diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding')
7 files changed, 110 insertions, 60 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java index 8f83812a6..1d51d91f1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java @@ -1,12 +1,5 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding; -import java.io.FileNotFoundException; -import java.io.IOException; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.UnrecoverableKeyException; -import java.security.cert.CertificateException; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -14,6 +7,7 @@ import org.apache.velocity.app.VelocityEngine; import org.apache.velocity.runtime.RuntimeConstants; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.StatusResponseType; @@ -68,11 +62,10 @@ public class ArtifactBinding implements IDecoder, IEncoder { BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); SingleSignOnService service = new SingleSignOnServiceBuilder() .buildObject(); - service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"); + service.setBinding(SAMLConstants.SAML2_ARTIFACT_BINDING_URI); service.setLocation(targetLocation); context.setOutboundSAMLMessageSigningCredential(credentials); context.setPeerEntityEndpoint(service); - // context.setOutboundMessage(authReq); context.setOutboundSAMLMessage(response); context.setOutboundMessageTransport(responseAdapter); @@ -97,7 +90,7 @@ public class ArtifactBinding implements IDecoder, IEncoder { return null; } - public boolean handleDecode(String action) { + public boolean handleDecode(String action, HttpServletRequest req) { // TODO Auto-generated method stub return false; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java index 2778016ba..0f82d9a3f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java @@ -6,14 +6,16 @@ import javax.servlet.http.HttpServletResponse; import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.xml.security.SecurityException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; + public interface IDecoder { public MOARequest decodeRequest(HttpServletRequest req, HttpServletResponse resp) - throws MessageDecodingException, SecurityException; + throws MessageDecodingException, SecurityException, PVP2Exception; public MOAResponse decodeRespone(HttpServletRequest req, HttpServletResponse resp) - throws MessageDecodingException, SecurityException; + throws MessageDecodingException, SecurityException, PVP2Exception; - public boolean handleDecode(String action); + public boolean handleDecode(String action, HttpServletRequest req); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java index f2c392a2a..66526534d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java @@ -8,12 +8,23 @@ import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; + public interface IEncoder { public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, RequestAbstractType request, String targetLocation) - throws MessageEncodingException, SecurityException; + throws MessageEncodingException, SecurityException, PVP2Exception; + /** + * Encoder SAML Response + * @param req The http request + * @param resp The http response + * @param response The repsonse object + * @param targetLocation + * @throws MessageEncodingException + * @throws SecurityException + */ public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, StatusResponseType response, String targetLocation) - throws MessageEncodingException, SecurityException; + throws MessageEncodingException, SecurityException, PVP2Exception; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java new file mode 100644 index 000000000..513939e5d --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java @@ -0,0 +1,12 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.binding; + +import org.opensaml.common.binding.decoding.URIComparator; + +public class MOAURICompare implements URIComparator { + + public boolean compare(String uri1, String uri2) { + // TODO: implement proper equalizer for rewritten URLS + return true; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index c7d779fa2..6e826005d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -7,13 +7,16 @@ import org.apache.velocity.app.VelocityEngine; import org.apache.velocity.runtime.RuntimeConstants; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.decoding.HTTPPostDecoder; import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.ws.transport.http.HttpServletRequestAdapter; @@ -21,11 +24,11 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; -import org.opensaml.xml.signature.Signature; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.logging.Logger; public class PostBinding implements IDecoder, IEncoder { @@ -44,9 +47,6 @@ public class PostBinding implements IDecoder, IEncoder { Credential credentials = CredentialProvider .getIDPSigningCredential(); - Signature signer = CredentialProvider.getIDPSignature(credentials); - response.setSignature(signer); - VelocityEngine engine = new VelocityEngine(); engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8"); engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8"); @@ -63,7 +63,7 @@ public class PostBinding implements IDecoder, IEncoder { BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); SingleSignOnService service = new SingleSignOnServiceBuilder() .buildObject(); - service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT"); + service.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); service.setLocation(targetLocation); context.setOutboundSAMLMessageSigningCredential(credentials); context.setPeerEntityEndpoint(service); @@ -86,13 +86,24 @@ public class PostBinding implements IDecoder, IEncoder { BasicSAMLMessageContext<RequestAbstractType, ?, ?> messageContext = new BasicSAMLMessageContext<RequestAbstractType, SAMLObject, SAMLObject>(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); + decode.setURIComparator(new MOAURICompare()); + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + + try { + messageContext.setMetadataProvider(new MOAMetadataProvider()); + } catch (MetadataProviderException e) { + Logger.error("Failed to get Metadata Provider"); + throw new SecurityException("Failed to get Metadata Provider"); + } + decode.decode(messageContext); RequestAbstractType inboundMessage = (RequestAbstractType) messageContext .getInboundMessage(); - + MOARequest request = new MOARequest(inboundMessage); - + request.setVerified(false); + request.setEntityMetadata(messageContext.getPeerEntityMetadata()); return request; } @@ -105,16 +116,21 @@ public class PostBinding implements IDecoder, IEncoder { BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); + + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.decode(messageContext); Response inboundMessage = (Response) messageContext.getInboundMessage(); - + MOAResponse moaResponse = new MOAResponse(inboundMessage); + moaResponse.setVerified(false); + moaResponse.setEntityMetadata(messageContext.getPeerEntityMetadata()); return moaResponse; } - public boolean handleDecode(String action) { - return (action.equals(PVP2XProtocol.POST)); + public boolean handleDecode(String action, HttpServletRequest req) { + return (req.getMethod().equals("POST")); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 92a6b6002..4e7b08b21 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -5,6 +5,7 @@ import javax.servlet.http.HttpServletResponse; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder; import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule; @@ -25,20 +26,20 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; -import org.opensaml.xml.signature.Signature; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; +import at.gv.egovernment.moa.logging.Logger; public class RedirectBinding implements IDecoder, IEncoder { public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, RequestAbstractType request, String targetLocation) throws MessageEncodingException, SecurityException { - + //TODO: implement } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, @@ -48,17 +49,13 @@ public class RedirectBinding implements IDecoder, IEncoder { Credential credentials = CredentialProvider .getIDPSigningCredential(); - Signature signer = CredentialProvider.getIDPSignature(credentials); - response.setSignature(signer); - - HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( resp, true); BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); SingleSignOnService service = new SingleSignOnServiceBuilder() .buildObject(); - service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT"); + service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); service.setLocation(targetLocation); context.setOutboundSAMLMessageSigningCredential(credentials); context.setPeerEntityEndpoint(service); @@ -79,6 +76,7 @@ public class RedirectBinding implements IDecoder, IEncoder { HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( new BasicParserPool()); + decode.setURIComparator(new MOAURICompare()); BasicSAMLMessageContext<RequestAbstractType, ?, ?> messageContext = new BasicSAMLMessageContext<RequestAbstractType, SAMLObject, SAMLObject>(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); @@ -86,8 +84,8 @@ public class RedirectBinding implements IDecoder, IEncoder { try { messageContext.setMetadataProvider(new MOAMetadataProvider()); } catch (MetadataProviderException e) { - // TODO Auto-generated catch block - e.printStackTrace(); + Logger.error("Failed to get Metadata Provider"); + throw new SecurityException("Failed to get Metadata Provider"); } SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( @@ -99,6 +97,7 @@ public class RedirectBinding implements IDecoder, IEncoder { policy); messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); messageContext.setSecurityPolicyResolver(resolver); + decode.decode(messageContext); signatureRule.evaluate(messageContext); @@ -121,7 +120,6 @@ public class RedirectBinding implements IDecoder, IEncoder { messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - // TODO: used to verify signature! SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( TrustEngineFactory.getSignatureKnownKeysTrustEngine()); @@ -132,6 +130,14 @@ public class RedirectBinding implements IDecoder, IEncoder { policy); messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); messageContext.setSecurityPolicyResolver(resolver); + MOAMetadataProvider provider = null; + try { + provider = new MOAMetadataProvider(); + } catch (MetadataProviderException e) { + Logger.error("Failed to get Metadata Provider"); + throw new SecurityException("Failed to get Metadata Provider"); + } + messageContext.setMetadataProvider(provider); decode.decode(messageContext); @@ -143,7 +149,7 @@ public class RedirectBinding implements IDecoder, IEncoder { return moaResponse; } - public boolean handleDecode(String action) { - return (action.equals(PVP2XProtocol.REDIRECT)); + public boolean handleDecode(String action, HttpServletRequest req) { + return (action.equals(PVP2XProtocol.REDIRECT) && req.getMethod().equals("GET")); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index 027dab15a..04ec3eaee 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -5,23 +5,31 @@ import javax.servlet.http.HttpServletResponse; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder; import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.metadata.SingleSignOnService; +import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.ws.soap.soap11.decoder.http.HTTPSOAP11Decoder; import org.opensaml.ws.transport.http.HttpServletRequestAdapter; +import org.opensaml.ws.transport.http.HttpServletResponseAdapter; import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.credential.Credential; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; public class SoapBinding implements IDecoder, IEncoder { public MOARequest decodeRequest(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, - SecurityException { + SecurityException, PVP2Exception { HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(); BasicSAMLMessageContext<RequestAbstractType, ?, ?> messageContext = new BasicSAMLMessageContext<RequestAbstractType, SAMLObject, SAMLObject>(); @@ -40,38 +48,40 @@ public class SoapBinding implements IDecoder, IEncoder { public MOAResponse decodeRespone(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, - SecurityException { - HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(); - BasicSAMLMessageContext<Response, ?, ?> messageContext = - new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>(); - messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter( - req)); - soapDecoder.decode(messageContext); - - Response inboundMessage = (Response) messageContext - .getInboundMessage(); - - MOAResponse moaResponse = new MOAResponse(inboundMessage); - return moaResponse; + SecurityException, PVP2Exception { + throw new BindingNotSupportedException(SAMLConstants.SAML2_SOAP11_BINDING_URI + " response"); } - public boolean handleDecode(String action) { + public boolean handleDecode(String action, HttpServletRequest req) { return (action.equals(PVP2XProtocol.SOAP)); } public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, RequestAbstractType request, String targetLocation) - throws MessageEncodingException, SecurityException { - // TODO Auto-generated method stub + throws MessageEncodingException, SecurityException, PVP2Exception { } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, StatusResponseType response, String targetLocation) - throws MessageEncodingException, SecurityException { - HTTPSOAP11Encoder encoder = new HTTPSOAP11Encoder(); - + throws MessageEncodingException, SecurityException, PVP2Exception { + try { + Credential credentials = CredentialProvider + .getIDPSigningCredential(); + + HTTPSOAP11Encoder encoder = new HTTPSOAP11Encoder(); + HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( + resp, true); + BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); + context.setOutboundSAMLMessageSigningCredential(credentials); + context.setOutboundSAMLMessage(response); + context.setOutboundMessageTransport(responseAdapter); + + encoder.encode(context); + } catch (CredentialsNotAvailableException e) { + e.printStackTrace(); + throw new SecurityException(e); + } } } |