Diffstat (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java')
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java433
1 files changed, 221 insertions, 212 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
index c70d34d7e..a880e800b 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
@@ -62,217 +62,226 @@ import at.gv.egovernment.moa.util.MiscUtil;
*
*/
public class SLOBasicServlet extends HttpServlet {
- private static final long serialVersionUID = -4547240664871845098L;
- private static final Logger log = LoggerFactory
- .getLogger(SLOBasicServlet.class);
-
- private ConfigurationProvider config;
-
- public SLOBasicServlet() throws ConfigurationException {
- config = ConfigurationProvider.getInstance();
- config.initializePVP2Login();
- }
-
- protected LogoutRequest createLogOutRequest(String nameID, String nameIDFormat, HttpServletRequest request) throws SLOException {
- try {
- LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class);
- SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
- sloReq.setID(gen.generateIdentifier());
- sloReq.setIssueInstant(new DateTime());
- NameID name = SAML2Utils.createSAMLObject(NameID.class);
- Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
-
- String serviceURL = config.getPublicUrlPreFix(request);
- if (!serviceURL.endsWith("/"))
- serviceURL = serviceURL + "/";
- name.setValue(serviceURL);
- issuer.setValue(serviceURL);
- issuer.setFormat(NameIDType.ENTITY);
- sloReq.setIssuer(issuer);
-
- NameID userNameID = SAML2Utils.createSAMLObject(NameID.class);
- sloReq.setNameID(userNameID);
- userNameID.setFormat(nameIDFormat);
- userNameID.setValue(nameID);
-
- return sloReq;
-
- } catch (NoSuchAlgorithmException e) {
- log.warn("Single LogOut request createn FAILED. ", e);
- throw new SLOException();
-
- }
-
- }
-
- protected LogoutResponse processLogOutRequest(LogoutRequest sloReq, HttpServletRequest request) throws NoSuchAlgorithmException {
- //check response destination
- String serviceURL = config.getPublicUrlPreFix(request);
- if (!serviceURL.endsWith("/"))
- serviceURL = serviceURL + "/";
-
- String responseDestination = sloReq.getDestination();
- if (MiscUtil.isEmpty(responseDestination) ||
- !responseDestination.startsWith(serviceURL)) {
- log.warn("PVPResponse destination does not match requested destination");
- return createSLOResponse(sloReq, StatusCode.REQUESTER_URI, request);
- }
-
- AuthenticationManager authManager = AuthenticationManager.getInstance();
- if (authManager.isActiveUser(sloReq.getNameID().getValue())) {
- AuthenticatedUser authUser = authManager.getActiveUser(sloReq.getNameID().getValue());
- log.info("User " + authUser.getGivenName() + " " + authUser.getFamilyName() + " with nameID:"
- + authUser.getNameID() + " get logged out by Single LogOut request.");
- authManager.removeActiveUser(authUser);
- HttpSession session = request.getSession(false);
- if (session != null)
- session.invalidate();
- return createSLOResponse(sloReq, StatusCode.SUCCESS_URI, request);
-
- } else {
- log.debug("Single LogOut not possible! User with nameID:" + sloReq.getNameID().getValue() + " is not found.");
- return createSLOResponse(sloReq, StatusCode.SUCCESS_URI, request);
-
- }
-
- }
-
- protected LogoutResponse createSLOResponse(LogoutRequest sloReq, String statusCodeURI, HttpServletRequest request) throws NoSuchAlgorithmException {
- LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class);
- SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
- sloResp.setID(gen.generateIdentifier());
- sloResp.setInResponseTo(sloReq.getID());
- sloResp.setIssueInstant(new DateTime());
- NameID name = SAML2Utils.createSAMLObject(NameID.class);
- Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
-
- String serviceURL = config.getPublicUrlPreFix(request);
- if (!serviceURL.endsWith("/"))
- serviceURL = serviceURL + "/";
- name.setValue(serviceURL);
- issuer.setValue(serviceURL);
- issuer.setFormat(NameIDType.ENTITY);
- sloResp.setIssuer(issuer);
-
- Status status = SAML2Utils.createSAMLObject(Status.class);
- sloResp.setStatus(status);
- StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class);
- statusCode.setValue(statusCodeURI);
- status.setStatusCode(statusCode );
-
- return sloResp;
- }
-
- protected void validateLogOutResponse(LogoutResponse sloResp, String reqID, HttpServletRequest request, HttpServletResponse response) throws PVP2Exception {
- //ckeck InResponseTo matchs requestID
- if (MiscUtil.isEmpty(reqID)) {
- log.info("NO Sigle LogOut request ID");
- throw new PVP2Exception("NO Sigle LogOut request ID");
- }
-
- if (!reqID.equals(sloResp.getInResponseTo())) {
- log.warn("SLORequestID does not match SLO Response ID!");
- throw new PVP2Exception("SLORequestID does not match SLO Response ID!");
-
- }
-
- //check response destination
- String serviceURL = config.getPublicUrlPreFix(request);
- if (!serviceURL.endsWith("/"))
- serviceURL = serviceURL + "/";
-
- String responseDestination = sloResp.getDestination();
- if (MiscUtil.isEmpty(responseDestination) ||
- !responseDestination.startsWith(serviceURL)) {
- log.warn("PVPResponse destination does not match requested destination");
- throw new PVP2Exception("SLO response destination does not match requested destination");
- }
-
- request.getSession().invalidate();
-
- if (sloResp.getStatus().getStatusCode().getValue().equals(StatusCode.PARTIAL_LOGOUT_URI)) {
- log.warn("Single LogOut process is not completed.");
- request.getSession().setAttribute(Constants.SESSION_SLOERROR,
- LanguageHelper.getErrorString("webpages.slo.error", request));
-
-
- } else if (sloResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
-
- if (sloResp.getStatus().getStatusCode().getStatusCode() != null &&
- !sloResp.getStatus().getStatusCode().getStatusCode().equals(StatusCode.PARTIAL_LOGOUT_URI)) {
- log.info("Single LogOut process complete.");
- request.getSession().setAttribute(Constants.SESSION_SLOSUCCESS,
- LanguageHelper.getErrorString("webpages.slo.success", request));
-
- } else {
- log.warn("Single LogOut process is not completed.");
- request.getSession().setAttribute(Constants.SESSION_SLOERROR,
- LanguageHelper.getErrorString("webpages.slo.error", request));
-
- }
-
- } else {
- log.warn("Single LogOut response sends an unsupported statustype " + sloResp.getStatus().getStatusCode().getValue());
- request.getSession().setAttribute(Constants.SESSION_SLOERROR,
- LanguageHelper.getErrorString("webpages.slo.error", request));
-
- }
- String redirectURL = serviceURL + Constants.SERVLET_LOGOUT;
- redirectURL = response.encodeRedirectURL(redirectURL);
- response.setContentType("text/html");
- response.setStatus(302);
- response.addHeader("Location", redirectURL);
-
- }
-
- protected SingleLogoutService findIDPFrontChannelSLOService() throws
- ConfigurationException, SLOException {
-
- String entityname = config.getPVP2IDPMetadataEntityName();
- if (MiscUtil.isEmpty(entityname)) {
- log.info("No IDP EntityName configurated");
- throw new ConfigurationException("No IDP EntityName configurated");
- }
-
- //get IDP metadata from metadataprovider
- HTTPMetadataProvider idpmetadata = config.getMetaDataProvier();
- try {
- EntityDescriptor idpEntity = idpmetadata.getEntityDescriptor(entityname);
- if (idpEntity == null) {
- log.info("IDP EntityName is not found in IDP Metadata");
- throw new ConfigurationException("IDP EntityName is not found in IDP Metadata");
-
- }
-
- //select authentication-service url from metadata
- SingleLogoutService redirectEndpoint = null;
- for (SingleLogoutService sss :
- idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleLogoutServices()) {
-
- //Get the service address for the binding you wish to use
- if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI))
- redirectEndpoint = sss;
-
- else if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI) &&
- redirectEndpoint == null)
- redirectEndpoint = sss;
- }
-
- if (redirectEndpoint == null) {
- log.warn("Single LogOut FAILED: IDP implements no frontchannel SLO service.");
- throw new SLOException("Single LogOut FAILED: IDP implements no frontchannel SLO service.");
- }
-
- return redirectEndpoint;
- } catch (MetadataProviderException e) {
- log.info("IDP EntityName is not found in IDP Metadata", e);
- throw new ConfigurationException("IDP EntityName is not found in IDP Metadata");
-
- }
- }
-
- protected ConfigurationProvider getConfig() {
- return config;
- }
+ private static final long serialVersionUID = -4547240664871845098L;
+ private static final Logger log = LoggerFactory
+ .getLogger(SLOBasicServlet.class);
+
+ private final ConfigurationProvider config;
+
+ public SLOBasicServlet() throws ConfigurationException {
+ config = ConfigurationProvider.getInstance();
+ config.initializePVP2Login();
+ }
+
+ protected LogoutRequest createLogOutRequest(String nameID, String nameIDFormat, HttpServletRequest request)
+ throws SLOException {
+ try {
+ final LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class);
+ final SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
+ sloReq.setID(gen.generateIdentifier());
+ sloReq.setIssueInstant(new DateTime());
+ final NameID name = SAML2Utils.createSAMLObject(NameID.class);
+ final Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
+
+ String serviceURL = config.getPublicUrlPreFix(request);
+ if (!serviceURL.endsWith("/")) {
+ serviceURL = serviceURL + "/";
+ }
+ name.setValue(serviceURL);
+ issuer.setValue(serviceURL);
+ issuer.setFormat(NameIDType.ENTITY);
+ sloReq.setIssuer(issuer);
+
+ final NameID userNameID = SAML2Utils.createSAMLObject(NameID.class);
+ sloReq.setNameID(userNameID);
+ userNameID.setFormat(nameIDFormat);
+ userNameID.setValue(nameID);
+
+ return sloReq;
+
+ } catch (final NoSuchAlgorithmException e) {
+ log.warn("Single LogOut request createn FAILED. ", e);
+ throw new SLOException();
+
+ }
+
+ }
+
+ protected LogoutResponse processLogOutRequest(LogoutRequest sloReq, HttpServletRequest request)
+ throws NoSuchAlgorithmException {
+ // check response destination
+ String serviceURL = config.getPublicUrlPreFix(request);
+ if (!serviceURL.endsWith("/")) {
+ serviceURL = serviceURL + "/";
+ }
+
+ final String responseDestination = sloReq.getDestination();
+ if (MiscUtil.isEmpty(responseDestination) ||
+ !responseDestination.startsWith(serviceURL)) {
+ log.warn("PVPResponse destination does not match requested destination");
+ return createSLOResponse(sloReq, StatusCode.REQUESTER_URI, request);
+ }
+
+ final AuthenticationManager authManager = AuthenticationManager.getInstance();
+ if (authManager.isActiveUser(sloReq.getNameID().getValue())) {
+ final AuthenticatedUser authUser = authManager.getActiveUser(sloReq.getNameID().getValue());
+ log.info("User " + authUser.getGivenName() + " " + authUser.getFamilyName() + " with nameID:"
+ + authUser.getNameID() + " get logged out by Single LogOut request.");
+ authManager.removeActiveUser(authUser);
+ final HttpSession session = request.getSession(false);
+ if (session != null) {
+ session.invalidate();
+ }
+ return createSLOResponse(sloReq, StatusCode.SUCCESS_URI, request);
+
+ } else {
+ log.debug("Single LogOut not possible! User with nameID:" + sloReq.getNameID().getValue()
+ + " is not found.");
+ return createSLOResponse(sloReq, StatusCode.SUCCESS_URI, request);
+
+ }
+
+ }
+
+ protected LogoutResponse createSLOResponse(LogoutRequest sloReq, String statusCodeURI,
+ HttpServletRequest request) throws NoSuchAlgorithmException {
+ final LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class);
+ final SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
+ sloResp.setID(gen.generateIdentifier());
+ sloResp.setInResponseTo(sloReq.getID());
+ sloResp.setIssueInstant(new DateTime());
+ final NameID name = SAML2Utils.createSAMLObject(NameID.class);
+ final Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
+
+ String serviceURL = config.getPublicUrlPreFix(request);
+ if (!serviceURL.endsWith("/")) {
+ serviceURL = serviceURL + "/";
+ }
+ name.setValue(serviceURL);
+ issuer.setValue(serviceURL);
+ issuer.setFormat(NameIDType.ENTITY);
+ sloResp.setIssuer(issuer);
+
+ final Status status = SAML2Utils.createSAMLObject(Status.class);
+ sloResp.setStatus(status);
+ final StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class);
+ statusCode.setValue(statusCodeURI);
+ status.setStatusCode(statusCode);
+
+ return sloResp;
+ }
+
+ protected void validateLogOutResponse(LogoutResponse sloResp, String reqID, HttpServletRequest request,
+ HttpServletResponse response) throws PVP2Exception {
+ // ckeck InResponseTo matchs requestID
+ if (MiscUtil.isEmpty(reqID)) {
+ log.info("NO Sigle LogOut request ID");
+ throw new PVP2Exception("NO Sigle LogOut request ID");
+ }
+
+ if (!reqID.equals(sloResp.getInResponseTo())) {
+ log.warn("SLORequestID does not match SLO Response ID!");
+ throw new PVP2Exception("SLORequestID does not match SLO Response ID!");
+
+ }
+
+ // check response destination
+ String serviceURL = config.getPublicUrlPreFix(request);
+ if (!serviceURL.endsWith("/")) {
+ serviceURL = serviceURL + "/";
+ }
+
+ final String responseDestination = sloResp.getDestination();
+ if (MiscUtil.isEmpty(responseDestination) ||
+ !responseDestination.startsWith(serviceURL)) {
+ log.warn("PVPResponse destination does not match requested destination");
+ throw new PVP2Exception("SLO response destination does not match requested destination");
+ }
+
+ request.getSession().invalidate();
+
+ if (sloResp.getStatus().getStatusCode().getValue().equals(StatusCode.PARTIAL_LOGOUT_URI)) {
+ log.warn("Single LogOut process is not completed.");
+ request.getSession().setAttribute(Constants.SESSION_SLOERROR,
+ LanguageHelper.getErrorString("webpages.slo.error", request));
+
+ } else if (sloResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+
+ if (sloResp.getStatus().getStatusCode().getStatusCode() != null &&
+ !sloResp.getStatus().getStatusCode().getStatusCode().equals(StatusCode.PARTIAL_LOGOUT_URI)) {
+ log.info("Single LogOut process complete.");
+ request.getSession().setAttribute(Constants.SESSION_SLOSUCCESS,
+ LanguageHelper.getErrorString("webpages.slo.success", request));
+
+ } else {
+ log.warn("Single LogOut process is not completed.");
+ request.getSession().setAttribute(Constants.SESSION_SLOERROR,
+ LanguageHelper.getErrorString("webpages.slo.error", request));
+
+ }
+
+ } else {
+ log.warn("Single LogOut response sends an unsupported statustype " + sloResp.getStatus().getStatusCode()
+ .getValue());
+ request.getSession().setAttribute(Constants.SESSION_SLOERROR,
+ LanguageHelper.getErrorString("webpages.slo.error", request));
+
+ }
+ String redirectURL = serviceURL + Constants.SERVLET_LOGOUT;
+ redirectURL = response.encodeRedirectURL(redirectURL);
+ response.setContentType("text/html");
+ response.setStatus(302);
+ response.addHeader("Location", redirectURL);
+
+ }
+
+ protected SingleLogoutService findIDPFrontChannelSLOService() throws ConfigurationException, SLOException {
+
+ final String entityname = config.getPVP2IDPMetadataEntityName();
+ if (MiscUtil.isEmpty(entityname)) {
+ log.info("No IDP EntityName configurated");
+ throw new ConfigurationException("No IDP EntityName configurated");
+ }
+
+ // get IDP metadata from metadataprovider
+ final HTTPMetadataProvider idpmetadata = config.getMetaDataProvier();
+ try {
+ final EntityDescriptor idpEntity = idpmetadata.getEntityDescriptor(entityname);
+ if (idpEntity == null) {
+ log.info("IDP EntityName is not found in IDP Metadata");
+ throw new ConfigurationException("IDP EntityName is not found in IDP Metadata");
+
+ }
+
+ // select authentication-service url from metadata
+ SingleLogoutService redirectEndpoint = null;
+ for (final SingleLogoutService sss : idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS)
+ .getSingleLogoutServices()) {
+
+ // Get the service address for the binding you wish to use
+ if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
+ redirectEndpoint = sss;
+ } else if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI) &&
+ redirectEndpoint == null) {
+ redirectEndpoint = sss;
+ }
+ }
+
+ if (redirectEndpoint == null) {
+ log.warn("Single LogOut FAILED: IDP implements no frontchannel SLO service.");
+ throw new SLOException("Single LogOut FAILED: IDP implements no frontchannel SLO service.");
+ }
+
+ return redirectEndpoint;
+ } catch (final MetadataProviderException e) {
+ log.info("IDP EntityName is not found in IDP Metadata", e);
+ throw new ConfigurationException("IDP EntityName is not found in IDP Metadata");
+
+ }
+ }
+
+ protected ConfigurationProvider getConfig() {
+ return config;
+ }
}
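Review bot: The nested status check in validateLogOutResponse (new side, lines 375–376) compares the subordinate StatusCode object itself to the String constant PARTIAL_LOGOUT_URI, so that `equals` can never be true and the branch reduces to `getStatusCode() != null`; the sibling check on line 368 correctly goes through `getValue()`. As written, any subordinate code, including PartialLogout, is reported as "Single LogOut process complete", while a plain Success with no subordinate code lands in the error branch — which, if a top-level Success without a second-level code is meant to count as a completed logout, looks inverted. I would replace the condition with `final StatusCode subCode = sloResp.getStatus().getStatusCode().getStatusCode();` and `if (subCode == null || !StatusCode.PARTIAL_LOGOUT_URI.equals(subCode.getValue())) {`, and a null guard on `getStatus()`/`getStatusCode()` before line 368 would avoid an NPE on a malformed response. The commit only reformats this block (braces, `final`), so the defect is pre-existing but survives into the new code.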