Diffstat (limited to 'id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java')
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java538
1 files changed, 280 insertions, 258 deletions
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
index e36a880ba..e4acd8152 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
@@ -33,7 +33,6 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
-import org.apache.log4j.Logger;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.xml.SAMLConstants;
@@ -41,6 +40,7 @@ import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
+import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.EncryptedAssertion;
@@ -84,263 +84,285 @@ import at.gv.egovernment.moa.id.demoOA.Constants;
import at.gv.egovernment.moa.id.demoOA.PVPConstants;
import at.gv.egovernment.moa.id.demoOA.utils.ApplicationBean;
import at.gv.egovernment.moa.id.demoOA.utils.SAML2Utils;
+import lombok.extern.slf4j.Slf4j;
+@Slf4j
public class DemoApplication extends HttpServlet {
- Logger log = Logger.getLogger(DemoApplication.class);
-
- private static final long serialVersionUID = -2129228304760706063L;
-
-
-
- private void process(HttpServletRequest request,
- HttpServletResponse response) throws ServletException, IOException {
-
-
- ApplicationBean bean = new ApplicationBean();
-
- log.debug("Receive request on secure-area endpoint ...");
-
- String method = request.getMethod();
- HttpSession session = request.getSession();
- if (session == null) {
- log.info("NO HTTP Session");
- bean.setErrorMessage("NO HTTP session");
- setAnser(request, response, bean);
- return;
- }
-
- try {
- Configuration config = Configuration.getInstance();
- Response samlResponse = null;
-
- if (method.equals("GET")) {
- log.debug("Find possible SAML2 Redirect-Binding response ...");
- HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(new BasicParserPool());
- BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
-
- messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
- messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
-
- messageContext.setMetadataProvider(config.getMetaDataProvier());
-
- MetadataCredentialResolver resolver = new MetadataCredentialResolver(config.getMetaDataProvier());
- List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
- keyInfoProvider.add(new DSAKeyValueProvider());
- keyInfoProvider.add(new RSAKeyValueProvider());
- keyInfoProvider.add(new InlineX509DataProvider());
- KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
- keyInfoProvider);
- ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
- resolver, keyInfoResolver);
-
- SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(engine);
- SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
- BasicSecurityPolicy policy = new BasicSecurityPolicy();
- policy.getPolicyRules().add(signatureRule);
- policy.getPolicyRules().add(signedRole);
- SecurityPolicyResolver resolver1 = new StaticSecurityPolicyResolver(policy);
- messageContext.setSecurityPolicyResolver(resolver1);
-
- decode.decode(messageContext);
-
- log.info("PVP2 Assertion with Redirect-Binding is valid");
-
- } else if (method.equals("POST")) {
- log.debug("Find possible SAML2 Post-Binding response ...");
- //Decode with HttpPost Binding
- HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
- BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
- messageContext
- .setInboundMessageTransport(new HttpServletRequestAdapter(
- request));
- decode.decode(messageContext);
-
- samlResponse = (Response) messageContext.getInboundMessage();
-
- Signature sign = samlResponse.getSignature();
- if (sign == null) {
- log.info("Only http POST Requests can be used");
- bean.setErrorMessage("Only http POST Requests can be used");
- setAnser(request, response, bean);
- return;
- }
-
- //Validate Signature
- SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
- profileValidator.validate(sign);
-
- //Verify Signature
- List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
- keyInfoProvider.add(new DSAKeyValueProvider());
- keyInfoProvider.add(new RSAKeyValueProvider());
- keyInfoProvider.add(new InlineX509DataProvider());
-
- KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
- keyInfoProvider);
-
- MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();
- MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(config.getMetaDataProvier());
-
- CriteriaSet criteriaSet = new CriteriaSet();
- criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
- criteriaSet.add(new EntityIDCriteria(config.getPVP2IDPMetadataEntityName()));
- criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
-
- ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
- trustEngine.validate(sign, criteriaSet);
-
- log.info("PVP2 Assertion with POST-Binding is valid");
-
- } else {
- bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding.");
- setAnser(request, response, bean);
- return;
-
- }
-
-
- if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
-
- List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
-
- //check encrypted Assertion
- List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
- if (encryAssertionList != null && encryAssertionList.size() > 0) {
- //decrypt assertions
-
- log.debug("Found encryped assertion. Start decryption ...");
-
- KeyStore keyStore = config.getPVP2KeyStore();
-
- X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
- keyStore,
- config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(),
- config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
-
-
- StaticKeyInfoCredentialResolver skicr =
- new StaticKeyInfoCredentialResolver(authDecCredential);
-
- ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
- encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
- encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
- encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
-
- Decrypter samlDecrypter =
- new Decrypter(null, skicr, encryptedKeyResolver);
-
- for (EncryptedAssertion encAssertion : encryAssertionList) {
- saml2assertions.add(samlDecrypter.decrypt(encAssertion));
-
- }
-
- log.debug("Assertion decryption finished. ");
-
- } else {
- saml2assertions = samlResponse.getAssertions();
-
- }
-
- samlResponse.getAssertions().clear();
- samlResponse.getAssertions().addAll(saml2assertions);
-
- //set assertion
- org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse);
- String assertion = DOMUtils.serializeNode(doc);
- bean.setAssertion(assertion);
-
- String principleId = null;
- String givenName = null;
- String familyName = null;
- String birthday = null;
-
- for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
-
- try {
- principleId = saml2assertion.getSubject().getNameID().getValue();
-
- } catch (Exception e) {
- log.warn("Can not read SubjectNameId", e);
- }
-
- //loop through the nodes to get what we want
- List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements();
- for (int i = 0; i < attributeStatements.size(); i++)
- {
- List<Attribute> attributes = attributeStatements.get(i).getAttributes();
- for (int x = 0; x < attributes.size(); x++)
- {
- String strAttributeName = attributes.get(x).getDOM().getAttribute("Name");
-
- if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME))
- familyName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
- if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME))
- givenName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
-
- if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) {
- birthday = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
- }
- }
- }
- request.getSession().setAttribute(Constants.SESSION_NAMEIDFORMAT,
- saml2assertion.getSubject().getNameID().getFormat());
- request.getSession().setAttribute(Constants.SESSION_NAMEID,
- saml2assertion.getSubject().getNameID().getValue());
-
- }
-
- bean.setPrincipleId(principleId);
- bean.setDateOfBirth(birthday);
- bean.setFamilyName(familyName);
- bean.setGivenName(givenName);
- bean.setLogin(true);
-
- setAnser(request, response, bean);
- return;
-
-
- } else {
- bean.setErrorMessage("Der Anmeldevorgang wurde abgebrochen.<br>Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion.");
- setAnser(request, response, bean);
- return;
-
- }
-
- } catch (Exception e) {
- log.warn(e);
- bean.setErrorMessage("Internal Error: " + e.getMessage());
- setAnser(request, response, bean);
- return;
- }
-
- }
-
- private void setAnser(HttpServletRequest request, HttpServletResponse response, ApplicationBean answersBean) throws ServletException, IOException {
- // store bean in session
- request.setAttribute("answers", answersBean);
-
- // you now can forward to some view, for example some results.jsp
- request.getRequestDispatcher("demoapp.jsp").forward(request, response);
-
- }
-
- /**
- * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
- * response)
- */
- protected void doGet(HttpServletRequest request,
- HttpServletResponse response) throws ServletException, IOException {
-
- process(request, response);
- }
-
-
- /**
- * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
- * response)
- */
- protected void doPost(HttpServletRequest request,
- HttpServletResponse response) throws ServletException, IOException {
- process(request, response);
- }
+
+ private static final long serialVersionUID = -2129228304760706063L;
+
+ private void process(HttpServletRequest request,
+ HttpServletResponse response) throws ServletException, IOException {
+
+ final ApplicationBean bean = new ApplicationBean();
+
+ log.debug("Receive request on secure-area endpoint ...");
+
+ final String method = request.getMethod();
+ final HttpSession session = request.getSession();
+ if (session == null) {
+ log.info("NO HTTP Session");
+ bean.setErrorMessage("NO HTTP session");
+ setAnser(request, response, bean);
+ return;
+ }
+
+ try {
+ final Configuration config = Configuration.getInstance();
+ Response samlResponse = null;
+
+ if (method.equals("GET")) {
+ log.debug("Find possible SAML2 Redirect-Binding response ...");
+ final HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(new BasicParserPool());
+ final BasicSAMLMessageContext<Response, ?, ?> messageContext =
+ new BasicSAMLMessageContext<>();
+
+ messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
+ messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
+
+ messageContext.setMetadataProvider(config.getMetaDataProvier());
+
+ final MetadataCredentialResolver resolver = new MetadataCredentialResolver(config
+ .getMetaDataProvier());
+ final List<KeyInfoProvider> keyInfoProvider = new ArrayList<>();
+ keyInfoProvider.add(new DSAKeyValueProvider());
+ keyInfoProvider.add(new RSAKeyValueProvider());
+ keyInfoProvider.add(new InlineX509DataProvider());
+ final KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+ keyInfoProvider);
+ final ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
+ resolver, keyInfoResolver);
+
+ final SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
+ engine);
+ final SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
+ final BasicSecurityPolicy policy = new BasicSecurityPolicy();
+ policy.getPolicyRules().add(signatureRule);
+ policy.getPolicyRules().add(signedRole);
+ final SecurityPolicyResolver resolver1 = new StaticSecurityPolicyResolver(policy);
+ messageContext.setSecurityPolicyResolver(resolver1);
+
+ decode.decode(messageContext);
+
+ log.info("PVP2 Assertion with Redirect-Binding is valid");
+
+ } else if (method.equals("POST")) {
+ log.debug("Find possible SAML2 Post-Binding response ...");
+ // Decode with HttpPost Binding
+ final HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
+ final BasicSAMLMessageContext<Response, ?, ?> messageContext =
+ new BasicSAMLMessageContext<>();
+ messageContext
+ .setInboundMessageTransport(new HttpServletRequestAdapter(
+ request));
+ decode.decode(messageContext);
+
+ samlResponse = (Response) messageContext.getInboundMessage();
+
+ final Signature sign = samlResponse.getSignature();
+ if (sign == null) {
+ log.info("Only http POST Requests can be used");
+ bean.setErrorMessage("Only http POST Requests can be used");
+ setAnser(request, response, bean);
+ return;
+ }
+
+ // Validate Signature
+ final SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
+ profileValidator.validate(sign);
+
+ // Verify Signature
+ final List<KeyInfoProvider> keyInfoProvider = new ArrayList<>();
+ keyInfoProvider.add(new DSAKeyValueProvider());
+ keyInfoProvider.add(new RSAKeyValueProvider());
+ keyInfoProvider.add(new InlineX509DataProvider());
+
+ final KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+ keyInfoProvider);
+
+ final MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory
+ .getFactory();
+ final MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(config
+ .getMetaDataProvier());
+
+ final CriteriaSet criteriaSet = new CriteriaSet();
+ criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME,
+ SAMLConstants.SAML20P_NS));
+ criteriaSet.add(new EntityIDCriteria(config.getPVP2IDPMetadataEntityName()));
+ criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
+
+ final ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(
+ credentialResolver, keyInfoResolver);
+ trustEngine.validate(sign, criteriaSet);
+
+ log.info("PVP2 Assertion with POST-Binding is valid");
+
+ } else {
+ bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding.");
+ setAnser(request, response, bean);
+ return;
+
+ }
+
+ if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+
+ final List<org.opensaml.saml2.core.Assertion> saml2assertions =
+ new ArrayList<>();
+
+ // check encrypted Assertion
+ final List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
+ if (encryAssertionList != null && encryAssertionList.size() > 0) {
+ // decrypt assertions
+
+ log.debug("Found encryped assertion. Start decryption ...");
+
+ final KeyStore keyStore = config.getPVP2KeyStore();
+
+ final X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
+ keyStore,
+ config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(),
+ config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
+
+ final StaticKeyInfoCredentialResolver skicr =
+ new StaticKeyInfoCredentialResolver(authDecCredential);
+
+ final ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+ encryptedKeyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
+ encryptedKeyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
+ encryptedKeyResolver.getResolverChain().add(new SimpleRetrievalMethodEncryptedKeyResolver());
+
+ final Decrypter samlDecrypter =
+ new Decrypter(null, skicr, encryptedKeyResolver);
+
+ for (final EncryptedAssertion encAssertion : encryAssertionList) {
+ final Assertion decryptedAssertion = samlDecrypter.decrypt(encAssertion);
+ samlResponse.getAssertions().add(decryptedAssertion);
+ log.debug("Decrypted Assertion: " + DOMUtils.serializeNode(SAML2Utils.asDOMDocument(
+ decryptedAssertion)));
+
+ }
+
+ log.debug("Assertion decryption finished. ");
+
+ } else {
+ log.debug("Assertiojn is not encryted. Use it as it is");
+
+ }
+
+ // set assertion
+ final org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse);
+ final String assertion = DOMUtils.serializeNode(doc);
+ bean.setAssertion(assertion);
+
+ String principleId = null;
+ String givenName = null;
+ String familyName = null;
+ String birthday = null;
+
+ log.debug("Find #" + samlResponse.getAssertions().size() + " assertions after decryption");
+
+ for (final org.opensaml.saml2.core.Assertion saml2assertion : samlResponse.getAssertions()) {
+
+ try {
+ principleId = saml2assertion.getSubject().getNameID().getValue();
+
+ } catch (final Exception e) {
+ log.warn("Can not read SubjectNameId", e);
+ }
+
+ // loop through the nodes to get what we want
+ final List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements();
+ for (final AttributeStatement attributeStatement : attributeStatements) {
+ final List<Attribute> attributes = attributeStatement.getAttributes();
+ for (final Attribute attribute : attributes) {
+
+ final String strAttributeName = attribute.getName();
+
+ log.debug("Find attribute with name: " + strAttributeName + " and value: "
+ + attribute.getAttributeValues().get(0).getDOM().getNodeValue());
+
+ if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME)) {
+ familyName = attribute.getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+
+ }
+
+ if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME)) {
+ givenName = attribute.getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+
+ }
+
+ if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) {
+ birthday = attribute.getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+
+ }
+
+ if (strAttributeName.equals(PVPConstants.BPK_NAME)) {
+ principleId = attribute.getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+
+ }
+ }
+ }
+ request.getSession().setAttribute(Constants.SESSION_NAMEIDFORMAT,
+ saml2assertion.getSubject().getNameID().getFormat());
+ request.getSession().setAttribute(Constants.SESSION_NAMEID,
+ saml2assertion.getSubject().getNameID().getValue());
+
+ }
+
+ bean.setPrincipleId(principleId);
+ bean.setDateOfBirth(birthday);
+ bean.setFamilyName(familyName);
+ bean.setGivenName(givenName);
+ bean.setLogin(true);
+
+ setAnser(request, response, bean);
+ return;
+
+ } else {
+ bean.setErrorMessage(
+ "Der Anmeldevorgang wurde abgebrochen.<br>Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion.");
+ setAnser(request, response, bean);
+ return;
+
+ }
+
+ } catch (final Exception e) {
+ log.warn(e.getMessage(), e);
+ bean.setErrorMessage("Internal Error: " + e.getMessage());
+ setAnser(request, response, bean);
+ return;
+ }
+
+ }
+
+ private void setAnser(HttpServletRequest request, HttpServletResponse response, ApplicationBean answersBean)
+ throws ServletException, IOException {
+ // store bean in session
+ request.setAttribute("answers", answersBean);
+
+ // you now can forward to some view, for example some results.jsp
+ request.getRequestDispatcher("demoapp.jsp").forward(request, response);
+
+ }
+
+ /**
+ * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
+ * response)
+ */
+ @Override
+ protected void doGet(HttpServletRequest request,
+ HttpServletResponse response) throws ServletException, IOException {
+
+ process(request, response);
+ }
+
+ /**
+ * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
+ * response)
+ */
+ @Override
+ protected void doPost(HttpServletRequest request,
+ HttpServletResponse response) throws ServletException, IOException {
+ process(request, response);
+ }
}
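Review bot: The GET branch (lines 316-349) never takes the decoded message out of `messageContext`, so `samlResponse` is still null when line 409 dereferences it and every Redirect-binding response ends in the generic "Internal Error" path after a successful signature check. Either add `samlResponse = (Response) messageContext.getInboundMessage();` right after `decode.decode(messageContext);` as the POST branch does, or drop the branch, since the fallback text already states that only POST-Binding is supported. Separately, the new debug statements at lines 442-443 and 483-484 write the whole decrypted assertion and each attribute value (bPK, names, birth date) into the log, which moves the data the IdP encrypted into plain text on the log host; the value printed at line 484 is `getDOM().getNodeValue()` on an element node, which is null, so that statement leaks intent without even being useful, and `getAttributeValues().get(0)` there throws on an attribute with no values before the existing `getFirstChild()` reads are reached. Neither branch checks the assertion's Conditions (AudienceRestriction, NotBefore/NotOnOrAfter) or the Response's `InResponseTo`/`Destination`, so a captured response appears to be accepted again at any later time; that may be intended for a demo OA, but a `// NOTE: demo only - no Conditions, InResponseTo or replay validation` comment at the top of the success block would stop it being copied as a reference implementation.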