diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java | 192 |
1 files changed, 189 insertions, 3 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index 718f730b0..bded1943b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -33,12 +33,20 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.idp.auth.ISSOManager; +import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; +import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger; +import at.gv.egiz.eaaf.core.exceptions.EAAFSSOException; +import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException; import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions; +import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException; @@ -46,12 +54,15 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.legacy.LegacyHelper; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @Service("MOAID_SSOManager") -public class SSOManager { +public class SSOManager implements ISSOManager { + private static final String HTMLTEMPLATESDIR = "htmlTemplates/"; private static final String HTMLTEMPLATEFULL = "slo_template.html"; public static String CONTEXTPATH = "contextPath"; @@ -62,9 +73,160 @@ public class SSOManager { private static final int INTERFEDERATIONCOOKIEMAXAGE = 5 * 60;// sec @Autowired private IAuthenticationSessionStoreage authenticatedSessionStore; - @Autowired protected AuthConfiguration authConfig; + @Autowired private AuthConfiguration authConfig; + @Autowired private IRevisionLogger revisionsLogger; + + //@Autowired private MOASessionDBUtils moaSessionDBUtils; + + public boolean checkAndValidateSSOSession(IRequest pendingReq, HttpServletRequest httpReq, HttpServletResponse httpResp) throws EAAFSSOException { + try { + //get SSO cookie from http request + String ssoId = getSSOSessionID(httpReq); + + //check if interfederation IDP is requested + checkInterfederationIsRequested(httpReq, httpResp, pendingReq); + + //check if SSO session cookie is already used + if (ssoId != null) { + String correspondingMOASession = existsOldSSOSession(ssoId); + + if (correspondingMOASession != null) { + Logger.warn("Request sends an old SSO Session ID("+ssoId+")! " + + "Invalidate the corresponding MOASession with ID="+ correspondingMOASession); + + revisionsLogger.logEvent(pendingReq, EVENT_SSO_SESSION_INVALID); + + //destroy internal SSO-session object and SSO-session cooky + authenticatedSessionStore.destroyInternalSSOSession(correspondingMOASession); + deleteSSOSessionID(httpReq, httpResp); + } + } + + //check if SSO Session is valid + boolean isSSOValid = isValidSSOSession(ssoId, pendingReq); + + if (isSSOValid) + pendingReq.setSSOSessionIdentifier(ssoId); + + return isSSOValid; + + + } catch (SessionDataStorageException | ConfigurationException | MOADatabaseException e) { + Logger.warn("Cann not process SSO session. Reason: " + e.getMessage(), e); + Logger.info("All SSO session will be ignored."); + + } + + return false; + + } + + + + public void isSSOAllowedForSP(IRequest pendingReq, HttpServletRequest httpReq) { + // check if Service-Provider allows SSO sessions + IOAAuthParameters oaConfig = pendingReq.getServiceProviderConfiguration(OAAuthParameterDecorator.class); + boolean useSSOOA = oaConfig.useSSO() || oaConfig.isInderfederationIDP(); + + //if a legacy request is used SSO should not be allowed in case of mandate authentication + boolean isUseMandateRequested = false; + try { + isUseMandateRequested = LegacyHelper.isUseMandateRequested(httpReq); + + //check if SSO is allowed for the actually executed request + //INFO: Actually, useMandate disables SSO functionality!!!!! + pendingReq.setNeedSingleSignOnFunctionality((useSSOOA && !isUseMandateRequested)); + + //check if current service provider needs user consent for SSO + pendingReq.setNeedUserConsent(oaConfig.useSSOQuestion()); + + } catch (WrongParametersException e) { + Logger.warn("Find suspect http parameter for mandates! Reason: " + e.getMessage()); + + } + + } + + public void populatePendingRequestWithSSOInformation(IRequest pendingReq) throws EAAFSSOException { + //populate pending request with eID data from SSO session if no userConsent is required + try { + AuthenticationSession ssoMOASession = getInternalMOASession(pendingReq.getSSOSessionIdentifier()); + + if (ssoMOASession == null) + Logger.info("No MOASession FOUND with provided SSO-Cookie."); + + else { + Logger.debug("Found authenticated MOASession with provided SSO-Cookie."); + revisionsLogger.logEvent(pendingReq, EVENT_SSO_SESSION_VALID); + + Logger.trace("Populatint pending request with SSO session information .... "); + pendingReq.setGenericDataToSession(ssoMOASession.getKeyValueRepresentationFromAuthSession()); + pendingReq.setAuthenticated(true); + + } + + } catch (EAAFStorageException e) { + Logger.warn("Can NOT populate pending request from SSO session.", e); + throw new EAAFSSOException("", new Object[] {}, + "Can NOT populate pending request from SSO session", e); + + } + + } + + + @Override + public boolean destroySSOSessionOnIDPOnly(HttpServletRequest httpReq, HttpServletResponse httpResp, IRequest pendingReq) throws EAAFSSOException { + //get SSO token from request + String ssoid = null; + if (pendingReq != null && MiscUtil.isNotEmpty(pendingReq.getSSOSessionIdentifier())) { + ssoid = pendingReq.getSSOSessionIdentifier(); + + } else { + ssoid = getSSOSessionID(httpReq); + + } + try { + if (isValidSSOSession(ssoid, null)) { + + //delete SSO session and MOA session + AuthenticationSession ssoSession = authenticatedSessionStore.getInternalMOASessionWithSSOID(ssoid); + + if (ssoSession == null) { + Logger.info("No internal MOA SSO-Session found. Nothing to destroy"); + return false; + + } + + + ssoSession.setAuthenticated(false); + + //log Session_Destroy to reversionslog + AuthenticationSessionExtensions sessionExtensions = + authenticatedSessionStore.getAuthenticationSessionExtensions(ssoSession.getSSOSessionID()); + revisionsLogger.logEvent(MOAIDEventConstants.SESSION_DESTROYED, sessionExtensions.getUniqueSessionId()); + authenticatedSessionStore.destroyInternalSSOSession(ssoSession.getSSOSessionID()); + } + + } catch (MOADatabaseException | ConfigurationException | SessionDataStorageException e) { + Logger.info("NO MOA Authentication data for ID " + ssoid); + return false; + + } + + + //Remove SSO token + deleteSSOSessionID(httpReq, httpResp); + + return true; + + } + + + //*********************************** old ************************************** + /** * Check if interfederation IDP is requested via HTTP GET parameter or if interfederation cookie exists. * Set the requested interfederation IDP as attribte of the {protocolRequest} @@ -209,7 +371,7 @@ public class SSOManager { if (MiscUtil.isNotEmpty(ssoSessionID)) { AuthenticationSession moaSession = authenticatedSessionStore.getInternalMOASessionWithSSOID(ssoSessionID); if (moaSession != null) { - AuthenticationSessionExtensions extSessionInformation = authenticatedSessionStore.getAuthenticationSessionExtensions(moaSession.getSessionID()); + AuthenticationSessionExtensions extSessionInformation = authenticatedSessionStore.getAuthenticationSessionExtensions(moaSession.getSSOSessionID()); return extSessionInformation.getUniqueSessionId(); } @@ -336,4 +498,28 @@ public class SSOManager { setCookie(httpReq, httpResp, cookieName, "", 0); } + + + @Override + public void createNewSSOSession(IRequest arg0, String arg1, SLOInformationInterface arg2) throws EAAFSSOException { + // TODO Auto-generated method stub + + } + + + + @Override + public String createNewSSOSessionCookie(HttpServletRequest arg0, HttpServletResponse arg1, IRequest arg2) + throws EAAFSSOException { + // TODO Auto-generated method stub + return null; + } + + + @Override + public void updateSSOSession(IRequest arg0, String arg1, SLOInformationInterface arg2) throws EAAFSSOException { + // TODO Auto-generated method stub + + } + } |