1 files changed, 39 insertions, 12 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index ab0a1ec40..aff2c83ad 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -23,6 +23,7 @@
 package at.gv.egovernment.moa.id.moduls;
 
 import java.io.IOException;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Enumeration;
@@ -47,6 +48,7 @@ import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
+import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions;
 import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
@@ -89,6 +91,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
 @Service("MOAID_AuthenticationManager")
 public class AuthenticationManager extends MOAIDAuthConstants {
 
+	private static List<String> reqParameterWhiteListeForModules = new ArrayList<String>();
 	
 	public static final String MOA_SESSION = "MoaAuthenticationSession";
 	public static final String MOA_AUTHENTICATED = "MoaAuthenticated";
@@ -202,6 +205,14 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 	public AuthenticationSession doAuthentication(HttpServletRequest httpReq,
 			HttpServletResponse httpResp, RequestImpl pendingReq) throws MOADatabaseException, ServletException, IOException, MOAIDException {
 	
+		//load OA configuration from pending request
+		IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
+				
+		//set logging context and log unique OA identifier to revision log 
+		TransactionIDUtils.setServiceProviderId(pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix());
+		revisionsLogger.logEvent(oaParam, 
+				pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL());
+			
 		//generic authentication request validation 
 		if (pendingReq.isPassiv()
 				&& pendingReq.forceAuth()) {
@@ -236,12 +247,8 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 		boolean isValidSSOSession = ssoManager.isValidSSOSession(ssoId, pendingReq);
 		
 		// check if Service-Provider allows SSO sessions
-		IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
 		boolean useSSOOA = oaParam.useSSO() || oaParam.isInderfederationIDP();		
-		
-		revisionsLogger.logEvent(oaParam, 
-				pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL());
-		
+				
 		//if a legacy request is used SSO should not be allowed in case of mandate authentication
 		boolean isUseMandateRequested = LegacyHelper.isUseMandateRequested(httpReq);
 			
@@ -304,6 +311,18 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 	}
 	
 	/**
+	 * Add a request parameter to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext} 
+	 * 
+	 * @param httpReqParam http parameter name, but never null
+	 */
+	public void addParameterNameToWhiteList(String httpReqParam) {
+		if (MiscUtil.isNotEmpty(httpReqParam))
+			reqParameterWhiteListeForModules.add(httpReqParam);
+		
+	}
+	
+	
+	/**
 	 * Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated
 	 * 
 	 * @param protocolRequest Authentication request which is actually in process
@@ -381,17 +400,25 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 		executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_ISLEGACYREQUEST, leagacyMode);
 		executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, !leagacyMode 
 				&& MiscUtil.isEmpty(pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class)));
+		
+		//add X509 SSL client certificate if exist
+		if (httpReq.getAttribute("javax.servlet.request.X509Certificate") != null) {
+			Logger.debug("Find SSL-client-certificate on request --> Add it to context");
+			executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE, 
+					((X509Certificate[])httpReq.getAttribute("javax.servlet.request.X509Certificate")));
+			
+		}
 						
-		//add leagcy parameters to context
-		if (leagacyMode) {
+		//add additional http request parameter to context
+		if (!reqParameterWhiteListeForModules.isEmpty() || leagacyMode) {
 			Enumeration<String> reqParamNames = httpReq.getParameterNames();
 			while(reqParamNames.hasMoreElements()) {
 				String paramName = reqParamNames.nextElement();
 				if (MiscUtil.isNotEmpty(paramName) && 
-						MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName))
+						( MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName) 
+								|| reqParameterWhiteListeForModules.contains(paramName) ))
 					executionContext.put(paramName, 
-							StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName)));
-				
+							StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName)));				
 			}			
 		}
 		
@@ -615,7 +642,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 					//send SLO response to SLO request issuer
 					SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq);
 					LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs());
-					sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
+					sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq);
 					
 				} else {
 					//print SLO information directly
@@ -651,7 +678,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 			if (pvpReq != null) {
 				SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq);
 				LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
-				sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
+				sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq);
 
 				revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID);