diff options
Diffstat (limited to 'id.server/src/at/gv/egovernment')
6 files changed, 260 insertions, 62 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index a79cba4d7..5f4ec2d29 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -40,6 +40,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.auth.data.InfoboxValidationResult; import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; @@ -589,25 +590,25 @@ public class AuthenticationServer implements MOAIDAuthConstants { InfoboxValidatorParamsBuilder.buildInfoboxValidatorParams( session, verifyInfoboxParameter, infoboxTokenList, hideStammzahl); // now validate the infobox - boolean infoboxValid = false; + InfoboxValidationResult infoboxValidationResult = null; try { - infoboxValid = infoboxValidator.validate(infoboxValidatorParams); + infoboxValidationResult = infoboxValidator.validate(infoboxValidatorParams); } catch (ValidateException e) { Logger.error("Error validating " + identifier + " infobox:" + e.getMessage()); throw new ValidateException( "validator.44", new Object[] {friendlyName}); } - if (!infoboxValid) { + if (!infoboxValidationResult.isValid()) { Logger.info("Validation of " + identifier + " infobox failed."); throw new ValidateException( - "validator.40", new Object[] {friendlyName, infoboxValidator.getErrorMessage()}); + "validator.40", new Object[] {friendlyName, infoboxValidationResult.getErrorMessage()}); } Logger.info(identifier + " infobox successfully validated."); // get the SAML attributes to be appended to the AUTHBlock or to the final // SAML Assertion - ExtendedSAMLAttribute[] extendedSAMLAttributes = infoboxValidator.getExtendedSamlAttributes(); + ExtendedSAMLAttribute[] extendedSAMLAttributes = infoboxValidationResult.getExtendedSamlAttributes(); if (extendedSAMLAttributes != null) { int length = extendedSAMLAttributes.length; for (int i=0; i<length; i++) { diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidationResult.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidationResult.java new file mode 100644 index 000000000..0ee2f21d5 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidationResult.java @@ -0,0 +1,76 @@ +package at.gv.egovernment.moa.id.auth.data; + +import org.w3c.dom.Element; + +/** + * Includes the result of an extended infobox validation. + * + * If validation succeeds, an array of + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute ExtendedSAMLAttributes} + * maybe provided. Each of these SAML-Attributes will be either appended to the + * final SAML-Assertion passed to the online application or to the AUTH-Block, + * or to both. + * <br> + * If validation fails the implementing class has to provide a short error message. + * <br> + * If the corresponding infobox validator runs in the so called <code>compatibility mode</code> + * a <code>pr:Persondata</code> element to be used in the final <code>saml:Assertion</code> + * ({@see #getPersonData()}) + * + * @author Harald Bratko + */ +public interface InfoboxValidationResult { + + /** + * The method returns <code>true</code> if validation succeeds. In that case + * method {@link #getExtendedSamlAttributes()} may provide an array of + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute + * ExtendedSAMLAttributes} that should be appended to the final SAML-Assertion or the + * AUTH-Block or to both. + * <br> + * The method returns <code>false</code> if validation fails. In that case + * method {@link #getErrorMessage()} has to provide a short error description. + * + * @return <code>True</code> if validation succeeds, + * otherwise <code>false</code>. + */ + public boolean isValid(); + + /** + * Returns an array of {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute + * ExtendedSAMLAttributes} that should be added to the SAML-Assertion + * provided to the online application. + * The SAML-Attributes in that array will be added to the final + * SAML-Assertion, the AUTH-Block, or both, exactly in the order as they are arranged + * in the array this method returns. + * + * @return An array of {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute + * ExtendedSAMLAttributes} that should be added to the SAML-Assertion + * provided to the online application, the AUTH-Block, or both. If no attributes should + * be added this array maybe <code>null</code> or empty. + */ + public ExtendedSAMLAttribute[] getExtendedSamlAttributes(); + + /** + * A short error description that should be displayed by MOA-ID if + * validation of the InfoBoxReadResponse fails. + * + * @return An short error message if validation fails. + */ + public String getErrorMessage(); + + /** + * Returns a <code><pr:PersonData></code> element to be used in the final + * <code><saml:Assertion></code>. + * <br> + * If the corresponding infobox validator runs in the so called <code>compatibility mode</code> + * the method must return a <code><pr:PersonData></code> element to be used within + * the final <code><saml:Assertion></code> sent to the online application instead of + * the original <code><pr:PersonData></code> element derived from the <code><Identitylink></code>. + * + * @return A <code><pr:PersonData></code> element if the corresponding infobox validator + * runs in the <code>compatibility mode</code>, otherwise <code>null</code>. + */ + public Element getPersonData(); + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidationresultImpl.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidationresultImpl.java new file mode 100644 index 000000000..24eb01e95 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidationresultImpl.java @@ -0,0 +1,122 @@ +package at.gv.egovernment.moa.id.auth.data; + +import org.w3c.dom.Element; + +/** + * Default implementation of the {@link InfoboxValidationresult} interface. + * + * @author Harald Bratko + */ +public class InfoboxValidationresultImpl implements InfoboxValidationResult { + + /** + * Indicates whether the validation was successful or not. + */ + protected boolean valid_; + + /** + * The error message. + */ + protected String errorMessage_; + + /** + * The SAML attributes returned by the infobox validator. + */ + protected ExtendedSAMLAttribute[] extendedSamlAttributes_; + + /** + * The <code><pr:PersonData></code> element to be used in the final + * <code><saml:Assertion></code>, if the validator runs in the + * <code>compatibility mode</code>. + */ + protected Element personData_; + + /** + * Constructor. + * + * @param valid + * @param extendedSamlAttributes + * @param errorMessage + * @param personData + */ + public InfoboxValidationresultImpl( + boolean valid, + ExtendedSAMLAttribute[] extendedSamlAttributes, + String errorMessage, + Element personData) + { + valid_ = valid; + extendedSamlAttributes_ = extendedSamlAttributes; + errorMessage_ = errorMessage; + personData_ = personData; + } + + + + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidationResult#getErrorMessage() + */ + public String getErrorMessage() { + return errorMessage_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidationResult#getExtendedSamlAttributes() + */ + public ExtendedSAMLAttribute[] getExtendedSamlAttributes() { + return extendedSamlAttributes_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidationResult#getPersonData() + */ + public Element getPersonData() { + return personData_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidationResult#isValid() + */ + public boolean isValid() { + return valid_; + } + + /** + * Sets the errorMessage. + * + * @param errorMessage The errorMessage to set. + */ + public void setErrorMessage(String errorMessage) { + errorMessage_ = errorMessage; + } + + /** + * Sets the extendedSamlAttributes. + * + * @param extendedSamlAttributes The extendedSamlAttributes to set. + */ + public void setExtendedSamlAttributes(ExtendedSAMLAttribute[] extendedSamlAttributes) { + extendedSamlAttributes_ = extendedSamlAttributes; + } + + /** + * Sets the <code><pr:PersonData></code> element. + * + * @param personData <code><pr:PersonData></code> to set. + */ + public void setPersonData(Element personData) { + personData_ = personData; + } + + /** + * Specify whether the result is valid or not. + * + * @param valid <code>True</code> if the infobox could be validated successfully, + * otherwise <code>false</code>. + */ + public void setValid(boolean valid) { + valid_ = valid; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java index 381815258..71d675259 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java @@ -157,6 +157,21 @@ public interface InfoboxValidatorParams { public boolean getHideStammzahl(); /** + * Indicates if the infobox validator has to run in the so called <code>compatibility mode</code>. + * <br> + * The <code>compatibility mode</code> is used when the final <code><saml:Assertion></code> + * sent to the online application should be rather built on the basis of a <code><pr:PersonData></code> + * structure returned by the infobox validator instead of the original identity link. + * This mode is mainly used within the <code>Mandates</code> context + * (please refer MOA-ID specification for more details). + * + * @return <code>True</code> the infobox validator has to run in the so called + * <code>compatibility mode</code>, otherwise <code>false</code>. The default value + * <i>should</i> be </code>false</code>. + */ + public boolean getCompMode(); + + /** * Returns application specific parameters. * Each child element of this element contains * a validating application specific parameter. The diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java index 123d57157..e524ff5f5 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java @@ -21,76 +21,80 @@ public class InfoboxValidatorParamsImpl implements InfoboxValidatorParams { * The first token in this list is the one to be validated. Each further token * maybe needed to validate this first token. */ - private List infoboxTokenList_; + protected List infoboxTokenList_; /** * The ID of the trust profile used for validating certificates. */ - private String trustProfileID_; + protected String trustProfileID_; /** * The locations of schemas that maybe needed for validating infobox tokens. */ - private List schemaLocations_; + protected List schemaLocations_; /** * The URL of the BKU. */ - private String bkuURL_; + protected String bkuURL_; /** * Specifies whether the current online application is a business or a public application. */ - private boolean businessApplication_; + protected boolean businessApplication_; /** * The target parameter. */ - private String target_; + protected String target_; /** * The family name from the identity link. */ - private String familyName_; + protected String familyName_; /** * The given name from the identity link. */ - private String givenName_; + protected String givenName_; /** * The date of birth from the identity link. */ - private String dateOfBirth_; + protected String dateOfBirth_; /** * The date of identification value. */ - private String identificationValue_; + protected String identificationValue_; /** * The identification type. */ - private String identificationType_; + protected String identificationType_; /** * The public keys from the identity link. */ - private PublicKey[] publicKeys_; + protected PublicKey[] publicKeys_; /** * The identity link. */ - private Element identityLink_; + protected Element identityLink_; + /** + * Indicates if the infobox validator has to run in the so called <code>compatibility mode</code>. + */ + protected boolean compMode_; /** * Indicates whether source pins (<code>Stammzahl</code>en) must be hidden or not. */ - private boolean hideStammzahl_; + protected boolean hideStammzahl_; /** * Application specific parameters. */ - private Element applicationSpecificParams_; + protected Element applicationSpecificParams_; /** * Empty constructor. @@ -190,6 +194,13 @@ public class InfoboxValidatorParamsImpl implements InfoboxValidatorParams { } /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getCompMode() + */ + public boolean getCompMode() { + return compMode_; + } + + /** * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getHideStammzahl() */ public boolean getHideStammzahl() { @@ -332,16 +343,27 @@ public class InfoboxValidatorParamsImpl implements InfoboxValidatorParams { public void setTrustProfileID(String trustProfileID) { trustProfileID_ = trustProfileID; } + + /** + * Sets the {@link #compMode_} parameter. Indicates whether the infobox + * validator has to run in the so called <code>compatibility mode</code>. + * + * @param compMode <code>True</code> if the infobox validator has to run in the so + * called <code>compatibility mode</code>, otherwise <code>false</code>. + */ + public void setCompMode(boolean compMode) { + compMode_ = compMode; + } /** - * Sets the hideStammzahl_ parameter. This indicates whether source pins + * Sets the {@link #hideStammzahl_} parameter. This indicates whether source pins * (<code>Stammzahl</code>en) must be hidden or not. * * @param hideStammzahl <code>True</code> if source pins (<code>Stammzahl</code>en) should * be hidden, otherwise <code>false</code>. */ public void setHideStammzahl(boolean hideStammzahl) { - this.hideStammzahl_ = hideStammzahl; + hideStammzahl_ = hideStammzahl; } } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java index e17e03a20..2f14eb3c9 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java @@ -1,5 +1,6 @@ package at.gv.egovernment.moa.id.auth.validator; +import at.gv.egovernment.moa.id.auth.data.InfoboxValidationResult; import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; @@ -8,13 +9,6 @@ import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; * An implementing class has to validate the content of the InfoboxReadResponse * according to the type specific rules and guidelines of the underlying * application. - * If validation succeeds, the class may provide an array of - * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute - * ExtendedSAMLAttributes}. Each of these SAML-Attributes will be either appended to the - * final SAML-Assertion passed to the online application or to the AUTH-Block, - * or to both. - * <br> - * If validation fails the implementing class has to provide a short error message. */ public interface InfoboxValidator { @@ -23,15 +17,6 @@ public interface InfoboxValidator { * The method validates the content of the passed <code>infoboxReadResponse</code> * according to the type specific rules and guidelines of the underlying * application. - * <br> - * The method returns <code>true</code> if validation succeeds. In that case - * method {@link #getExtendedSamlAttributes()} may provide an array of - * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute - * ExtendedSAMLAttributes} that should be appended to the final SAML-Assertion or the - * AUTH-Block or to both. - * <br> - * The method returns <code>false</code> if validation fails. In that case - * method {@link #getErrorMessage()} has to provide a short error description. * * @param params {@link at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams * Parameters} needed by the validator. @@ -42,30 +27,7 @@ public interface InfoboxValidator { * @throws ValidateException If an error occurs on validating the * InfoboxReadResponse. */ - public boolean validate (InfoboxValidatorParams params) + public InfoboxValidationResult validate (InfoboxValidatorParams params) throws ValidateException; - - /** - * Returns an array of {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute - * ExtendedSAMLAttributes} that should be added to the SAML-Assertion - * provided to the online application. - * The SAML-Attributes in that array will be added to the final - * SAML-Assertion, the AUTH-Block, or both, exactly in the order as they are arranged - * in the array this method returns. - * - * @return An array of {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute - * ExtendedSAMLAttributes} that should be added to the SAML-Assertion - * provided to the online application, the AUTH-Block, or both. If no attributes should - * be added this array maybe <code>null</code> or empty. - */ - public ExtendedSAMLAttribute[] getExtendedSamlAttributes(); - - /** - * A short error description that should be displayed by MOA-ID if - * validation of the InfoBoxReadResponse fails. - * - * @return An short error message if validation fails. - */ - public String getErrorMessage(); } |