aboutsummaryrefslogtreecommitdiff
path: root/id.server
diff options
context:
space:
mode:
Diffstat (limited to 'id.server')
-rw-r--r--id.server/doc/MOA-ID-Configuration-1.4.xsd1
-rw-r--r--id.server/doc/moa_id/id-admin_2.htm7
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java3
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java19
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java30
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java111
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java9
-rw-r--r--id.server/src/test/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilderTest.java2
8 files changed, 120 insertions, 62 deletions
diff --git a/id.server/doc/MOA-ID-Configuration-1.4.xsd b/id.server/doc/MOA-ID-Configuration-1.4.xsd
index c39c2845e..66a9c0ed4 100644
--- a/id.server/doc/MOA-ID-Configuration-1.4.xsd
+++ b/id.server/doc/MOA-ID-Configuration-1.4.xsd
@@ -139,6 +139,7 @@
</xsd:restriction>
</xsd:simpleType>
</xsd:attribute>
+ <xsd:attribute name="calculateHPI" type="xsd:boolean" use="optional" default="false"/>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
diff --git a/id.server/doc/moa_id/id-admin_2.htm b/id.server/doc/moa_id/id-admin_2.htm
index 8b7b61697..0773198ee 100644
--- a/id.server/doc/moa_id/id-admin_2.htm
+++ b/id.server/doc/moa_id/id-admin_2.htm
@@ -569,6 +569,13 @@ Projekt <span style="font-size:48pt; ">moa</span>&#160;
die Werte <tt>publicService</tt> f&uuml;r eine Applikation
aus dem &ouml;ffentlichen Bereich und <tt>businessService</tt>
für eine Anwendung aus dem privatwirtschaftlichen Bereich annehmen.
+ Ab Version 1.4 kann im Modus <tt>businessService</tt> ein zus&auml;tzliches
+ logisches Attribut <tt>OnlineApplication/@calculateHPI</tt> angegeben werden.
+ Dadurch wird im Falle von <tt>calculateHPI="true"</tt> im privatwirtschaftlichen
+ Bereich zur Identifikation der Health Professional Identifier HPI anstatt des wbPKs (siehe
+ <a href="#OnlineApplication/AuthComponent/IdentificationNumber">
+ OnlineApplication/AuthComponent/IdentificationNumber</a>) berechnet
+ und zur Anmeldung weiterverwendet.
Ist dieses Attribut nicht gesetzt, so wird der Typ <tt>publicService</tt>
vorausgesetzt. <br />
<br />
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index cd4b26df3..2baa172f1 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -493,7 +493,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
identificationType,
oaURL,
gebDat,
- extendedSAMLAttributes);
+ extendedSAMLAttributes,
+ session);
return authBlock;
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index ef50acb3f..4493333c2 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -5,6 +5,7 @@ import java.util.List;
import at.gv.egovernment.moa.id.BuildException;
import at.gv.egovernment.moa.id.ParseException;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
@@ -100,19 +101,25 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
String identityLinkType,
String oaURL,
String gebDat,
- List extendedSAMLAttributes)
+ List extendedSAMLAttributes,
+ AuthenticationSession session)
throws BuildException
{
-
+ session.setSAMLAttributeGebeORwbpk(true);
String gebeORwbpk = "";
String wbpkNSDeclaration = "";
if (target == null) {
// OA is a business application
- gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
- wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
+ if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) {
+ // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator
+ gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
+ wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
+ } else {
+ // We do not have a wbPK, therefore no SAML-Attribute is provided
+ session.setSAMLAttributeGebeORwbpk(false);
+ }
} else {
- gebeORwbpk = MessageFormat.format(
- GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
+ gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
}
String assertion;
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
index 50d15007e..12d29ba82 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
@@ -66,13 +66,19 @@ public class AuthenticationSession {
* service or not
*/
private boolean businessService;
-
+
/**
* SAML attributes from an extended infobox validation to be appended
* to the SAML assertion delivered to the final online application.
*/
private List extendedSAMLAttributesOA;
+ /**
+ * The boolean value for either a target or a wbPK is provided as
+ * SAML Attribute in the SAML Assertion or not.
+ */
+ private boolean samlAttributeGebeORwbpk;
+
/**
* SAML attributes from an extended infobox validation to be appended
* to the SAML assertion of the AUTHBlock.
@@ -335,6 +341,28 @@ public class AuthenticationSession {
}
/**
+ * Returns the boolean value for either a target or a wbPK is
+ * provided as SAML Attribute in the SAML Assertion or not.
+ *
+ * @return true either a target or a wbPK is provided as SAML Attribute
+ * in the SAML Assertion or false if not.
+ */
+ public boolean getSAMLAttributeGebeORwbpk() {
+ return this.samlAttributeGebeORwbpk;
+ }
+
+ /**
+ * Sets the boolean value for either a target or a wbPK is
+ * provided as SAML Attribute in the SAML Assertion or not.
+ *
+ * @param samlAttributeGebeORwbpk The boolean for value either a target or
+ * wbPK is provided as SAML Attribute in the SAML Assertion or not.
+ */
+ public void setSAMLAttributeGebeORwbpk(boolean samlAttributeGebeORwbpk) {
+ this.samlAttributeGebeORwbpk = samlAttributeGebeORwbpk;
+ }
+
+ /**
* Returns the issuing time of the AUTH-Block SAML assertion.
*
* @return The issuing time of the AUTH-Block SAML assertion.
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 78f62de50..efb33ea59 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -87,6 +87,7 @@ public class CreateXMLSignatureResponseValidator {
boolean foundOA = false;
boolean foundGB = false;
boolean foundWBPK = false;
+ int offset = 0;
// check number of SAML aatributes
List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
@@ -96,6 +97,7 @@ public class CreateXMLSignatureResponseValidator {
}
int expectedSAMLAttributeNumber =
AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum;
+ if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
int actualSAMLAttributeNumber = samlAttributes.length;
if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +
@@ -105,58 +107,63 @@ public class CreateXMLSignatureResponseValidator {
new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
}
- // check the first attribute ("Geschaeftsbereich" or "wbPK")
- SAMLAttribute samlAttribute = samlAttributes[0];
- if (businessService) {
- if (!samlAttribute.getName().equals("wbPK")) {
- if (samlAttribute.getName().equals("Geschaeftsbereich")) {
- throw new ValidateException("validator.26", null);
- } else {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
- }
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundWBPK = true;
- try {
- Element attrValue = (Element)samlAttribute.getValue();
- String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
- String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
- if (!value.equals(identityLink.getIdentificationValue())) {
- throw new ValidateException("validator.28", null);
- }
- if (!type.equals(identityLink.getIdentificationType())) {
- throw new ValidateException("validator.28", null);
- }
- } catch (Exception ex) {
- throw new ValidateException("validator.29", null);
- }
- } else {
- throw new ValidateException("validator.30", null);
- }
+ SAMLAttribute samlAttribute;
+ if (session.getSAMLAttributeGebeORwbpk()) {
+ // check the first attribute ("Geschaeftsbereich" or "wbPK")
+ samlAttribute = samlAttributes[0];
+ if (businessService) {
+ if (!samlAttribute.getName().equals("wbPK")) {
+ if (samlAttribute.getName().equals("Geschaeftsbereich")) {
+ throw new ValidateException("validator.26", null);
+ } else {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});
+ }
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundWBPK = true;
+ try {
+ Element attrValue = (Element)samlAttribute.getValue();
+ String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
+ String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
+ if (!value.equals(identityLink.getIdentificationValue())) {
+ throw new ValidateException("validator.28", null);
+ }
+ if (!type.equals(identityLink.getIdentificationType())) {
+ throw new ValidateException("validator.28", null);
+ }
+ } catch (Exception ex) {
+ throw new ValidateException("validator.29", null);
+ }
+ } else {
+ throw new ValidateException("validator.30", null);
+ }
+ } else {
+ if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
+ if (samlAttribute.getName().equals("wbPK")) {
+ throw new ValidateException("validator.26", null);
+ } else {
+ throw new ValidateException(
+ "validator.37",
+ new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
+ }
+ }
+ if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundGB = true;
+ if (!gbTarget.equals((String)samlAttribute.getValue())) {
+ throw new ValidateException("validator.13", null);
+ }
+ } else {
+ throw new ValidateException("validator.12", null);
+ }
+ }
} else {
- if (!samlAttribute.getName().equals("Geschaeftsbereich")) {
- if (samlAttribute.getName().equals("wbPK")) {
- throw new ValidateException("validator.26", null);
- } else {
- throw new ValidateException(
- "validator.37",
- new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});
- }
- }
- if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
- foundGB = true;
- if (!gbTarget.equals((String)samlAttribute.getValue())) {
- throw new ValidateException("validator.13", null);
- }
- } else {
- throw new ValidateException("validator.12", null);
- }
+ offset--;
}
-
+
// check the second attribute (must be "OA")
- samlAttribute = samlAttributes[1];
+ samlAttribute = samlAttributes[1 + offset];
if (!samlAttribute.getName().equals("OA")) {
throw new ValidateException(
"validator.37",
@@ -172,7 +179,7 @@ public class CreateXMLSignatureResponseValidator {
}
// check the third attribute (must be "Geburtsdatum")
- samlAttribute = samlAttributes[2];
+ samlAttribute = samlAttributes[2 + offset];
if (!samlAttribute.getName().equals("Geburtsdatum")) {
throw new ValidateException(
"validator.37",
@@ -189,7 +196,7 @@ public class CreateXMLSignatureResponseValidator {
}
// now check the extended SAML attributes
- int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES;
+ int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset;
if (extendedSAMLAttributes != null) {
Iterator it = extendedSAMLAttributes.iterator();
while (it.hasNext()) {
@@ -250,7 +257,7 @@ public class CreateXMLSignatureResponseValidator {
if (!foundOA) throw new ValidateException("validator.14", null);
if (businessService) {
- if (!foundWBPK) throw new ValidateException("validator.31", null);
+ if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) throw new ValidateException("validator.31", null);
} else {
if (!foundGB) throw new ValidateException("validator.11", null);
}
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
index ebb29c26d..43c018e76 100644
--- a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
+++ b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
@@ -472,7 +472,14 @@ public class ConfigurationBuilder {
Logger.error("Missing \"IdentificationNumber\" for OA of type \"businessService\"");
throw new ConfigurationException("config.02", null);
}
- oap.setIdentityLinkDomainIdentifier(buildIdentityLinkDomainIdentifier(identificationNumberChild));
+ if ("false".equalsIgnoreCase(oAElem.getAttribute("calculateHPI"))) {
+ oap.setIdentityLinkDomainIdentifier(buildIdentityLinkDomainIdentifier(identificationNumberChild));
+ } else {
+ // If we have business service and want to dealt with GDA, the security layer can be advised to calulate
+ // the Health Professional Identifier HPI instead of the wbPK
+ Logger.info("OA uses HPI for Identification");
+ oap.setIdentityLinkDomainIdentifier(Constants.URN_PREFIX_HPI);
+ }
// if OA type is "businessSErvice" set slVersion to 1.2 and ignore parameter in config file
Logger.info("OA type is \"businessService\"; setting Security Layer version to 1.2");
diff --git a/id.server/src/test/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilderTest.java b/id.server/src/test/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilderTest.java
index 68f7ba973..8cc8797ef 100644
--- a/id.server/src/test/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilderTest.java
+++ b/id.server/src/test/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilderTest.java
@@ -39,7 +39,7 @@ public class AuthenticationBlockAssertionBuilderTest extends UnitTestCase {
public void testBuild() throws Exception {
AuthenticationBlockAssertionBuilder builder = new AuthenticationBlockAssertionBuilder();
- String assertionBuilt = builder.buildAuthBlock(ISSUER, ISSUE_INSTANT, AUTH_URL, TARGET, "", "", OA_URL, GEB_DAT, null);
+ String assertionBuilt = builder.buildAuthBlock(ISSUER, ISSUE_INSTANT, AUTH_URL, TARGET, "", "", OA_URL, GEB_DAT, null, null);
assertionBuilt = XML_DECL + assertionBuilt;
String assertionShould = XML_DECL + ASSERTION_SHOULD;
assertXmlEquals(assertionShould, assertionBuilt);