Diffstat (limited to 'id/ConfigWebTool/src/main')
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java15
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java5
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/Authenticate.java51
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java13
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java48
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java2
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java26
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java6
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java29
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java3
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java2
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java6
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java57
-rw-r--r--id/ConfigWebTool/src/main/resources/applicationResources_de.properties4
-rw-r--r--id/ConfigWebTool/src/main/resources/applicationResources_en.properties4
15 files changed, 189 insertions, 82 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java
index 332adaa80..104ea51f5 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java
@@ -32,6 +32,7 @@ import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.x509.BasicX509Credential;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier;
public class MetaDataVerificationFilter implements MetadataFilter {
@@ -43,31 +44,31 @@ public class MetaDataVerificationFilter implements MetadataFilter {
}
- public void doFilter(XMLObject metadata) throws FilterException {
+ public void doFilter(XMLObject metadata) throws SignatureValidationException {
+
if (metadata instanceof EntitiesDescriptor) {
EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata;
-
if(entitiesDescriptor.getSignature() == null) {
- throw new FilterException("Root element of metadata file has to be signed", null);
+ throw new SignatureValidationException("Root element of metadata file has to be signed");
}
try {
processEntitiesDescriptor(entitiesDescriptor);
} catch (MOAIDException e) {
- throw new FilterException("Invalid Metadata file Root element is no EntitiesDescriptor", null);
+ throw new SignatureValidationException("Invalid signature element in EntitiesDescriptor");
}
- } if (metadata instanceof EntityDescriptor) {
+ } if (metadata instanceof EntityDescriptor) {
try {
EntityDescriptor entity = (EntityDescriptor) metadata;
if (entity.getSignature() != null)
EntityVerifier.verify(entity, this.credential);
else
- throw new FilterException("Root element of metadata file has to be signed", null);
+ throw new SignatureValidationException("Root element of metadata file has to be signed", null);
} catch (MOAIDException e) {
- throw new FilterException("Invalid Metadata file Root element is no EntitiesDescriptor", null);
+ throw new SignatureValidationException("Invalid signature element in EntityDescriptor", null);
}
}
}
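Review bot: A metadata root that is neither an `EntitiesDescriptor` nor an `EntityDescriptor` passes this filter without any signature check, because the second `if` has no `else` and the method simply returns; add a trailing `else { throw new SignatureValidationException("Unsupported metadata root element"); }` so unknown roots fail closed, and if `} if (metadata instanceof EntityDescriptor)` was meant to read `} else if (...)`, fix that too. In the `catch (MOAIDException e)` of the EntitiesDescriptor branch the cause is dropped, so the actual verification failure never reaches the log; pass `e` through if `SignatureValidationException` has a cause-taking constructor (the two-argument form is called with `null` further down, but its parameter type is not visible here). The change of the `throws` clause from `FilterException` to `SignatureValidationException` only compiles if the latter extends `FilterException`, since `MetadataFilter.doFilter` declares `FilterException`.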
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java
index 3d66a4b19..3b2e0bd08 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java
@@ -125,7 +125,10 @@ public class PVP2Utils {
log.warn("Encode PVP 2.1 message FAILED.", e);
throw new PVP2Exception("Encode PVP 2.1 message FAILED.", e);
- }
+ } catch (Exception ex) {
+ log.warn("Initialization exception", ex);
+ throw new PVP2Exception("Initializing Velocity engine FAILED.", ex);
+ }
}
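Review bot: The new `catch (Exception ex)` also catches every unchecked exception thrown by the preceding try block and relabels it as `Initializing Velocity engine FAILED.`, which misleads whoever reads the log when the real failure is, say, a NullPointerException in message encoding. Narrow it to the exception types the Velocity initialisation actually declares, or keep a neutral message such as `throw new PVP2Exception("Encode PVP 2.1 message FAILED (unexpected error).", ex);`. The enclosing method and its try block start outside the hunk.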
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/Authenticate.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/Authenticate.java
index 390b8c476..a511a3c88 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/Authenticate.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/Authenticate.java
@@ -75,33 +75,42 @@ public class Authenticate extends HttpServlet {
private static final long serialVersionUID = 1L;
private static final Logger log = LoggerFactory
- .getLogger(Authenticate.class);
- /**
- * @see HttpServlet#HttpServlet()
- */
- public Authenticate() {
- super();
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ .getLogger(Authenticate.class);
+
+ private static DocumentBuilderFactory factory = null;
+
+ static {
+ initialDocumentBuilderFactory();
+ }
+
+ synchronized private static void initialDocumentBuilderFactory() {
+ factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
+
+ }
+
+ public Document asDOMDocument(XMLObject object) throws IOException,
+ MarshallingException, TransformerException, ParserConfigurationException {
try {
- builder = factory.newDocumentBuilder();
+ DocumentBuilder builder = null;
+ synchronized (factory) {
+ builder = factory.newDocumentBuilder();
+
+ }
+
+ Document document = builder.newDocument();
+ Marshaller out = Configuration.getMarshallerFactory().getMarshaller(
+ object);
+ out.marshall(object, document);
+ return document;
+
} catch (ParserConfigurationException e) {
log.warn("PVP2 AuthenticationServlet can not be initialized.", e);
-
+ throw e;
}
+
}
-
- DocumentBuilder builder;
-
- public Document asDOMDocument(XMLObject object) throws IOException,
- MarshallingException, TransformerException {
- Document document = builder.newDocument();
- Marshaller out = Configuration.getMarshallerFactory().getMarshaller(
- object);
- out.marshall(object, document);
- return document;
- }
-
+
protected void process(HttpServletRequest request,
HttpServletResponse response, Map<String,String> legacyParameter) throws ServletException, IOException {
try {
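Review bot: The static `factory` field is mutable and initialised through a `synchronized` static method called from a static initialiser; class initialisation already runs once under the JVM's class-init lock, so the lock buys nothing while the non-final field stays reassignable (and `synchronized private static` is an unusual modifier order). Declare it `private static final` and initialise it from a small factory method, which keeps the `synchronized (factory)` block in `asDOMDocument` working unchanged. The log message `"PVP2 AuthenticationServlet can not be initialized."` in the rethrow branch is now emitted per `asDOMDocument` call rather than at servlet construction, so it should name what failed, e.g. `log.warn("Creating a DocumentBuilder for PVP2 marshalling FAILED.", e);`, and `DocumentBuilder builder = null;` can be declared without the dead initialiser. `process` continues outside the hunk.
```java
private static final DocumentBuilderFactory factory = newDocumentBuilderFactory();

// Static initialisation is serialised by the JVM, so no extra lock is needed here.
private static DocumentBuilderFactory newDocumentBuilderFactory() {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setNamespaceAware(true);
    return f;
}

// … unchanged: asDOMDocument (still synchronises on factory around newDocumentBuilder) …
```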
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
index 957479b29..8ac7b40d4 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
@@ -437,23 +437,23 @@ public class ConfigurationProvider {
return parseVersionFromManifest();
}
- public String getCertStoreDirectory() throws CertificateException {
+ public String getCertStoreDirectory() throws ConfigurationException {
String dir = props.getProperty("general.ssl.certstore");
if (MiscUtil.isNotEmpty(dir))
return FileUtils.makeAbsoluteURL(dir, configRootDir);
else
- throw new CertificateException("No SSLCertStore configured use default JAVA TrustStore.");
+ throw new ConfigurationException("No SSLCertStore configured use default JAVA TrustStore.");
}
- public String getTrustStoreDirectory() throws CertificateException {
+ public String getTrustStoreDirectory() throws ConfigurationException {
String dir = props.getProperty("general.ssl.truststore");
if (MiscUtil.isNotEmpty(dir))
return FileUtils.makeAbsoluteURL(dir, configRootDir);
else
- throw new CertificateException("No SSLTrustStore configured use default JAVA TrustStore.");
+ throw new ConfigurationException("No SSLTrustStore configured use default JAVA TrustStore.");
}
@@ -462,6 +462,11 @@ public class ConfigurationProvider {
}
+ public boolean isPVPMetadataSchemaValidationActive() {
+ return Boolean.parseBoolean(props.getProperty("general.pvp.schemavalidation", "true"));
+
+ }
+
private void initalPVP2Login() throws ConfigurationException {
try {
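Review bot: `Boolean.parseBoolean` returns false for any value other than a case-insensitive `true`, so a typo such as `yes` or `1` in `general.pvp.schemavalidation` silently switches schema validation off — a fail-open outcome for a validation control, even though the `"true"` default itself is the right choice. Keep the default but treat anything other than `true`/`false` as a configuration error, or at least log it with whatever logger this class uses: `String raw = props.getProperty("general.pvp.schemavalidation", "true"); if (!raw.equalsIgnoreCase("true") && !raw.equalsIgnoreCase("false")) log.warn("Unexpected value for general.pvp.schemavalidation: " + raw);`. A one-line Javadoc stating that the default is `true` would also help callers.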
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java
index 0e65b7dca..a9c914f74 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java
@@ -30,6 +30,7 @@ import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA;
import at.gv.egovernment.moa.id.commons.db.dao.config.BKUURLS;
import at.gv.egovernment.moa.id.commons.db.dao.config.DefaultBKUs;
@@ -40,6 +41,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType;
import at.gv.egovernment.moa.id.commons.db.dao.config.TemplatesType;
import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials;
+import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentialsCredentialOIDItem;
import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType;
import at.gv.egovernment.moa.id.configuration.Constants;
import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
@@ -207,8 +209,9 @@ public class OAAuthenticationData implements IOnlineApplicationData {
}
if (oaauth.getTestCredentials() != null) {
- enableTestCredentials = oaauth.getTestCredentials().isEnableTestCredentials();
- testCredentialOIDs = oaauth.getTestCredentials().getCredentialOID();
+ enableTestCredentials = oaauth.getTestCredentials().isEnableTestCredentials();
+ testCredentialOIDs = new ArrayList<String>();
+ testCredentialOIDs.addAll(oaauth.getTestCredentials().getCredentialOID());
}
@@ -315,12 +318,20 @@ public class OAAuthenticationData implements IOnlineApplicationData {
if (enableTestCredentials) {
TestCredentials testing = authoa.getTestCredentials();
- if (testing == null)
- testing = new TestCredentials();
-
- testing.setEnableTestCredentials(enableTestCredentials);
+ if (testing != null)
+ ConfigurationDBUtils.delete(testing);
+
+ testing = new TestCredentials();
+ authoa.setTestCredentials(testing);
+ testing.setEnableTestCredentials(enableTestCredentials);
testing.setCredentialOID(testCredentialOIDs);
+ } else {
+ TestCredentials testing = authoa.getTestCredentials();
+ if (testing != null) {
+ testing.setEnableTestCredentials(false);
+ }
+
}
return null;
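Review bot: `testing.setCredentialOID(testCredentialOIDs)` is now called on a freshly created `TestCredentials` with whatever the form field holds, and since `setTestCredentialOIDs` (later hunk) leaves the field untouched on empty input, a new form object hands over null here; whether the generated entity accepts `setCredentialOID(null)` is not visible, so guard with `testing.setCredentialOID(testCredentialOIDs != null ? testCredentialOIDs : new ArrayList<String>());`. Deleting the old entity via `ConfigurationDBUtils.delete(testing)` while `authoa` still references it leaves a window in which the parent points at a removed row; calling `authoa.setTestCredentials(...)` before the delete, or clearing and reusing the existing entity, avoids that if the persistence layer cares. The enclosing method starts and ends outside the hunk.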
@@ -576,12 +587,14 @@ public class OAAuthenticationData implements IOnlineApplicationData {
*/
public String getTestCredentialOIDs() {
String value = null;
- for (String el : testCredentialOIDs) {
- if (value == null)
- value = el;
- else
- value += "," + el;
+ if (testCredentialOIDs != null) {
+ for (String el : testCredentialOIDs) {
+ if (value == null)
+ value = el;
+ else
+ value += "," + el;
+ }
}
return value;
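Review bot: Building the result with `value += "," + el` allocates a new String per element; a `StringBuilder` does the same in one pass and makes the null/empty case explicit: `if (testCredentialOIDs == null || testCredentialOIDs.isEmpty()) return null;` followed by a `StringBuilder` join. The null check added here is the only hint a reader gets that the field can be null — a short Javadoc line on the getter, `Returns the OIDs joined by ',' or null when none are set.`, would document that. The method's closing brace lies outside the hunk.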
@@ -595,12 +608,13 @@ public class OAAuthenticationData implements IOnlineApplicationData {
* @param testCredentialOIDs the testCredentialOIDs to set
*/
public void setTestCredentialOIDs(String testCredentialOIDs) {
- String[] oidList = testCredentialOIDs.split(",");
+ if (MiscUtil.isNotEmpty(testCredentialOIDs)) {
+ String[] oidList = testCredentialOIDs.split(",");
- this.testCredentialOIDs = new ArrayList<String>();
- for (int i=0; i<oidList.length; i++)
- this.testCredentialOIDs.add(oidList[i].trim());
+ this.testCredentialOIDs = new ArrayList<String>();
+ for (int i=0; i<oidList.length; i++)
+ this.testCredentialOIDs.add(oidList[i].trim());
+ }
}
-
-
+
}
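Review bot: When the incoming string is empty the field is left as it was, so clearing the text field in the form does not clear previously set OIDs if the form object is reused; if the bean is fresh per request this is harmless, but `else this.testCredentialOIDs = null;` makes the intent explicit either way. `split(",")` keeps empty tokens, so a trailing comma produces an empty OID that later fails the root-OID check in `OAAuthenticationDataValidation`; skip blank tokens after `trim()` before adding them.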
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java
index 150cd959e..bb7bac4f8 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java
@@ -82,7 +82,7 @@ public class OATargetConfiguration implements IOnlineApplicationData {
*/
@Override
public List<String> parse(OnlineApplication dbOA,
- AuthenticatedUser authUser, HttpServletRequest request) {
+ AuthenticatedUser authUser, HttpServletRequest request) {
String target_full = dbOA.getTarget();
if (MiscUtil.isNotEmpty(target_full)) {
if (TargetValidator.isValidTarget(target_full)) {
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
index d13696d51..8ddeb9ebc 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
@@ -134,21 +134,20 @@ public class AuthenticationFilter implements Filter{
log.trace("Request URL: " + requestURL);
- AuthenticationManager authManager = AuthenticationManager.getInstance();
- if (!authManager.isActiveUser(authuser)) {
- //user is not active anymore. Invalidate session and reauthenticate user
- String authID = (String) session.getAttribute(Constants.SESSION_PVP2REQUESTID);
- session.invalidate();
- authuser = null;
+ AuthenticationManager authManager = AuthenticationManager.getInstance();
+ if (!authManager.isActiveUser(authuser) && !this.isExcluded(requestURL)) {
+ if (!this.isExcluded(requestURL)) {
+ //user is not active anymore. Invalidate session and reauthenticate user
+ String authID = (String) session.getAttribute(Constants.SESSION_PVP2REQUESTID);
+ session.invalidate();
+ authuser = null;
- //TODO: set infotext
-
- session = httpServletRequest.getSession(true);
- session.setAttribute(Constants.SESSION_PVP2REQUESTID, authID);
- }
-
- if (authuser == null && !this.isExcluded(requestURL)) {
+ //TODO: set infotext
+ session = httpServletRequest.getSession(true);
+ session.setAttribute(Constants.SESSION_PVP2REQUESTID, authID);
+ }
+
if (config.isLoginDeaktivated()) {
//add dummy Daten
log.warn("Authentication is deaktivated. Dummy authentication-information are used!");
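Review bot: The inner `if (!this.isExcluded(requestURL))` is redundant — the enclosing condition already requires `!this.isExcluded(requestURL)`, so it is always true and should be removed. The restructuring also changes behaviour: previously a session whose user is no longer active was invalidated on every request, now it survives on excluded URLs until the next non-excluded request — confirm that excluded resources cannot expose anything to a deactivated user. The merged condition further relies on `authManager.isActiveUser(null)` returning false for a never-authenticated request, since the old `authuser == null` test is gone; if that is the contract, say so, e.g. `// isActiveUser(null) is false: unauthenticated requests take the same path as deactivated users`. The enclosing method starts and ends outside the hunk.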
@@ -178,6 +177,7 @@ public class AuthenticationFilter implements Filter{
}
} else {
+
if (MiscUtil.isNotEmpty(getAuthenticatedPage())) {
log.debug("Unable to find authentication data. Authenticated page is given so there is no need to save original request url. " + (loginPageForward ? "Forwarding" : "Redirecting") + " to login page \"" + loginPage + "\".");
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java
index 150483dd8..e5ee5ac09 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java
@@ -60,10 +60,12 @@ public class FormDataHelper {
for (OnlineApplication dboa : dbOAs) {
- if ( !((dboa.isIsInterfederationIDP() != null && dboa.isIsInterfederationIDP()) ||
+ if ( !((dboa.isIsInterfederationIDP() != null && dboa.isIsInterfederationIDP()) ||
+ (dboa.isIsInterfederationGateway() != null && dboa.isIsInterfederationGateway()) ||
(dboa.getAuthComponentOA().getOASTORK() != null
&& dboa.getAuthComponentOA().getOASTORK().isVidpEnabled() != null
- && dboa.getAuthComponentOA().getOASTORK().isVidpEnabled()))) {
+ && dboa.getAuthComponentOA().getOASTORK().isVidpEnabled()) ||
+ (dboa.isIsInterfederationGateway() != null && dboa.isIsInterfederationGateway() ))) {
formOAs.add(addOAFormListElement(dboa, ServiceType.OA));
}
}
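Review bot: The clause `(dboa.isIsInterfederationGateway() != null && dboa.isIsInterfederationGateway())` is added twice in the same condition — once after the IDP test and again after the STORK test — so one of them is dead; drop the second so the condition reads as the three intended cases. A tiny helper such as `private static boolean isTrue(Boolean b) { return b != null && b; }` would also make the repeated `x != null && x` pattern readable. The enclosing method continues outside the hunk.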
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java
index 5a9787069..82390c49c 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java
@@ -291,8 +291,21 @@ public class BasicOAAction extends BasicAction {
} else {
- if (oaid == -1) {
- onlineapplication = ConfigurationDBRead.getOnlineApplication(oaidentifier);
+ if (oaid == -1) {
+ List<OnlineApplication> oaList = ConfigurationDBRead.getAllOnlineApplications();
+
+ if (oaList != null) {
+ for (OnlineApplication el : oaList) {
+ if (el.getPublicURLPrefix().startsWith(oaidentifier) )
+ onlineapplication = el;
+
+ }
+ }
+
+ if (onlineapplication == null) {
+ onlineapplication = ConfigurationDBRead.getOnlineApplication(oaidentifier);
+
+ }
setNewOA(true);
if (onlineapplication != null) {
log.info("The OAIdentifier is not unique");
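Review bot: Uniqueness is now tested with `el.getPublicURLPrefix().startsWith(oaidentifier)`, which is one-directional: a new identifier that is longer than an existing prefix (constructed example: existing `https://host/app`, new `https://host/app/sub`) is not caught, while a shorter one is. If no two OAs may share a URL prefix in either direction, test `el.getPublicURLPrefix().startsWith(oaidentifier) || oaidentifier.startsWith(el.getPublicURLPrefix())`, and decide whether `https://host/app` versus `https://host/application` should count as a clash — plain `startsWith` says it does, a check on a `/` boundary would not. `getPublicURLPrefix()` returning null throws inside the loop; guard it if the column is nullable. The second hunk of this file repeats the same lookup. The enclosing method starts outside the hunk.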
@@ -306,7 +319,17 @@ public class BasicOAAction extends BasicAction {
onlineapplication = ConfigurationDBRead.getOnlineApplication(oaid);
if (!oaidentifier.equals(onlineapplication.getPublicURLPrefix())) {
- if (ConfigurationDBRead.getOnlineApplication(oaidentifier) != null) {
+ OnlineApplication dbOA = null;
+ List<OnlineApplication> oaList = ConfigurationDBRead.getAllOnlineApplications();
+ for (OnlineApplication el : oaList) {
+ if (el.getPublicURLPrefix().startsWith(oaidentifier) )
+ dbOA = el;
+
+ }
+ if (dbOA == null)
+ dbOA = ConfigurationDBRead.getOnlineApplication(oaidentifier);
+
+ if ( (dbOA != null && !dbOA.getHjid().equals(oaid))) {
log.info("The OAIdentifier is not unique");
throw new BasicOAActionException(
LanguageHelper.getErrorString("validation.general.oaidentifier.notunique", request),
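Review bot: `dbOA.getHjid().equals(oaid)` only works if `oaid` boxes to the same type as `getHjid()` returns; if `oaid` is an `int`/`Integer` while `Hjid` is a `Long`, `Long.equals(Integer)` is always false and an OA whose own prefix starts with its new identifier is wrongly reported as not unique. Compare with `Long.valueOf(oaid)` or `dbOA.getHjid().longValue() == oaid` — which one applies depends on `oaid`'s declaration, which is outside the hunk. The prefix-direction issue raised on the first hunk applies here as well, and this loop lacks the `oaList != null` guard the first hunk has.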
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java
index 31c29aef0..4236c0d13 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java
@@ -241,6 +241,9 @@ public class EditGeneralConfigAction extends BasicAction {
}
MOAIDConfiguration dbconfig = ConfigurationDBRead.getMOAIDConfiguration();
+ if (dbconfig == null)
+ dbconfig = new MOAIDConfiguration();
+
AuthComponentGeneral dbauth = dbconfig.getAuthComponentGeneral();
if (dbauth == null) {
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java
index 7f7f083c9..335dbc91e 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java
@@ -133,7 +133,7 @@ public class ListOAsAction extends BasicAction {
} else {
if (ValidationHelper.containsPotentialCSSCharacter(friendlyname, false)) {
log.warn("SearchOA textfield contains potential XSS characters");
- addActionError(LanguageHelper.getErrorString("validation.general.oafriendlyname",
+ addActionError(LanguageHelper.getErrorString("validation.general.oafriendlyname.valid",
new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request));
return Constants.STRUTS_SUCCESS;
}
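Review bot: The message key is changed to `validation.general.oafriendlyname.valid`, but neither properties file in this commit adds that key; if it does not already exist in both bundles the user sees the raw key instead of the XSS warning. Confirm it is present in `applicationResources_de.properties` and `applicationResources_en.properties`. The method continues outside the hunk.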
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java
index fd40bd447..fd4226c5b 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java
@@ -147,12 +147,14 @@ public class OAAuthenticationDataValidation {
}
}
- if (form.isEnableTestCredentials()) {
+ if (form.isEnableTestCredentials()
+ && form.getTestCredialOIDList() != null && !form.getTestCredialOIDList().isEmpty()) {
for (String el : form.getTestCredialOIDList()) {
- if (!el.startsWith(MOAIDAuthConstants.TESTCREDENTIALROOTOID))
+ if (!el.startsWith(MOAIDAuthConstants.TESTCREDENTIALROOTOID)) {
log.warn("Test credential OID does not start with test credential root OID");
errors.add(LanguageHelper.getErrorString("validation.general.testcredentials.oid.valid",
new Object[] {el}, request ));
+ }
}
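Review bot: Moving the `getTestCredialOIDList() != null && !isEmpty()` test into the outer condition means enabling test credentials with an empty OID list now passes validation without any error, and the store code then persists `enableTestCredentials = true` with an empty or null OID list. Whether an enabled flag with no OIDs is meaningful at runtime is not visible here; if it is not, keep the outer `if (form.isEnableTestCredentials())` and add an error for the null/empty case, e.g. `errors.add(LanguageHelper.getErrorString("validation.general.testcredentials.oid.empty", request));` — that key is constructed and would need adding to both resource bundles. The enclosing method continues past the hunk.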
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
index 40e243d0b..37a170267 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
@@ -36,8 +36,10 @@ import javax.servlet.http.HttpServletRequest;
import org.apache.commons.httpclient.MOAHttpClient;
import org.apache.log4j.Logger;
import org.opensaml.Configuration;
+import org.opensaml.common.xml.SAMLSchemaBuilder;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.saml2.metadata.provider.MetadataFilterChain;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallerFactory;
@@ -58,6 +60,9 @@ import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
import at.gv.egovernment.moa.id.configuration.data.oa.OAPVP2Config;
import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter;
import at.gv.egovernment.moa.util.MiscUtil;
public class OAPVP2ConfigValidation {
@@ -126,17 +131,38 @@ public class OAPVP2ConfigValidation {
} catch (ConfigurationException e) {
log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.", e);
- }
+ }
+
+ List<MetadataFilter> filterList = new ArrayList<MetadataFilter>();
+ filterList.add(new MetaDataVerificationFilter(credential));
+
+ try {
+ filterList.add(new SchemaValidationFilter(
+ ConfigurationProvider.getInstance().isPVPMetadataSchemaValidationActive()));
+
+ } catch (ConfigurationException e) {
+ log.warn("Configuration access FAILED!", e);
+
+ }
+
+ MetadataFilterChain filter = new MetadataFilterChain();
+ filter.setFilters(filterList);
httpProvider =
new HTTPMetadataProvider(timer, httpClient, form.getMetaDataURL());
httpProvider.setParserPool(new BasicParserPool());
httpProvider.setRequireValidMetadata(true);
- httpProvider.setMetadataFilter(new MetaDataVerificationFilter(credential));
+ httpProvider.setMetadataFilter(filter);
httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
+
+ httpProvider.setRequireValidMetadata(true);
+
httpProvider.initialize();
+
+
+
if (httpProvider.getMetadata() == null) {
log.info("Metadata could be received but validation FAILED.");
errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.validation", request));
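Review bot: The `catch (ConfigurationException e)` around `new SchemaValidationFilter(...)` only logs a warning, so when the configuration cannot be read the metadata is accepted with signature verification but without schema validation — a fail-open path for a validation control. Since `isPVPMetadataSchemaValidationActive()` defaults to true anyway, fall back to `filterList.add(new SchemaValidationFilter(true));` inside the catch block, or add an error to `errors` and stop. `httpProvider.setRequireValidMetadata(true);` is now called twice; drop the second call. The `SAMLSchemaBuilder` import added in this commit is not used in any visible hunk — if it is unused elsewhere in the file, remove it. The enclosing method starts and ends outside the hunk.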
@@ -157,13 +183,28 @@ public class OAPVP2ConfigValidation {
} catch (MetadataProviderException e) {
- if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
- log.info("SSL Server certificate not trusted.", e);
- errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request));
+ try {
+ if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
+ log.info("SSL Server certificate not trusted.", e);
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request));
+
+ } else if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {
+ log.info("MetaDate verification failed", e);
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.sig", request));
+
+ } else if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
+ log.info("MetaDate verification failed", e);
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.schema", request));
+
+ } else {
+ log.info("MetaDate verification failed", e);
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request));
+ }
+
+ } catch (Exception e1) {
+ log.info("MetaDate verification failed", e1);
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request));
- } else {
- log.info("MetaDate verification failed", e);
- errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify", request));
}
} finally {
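Review bot: The classification depends on the exception being wrapped exactly twice (`e.getCause().getCause()`), so a filter exception surfaced with a different nesting depth by `MetadataFilterChain` or `HTTPMetadataProvider` silently falls into the generic branch and the user loses the specific signature/schema message; walking the whole cause chain is more robust. The surrounding `try { … } catch (Exception e1)` wraps only `instanceof` tests and `errors.add` calls, which throw no checked exceptions, and if something did throw it would log `e1` instead of the original `e` — so the wrapper should go. The method continues past the hunk.
```java
} catch (MetadataProviderException e) {
    if (hasCause(e, SSLHandshakeException.class)) {
        log.info("SSL Server certificate not trusted.", e);
        errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request));
    } else if (hasCause(e, SignatureValidationException.class)) {
        log.info("MetaDate verification failed", e);
        errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.sig", request));
    } else if (hasCause(e, SchemaValidationException.class)) {
        log.info("MetaDate verification failed", e);
        errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.schema", request));
    } else {
        log.info("MetaDate verification failed", e);
        errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request));
    }
} finally {
// … unchanged: finally block …

// New private helper elsewhere in the class: matches any link of the cause chain,
// so the result does not depend on how many layers wrap the filter exception.
private static boolean hasCause(Throwable t, Class<? extends Throwable> type) {
    for (Throwable c = t; c != null; c = c.getCause()) {
        if (type.isInstance(c)) {
            return true;
        }
    }
    return false;
}
```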
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
index 072f44981..c888a2d77 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
@@ -487,7 +487,9 @@ validation.stork.ap.attributes.valid=Ung\u00FCltige Attributconfiguration f\u00F
validation.pvp2.metadataurl.empty=Keine Metadaten URL angegeben.
validation.pvp2.metadataurl.valid=Die Metadaten URL wei\u00DFt kein g\u00FCltiges URL Format auf.
validation.pvp2.metadataurl.read=Unter der angegebenen Metadaten URL konnten keine Informationen abgerufen werden.
-validation.pvp2.metadata.verify=Die Metadaten konnten nicht mit dem angegebenen Zertifikat verifziert werden.
+validation.pvp2.metadata.verify.sig=Die Metadaten konnten nicht mit dem angegebenen Zertifikat verifziert werden.
+validation.pvp2.metadata.verify.schema=Die Schema-Validierung der Metadaten ist fehlgeschlagen.
+validation.pvp2.metadata.verify.general=Bei der Validierung der Metadaten ist ein allgemeiner Fehler aufgetreten.
validation.pvp2.certificate.format=Das angegebene PVP2 Zertifikat wei\u00DFt kein g\u00FCltiges Format auf.
validation.pvp2.certificate.notfound=Kein PVP2 Zertifikat eingef\u00FCgt.
validation.pvp2.metadata.ssl=Das SSL Serverzertifikat des Metadaten Service ist nicht vertrauensw\u00FCrdig.
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
index b717377e0..43dcfeac8 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
@@ -485,7 +485,9 @@ validation.stork.ap.attributes.valid=Invalid attribute configuration for Attribu
validation.pvp2.metadataurl.empty=There is no metadata URL provided.
validation.pvp2.metadataurl.valid=The metadata URL has invalid URL format .
validation.pvp2.metadataurl.read=No information could be found under provided URL.
-validation.pvp2.metadata.verify=The metadata could not be verified with the provided certificate.
+validation.pvp2.metadata.verify.sig=The metadata could not be verified with the provided certificate.
+validation.pvp2.metadata.verify.schema=Metadata schema validation FAILED.
+validation.pvp2.metadata.verify.general=Metadata validation has an generic error.
validation.pvp2.certificate.format=The provided PVP2 certificate has invalid format.
validation.pvp2.certificate.notfound=There is no PVP2 inserted.
validation.pvp2.metadata.ssl=The SSL server certificate is not trusted.