diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java | 34 |
1 files changed, 24 insertions, 10 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index a8349f0ef..544fd9925 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -85,6 +85,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException; @@ -97,6 +98,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.util.ErrorResponseUtils; +import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.id.util.VelocityLogAdapter; import at.gv.egovernment.moa.logging.Logger; @@ -209,7 +211,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { if(METADATA.equals(action)) { - return new PVPTargetConfiguration(); + return new PVPTargetConfiguration(request); } @@ -386,7 +388,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { samlResponse.setIssueInstant(new DateTime()); Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); - nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + nissuer.setValue(pvpRequest.getAuthURLWithOutSlash()); nissuer.setFormat(NameID.ENTITY); samlResponse.setIssuer(nissuer); @@ -459,7 +461,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { HttpServletResponse response, InboundMessage inMsg, String sessionId, String transactionId) throws MOAIDException { - PVPTargetConfiguration config = new PVPTargetConfiguration(); + PVPTargetConfiguration config = new PVPTargetConfiguration(request); MOARequest msg; if (inMsg instanceof MOARequest && @@ -495,13 +497,24 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { Logger.debug("PreProcess SLO Response from " + resp.getIssuer()); - if (!resp.getDestination().startsWith( - PVPConfiguration.getInstance().getIDPPublicPath())) { + List<String> allowedPublicURLPrefix = + AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); + boolean isAllowedDestination = false; + + for (String prefix : allowedPublicURLPrefix) { + if (!resp.getDestination().startsWith( + prefix)) { + isAllowedDestination = true; + break; + } + } + + if (!isAllowedDestination) { Logger.warn("PVP 2.1 single logout response destination does not match to IDP URL"); throw new AssertionValidationExeption("PVP 2.1 single logout response destination does not match to IDP URL", null); } - + //TODO: check if relayState exists inMsg.getRelayState(); @@ -532,7 +545,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { //validate destination String destinaten = attrQuery.getDestination(); - if (!PVPConfiguration.getInstance().getIDPAttributeQueryService().equals(destinaten)) { + if (!PVPConfiguration.getInstance().getIDPAttributeQueryService(HTTPUtils.extractAuthURLFromRequest(request)).equals(destinaten)) { Logger.warn("AttributeQuery destination does not match IDP AttributeQueryService URL"); throw new AttributQueryException("AttributeQuery destination does not match IDP AttributeQueryService URL", null); @@ -557,7 +570,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { } - PVPTargetConfiguration config = new PVPTargetConfiguration(); + PVPTargetConfiguration config = new PVPTargetConfiguration(request); config.setRequest(moaRequest); config.setOAURL(moaRequest.getEntityID()); config.setOnlineApplicationConfiguration(oa); @@ -585,7 +598,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { if(!(samlReq instanceof AuthnRequest)) { throw new MOAIDException("Unsupported request", new Object[] {}); } - + EntityDescriptor metadata = moaRequest.getEntityMetadata(); if(metadata == null) { throw new NoMetadataInformationException(); @@ -606,6 +619,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { } + //parse AssertionConsumerService AssertionConsumerService consumerService = null; if (MiscUtil.isNotEmpty(authnRequest.getAssertionConsumerServiceURL()) && @@ -668,7 +682,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { Logger.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + consumerService.getBinding()); - PVPTargetConfiguration config = new PVPTargetConfiguration(); + PVPTargetConfiguration config = new PVPTargetConfiguration(request); config.setOAURL(oaURL); config.setOnlineApplicationConfiguration(oa); config.setBinding(consumerService.getBinding()); |