Diffstat (limited to 'id.server/src/at/gv/egovernment/moa/id/auth')
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java3
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java19
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java30
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java111
4 files changed, 103 insertions, 60 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index cd4b26df3..2baa172f1 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -493,7 +493,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
identificationType,
oaURL,
gebDat,
- extendedSAMLAttributes);
+ extendedSAMLAttributes,
+ session);
return authBlock;
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index ef50acb3f..4493333c2 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -5,6 +5,7 @@ import java.util.List;
import at.gv.egovernment.moa.id.BuildException;
import at.gv.egovernment.moa.id.ParseException;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
@@ -100,19 +101,25 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
String identityLinkType,
String oaURL,
String gebDat,
- List extendedSAMLAttributes)
+ List extendedSAMLAttributes,
+ AuthenticationSession session)
throws BuildException
{
-
+ session.setSAMLAttributeGebeORwbpk(true);
String gebeORwbpk = "";
String wbpkNSDeclaration = "";
if (target == null) {
// OA is a business application
- gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
- wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
+ if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) {
+ // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator
+ gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
+ wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
+ } else {
+ // We do not have a wbPK, therefore no SAML-Attribute is provided
+ session.setSAMLAttributeGebeORwbpk(false);
+ }
} else {
- gebeORwbpk = MessageFormat.format(
- GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
+ gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
}
String assertion;
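Review bot: The new `session` parameter is dereferenced unconditionally at `session.setSAMLAttributeGebeORwbpk(true);` before anything else in the body, so a caller passing null now fails with a NullPointerException instead of the BuildException this method declares; the signature starts at the top of the hunk and its Javadoc is above it, outside the hunk, and that Javadoc needs a `@param session` entry. I would phrase it as `@param session the session whose samlAttributeGebeORwbpk flag is set by this builder: true when a target or wbPK attribute was written into the AUTH-Block, false for an HPI identity link where no such attribute is emitted`, because the validator's expected-attribute count and its skip of the first-attribute check depend entirely on this side effect. The flag is set to true on every call and only cleared in the HPI branch, which is the right fail-closed order; it is worth keeping that ordering stable if the method is reorganised later. The method body continues past the end of the hunk.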
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
index 50d15007e..12d29ba82 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
@@ -66,13 +66,19 @@ public class AuthenticationSession {
* service or not
*/
private boolean businessService;
-
+
/**
* SAML attributes from an extended infobox validation to be appended
* to the SAML assertion delivered to the final online application.
*/
private List extendedSAMLAttributesOA;
+ /**
+ * The boolean value for either a target or a wbPK is provided as
+ * SAML Attribute in the SAML Assertion or not.
+ */
+ private boolean samlAttributeGebeORwbpk;
+
/**
* SAML attributes from an extended infobox validation to be appended
* to the SAML assertion of the AUTHBlock.
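Review bot: The new field `samlAttributeGebeORwbpk` is left at Java's default of false, and false is the permissive value: CreateXMLSignatureResponseValidator lowers the expected attribute count (the `expectedSAMLAttributeNumber--` hunk), skips the whole wbPK/Geschaeftsbereich check (the `if (session.getSAMLAttributeGebeORwbpk())` hunk) and waives `validator.31` (the last hunk) whenever it reads false. As far as this diff shows the builder always sets the flag before the validator runs, but any session that reaches the validator without passing through AuthenticationBlockAssertionBuilder would be validated without the identity-binding attribute. Initialising it fail-closed, `private boolean samlAttributeGebeORwbpk = true;`, makes the builder's explicit `setSAMLAttributeGebeORwbpk(false)` the only way to relax the check, and the field comment should say so: `Defaults to true so that the validator requires the attribute unless the builder explicitly cleared it.`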
@@ -335,6 +341,28 @@ public class AuthenticationSession {
}
/**
+ * Returns the boolean value for either a target or a wbPK is
+ * provided as SAML Attribute in the SAML Assertion or not.
+ *
+ * @return true either a target or a wbPK is provided as SAML Attribute
+ * in the SAML Assertion or false if not.
+ */
+ public boolean getSAMLAttributeGebeORwbpk() {
+ return this.samlAttributeGebeORwbpk;
+ }
+
+ /**
+ * Sets the boolean value for either a target or a wbPK is
+ * provided as SAML Attribute in the SAML Assertion or not.
+ *
+ * @param samlAttributeGebeORwbpk The boolean for value either a target or
+ * wbPK is provided as SAML Attribute in the SAML Assertion or not.
+ */
+ public void setSAMLAttributeGebeORwbpk(boolean samlAttributeGebeORwbpk) {
+ this.samlAttributeGebeORwbpk = samlAttributeGebeORwbpk;
+ }
+
+ /**
* Returns the issuing time of the AUTH-Block SAML assertion.
*
* @return The issuing time of the AUTH-Block SAML assertion.
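Review bot: The Javadoc of the new accessor pair is hard to parse: "The boolean for value either a target or wbPK is provided" in the `@param` and "true either a target or a wbPK is provided" in the `@return`. I would write the `@return` as `true if a target or a wbPK was provided as SAML attribute in the AUTH-Block assertion, false otherwise` and the `@param` as `samlAttributeGebeORwbpk whether a target or a wbPK is provided as SAML attribute in the AUTH-Block assertion`. Since the validator relies on this value to decide how many attributes to expect, the getter's summary should also mention that it is set by AuthenticationBlockAssertionBuilder, so a reader of this class knows where the value comes from.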
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 78f62de50..efb33ea59 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -87,6 +87,7 @@ public class CreateXMLSignatureResponseValidator {
boolean foundOA = false;
boolean foundGB = false;
boolean foundWBPK = false;
+ int offset = 0;
// check number of SAML aatributes
List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
@@ -96,6 +97,7 @@ public class CreateXMLSignatureResponseValidator {
}
int expectedSAMLAttributeNumber =
AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum;
+ if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
int actualSAMLAttributeNumber = samlAttributes.length;
if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
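Review bot: The added `if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;` is a braceless single-line if in a file that otherwise braces every block (see the surrounding `if` at the count check), and it carries no explanation of why the expected count shrinks. I would write it as `if (!session.getSAMLAttributeGebeORwbpk()) { // no target/wbPK attribute was put into the AUTH-Block (HPI identity link)` followed by `expectedSAMLAttributeNumber--;` and the closing brace. The enclosing validate method starts above and ends below this hunk.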
@@ -105,58 +107,63 @@ public class CreateXMLSignatureResponseValidator {
new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
}
- // check the first attribute ("Geschaeftsbereich" or "wbPK")
- SAMLAttribute samlAttribute = samlAttributes[0];
- if (businessService) {
- if (!samlAttribute.getName().equals("wbPK")) {
- if (samlAttribute.getName().equals("Geschaeftsbereich")) {
- throw new ValidateException("validator.26", null);
- } else {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
- }
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundWBPK = true;
- try {
- Element attrValue = (Element)samlAttribute.getValue();
- String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
- String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
- if (!value.equals(identityLink.getIdentificationValue())) {
- throw new ValidateException("validator.28", null);
- }
- if (!type.equals(identityLink.getIdentificationType())) {
- throw new ValidateException("validator.28", null);
- }
- } catch (Exception ex) {
- throw new ValidateException("validator.29", null);
- }
- } else {
- throw new ValidateException("validator.30", null);
- }
+ SAMLAttribute samlAttribute;
+ if (session.getSAMLAttributeGebeORwbpk()) {
+ // check the first attribute ("Geschaeftsbereich" or "wbPK")
+ samlAttribute = samlAttributes[0];
+ if (businessService) {
+ if (!samlAttribute.getName().equals("wbPK")) {
+ if (samlAttribute.getName().equals("Geschaeftsbereich")) {
+ throw new ValidateException("validator.26", null);
+ } else {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
+ }
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundWBPK = true;
+ try {
+ Element attrValue = (Element)samlAttribute.getValue();
+ String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
+ String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
+ if (!value.equals(identityLink.getIdentificationValue())) {
+ throw new ValidateException("validator.28", null);
+ }
+ if (!type.equals(identityLink.getIdentificationType())) {
+ throw new ValidateException("validator.28", null);
+ }
+ } catch (Exception ex) {
+ throw new ValidateException("validator.29", null);
+ }
+ } else {
+ throw new ValidateException("validator.30", null);
+ }
+ } else {
+ if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
+ if (samlAttribute.getName().equals("wbPK")) {
+ throw new ValidateException("validator.26", null);
+ } else {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
+ }
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundGB = true;
+ if (!gbTarget.equals((String)samlAttribute.getValue())) {
+ throw new ValidateException("validator.13", null);
+ }
+ } else {
+ throw new ValidateException("validator.12", null);
+ }
+ }
} else {
- if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
- if (samlAttribute.getName().equals("wbPK")) {
- throw new ValidateException("validator.26", null);
- } else {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
- }
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundGB = true;
- if (!gbTarget.equals((String)samlAttribute.getValue())) {
- throw new ValidateException("validator.13", null);
- }
- } else {
- throw new ValidateException("validator.12", null);
- }
+ offset--;
}
-
+
// check the second attribute (must be "OA")
- samlAttribute = samlAttributes[1];
+ samlAttribute = samlAttributes[1 + offset];
if (!samlAttribute.getName().equals("OA")) {
throw new ValidateException(
"validator.37",
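Review bot: The index shift is expressed as `offset--;` in the else branch of the flag check, so a reader has to find the `int offset = 0;` declared in an earlier hunk and this decrement to learn that every later index (`samlAttributes[1 + offset]`, `samlAttributes[2 + offset]` and `NUM_OF_SAML_ATTRIBUTES + offset` in the following hunks) moves by one; computing it once where the flag is first read, `int offset = session.getSAMLAttributeGebeORwbpk() ? 0 : -1;`, and dropping the decrement makes the intent visible and removes the mutable counter. The two nested branches under `if (session.getSAMLAttributeGebeORwbpk())` are the old code moved one level deeper; a comment on the else branch such as `// HPI identity link: no target/wbPK attribute in the AUTH-Block, later attributes shift down by one` would explain why the check is skipped. When the flag is false the signed AUTH-Block no longer binds the identification value through this check, and the builder's comment says the HPI is added by the corresponding validator as an extended attribute, so the extended-attribute loop below the hunk should be confirmed to compare that attribute against the identity link. The validate method starts before and ends after this hunk.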
@@ -172,7 +179,7 @@ public class CreateXMLSignatureResponseValidator {
}
// check the third attribute (must be "Geburtsdatum")
- samlAttribute = samlAttributes[2];
+ samlAttribute = samlAttributes[2 + offset];
if (!samlAttribute.getName().equals("Geburtsdatum")) {
throw new ValidateException(
"validator.37",
@@ -189,7 +196,7 @@ public class CreateXMLSignatureResponseValidator {
}
// now check the extended SAML attributes
- int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES;
+ int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
if (extendedSAMLAttributes != null) {
Iterator it = extendedSAMLAttributes.iterator();
while (it.hasNext()) {
@@ -250,7 +257,7 @@ public class CreateXMLSignatureResponseValidator {
if (!foundOA) throw new ValidateException("validator.14", null);
if (businessService) {
- if (!foundWBPK) throw new ValidateException("validator.31", null);
+ if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) throw new ValidateException("validator.31", null);
} else {
if (!foundGB) throw new ValidateException("validator.11", null);
}