diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java | 258 |
1 files changed, 140 insertions, 118 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java index 3048ccbee..dcd1a8a1a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java @@ -1,58 +1,80 @@ -/* - * Copyright 2011 by Graz University of Technology, Austria - * The Austrian STORK Modules have been developed by the E-Government - * Innovation Center EGIZ, a joint initiative of the Federal Chancellery - * Austria and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - +/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2011 by Graz University of Technology, Austria
+ * The Austrian STORK Modules have been developed by the E-Government
+ * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
+ * Austria and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
/**
*
*/
package at.gv.egovernment.moa.id.auth.stork;
-import java.util.List; - -import org.joda.time.DateTime; -import org.opensaml.saml2.core.Assertion; -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.core.Audience; -import org.opensaml.saml2.core.AudienceRestriction; -import org.opensaml.saml2.core.Conditions; -import org.opensaml.saml2.core.SubjectConfirmation; -import org.opensaml.saml2.core.SubjectConfirmationData; -import org.opensaml.saml2.metadata.RequestedAttribute; - -import at.gv.egovernment.moa.logging.Logger; -import eu.stork.vidp.messages.saml.STORKAttribute; -import eu.stork.vidp.messages.util.SAMLUtil; +import java.util.List;
+
+import org.joda.time.DateTime;
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.Audience;
+import org.opensaml.saml2.core.AudienceRestriction;
+import org.opensaml.saml2.core.Conditions;
+import org.opensaml.saml2.core.SubjectConfirmation;
+import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+
+import at.gv.egovernment.moa.logging.Logger;
+import eu.stork.vidp.messages.saml.STORKAttribute;
+import eu.stork.vidp.messages.util.SAMLUtil;
/**
- * Verifies the SAML assertion according to the STORK specification + * Verifies the SAML assertion according to the STORK specification
* @author bzwattendorfer
*
*/
public class PEPSConnectorAssertionVerifier implements AssertionVerifier {
- private static final int CLOCK_SKEW_MINUTES = 5; - + private static final int CLOCK_SKEW_MINUTES = 5;
+
private static final boolean IS_USERS_CLIENT_IP_ADDRESS_TO_VERIFY = false;
/* (non-Javadoc)
@@ -63,13 +85,13 @@ public class PEPSConnectorAssertionVerifier implements AssertionVerifier { //SAML assertion need not to be signed, skipping signature validation
- verifySubjectConfirmation(assertion, reqIPAddress, authnRequestID, recipient); - - Logger.debug("SubjectConfirmationData successfully verified"); + verifySubjectConfirmation(assertion, reqIPAddress, authnRequestID, recipient);
+
+ Logger.debug("SubjectConfirmationData successfully verified");
verifyConditions(assertion, audience);
- - Logger.debug("Conditions successfully verified"); +
+ Logger.debug("Conditions successfully verified");
}
@@ -82,21 +104,21 @@ public class PEPSConnectorAssertionVerifier implements AssertionVerifier { private void verifySubjectConfirmationData(SubjectConfirmationData scData, String reqAddress, String requestID, String recipient) throws SecurityException {
//NotBefore not allowed in SSO profile
- verifyNotOnOrAfter(scData.getNotOnOrAfter()); - + verifyNotOnOrAfter(scData.getNotOnOrAfter());
+
Logger.trace("NotOnOrAfter successfully verified");
if(IS_USERS_CLIENT_IP_ADDRESS_TO_VERIFY) {
- verifyClientAddress(scData, reqAddress); + verifyClientAddress(scData, reqAddress);
Logger.trace("User's client IP address successfully verified.");
} else {
Logger.warn("User's client IP address will not be verified.");
}
- verifyRecipient(scData, recipient); - Logger.trace("Recipient successfully verified"); + verifyRecipient(scData, recipient);
+ Logger.trace("Recipient successfully verified");
- verifyInResponseTo(scData, requestID); + verifyInResponseTo(scData, requestID);
Logger.trace("InResponseTo successfully verified");
}
@@ -167,75 +189,75 @@ public class PEPSConnectorAssertionVerifier implements AssertionVerifier { private void verifyConditions(Assertion assertion, String reqAudience) throws SecurityException {
Conditions conditions = assertion.getConditions();
- verifyNotBefore(conditions.getNotBefore()); - Logger.trace("NotBefore successfully verified"); + verifyNotBefore(conditions.getNotBefore());
+ Logger.trace("NotBefore successfully verified");
- verifyNotOnOrAfter(conditions.getNotOnOrAfter()); + verifyNotOnOrAfter(conditions.getNotOnOrAfter());
Logger.trace("NotOnOrAfter successfully verified");
- verifyAudience(conditions.getAudienceRestrictions().get(0), reqAudience); - + verifyAudience(conditions.getAudienceRestrictions().get(0), reqAudience);
+
Logger.trace("Audience successfully verified");
- } - - public static void validateRequiredAttributes( - List<RequestedAttribute> reqAttrList, - List<Attribute> attrList) - throws STORKException { - - Logger.debug("Starting required attribute validation"); - - if (reqAttrList == null || reqAttrList.isEmpty()) { - Logger.error("Requested Attributes list is empty."); - throw new STORKException("No attributes have been requested"); - } - - if (attrList == null || attrList.isEmpty()) { - Logger.error("STORK AttributeStatement is empty."); - throw new STORKException("No attributes have been received"); - } - - Logger.trace("These attributes have been requested and received: "); - int count = 0; - for (RequestedAttribute reqAttr : reqAttrList) { - Logger.trace("Requested attribute: " + reqAttr.getName() + " isRequired: " + reqAttr.isRequired()); - for(Attribute attr : attrList) { - if (verifyRequestedAttribute(reqAttr, attr)) - count++; - } - } - - int numRequiredReqAttr = getNumberOfRequiredAttributes(reqAttrList); - Logger.trace("Number of requested required attributes: " + numRequiredReqAttr); - Logger.trace("Number of received required attributes: " + count); - - if (count != numRequiredReqAttr) { - Logger.error("Not all required attributes have been received"); - throw new STORKException("Not all required attributes have been received"); - } - Logger.debug("Received all required attributes!"); - - } - - private static boolean verifyRequestedAttribute(RequestedAttribute reqAttr, Attribute attr) { - - if ((reqAttr.getName()).equals(attr.getName())) { - if (reqAttr.isRequired() && SAMLUtil.getStatusFromAttribute(attr).equals(STORKAttribute.ALLOWED_ATTRIBUTE_STATUS_AVAIL)) { - Logger.trace("Received required attribute " + attr.getName() + " status: " + SAMLUtil.getStatusFromAttribute(attr)); - return true; - } - } - return false; - } - - private static int getNumberOfRequiredAttributes(List<RequestedAttribute> reqAttrList) { - int count = 0; - for (RequestedAttribute reqAttr : reqAttrList) - if (reqAttr.isRequired()) count++; - - return count; - } + }
+
+ public static void validateRequiredAttributes(
+ List<RequestedAttribute> reqAttrList,
+ List<Attribute> attrList)
+ throws STORKException {
+
+ Logger.debug("Starting required attribute validation");
+
+ if (reqAttrList == null || reqAttrList.isEmpty()) {
+ Logger.error("Requested Attributes list is empty.");
+ throw new STORKException("No attributes have been requested");
+ }
+
+ if (attrList == null || attrList.isEmpty()) {
+ Logger.error("STORK AttributeStatement is empty.");
+ throw new STORKException("No attributes have been received");
+ }
+
+ Logger.trace("These attributes have been requested and received: ");
+ int count = 0;
+ for (RequestedAttribute reqAttr : reqAttrList) {
+ Logger.trace("Requested attribute: " + reqAttr.getName() + " isRequired: " + reqAttr.isRequired());
+ for(Attribute attr : attrList) {
+ if (verifyRequestedAttribute(reqAttr, attr))
+ count++;
+ }
+ }
+
+ int numRequiredReqAttr = getNumberOfRequiredAttributes(reqAttrList);
+ Logger.trace("Number of requested required attributes: " + numRequiredReqAttr);
+ Logger.trace("Number of received required attributes: " + count);
+
+ if (count != numRequiredReqAttr) {
+ Logger.error("Not all required attributes have been received");
+ throw new STORKException("Not all required attributes have been received");
+ }
+ Logger.debug("Received all required attributes!");
+
+ }
+
+ private static boolean verifyRequestedAttribute(RequestedAttribute reqAttr, Attribute attr) {
+
+ if ((reqAttr.getName()).equals(attr.getName())) {
+ if (reqAttr.isRequired() && SAMLUtil.getStatusFromAttribute(attr).equals(STORKAttribute.ALLOWED_ATTRIBUTE_STATUS_AVAIL)) {
+ Logger.trace("Received required attribute " + attr.getName() + " status: " + SAMLUtil.getStatusFromAttribute(attr));
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private static int getNumberOfRequiredAttributes(List<RequestedAttribute> reqAttrList) {
+ int count = 0;
+ for (RequestedAttribute reqAttr : reqAttrList)
+ if (reqAttr.isRequired()) count++;
+
+ return count;
+ }
}
|