Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java299
1 files changed, 31 insertions, 268 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index e8564ad3c..25f0ba1d3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -94,7 +94,6 @@ import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator;
import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator;
import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator;
import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
-import at.gv.egovernment.moa.id.auth.validator.parep.ParepValidator;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentityLinkResponse;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClient;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException;
@@ -324,7 +323,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
* @throws BKUException
*/
public String verifyIdentityLink(AuthenticationSession session,
- Map infoboxReadResponseParameters) throws AuthenticationException,
+ Map<String, String> infoboxReadResponseParameters) throws AuthenticationException,
BuildException, ParseException, ConfigurationException,
ValidateException, ServiceException, BKUException {
@@ -399,7 +398,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
session.setIdentityLink(identityLink);
// now validate the extended infoboxes
- verifyInfoboxes(session, infoboxReadResponseParameters, false);
+ //Removed in MOA-ID 2.0
+ //verifyInfoboxes(session, infoboxReadResponseParameters, false);
return "found!";
}
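Review bot: The `verifyInfoboxes` call is commented out rather than removed, and with it the only place that initialized the session's extended SAML attribute lists (the deleted body further down did `session.setExtendedSAMLAttributesAUTH(new Vector())` and the OA counterpart), so every later reader of those lists now has to tolerate null. Commented-out code should be deleted and replaced by a why-comment, e.g. `// Extended infobox validation was removed in MOA-ID 2.0; the session's extended SAML attribute lists are no longer initialized here.`. verifyIdentityLink's body begins outside the hunk, so whether `infoboxReadResponseParameters` is still read elsewhere cannot be seen here.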
@@ -634,7 +634,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
* @throws BKUException
*/
public X509Certificate verifyXMLSignature(String sessionID,
- Map createXMLSignatureResponseParameters)
+ Map<String, String> createXMLSignatureResponseParameters)
throws AuthenticationException, BuildException, ParseException,
ConfigurationException, ValidateException, ServiceException, BKUException {
@@ -694,7 +694,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
* @throws BKUException
*/
public X509Certificate getCertificate(String sessionID,
- Map readInfoboxResponseParameters) throws AuthenticationException,
+ Map<String, String> readInfoboxResponseParameters) throws AuthenticationException,
BuildException, ParseException, ConfigurationException,
ValidateException, ServiceException, BKUException {
@@ -784,7 +784,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
// String oaURL = session.getPublicOAURLPrefix();
- List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+ List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
if (session.isSsoRequested()) {
@@ -812,254 +812,10 @@ public class AuthenticationServer implements MOAIDAuthConstants {
identificationType, oaURL, gebDat,
extendedSAMLAttributes, session, oaParam);
return authBlock;
- }
-
-
-
-
-
+ }
}
- /**
- * Verifies the infoboxes (except of the identity link infobox) returned by
- * the BKU by calling appropriate validator classes.
- *
- * @param session
- * The actual authentication session.
- * @param infoboxReadResponseParams
- * The parameters returned from the BKU as response to an infobox
- * read request (including the infobox tokens to be verified).
- * @param hideStammzahl
- * Indicates whether source pins (<code>Stammzahl</code>en)
- * should be hidden in any SAML attribute that may be returned by
- * a validator.
- *
- * @throws AuthenticationException
- * If the verification of at least one infobox fails.
- * @throws ConfigurationException
- * If the OAuthParameter cannot be extracted.
- */
- private void verifyInfoboxes(AuthenticationSession session,
- Map infoboxReadResponseParams, boolean hideStammzahl)
- throws ValidateException, ConfigurationException {
-
- AuthConfigurationProvider authConfigurationProvider = AuthConfigurationProvider
- .getInstance();
- // get the default VerifyInfobox parameters
- Map defaultInfoboxParameters = null;
-
- //removed in MOA-ID 2.0
-// VerifyInfoboxParameters defaultVerifyInfoboxParameters = authConfigurationProvider
-// .getDefaultVerifyInfoboxParameters();
-// if (defaultVerifyInfoboxParameters != null) {
-// defaultInfoboxParameters = defaultVerifyInfoboxParameters
-// .getInfoboxParameters();
-// }
-
- // get the OA specific VerifyInfobox parameters
- Map infoboxParameters = null;
- OAAuthParameter oaParam = authConfigurationProvider
- .getOnlineApplicationParameter(session.getPublicOAURLPrefix());
-
- //removed in MOAID 2.0
-// VerifyInfoboxParameters verifyInfoboxParameters = oaParam
-// .getVerifyInfoboxParameters();
-// VerifyInfoboxParameters verifyInfoboxParameters = null;
-
- session.setExtendedSAMLAttributesAUTH(new Vector()); // Initialize SAML
- // Attributes
- session.setExtendedSAMLAttributesOA(new Vector());
- // System.out.println("SAML set: " +
- // session.getExtendedSAMLAttributesAUTH().size());
-
- //removed in MOAID 2.0
-// if (verifyInfoboxParameters != null) {
-//
-// infoboxParameters = verifyInfoboxParameters.getInfoboxParameters();
-// // get the list of infobox identifiers
-// List identifiers = verifyInfoboxParameters.getIdentifiers();
-// if (identifiers != null) {
-// // step through the identifiers and verify the infoboxes
-// Iterator it = identifiers.iterator();
-// while (it.hasNext()) {
-// String identifier = (String) it.next();
-// // get the infobox read response from the map of parameters
-// String infoboxReadResponse = (String) infoboxReadResponseParams
-// .get(identifier);
-// // get the configuration parameters
-// VerifyInfoboxParameter verifyInfoboxParameter = null;
-// Object object = infoboxParameters.get(identifier);
-// // if not present, use default
-// if ((object == null) && (defaultInfoboxParameters != null)) {
-// object = defaultInfoboxParameters.get(identifier);
-// }
-// if (object != null) {
-// verifyInfoboxParameter = (VerifyInfoboxParameter) object;
-// }
-// if (infoboxReadResponse != null) {
-// if (verifyInfoboxParameter == null) {
-// // should not happen because of the pushinfobox
-// // mechanism; check it anyway
-// Logger.error("No validator for verifying \""
-// + identifier + "\"-infobox configured.");
-// throw new ValidateException("validator.41",
-// new Object[] { identifier });
-// } else {
-// String friendlyName = verifyInfoboxParameter
-// .getFriendlyName();
-// boolean isParepRequest = false;
-//
-// // parse the infobox read reponse
-// List infoboxTokenList = null;
-// try {
-// infoboxTokenList = ExtendedInfoboxReadResponseParser
-// .parseInfoboxReadResponse(
-// infoboxReadResponse,
-// friendlyName);
-// } catch (ParseException e) {
-// Logger
-// .error("InfoboxReadResponse for \""
-// + identifier
-// + "\"-infobox could not be parsed successfully: "
-// + e.getMessage());
-// throw new ValidateException("validator.43",
-// new Object[] { friendlyName });
-// }
-// // set compatibility mode for mandates infobox and
-// // all infoboxes (it is possible to be a parep
-// // infobox)
-// // session.setMandateCompatibilityMode(ParepConfiguration.isMandateCompatibilityMode(verifyInfoboxParameter.getApplicationSpecificParams()));
-// // check for party representation in mandates
-// // infobox
-// if (Constants.INFOBOXIDENTIFIER_MANDATES
-// .equalsIgnoreCase(identifier)
-// && !((infoboxTokenList == null || infoboxTokenList
-// .size() == 0))) {
-// // We need app specific parameters
-// if (null == verifyInfoboxParameter
-// .getApplicationSpecificParams()) {
-// throw new ValidateException("validator.66",
-// new Object[] { friendlyName });
-// }
-// Element mandate = ParepValidator
-// .extractPrimaryToken(infoboxTokenList);
-// // ParepUtils.serializeElement(mandate,
-// // System.out);
-// String mandateID = ParepUtils
-// .extractRepresentativeID(mandate);
-// if (!isEmpty(mandateID)
-// && ("*".equals(mandateID) || mandateID
-// .startsWith(MOAIDAuthConstants.PARTY_REPRESENTATION_OID_NUMBER))) {
-// isParepRequest = true;
-// }
-// if (!isParepRequest) {
-// // if mandates validator is disabled we must
-// // throw an error in this case
-// if (!ParepUtils
-// .isValidatorEnabled(verifyInfoboxParameter
-// .getApplicationSpecificParams())) {
-// throw new ValidateException(
-// "validator.60",
-// new Object[] { friendlyName });
-// }
-// }
-// }
-//
-// // get the class for validating the infobox
-// InfoboxValidator infoboxValidator = null;
-// try {
-// Class validatorClass = null;
-// if (isParepRequest) {
-// // Mandates infobox in party representation
-// // mode
-// validatorClass = Class
-// .forName("at.gv.egovernment.moa.id.auth.validator.parep.ParepValidator");
-// } else {
-// validatorClass = Class
-// .forName(verifyInfoboxParameter
-// .getValidatorClassName());
-// }
-// infoboxValidator = (InfoboxValidator) validatorClass
-// .newInstance();
-// } catch (Exception e) {
-// Logger
-// .error("Could not load validator class \""
-// + verifyInfoboxParameter
-// .getValidatorClassName()
-// + "\" for \""
-// + identifier
-// + "\"-infobox: "
-// + e.getMessage());
-// throw new ValidateException("validator.42",
-// new Object[] { friendlyName });
-// }
-// Logger
-// .debug("Successfully loaded validator class \""
-// + verifyInfoboxParameter
-// .getValidatorClassName()
-// + "\" for \""
-// + identifier
-// + "\"-infobox.");
-// // build the parameters for validating the infobox
-// InfoboxValidatorParams infoboxValidatorParams = InfoboxValidatorParamsBuilder
-// .buildInfoboxValidatorParams(session,
-// verifyInfoboxParameter,
-// infoboxTokenList, oaParam);
-//
-// // now validate the infobox
-// InfoboxValidationResult infoboxValidationResult = null;
-// try {
-// infoboxValidationResult = infoboxValidator
-// .validate(infoboxValidatorParams);
-// } catch (ValidateException e) {
-// Logger.error("Error validating " + identifier
-// + " infobox:" + e.getMessage());
-// throw new ValidateException("validator.44",
-// new Object[] { friendlyName });
-// }
-// if (!infoboxValidationResult.isValid()) {
-// Logger.info("Validation of " + identifier
-// + " infobox failed.");
-// throw new ValidateException("validator.40",
-// new Object[] {
-// friendlyName,
-// infoboxValidationResult
-// .getErrorMessage() });
-// }
-//
-// Logger.info(identifier
-// + " infobox successfully validated.");
-// // store the validator for post processing
-// session.addInfoboxValidator(identifier,
-// friendlyName, infoboxValidator);
-//
-// // get the SAML attributes to be appended to the
-// // AUTHBlock or to the final
-// // SAML Assertion
-// AddAdditionalSAMLAttributes(session,
-// infoboxValidationResult
-// .getExtendedSamlAttributes(),
-// identifier, friendlyName);
-// }
-// } else {
-// if ((verifyInfoboxParameter != null)
-// && (verifyInfoboxParameter.isRequired())) {
-// Logger
-// .info("Infobox \""
-// + identifier
-// + "\" is required, but not returned from the BKU");
-// throw new ValidateException("validator.48",
-// new Object[] { verifyInfoboxParameter
-// .getFriendlyName() });
-// }
-// Logger.debug("Infobox \"" + identifier
-// + "\" not returned from BKU.");
-// }
-// }
-// }
-// }
- }
/**
* Verifies the infoboxes (except of the identity link infobox) returned by
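Review bot: The Javadoc that survives at the end of the hunk (`* Verifies the infoboxes (except of the identity link infobox) returned by`) is a copy of the one deleted together with `verifyInfoboxes`, and it now documents whatever method follows outside the hunk. If that method does something else, the comment is stale and should be rewritten or dropped; a second copy of a removed method's Javadoc is easy to overlook because the surrounding change is a pure deletion.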
@@ -1090,7 +846,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
for (int i = 0; i < length; i++) {
ExtendedSAMLAttribute samlAttribute = extendedSAMLAttributes[i];
- Object value = verifySAMLAttribute(samlAttribute, i, "MISService",
+ verifySAMLAttribute(samlAttribute, i, "MISService",
"MISService");
}
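Review bot: The result of `verifySAMLAttribute(samlAttribute, i, "MISService", "MISService")` is now discarded, so this loop only enforces anything if the method signals a failed check by throwing; if it reports the outcome through its return value, every attribute is accepted silently. The method is declared with `throws ValidateException` further down (line of the @@ -1145 hunk), which suggests the exception path, but its body is not visible here. Confirm the contract and make the intent explicit on the call, e.g. `// return value intentionally ignored: verifySAMLAttribute throws ValidateException on failure`. The enclosing loop's method starts and ends outside the hunk.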
@@ -1145,12 +901,12 @@ public class AuthenticationServer implements MOAIDAuthConstants {
String friendlyName) throws ValidateException {
if (extendedSAMLAttributes == null)
return;
- List oaAttributes = session.getExtendedSAMLAttributesOA();
+ List<ExtendedSAMLAttribute> oaAttributes = session.getExtendedSAMLAttributesOA();
if (oaAttributes == null)
- oaAttributes = new Vector();
- List authAttributes = session.getExtendedSAMLAttributesAUTH();
+ oaAttributes = new Vector<ExtendedSAMLAttribute>();
+ List<ExtendedSAMLAttribute> authAttributes = session.getExtendedSAMLAttributesAUTH();
if (authAttributes == null)
- authAttributes = new Vector();
+ authAttributes = new Vector<ExtendedSAMLAttribute>();
int length = extendedSAMLAttributes.length;
for (int i = 0; i < length; i++) {
ExtendedSAMLAttribute samlAttribute = extendedSAMLAttributes[i];
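Review bot: When `session.getExtendedSAMLAttributesOA()` returns null, the new `oaAttributes = new Vector<ExtendedSAMLAttribute>()` creates a list that is only held locally; unless the rest of the method (outside the hunk) stores it back into the session, attributes added to it are lost. This matters more after this commit, because the deleted `verifyInfoboxes` body was where both session lists were initialized, so the null branch is now reachable. Suggest `session.setExtendedSAMLAttributesOA(oaAttributes);` right after the creation, and likewise `session.setExtendedSAMLAttributesAUTH(authAttributes);`, or a comment stating that a null list deliberately disables collection.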
@@ -1211,7 +967,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
MISMandate mandate, boolean business, boolean provideStammzahl)
throws SAXException, IOException, ParserConfigurationException,
TransformerException {
- Vector extendedSamlAttributes = new Vector();
+ Vector<ExtendedSAMLAttribute> extendedSamlAttributes = new Vector<ExtendedSAMLAttribute>();
extendedSamlAttributes.clear();
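Review bot: `extendedSamlAttributes.clear()` on a Vector constructed on the previous line is a no-op and should go; the same pair appears in the hunk at @@ -1277. The rewritten declaration also keeps the synchronized legacy `Vector`; if the method's return type (outside the hunk) is `List`, `List<ExtendedSAMLAttribute> extendedSamlAttributes = new ArrayList<ExtendedSAMLAttribute>();` is the conventional choice, and if the rest of the file is on Java 7 or newer the diamond form can be used.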
@@ -1229,7 +985,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
// Mandate
extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(
- ParepValidator.EXT_SAML_MANDATE_RAW, domMandate,
+ EXT_SAML_MANDATE_RAW, domMandate,
SZRGWConstants.MANDATE_NS,
ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
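Review bot: `EXT_SAML_MANDATE_RAW` and the other `EXT_SAML_MANDATE_*` names (also in the hunks at @@ -1242, @@ -1277 and @@ -1292) are now unqualified, and the `ParepValidator` import was removed in the first hunk, so they must resolve through an interface this class implements or a static import that is not visible here. An unqualified inherited constant hides where it is defined; if they moved to `MOAIDAuthConstants`, qualifying them as `MOAIDAuthConstants.EXT_SAML_MANDATE_RAW` keeps the origin readable without relying on the constant-interface pattern.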
@@ -1242,14 +998,14 @@ public class AuthenticationServer implements MOAIDAuthConstants {
if (!ParepUtils.isEmpty(idType)
&& idType.startsWith(Constants.URN_PREFIX_BASEID)) {
extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(
- ParepValidator.EXT_SAML_MANDATE_CB_BASE_ID,
+ EXT_SAML_MANDATE_CB_BASE_ID,
ParepUtils.getRegisterString(idType) + ": " + wbpk,
SZRGWConstants.MANDATE_NS,
ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY));
}
} else if (business) {
extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(
- ParepValidator.EXT_SAML_MANDATE_WBPK, wbpk,
+ EXT_SAML_MANDATE_WBPK, wbpk,
SZRGWConstants.MANDATE_NS,
ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY));
}
@@ -1277,14 +1033,14 @@ public class AuthenticationServer implements MOAIDAuthConstants {
MISMandate mandate, boolean business) throws SAXException,
IOException, ParserConfigurationException, TransformerException {
- Vector extendedSamlAttributes = new Vector();
+ Vector<ExtendedSAMLAttribute> extendedSamlAttributes = new Vector<ExtendedSAMLAttribute>();
extendedSamlAttributes.clear();
// RepresentationType
extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(
- ParepValidator.EXT_SAML_MANDATE_REPRESENTATIONTYPE,
- ParepValidator.EXT_SAML_MANDATE_REPRESENTATIONTEXT,
+ EXT_SAML_MANDATE_REPRESENTATIONTYPE,
+ EXT_SAML_MANDATE_REPRESENTATIONTEXT,
SZRGWConstants.MANDATE_NS,
ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
@@ -1292,12 +1048,12 @@ public class AuthenticationServer implements MOAIDAuthConstants {
if (oid != null) {
extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(
- ParepValidator.EXT_SAML_MANDATE_OID, oid,
+ EXT_SAML_MANDATE_OID, oid,
SZRGWConstants.MANDATE_NS,
ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
String oidDescription = mandate.getTextualDescriptionOfOID();
extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(
- ParepValidator.EXT_SAML_MANDATE_OIDTEXTUALDESCRIPTION,
+ EXT_SAML_MANDATE_OIDTEXTUALDESCRIPTION,
oidDescription, SZRGWConstants.MANDATE_NS,
ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
@@ -1327,10 +1083,10 @@ public class AuthenticationServer implements MOAIDAuthConstants {
return doc.getDocumentElement();
}
- protected static void replaceExtendedSAMLAttribute(List attributes,
+ protected static void replaceExtendedSAMLAttribute(List<ExtendedSAMLAttribute> attributes,
ExtendedSAMLAttribute samlAttribute) {
if (null == attributes) {
- attributes = new Vector();
+ attributes = new Vector<ExtendedSAMLAttribute>();
} else {
String id = samlAttribute.getName();
int length = attributes.size();
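Review bot: `attributes = new Vector<ExtendedSAMLAttribute>()` assigns to the method parameter, which is only a local copy of the caller's reference; when a caller passes null, whatever the method then adds goes into a list nobody else can reach, so the attribute is silently dropped. The rest of the method is outside the hunk. Make the null case explicit instead, e.g. `if (attributes == null) { Logger.error("replaceExtendedSAMLAttribute: no list, dropping attribute " + samlAttribute.getName()); return; }`, or require a non-null list from callers and document that with `@throws`.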
@@ -1723,6 +1479,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW");
authData.setIdentityLink(identityLink);
+ Logger.trace("Authenticated User is OW: " + mandate.getOWbPK());
+
} else {
if (businessService) {
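Review bot: The new `Logger.trace("Authenticated User is OW: " + mandate.getOWbPK())` writes a person-bound identifier to the log, and the hunks at @@ -1747 and @@ -1770 do the same with `authData.getBPK()`. Even at trace level these values land in log files with whatever retention and access the deployment has, so log the fact and the identifier type rather than the value, e.g. `Logger.trace("Authenticated user is OW (bPK type " + authData.getBPKType() + ")");`. The three messages are also worded inconsistently ("Authenticated User is OW" versus "Authenticate user with wbPK/bPK"); pick one form.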
@@ -1747,8 +1505,11 @@ public class AuthenticationServer implements MOAIDAuthConstants {
} else {
authData.setBPK(identityLink.getIdentificationValue());
authData.setBPKType(identityLink.getIdentificationType());
+
}
-
+
+ Logger.trace("Authenticate user with wbPK " + authData.getBPK());
+
Element idlassertion = session.getIdentityLink().getSamlAssertion();
//set bpk/wpbk;
Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
@@ -1770,6 +1531,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
}
+ Logger.trace("Authenticate user with bPK " + authData.getBPK());
+
authData.setIdentityLink(identityLink);
}
}