diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java index 371cfb1d7..42e9bf25d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java @@ -50,7 +50,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /** - * the AttributeCollector Action tries to get all requested attributes from a set of {@link AttributeProvider} Plugins. + * The AttributeCollector Action tries to get all requested attributes from a set of {@link AttributeProvider} Plugins. * The class is called whenever the {@link AuthenticationRequest} Action is invoked and checks for missing attributes. * Furthermore, the class can handle direct posts. That is when the class triggers an attribute query which needs user * interaction, redirect to another portal, etc. The redirect will hit here and the class can continue to fetch attributes. @@ -80,8 +80,6 @@ public class AttributeCollector implements IAction { } - // TODO extract attribute response and check if it corresponds to the container - if (httpReq.getParameter("SAMLResponse") != null) { Logger.info("Got SAML response from external attribute provider."); @@ -106,7 +104,7 @@ public class AttributeCollector implements IAction { STORKAuthnResponse authnResponse = null; - // check if valid authn request is contained + // check if valid authn response is contained try { authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, httpReq.getRemoteAddr()); } catch (STORKSAMLEngineException ex) { @@ -115,6 +113,22 @@ public class AttributeCollector implements IAction { STORK2Response.setSTORKAuthnResponseToken(decSamlToken); + // check if the attributes are provided for the same person from request + // requires presence of eIdentifier for unambigious correlation + Logger.debug("Checking if the attribute relates to the correct person.."); + try { + String remoteEIdentifier= authnResponse.getPersonalAttributeList().get("eIdentifier").getValue().get(0); + String localEidentifier= container.getResponse().getStorkAuthnResponse().getPersonalAttributeList().get("eIdentifier").getValue().get(0); + if (!remoteEIdentifier.equals(localEidentifier)) { + Logger.error("The attribute is not provided for the same person!"); + throw new MOAIDException("stork.25", null); + } + } catch (NullPointerException ex) { + Logger.warn("Could not check the correlation of attributes from external provider. Ignoring the check."); + //Logger.debug(ex); + //throw new MOAIDException("stork.04", null); // TODO revise message, raise exception when ehvd checked + } + if (authnResponse.getPersonalAttributeList().size() > 0) { Logger.info("Response from external attribute provider contains " + authnResponse.getPersonalAttributeList().size() + " attributes."); container.getResponse().setPersonalAttributeList(addOrUpdateAll(container.getResponse().getPersonalAttributeList(), authnResponse.getPersonalAttributeList())); |