diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java | 680 |
1 files changed, 77 insertions, 603 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 7f183c5eb..77abe07af 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -22,491 +22,82 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.moduls; -import java.io.IOException; -import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.Collection; import java.util.Enumeration; -import java.util.Iterator; import java.util.List; -import java.util.Map.Entry; -import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringEscapeUtils; +import org.apache.commons.lang3.StringUtils; import org.opensaml.saml2.core.LogoutRequest; -import org.opensaml.saml2.core.LogoutResponse; -import org.opensaml.saml2.core.StatusCode; -import org.opensaml.saml2.metadata.SingleLogoutService; -import org.opensaml.ws.soap.common.SOAPException; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.api.idp.slo.ISLOInformationContainer; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.core.impl.idp.auth.AbstractAuthenticationManager; +import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; +import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PVPSProfilePendingRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileRequest; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; -import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; -import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions; -import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; -import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration; -import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; -import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException; -import at.gv.egovernment.moa.id.auth.modules.SingleSignOnConsentsModuleImpl; -import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.auth.modules.registration.ModuleRegistration; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; -import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; import at.gv.egovernment.moa.id.data.SLOInformationContainer; -import at.gv.egovernment.moa.id.data.SLOInformationImpl; -import at.gv.egovernment.moa.id.process.ExecutionContextImpl; -import at.gv.egovernment.moa.id.process.ProcessEngine; -import at.gv.egovernment.moa.id.process.ProcessExecutionException; -import at.gv.egovernment.moa.id.process.api.ExecutionContext; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; -import at.gv.egovernment.moa.id.storage.ITransactionStorage; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; -import at.gv.egovernment.moa.id.util.Random; -import at.gv.egovernment.moa.id.util.legacy.LegacyHelper; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @Service("MOAID_AuthenticationManager") -public class AuthenticationManager extends MOAIDAuthConstants { +public class AuthenticationManager extends AbstractAuthenticationManager { - private static List<String> reqParameterWhiteListeForModules = new ArrayList<String>(); + public static final String eIDAS_GENERIC_REQ_DATA_LEVELOFASSURENCE = "eIDAS_LoA"; + public static final String DATAID_REQUESTED_ATTRIBUTES = "requestedAttributes"; public static final String MOA_SESSION = "MoaAuthenticationSession"; public static final String MOA_AUTHENTICATED = "MoaAuthenticated"; - public static final int SLOTIMEOUT = 30 * 1000; //30 sec + @Autowired private IAuthenticationSessionStoreage authenticatedSessionStore; + @Autowired private SingleLogOutBuilder sloBuilder;; - @Autowired private ProcessEngine processEngine; - @Autowired private SSOManager ssoManager; - @Autowired private IRequestStorage requestStoreage; - @Autowired private ITransactionStorage transactionStorage; - @Autowired private IAuthenticationSessionStoreage authenticatedSessionStore; - @Autowired private MOAReversionLogger revisionsLogger; - @Autowired protected AuthConfiguration authConfig; - @Autowired private SingleLogOutBuilder sloBuilder; - @Autowired private SAMLVerificationEngineSP samlVerificationEngine; - @Autowired private IGUIFormBuilder guiBuilder; - @Autowired(required=true) private MOAMetadataProvider metadataProvider; - public void performSingleLogOut(HttpServletRequest httpReq, - HttpServletResponse httpResp, IAuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException { - performSingleLogOut(httpReq, httpResp, session, pvpReq, null); - - } - - public void performSingleLogOut(HttpServletRequest httpReq, - HttpServletResponse httpResp, IAuthenticationSession session, String authURL) throws MOAIDException { - performSingleLogOut(httpReq, httpResp, session, null, authURL); - - } - - /** - * @param req - * @param resp - * @param moasessionid - */ - public void performOnlyIDPLogOut(AuthenticationSession authSession) { - - if (authSession == null) { - Logger.info("No internal MOA SSO-Session found. Nothing to destroy"); - return; - - } - - try { - - authSession.setAuthenticated(false); - //HTTPSessionUtils.setHTTPSessionString(session, MOA_SESSION, null); // remove moa session from HTTP Session - - //log Session_Destroy to reversionslog - AuthenticationSessionExtensions sessionExtensions = authenticatedSessionStore.getAuthenticationSessionExtensions(authSession.getSessionID()); - revisionsLogger.logEvent(MOAIDEventConstants.SESSION_DESTROYED, sessionExtensions.getUniqueSessionId()); - - authenticatedSessionStore.destroyInternalSSOSession(authSession.getSessionID()); - - //session.invalidate(); - - } catch (MOADatabaseException e) { - Logger.info("NO MOA Authentication data for ID " + authSession.getSessionID()); - return; - } - - } - - - public void performOnlyIDPLogOut(HttpServletRequest request, - HttpServletResponse response, String internalMOASsoSessionID) { - Logger.info("Remove active user-session"); - - if(internalMOASsoSessionID == null) { - internalMOASsoSessionID = StringEscapeUtils.escapeHtml((String) request.getParameter(PARAM_SESSIONID)); - } - - if(internalMOASsoSessionID == null) { - Logger.info("NO MOA Session to logout"); - return; - } - - AuthenticationSession authSession; - try { - authSession = authenticatedSessionStore.getInternalSSOSession(internalMOASsoSessionID); - - if(authSession == null) { - Logger.info("NO MOA Authentication data for ID " + internalMOASsoSessionID); - return; - } - - performOnlyIDPLogOut(authSession); - - } catch (MOADatabaseException e) { - Logger.info("NO MOA Authentication data for ID " + internalMOASsoSessionID); - return; - } - - } - - - /** - * Authenticates the authentication request {pendingReq}, which is actually processed - * - * @param httpReq HttpServletRequest - * @param httpResp HttpServletResponse - * @param protocolRequest Authentication request which is actually in process - * - * @return Return already authenticated MOASession if exists, otherwise return null - * @throws MOADatabaseException - * @throws MOAIDException - * @throws IOException - * @throws ServletException - * - */ - public AuthenticationSession doAuthentication(HttpServletRequest httpReq, - HttpServletResponse httpResp, RequestImpl pendingReq) throws MOADatabaseException, ServletException, IOException, MOAIDException { - - //load OA configuration from pending request - IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); - - //set logging context and log unique OA identifier to revision log - TransactionIDUtils.setServiceProviderId(pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix()); - revisionsLogger.logEvent(oaParam, - pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL()); - - //generic authentication request validation - if (pendingReq.isPassiv() - && pendingReq.forceAuth()) { - // conflict! - throw new NoPassivAuthenticationException(); - } - - //get SSO cookie from http request - String ssoId = ssoManager.getSSOSessionID(httpReq); - - //check if interfederation IDP is requested - ssoManager.checkInterfederationIsRequested(httpReq, httpResp, pendingReq); - - //check if SSO session cookie is already used - if (ssoId != null) { - String correspondingMOASession = ssoManager.existsOldSSOSession(ssoId); - - if (correspondingMOASession != null) { - Logger.warn("Request sends an old SSO Session ID("+ssoId+")! " + - "Invalidate the corresponding MOASession with ID="+ correspondingMOASession); - - revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), - pendingReq, MOAIDEventConstants.AUTHPROCESS_SSO_INVALID); - - //destroy internal SSO-session object and SSO-session cooky - authenticatedSessionStore.destroyInternalSSOSession(correspondingMOASession); - ssoManager.deleteSSOSessionID(httpReq, httpResp); - } - } - - //check if SSO Session is valid - boolean isValidSSOSession = ssoManager.isValidSSOSession(ssoId, pendingReq); - - // check if Service-Provider allows SSO sessions - boolean useSSOOA = oaParam.useSSO() || oaParam.isInderfederationIDP(); - - //if a legacy request is used SSO should not be allowed in case of mandate authentication - boolean isUseMandateRequested = LegacyHelper.isUseMandateRequested(httpReq); - - //check if SSO is allowed for the actually executed request - //INFO: Actually, useMandate disables SSO functionality!!!!! - boolean isSSOAllowed = (useSSOOA && !isUseMandateRequested); - pendingReq.setNeedSingleSignOnFunctionality(isSSOAllowed); - - //get MOASession from SSO-Cookie if SSO is allowed - AuthenticationSession ssoMOASession = null; - if (isValidSSOSession && isSSOAllowed) { - ssoMOASession = ssoManager.getInternalMOASession(ssoId); - - if (ssoMOASession == null) - Logger.info("No MOASession FOUND with provided SSO-Cookie."); - - else { - Logger.debug("Found authenticated MOASession with provided SSO-Cookie."); - revisionsLogger.logEvent(oaParam, pendingReq, MOAIDEventConstants.AUTHPROCESS_SSO); - - } - } - - //check if session is already authenticated - boolean isSessionAuthenticated = tryPerformAuthentication((RequestImpl) pendingReq, ssoMOASession); - - //force new authentication authentication process - if (pendingReq.forceAuth()) { - startAuthenticationProcess(httpReq, httpResp, pendingReq); - return null; - - //perform SSO-Consents evaluation if it it required - } else if (isSessionAuthenticated && oaParam.useSSOQuestion()) { - sendSingleSignOnConsentsEvaluation(httpReq, httpResp, pendingReq); - return null; - - } else if (pendingReq.isPassiv()) { - if (isSessionAuthenticated) { - // Passive authentication ok! - revisionsLogger.logEvent(oaParam, pendingReq, MOAIDEventConstants.AUTHPROCESS_FINISHED); - return ssoMOASession; - - } else { - throw new NoPassivAuthenticationException(); - - } - } else { - if (isSessionAuthenticated) { - // Is authenticated .. proceed - revisionsLogger.logEvent(oaParam, - pendingReq, MOAIDEventConstants.AUTHPROCESS_FINISHED); - return ssoMOASession; - - } else { - // Start authentication! - startAuthenticationProcess(httpReq, httpResp, pendingReq); - return null; - } - } - } - - /** - * Add a request parameter to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext} - * - * @param httpReqParam http parameter name, but never null - */ - public void addParameterNameToWhiteList(String httpReqParam) { - if (MiscUtil.isNotEmpty(httpReqParam)) - reqParameterWhiteListeForModules.add(httpReqParam); - - } - - - /** - * Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated - * - * @param protocolRequest Authentication request which is actually in process - * @param moaSession MOASession with authentication information or null if no active MOASession exists - * - * @return true if session is already authenticated, otherwise false - * @throws MOAIDException - */ - private boolean tryPerformAuthentication(RequestImpl protocolRequest, AuthenticationSession ssoMOASession) { - - //if no MOASession exist -> authentication is required - if (ssoMOASession == null) { - return false; - - } else { - //if MOA SSO-Session is found but not authenticated --> authentication is required - if (!ssoMOASession.isAuthenticated()) { - return false; - } - - //if MOASession is already authenticated and protocol-request is authenticated - // --> no authentication is required any more - else if (ssoMOASession.isAuthenticated() && protocolRequest.isAuthenticated()) { - protocolRequest.setInternalSSOSessionIdentifier(ssoMOASession.getSessionID()); - return true; - - // if MOASession is authenticated and SSO is allowed --> authenticate pendingRequest - } else if (!protocolRequest.isAuthenticated() - && ssoMOASession.isAuthenticated() && protocolRequest.needSingleSignOnFunctionality()) { - Logger.debug("Found active MOASession and SSO is allowed --> pendingRequest is authenticted"); - protocolRequest.setAuthenticated(true); - protocolRequest.setInternalSSOSessionIdentifier(ssoMOASession.getSessionID()); - return true; - - } - - // force authentication as backup solution - else { - Logger.warn("Authentication-required check find an unsuspected state --> force authentication"); - return false; - - } - } - } - - private void startAuthenticationProcess(HttpServletRequest httpReq, - HttpServletResponse httpResp, RequestImpl pendingReq) - throws ServletException, IOException, MOAIDException { - - Logger.info("Starting authentication ..."); - revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), - pendingReq, MOAIDEventConstants.AUTHPROCESS_START); - - //is legacy allowed - List<String> legacyallowed_prot = authConfig.getLegacyAllowedProtocols(); - boolean legacyallowed = legacyallowed_prot.contains(pendingReq.requestedModule()); - - //check legacy request parameter - boolean legacyparamavail = ParamValidatorUtils.areAllLegacyParametersAvailable(httpReq); - - //create authentication process execution context - ExecutionContext executionContext = new ExecutionContextImpl(); - - //set oaIdentifeir - executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_UNIQUE_OA_IDENTFIER, - pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix()); - - //set interfederation authentication flag - executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH, - MiscUtil.isNotEmpty( - pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class))); - - //set legacy mode or BKU-selection flags - boolean leagacyMode = (legacyallowed && legacyparamavail); - executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_ISLEGACYREQUEST, leagacyMode); - executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, !leagacyMode - && MiscUtil.isEmpty(pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class))); - - //add X509 SSL client certificate if exist - if (httpReq.getAttribute("javax.servlet.request.X509Certificate") != null) { - Logger.debug("Find SSL-client-certificate on request --> Add it to context"); - executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE, - ((X509Certificate[])httpReq.getAttribute("javax.servlet.request.X509Certificate"))); - - } - - //add additional http request parameter to context - if (!reqParameterWhiteListeForModules.isEmpty() || leagacyMode) { - Enumeration<String> reqParamNames = httpReq.getParameterNames(); - while(reqParamNames.hasMoreElements()) { - String paramName = reqParamNames.nextElement(); - if (MiscUtil.isNotEmpty(paramName) && - ( MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName) - || reqParameterWhiteListeForModules.contains(paramName) )) - executionContext.put(paramName, - StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName))); - } - } - - //start process engine - startProcessEngine(pendingReq, executionContext); - - } - - private void sendSingleSignOnConsentsEvaluation(HttpServletRequest request, - HttpServletResponse response, RequestImpl pendingReq) - throws ServletException, IOException, MOAIDException { - - Logger.info("Start SSO user-consents evaluation ..."); - - //set authenticated flag to false, because user consents is required - pendingReq.setAuthenticated(false); - - //create execution context - ExecutionContext executionContext = new ExecutionContextImpl(); - executionContext.put(SingleSignOnConsentsModuleImpl.PARAM_SSO_CONSENTS_EVALUATION, true); - - //start process engine - startProcessEngine(pendingReq, executionContext); - - } - - private void startProcessEngine(RequestImpl pendingReq, ExecutionContext executionContext) throws MOAIDException { - try { - //put pending-request ID on execurtionContext - executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, pendingReq.getRequestID()); - - // create process instance - String processDefinitionId = ModuleRegistration.getInstance().selectProcess(executionContext); - - if (processDefinitionId == null) { - Logger.warn("No suitable process found for SessionID " + pendingReq.getRequestID() ); - throw new MOAIDException("process.02",new Object[] { - pendingReq.getRequestID()}); - } - - String processInstanceId = processEngine.createProcessInstance(processDefinitionId, executionContext); - - // keep process instance id in protocol pending-request - pendingReq.setProcessInstanceId(processInstanceId); - - //store pending-request - requestStoreage.storePendingRequest(pendingReq); - - // start process - processEngine.start(pendingReq); - - } catch (ProcessExecutionException e) { - Throwable cause = e.getCause(); - if (cause != null && cause instanceof TaskExecutionException) { - Throwable taskCause = cause.getCause(); - if (taskCause != null && taskCause instanceof MOAIDException) { - MOAIDException moaTaskCause = (MOAIDException) taskCause; - Logger.warn(taskCause); - throw moaTaskCause; - - } - } - - throw new MOAIDException("process.01", new Object[] { pendingReq.getProcessInstanceId(), pendingReq.getRequestID() }, e); - } - } - - private void performSingleLogOut(HttpServletRequest httpReq, - HttpServletResponse httpResp, IAuthenticationSession session, PVPTargetConfiguration pvpReq, String authURL) throws MOAIDException { + @Override + public ISLOInformationContainer performSingleLogOut(HttpServletRequest httpReq, HttpServletResponse httpResp, IRequest pendingReq, String internalSSOId) + throws EAAFException { String pvpSLOIssuer = null; - String inboundRelayState = null; String uniqueSessionIdentifier = "notSet"; String uniqueTransactionIdentifier = "notSet"; - + PVPSProfilePendingRequest pvpReq = null; Logger.debug("Start technical Single LogOut process ... "); - if (pvpReq != null) { - MOARequest samlReq = (MOARequest) pvpReq.getRequest(); - LogoutRequest logOutReq = (LogoutRequest) samlReq.getSamlRequest(); - pvpSLOIssuer = logOutReq.getIssuer().getValue(); - inboundRelayState = samlReq.getRelayState(); - uniqueSessionIdentifier = pvpReq.getUniqueSessionIdentifier(); - uniqueTransactionIdentifier = pvpReq.getUniqueTransactionIdentifier(); + + if (pendingReq != null) { + uniqueSessionIdentifier = pendingReq.getUniqueSessionIdentifier(); + uniqueTransactionIdentifier = pendingReq.getUniqueTransactionIdentifier(); + + if (pendingReq instanceof PVPSProfileRequest) { + pvpReq = ((PVPSProfilePendingRequest)pendingReq); + PVPSProfileRequest samlReq = (PVPSProfileRequest) pvpReq.getRequest(); + LogoutRequest logOutReq = (LogoutRequest) samlReq.getSamlRequest(); + pvpSLOIssuer = logOutReq.getIssuer().getValue(); + } + if (MiscUtil.isEmpty(internalSSOId)) + internalSSOId = pendingReq.getInternalSSOSessionIdentifier(); + } else { AuthenticationSessionExtensions sessionExt; try { - sessionExt = authenticatedSessionStore.getAuthenticationSessionExtensions(session.getSessionID()); + sessionExt = authenticatedSessionStore.getAuthenticationSessionExtensions(internalSSOId); if (sessionExt != null) uniqueSessionIdentifier = sessionExt.getUniqueSessionId(); @@ -520,8 +111,8 @@ public class AuthenticationManager extends MOAIDAuthConstants { } //store active OAs to SLOContaine - List<OASessionStore> dbOAs = authenticatedSessionStore.getAllActiveOAFromMOASession(session); - List<InterfederationSessionStore> dbIDPs = authenticatedSessionStore.getAllActiveIDPsFromMOASession(session); + List<OASessionStore> dbOAs = authenticatedSessionStore.getAllActiveOAFromMOASession(internalSSOId); + List<InterfederationSessionStore> dbIDPs = authenticatedSessionStore.getAllActiveIDPsFromMOASession(internalSSOId); SLOInformationContainer sloContainer = new SLOInformationContainer(); sloContainer.setTransactionID(uniqueTransactionIdentifier); sloContainer.setSessionID(uniqueSessionIdentifier); @@ -534,13 +125,13 @@ public class AuthenticationManager extends MOAIDAuthConstants { + " BackChannel:" + sloContainer.getActiveBackChannelOAs().size() + " FrontChannel:" + sloContainer.getActiveFrontChannalOAs().size() + " NO_SLO_Support:" + sloContainer.getSloFailedOAs().size()); - + + //terminate MOASession try { - authenticatedSessionStore.destroyInternalSSOSession(session.getSessionID()); - ssoManager.deleteSSOSessionID(httpReq, httpResp); + authenticatedSessionStore.destroyInternalSSOSession(internalSSOId); + ssoManager.destroySSOSessionOnIDPOnly(httpReq, httpResp, pendingReq); revisionsLogger.logEvent(MOAIDEventConstants.SESSION_DESTROYED, uniqueSessionIdentifier); - Logger.debug("Active SSO Session on IDP is remove."); } catch (MOADatabaseException e) { @@ -549,165 +140,48 @@ public class AuthenticationManager extends MOAIDAuthConstants { } - Logger.trace("Starting Service-Provider logout process ... "); - revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_STARTED); - //start service provider back channel logout process - Iterator<String> nextOAInterator = sloContainer.getNextBackChannelOA(); - while (nextOAInterator.hasNext()) { - SLOInformationImpl sloDescr = sloContainer.getBackChannelOASessionDescripten(nextOAInterator.next()); - LogoutRequest sloReq = sloBuilder.buildSLORequestMessage(sloDescr); - - try { - Logger.trace("Send backchannel SLO Request to " + sloDescr.getSpEntityID()); - List<XMLObject> soapResp = MOASAMLSOAPClient.send(sloDescr.getServiceURL(), sloReq); - - LogoutResponse sloResp = null; - for (XMLObject el : soapResp) { - if (el instanceof LogoutResponse) - sloResp = (LogoutResponse) el; - } - - if (sloResp == null) { - Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() - + " FAILED. NO LogOut response received."); - sloContainer.putFailedOA(sloDescr.getSpEntityID()); - - } else { - samlVerificationEngine.verifySLOResponse(sloResp, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - - } - - sloBuilder.checkStatusCode(sloContainer, sloResp); - - } catch (SOAPException e) { - Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() - + " FAILED.", e); - sloContainer.putFailedOA(sloDescr.getSpEntityID()); - - } catch (SecurityException | InvalidProtocolRequestException e) { - Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() - + " FAILED.", e); - sloContainer.putFailedOA(sloDescr.getSpEntityID()); - - } - } - - //start service provider front channel logout process - try { - if (sloContainer.hasFrontChannelOA()) { - String relayState = Random.nextRandom(); - - Collection<Entry<String, SLOInformationImpl>> sloDescr = sloContainer.getFrontChannelOASessionDescriptions(); - List<String> sloReqList = new ArrayList<String>(); - for (Entry<String, SLOInformationImpl> el : sloDescr) { - Logger.trace("Build frontChannel SLO Request for " + el.getValue().getSpEntityID()); - - LogoutRequest sloReq = sloBuilder.buildSLORequestMessage(el.getValue()); - try { - sloReqList.add(sloBuilder.getFrontChannelSLOMessageURL(el.getValue().getServiceURL(), el.getValue().getBinding(), - sloReq, httpReq, httpResp, relayState)); - - } catch (Exception e) { - Logger.warn("Failed to build SLO request for OA:" + el.getKey()); - sloContainer.putFailedOA(el.getKey()); - - } - } - - //put SLO process-information into transaction storage - transactionStorage.put(relayState, sloContainer, -1); - - if (MiscUtil.isEmpty(authURL)) - authURL = pvpReq.getAuthURL(); - - String timeOutURL = authURL - + "/idpSingleLogout" - + "?restart=" + relayState; - - DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( - authURL, - DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, - null); - - config.putCustomParameterWithOutEscaption("redirectURLs", sloReqList); - config.putCustomParameterWithOutEscaption("timeoutURL", timeOutURL); - config.putCustomParameter("timeout", String.valueOf(SLOTIMEOUT)); - - guiBuilder.build(httpResp, config, "Single-LogOut GUI"); - - - } else { - if (pvpReq != null) { - //send SLO response to SLO request issuer - SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs()); - sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq); - - } else { - //print SLO information directly - DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( - authURL, - DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, - null); - - if (sloContainer.getSloFailedOAs() == null || - sloContainer.getSloFailedOAs().size() == 0) { - revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_ALL_VALID); - config.putCustomParameter("successMsg", - MOAIDMessageProvider.getInstance().getMessage("slo.00", null)); - - } else { - revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); - config.putCustomParameterWithOutEscaption("errorMsg", - MOAIDMessageProvider.getInstance().getMessage("slo.01", null)); - - } - guiBuilder.build(httpResp, config, "Single-LogOut GUI"); - - } - - } + return sloContainer; - } catch (GUIBuildException e) { - Logger.warn("Can not build GUI:'Single-LogOut'. Msg:" + e.getMessage()); - throw new MOAIDException("builder.09", new Object[]{e.getMessage()}, e); + } + + @Override + protected void populateExecutionContext(ExecutionContext executionContext, RequestImpl pendingReq, HttpServletRequest httpReq) + throws EAAFException { + //is legacy allowed + boolean legacyallowed = false; + if (authConfig instanceof AuthConfiguration) { + List<String> legacyallowed_prot = ((AuthConfiguration)authConfig).getLegacyAllowedProtocols(); + legacyallowed = legacyallowed_prot.contains(pendingReq.requestedModule()); - } catch (MOADatabaseException e) { - Logger.error("MOA AssertionDatabase ERROR", e); - if (pvpReq != null) { - SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); - sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq); + } else + Logger.info("Base configuration is NOT of type 'AuthConfiguration'. LegacyMode is disabled"); + - revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); + //check legacy request parameter + boolean legacyparamavail = ParamValidatorUtils.areAllLegacyParametersAvailable(httpReq); - }else { - //print SLO information directly - DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( - authURL, - DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, - null); + + //set interfederation authentication flag + executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH, + MiscUtil.isNotEmpty( + pendingReq.getRawData(SSOManager.DATAID_INTERFEDERATIOIDP_URL, String.class))); + + //set legacy mode or BKU-selection flags + boolean leagacyMode = (legacyallowed && legacyparamavail); + executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_ISLEGACYREQUEST, leagacyMode); + executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, !leagacyMode + && MiscUtil.isEmpty(pendingReq.getRawData(SSOManager.DATAID_INTERFEDERATIOIDP_URL, String.class))); - revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); - config.putCustomParameterWithOutEscaption("errorMsg", - MOAIDMessageProvider.getInstance().getMessage("slo.01", null)); - - try { - guiBuilder.build(httpResp, config, "Single-LogOut GUI"); - - } catch (GUIBuildException e1) { - Logger.warn("Can not build GUI:'Single-LogOut'. Msg:" + e.getMessage()); - throw new MOAIDException("builder.09", new Object[]{e.getMessage()}, e); - - } - - } - - } catch (Exception e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } + //add additional http request parameter to context + if (leagacyMode) { + Enumeration<String> reqParamNames = httpReq.getParameterNames(); + while(reqParamNames.hasMoreElements()) { + String paramName = reqParamNames.nextElement(); + if (StringUtils.isNotEmpty(paramName) && MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName) ) + executionContext.put(paramName, StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName))); + } + } + } } |