Diffstat (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action')
4 files changed, 90 insertions, 40 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java
index 989641f36..b77b47d15 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java
@@ -36,6 +36,7 @@ import org.apache.struts2.interceptor.ServletResponseAware;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
 import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentGeneral;
+import at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS;
 import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType;
 import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModes;
 import at.gv.egovernment.moa.id.commons.db.dao.config.ConnectionParameterClientAuthType;
@@ -57,6 +58,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.SLRequestTemplates;
 import at.gv.egovernment.moa.id.commons.db.dao.config.SSO;
 import at.gv.egovernment.moa.id.commons.db.dao.config.STORK;
 import at.gv.egovernment.moa.id.commons.db.dao.config.SecurityLayer;
+import at.gv.egovernment.moa.id.commons.db.dao.config.StorkAttribute;
 import at.gv.egovernment.moa.id.commons.db.dao.config.TimeOuts;
 import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType;
 import at.gv.egovernment.moa.id.commons.db.dao.config.TrustAnchor;
@@ -68,6 +70,7 @@ import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
 import at.gv.egovernment.moa.id.configuration.data.GeneralMOAIDConfig;
 import at.gv.egovernment.moa.id.configuration.data.GeneralStorkConfig;
 import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
+import at.gv.egovernment.moa.id.configuration.helper.StringHelper;
 import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper;
 import at.gv.egovernment.moa.id.configuration.validation.moaconfig.MOAConfigValidator;
 import at.gv.egovernment.moa.id.configuration.validation.moaconfig.StorkConfigValidator;
@@ -352,9 +355,10 @@ public class EditGeneralConfigAction extends ActionSupport
 pvp2.setOrganization(pvp2org);
 }
 if (MiscUtil.isNotEmpty(moaconfig.getPvp2OrgDisplayName()))
- pvp2org.setDisplayName(moaconfig.getPvp2OrgDisplayName());
+ pvp2org.setDisplayName(StringHelper.getUTF8String(
+ moaconfig.getPvp2OrgDisplayName()));
 if (MiscUtil.isNotEmpty(moaconfig.getPvp2OrgName()))
- pvp2org.setName(moaconfig.getPvp2OrgName());
+ pvp2org.setName(StringHelper.getUTF8String(moaconfig.getPvp2OrgName()));
 if (MiscUtil.isNotEmpty(moaconfig.getPvp2OrgURL()))
 pvp2org.setURL(moaconfig.getPvp2OrgURL());
@@ -363,22 +367,30 @@ public class EditGeneralConfigAction extends ActionSupport
 pvp2cont = new ArrayList<Contact>();
 pvp2.setContact(pvp2cont);
 }
- Contact cont = new Contact();
- pvp2cont.add(cont);
+
+ if (pvp2cont.size() == 0) {
+ Contact cont = new Contact();
+ pvp2cont.add(cont);
+ }
+
+ Contact cont = pvp2cont.get(0);
 if (MiscUtil.isNotEmpty(moaconfig.getPvp2Contact().getCompany()))
- cont.setCompany(moaconfig.getPvp2Contact().getCompany());
+ cont.setCompany(StringHelper.getUTF8String(
+ moaconfig.getPvp2Contact().getCompany()));
 if (MiscUtil.isNotEmpty(moaconfig.getPvp2Contact().getGivenname()))
- cont.setGivenName(moaconfig.getPvp2Contact().getGivenname());
+ cont.setGivenName(StringHelper.getUTF8String(
+ moaconfig.getPvp2Contact().getGivenname()));
 //TODO: change to list if required
 if (MiscUtil.isNotEmpty(moaconfig.getPvp2Contact().getMail()))
 cont.setMail(Arrays.asList(moaconfig.getPvp2Contact().getMail()));
 if (MiscUtil.isNotEmpty(moaconfig.getPvp2Contact().getPhone()))
 cont.setPhone(Arrays.asList(moaconfig.getPvp2Contact().getPhone()));
-
+
 if (MiscUtil.isNotEmpty(moaconfig.getPvp2Contact().getSurname()))
- cont.setSurName(moaconfig.getPvp2Contact().getSurname());
+ cont.setSurName(StringHelper.getUTF8String(
+ moaconfig.getPvp2Contact().getSurname()));
 if (MiscUtil.isNotEmpty(moaconfig.getPvp2Contact().getType()))
 cont.setType(moaconfig.getPvp2Contact().getType());
@@ -389,9 +401,11 @@ public class EditGeneralConfigAction extends ActionSupport
 }
 if (MiscUtil.isNotEmpty(moaconfig.getSsoFriendlyName()))
- dbsso.setFriendlyName(moaconfig.getSsoFriendlyName());
+ dbsso.setFriendlyName(StringHelper.getUTF8String(
+ moaconfig.getSsoFriendlyName()));
 if (MiscUtil.isNotEmpty(moaconfig.getSsoSpecialText()))
- dbsso.setSpecialText(moaconfig.getSsoSpecialText());
+ dbsso.setSpecialText(StringHelper.getUTF8String(
+ moaconfig.getSsoSpecialText()));
 // if (MiscUtil.isNotEmpty(moaconfig.getSsoPublicUrl()))
 // dbsso.setPublicURL(moaconfig.getSsoPublicUrl());
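Review bot: Reusing `Contact cont = pvp2cont.get(0);` stops a fresh `Contact` from being appended on every save, but together with the `isNotEmpty` guards it means a field the user clears in the form keeps its previously stored value on the reused contact (setCompany, setGivenName, setSurName, setMail, setPhone and setType are all skipped when the input is empty). If clearing a contact field is meant to be possible, write the field unconditionally, e.g. `cont.setCompany(MiscUtil.isNotEmpty(company) ? StringHelper.getUTF8String(company) : null);` with `company` read once from `moaconfig.getPvp2Contact()`. The organisation fields in the previous hunk have the same property, though there the object was already being reused. The enclosing method starts and ends outside this hunk.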
@@ -501,14 +515,25 @@ public class EditGeneralConfigAction extends ActionSupport
 ForeignIdentities oldforeign = oldauth.getForeignIdentities();
 if (oldforeign != null) {
 STORK oldstork = oldforeign.getSTORK();
- if (oldstork == null)
- oldstork = new STORK();
+ if (oldstork == null)
+ oldstork = new STORK();
 try {
 log.error("QAAAA " + storkconfig.getDefaultQaa());
 oldstork.setQualityAuthenticationAssuranceLevel(storkconfig.getDefaultQaa());
- oldstork.setAttributes(storkconfig.getAttributes());
- oldstork.setCPEPS(storkconfig.getCpepslist());
+
+ if (storkconfig.getAttributes() != null)
+ oldstork.setAttributes(storkconfig.getAttributes());
+
+ else
+ oldstork.setAttributes((List<StorkAttribute>) (new ArrayList<StorkAttribute>()));
+
+ if (storkconfig.getCpepslist() != null)
+ oldstork.setCPEPS(storkconfig.getCpepslist());
+
+ else
+ oldstork.setCPEPS((List<CPEPS>) (new ArrayList<CPEPS>()));
+
 dbforeign.setSTORK(oldstork);
 } catch (Exception e) {
 e.printStackTrace();
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java
index f8a12e58b..e5d84d461 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java
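Review bot: The casts `(List<StorkAttribute>) (new ArrayList<StorkAttribute>())` and `(List<CPEPS>) (new ArrayList<CPEPS>())` in the two new else branches are no-ops, because an `ArrayList<T>` already is a `List<T>`; `oldstork.setAttributes(new ArrayList<StorkAttribute>());` and `oldstork.setCPEPS(new ArrayList<CPEPS>());` say the same thing without the noise. The blank line between each `if` body and its `else` also makes the pair read as two statements; brace the branches or drop the blank lines. Since the new code sits inside a `try` whose handler only calls `e.printStackTrace()`, a failure in either setter is invisible to the application log, so the existing catch deserves a `log.warn(..., e)` while this block is being touched. The enclosing method starts and ends outside this hunk.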
@@ -35,6 +35,7 @@ import at.gv.egovernment.moa.id.configuration.data.oa.*;
 import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
 import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
 import at.gv.egovernment.moa.id.configuration.helper.MailHelper;
+import at.gv.egovernment.moa.id.configuration.helper.StringHelper;
 import at.gv.egovernment.moa.id.configuration.validation.FormularCustomizationValitator;
 import at.gv.egovernment.moa.id.configuration.validation.TargetValidator;
 import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper;
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java
index 3bc2d4ac5..655ce7a59 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java
@@ -198,6 +198,10 @@ implements ServletRequestAware, ServletResponseAware {
 ConfigurationDBUtils.closeSession();
 }
+ //set new formID
+ formID = Random.nextRandom();
+ session.setAttribute(Constants.SESSION_FORMID, formID);
+
 log.info("Legacy Configuration load is completed.");
 addActionMessage(LanguageHelper.getGUIString("webpages.inportexport.success"));
 return Constants.STRUTS_SUCCESS;
@@ -285,6 +289,11 @@ implements ServletRequestAware, ServletResponseAware {
 ConfigurationDBUtils.closeSession();
 }
+
+ //set new formID
+ formID = Random.nextRandom();
+ session.setAttribute(Constants.SESSION_FORMID, formID);
+
 return Constants.STRUTS_SUCCESS;
 } else {
 log.info("No access to Import/Export for User with ID" + authUser.getUserID());
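Review bot: The two-line form-ID reset `formID = Random.nextRandom(); session.setAttribute(Constants.SESSION_FORMID, formID);` is pasted into both ImportExportAction hunks here and again twice in the next hunks (@@ -317 and @@ -367); a small `private void renewFormID()` that does both steps would keep the field and the session attribute from drifting apart as more return paths are added. If SESSION_FORMID is what a later submission is compared against (it reads like a one-time form token, which I cannot confirm from this diff), `Random.nextRandom()` must be backed by a cryptographically strong source such as `SecureRandom`, otherwise the token is guessable; worth confirming in the `Random` helper. The enclosing methods start and end outside these hunks.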
@@ -317,15 +326,20 @@ implements ServletRequestAware, ServletResponseAware {
 + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
 return Constants.STRUTS_ERROR;
 }
+ session.setAttribute(Constants.SESSION_FORMID, null);
 if (authUser.isAdmin()) {
 if (fileUpload == null) {
 addActionError(LanguageHelper.getErrorString("errors.importexport.nofile"));
+
+ formID = Random.nextRandom();
+ session.setAttribute(Constants.SESSION_FORMID, formID);
+
 return Constants.STRUTS_ERROR_VALIDATION;
 }
-
+
 log.info("Load configuration from MOA-ID 2.x XML configuration");
 try {
@@ -367,6 +381,10 @@ implements ServletRequestAware, ServletResponseAware {
 ConfigurationDBUtils.closeSession();
 }
+ //set new formID
+ formID = Random.nextRandom();
+ session.setAttribute(Constants.SESSION_FORMID, formID);
+
 log.info("XML Configuration load is completed.");
 addActionMessage(LanguageHelper.getGUIString("webpages.inportexport.success"));
 return Constants.STRUTS_SUCCESS;
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
index ee9b38f74..8004ab520 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
@@ -127,7 +127,14 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
 try {
 ConfigurationProvider config = ConfigurationProvider.getInstance();
 pvp2LoginActiv = config.isPVP2LoginActive();
- return Constants.STRUTS_SUCCESS;
+
+ if (config.isLoginDeaktivated()) {
+ return "loginWithOutAuth";
+
+ } else {
+ return Constants.STRUTS_SUCCESS;
+
+ }
 } catch (ConfigurationException e) {
 log.warn("An internal error occurs.", e);
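Review bot: The new `config.isLoginDeaktivated()` branch in IndexAction (last hunk on this line) routes the request to `"loginWithOutAuth"` without leaving any trace that authentication was skipped; add `log.warn("Login is deactivated by configuration - continuing without authentication");` before that return so a deployment running with this switch on is visible in its own logs. The bare result name should also sit beside the other Struts results, e.g. a new `Constants.STRUTS_LOGIN_WITHOUT_AUTH` (name proposed here) instead of the inline literal. The `try` block and the enclosing method start and end outside the hunk.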
@@ -271,6 +278,18 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
 Response samlResponse = (Response) messageContext.getInboundMessage();
+ //ckeck InResponseTo matchs requestID
+ if (MiscUtil.isEmpty(authID)) {
+ log.info("NO AuthRequestID");
+ return Constants.STRUTS_ERROR;
+ }
+
+ if (!authID.equals(samlResponse.getInResponseTo())) {
+ log.warn("PVPRequestID does not match PVP2 Assertion ID!");
+ return Constants.STRUTS_ERROR;
+
+ }
+
 Signature sign = samlResponse.getSignature();
 if (sign == null) {
 log.info("Only http POST Requests can be used");
@@ -345,29 +364,9 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
 saml2assertions = samlResponse.getAssertions();
 }
-
-
- if (MiscUtil.isEmpty(authID)) {
- log.info("NO AuthRequestID");
- return Constants.STRUTS_ERROR;
- }
-
+
 for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
-
- Subject subject = saml2assertion.getSubject();
- List<SubjectConfirmation> subjectconformlist = subject.getSubjectConfirmations();
- for (SubjectConfirmation el : subjectconformlist) {
- if (el.getMethod().equals(SubjectConfirmation.METHOD_BEARER)) {
- SubjectConfirmationData date = el.getSubjectConfirmationData();
-
- if (!authID.equals(date.getInResponseTo())) {
- log.warn("PVPRequestID does not match PVP2 Assertion ID!");
- return Constants.STRUTS_ERROR;
-
- }
- }
- }
-
+
 Conditions conditions = saml2assertion.getConditions();
 DateTime notbefore = conditions.getNotBefore();
 DateTime notafter = conditions.getNotOnOrAfter();
@@ -376,6 +375,13 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
 return Constants.STRUTS_ERROR;
 }
+
+ Subject subject = saml2assertion.getSubject();
+ if (subject == null) {
+ log.warn("Assertion has no Subject element");
+ return Constants.STRUTS_ERROR;
+
+ }
 NameID nameID = subject.getNameID();
 if (nameID == null) {
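Review bot: Moving the InResponseTo comparison to `samlResponse.getInResponseTo()` (first hunk) and deleting the loop over `subject.getSubjectConfirmations()` (second hunk) leaves no assertion-level binding to the outstanding request: the Response-level check is necessary, but the SAML 2.0 Web Browser SSO profile also requires each bearer SubjectConfirmationData to be validated — InResponseTo against the request ID, Recipient against the endpoint the response arrived at, NotOnOrAfter not yet passed — and the removed loop covered at least the first of those. I would keep a per-assertion bearer check next to the new `subject == null` guard in the third hunk, written null-safe (`SubjectConfirmation.METHOD_BEARER.equals(el.getMethod())` and a null check on the confirmation data, both of which the removed code lacked) and rejecting assertions that carry no bearer confirmation at all. The Recipient and NotOnOrAfter comparisons need the assertion consumer URL, which is not visible in this diff. The added comment `//ckeck InResponseTo matchs requestID` should read `// check InResponseTo matches requestID`. The enclosing method starts and ends outside these hunks.
```java
// … unchanged: Conditions NotBefore/NotOnOrAfter check …
Subject subject = saml2assertion.getSubject();
if (subject == null) {
    log.warn("Assertion has no Subject element");
    return Constants.STRUTS_ERROR;
}
// the Response-level InResponseTo check is not sufficient on its own:
// every bearer confirmation must be bound to this request as well
boolean bearerConfirmed = false;
for (SubjectConfirmation el : subject.getSubjectConfirmations()) {
    if (!SubjectConfirmation.METHOD_BEARER.equals(el.getMethod())) {
        continue;
    }
    SubjectConfirmationData data = el.getSubjectConfirmationData();
    if (data == null || !authID.equals(data.getInResponseTo())) {
        log.warn("PVPRequestID does not match PVP2 Assertion ID!");
        return Constants.STRUTS_ERROR;
    }
    bearerConfirmed = true;
}
if (!bearerConfirmed) {
    log.warn("Assertion has no bearer SubjectConfirmation");
    return Constants.STRUTS_ERROR;
}
NameID nameID = subject.getNameID();
```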
@@ -624,8 +630,8 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
 check = user.getPhone();
 if (MiscUtil.isNotEmpty(check)) {
- if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
- log.warn("Phonenumber contains potentail XSS characters: " + check);
+ if (!ValidationHelper.validatePhoneNumber(check)) {
+ log.warn("No valid Phone Number: " + check);
 addActionError(LanguageHelper.getErrorString("validation.edituser.phone.valid",
 new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
 }
|
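Review bot: The condition now rejects on `!ValidationHelper.validatePhoneNumber(check)`, but the error shown to the user is still built with `new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}`, i.e. it explains a character blacklist that is no longer what was tested; pass the rejected value or the expected format instead, or use a message key that describes an invalid phone number. Unless `validatePhoneNumber` is known to accept only digits and phone punctuation, replacing the `containsPotentialCSSCharacter` test also removes the markup filter this field had, so please confirm the new validator is at least as restrictive before the old check is dropped. `check` in the warn line is user-controlled input and was already being logged verbatim before this change. The enclosing method starts and ends outside the hunk.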