aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java258
1 files changed, 140 insertions, 118 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java
index 3048ccbee..dcd1a8a1a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/PEPSConnectorAssertionVerifier.java
@@ -1,58 +1,80 @@
-/*
- * Copyright 2011 by Graz University of Technology, Austria
- * The Austrian STORK Modules have been developed by the E-Government
- * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
- * Austria and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-
-
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2011 by Graz University of Technology, Austria
+ * The Austrian STORK Modules have been developed by the E-Government
+ * Innovation Center EGIZ, a joint initiative of the Federal Chancellery
+ * Austria and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
/**
*
*/
package at.gv.egovernment.moa.id.auth.stork;
-import java.util.List;
-
-import org.joda.time.DateTime;
-import org.opensaml.saml2.core.Assertion;
-import org.opensaml.saml2.core.Attribute;
-import org.opensaml.saml2.core.Audience;
-import org.opensaml.saml2.core.AudienceRestriction;
-import org.opensaml.saml2.core.Conditions;
-import org.opensaml.saml2.core.SubjectConfirmation;
-import org.opensaml.saml2.core.SubjectConfirmationData;
-import org.opensaml.saml2.metadata.RequestedAttribute;
-
-import at.gv.egovernment.moa.logging.Logger;
-import eu.stork.vidp.messages.saml.STORKAttribute;
-import eu.stork.vidp.messages.util.SAMLUtil;
+import java.util.List;
+
+import org.joda.time.DateTime;
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.Audience;
+import org.opensaml.saml2.core.AudienceRestriction;
+import org.opensaml.saml2.core.Conditions;
+import org.opensaml.saml2.core.SubjectConfirmation;
+import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+
+import at.gv.egovernment.moa.logging.Logger;
+import eu.stork.vidp.messages.saml.STORKAttribute;
+import eu.stork.vidp.messages.util.SAMLUtil;
/**
- * Verifies the SAML assertion according to the STORK specification
+ * Verifies the SAML assertion according to the STORK specification
* @author bzwattendorfer
*
*/
public class PEPSConnectorAssertionVerifier implements AssertionVerifier {
- private static final int CLOCK_SKEW_MINUTES = 5;
-
+ private static final int CLOCK_SKEW_MINUTES = 5;
+
private static final boolean IS_USERS_CLIENT_IP_ADDRESS_TO_VERIFY = false;
/* (non-Javadoc)
@@ -63,13 +85,13 @@ public class PEPSConnectorAssertionVerifier implements AssertionVerifier {
//SAML assertion need not to be signed, skipping signature validation
- verifySubjectConfirmation(assertion, reqIPAddress, authnRequestID, recipient);
-
- Logger.debug("SubjectConfirmationData successfully verified");
+ verifySubjectConfirmation(assertion, reqIPAddress, authnRequestID, recipient);
+
+ Logger.debug("SubjectConfirmationData successfully verified");
verifyConditions(assertion, audience);
-
- Logger.debug("Conditions successfully verified");
+
+ Logger.debug("Conditions successfully verified");
}
@@ -82,21 +104,21 @@ public class PEPSConnectorAssertionVerifier implements AssertionVerifier {
private void verifySubjectConfirmationData(SubjectConfirmationData scData, String reqAddress, String requestID, String recipient) throws SecurityException {
//NotBefore not allowed in SSO profile
- verifyNotOnOrAfter(scData.getNotOnOrAfter());
-
+ verifyNotOnOrAfter(scData.getNotOnOrAfter());
+
Logger.trace("NotOnOrAfter successfully verified");
if(IS_USERS_CLIENT_IP_ADDRESS_TO_VERIFY) {
- verifyClientAddress(scData, reqAddress);
+ verifyClientAddress(scData, reqAddress);
Logger.trace("User's client IP address successfully verified.");
} else {
Logger.warn("User's client IP address will not be verified.");
}
- verifyRecipient(scData, recipient);
- Logger.trace("Recipient successfully verified");
+ verifyRecipient(scData, recipient);
+ Logger.trace("Recipient successfully verified");
- verifyInResponseTo(scData, requestID);
+ verifyInResponseTo(scData, requestID);
Logger.trace("InResponseTo successfully verified");
}
@@ -167,75 +189,75 @@ public class PEPSConnectorAssertionVerifier implements AssertionVerifier {
private void verifyConditions(Assertion assertion, String reqAudience) throws SecurityException {
Conditions conditions = assertion.getConditions();
- verifyNotBefore(conditions.getNotBefore());
- Logger.trace("NotBefore successfully verified");
+ verifyNotBefore(conditions.getNotBefore());
+ Logger.trace("NotBefore successfully verified");
- verifyNotOnOrAfter(conditions.getNotOnOrAfter());
+ verifyNotOnOrAfter(conditions.getNotOnOrAfter());
Logger.trace("NotOnOrAfter successfully verified");
- verifyAudience(conditions.getAudienceRestrictions().get(0), reqAudience);
-
+ verifyAudience(conditions.getAudienceRestrictions().get(0), reqAudience);
+
Logger.trace("Audience successfully verified");
- }
-
- public static void validateRequiredAttributes(
- List<RequestedAttribute> reqAttrList,
- List<Attribute> attrList)
- throws STORKException {
-
- Logger.debug("Starting required attribute validation");
-
- if (reqAttrList == null || reqAttrList.isEmpty()) {
- Logger.error("Requested Attributes list is empty.");
- throw new STORKException("No attributes have been requested");
- }
-
- if (attrList == null || attrList.isEmpty()) {
- Logger.error("STORK AttributeStatement is empty.");
- throw new STORKException("No attributes have been received");
- }
-
- Logger.trace("These attributes have been requested and received: ");
- int count = 0;
- for (RequestedAttribute reqAttr : reqAttrList) {
- Logger.trace("Requested attribute: " + reqAttr.getName() + " isRequired: " + reqAttr.isRequired());
- for(Attribute attr : attrList) {
- if (verifyRequestedAttribute(reqAttr, attr))
- count++;
- }
- }
-
- int numRequiredReqAttr = getNumberOfRequiredAttributes(reqAttrList);
- Logger.trace("Number of requested required attributes: " + numRequiredReqAttr);
- Logger.trace("Number of received required attributes: " + count);
-
- if (count != numRequiredReqAttr) {
- Logger.error("Not all required attributes have been received");
- throw new STORKException("Not all required attributes have been received");
- }
- Logger.debug("Received all required attributes!");
-
- }
-
- private static boolean verifyRequestedAttribute(RequestedAttribute reqAttr, Attribute attr) {
-
- if ((reqAttr.getName()).equals(attr.getName())) {
- if (reqAttr.isRequired() && SAMLUtil.getStatusFromAttribute(attr).equals(STORKAttribute.ALLOWED_ATTRIBUTE_STATUS_AVAIL)) {
- Logger.trace("Received required attribute " + attr.getName() + " status: " + SAMLUtil.getStatusFromAttribute(attr));
- return true;
- }
- }
- return false;
- }
-
- private static int getNumberOfRequiredAttributes(List<RequestedAttribute> reqAttrList) {
- int count = 0;
- for (RequestedAttribute reqAttr : reqAttrList)
- if (reqAttr.isRequired()) count++;
-
- return count;
- }
+ }
+
+ public static void validateRequiredAttributes(
+ List<RequestedAttribute> reqAttrList,
+ List<Attribute> attrList)
+ throws STORKException {
+
+ Logger.debug("Starting required attribute validation");
+
+ if (reqAttrList == null || reqAttrList.isEmpty()) {
+ Logger.error("Requested Attributes list is empty.");
+ throw new STORKException("No attributes have been requested");
+ }
+
+ if (attrList == null || attrList.isEmpty()) {
+ Logger.error("STORK AttributeStatement is empty.");
+ throw new STORKException("No attributes have been received");
+ }
+
+ Logger.trace("These attributes have been requested and received: ");
+ int count = 0;
+ for (RequestedAttribute reqAttr : reqAttrList) {
+ Logger.trace("Requested attribute: " + reqAttr.getName() + " isRequired: " + reqAttr.isRequired());
+ for(Attribute attr : attrList) {
+ if (verifyRequestedAttribute(reqAttr, attr))
+ count++;
+ }
+ }
+
+ int numRequiredReqAttr = getNumberOfRequiredAttributes(reqAttrList);
+ Logger.trace("Number of requested required attributes: " + numRequiredReqAttr);
+ Logger.trace("Number of received required attributes: " + count);
+
+ if (count != numRequiredReqAttr) {
+ Logger.error("Not all required attributes have been received");
+ throw new STORKException("Not all required attributes have been received");
+ }
+ Logger.debug("Received all required attributes!");
+
+ }
+
+ private static boolean verifyRequestedAttribute(RequestedAttribute reqAttr, Attribute attr) {
+
+ if ((reqAttr.getName()).equals(attr.getName())) {
+ if (reqAttr.isRequired() && SAMLUtil.getStatusFromAttribute(attr).equals(STORKAttribute.ALLOWED_ATTRIBUTE_STATUS_AVAIL)) {
+ Logger.trace("Received required attribute " + attr.getName() + " status: " + SAMLUtil.getStatusFromAttribute(attr));
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private static int getNumberOfRequiredAttributes(List<RequestedAttribute> reqAttrList) {
+ int count = 0;
+ for (RequestedAttribute reqAttr : reqAttrList)
+ if (reqAttr.isRequired()) count++;
+
+ return count;
+ }
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-27 05:55:49 +0000