Diffstat (limited to 'id.server/src/at/gv')
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java82
1 files changed, 44 insertions, 38 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 2eafaa297..7693c3170 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -1,12 +1,13 @@
package at.gv.egovernment.moa.id.auth.validator;
import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
import at.gv.egovernment.moa.util.Constants;
-import at.gv.egovernment.moa.util.XPathUtils;
/**
*
@@ -17,24 +18,6 @@ import at.gv.egovernment.moa.util.XPathUtils;
* @version $Id$
*/
public class CreateXMLSignatureResponseValidator {
-
- /** Xpath prefix for reaching SAML Namespaces */
- private static final String SAML = Constants.SAML_PREFIX + ":";
- /** Xpath prefix for reaching XML-DSIG Namespaces */
- private static final String DSIG = Constants.DSIG_PREFIX + ":";
- /** Xpath expression to the SAML:Assertion element */
- private static final String ROOT = SAML + "Assertion";
- /** Xpath expression to the SAML:NameIdentifier element */
- private static final String SAML_SUBJECT_NAME_IDENTIFIER_XPATH =
- SAML + "AttributeStatement/" + SAML + "Subject/" +
- SAML + "NameIdentifier";
- /** Xpath expression to the SAML:Attribute element */
- private static final String SAML_ATTRIBUTE_XPATH =
- ROOT + "/" + SAML + "AttributeStatement/" + SAML + "Attribute";
- /** Xpath expression to the SAML:AttributeValue element */
- private static final String SAML_ATTRIBUTE_VALUE_XPATH =
- SAML + "AttributeValue";
-
/** Singleton instance. <code>null</code>, if none has been created. */
private static CreateXMLSignatureResponseValidator instance;
@@ -69,52 +52,75 @@ public class CreateXMLSignatureResponseValidator {
String oaURL = session.getPublicOAURLPrefix();
boolean businessService = session.getBusinessService();
-// XPathUtils.selectNodeList(createXMLSignatureResponse.getSamlAssertion(),SAML_SUBJECT_NAME_IDENTIFIER_XPATH);
+ IdentityLink identityLink = session.getIdentityLink();
+
+ String issuer = createXMLSignatureResponse.getSamlAssertion().getAttribute("Issuer");
+ if (issuer == null) {
+ // should not happen, because parser would dedect this
+ throw new ValidateException("validator.32", null);
+ }
+ String name = identityLink.getName();
+ if (!issuer.equals(name)) {
+ throw new ValidateException("validator.33", new Object[] {issuer, name});
+ }
+
- SAMLAttribute[] samlattributes = createXMLSignatureResponse.getSamlAttributes();
+ SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
boolean foundOA = false;
boolean foundGB = false;
boolean foundWBPK = false;
- for (int i = 0; i < samlattributes.length; i++) {
- if (samlattributes[i].getName().equals("Geschaeftsbereich")) {
+ for (int i = 0; i < samlAttributes.length; i++) {
+ SAMLAttribute samlAttribute = samlAttributes[i];
+ if (samlAttribute.getName().equals("Geschaeftsbereich")) {
if (businessService) {
throw new ValidateException("validator.26", null);
}
- if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
foundGB = true;
- if (!gbTarget.equals((String)samlattributes[i].getValue())) {
+ if (!gbTarget.equals((String)samlAttribute.getValue())) {
throw new ValidateException("validator.13", null);
}
} else {
throw new ValidateException("validator.12", null);
}
}
- if (samlattributes[i].getName().equals("OA")) {
- if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ if (samlAttribute.getName().equals("OA")) {
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
foundOA = true;
- if (!oaURL.equals((String)samlattributes[i].getValue())) { // CHECKS für die AttributeVALUES fehlen noch
- throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlattributes[i].getValue()});
+ if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch
+ throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});
}
} else {
throw new ValidateException("validator.15", null);
}
}
- if (samlattributes[i].getName().equals("wbPK")) {
+ if (samlAttribute.getName().equals("Geburtsdatum")) {
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ String samlDateOfBirth = (String)samlAttribute.getValue();
+ String dateOfBirth = identityLink.getDateOfBirth();
+ if (!samlDateOfBirth.equals(dateOfBirth)) {
+ throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
+ }
+ } else {
+ throw new ValidateException("validator.35", null);
+ }
+ }
+ if (samlAttribute.getName().equals("wbPK")) {
if (!businessService) {
throw new ValidateException("validator.27", null);
}
- if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
foundWBPK = true;
try {
- Element attrValue = (Element)samlattributes[i].getValue();
+ Element attrValue = (Element)samlAttribute.getValue();
String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
- if (!value.equals(session.getIdentityLink().getIdentificationValue())) {
+ if (!value.equals(identityLink.getIdentificationValue())) {
throw new ValidateException("validator.28", null);
}
- if (!type.equals(session.getIdentityLink().getIdentificationType())) {
+ if (!type.equals(identityLink.getIdentificationType())) {
throw new ValidateException("validator.28", null);
}
} catch (Exception ex) {
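Review bot: The `issuer == null` guard after `getSamlAssertion().getAttribute("Issuer")` can never fire, because DOM `Element.getAttribute` returns an empty string for an absent attribute, so a missing Issuer only surfaces as a validator.33 mismatch against the identity-link name; if the absence is meant to be reported separately, change the condition to `if (issuer == null || issuer.length() == 0)`. The new Geburtsdatum branch sets no `found` flag, unlike the OA/Geschaeftsbereich/wbPK branches, so an assertion that simply omits the date of birth passes the loop without that binding being checked — if it is meant to be mandatory, add a `foundDOB = true;` here and verify it after the loop, which lies outside this hunk. The `(String)samlAttribute.getValue()` cast and the `.equals` on it are not inside a try block as the wbPK branch is, so a non-text value or a null from the parser would surface as a ClassCastException or NullPointerException rather than a ValidateException. `identityLink` is taken from the session and dereferenced without a null check; presumably it is guaranteed present at this stage of authentication — confirm. The enclosing method starts before and ends after this hunk.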
@@ -134,9 +140,9 @@ public class CreateXMLSignatureResponseValidator {
}
//Check if dsig:Signature exists
- Element dsigSignature = (Element) XPathUtils.selectSingleNode(createXMLSignatureResponse.getSamlAssertion(),DSIG + "Signature");
- if (dsigSignature==null) throw new ValidateException("validator.05", null);
-
-
+ NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
+ if (nl.getLength() != 1) {
+ throw new ValidateException("validator.05", null);
+ }
}
}
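Review bot: The replacement presence check searches the whole assertion subtree, since `getElementsByTagNameNS` returns all matching descendants, whereas the removed XPath `dsig:Signature` selected only a direct child of the assertion; a `ds:Signature` nested anywhere inside (for example within an AttributeValue) now satisfies the check even when no enveloped signature is a direct child. Requiring exactly one element is a sensible fail-closed tightening, but the location should be pinned as well: `Element assertion = createXMLSignatureResponse.getSamlAssertion();` `NodeList nl = assertion.getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");` `if (nl.getLength() != 1 || nl.item(0).getParentNode() != assertion) {`. This check only establishes that a signature element exists and does not verify it, so the cryptographic verification and the check that its reference actually covers this assertion are presumably done elsewhere — worth confirming that path rejects a signature over some other subtree. The `//Check if dsig:Signature exists` comment should also state the contract, e.g. `// exactly one dsig:Signature must be a direct child of saml:Assertion`.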