aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java50
1 files changed, 37 insertions, 13 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 257f9dac4..70b778c49 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -38,7 +38,6 @@ import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusResponseType;
-import org.opensaml.saml2.core.validator.AuthnRequestSchemaValidator;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
@@ -68,25 +67,50 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationExcep
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
public class SAMLVerificationEngine {
public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
- if (msg instanceof MOARequest &&
- ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType)
- verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine);
-
- else
- verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine);
+ try {
+ if (msg instanceof MOARequest &&
+ ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType)
+ verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine);
+ else
+ verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine);
+
+ } catch (InvalidProtocolRequestException e) {
+ if (MiscUtil.isEmpty(msg.getEntityID())) {
+ throw e;
+
+ }
+ Logger.debug("PVP2X message validation FAILED. Relead metadata for entityID: " + msg.getEntityID());
+ if (!MOAMetadataProvider.getInstance().refreshMetadataProvider(msg.getEntityID()))
+ throw e;
+
+ else {
+ Logger.trace("PVP2X metadata reload finished. Check validate message again.");
+
+ if (msg instanceof MOARequest &&
+ ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType)
+ verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine);
+
+ else
+ verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine);
+
+ }
+ Logger.trace("Second PVP2X message validation finished");
+ }
}
- public void verifyResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
+ public void verifyResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine ) throws InvalidProtocolRequestException{
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
try {
profileValidator.validate(samlObj.getSignature());
@@ -110,13 +134,13 @@ public class SAMLVerificationEngine {
if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) {
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
- } catch (SecurityException e) {
- e.printStackTrace();
+ } catch (org.opensaml.xml.security.SecurityException e) {
+ Logger.warn("PVP2x message signature validation FAILED.", e);
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
}
- public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
+ public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws InvalidProtocolRequestException {
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
try {
profileValidator.validate(samlObj.getSignature());
@@ -140,8 +164,8 @@ public class SAMLVerificationEngine {
if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) {
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
- } catch (SecurityException e) {
- e.printStackTrace();
+ } catch (org.opensaml.xml.security.SecurityException e) {
+ Logger.warn("PVP2x message signature validation FAILED.", e);
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-30 01:36:30 +0000