diff options
Diffstat (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action')
8 files changed, 1580 insertions, 193 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java index 3f6005b97..bad522a4b 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java @@ -10,6 +10,7 @@ import java.util.Set; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import org.apache.log4j.Logger; import org.apache.struts2.interceptor.ServletRequestAware; @@ -53,6 +54,7 @@ import at.gv.egovernment.moa.id.configuration.data.GeneralMOAIDConfig; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; import at.gv.egovernment.moa.id.configuration.validation.moaconfig.MOAConfigValidator; import at.gv.egovernment.moa.id.configuration.validation.moaconfig.PVP2ContactValidator; +import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.util.MiscUtil; import com.opensymphony.xwork2.ActionSupport; @@ -67,12 +69,18 @@ public class EditGeneralConfigAction extends ActionSupport private HttpServletResponse response; private AuthenticatedUser authUser; - private GeneralMOAIDConfig moaconfig; + private String formID; + public String loadConfig() { + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; if (authUser.isAdmin()) { @@ -84,6 +92,9 @@ public class EditGeneralConfigAction extends ActionSupport ConfigurationDBUtils.closeSession(); + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); + return Constants.STRUTS_SUCCESS; } else { @@ -93,11 +104,30 @@ public class EditGeneralConfigAction extends ActionSupport } public String saveConfig() { + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); - + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; + Object formidobj = session.getAttribute(Constants.SESSION_FORMID); + if (formidobj != null && formidobj instanceof String) { + String formid = (String) formidobj; + if (!formid.equals(formID)) { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + } else { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + session.setAttribute(Constants.SESSION_FORMID, null); + if (authUser.isAdmin()) { MOAConfigValidator validator = new MOAConfigValidator(); @@ -109,6 +139,8 @@ public class EditGeneralConfigAction extends ActionSupport for (String el : errors) addActionError(el); + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } @@ -505,6 +537,20 @@ public class EditGeneralConfigAction extends ActionSupport public void setMoaconfig(GeneralMOAIDConfig moaconfig) { this.moaconfig = moaconfig; } + + /** + * @return the formID + */ + public String getFormID() { + return formID; + } + + /** + * @param formID the formID to set + */ + public void setFormID(String formID) { + this.formID = formID; + } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java index 297d80726..8d20fe118 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java @@ -8,6 +8,7 @@ import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import org.apache.log4j.Logger; import org.apache.struts2.interceptor.ServletRequestAware; @@ -38,13 +39,17 @@ import at.gv.egovernment.moa.id.configuration.data.oa.OAPVP2Config; import at.gv.egovernment.moa.id.configuration.data.oa.OASAML1Config; import at.gv.egovernment.moa.id.configuration.data.oa.OASSOConfig; import at.gv.egovernment.moa.id.configuration.data.oa.OASTORKConfig; +import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; +import at.gv.egovernment.moa.id.configuration.helper.MailHelper; +import at.gv.egovernment.moa.id.configuration.validation.TargetValidator; import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper; import at.gv.egovernment.moa.id.configuration.validation.oa.OAGeneralConfigValidation; import at.gv.egovernment.moa.id.configuration.validation.oa.OAPVP2ConfigValidation; import at.gv.egovernment.moa.id.configuration.validation.oa.OASAML1ConfigValidation; import at.gv.egovernment.moa.id.configuration.validation.oa.OASSOConfigValidation; import at.gv.egovernment.moa.id.configuration.validation.oa.OASTORKConfigValidation; +import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.util.MiscUtil; import com.opensymphony.xwork2.ActionSupport; @@ -63,6 +68,9 @@ ServletResponseAware { private String oaidobj; private boolean newOA; + private String formID; + + private String nextPage; private OAGeneralConfig generalOA = new OAGeneralConfig(); private OAPVP2Config pvp2OA = new OAPVP2Config(); @@ -72,11 +80,16 @@ ServletResponseAware { //STRUTS actions public String inital() { + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; - + long oaid = -1; if (!ValidationHelper.validateOAID(oaidobj)) { @@ -88,8 +101,15 @@ ServletResponseAware { OnlineApplication onlineapplication = null;; if (authUser.isAdmin()) onlineapplication = ConfigurationDBRead.getOnlineApplication(oaid); + else { UserDatabase userdb = ConfigurationDBRead.getUserWithID(authUser.getUserID()); + + if (!userdb.isIsMailAddressVerified() && !authUser.isAdmin()) { + log.info("Online-Applikation managemant disabled. Mail address is not verified."); + addActionError(LanguageHelper.getErrorString("error.editoa.mailverification")); + } + List<OnlineApplication> oas = userdb.getOnlineApplication(); for (OnlineApplication oa : oas) { if (oa.getHjid() == oaid) { @@ -115,7 +135,10 @@ ServletResponseAware { ConfigurationDBUtils.closeSession(); - request.getSession().setAttribute(Constants.SESSION_OAID, oaid); + session.setAttribute(Constants.SESSION_OAID, oaid); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); newOA = false; @@ -124,24 +147,66 @@ ServletResponseAware { public String newOA() { log.debug("insert new Online-Application"); + + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } + + session.setAttribute(Constants.SESSION_OAID, null); + nextPage = Constants.STRUTS_RETURNAREA_VALUES.main.name(); - request.getSession().setAttribute(Constants.SESSION_OAID, null); - - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; + UserDatabase userdb = ConfigurationDBRead.getUserWithID(authUser.getUserID()); + if (!userdb.isIsMailAddressVerified() && !authUser.isAdmin()) { + log.info("Online-Applikation managemant disabled. Mail address is not verified."); + addActionError(LanguageHelper.getErrorString("error.editoa.mailverification")); + } + newOA = true; + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); + return Constants.STRUTS_OA_EDIT; } public String saveOA() { - - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; + Object formidobj = session.getAttribute(Constants.SESSION_FORMID); + if (formidobj != null && formidobj instanceof String) { + String formid = (String) formidobj; + if (!formid.equals(formID)) { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + } else { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + session.setAttribute(Constants.SESSION_FORMID, null); + + UserDatabase userdb = ConfigurationDBRead.getUserWithID(authUser.getUserID()); + if (!authUser.isAdmin() && !userdb.isIsMailAddressVerified()) { + log.info("Online-Applikation managemant disabled. Mail address is not verified."); + addActionError(LanguageHelper.getErrorString("error.editoa.mailverification")); + return Constants.STRUTS_SUCCESS; + } + OnlineApplication onlineapplication = null; List<String> errors = new ArrayList<String>(); @@ -170,15 +235,15 @@ ServletResponseAware { } else { - //TODO: oaidentifier has to be a URL according to PVP2.1 specification - if (ValidationHelper.isValidOAIdentifier(oaidentifier)) { - log.warn("IdentificationNumber contains potentail XSS characters: " + oaidentifier); + if (!ValidationHelper.validateURL(oaidentifier)) { + log.warn("OnlineapplikationIdentifier is not a valid URL: " + oaidentifier); errors.add(LanguageHelper.getErrorString("validation.general.oaidentifier.valid", new Object[] {ValidationHelper.getNotValidOAIdentifierCharacters()} )); } else { if (oaid == -1) { onlineapplication = ConfigurationDBRead.getOnlineApplication(oaidentifier); + newOA = true; if (onlineapplication != null) { log.info("The OAIdentifier is not unique"); errors.add(LanguageHelper.getErrorString("validation.general.oaidentifier.notunique")); @@ -215,23 +280,108 @@ ServletResponseAware { for (String el : errors) addActionError(el); + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } else { - String error = saveOAConfigToDatabase(onlineapplication); + boolean newentry = false; + + if (onlineapplication == null) { + onlineapplication = new OnlineApplication(); + newentry = true; + onlineapplication.setIsActive(false); + + if (!authUser.isAdmin()) { + onlineapplication.setIsAdminRequired(true); + } + + } else { + if (!authUser.isAdmin() && + !onlineapplication.getPublicURLPrefix(). + equals(generalOA.getIdentifier())) { + + onlineapplication.setIsAdminRequired(true); + onlineapplication.setIsActive(false); + log.info("User with ID " + authUser.getUserID() + + " change OA-PublicURLPrefix. Reaktivation is required."); + } + + } + + if ( (onlineapplication.isIsAdminRequired() == null) || + (authUser.isAdmin() && generalOA.isActive() + && onlineapplication.isIsAdminRequired()) ) { + + onlineapplication.setIsAdminRequired(false); + + UserDatabase user = ConfigurationDBRead.getUsersWithOADBID(onlineapplication.getHjid()); + if (user != null) { + try { + MailHelper.sendUserOnlineApplicationActivationMail( + user.getGivenname(), + user.getFamilyname(), + user.getInstitut(), + onlineapplication.getPublicURLPrefix(), + user.getMail()); + } catch (ConfigurationException e) { + log.warn("Sending Mail to User " + user.getMail() + " failed", e); + } + } + + } + + + String error = saveOAConfigToDatabase(onlineapplication, newentry); if (MiscUtil.isNotEmpty(error)) { log.warn("OA configuration can not be stored!"); - addActionError(error); + addActionError(error); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } } + Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA); + if (nextPageAttr != null && nextPageAttr instanceof String) { + nextPage = (String) nextPageAttr; + session.setAttribute(Constants.SESSION_RETURNAREA, null); + + } else { + nextPage = Constants.STRUTS_RETURNAREA_VALUES.main.name(); + } - request.getSession().setAttribute(Constants.SESSION_OAID, null); - addActionMessage(LanguageHelper.getGUIString("webpages.oaconfig.success", generalOA.getIdentifier(), request)); + if (onlineapplication.isIsAdminRequired()) { + int numoas = 0; + int numusers = 0; + + List<OnlineApplication> openOAs = ConfigurationDBRead.getAllNewOnlineApplications(); + if (openOAs != null) + numoas = openOAs.size(); + + List<UserDatabase> openUsers = ConfigurationDBRead.getAllNewUsers(); + if (openUsers != null) + numusers = openUsers.size(); + try { + + addActionMessage(LanguageHelper.getGUIString("webpages.oaconfig.success.admin", generalOA.getIdentifier(), request)); + + if (numusers > 0 || numoas > 0) + MailHelper.sendAdminMail(numoas, numusers); + + } catch (ConfigurationException e) { + log.warn("Sending Mail to Admin failed.", e); + } + + } else + addActionMessage(LanguageHelper.getGUIString("webpages.oaconfig.success", generalOA.getIdentifier(), request)); + + + request.getSession().setAttribute(Constants.SESSION_OAID, null); ConfigurationDBUtils.closeSession(); return Constants.STRUTS_SUCCESS; @@ -239,7 +389,22 @@ ServletResponseAware { public String cancleAndBackOA() { - request.getSession().setAttribute(Constants.SESSION_OAID, null); + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } + + Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA); + if (nextPageAttr != null && nextPageAttr instanceof String) { + nextPage = (String) nextPageAttr; + session.setAttribute(Constants.SESSION_RETURNAREA, null); + + } else { + nextPage = Constants.STRUTS_RETURNAREA_VALUES.main.name(); + } + + session.setAttribute(Constants.SESSION_OAID, null); addActionMessage(LanguageHelper.getGUIString("webpages.oaconfig.cancle", generalOA.getIdentifier(), request)); @@ -249,15 +414,52 @@ ServletResponseAware { } public String deleteOA() { + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); - + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; + Object formidobj = session.getAttribute(Constants.SESSION_FORMID); + if (formidobj != null && formidobj instanceof String) { + String formid = (String) formidobj; + if (!formid.equals(formID)) { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + } else { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + session.setAttribute(Constants.SESSION_FORMID, null); + + Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA); + if (nextPageAttr != null && nextPageAttr instanceof String) { + nextPage = (String) nextPageAttr; + + } else { + nextPage = Constants.STRUTS_RETURNAREA_VALUES.main.name(); + } + + UserDatabase userdb = ConfigurationDBRead.getUserWithID(authUser.getUserID()); + if (!authUser.isAdmin() && !userdb.isIsMailAddressVerified()) { + log.info("Online-Applikation managemant disabled. Mail address is not verified."); + addActionError(LanguageHelper.getErrorString("error.editoa.mailverification")); + return Constants.STRUTS_SUCCESS; + } + String oaidentifier = generalOA.getIdentifier(); if (MiscUtil.isEmpty(oaidentifier)) { log.info("Empty OA identifier"); addActionError(LanguageHelper.getErrorString("validation.general.oaidentifier.empty")); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } else { @@ -265,6 +467,9 @@ ServletResponseAware { log.warn("IdentificationNumber contains potentail XSS characters: " + oaidentifier); addActionError(LanguageHelper.getErrorString("validation.general.oaidentifier.valid", new Object[] {ValidationHelper.getNotValidOAIdentifierCharacters()} )); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } } @@ -310,16 +515,8 @@ ServletResponseAware { } - private String saveOAConfigToDatabase(OnlineApplication dboa) { - - boolean newentry = false; - - if (dboa == null) { - dboa = new OnlineApplication(); - newentry = true; - dboa.setIsActive(false); - } - + private String saveOAConfigToDatabase(OnlineApplication dboa, boolean newentry) { + AuthComponentOA authoa = dboa.getAuthComponentOA(); if (authoa == null) { authoa = new AuthComponentOA(); @@ -331,72 +528,134 @@ ServletResponseAware { dboa.setFriendlyName(generalOA.getFriendlyName()); dboa.setCalculateHPI(generalOA.isCalculateHPI()); - dboa.setKeyBoxIdentifier(MOAKeyBoxSelector.fromValue(generalOA.getKeyBoxIdentifier())); + dboa.setRemoveBPKFromAuthBlock(generalOA.isHideBPKAuthBlock()); + + if (authUser.isAdmin()) + dboa.setKeyBoxIdentifier(MOAKeyBoxSelector.fromValue(generalOA.getKeyBoxIdentifier())); + else { + if (newentry) + dboa.setKeyBoxIdentifier(MOAKeyBoxSelector.SECURE_SIGNATURE_KEYPAIR); + } + dboa.setPublicURLPrefix(generalOA.getIdentifier()); if (generalOA.isBusinessService()) { dboa.setType(Constants.MOA_CONFIG_BUSINESSSERVICE); + String num = generalOA.getIdentificationNumber().replaceAll(" ", ""); + if (num.startsWith(Constants.IDENIFICATIONTYPE_FN)) + num = num.substring(Constants.IDENIFICATIONTYPE_FN.length()); + + if (num.startsWith(Constants.IDENIFICATIONTYPE_ZVR)) + num = num.substring(Constants.IDENIFICATIONTYPE_ZVR.length()); + + if (num.startsWith(Constants.IDENIFICATIONTYPE_ERSB)) + num = num.substring(Constants.IDENIFICATIONTYPE_ERSB.length()); + IdentificationNumber idnumber = new IdentificationNumber(); - idnumber.setValue(generalOA.getIdentificationNumber()); + idnumber.setValue( + Constants.PREFIX_WPBK + + generalOA.getIdentificationType() + + "+" + + num); + authoa.setIdentificationNumber(idnumber); } else { dboa.setType(null); - dboa.setTarget(generalOA.getTarget()); - dboa.setTargetFriendlyName(generalOA.getTargetFriendlyName()); + if (authUser.isAdmin()) { + if (MiscUtil.isNotEmpty(generalOA.getTarget_admin()) && + generalOA.isAdminTarget() ) { + dboa.setTarget(generalOA.getTarget_admin()); + dboa.setTargetFriendlyName(generalOA.getTargetFriendlyName()); + + } else { + String target_full = generalOA.getTarget(); + String[] target_split = target_full.split("-"); + if (MiscUtil.isNotEmpty(generalOA.getTarget_subsector())) + dboa.setTarget(target_split[0] + "-" + generalOA.getTarget_subsector()); + else + dboa.setTarget(target_full); + + String targetname = TargetValidator.getTargetFriendlyName(target_full); + if (MiscUtil.isNotEmpty(targetname)) + dboa.setTargetFriendlyName(targetname); + else + dboa.setTargetFriendlyName(TargetValidator.getTargetFriendlyName(target_split[0])); + } + + } else { + if (MiscUtil.isNotEmpty(generalOA.getTarget())) { + String target_full = generalOA.getTarget(); + String[] target_split = target_full.split("-"); + dboa.setTarget(target_split[0] + "-" + generalOA.getTarget_subsector()); + + if (MiscUtil.isNotEmpty(generalOA.getTarget_subsector())) + dboa.setTarget(target_split[0] + "-" + generalOA.getTarget_subsector()); + + else + dboa.setTarget(target_full); + + String targetname = TargetValidator.getTargetFriendlyName(target_full); + if (MiscUtil.isNotEmpty(targetname)) + dboa.setTargetFriendlyName(targetname); + else + dboa.setTargetFriendlyName(TargetValidator.getTargetFriendlyName(target_split[0])); + } + } } BKUURLS bkuruls = new BKUURLS(); authoa.setBKUURLS(bkuruls); - bkuruls.setHandyBKU(generalOA.getBkuHandyURL()); - bkuruls.setLocalBKU(generalOA.getBkuLocalURL()); - bkuruls.setOnlineBKU(generalOA.getBkuOnlineURL()); + if (authUser.isAdmin()) { + bkuruls.setHandyBKU(generalOA.getBkuHandyURL()); + bkuruls.setLocalBKU(generalOA.getBkuLocalURL()); + bkuruls.setOnlineBKU(generalOA.getBkuOnlineURL()); + } Mandates mandates = new Mandates(); mandates.setProfiles(generalOA.getMandateProfiles()); authoa.setMandates(mandates); - - authoa.setSlVersion(generalOA.getSlVersion()); - authoa.setUseIFrame(generalOA.isUseIFrame()); - authoa.setUseUTC(generalOA.isUseUTC()); - + TemplatesType templates = authoa.getTemplates(); if (templates == null) { templates = new TemplatesType(); authoa.setTemplates(templates); } - templates.setAditionalAuthBlockText(generalOA.getAditionalAuthBlockText()); - List<TemplateType> template = templates.getTemplate(); - if (generalOA.isLegacy()) { + if (authUser.isAdmin()) { + templates.setAditionalAuthBlockText(generalOA.getAditionalAuthBlockText()); + + List<TemplateType> template = templates.getTemplate(); + if (generalOA.isLegacy()) { - if (template == null) - template = new ArrayList<TemplateType>(); - else - template.clear(); + if (template == null) + template = new ArrayList<TemplateType>(); + else + template.clear(); - if (MiscUtil.isNotEmpty(generalOA.getSLTemplateURL1())) { - TemplateType el = new TemplateType(); - el.setURL(generalOA.getSLTemplateURL1()); - template.add(el); - } - if (MiscUtil.isNotEmpty(generalOA.getSLTemplateURL2())) { - TemplateType el = new TemplateType(); - el.setURL(generalOA.getSLTemplateURL2()); - template.add(el); - } - if (MiscUtil.isNotEmpty(generalOA.getSLTemplateURL3())) { - TemplateType el = new TemplateType(); - el.setURL(generalOA.getSLTemplateURL3()); - template.add(el); + if (MiscUtil.isNotEmpty(generalOA.getSLTemplateURL1())) { + TemplateType el = new TemplateType(); + el.setURL(generalOA.getSLTemplateURL1()); + template.add(el); + } + if (MiscUtil.isNotEmpty(generalOA.getSLTemplateURL2())) { + TemplateType el = new TemplateType(); + el.setURL(generalOA.getSLTemplateURL2()); + template.add(el); + } + if (MiscUtil.isNotEmpty(generalOA.getSLTemplateURL3())) { + TemplateType el = new TemplateType(); + el.setURL(generalOA.getSLTemplateURL3()); + template.add(el); + } + + } else { + if (template != null && template.size() > 0) + template.clear(); } - - } else { - if (template != null && template.size() > 0) - template.clear(); } //set default transformation if it is empty @@ -609,4 +868,28 @@ ServletResponseAware { this.newOA = newOA; } + /** + * @return the nextPage + */ + public String getNextPage() { + return nextPage; + } + + /** + * @return the formID + */ + public String getFormID() { + return formID; + } + + /** + * @param formID the formID to set + */ + public void setFormID(String formID) { + this.formID = formID; + } + + + + } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java index 1cb4fa802..d3d00186f 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java @@ -3,26 +3,21 @@ package at.gv.egovernment.moa.id.configuration.struts.action; import java.io.File; import java.io.IOException; import java.io.InputStream; -import java.io.OutputStream; -import java.io.StringReader; import java.io.StringWriter; -import java.net.MalformedURLException; import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBException; import javax.xml.bind.Marshaller; import javax.xml.bind.Unmarshaller; -import javax.xml.transform.Result; import org.apache.commons.io.IOUtils; import org.apache.log4j.Logger; import org.apache.struts2.interceptor.ServletRequestAware; import org.apache.struts2.interceptor.ServletResponseAware; -import org.hibernate.lob.ReaderInputStream; -import org.w3c.dom.Node; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; @@ -35,7 +30,7 @@ import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; -import at.iaik.commons.util.IOUtil; +import at.gv.egovernment.moa.id.util.Random; import com.opensymphony.xwork2.ActionSupport; @@ -51,6 +46,7 @@ implements ServletRequestAware, ServletResponseAware { private HttpServletResponse response; private AuthenticatedUser authUser; + private String formID; private File fileUpload = null; private String fileUploadContentType = null; @@ -59,13 +55,20 @@ implements ServletRequestAware, ServletResponseAware { private InputStream fileInputStream; public String init() { + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); - + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; if (authUser.isAdmin()) { - + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); + return Constants.STRUTS_SUCCESS; } else { @@ -76,16 +79,39 @@ implements ServletRequestAware, ServletResponseAware { } public String importLegacyConfig() { - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; + Object formidobj = session.getAttribute(Constants.SESSION_FORMID); + if (formidobj != null && formidobj instanceof String) { + String formid = (String) formidobj; + if (!formid.equals(formID)) { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + } else { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + session.setAttribute(Constants.SESSION_FORMID, null); + if (authUser.isAdmin()) { //load legacy config if it is configured if (fileUpload == null) { addActionError(LanguageHelper.getErrorString("errors.importexport.nofile")); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } @@ -97,6 +123,9 @@ implements ServletRequestAware, ServletResponseAware { } catch (org.opensaml.xml.ConfigurationException e1) { log.info("Legacy configuration has an Import Error", e1); addActionError(LanguageHelper.getErrorString("errors.importexport.legacyimport", new Object[] {e1.getMessage()})); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } log.debug("OpenSAML successfully initialized"); @@ -108,26 +137,24 @@ implements ServletRequestAware, ServletResponseAware { try { log.warn("WARNING! The legacy import deletes the hole old config"); - String rootConfigFileDir = new File(ConfigurationProvider.getInstance().getConfigFile()).getParent(); - - try { - rootConfigFileDir = new File(rootConfigFileDir).toURL().toString(); - - } catch (MalformedURLException t) { - log.warn("RootConfiguration Directory is not found"); - rootConfigFileDir = ""; - } - + String rootConfigFileDir = ConfigurationProvider.getInstance().getConfigRootDir(); + moaconfig = BuildFromLegacyConfig.build(fileUpload, rootConfigFileDir, moaidconfig); } catch (ConfigurationException e) { log.info("Legacy configuration has an Import Error", e); addActionError(LanguageHelper.getErrorString("errors.importexport.legacyimport", new Object[] {e.getMessage()})); ConfigurationDBUtils.closeSession(); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } catch (at.gv.egovernment.moa.id.configuration.exception.ConfigurationException e) { ConfigurationDBUtils.closeSession(); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } @@ -155,6 +182,9 @@ implements ServletRequestAware, ServletResponseAware { } catch (MOADatabaseException e) { log.warn("General MOA-ID config can not be stored in Database"); addActionError(e.getMessage()); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } @@ -174,10 +204,30 @@ implements ServletRequestAware, ServletResponseAware { } public String downloadXMLConfig() { - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; + Object formidobj = session.getAttribute(Constants.SESSION_FORMID); + if (formidobj != null && formidobj instanceof String) { + String formid = (String) formidobj; + if (!formid.equals(formID)) { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + } else { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + session.setAttribute(Constants.SESSION_FORMID, null); + if (authUser.isAdmin()) { log.info("Write MOA-ID 2.x xml config"); @@ -194,6 +244,9 @@ implements ServletRequestAware, ServletResponseAware { if (moaidconfig == null) { log.info("No MOA-ID 2.x configruation available"); addActionError(LanguageHelper.getErrorString("errors.importexport.export.noconfig")); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } @@ -208,11 +261,17 @@ implements ServletRequestAware, ServletResponseAware { log.info("MOA-ID 2.x configruation could not be exported into a XML file.", e); addActionError(LanguageHelper.getErrorString("errors.importexport.export", new Object[]{e.getMessage()})); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } catch (IOException e) { log.info("MOA-ID 2.x configruation could not be exported into a XML file.", e); addActionError(LanguageHelper.getErrorString("errors.importexport.export", new Object[]{e.getMessage()})); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } @@ -230,10 +289,30 @@ implements ServletRequestAware, ServletResponseAware { public String importXMLConfig() { - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; + Object formidobj = session.getAttribute(Constants.SESSION_FORMID); + if (formidobj != null && formidobj instanceof String) { + String formid = (String) formidobj; + if (!formid.equals(formID)) { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + } else { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + session.setAttribute(Constants.SESSION_FORMID, null); + if (authUser.isAdmin()) { if (fileUpload == null) { @@ -271,6 +350,9 @@ implements ServletRequestAware, ServletResponseAware { log.warn("MOA-ID XML configuration can not be loaded from File.", e); addActionError(LanguageHelper.getErrorString("errors.importexport.import", new Object[]{e.getMessage()})); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } @@ -360,4 +442,19 @@ implements ServletRequestAware, ServletResponseAware { public InputStream getFileInputStream() { return fileInputStream; } + + /** + * @return the formID + */ + public String getFormID() { + return formID; + } + + /** + * @param formID the formID to set + */ + public void setFormID(String formID) { + this.formID = formID; + } + } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java index 6078caa87..545a84800 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java @@ -1,34 +1,77 @@ package at.gv.egovernment.moa.id.configuration.struts.action; +import java.util.ArrayList; import java.util.Date; +import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; +import org.apache.commons.lang.StringEscapeUtils; import org.apache.log4j.Logger; import org.apache.struts2.interceptor.ServletRequestAware; import org.apache.struts2.interceptor.ServletResponseAware; +import org.joda.time.DateTime; +import org.opensaml.common.SAMLObject; +import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.binding.decoding.HTTPPostDecoder; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeStatement; +import org.opensaml.saml2.core.Conditions; +import org.opensaml.saml2.core.NameID; +import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.StatusCode; +import org.opensaml.saml2.core.Subject; +import org.opensaml.saml2.core.SubjectConfirmation; +import org.opensaml.saml2.core.SubjectConfirmationData; +import org.opensaml.saml2.metadata.IDPSSODescriptor; +import org.opensaml.security.MetadataCredentialResolver; +import org.opensaml.security.MetadataCredentialResolverFactory; +import org.opensaml.security.MetadataCriteria; +import org.opensaml.security.SAMLSignatureProfileValidator; +import org.opensaml.ws.transport.http.HttpServletRequestAdapter; +import org.opensaml.xml.parse.BasicParserPool; +import org.opensaml.xml.security.CriteriaSet; +import org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.security.criteria.EntityIDCriteria; +import org.opensaml.xml.security.criteria.UsageCriteria; +import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver; +import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; +import org.opensaml.xml.security.keyinfo.KeyInfoProvider; +import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider; +import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider; +import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider; +import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine; import com.opensymphony.xwork2.ActionSupport; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; +import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom; import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException; import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper; +import at.gv.egovernment.moa.id.configuration.helper.DateTimeHelper; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; -import at.gv.egovernment.moa.id.configuration.validation.UserDatabaseFormValidator; +import at.gv.egovernment.moa.id.configuration.helper.MailHelper; import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.util.MiscUtil; public class IndexAction extends ActionSupport implements ServletRequestAware, ServletResponseAware { + private static final long serialVersionUID = -2781497863862504896L; + private static final Logger log = Logger.getLogger(IndexAction.class); private HttpServletRequest request; @@ -36,6 +79,11 @@ public class IndexAction extends ActionSupport implements ServletRequestAware, private String password; private String username; + private UserDatabaseFrom user = null; + private AuthenticatedUser authUser = null; + private String formID; + + private String ssologouturl; public String start() { @@ -80,12 +128,12 @@ public class IndexAction extends ActionSupport implements ServletRequestAware, return Constants.STRUTS_ERROR; } else { - if (!dbuser.isIsActive()) { - log.warn("Username " + dbuser.getUsername() + " is not active"); + if (!dbuser.isIsActive() || !dbuser.isIsUsernamePasswordAllowed()) { + log.warn("Username " + dbuser.getUsername() + " is not active or Username/Password login is not allowed"); addActionError(LanguageHelper.getErrorString("webpages.index.login.notallowed")); return Constants.STRUTS_ERROR; } - + if (!dbuser.getPassword().equals(key)) { log.warn("Username " + dbuser.getUsername() + " use a false password"); addActionError(LanguageHelper.getErrorString("webpages.index.login.notallowed")); @@ -96,13 +144,18 @@ public class IndexAction extends ActionSupport implements ServletRequestAware, dbuser.getHjid(), dbuser.getGivenname(), dbuser.getFamilyname(), + dbuser.getInstitut(), dbuser.getUsername(), true, - dbuser.isIsAdmin()); + dbuser.isIsAdmin(), + dbuser.isIsMandateUser(), + false); - authuser.setLastLogin(dbuser.getLastLoginItem()); + Date date = DateTimeHelper.parseDateTime(dbuser.getLastLogin()); + if (date != null) + authuser.setLastLogin(date);; - dbuser.setLastLoginItem(new Date()); + dbuser.setLastLogin(DateTimeHelper.getDateTime(new Date())); try { ConfigurationDBUtils.saveOrUpdate(dbuser); @@ -120,13 +173,515 @@ public class IndexAction extends ActionSupport implements ServletRequestAware, } } + public String pvp2login() { + + String method = request.getMethod(); + HttpSession session = request.getSession(); + if (session == null) { + log.info("NO HTTP Session"); + return Constants.STRUTS_ERROR; + } + + String authID = (String) session.getAttribute(Constants.SESSION_PVP2REQUESTID); + session.setAttribute(Constants.SESSION_PVP2REQUESTID, null); + + if (method.equals("POST")) { + + try { + ConfigurationProvider config = ConfigurationProvider.getInstance(); + + //Decode with HttpPost Binding + HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); + BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>(); + messageContext + .setInboundMessageTransport(new HttpServletRequestAdapter( + request)); + decode.decode(messageContext); + + Response samlResponse = (Response) messageContext.getInboundMessage(); + + Signature sign = samlResponse.getSignature(); + if (sign == null) { + log.info("Only http POST Requests can be used"); + addActionError(LanguageHelper.getErrorString("error.login")); + return Constants.STRUTS_ERROR; + } + + //Validate Signature + SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); + profileValidator.validate(sign); + + //Verify Signature + List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>(); + keyInfoProvider.add(new DSAKeyValueProvider()); + keyInfoProvider.add(new RSAKeyValueProvider()); + keyInfoProvider.add(new InlineX509DataProvider()); + + KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver( + keyInfoProvider); + + MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory(); + MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(config.getMetaDataProvier()); + + CriteriaSet criteriaSet = new CriteriaSet(); + criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS)); + criteriaSet.add(new EntityIDCriteria(config.getPVP2IDPMetadataEntityName())); + criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); + + ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver); + trustEngine.validate(sign, criteriaSet); + + log.info("PVP2 Assertion is valid"); + + if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { + + List<org.opensaml.saml2.core.Assertion> saml2assertions = samlResponse.getAssertions(); + + if (MiscUtil.isEmpty(authID)) { + log.info("NO AuthRequestID"); + return Constants.STRUTS_ERROR; + } + + for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { + + Subject subject = saml2assertion.getSubject(); + List<SubjectConfirmation> subjectconformlist = subject.getSubjectConfirmations(); + for (SubjectConfirmation el : subjectconformlist) { + if (el.getMethod().equals(SubjectConfirmation.METHOD_BEARER)) { + SubjectConfirmationData date = el.getSubjectConfirmationData(); + + if (!authID.equals(date.getInResponseTo())) { + log.warn("PVPRequestID does not match PVP2 Assertion ID!"); + return Constants.STRUTS_ERROR; + + } + } + } + + Conditions conditions = saml2assertion.getConditions(); + DateTime notbefore = conditions.getNotBefore(); + DateTime notafter = conditions.getNotOnOrAfter(); + if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { + log.warn("PVP2 Assertion is out of Date"); + return Constants.STRUTS_ERROR; + + } + + NameID nameID = subject.getNameID(); + if (nameID == null) { + log.warn("No NameID element in PVP2 assertion!"); + return Constants.STRUTS_ERROR; + } + + String bpkwbpk = nameID.getNameQualifier() + "+" + nameID.getValue(); + + //search user + UserDatabase dbuser = ConfigurationDBRead.getUserWithUserBPKWBPK(bpkwbpk); + if (dbuser == null) { + log.info("No user found with bpk/wbpk " + bpkwbpk); + + //read PVP2 assertion attributes; + user = new UserDatabaseFrom(); + user.setActive(false); + user.setAdmin(false); + user.setBpk(bpkwbpk); + user.setIsusernamepasswordallowed(false); + user.setIsmandateuser(false); + user.setPVPGenerated(true); + + authUser = new AuthenticatedUser(); + authUser.setAdmin(false); + authUser.setAuthenticated(false); + authUser.setLastLogin(null); + authUser.setUserID(-1); + authUser.setUserName(null); + authUser.setPVP2Login(true); + authUser.setMandateUser(false); + + //loop through the nodes to get what we want + List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements(); + for (int i = 0; i < attributeStatements.size(); i++) + { + List<Attribute> attributes = attributeStatements.get(i).getAttributes(); + for (int x = 0; x < attributes.size(); x++) + { + String strAttributeName = attributes.get(x).getDOM().getAttribute("Name"); + + if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME)) { + user.setFamilyName(attributes.get(x).getAttributeValues().get(0).getDOM().getTextContent()); + authUser.setFamilyName(user.getFamilyName()); + } + + if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME)) { + user.setGivenName(attributes.get(x).getAttributeValues().get(0).getDOM().getTextContent()); + authUser.setGivenName(user.getGivenName()); + } + + if (strAttributeName.equals(PVPConstants.MANDATE_TYPE_NAME)) { + authUser.setMandateUser(true); + user.setIsmandateuser(true); + } + + if (strAttributeName.equals(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME)) { + user.setInstitut(attributes.get(x).getAttributeValues().get(0).getDOM().getTextContent()); + authUser.setInstitute(user.getInstitut()); + } + } + } + + //set Random value + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); + session.setAttribute(Constants.SESSION_FORM, user); + session.setAttribute(Constants.SESSION_AUTH, authUser); + + ConfigurationDBUtils.closeSession(); + + return Constants.STRUTS_NEWUSER; + + } else { + if (!dbuser.isIsActive()) { + + if (!dbuser.isIsMailAddressVerified()) { + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); + + user = new UserDatabaseFrom(dbuser); + authUser = new AuthenticatedUser( + dbuser.getHjid(), + dbuser.getGivenname(), + dbuser.getFamilyname(), + dbuser.getInstitut(), + dbuser.getUsername(), + false, + false, + dbuser.isIsMandateUser(), + true); + session.setAttribute(Constants.SESSION_FORM, user); + session.setAttribute(Constants.SESSION_AUTH, authUser); + + return Constants.STRUTS_NEWUSER; + + } + + log.info("User with bpk/wbpk " + bpkwbpk + " is not active"); + addActionError(LanguageHelper.getErrorString("webpages.index.username.notactive")); + return Constants.STRUTS_ERROR; + } + + authUser = new AuthenticatedUser( + dbuser.getHjid(), + dbuser.getGivenname(), + dbuser.getFamilyname(), + dbuser.getInstitut(), + dbuser.getUsername(), + true, + dbuser.isIsAdmin(), + dbuser.isIsMandateUser(), + true); + + Date date = DateTimeHelper.parseDateTime(dbuser.getLastLogin()); + if (date != null) + authUser.setLastLogin(date);; + + dbuser.setLastLogin(DateTimeHelper.getDateTime(new Date())); + + try { + ConfigurationDBUtils.saveOrUpdate(dbuser); + + } catch (MOADatabaseException e) { + log.warn("UserDatabase communicaton error", e); + addActionError(LanguageHelper.getErrorString("error.login")); + return Constants.STRUTS_ERROR; + } + finally { + ConfigurationDBUtils.closeSession(); + } + session.setAttribute(Constants.SESSION_AUTH, authUser); + return Constants.STRUTS_SUCCESS; + + } + } + + log.info("PVP2 Assertion was maybe not well formed, because no Assertion element could be found."); + addActionError(LanguageHelper.getErrorString("error.login")); + return Constants.STRUTS_ERROR; + + } else { + log.info("Receive Error Assertion."); + return Constants.STRUTS_ERROR; + } + + } catch (Exception e) { + log.warn("Only http POST Requests can be used", e); + addActionError(LanguageHelper.getErrorString("error.login")); + return Constants.STRUTS_ERROR; + } + + } else { + log.info("Only http POST Requests can be used"); + addActionError(LanguageHelper.getErrorString("error.login")); + return Constants.STRUTS_ERROR; + } + } + + public String requestNewUser() { + + HttpSession session = request.getSession(); + if (session == null) { + log.warn("No active Session found"); + return Constants.STRUTS_ERROR; + } + + Object formidobj = session.getAttribute(Constants.SESSION_FORMID); + if (formidobj != null && formidobj instanceof String) { + String formid = (String) formidobj; + if (!formid.equals(formID)) { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + } else { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + session.setAttribute(Constants.SESSION_FORMID, null); + + Object sessionformobj = session.getAttribute(Constants.SESSION_FORM); + if (sessionformobj != null && sessionformobj instanceof UserDatabaseFrom) { + UserDatabaseFrom sessionform = (UserDatabaseFrom) sessionformobj; + + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); + authUser = (AuthenticatedUser) authUserObj; + + if (user == null) { + log.warn("No form transmited"); + return Constants.STRUTS_ERROR; + } + + //get UserID + String useridobj = user.getUserID(); + long userID = -1; + if (MiscUtil.isEmpty(useridobj)) { + userID = -1; + + } else { + if (!ValidationHelper.validateOAID(useridobj)){ + log.warn("User with ID " + authUser.getUserID() + + " would access UserDatabase ID " + useridobj); + addActionError(LanguageHelper.getErrorString("errors.edit.user.notallowed", request)); + return Constants.STRUTS_ERROR; + } + userID = Long.valueOf(useridobj); + } + + String check; + if (!sessionform.isIsmandateuser()) { + check = user.getInstitut(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("Organisation contains potentail XSS characters: " + check); + addActionError(LanguageHelper.getErrorString("validation.edituser.institut.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } else { + log.warn("Organisation is empty"); + addActionError(LanguageHelper.getErrorString("validation.edituser.institut.empty")); + } + } + + check = user.getMail(); + if (MiscUtil.isNotEmpty(check)) { + if (!ValidationHelper.isEmailAddressFormat(check)) { + log.warn("Mailaddress is not valid: " + check); + addActionError(LanguageHelper.getErrorString("validation.edituser.mail.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } else { + log.warn("Mailaddress is empty"); + addActionError(LanguageHelper.getErrorString("validation.edituser.mail.empty")); + } + + check = user.getPhone(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("Phonenumber contains potentail XSS characters: " + check); + addActionError(LanguageHelper.getErrorString("validation.edituser.phone.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } else { + log.warn("Phonenumber is empty"); + addActionError(LanguageHelper.getErrorString("validation.edituser.phone.empty")); + } + + if (hasActionErrors()) { + log.info("Some form errors found. Send user back to form"); + + user.setPVPGenerated(true); + user.setFamilyName(sessionform.getFamilyName()); + user.setGivenName(sessionform.getGivenName()); + user.setIsmandateuser(sessionform.isIsmandateuser()); + user.setBpk(sessionform.getBpk()); + + if (sessionform.isIsmandateuser()) + user.setInstitut(sessionform.getInstitut()); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); + + return Constants.STRUTS_NEWUSER; + } + + UserDatabase dbuser; + + if (userID < 0) { + dbuser = new UserDatabase(); + dbuser.setBpk(sessionform.getBpk()); + dbuser.setFamilyname(sessionform.getFamilyName()); + dbuser.setGivenname(sessionform.getGivenName()); + + if (sessionform.isIsmandateuser()) + dbuser.setInstitut(sessionform.getInstitut()); + else + dbuser.setInstitut(user.getInstitut()); + + dbuser.setIsPVP2Generated(true); + dbuser.setLastLogin(DateTimeHelper.getDateTime(new Date())); + dbuser.setIsActive(false); + dbuser.setIsAdmin(false); + dbuser.setIsMandateUser(sessionform.isIsmandateuser()); + dbuser.setIsUsernamePasswordAllowed(false); + + } else + dbuser = ConfigurationDBRead.getUserWithID(userID); + + dbuser.setMail(user.getMail()); + dbuser.setPhone(user.getPhone()); + dbuser.setIsAdminRequest(true); + dbuser.setIsMailAddressVerified(false); + dbuser.setUserRequestTokken(Random.nextRandom()); + + try { + ConfigurationDBUtils.saveOrUpdate(dbuser); + + MailHelper.sendUserMailAddressVerification(dbuser); + + } catch (MOADatabaseException e) { + log.warn("New UserRequest can not be stored in database", e); + return Constants.STRUTS_ERROR; + + } catch (ConfigurationException e) { + log.warn("Sending of mailaddress verification mail failed.", e); + addActionError(LanguageHelper.getErrorString("error.mail.send")); + return Constants.STRUTS_NEWUSER; + } + + finally { + session.setAttribute(Constants.SESSION_FORM, null); + session.setAttribute(Constants.SESSION_AUTH, null); + ConfigurationDBUtils.closeSession(); + } + + addActionMessage(LanguageHelper.getGUIString("webpages.edituser.changemailaddress.verify")); + + session.invalidate(); + + return Constants.STRUTS_SUCCESS; + + } else { + log.warn("No SessionForm found"); + return Constants.STRUTS_ERROR; + } + + } + + public String mailAddressVerification() { + + String userrequesttokken = request.getParameter(Constants.REQUEST_USERREQUESTTOKKEN); + if (MiscUtil.isNotEmpty(userrequesttokken)) { + + userrequesttokken = StringEscapeUtils.escapeHtml(userrequesttokken); + + try { + Long.parseLong(userrequesttokken); + + } catch (NumberFormatException e) { + log.warn("Verificationtokken has no number format."); + return Constants.STRUTS_ERROR; + } + + UserDatabase dbuser = ConfigurationDBRead.getNewUserWithTokken(userrequesttokken); + if (dbuser != null) { + dbuser.setUserRequestTokken(null); + dbuser.setIsMailAddressVerified(true); + + if (dbuser.isIsActive()) + dbuser.setIsAdminRequest(false); + + try { + ConfigurationDBUtils.saveOrUpdate(dbuser); + + int numoas = 0; + int numusers = 0; + + List<OnlineApplication> openOAs = ConfigurationDBRead.getAllNewOnlineApplications(); + if (openOAs != null) + numoas = openOAs.size(); + + List<UserDatabase> openUsers = ConfigurationDBRead.getAllNewUsers(); + if (openUsers != null) + numusers = openUsers.size(); + + if (numusers > 0 || numoas > 0) + MailHelper.sendAdminMail(numoas, numusers); + + } catch (MOADatabaseException e) { + log.warn("Userinformation can not be stored in Database.", e); + addActionError(LanguageHelper.getErrorString("error.mail.verification")); + + } catch (ConfigurationException e) { + log.warn("Send mail to admin failed.", e); + } + + finally { + ConfigurationDBUtils.closeSession(); + } + + addActionMessage(LanguageHelper.getGUIString("validation.newuser.mailaddress")); + return Constants.STRUTS_SUCCESS; + } + } + + return Constants.STRUTS_ERROR; + } + public String logout() { HttpSession session = request.getSession(); + + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); + authUser = (AuthenticatedUser) authUserObj; if (session != null) session.invalidate(); + try { + ConfigurationProvider config = ConfigurationProvider.getInstance(); + String ssologout = config.getSSOLogOutURL(); + + if (MiscUtil.isNotEmpty(ssologout) && authUser != null && authUser.isPVP2Login()) { + ssologouturl = ssologout + config.getPublicUrlPreFix(request); + return Constants.STRUTS_SSOLOGOUT; + + } + + } catch (ConfigurationException e) { + log.warn("Configuration can not be loaded.", e); + + } + return Constants.STRUTS_SUCCESS; } @@ -164,7 +719,46 @@ public class IndexAction extends ActionSupport implements ServletRequestAware, public void setUsername(String username) { this.username = username; } - - + /** + * @return the authUser + */ + public AuthenticatedUser getAuthUser() { + return authUser; + } + + /** + * @return the user + */ + public UserDatabaseFrom getUser() { + return user; + } + + /** + * @param user the user to set + */ + public void setUser(UserDatabaseFrom user) { + this.user = user; + } + + /** + * @return the ssologouturl + */ + public String getSsologouturl() { + return ssologouturl; + } + + /** + * @return the formID + */ + public String getFormID() { + return formID; + } + + /** + * @param formID the formID to set + */ + public void setFormID(String formID) { + this.formID = formID; + } } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java index f5f265ea6..da3c99714 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java @@ -5,6 +5,7 @@ import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import org.apache.log4j.Logger; import org.apache.struts2.interceptor.ServletRequestAware; @@ -22,6 +23,7 @@ import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; import at.gv.egovernment.moa.id.configuration.data.OAListElement; import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException; +import at.gv.egovernment.moa.id.configuration.helper.FormDataHelper; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper; import at.gv.egovernment.moa.util.MiscUtil; @@ -48,8 +50,13 @@ public class ListOAsAction extends ActionSupport implements ServletRequestAware, public String listAllOnlineAppliactions() { + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; @@ -65,8 +72,16 @@ public class ListOAsAction extends ActionSupport implements ServletRequestAware, dbOAs = authUserDB.getOnlineApplication(); } - addFormOAs(dbOAs); - + if (dbOAs == null || dbOAs.size() == 0) { + addActionError(LanguageHelper.getErrorString("errors.listOAs.noOA")); + + } else { + formOAs = FormDataHelper.addFormOAs(dbOAs); + } + + session.setAttribute(Constants.SESSION_RETURNAREA, + Constants.STRUTS_RETURNAREA_VALUES.main.name()); + ConfigurationDBUtils.closeSession(); return Constants.STRUTS_SUCCESS; @@ -86,8 +101,13 @@ public class ListOAsAction extends ActionSupport implements ServletRequestAware, } public String searchOA() { + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; @@ -125,32 +145,23 @@ public class ListOAsAction extends ActionSupport implements ServletRequestAware, } } - addFormOAs(dbOAs); - - ConfigurationDBUtils.closeSession(); - - return Constants.STRUTS_SUCCESS; - } - - private void addFormOAs(List<OnlineApplication> dbOAs) { - - formOAs = new ArrayList<OAListElement>(); if (dbOAs == null || dbOAs.size() == 0) { - addActionError(LanguageHelper.getErrorString("errors.listOAs.noOA", request)); + log.debug("No OAs found with Identifier " + friendlyname); + addActionError(LanguageHelper.getErrorString("errors.listOAs.noOA")); } else { - for (OnlineApplication dboa : dbOAs) { - OAListElement listoa = new OAListElement(); - listoa.setActive(dboa.isIsActive()); - listoa.setDataBaseID(dboa.getHjid()); - listoa.setOaFriendlyName(dboa.getFriendlyName()); - listoa.setOaIdentifier(dboa.getPublicURLPrefix()); - listoa.setOaType(dboa.getType()); - formOAs.add(listoa); - } + + formOAs = FormDataHelper.addFormOAs(dbOAs); + session.setAttribute(Constants.SESSION_RETURNAREA, + Constants.STRUTS_RETURNAREA_VALUES.main.name()); + } - } + + ConfigurationDBUtils.closeSession(); + return Constants.STRUTS_SUCCESS; + } + public void setServletResponse(HttpServletResponse arg0) { this.response = arg0; } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/MainAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/MainAction.java index aeafe9548..c80d5484d 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/MainAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/MainAction.java @@ -2,7 +2,9 @@ package at.gv.egovernment.moa.id.configuration.struts.action; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; +import org.apache.log4j.Logger; import org.apache.struts2.interceptor.ServletRequestAware; import org.apache.struts2.interceptor.ServletResponseAware; @@ -14,6 +16,8 @@ import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException; public class MainAction implements ServletRequestAware, ServletResponseAware { + private static final Logger log = Logger.getLogger(MainAction.class); + private HttpServletRequest request; private HttpServletResponse response; @@ -30,8 +34,17 @@ public class MainAction implements ServletRequestAware, public String generateMainFrame() { - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } + + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; + + session.setAttribute(Constants.SESSION_RETURNAREA, null); + return Constants.STRUTS_SUCCESS; } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/OpenAdminRequestsAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/OpenAdminRequestsAction.java new file mode 100644 index 000000000..aa36d768a --- /dev/null +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/OpenAdminRequestsAction.java @@ -0,0 +1,106 @@ +package at.gv.egovernment.moa.id.configuration.struts.action; + +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; + +import org.apache.log4j.Logger; +import org.apache.struts2.interceptor.ServletRequestAware; +import org.apache.struts2.interceptor.ServletResponseAware; + +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; +import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; +import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; +import at.gv.egovernment.moa.id.configuration.Constants; +import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; +import at.gv.egovernment.moa.id.configuration.data.OAListElement; +import at.gv.egovernment.moa.id.configuration.helper.FormDataHelper; + +import com.opensymphony.xwork2.ActionSupport; + +public class OpenAdminRequestsAction extends ActionSupport + implements ServletRequestAware, ServletResponseAware { + + private static final Logger log = Logger.getLogger(OpenAdminRequestsAction.class); + + private static final long serialVersionUID = 1L; + + private HttpServletRequest request; + private HttpServletResponse response; + + private AuthenticatedUser authUser = null; + private List<OAListElement> formOAs = null; + private List<AuthenticatedUser> userlist = null; + + + public String init() { + + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } + + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); + + authUser = (AuthenticatedUser) authUserObj; + + if (authUser.isAdmin()) { + + List<OnlineApplication> dbOAs = ConfigurationDBRead.getAllNewOnlineApplications(); + if (dbOAs != null) { + formOAs = FormDataHelper.addFormOAs(dbOAs); + } + + List<UserDatabase> dbUsers = ConfigurationDBRead.getAllNewUsers(); + if (dbUsers != null){ + userlist = FormDataHelper.addFormUsers(dbUsers); + } + + session.setAttribute(Constants.SESSION_RETURNAREA, + Constants.STRUTS_RETURNAREA_VALUES.adminRequestsInit.name()); + + return Constants.STRUTS_SUCCESS; + } else { + log.info("Access to OpenAdminRequest area is not allowed for user with ID" + authUser.getUserID()); + return Constants.STRUTS_NOTALLOWED; + } + + } + + + public void setServletResponse(HttpServletResponse response) { + this.response = response; + } + + public void setServletRequest(HttpServletRequest request) { + this.request = request; + } + + + /** + * @return the authUser + */ + public AuthenticatedUser getAuthUser() { + return authUser; + } + + + /** + * @return the formOAs + */ + public List<OAListElement> getFormOAs() { + return formOAs; + } + + + /** + * @return the userlist + */ + public List<AuthenticatedUser> getUserlist() { + return userlist; + } + +} diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java index 2a9ec038f..6bc90a417 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java @@ -1,11 +1,12 @@ package at.gv.egovernment.moa.id.configuration.struts.action; -import java.util.ArrayList; -import java.util.Date; +import java.io.ByteArrayInputStream; +import java.io.InputStream; import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import org.apache.log4j.Logger; import org.apache.struts2.interceptor.ServletRequestAware; @@ -18,10 +19,14 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom; +import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException; import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper; +import at.gv.egovernment.moa.id.configuration.helper.FormDataHelper; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; +import at.gv.egovernment.moa.id.configuration.helper.MailHelper; import at.gv.egovernment.moa.id.configuration.validation.UserDatabaseFormValidator; import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper; +import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.util.MiscUtil; import com.opensymphony.xwork2.ActionSupport; @@ -43,30 +48,34 @@ public class UserManagementAction extends ActionSupport private String useridobj = null; private static boolean newUser = false; + private InputStream stream; + private String nextPage; + private String formID; public String init() { - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; - + if (authUser.isAdmin()) { + log.info("Show NewserRequests"); + log.info("Show UserList"); List<UserDatabase> dbuserlist = ConfigurationDBRead.getAllUsers(); + if (dbuserlist != null) { - userlist = new ArrayList<AuthenticatedUser>(); - - for (UserDatabase dbuser : dbuserlist) { - userlist.add(new AuthenticatedUser( - dbuser.getHjid(), - dbuser.getGivenname(), - dbuser.getFamilyname(), - dbuser.getUsername(), - dbuser.isIsActive(), - dbuser.isIsAdmin())); - } + userlist = FormDataHelper.addFormUsers(dbuserlist); } + + session.setAttribute(Constants.SESSION_RETURNAREA, + Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name()); ConfigurationDBUtils.closeSession(); return Constants.STRUTS_SUCCESS; @@ -79,20 +88,37 @@ public class UserManagementAction extends ActionSupport } user = new UserDatabaseFrom(dbuser); ConfigurationDBUtils.closeSession(); + + session.setAttribute(Constants.SESSION_RETURNAREA, + Constants.STRUTS_RETURNAREA_VALUES.main.name()); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); + return Constants.STRUTS_NOTALLOWED; } } public String createuser() { - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } + + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; + nextPage = Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name(); if (authUser.isAdmin()) { user = new UserDatabaseFrom(); newUser = true; + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_SUCCESS; } else { @@ -101,10 +127,27 @@ public class UserManagementAction extends ActionSupport } public String edituser() { - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; + Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA); + if (nextPageAttr != null && nextPageAttr instanceof String + && MiscUtil.isNotEmpty((String)nextPageAttr) ) { + nextPage = (String) nextPageAttr; + + } else { + nextPage = Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name(); + } + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); + if (authUser.isAdmin()) { long userid = -1; @@ -136,11 +179,31 @@ public class UserManagementAction extends ActionSupport } } - public String saveuser() { - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + public String saveuser() { + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; + Object formidobj = session.getAttribute(Constants.SESSION_FORMID); + if (formidobj != null && formidobj instanceof String) { + String formid = (String) formidobj; + if (!formid.equals(formID)) { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + } else { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + session.setAttribute(Constants.SESSION_FORMID, null); + String useridobj = user.getUserID(); long userID = -1; if (MiscUtil.isEmpty(useridobj)) { @@ -156,9 +219,30 @@ public class UserManagementAction extends ActionSupport userID = Long.valueOf(useridobj); } + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userID); + + if( dbuser == null) { + dbuser = new UserDatabase(); + dbuser.setIsMandateUser(false); + dbuser.setIsAdminRequest(false); + dbuser.setIsPVP2Generated(false); + dbuser.setUserRequestTokken(null); + dbuser.setIsMailAddressVerified(false); + dbuser.setUsername(user.getUsername()); + } + List<String> errors; UserDatabaseFormValidator validator = new UserDatabaseFormValidator(); - errors = validator.validate(user, userID); + + boolean ispvp2 = false; + boolean ismandate = false; + if (dbuser.isIsPVP2Generated() != null) + ispvp2 = dbuser.isIsPVP2Generated(); + + if (dbuser.isIsMandateUser() != null) + ismandate = dbuser.isIsMandateUser(); + + errors = validator.validate(user, userID, ispvp2, ismandate); if (errors.size() > 0) { log.info("UserDataForm has some erros."); @@ -169,6 +253,14 @@ public class UserManagementAction extends ActionSupport if (MiscUtil.isEmpty(user.getUsername())) newUser = true; + user.setIsmandateuser(ismandate); + user.setPVPGenerated(ispvp2); + if (dbuser.isIsUsernamePasswordAllowed() != null) + user.setIsusernamepasswordallowed(dbuser.isIsUsernamePasswordAllowed()); + + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); + return Constants.STRUTS_ERROR_VALIDATION; } @@ -181,8 +273,49 @@ public class UserManagementAction extends ActionSupport } } - - String error = saveFormToDB(); + + if (!user.getMail().equals(dbuser.getMail()) && !authUser.isAdmin()) { + dbuser.setIsMailAddressVerified(false); + dbuser.setUserRequestTokken(Random.nextRandom()); + + try { + MailHelper.sendUserMailAddressVerification(dbuser); + addActionMessage(LanguageHelper.getGUIString("webpages.edituser.changemailaddress.verify")); + + } catch (ConfigurationException e) { + log.warn("Sending of mailaddress verification mail failed.", e); + addActionError(LanguageHelper.getErrorString("error.mail.send")); + } + } + + Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA); + if (nextPageAttr != null && nextPageAttr instanceof String + && MiscUtil.isNotEmpty((String)nextPageAttr) ) { + nextPage = (String) nextPageAttr; + + if (nextPage.equals(Constants.STRUTS_RETURNAREA_VALUES.adminRequestsInit.name()) && + user.isActive()) { + dbuser.setIsAdminRequest(false); + try { + if (dbuser.isIsMandateUser()) + MailHelper.sendUserAccountActivationMail(dbuser.getGivenname(), dbuser.getFamilyname(), + dbuser.getInstitut(), user.getMail()); + else + MailHelper.sendUserAccountActivationMail(dbuser.getGivenname(), dbuser.getFamilyname(), + null, user.getMail()); + + } catch (ConfigurationException e) { + log.warn("Send UserAccountActivation mail failed", e); + } + } + session.setAttribute(Constants.SESSION_RETURNAREA, null); + + } else { + nextPage = Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name(); + } + + String error = saveFormToDB(dbuser); + if (error != null) { log.warn("UserData can not be stored in Database"); addActionError(error); @@ -194,10 +327,30 @@ public class UserManagementAction extends ActionSupport } public String deleteuser() { - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; - + + Object formidobj = session.getAttribute(Constants.SESSION_FORMID); + if (formidobj != null && formidobj instanceof String) { + String formid = (String) formidobj; + if (!formid.equals(formID)) { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + } else { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + session.setAttribute(Constants.SESSION_FORMID, null); + String useridobj = user.getUserID(); long userID = -1; if (MiscUtil.isEmpty(useridobj)) { @@ -222,6 +375,16 @@ public class UserManagementAction extends ActionSupport } } + Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA); + if (nextPageAttr != null && nextPageAttr instanceof String + && MiscUtil.isNotEmpty((String)nextPageAttr) ) { + nextPage = (String) nextPageAttr; + session.setAttribute(Constants.SESSION_RETURNAREA, null); + + } else { + nextPage = Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name(); + } + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userID); if (dbuser != null) { dbuser.setOnlineApplication(null); @@ -230,8 +393,22 @@ public class UserManagementAction extends ActionSupport ConfigurationDBUtils.saveOrUpdate(dbuser); ConfigurationDBUtils.delete(dbuser); + if (authUser.isAdmin()) { + MailHelper.sendUserAccountRevocationMail(dbuser); + } + + if (dbuser.getHjid() == authUser.getUserID()) { + ConfigurationDBUtils.closeSession(); + return Constants.STRUTS_REAUTHENTICATE; + } + } catch (MOADatabaseException e) { - log.warn("UserData can not be deleted from Database"); + log.warn("UserData can not be deleted from Database", e); + addActionError(e.getMessage()); + return Constants.STRUTS_SUCCESS; + + } catch (ConfigurationException e) { + log.warn("Information mail sending failed.", e); addActionError(e.getMessage()); return Constants.STRUTS_SUCCESS; } @@ -242,39 +419,93 @@ public class UserManagementAction extends ActionSupport } ConfigurationDBUtils.closeSession(); + return Constants.STRUTS_SUCCESS; } - private String saveFormToDB() { + public String sendVerificationMail () { + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } - UserDatabase dbuser = ConfigurationDBRead.getUserWithUserName(user.getUsername()); + String message = LanguageHelper.getErrorString("error.mail.verification"); - if( dbuser == null) { - dbuser = new UserDatabase(); + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); + authUser = (AuthenticatedUser) authUserObj; + + if (authUser != null) { + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(authUser.getUserID()); + + if (dbuser != null) { + dbuser.setIsMailAddressVerified(false); + dbuser.setUserRequestTokken(Random.nextRandom()); + + try { + ConfigurationDBUtils.saveOrUpdate(dbuser); + + MailHelper.sendUserMailAddressVerification(dbuser); + + message = LanguageHelper.getErrorString("webpages.edituser.verify.mail.message"); + + } catch (ConfigurationException e) { + log.warn("Sending of mailaddress verification mail failed.", e); + message = LanguageHelper.getErrorString("error.mail.send"); + + } catch (MOADatabaseException e) { + log.warn("Access UserInformationDatabase failed.", e); + } + } } - dbuser.setBpk(user.getBpk()); - dbuser.setFamilyname(user.getFamilyName()); - dbuser.setGivenname(user.getGivenName()); - dbuser.setInstitut(user.getInstitut()); + stream = new ByteArrayInputStream(message.getBytes()); + + return SUCCESS; + } + + private String saveFormToDB(UserDatabase dbuser) { + dbuser.setMail(user.getMail()); dbuser.setPhone(user.getPhone()); - dbuser.setUsername(user.getUsername()); - if (authUser.isAdmin()) { - dbuser.setIsActive(user.isActive()); - dbuser.setIsAdmin(user.isAdmin()); + if (authUser.isAdmin() || dbuser.isIsUsernamePasswordAllowed()) { + dbuser.setIsUsernamePasswordAllowed(user.isIsusernamepasswordallowed()); + + if (authUser.isAdmin()) { + dbuser.setIsActive(user.isActive()); + dbuser.setIsAdmin(user.isAdmin()); + + } } - if (MiscUtil.isNotEmpty(user.getPassword())) { - String key = AuthenticationHelper.generateKeyFormPassword(user.getPassword()); - if (key == null) { - return LanguageHelper.getErrorString("errors.edit.user.save"); + if (dbuser.isIsPVP2Generated() == null || !dbuser.isIsPVP2Generated()) { + dbuser.setFamilyname(user.getFamilyName()); + dbuser.setGivenname(user.getGivenName()); + dbuser.setInstitut(user.getInstitut()); + + if (authUser.isAdmin()) + dbuser.setBpk(user.getBpk()); + + } else { + if (!dbuser.isIsMandateUser()) + dbuser.setInstitut(user.getInstitut()); + } + + if (dbuser.isIsUsernamePasswordAllowed()) { + + if (MiscUtil.isNotEmpty(user.getUsername()) && MiscUtil.isEmpty(dbuser.getUsername())) + dbuser.setUsername(user.getUsername()); + + if (MiscUtil.isNotEmpty(user.getPassword())) { + String key = AuthenticationHelper.generateKeyFormPassword(user.getPassword()); + if (key == null) { + return LanguageHelper.getErrorString("errors.edit.user.save"); + } + dbuser.setPassword(key); } - dbuser.setPassword(key); } - try { ConfigurationDBUtils.saveOrUpdate(dbuser); } catch (MOADatabaseException e) { @@ -284,27 +515,7 @@ public class UserManagementAction extends ActionSupport return null; } - -// public String createTestUser() throws MOADatabaseException { -// -// UserDatabase user = new UserDatabase(); -// user.setBpk(""); -// user.setFamilyname("Max"); -// user.setGivenname("Mustermann"); -// user.setIsActive(true); -// user.setIsAdmin(false); -// user.setInstitut("EGIZ"); -// user.setLastLoginItem(new Date()); -// user.setMail("masdf@amfasdf.com"); -// user.setPhone("00660011542"); -// user.setUsername("testuser"); -// -// ConfigurationDBUtils.save(user); -// -// return Constants.STRUTS_SUCCESS; -// } - - + public void setServletResponse(HttpServletResponse response) { this.response = response; @@ -370,7 +581,33 @@ public class UserManagementAction extends ActionSupport public boolean isNewUser() { return newUser; } - - + + /** + * @return the nextPage + */ + public String getNextPage() { + return nextPage; + } + + /** + * @return the stream + */ + public InputStream getStream() { + return stream; + } + + /** + * @return the formID + */ + public String getFormID() { + return formID; + } + + /** + * @param formID the formID to set + */ + public void setFormID(String formID) { + this.formID = formID; + } } |