; + } + + + /** + * Sets the ID of the trust profile used for validating certificates. + * + * @param trustProfileID the ID of the trust profile used for validating certificates. + */ + public void setTrustProfileID(String trustProfileID) { + trustProfileID_ = trustProfileID; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/Schema.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/Schema.java new file mode 100644 index 000000000..c113f16b8 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/Schema.java @@ -0,0 +1,26 @@ +package at.gv.egovernment.moa.id.auth.data; + +/** + * Specifies the location of a schema. + * + * @author Harald Bratko + */ +public interface Schema { + + /** + * The namespace URI of this schema. + * + * @return The namespace of this schema. + */ + public String getNamespace(); + + /** + * The location URI of this schema. + * Relative paths have to be interpreted relative to the + * location of the MOA-ID config file. + * + * @return The location URI of this schema. + */ + public String getSchemaLocation(); + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/SchemaImpl.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/SchemaImpl.java new file mode 100644 index 000000000..e6755b58c --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/SchemaImpl.java @@ -0,0 +1,63 @@ +package at.gv.egovernment.moa.id.auth.data; + +/** + * This class specifies the location of a schema. + * + * @author Harald Bratko + */ +public class SchemaImpl implements Schema { + + /** + * The namespace of this schema. + */ + private String namespace_; + + /** + * The location (URI) of this schema; + */ + private String schemaLocation_; + + /** + * Sets the namespace and schema location URIS of this schema. + * + * @param namespace The namespace URI of this schema. + * @param schemaLocation The location URI of this schema. + */ + public SchemaImpl(String namespace, String schemaLocation) { + namespace_ = namespace; + schemaLocation_ = schemaLocation; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.Schema#getNamespace() + */ + public String getNamespace() { + return namespace_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.Schema#getSchemaLocation() + */ + public String getSchemaLocation() { + return schemaLocation_; + } + + /** + * Sets the namespace. + * + * @param namespace The namespace to set. + */ + public void setNamespace(String namespace) { + namespace_ = namespace; + } + + /** + * Sets the location URI of this schema. + * + * @param schemaLocation The schemaLocation to set. + */ + public void setSchemaLocation(String schemaLocation) { + schemaLocation_ = schemaLocation; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java index eb7d76fda..6287c99dd 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java @@ -137,11 +137,10 @@ public class CreateXMLSignatureResponseParser { String attrName = XPathUtils.getAttributeValue(samlAttr, "@AttributeName", ""); String attrNamespace = XPathUtils.getAttributeValue(samlAttr, "@AttributeNamespace", ""); Object attrValue; - if ("wbPK".equals(attrName)) { - Element attrValueElem = (Element)XPathUtils.selectSingleNode(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH); - attrValue = DOMUtils.getElementFromNodeList(attrValueElem.getChildNodes()); - } else { - attrValue = XPathUtils.getElementValue(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH, ""); + Element attrValueElem = (Element)XPathUtils.selectSingleNode(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH); + attrValue = DOMUtils.getElementFromNodeList(attrValueElem.getChildNodes()); + if (attrValue == null) { + attrValue = attrValueElem.getFirstChild().getNodeValue(); } samlAttributes.add(new SAMLAttribute(attrName, attrNamespace, attrValue)); } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/ExtendedInfoboxReadResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/ExtendedInfoboxReadResponseParser.java new file mode 100644 index 000000000..e493f07fb --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/ExtendedInfoboxReadResponseParser.java @@ -0,0 +1,157 @@ +package at.gv.egovernment.moa.id.auth.parser; + +import java.util.Iterator; +import java.util.List; +import java.util.Vector; + +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.id.ParseException; +import at.gv.egovernment.moa.id.auth.data.InfoboxToken; +import at.gv.egovernment.moa.id.auth.data.InfoboxTokenImpl; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DOMUtils; + +/** + * Parses and unmarshales <code>InfoboxReadResponse<code>. + * This parser is especially used for parsing additional responses (additional to that + * one containing the <code>IdentityLink</code> retuned from the BKU as an answer of + * a <code><PushInfobox></code> request. + */ +public class ExtendedInfoboxReadResponseParser { + + /** + * Hide default constructor. + */ + private ExtendedInfoboxReadResponseParser() { + } + + /** + * Parses and unmarshales the given <code>infoboxReadResponse</code> to a list of + * {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken} objects. + * The method parses the given <code>infoboxReadResponse</code> + * + * @param infoboxReadResponse The infobox read response to be unmarshaled. + * @param infoboxName The name of the infobox the reponse corresponds to. + * + * @return A list of {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken} + * objects. Maybe empty. + * + * @throws ParseException If an error occurs on parsing and unmarshaling the response. + */ + public static List parseInfoboxReadResponse(String infoboxReadResponse, String infoboxName) + throws ParseException + { + Element infoboxReadResponseElem = null; + try { + Document doc = + DOMUtils.parseDocument(infoboxReadResponse, true, Constants.ALL_SCHEMA_LOCATIONS, null); + infoboxReadResponseElem = doc.getDocumentElement(); + } catch (Exception e) { + Logger.error("InfoboxReadResponse for \"" + infoboxName + + "\"-infobox could not be parsed successfully: " + e.getMessage()); + throw new ParseException("parser.01", new Object[] {infoboxName + "-InfoboxReadResponse"}); + } + + Vector infoboxTokenList = new Vector(); + + if (infoboxReadResponseElem != null) { + // avoid using namespace URI or prefix, because it might change within the response + // (e.g.: sl11-namespace, some child sl10-namespace + List infoboxReadResponseChildren = DOMUtils.getChildElements(infoboxReadResponseElem); + String key = null; + boolean primary = true; + Element infoboxReadResponseChild = (Element)infoboxReadResponseChildren.get(0); + String infoboxReadResponseChildName = infoboxReadResponseChild.getLocalName(); + if (infoboxReadResponseChildName.equals("AssocArrayData")) { + // get the <Pair> child elements from the <AssocArrayData> element + List assocArrayPairs = DOMUtils.getChildElements(infoboxReadResponseChild); + Iterator assocArrayPairIt = assocArrayPairs.iterator(); + int pairCount = 0; + // step through the <Pair> elemnts + while (assocArrayPairIt.hasNext()) { + Element assocArrayPair = (Element)assocArrayPairIt.next(); + // check if the element actually a "Pair" element and not only a "key" + if (assocArrayPair.getLocalName().equals("Key")) { + // do not accept only a Key + throw new ParseException("parser.07", new Object[] {infoboxName}); + } + key = assocArrayPair.getAttribute("Key"); + if (pairCount > 0) { + primary = false; + } + pairCount++; + infoboxTokenList.addAll(getTokenFromXMLOrBase64Content(assocArrayPair, infoboxName, key, primary)); + } + + } else if (infoboxReadResponseChildName.equals("BinaryFileData")) { + infoboxTokenList.addAll(getTokenFromXMLOrBase64Content(infoboxReadResponseChild, infoboxName, null, true)); + } + } + return infoboxTokenList; + } + + /** + * Unmarshales the <code><XMLContent></code> or + * <code><Base64Content></code> child of the given element to a list of + * infobox token. + * + * @param contentParent The elment including the <code><XMLContent></code> or + * <code><Base64Content></code> child to unmarshal the + * infobox token from. + * @param infoboxName The name of the infobox. + * @param key The key of an <code>AssocArrayData-Pair</code>. + * Maybe <code>null</code>. + * @param primary Specifies whether this token is the first (e.g. in an + * AssocArrayData) token. + * + * @return A infobox token list. + * + * @throws ParseException If the <code>contentParent</code> has no <code><XMLContent></code> + * or <code><Base64Content></code> child or the + * <code><XMLContent></code> is empty. + */ + public static List getTokenFromXMLOrBase64Content( + Element contentParent, + String infoboxName, + String key, + boolean primary) + throws ParseException + { + Vector tokenList = new Vector(); + // get the <XMLContent> or <Base64Content> + List content = DOMUtils.getChildElements(contentParent); + if (content.size() == 1) { + Element contentElem = (Element)content.get(0); + if (contentElem.getLocalName().equals("XMLContent")) { + List xmlContentChildren = DOMUtils.getChildElements(contentElem); + if (xmlContentChildren.size() == 0) { + throw new ParseException("parser.06", new Object[] {infoboxName, "Inhalt", "XMLContent"}); + } + int xmlCount = 0; + Iterator contentIt = xmlContentChildren.iterator(); + while (contentIt.hasNext()) { + Element xmlToken = (Element)contentIt.next(); + if (xmlCount > 0) { + primary = false; + } + InfoboxToken infoboxToken = new InfoboxTokenImpl(key, primary, xmlToken); + tokenList.add(infoboxToken); + xmlCount++; + } + } else { + String base64Token = contentElem.getFirstChild().getNodeValue(); + InfoboxToken infoboxToken = new InfoboxTokenImpl(key, primary, base64Token); + tokenList.add(infoboxToken); + } + } else { + throw new ParseException("parser.06", + new Object[] {infoboxName, "XMLContent oder Base64Content", contentParent.getLocalName()}); + } + return tokenList; + } + + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java index 092bc68c9..9d8cff6f5 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java @@ -89,7 +89,7 @@ public class IdentityLinkAssertionParser { + "Identification"; /** Xpath expression to the Identification Value element */ - private static final String PERSON_IDENT_VALUE_XPATH = + public static final String PERSON_IDENT_VALUE_XPATH = PERSON_XPATH + "/" + PDATA diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java index 70e53d83e..96e8e6dd6 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java @@ -131,7 +131,7 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants { { // request is encoded as mulitpart/form-data FileItemFactory factory = new DiskFileItemFactory(); - ServletFileUpload upload = null;; + ServletFileUpload upload = null; upload = new ServletFileUpload(factory); List items = null; items = upload.parseRequest(req); diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java index 9d5c4b191..2134c1444 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java @@ -2,11 +2,14 @@ package at.gv.egovernment.moa.id.auth.servlet; import java.io.IOException; import java.io.OutputStream; +import java.util.Enumeration; import java.util.Map; +import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import org.apache.commons.fileupload.FileUploadException; @@ -75,29 +78,30 @@ public class VerifyIdentityLinkServlet extends AuthServlet { throw new IOException(e.getMessage()); } String sessionID = req.getParameter(PARAM_SESSIONID); - String infoboxReadResponse = (String)parameters.get(PARAM_XMLRESPONSE); - try { - String createXMLSignatureRequest = - AuthenticationServer.getInstance().verifyIdentityLink(sessionID, infoboxReadResponse); - AuthenticationSession session = AuthenticationServer.getSession(sessionID); - resp.setStatus(307); - String dataURL = new DataURLBuilder().buildDataURL( - session.getAuthURL(), AuthenticationServer.REQ_VERIFY_AUTH_BLOCK, sessionID); - resp.addHeader("Location", dataURL); - - //TODO test impact of explicit setting charset with older versions of BKUs (HotSign) - resp.setContentType("text/xml;charset=UTF-8"); + + try { + AuthenticationSession session = AuthenticationServer.getSession(sessionID); + + String createXMLSignatureRequest = + AuthenticationServer.getInstance().verifyIdentityLink(sessionID, parameters); + resp.setStatus(307); + String dataURL = new DataURLBuilder().buildDataURL( + session.getAuthURL(), AuthenticationServer.REQ_VERIFY_AUTH_BLOCK, sessionID); + resp.addHeader("Location", dataURL); + + //TODO test impact of explicit setting charset with older versions of BKUs (HotSign) + resp.setContentType("text/xml;charset=UTF-8"); OutputStream out = resp.getOutputStream(); out.write(createXMLSignatureRequest.getBytes("UTF-8")); - out.flush(); + out.flush(); out.close(); - Logger.debug("Finished POST VerifyIdentityLink"); - } - catch (MOAIDException ex) { - handleError(null, ex, req, resp); - } + Logger.debug("Finished POST VerifyIdentityLink"); + } + catch (MOAIDException ex) { + handleError(null, ex, req, resp); + } } } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java index 0bd45e3e9..444f706e4 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java @@ -153,7 +153,7 @@ public class IdentityLinkValidator implements Constants { //Check if dsig:Signature exists Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion,ROOT + DSIG + "Signature"); - if (dsigSignature==null) throw new ValidateException("validator.05", null); + if (dsigSignature==null) throw new ValidateException("validator.05", new Object[] {"in der Personenbindung"}); } } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java new file mode 100644 index 000000000..e17e03a20 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java @@ -0,0 +1,71 @@ +package at.gv.egovernment.moa.id.auth.validator; + +import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams; +import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; + +/** + * Validates an InfoboxReadResponse. + * An implementing class has to validate the content of the InfoboxReadResponse + * according to the type specific rules and guidelines of the underlying + * application. + * If validation succeeds, the class may provide an array of + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute + * ExtendedSAMLAttributes}. Each of these SAML-Attributes will be either appended to the + * final SAML-Assertion passed to the online application or to the AUTH-Block, + * or to both. + * <br> + * If validation fails the implementing class has to provide a short error message. + */ +public interface InfoboxValidator { + + /** + * This method validates an InfoboxReadResponse. + * The method validates the content of the passed <code>infoboxReadResponse</code> + * according to the type specific rules and guidelines of the underlying + * application. + * <br> + * The method returns <code>true</code> if validation succeeds. In that case + * method {@link #getExtendedSamlAttributes()} may provide an array of + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute + * ExtendedSAMLAttributes} that should be appended to the final SAML-Assertion or the + * AUTH-Block or to both. + * <br> + * The method returns <code>false</code> if validation fails. In that case + * method {@link #getErrorMessage()} has to provide a short error description. + * + * @param params {@link at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams + * Parameters} needed by the validator. + * + * @return <code>True</code> if validation succeeds, + * otherwise <code>false</code>. + * + * @throws ValidateException If an error occurs on validating the + * InfoboxReadResponse. + */ + public boolean validate (InfoboxValidatorParams params) + throws ValidateException; + + /** + * Returns an array of {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute + * ExtendedSAMLAttributes} that should be added to the SAML-Assertion + * provided to the online application. + * The SAML-Attributes in that array will be added to the final + * SAML-Assertion, the AUTH-Block, or both, exactly in the order as they are arranged + * in the array this method returns. + * + * @return An array of {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute + * ExtendedSAMLAttributes} that should be added to the SAML-Assertion + * provided to the online application, the AUTH-Block, or both. If no attributes should + * be added this array maybe <code>null</code> or empty. + */ + public ExtendedSAMLAttribute[] getExtendedSamlAttributes(); + + /** + * A short error description that should be displayed by MOA-ID if + * validation of the InfoBoxReadResponse fails. + * + * @return An short error message if validation fails. + */ + public String getErrorMessage(); + +} |