aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java48
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java168
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java281
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java34
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java26
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java16
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java129
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java43
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java18
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java132
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java20
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java149
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java19
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java17
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java32
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java72
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java103
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java25
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java99
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java37
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java49
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java207
38 files changed, 1235 insertions, 578 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
index 55b1a7c9a..72aef5fed 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
@@ -116,16 +116,18 @@ public class StatisticLogger implements IStatisticLogger{
//set actual date and time
dblog.setTimestamp(new Date());
-
- //set OA databaseID
- //dblog.setOaID(dbOA.getHjid());
-
+
//log basic AuthInformation
dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH));
dblog.setOafriendlyName(dbOA.getFriendlyName());
- boolean isbusinessservice = isBusinessService(dbOA);
- dblog.setBusinessservice(isbusinessservice);
+ try {
+ dblog.setBusinessservice(dbOA.hasBaseIdTransferRestriction());
+
+ } catch (Exception e) {
+ Logger.warn("Can not extract some information for StatisticLogger.", e);
+ }
+
dblog.setOatarget(authData.getBPKType());
@@ -266,9 +268,14 @@ public class StatisticLogger implements IStatisticLogger{
if (dbOA != null) {
dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH));
dblog.setOafriendlyName(dbOA.getFriendlyName());
- dblog.setOatarget(dbOA.getTarget());
- //dblog.setOaID(dbOA.getHjid());
- dblog.setBusinessservice(isBusinessService(dbOA));
+
+ try {
+ dblog.setOatarget(dbOA.getAreaSpecificTargetIdentifier());
+ dblog.setBusinessservice(dbOA.hasBaseIdTransferRestriction());
+ } catch (Exception e) {
+ Logger.warn("Can not extract some information for StatisticLogger.", e);
+
+ }
IAuthenticationSession moasession = null;
if (MiscUtil.isNotEmpty(errorRequest.getInternalSSOSessionIdentifier())) {
@@ -314,15 +321,7 @@ public class StatisticLogger implements IStatisticLogger{
}
}
-
- private boolean isBusinessService(IOAAuthParameters dbOA) {
- if (dbOA.getOaType().equals("businessService"))
- return true;
- else
- return false;
- }
-
private String getMessageWithMaxLength(String msg, int maxlength) {
return getErrorMessageWithMaxLength(msg, maxlength);
@@ -391,15 +390,15 @@ public class StatisticLogger implements IStatisticLogger{
if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.LOCALBKU)))
return IOAAuthParameters.LOCALBKU;
- if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.ONLINEBKU)))
- return IOAAuthParameters.ONLINEBKU;
+ if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.THIRDBKU)))
+ return IOAAuthParameters.THIRDBKU;
}
Logger.trace("Staticic Log search BKUType from DefaultBKUs");
try {
- if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.ONLINEBKU)))
- return IOAAuthParameters.ONLINEBKU;
+ if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.THIRDBKU)))
+ return IOAAuthParameters.THIRDBKU;
if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.LOCALBKU)))
return IOAAuthParameters.LOCALBKU;
@@ -422,12 +421,7 @@ public class StatisticLogger implements IStatisticLogger{
Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.HANDYBKU);
return IOAAuthParameters.HANDYBKU;
}
-
- if (bkuURL.contains(GENERIC_ONLINE_BKU)) {
- Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU);
- return IOAAuthParameters.ONLINEBKU;
- }
-
+
Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.AUTHTYPE_OTHERS);
return IOAAuthParameters.AUTHTYPE_OTHERS;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index cad3354f5..5a5d0bcf6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -267,9 +267,9 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
//####################################################
//set general authData info's
authData.setIssuer(protocolRequest.getAuthURL());
- authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality());
- authData.setIsBusinessService(oaParam.getBusinessService());
-
+ authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality());
+ authData.setBaseIDTransferRestrication(oaParam.hasBaseIdTransferRestriction());
+
//####################################################
//parse user info's from identityLink
@@ -816,21 +816,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
* @param oaParam Service-Provider configuration, never null
* @param bPKType bPK-Type to check
* @return true, if bPK-Type matchs to Service-Provider configuration, otherwise false
+ * @throws ConfigurationException
*/
- private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) {
- String oaTarget = null;
- if (oaParam.getBusinessService()) {
- oaTarget = oaParam.getIdentityLinkDomainIdentifier();
-
- } else {
- oaTarget = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget();
-
- }
-
- if (oaTarget.equals(bPKType))
- return true;
- else
- return false;
+ private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) throws ConfigurationException {
+ return oaParam.getAreaSpecificTargetIdentifier().equals(bPKType);
+
}
private void parseBasicUserInfosFromIDL(AuthenticationData authData, IIdentityLink identityLink, Collection<String> includedGenericSessionData) {
@@ -918,9 +908,10 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
*
* @return Pair<bPK, bPKType> which was received by PVP-Attribute and could be decrypted for this Service Provider,
* or <code>null</code> if no attribute exists or can not decrypted
+ * @throws ConfigurationException
*/
private Pair<String, String> getEncryptedbPKFromPVPAttribute(IAuthenticationSession session,
- AuthenticationData authData, IOAAuthParameters spConfig) {
+ AuthenticationData authData, IOAAuthParameters spConfig) throws ConfigurationException {
//set List of encrypted bPKs to authData DAO
String pvpEncbPKListAttr = session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class);
if (MiscUtil.isNotEmpty(pvpEncbPKListAttr)) {
@@ -935,35 +926,44 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
String second = fullEncbPK.substring(0, index);
int secIndex = second.indexOf("+");
if (secIndex >= 0) {
- if (spConfig.getTarget().equals(second.substring(secIndex+1))) {
- Logger.debug("Found encrypted bPK for online-application "
- + spConfig.getPublicURLPrefix()
- + " Start decryption process ...");
- PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey();
- if (privKey != null) {
- try {
- String bPK = BPKBuilder.decryptBPK(encbPK, spConfig.getTarget(), privKey);
- if (MiscUtil.isNotEmpty(bPK)) {
- Logger.info("bPK decryption process finished successfully.");
- return Pair.newInstance(bPK, Constants.URN_PREFIX_CDID + "+" + spConfig.getTarget());
-
- } else {
- Logger.error("bPK decryption FAILED.");
-
+ String oaTargetId = spConfig.getAreaSpecificTargetIdentifier();
+ if (oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+ String publicServiceShortTarget = oaTargetId.substring(MOAIDAuthConstants.PREFIX_CDID.length());
+ if (publicServiceShortTarget.equals(second.substring(secIndex+1))) {
+ Logger.debug("Found encrypted bPK for online-application "
+ + spConfig.getPublicURLPrefix()
+ + " Start decryption process ...");
+ PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey();
+ if (privKey != null) {
+ try {
+ String bPK = BPKBuilder.decryptBPK(encbPK, publicServiceShortTarget, privKey);
+ if (MiscUtil.isNotEmpty(bPK)) {
+ Logger.info("bPK decryption process finished successfully.");
+ return Pair.newInstance(bPK, oaTargetId);
+
+ } else {
+ Logger.error("bPK decryption FAILED.");
+
+ }
+ } catch (BuildException e) {
+ Logger.error("bPK decryption FAILED.", e);
+
}
- } catch (BuildException e) {
- Logger.error("bPK decryption FAILED.", e);
- }
+ } else {
+ Logger.info("bPK decryption FAILED, because no valid decryption key is found.");
+
+ }
} else {
- Logger.info("bPK decryption FAILED, because no valid decryption key is found.");
+ Logger.info("Found encrypted bPK but " +
+ "encrypted bPK target does not match to online-application target");
- }
+ }
} else {
- Logger.info("Found encrypted bPK but " +
- "encrypted bPK target does not match to online-application target");
+ Logger.info("Encrypted bPKs are only allowed for public services with prefix: " + MOAIDAuthConstants.PREFIX_CDID
+ + " BUT oaTarget is " + oaTargetId);
}
}
@@ -1066,7 +1066,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
}
private IIdentityLink buildOAspecificIdentityLink(IOAAuthParameters oaParam, IIdentityLink idl, String bPK, String bPKType) throws MOAIDException {
- if (oaParam.getBusinessService()) {
+ if (oaParam.hasBaseIdTransferRestriction()) {
Element idlassertion = idl.getSamlAssertion();
//set bpk/wpbk;
Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
@@ -1097,69 +1097,45 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
}
- private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException {
+ private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException, ConfigurationException {
- String bPK;
- String bPKType;
-
String baseID = authData.getIdentificationValue();
- String baseIDType = authData.getIdentificationType();
-
- if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) {
- //Calculate eIDAS identifier
- if (oaParam.getBusinessService() &&
- oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_EIDAS)) {
- String[] splittedTarget = oaParam.getIdentityLinkDomainIdentifier().split("\\+");
- String cititzenCountryCode = splittedTarget[1];
- String eIDASOutboundCountry = splittedTarget[2];
-
- if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) {
- Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry");
-
- }
-
- Pair<String, String> eIDASID = new BPKBuilder().buildeIDASIdentifer(baseIDType, baseID,
- cititzenCountryCode, eIDASOutboundCountry);
- Logger.debug("Authenticate user with bPK:" + eIDASID.getFirst() + " Type:" + eIDASID.getSecond());
- return eIDASID;
-
- } else if (oaParam.getBusinessService()) {
- //is Austrian private-service application
- String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
- bPK = new BPKBuilder().buildbPKorwbPK(baseID, registerAndOrdNr);
- bPKType = registerAndOrdNr;
-
- } else {
- // only compute bPK if online application is a public service and we have the Stammzahl
- String target = null;
- Class<?> saml1RequstTemplate = null;
- try {
- saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl");
- if (saml1RequstTemplate != null &&
- saml1RequstTemplate.isInstance(pendingReq)) {
- target = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq);
+ String baseIDType = authData.getIdentificationType();
+ Pair<String, String> sectorSpecId = null;
+
+ if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) {
+ //SAML1 legacy target parameter work-around
+ String oaTargetId = null;
+ Class<?> saml1RequstTemplate = null;
+ try {
+ saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl");
+ if (saml1RequstTemplate != null &&
+ saml1RequstTemplate.isInstance(pendingReq)) {
+ oaTargetId = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq);
- }
+ }
- } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { }
+ } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { }
+
+ if (MiscUtil.isEmpty(oaTargetId)) {
+ oaTargetId = oaParam.getAreaSpecificTargetIdentifier();
+ Logger.debug("Use OA target identifier '" + oaTargetId + "' from configuration");
- if (MiscUtil.isEmpty(target))
- target = oaParam.getTarget();
-
- bPK = new BPKBuilder().buildBPK(baseID, target);
- bPKType = Constants.URN_PREFIX_CDID + "+" + target;
-
- }
-
+ } else
+ Logger.info("Use OA target identifier '" + oaTargetId + "' from SAML1 request for bPK calculation");
+
+ //calculate sector specific unique identifier
+ sectorSpecId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseID, oaTargetId);
+
+
} else {
- Logger.warn("!!!baseID-element does not include a baseID. This should not be happen any more!!!");
- bPK = baseID;
- bPKType = baseIDType;
-
+ Logger.fatal("!!!baseID-element does not include a baseID. This should not be happen any more!!!");
+ sectorSpecId = Pair.newInstance(baseID, baseIDType);
+
}
- Logger.trace("Authenticate user with bPK:" + bPK + " Type:" + bPKType);
- return Pair.newInstance(bPK, bPKType);
+ Logger.trace("Authenticate user with bPK:" + sectorSpecId.getFirst() + " Type:" + sectorSpecId.getSecond());
+ return sectorSpecId;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
index 32ac8ad68..a7f6e873f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java
@@ -60,6 +60,7 @@ import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
@@ -76,77 +77,192 @@ import at.gv.egovernment.moa.util.MiscUtil;
*/
public class BPKBuilder {
- /**
- * Builds the bPK from the given parameters.
- *
- * @param identificationValue Base64 encoded "Stammzahl"
- * @param target "Bereich lt. Verordnung des BKA"
- * @return bPK in a BASE64 encoding
- * @throws BuildException if an error occurs on building the bPK
- */
- public String buildBPK(String identificationValue, String target)
- throws BuildException {
-
- if ((identificationValue == null ||
- identificationValue.length() == 0 ||
- target == null ||
- target.length() == 0)) {
- throw new BuildException("builder.00",
- new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" +
- identificationValue + ",target=" + target});
- }
- String basisbegriff;
- if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
- basisbegriff = identificationValue + "+" + target;
- else
- basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target;
+ /**
+ * Calculates an area specific unique person-identifier from a baseID
+ *
+ * @param baseID baseId from user but never null
+ * @param targetIdentifier target identifier for area specific identifier calculation but never null
+ * @return Pair<unique person identifier for this target, targetArea> but never null
+ * @throws BuildException if some input data are not valid
+ */
+ public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String targetIdentifier) throws BuildException{
+ return generateAreaSpecificPersonIdentifier(baseID, Constants.URN_PREFIX_BASEID, targetIdentifier);
+
+ }
+
+ /**
+ * Calculates an area specific unique person-identifier from an unique identifier with a specific type
+ *
+ * @param baseID baseId from user but never null
+ * @param baseIdType Type of the baseID but never null
+ * @param targetIdentifier target identifier for area specific identifier calculation but never null
+ * @return Pair<unique person identifier for this target, targetArea> but never null
+ * @throws BuildException if some input data are not valid
+ */
+ public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String baseIdType, String targetIdentifier) throws BuildException{
+ if (MiscUtil.isEmpty(baseID))
+ throw new BuildException("builder.00", new Object[]{"baseID is empty or null"});
- return calculatebPKwbPK(basisbegriff);
- }
+ if (MiscUtil.isEmpty(baseIdType))
+ throw new BuildException("builder.00", new Object[]{"the type of baseID is empty or null"});
+
+ if (MiscUtil.isEmpty(targetIdentifier))
+ throw new BuildException("builder.00", new Object[]{"OA specific target identifier is empty or null"});
+ if (baseIdType.equals(Constants.URN_PREFIX_BASEID)) {
+ Logger.trace("Find baseID. Starting unique identifier caluclation for this target");
+
+ if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_CDID) ||
+ targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_WPBK) ||
+ targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_STORK)) {
+ Logger.trace("Calculate bPK, wbPK, or STORK identifier for target: " + targetIdentifier);
+ return Pair.newInstance(calculatebPKwbPK(baseID + "+" + targetIdentifier), targetIdentifier);
+
+ } else if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_EIDAS)) {
+ Logger.trace("Calculate eIDAS identifier for target: " + targetIdentifier);
+ String[] splittedTarget = targetIdentifier.split("\\+");
+ String cititzenCountryCode = splittedTarget[1];
+ String eIDASOutboundCountry = splittedTarget[2];
+
+ if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) {
+ Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry");
+
+ }
+ return buildeIDASIdentifer(baseID, baseIdType, cititzenCountryCode, eIDASOutboundCountry);
+
+
+ } else
+ throw new BuildException("builder.00",
+ new Object[]{"Target identifier: " + targetIdentifier + " is NOT allowed or unknown"});
+
+ } else {
+ Logger.trace("BaseID is not of type " + Constants.URN_PREFIX_BASEID + ". Check type against requested target ...");
+ if (baseIdType.equals(targetIdentifier)) {
+ Logger.debug("Unique identifier is already area specific. Is nothing todo");
+ return Pair.newInstance(baseID, targetIdentifier);
+
+ } else {
+ Logger.warn("Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required!");
+ throw new BuildException("builder.00",
+ new Object[]{"Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required"});
+
+ }
+ }
+ }
+
+
/**
- * Builds the wbPK from the given parameters.
+ * Builds the storkeid from the given parameters.
*
- * @param identificationValue Base64 encoded "Stammzahl"
- * @param registerAndOrdNr type of register + "+" + number in register.
- * @return wbPK in a BASE64 encoding
+ * @param baseID baseID of the citizen
+ * @param baseIDType Type of the baseID
+ * @param sourceCountry CountryCode of that country, which build the eIDAs ID
+ * @param destinationCountry CountryCode of that country, which receives the eIDAs ID
+ *
+ * @return Pair<eIDAs, bPKType> in a BASE64 encoding
* @throws BuildException if an error occurs on building the wbPK
*/
- public String buildWBPK(String identificationValue, String registerAndOrdNr)
- throws BuildException {
+ private Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry)
+ throws BuildException {
+ String bPK = null;
+ String bPKType = null;
+
+ // check if we have been called by public sector application
+ if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) {
+ bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry;
+ Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType);
+ bPK = calculatebPKwbPK(baseID + "+" + bPKType);
+
+ } else { // if not, sector identification value is already calculated by BKU
+ Logger.debug("eIDAS eIdentifier already provided by BKU");
+ bPK = baseID;
+ }
- if ((identificationValue == null ||
- identificationValue.length() == 0 ||
- registerAndOrdNr == null ||
- registerAndOrdNr.length() == 0)) {
+ if ((MiscUtil.isEmpty(bPK) ||
+ MiscUtil.isEmpty(sourceCountry) ||
+ MiscUtil.isEmpty(destinationCountry))) {
throw new BuildException("builder.00",
- new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" +
- identificationValue + ",Register+Registernummer=" + registerAndOrdNr});
+ new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" +
+ bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry});
}
-
- String basisbegriff;
- if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+"))
- basisbegriff = identificationValue + "+" + registerAndOrdNr;
- else
- basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr;
-
- return calculatebPKwbPK(basisbegriff);
- }
-
- public String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException {
- if (MiscUtil.isEmpty(baseID) ||
- !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") ||
- bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") ||
- bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) {
- throw new BuildException("builder.00",
- new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget
- + " has an unkown prefix."});
-
- }
-
- return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget);
-
+
+ Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]");
+ String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK;
+
+ return Pair.newInstance(eIdentifier, bPKType);
}
+
+// /**
+// * Builds the bPK from the given parameters.
+// *
+// * @param identificationValue Base64 encoded "Stammzahl"
+// * @param target "Bereich lt. Verordnung des BKA"
+// * @return bPK in a BASE64 encoding
+// * @throws BuildException if an error occurs on building the bPK
+// */
+// private String buildBPK(String identificationValue, String target)
+// throws BuildException {
+//
+// if ((identificationValue == null ||
+// identificationValue.length() == 0 ||
+// target == null ||
+// target.length() == 0)) {
+// throw new BuildException("builder.00",
+// new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" +
+// identificationValue + ",target=" + target});
+// }
+// String basisbegriff;
+// if (target.startsWith(Constants.URN_PREFIX_CDID + "+"))
+// basisbegriff = identificationValue + "+" + target;
+// else
+// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target;
+//
+// return calculatebPKwbPK(basisbegriff);
+// }
+//
+// /**
+// * Builds the wbPK from the given parameters.
+// *
+// * @param identificationValue Base64 encoded "Stammzahl"
+// * @param registerAndOrdNr type of register + "+" + number in register.
+// * @return wbPK in a BASE64 encoding
+// * @throws BuildException if an error occurs on building the wbPK
+// */
+// private String buildWBPK(String identificationValue, String registerAndOrdNr)
+// throws BuildException {
+//
+// if ((identificationValue == null ||
+// identificationValue.length() == 0 ||
+// registerAndOrdNr == null ||
+// registerAndOrdNr.length() == 0)) {
+// throw new BuildException("builder.00",
+// new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" +
+// identificationValue + ",Register+Registernummer=" + registerAndOrdNr});
+// }
+//
+// String basisbegriff;
+// if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+"))
+// basisbegriff = identificationValue + "+" + registerAndOrdNr;
+// else
+// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr;
+//
+// return calculatebPKwbPK(basisbegriff);
+// }
+//
+// private String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException {
+// if (MiscUtil.isEmpty(baseID) ||
+// !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") ||
+// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") ||
+// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) {
+// throw new BuildException("builder.00",
+// new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget
+// + " has an unkown prefix."});
+//
+// }
+//
+// return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget);
+//
+// }
public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException {
MiscUtil.assertNotNull(bpk, "BPK");
@@ -199,48 +315,7 @@ public class BPKBuilder {
return null;
}
}
-
- /**
- * Builds the storkeid from the given parameters.
- *
- * @param baseID baseID of the citizen
- * @param baseIDType Type of the baseID
- * @param sourceCountry CountryCode of that country, which build the eIDAs ID
- * @param destinationCountry CountryCode of that country, which receives the eIDAs ID
- *
- * @return Pair<eIDAs, bPKType> in a BASE64 encoding
- * @throws BuildException if an error occurs on building the wbPK
- */
- public Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry)
- throws BuildException {
- String bPK = null;
- String bPKType = null;
-
- // check if we have been called by public sector application
- if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) {
- bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry;
- Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType);
- bPK = calculatebPKwbPK(baseID + "+" + bPKType);
-
- } else { // if not, sector identification value is already calculated by BKU
- Logger.debug("eIDAS eIdentifier already provided by BKU");
- bPK = baseID;
- }
-
- if ((MiscUtil.isEmpty(bPK) ||
- MiscUtil.isEmpty(sourceCountry) ||
- MiscUtil.isEmpty(destinationCountry))) {
- throw new BuildException("builder.00",
- new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" +
- bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry});
- }
-
- Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]");
- String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK;
- return Pair.newInstance(eIdentifier, bPKType);
- }
-
private String calculatebPKwbPK(String basisbegriff) throws BuildException {
try {
MessageDigest md = MessageDigest.getInstance("SHA-1");
@@ -281,6 +356,4 @@ public class BPKBuilder {
result = cipher.doFinal(encryptedBytes);
return result;
}
-
-
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
index 73fe961eb..4c4af4239 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java
@@ -53,9 +53,11 @@ import java.util.List;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DateTimeUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.StringUtils;
/**
@@ -156,8 +158,9 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
* @param oaParam parameter for the OA
* @param session current session
* @return String representation of <code>&lt;CreateXMLSignatureRequest&gt;</code>
+ * @throws ConfigurationException
*/
- public String buildForeignID(String subject, IRequest pendingReq) {
+ public String buildForeignID(String subject, IRequest pendingReq) throws ConfigurationException {
String request = "";
request += "<sl:CreateXMLSignatureRequest xmlns:sl=\"http://www.buergerkarte.at/namespaces/securitylayer/1.2#\">";
@@ -181,11 +184,22 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
return request;
}
- public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) {
+ public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) throws ConfigurationException {
IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
- String target = pendingReq.getGenericData(
- MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
- String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
+ String target = null;
+ String sectorName = null;
+
+
+ String saml1Target = pendingReq.getGenericData(
+ MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class);
+ if (MiscUtil.isNotEmpty(saml1Target)) {
+ target = saml1Target;
+ sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(saml1Target);
+
+ } else {
+ target = oaParam.getAreaSpecificTargetIdentifier();
+ sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+ }
Calendar cal = Calendar.getInstance();
String date = DateTimeUtils.buildDate(cal);
@@ -243,11 +257,11 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
request += oaParam.getPublicURLPrefix();
request += "</td>";
request += "</tr>";
- boolean business = oaParam.getBusinessService();
- if (business) {
+
+ if (!target.startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
// OA is businessservice
- String identifierType = oaParam.getIdentityLinkDomainIdentifierType();
- String identifier = oaParam.getIdentityLinkDomainIdentifier();
+ String identifierType = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+ String identifier = oaParam.getAreaSpecificTargetIdentifier();
request += "<tr>";
request += "<td class=\"italicstyle\">";
request += identifierType + ":";
@@ -263,7 +277,7 @@ public class CreateXMLSignatureRequestBuilder implements Constants {
request += "<td class=\"italicstyle\">";
request += "Sektor (Sector):</td>";
request += "<td class=\"normalstyle\">";
- request += target + " (" + sectorName + ")";
+ request += target.substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
request += "</td>";
request += "</tr>";
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
index f4f6e82ba..fc5489673 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
@@ -31,14 +31,10 @@ import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
-import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
-import at.gv.egovernment.moa.util.MiscUtil;
/**
* @author tlenz
@@ -57,13 +53,14 @@ public class DynamicOAAuthParameterBuilder {
if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent();
if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) {
- dynamicOA.setBusinessService(false);
- dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length()));
+ //dynamicOA.setBusinessService(false);
+ dynamicOA.setAreaSpecificTargetIdentifier(attrValue);
} else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) ||
- attrValue.startsWith(Constants.URN_PREFIX_STORK) ) {
- dynamicOA.setBusinessService(true);
- dynamicOA.setTarget(attrValue);
+ attrValue.startsWith(Constants.URN_PREFIX_STORK) ||
+ attrValue.startsWith(Constants.URN_PREFIX_EIDAS)) {
+ //dynamicOA.setBusinessService(true);
+ dynamicOA.setAreaSpecificTargetIdentifier(attrValue);
} else {
Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea");
@@ -84,13 +81,16 @@ public class DynamicOAAuthParameterBuilder {
* @param oaParam
* @param protocolRequest
* @return
+ * @throws ConfigurationException
*/
public static IOAAuthParameters buildFromAuthnRequest(
- IOAAuthParameters oaParam, IRequest protocolRequest) {
+ IOAAuthParameters oaParam, IRequest protocolRequest) throws ConfigurationException {
DynamicOAAuthParameters dynOAParams = new DynamicOAAuthParameters();
dynOAParams.setApplicationID(oaParam.getPublicURLPrefix());
- dynOAParams.setBusinessService(oaParam.getBusinessService());
+
+ dynOAParams.setHasBaseIdProcessingRestriction(oaParam.hasBaseIdInternalProcessingRestriction());
+ dynOAParams.setHasBaseIdTransfergRestriction(oaParam.hasBaseIdTransferRestriction());
Object storkRequst = null;
try {
@@ -98,9 +98,9 @@ public class DynamicOAAuthParameterBuilder {
if (storkRequst != null &&
protocolRequest.getClass().isInstance(storkRequst)) {
- dynOAParams.setBusinessTarget(Constants.URN_PREFIX_STORK + "+" + "AT" + "+"
+ dynOAParams.setAreaSpecificTargetIdentifier(Constants.URN_PREFIX_STORK + "+" + "AT" + "+"
+ protocolRequest.getClass().getMethod("getSpCountry", null).invoke(protocolRequest, null));
- dynOAParams.setBusinessService(true);
+ //dynOAParams.setBusinessService(true);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
index a82ba501c..d5ca89656 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java
@@ -56,12 +56,16 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.spss.MOAException;
import at.gv.egovernment.moa.spss.api.SignatureVerificationService;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse;
import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureRequestParser;
import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureResponseBuilder;
import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest;
import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse;
import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moaspss.logging.Logger;
/**
* Invoker of the <code>SignatureVerification</code> web service of MOA-SPSS.<br>
@@ -108,6 +112,18 @@ public class SignatureVerificationInvoker {
}
+ public VerifyCMSSignatureResponse verifyCMSSignature(VerifyCMSSignatureRequest cmsSigVerifyReq) throws ServiceException {
+ try {
+ return svs.verifyCMSSignature(cmsSigVerifyReq);
+
+ } catch (MOAException e) {
+ Logger.warn("CMS signature verification has an error.", e);
+ throw new ServiceException("service.03", new Object[] { e.toString()}, e);
+
+ }
+
+ }
+
/**
* Method verifyXMLSignature.
* @param request to be sent
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
index 92d76751f..b2db8d5a2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
@@ -52,7 +52,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
@Autowired AuthConfiguration authConfig;
public void parse(IAuthenticationSession moasession,
- String target,
+ String reqTarget,
String oaURL,
String bkuURL,
String templateURL,
@@ -61,10 +61,11 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
HttpServletRequest req,
IRequest protocolReq) throws WrongParametersException, MOAIDException {
- String targetFriendlyName = null;
-
+ String resultTargetFriendlyName = null;
+ String resultTarget = null;
+
// escape parameter strings
- target = StringEscapeUtils.escapeHtml(target);
+ reqTarget = StringEscapeUtils.escapeHtml(reqTarget);
bkuURL = StringEscapeUtils.escapeHtml(bkuURL);
templateURL = StringEscapeUtils.escapeHtml(templateURL);
useMandate = StringEscapeUtils.escapeHtml(useMandate);
@@ -102,66 +103,70 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
// get target and target friendly name from config
- String targetConfig = oaParam.getTarget();
- String targetFriendlyNameConfig = oaParam.getTargetFriendlyName();
+ String targetConfig = oaParam.getAreaSpecificTargetIdentifier();
+ String targetFriendlyNameConfig = oaParam.getAreaSpecificTargetIdentifierFriendlyName();
+
+ //SAML1 legacy work-around for public area targets in request
+ if (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") &&
+ !StringUtils.isEmpty(reqTarget)) {
+ //INFO: ONLY SAML1 legacy mode
+ // if SAML1 is used and target attribute is given in request
+ // use requested target
+ // check target parameter
+ if (!ParamValidatorUtils.isValidTarget(reqTarget)) {
+ Logger.error("Selected target is invalid. Used target: " + reqTarget);
+ throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12");
+ }
+ resultTarget = MOAIDAuthConstants.PREFIX_CDID + reqTarget;
- if (!oaParam.getBusinessService()) {
- if (StringUtils.isEmpty(targetConfig)
- || (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") &&
- !StringUtils.isEmpty(target))
- ) {
- //INFO: ONLY SAML1 legacy mode
- // if SAML1 is used and target attribute is given in request
- // use requested target
- // check target parameter
- if (!ParamValidatorUtils.isValidTarget(target)) {
- Logger.error("Selected target is invalid. Using target: " + target);
- throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12");
- }
- if (MiscUtil.isNotEmpty(targetConfig))
- targetFriendlyName = targetFriendlyNameConfig;
+ String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget);
+ if (MiscUtil.isNotEmpty(sectorName))
+ resultTargetFriendlyName = sectorName;
+
+ else {
+ //check target contains subSector
+ int delimiter = reqTarget.indexOf("-");
+ if (delimiter > 0) {
+ resultTargetFriendlyName =
+ TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget.substring(0, delimiter));
- else {
- String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
- if (MiscUtil.isNotEmpty(sectorName))
- targetFriendlyName = sectorName;
-
- else {
- //check target contains subSector
- int delimiter = target.indexOf("-");
- if (delimiter > 0) {
- targetFriendlyName =
- TargetToSectorNameMapper.getSectorNameViaTarget(target.substring(0, delimiter));
-
- }
- }
- }
-
- } else {
- // use target from config
- target = targetConfig;
- targetFriendlyName = targetFriendlyNameConfig;
+ }
}
- if (isEmpty(target))
- throw new WrongParametersException("StartAuthentication",
- PARAM_TARGET, "auth.05");
-
- protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, target);
+ if (MiscUtil.isNotEmpty(targetConfig) && MiscUtil.isEmpty(resultTargetFriendlyName))
+ resultTargetFriendlyName = targetFriendlyNameConfig;
+
+ //set info's into request-context. (It's required to support SAML1 requested target parameters)
+ protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, resultTarget);
protocolReq.setGenericDataToSession(
- MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, targetFriendlyName);
- Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + target);
-
- } else {
- Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + oaParam.getIdentityLinkDomainIdentifier());
+ MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, resultTargetFriendlyName);
- if (useMandateBoolean) {
- Logger.error("Online-Mandate Mode for business application not supported.");
- throw new AuthenticationException("auth.17", null);
- }
+ } else {
+ Logger.trace("Use oa sector-identifier from configuration");
+ resultTarget = targetConfig;
+ resultTargetFriendlyName = targetFriendlyNameConfig;
}
-
+
+ //check if target is found
+ if (MiscUtil.isEmpty(resultTarget))
+ throw new WrongParametersException("StartAuthentication",
+ PARAM_TARGET, "auth.05");
+
+ //check if mandates are allowed
+ if (useMandateBoolean && oaParam.hasBaseIdInternalProcessingRestriction()) {
+ Logger.error("Online-Mandate Mode for business application not supported.");
+ throw new AuthenticationException("auth.17", null);
+
+ }
+
+ if (resultTarget.startsWith(MOAIDAuthConstants.PREFIX_CDID))
+ Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + resultTarget);
+ else
+ Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + resultTarget);
+
+
+
//Validate BKU URI
List<String> allowedbkus = oaParam.getBKUURL();
allowedbkus.addAll(authConfig.getDefaultBKUURLs());
@@ -247,16 +252,4 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, req, pendingReq);
}
-
- /**
- * Checks a parameter.
- *
- * @param param
- * parameter
- * @return true if the parameter is null or empty
- */
- private boolean isEmpty(String param) {
- return param == null || param.length() == 0;
- }
-
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index 353261085..5f74d8fdd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -29,6 +29,7 @@ import java.io.StringWriter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang.StringEscapeUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.ExceptionHandler;
@@ -48,7 +49,6 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
-import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider;
import at.gv.egovernment.moa.id.data.ExceptionContainer;
import at.gv.egovernment.moa.id.moduls.IRequestStorage;
@@ -166,8 +166,9 @@ public abstract class AbstractController extends MOAIDAuthConstants {
return;
- } catch (MOADatabaseException e) {
- Logger.warn("Exception can not be stored to Database.", e);
+ } catch (Exception e) {
+ Logger.warn("Default error-handling FAILED. Exception can not be stored to Database.", e);
+ Logger.info("Switch to generic generic backup error-handling ... ");
handleErrorNoRedirect(loggedException, req, resp, true);
}
@@ -231,7 +232,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
ErrorResponseUtils utils = ErrorResponseUtils.getInstance();
String code = utils.mapInternalErrorToExternalError(
((InvalidProtocolRequestException)e).getMessageId());
- String descr = e.getMessage();
+ String descr = StringEscapeUtils.escapeHtml(e.getMessage());
resp.setContentType(MediaType.HTML_UTF_8.toString());
resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Protocol validation FAILED!" +
"(Errorcode=" + code +
@@ -248,7 +249,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
null);
//add errorcode and errormessage
- config.putCustomParameter("errorMsg", msg);
+ config.putCustomParameter("errorMsg", StringEscapeUtils.escapeHtml(msg));
config.putCustomParameter("errorCode", errorCode);
//add stacktrace if debug is enabled
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
index 416e787a7..49145a850 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
@@ -33,9 +33,11 @@ import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
+import at.gv.egovernment.moa.id.auth.frontend.builder.AbstractServiceProviderSpecificGUIFormBuilderConfiguration;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.MOAIDConstants;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.moduls.IRequestStorage;
@@ -52,6 +54,7 @@ public class GUILayoutBuilderServlet extends AbstractController {
public static final String ENDPOINT_CSS = "/css/buildCSS";
public static final String ENDPOINT_JS = "/js/buildJS";
+ public static final String ENDPOINT_BKUDETECTION = "/feature/bkuDetection";
@Autowired AuthConfiguration authConfig;
@Autowired IRequestStorage requestStoreage;
@@ -65,6 +68,41 @@ public class GUILayoutBuilderServlet extends AbstractController {
}
+ @RequestMapping(value = ENDPOINT_BKUDETECTION, method = {RequestMethod.GET})
+ public void buildBkuDetectionFrame(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ try {
+ IRequest pendingReq = extractPendingRequest(req);
+
+ //initialize GUI builder configuration
+ AbstractServiceProviderSpecificGUIFormBuilderConfiguration config = null;
+ if (pendingReq != null)
+ config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
+ pendingReq,
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_BKUDETECTION_SP_SPECIFIC,
+ null);
+
+ else {
+ config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
+ HTTPUtils.extractAuthURLFromRequest(req),
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_BKUDETECTION_GENERIC,
+ null);
+ config.setTemplateClasspahtDir(
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_MAINGUI_DIRECTORY);
+
+ }
+
+ //build GUI component
+ formBuilder.build(resp, config, MOAIDConstants.DEFAULT_CONTENT_TYPE_HTML_UTF8, "BKUDetection-Frame");
+
+
+ } catch (Exception e) {
+ Logger.warn("GUI ressource:'BKUDetection' generation FAILED.", e);
+ resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed");
+
+ }
+
+ }
+
@RequestMapping(value = "/css/buildCSS", method = {RequestMethod.GET})
public void buildCSS(HttpServletRequest req, HttpServletResponse resp) throws IOException {
try {
@@ -88,7 +126,7 @@ public class GUILayoutBuilderServlet extends AbstractController {
formBuilder.build(resp, config, "text/css; charset=UTF-8", "CSS-Form");
} catch (Exception e) {
- Logger.warn("GUI ressource:'CSS' generation FAILED.");
+ Logger.warn("GUI ressource:'CSS' generation FAILED.", e);
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed");
}
@@ -117,7 +155,7 @@ public class GUILayoutBuilderServlet extends AbstractController {
formBuilder.build(resp, config, "text/javascript; charset=UTF-8", "JavaScript");
} catch (Exception e) {
- Logger.warn("GUI ressource:'JavaScript' generation FAILED.");
+ Logger.warn("GUI ressource:'JavaScript' generation FAILED.", e);
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed");
}
@@ -142,6 +180,7 @@ public class GUILayoutBuilderServlet extends AbstractController {
} catch (Exception e) {
Logger.warn("GUI-Layout builder-servlet has an error during request-preprocessing.", e);
+
}
return null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index 1848fa6f7..be511d888 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -49,6 +49,8 @@ import at.gv.egovernment.moa.util.URLEncoder;
@Controller
public class RedirectServlet {
+ public static final String SERVICE_ENDPOINT = "/RedirectServlet";
+
public static final String REDIRCT_PARAM_URL = "redirecturl";
private static final String DEFAULT_REDIRECTTARGET = "_parent";
@@ -74,6 +76,8 @@ public class RedirectServlet {
//validate URL
new java.net.URL(url);
+ //url = URLDecoder.decode(url, "UTF-8");
+
oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url);
String authURL = HTTPUtils.extractAuthURLFromRequest(req);
@@ -128,12 +132,24 @@ public class RedirectServlet {
resp.addHeader("Location", url);
} else {
- Logger.debug("Redirect to " + url);
+ Logger.debug("Redirect to " + url);
+
+ try {
+ String test = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETREDIRECTTARGET);
+ if (MiscUtil.isNotEmpty(test))
+ redirectTarget = test;
+
+ } catch (Exception e) {
+ Logger.debug("Use default redirectTarget.");
+ }
+
DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration(
authURL,
DefaultGUIFormBuilderConfiguration.VIEW_REDIRECT,
null);
config.putCustomParameter(URL, StringEscapeUtils.escapeHtml(url));
+ config.putCustomParameter(TARGET, redirectTarget);
+
guiBuilder.build(resp, config, "RedirectForm.html");
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java
index c31666bbb..fc5cc0495 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java
@@ -52,6 +52,8 @@ package at.gv.egovernment.moa.id.config;
import java.util.HashMap;
import java.util.Map;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+
/**
* @author bzwattendorfer
*
@@ -106,6 +108,8 @@ public class TargetToSectorNameMapper implements TargetsAndSectorNames {
}
public static String getSectorNameViaTarget(String target) {
+ if (target.startsWith(MOAIDAuthConstants.PREFIX_CDID))
+ target = target.substring(MOAIDAuthConstants.PREFIX_CDID.length());
return targetMap.get(target) != null ? (String) targetMap.get(target) : "";
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 6a6359058..99b4154e0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -60,7 +60,9 @@ import java.util.Set;
import org.apache.commons.lang.SerializationUtils;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.MOAIDConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IStorkConfig;
import at.gv.egovernment.moa.id.commons.api.data.BPKDecryptionParameters;
@@ -96,10 +98,31 @@ public class OAAuthParameter implements IOAAuthParameters, Serializable{
final public static String DEFAULT_KEYBOXIDENTIFIER = "SecureSignatureKeypair";
private Map<String, String> oaConfiguration;
+ private List<String> targetAreasWithNoInteralBaseIdRestriction = new ArrayList<String>();
+ private List<String> targetAreasWithNoBaseIdTransmissionRestriction = new ArrayList<String>();
-
- public OAAuthParameter(final Map<String, String> oa) {
+ public OAAuthParameter(final Map<String, String> oa, AuthConfiguration authConfig) {
this.oaConfiguration = oa;
+
+ //set oa specific restrictions
+ targetAreasWithNoInteralBaseIdRestriction = KeyValueUtils.getListOfCSVValues(
+ authConfig.getBasicMOAIDConfiguration(
+ CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL,
+ MOAIDAuthConstants.PREFIX_CDID));
+
+ targetAreasWithNoBaseIdTransmissionRestriction = KeyValueUtils.getListOfCSVValues(
+ authConfig.getBasicMOAIDConfiguration(
+ CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION,
+ MOAIDAuthConstants.PREFIX_CDID));
+
+ if (Logger.isTraceEnabled()) {
+ Logger.trace("Internal policy for OA: " + getPublicURLPrefix());
+ for (String el : targetAreasWithNoInteralBaseIdRestriction)
+ Logger.trace(" Allow baseID processing for prefix " + el);
+ for (String el : targetAreasWithNoBaseIdTransmissionRestriction)
+ Logger.trace(" Allow baseID transfer for prefix " + el);
+
+ }
}
@@ -111,12 +134,54 @@ public class OAAuthParameter implements IOAAuthParameters, Serializable{
return this.oaConfiguration.get(key);
}
+ @Override
+ public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException {
+ String targetAreaIdentifier = getAreaSpecificTargetIdentifier();
+ for (String el : targetAreasWithNoInteralBaseIdRestriction) {
+ if (targetAreaIdentifier.startsWith(el))
+ return false;
+
+ }
+ return true;
+
+ }
+
+ @Override
+ public boolean hasBaseIdTransferRestriction() throws ConfigurationException {
+ String targetAreaIdentifier = getAreaSpecificTargetIdentifier();
+ for (String el : targetAreasWithNoBaseIdTransmissionRestriction) {
+ if (targetAreaIdentifier.startsWith(el))
+ return false;
+
+ }
+ return true;
+
+ }
+
+ @Override
+ public String getAreaSpecificTargetIdentifier() throws ConfigurationException {
+ if (getBusinessService())
+ return getIdentityLinkDomainIdentifier();
+ else
+ return MOAIDAuthConstants.PREFIX_CDID + getTarget();
+
+ }
+
+ @Override
+ public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException{
+ if (getBusinessService())
+ return getIdentityLinkDomainIdentifierType();
+ else
+ return getTargetFriendlyName();
+
+ }
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
*/
-@Override
-public String getIdentityLinkDomainIdentifier() {
+//@Override
+private String getIdentityLinkDomainIdentifier() {
String type = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE);
String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE);
if (MiscUtil.isNotEmpty(type) && MiscUtil.isNotEmpty(value)) {
@@ -138,8 +203,8 @@ public String getIdentityLinkDomainIdentifier() {
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType()
*/
-@Override
-public String getIdentityLinkDomainIdentifierType() {
+//@Override
+private String getIdentityLinkDomainIdentifierType() {
String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE);
if (MiscUtil.isNotEmpty(value))
return MOAIDConfigurationConstants.BUSINESSSERVICENAMES.get(value);
@@ -151,8 +216,8 @@ public String getIdentityLinkDomainIdentifierType() {
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
*/
-@Override
-public String getTarget() {
+//@Override
+private String getTarget() {
if (Boolean.parseBoolean(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_USE_OWN)))
return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_TARGET);
@@ -171,8 +236,8 @@ public String getTarget() {
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName()
*/
-@Override
-public String getTargetFriendlyName() {
+//@Override
+private String getTargetFriendlyName() {
if (Boolean.parseBoolean(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_USE_OWN)))
return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME);
@@ -265,8 +330,8 @@ public String getKeyBoxIdentifier() {
*/
@Override
public String getBKUURL(String bkutype) {
- if (bkutype.equals(ONLINEBKU)) {
- return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE);
+ if (bkutype.equals(THIRDBKU)) {
+ return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD);
} else if (bkutype.equals(HANDYBKU)) {
return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY);
@@ -274,10 +339,15 @@ public String getKeyBoxIdentifier() {
} else if (bkutype.equals(LOCALBKU)) {
return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL);
+ } else if (bkutype.equals(ONLINEBKU)) {
+ return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD);
+
}
+
+
Logger.warn("BKU Type does not match: "
- + ONLINEBKU + " or " + HANDYBKU + " or " + LOCALBKU);
+ + THIRDBKU + " or " + HANDYBKU + " or " + LOCALBKU);
return null;
}
@@ -288,8 +358,8 @@ public String getKeyBoxIdentifier() {
public List<String> getBKUURL() {
List<String> list = new ArrayList<String>();
- if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE))
- list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE));
+ if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD))
+ list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD));
if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY))
list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY));
@@ -572,7 +642,7 @@ public Collection<CPEPS> getPepsList() {
MOAIDConfigurationConstants.SERVICE_AUTH_STORK_COUNTRIES_LIST
+ "." + index + "."
+ MOAIDConfigurationConstants.SERVICE_AUTH_STORK_COUNTRIES_LIST_ENABLED))) {
- CPEPS availableCPEPS = availableSTORKConfig.getCPEPS(
+ CPEPS availableCPEPS = availableSTORKConfig.getCPEPSWithFullName(
oaConfiguration.get(
MOAIDConfigurationConstants.SERVICE_AUTH_STORK_COUNTRIES_LIST
+ "." + index + "."
@@ -648,8 +718,8 @@ public boolean isInterfederationSSOStorageAllowed() {
return false;
}
-public boolean isIDPPublicService() {
- return !getBusinessService();
+public boolean isIDPPublicService() throws ConfigurationException {
+ return !hasBaseIdTransferRestriction();
}
@@ -735,11 +805,7 @@ public String getPublicURLPrefix() {
}
-/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
- */
-@Override
-public boolean getBusinessService() {
+private boolean getBusinessService() {
String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_BUSINESSSERVICE);
if (MiscUtil.isNotEmpty(value))
return Boolean.parseBoolean(value);
@@ -780,16 +846,16 @@ public String getFriendlyName() {
}
-/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
- */
-@Override
-public String getOaType() {
- if (getBusinessService())
- return "businessService";
- else
- return "publicService";
-}
+///* (non-Javadoc)
+// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
+// */
+//@Override
+//public String getOaType() {
+// if (getBusinessService())
+// return "businessService";
+// else
+// return "publicService";
+//}
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
index 35d052acd..332604257 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
@@ -412,7 +412,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
return null;
}
- return new OAAuthParameter(oa);
+ return new OAAuthParameter(oa, this);
}
/**
@@ -676,7 +676,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
templatesList.add(configuration.getStringValue(
MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL));
templatesList.add(configuration.getStringValue(
- MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE));
+ MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD));
templatesList.add(configuration.getStringValue(
MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY));
@@ -701,9 +701,9 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
try {
switch (type) {
- case IOAAuthParameters.ONLINEBKU:
+ case IOAAuthParameters.THIRDBKU:
slRequestTemplate = configuration.getStringValue(
- MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE);
+ MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD);
break;
case IOAAuthParameters.LOCALBKU:
slRequestTemplate = configuration.getStringValue(
@@ -714,7 +714,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY);
break;
default:
- Logger.warn("getSLRequestTemplates: BKU Type does not match: " + IOAAuthParameters.ONLINEBKU + " or " + IOAAuthParameters.HANDYBKU + " or "
+ Logger.warn("getSLRequestTemplates: BKU Type does not match: " + IOAAuthParameters.THIRDBKU + " or " + IOAAuthParameters.HANDYBKU + " or "
+ IOAAuthParameters.LOCALBKU);
}
@@ -736,7 +736,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
List<String> bkuurlsList = new ArrayList<String>();
try {
bkuurlsList.add(configuration.getStringValue(
- MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE));
+ MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD));
bkuurlsList.add(configuration.getStringValue(
MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL));
bkuurlsList.add(configuration.getStringValue(
@@ -762,9 +762,9 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
String defaultBKUUrl = null;
try {
switch (type) {
- case IOAAuthParameters.ONLINEBKU:
+ case IOAAuthParameters.THIRDBKU:
defaultBKUUrl = configuration.getStringValue(
- MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE);
+ MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD);
break;
case IOAAuthParameters.LOCALBKU:
defaultBKUUrl = configuration.getStringValue(
@@ -775,7 +775,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY);
break;
default:
- Logger.warn("getDefaultBKUURL: BKU Type does not match: " + IOAAuthParameters.ONLINEBKU + " or " + IOAAuthParameters.HANDYBKU + " or "
+ Logger.warn("getDefaultBKUURL: BKU Type does not match: " + IOAAuthParameters.THIRDBKU + " or " + IOAAuthParameters.HANDYBKU + " or "
+ IOAAuthParameters.LOCALBKU);
}
@@ -817,7 +817,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
public String getSSOFriendlyName() {
try {
return configuration.getStringValue(
- MOAIDConfigurationConstants.GENERAL_AUTH_SSO_TARGET, "Default MOA-ID friendly name for SSO");
+ MOAIDConfigurationConstants.GENERAL_AUTH_SSO_SERVICENAME, "Default MOA-ID friendly name for SSO");
} catch (at.gv.egiz.components.configuration.api.ConfigurationException e) {
Logger.warn("Single Sign-On FriendlyName can not be read from configuration.", e);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
index 9fd58b5c7..f3db82315 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java
@@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
/**
* @author tlenz
@@ -45,33 +46,84 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
private static final long serialVersionUID = 1648437815185614566L;
private String publicURLPrefix;
-
- private String businessTarget;
-
- private boolean businessService;
-
+
private boolean isInderfederationIDP;
-
private String IDPQueryURL;
- private String target;
-
+ private boolean hasBaseIdProcessingRestriction;
+ private boolean hasBaseIdTransfergRestriction;
+ private String oaTargetAreaIdentifier;
+
+
/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdInternalProcessingRestriction()
*/
@Override
- public String getTarget() {
- return this.target;
+ public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException {
+ return this.hasBaseIdProcessingRestriction;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdTransferRestriction()
+ */
+ @Override
+ public boolean hasBaseIdTransferRestriction() throws ConfigurationException {
+ return this.hasBaseIdTransfergRestriction;
}
/* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier()
+ */
+ @Override
+ public String getAreaSpecificTargetIdentifier() throws ConfigurationException {
+ return this.oaTargetAreaIdentifier;
+ }
+
+ /**
+ * @param hasBaseIdProcessingRestriction the hasBaseIdProcessingRestriction to set
+ */
+ public void setHasBaseIdProcessingRestriction(boolean hasBaseIdProcessingRestriction) {
+ this.hasBaseIdProcessingRestriction = hasBaseIdProcessingRestriction;
+ }
+
+ /**
+ * @param hasBaseIdTransfergRestriction the hasBaseIdTransfergRestriction to set
+ */
+ public void setHasBaseIdTransfergRestriction(boolean hasBaseIdTransfergRestriction) {
+ this.hasBaseIdTransfergRestriction = hasBaseIdTransfergRestriction;
+ }
+
+ /**
+ * @param oaTargetAreaIdentifier the oaTargetAreaIdentifier to set
+ */
+ public void setAreaSpecificTargetIdentifier(String oaTargetAreaIdentifier) {
+ this.oaTargetAreaIdentifier = oaTargetAreaIdentifier;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifierFriendlyName()
*/
@Override
- public String getIdentityLinkDomainIdentifier() {
- return this.businessTarget;
+ public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException {
+ return null;
}
+// /* (non-Javadoc)
+// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget()
+// */
+// //@Override
+// public String getTarget() {
+// return this.target;
+// }
+//
+// /* (non-Javadoc)
+// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier()
+// */
+// //@Override
+// public String getIdentityLinkDomainIdentifier() {
+// return this.businessTarget;
+// }
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIDPAttributQueryServiceURL()
*/
@@ -164,7 +216,7 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType()
*/
- @Override
+ //@Override
public String getIdentityLinkDomainIdentifierType() {
// TODO Auto-generated method stub
return null;
@@ -251,26 +303,26 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
return null;
}
- /**
- * @param isBusinessService the isBusinessService to set
- */
- public void setBusinessService(boolean isBusinessService) {
- businessService = isBusinessService;
- }
-
- /**
- * @param target the target to set
- */
- public void setTarget(String target) {
- this.target = target;
- }
-
- /**
- * @param businessTarget the businessTarget to set
- */
- public void setBusinessTarget(String businessTarget) {
- this.businessTarget = businessTarget;
- }
+// /**
+// * @param isBusinessService the isBusinessService to set
+// */
+// public void setBusinessService(boolean isBusinessService) {
+// businessService = isBusinessService;
+// }
+
+// /**
+// * @param target the target to set
+// */
+// public void setTarget(String target) {
+// this.target = target;
+// }
+//
+// /**
+// * @param businessTarget the businessTarget to set
+// */
+// public void setBusinessTarget(String businessTarget) {
+// this.businessTarget = businessTarget;
+// }
/**
* @param inderfederatedIDP the inderfederatedIDP to set
@@ -400,27 +452,18 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
return this.publicURLPrefix;
}
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType()
- */
- @Override
- public String getOaType() {
- // TODO Auto-generated method stub
- return null;
- }
-
- /* (non-Javadoc)
- * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
- */
- @Override
- public boolean getBusinessService() {
- return this.businessService;
- }
+// /* (non-Javadoc)
+// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService()
+// */
+// //@Override
+// public boolean getBusinessService() {
+// return this.businessService;
+// }
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName()
*/
- @Override
+ //@Override
public String getTargetFriendlyName() {
// TODO Auto-generated method stub
return null;
@@ -487,4 +530,6 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{
// TODO Auto-generated method stub
return false;
}
+
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
index b85938bb7..a04236288 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
@@ -178,7 +178,7 @@ public class STORKConfig implements IStorkConfig {
* @see at.gv.egovernment.moa.id.config.stork.IStorkConfig#getCPEPS(java.lang.String)
*/
@Override
- public CPEPS getCPEPS(String ccc) {
+ public CPEPS getCPEPSWithFullName(String ccc) {
if (isSTORKAuthentication(ccc))
return this.cpepsMap.get(ccc);
else
@@ -186,6 +186,23 @@ public class STORKConfig implements IStorkConfig {
}
/* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.stork.IStorkConfig#getCPEPS(java.lang.String)
+ */
+ @Override
+ public CPEPS getCPEPSWithCC(String ccc) {
+ if (isSTORKAuthentication(ccc)) {
+ for (CPEPS el :this.cpepsMap.values()) {
+ if (el.getCountryCode().equals(ccc))
+ return el;
+
+ }
+ }
+
+ return null;
+ }
+
+
+ /* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.stork.IStorkConfig#getStorkAttributes()
*/
@Override
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
index f5f056ccc..7f56f519b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
@@ -120,7 +120,8 @@ public class AuthenticationData implements IAuthData, Serializable {
* the corresponding <code>lt;saml:Assertion&gt;</code>
*/
- private boolean businessService;
+ private boolean isBaseIDTransferRestrication = true;
+
/**
* STORK attributes from response
@@ -742,13 +743,15 @@ public class AuthenticationData implements IAuthData, Serializable {
* @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService()
*/
@Override
- public boolean isBusinessService() {
- return this.businessService;
+ public boolean isBaseIDTransferRestrication() {
+ return isBaseIDTransferRestrication;
}
-
- public void setIsBusinessService(boolean flag) {
- this.businessService = flag;
-
+
+ /**
+ * @param isBaseIDTransmittionAllowed the isBaseIDTransmittionAllowed to set
+ */
+ public void setBaseIDTransferRestrication(boolean isBaseIDTransferRestrication) {
+ this.isBaseIDTransferRestrication = isBaseIDTransferRestrication;
}
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
index 4c15cd3d1..e9fef4676 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
@@ -38,8 +38,8 @@ public interface IAuthData {
Date getIssueInstant();
String getIssuer();
-
- boolean isBusinessService();
+ boolean isBaseIDTransferRestrication();
+
boolean isSsoSession();
//boolean isInterfederatedSSOSession();
boolean isUseMandate();
@@ -90,5 +90,6 @@ public interface IAuthData {
String getCcc();
public <T> T getGenericData(String key, final Class<T> clazz);
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 7c581d470..aff2c83ad 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -23,6 +23,7 @@
package at.gv.egovernment.moa.id.moduls;
import java.io.IOException;
+import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
@@ -90,6 +91,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
@Service("MOAID_AuthenticationManager")
public class AuthenticationManager extends MOAIDAuthConstants {
+ private static List<String> reqParameterWhiteListeForModules = new ArrayList<String>();
public static final String MOA_SESSION = "MoaAuthenticationSession";
public static final String MOA_AUTHENTICATED = "MoaAuthenticated";
@@ -309,6 +311,18 @@ public class AuthenticationManager extends MOAIDAuthConstants {
}
/**
+ * Add a request parameter to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext}
+ *
+ * @param httpReqParam http parameter name, but never null
+ */
+ public void addParameterNameToWhiteList(String httpReqParam) {
+ if (MiscUtil.isNotEmpty(httpReqParam))
+ reqParameterWhiteListeForModules.add(httpReqParam);
+
+ }
+
+
+ /**
* Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated
*
* @param protocolRequest Authentication request which is actually in process
@@ -386,17 +400,25 @@ public class AuthenticationManager extends MOAIDAuthConstants {
executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_ISLEGACYREQUEST, leagacyMode);
executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, !leagacyMode
&& MiscUtil.isEmpty(pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class)));
+
+ //add X509 SSL client certificate if exist
+ if (httpReq.getAttribute("javax.servlet.request.X509Certificate") != null) {
+ Logger.debug("Find SSL-client-certificate on request --> Add it to context");
+ executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE,
+ ((X509Certificate[])httpReq.getAttribute("javax.servlet.request.X509Certificate")));
+
+ }
- //add leagcy parameters to context
- if (leagacyMode) {
+ //add additional http request parameter to context
+ if (!reqParameterWhiteListeForModules.isEmpty() || leagacyMode) {
Enumeration<String> reqParamNames = httpReq.getParameterNames();
while(reqParamNames.hasMoreElements()) {
String paramName = reqParamNames.nextElement();
if (MiscUtil.isNotEmpty(paramName) &&
- MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName))
+ ( MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName)
+ || reqParameterWhiteListeForModules.contains(paramName) ))
executionContext.put(paramName,
- StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName)));
-
+ StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName)));
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java
index eff839e4e..c13c5e288 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java
@@ -23,7 +23,6 @@
package at.gv.egovernment.moa.id.protocols.builder.attributes;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
@@ -51,6 +50,9 @@ public class BPKAttributeBuilder implements IPVPAttributeBuilder {
else if (type.startsWith(Constants.URN_PREFIX_CDID))
type = type.substring((Constants.URN_PREFIX_CDID + "+").length());
+ else if (type.startsWith(Constants.URN_PREFIX_EIDAS))
+ type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length());
+
if (bpk.length() > BPK_MAX_LENGTH) {
bpk = bpk.substring(0, BPK_MAX_LENGTH);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
index a6a5f1dd4..b4846db12 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
@@ -38,7 +38,7 @@ public class EIDSourcePIN implements IPVPAttributeBuilder {
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
- if (authData.isBusinessService())
+ if (authData.isBaseIDTransferRestrication())
throw new AttributePolicyException(EID_SOURCE_PIN_NAME);
else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
index 1d836802a..ccaecb3b6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
@@ -23,7 +23,6 @@
package at.gv.egovernment.moa.id.protocols.builder.attributes;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
@@ -37,7 +36,7 @@ public class EIDSourcePINType implements IPVPAttributeBuilder {
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
- if (authData.isBusinessService())
+ if (authData.isBaseIDTransferRestrication())
throw new UnavailableAttributeException(EID_SOURCE_PIN_TYPE_NAME);
else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java
index 97043a3a0..f85fd7cae 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java
@@ -60,7 +60,7 @@ public class MandateLegalPersonFullNameAttributeBuilder implements IPVPAttribute
}
CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
if (corporation == null) {
- Logger.error("No corporation mandate");
+ Logger.info("No corporation mandate");
throw new NoMandateDataAttributeException();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java
index 46472c983..7e0815ab2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java
@@ -42,41 +42,12 @@ public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttribu
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
- if(authData.isUseMandate()) {
-
- //get PVP attribute directly, if exists
- String sourcePin = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class);
-
- if (MiscUtil.isEmpty(sourcePin)) {
- Element mandate = authData.getMandate();
- if(mandate == null) {
- throw new NoMandateDataAttributeException();
-
- }
- Mandate mandateObject = MandateBuilder.buildMandate(mandate);
- if(mandateObject == null) {
- throw new NoMandateDataAttributeException();
-
- }
- CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
- if(corporation == null) {
- Logger.error("No corporation mandate");
- throw new NoMandateDataAttributeException();
-
- }
- if(corporation.getIdentification().size() == 0) {
- Logger.error("Failed to generate IdentificationType");
- throw new NoMandateDataAttributeException();
-
- }
-
- sourcePin = corporation.getIdentification().get(0).getValue().getValue();
-
- }
-
+ if(authData.isUseMandate()) {
return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME,
- MANDATE_LEG_PER_SOURCE_PIN_NAME, sourcePin);
+ MANDATE_LEG_PER_SOURCE_PIN_NAME, getLegalPersonIdentifierFromMandate(authData));
+
}
+
return null;
}
@@ -84,4 +55,39 @@ public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttribu
public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
return g.buildEmptyAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, MANDATE_LEG_PER_SOURCE_PIN_NAME);
}
+
+
+ protected String getLegalPersonIdentifierFromMandate(IAuthData authData) throws NoMandateDataAttributeException {
+ //get PVP attribute directly, if exists
+ String sourcePin = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class);
+
+ if (MiscUtil.isEmpty(sourcePin)) {
+ Element mandate = authData.getMandate();
+ if(mandate == null) {
+ throw new NoMandateDataAttributeException();
+
+ }
+ Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+ if(mandateObject == null) {
+ throw new NoMandateDataAttributeException();
+
+ }
+ CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
+ if(corporation == null) {
+ Logger.info("No corporation mandate");
+ throw new NoMandateDataAttributeException();
+
+ }
+ if(corporation.getIdentification().size() == 0) {
+ Logger.info("Failed to generate IdentificationType");
+ throw new NoMandateDataAttributeException();
+
+ }
+
+ sourcePin = corporation.getIdentification().get(0).getValue().getValue();
+
+ }
+
+ return sourcePin;
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java
index 41c35dad3..8b22acc01 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java
@@ -59,12 +59,12 @@ public class MandateLegalPersonSourcePinTypeAttributeBuilder implements IPVPAttr
}
CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
if (corporation == null) {
- Logger.error("No corporate mandate");
+ Logger.info("No corporate mandate");
throw new NoMandateDataAttributeException();
}
if (corporation.getIdentification().size() == 0) {
- Logger.error("Failed to generate IdentificationType");
+ Logger.info("Failed to generate IdentificationType");
throw new NoMandateDataAttributeException();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
index df8f86f7e..6ac517e19 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
@@ -30,9 +30,12 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPers
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
import at.gv.egovernment.moa.id.util.MandateBuilder;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
@@ -45,12 +48,60 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
}
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
- IAttributeGenerator<ATT> g) throws AttributeException {
- if (authData.isUseMandate()) {
+ IAttributeGenerator<ATT> g) throws AttributeException {
+ try {
+ Pair<String, String> calcResult = internalBPKGenerator(oaParam, authData);
+ if (calcResult != null) {
+ String bpk = calcResult.getFirst();
+ String type = calcResult.getSecond();
+
+ if (MiscUtil.isEmpty(bpk))
+ throw new UnavailableAttributeException(BPK_NAME);
+
+ if (type.startsWith(Constants.URN_PREFIX_WBPK))
+ type = type.substring((Constants.URN_PREFIX_WBPK + "+").length());
+
+ else if (type.startsWith(Constants.URN_PREFIX_CDID))
+ type = type.substring((Constants.URN_PREFIX_CDID + "+").length());
+
+ else if (type.startsWith(Constants.URN_PREFIX_EIDAS))
+ type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length());
+
+ if (bpk.length() > BPK_MAX_LENGTH) {
+ bpk = bpk.substring(0, BPK_MAX_LENGTH);
+ }
+
+ Logger.trace("Authenticate user with bPK/wbPK " + bpk + " and Type=" + type);
+
+ if (type != null)
+ return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, type + ":" + bpk);
+ else
+ return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bpk);
- //get PVP attribute directly, if exists
- String bpk = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class);
+ }
+ }
+ catch (BuildException | ConfigurationException e) {
+ Logger.error("Failed to generate IdentificationType");
+ throw new NoMandateDataAttributeException();
+
+ }
+
+ return null;
+
+ }
+
+ public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+ return g.buildEmptyAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME);
+ }
+
+ protected Pair<String, String> internalBPKGenerator(IOAAuthParameters oaParam, IAuthData authData) throws NoMandateDataAttributeException, BuildException, ConfigurationException {
+ //get PVP attribute directly, if exists
+ Pair<String, String> calcResult = null;
+
+ if (authData.isUseMandate()) {
+ String bpk = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class);
+
if (MiscUtil.isEmpty(bpk)) {
//read bPK from mandate if it is not directly included
Element mandate = authData.getMandate();
@@ -63,45 +114,31 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
}
PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
if (physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
+ Logger.debug("No physicalPerson mandate");
throw new NoMandateDataAttributeException();
}
IdentificationType id = null;
id = physicalPerson.getIdentification().get(0);
if (id == null) {
- Logger.error("Failed to generate IdentificationType");
+ Logger.info("Failed to generate IdentificationType");
throw new NoMandateDataAttributeException();
}
+
+
+ if (id.getType().equals(Constants.URN_PREFIX_BASEID))
+ calcResult = new BPKBuilder().generateAreaSpecificPersonIdentifier(id.getValue().getValue(),
+ oaParam.getAreaSpecificTargetIdentifier());
+ else
+ calcResult = Pair.newInstance(id.getValue().getValue(), id.getType());
+
+
+ } else {
+ Logger.info("Find '" + MANDATE_NAT_PER_BPK_NAME + "' in AuthData. Use it what is is.");
+ calcResult = Pair.newInstance(bpk, null);
- try {
- if (id.getType().equals(Constants.URN_PREFIX_BASEID)) {
- if (oaParam.getBusinessService()) {
- bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier());
-
- } else {
- bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget());
-
- }
-
- } else
- bpk = id.getValue().getValue();
-
- }
- catch (BuildException e) {
- Logger.error("Failed to generate IdentificationType");
- throw new NoMandateDataAttributeException();
-
- }
}
-
- return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bpk);
}
- return null;
+ return calcResult;
}
-
- public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
- return g.buildEmptyAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME);
- }
-
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java
index a64880889..ebba376f8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java
@@ -48,6 +48,21 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
+
+ String attrValue = internalAttributGeneration(oaParam, authData);
+ if (attrValue != null)
+ return g.buildStringAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME, attrValue);
+ else
+ return null;
+
+ }
+
+ public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+ return g.buildEmptyAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME);
+ }
+
+
+ protected String internalAttributGeneration(IOAAuthParameters oaParam, IAuthData authData) throws InvalidDateFormatAttributeException, NoMandateDataAttributeException {
if (authData.isUseMandate()) {
//get PVP attribute directly, if exists
@@ -65,7 +80,7 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib
}
PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
if (physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
+ Logger.info("No physicalPerson mandate");
throw new NoMandateDataAttributeException();
}
@@ -98,14 +113,12 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib
}
- return g.buildStringAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME, birthDayString);
+ return birthDayString;
+
}
- return null;
+ return null;
}
- public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
- return g.buildEmptyAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME);
- }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java
index 085579108..07e5c9d09 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java
@@ -62,7 +62,7 @@ public class MandateNaturalPersonFamilyNameAttributeBuilder implements IPVPAttr
}
PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
if(physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
+ Logger.debug("No physicalPerson mandate");
throw new NoMandateDataAttributeException();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java
index 4cd2ca670..51a3d2e74 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java
@@ -59,7 +59,7 @@ public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttrib
}
PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
if (physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
+ Logger.debug("No physicalPerson mandate");
throw new NoMandateDataAttributeException();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
index 69a731e53..8be85415e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
@@ -27,10 +27,7 @@ import org.w3c.dom.Element;
import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
-import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException;
@@ -58,18 +55,18 @@ public class MandateNaturalPersonSourcePinAttributeBuilder implements IPVPAttri
PhysicalPersonType physicalPerson = mandateObject.getMandator()
.getPhysicalPerson();
if (physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
+ Logger.debug("No physicalPerson mandate");
throw new NoMandateDataAttributeException();
}
IdentificationType id = null;
id = physicalPerson.getIdentification().get(0);
- if(oaParam.getBusinessService()) {
+ if(authData.isBaseIDTransferRestrication()) {
throw new AttributePolicyException(this.getName());
}
if(id == null) {
- Logger.error("Failed to generate IdentificationType");
+ Logger.info("Failed to generate IdentificationType");
throw new NoMandateDataAttributeException();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
index 41a821c98..d89ae0225 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java
@@ -28,7 +28,6 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
@@ -55,13 +54,13 @@ public class MandateNaturalPersonSourcePinTypeAttributeBuilder implements IPVPAt
PhysicalPersonType physicalPerson = mandateObject.getMandator()
.getPhysicalPerson();
if (physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
+ Logger.debug("No physicalPerson mandate");
throw new NoMandateDataAttributeException();
}
IdentificationType id = null;
id = physicalPerson.getIdentification().get(0);
if(id == null) {
- Logger.error("Failed to generate IdentificationType");
+ Logger.info("Failed to generate IdentificationType");
throw new NoMandateDataAttributeException();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index 643e30ac9..72691a034 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -227,9 +227,9 @@ public class AttributQueryAction implements IAction {
}
//check next IDP service area policy. BusinessService IDPs can only request wbPKs
- if (!spConfig.getBusinessService() && !idp.isIDPPublicService()) {
+ if (!spConfig.hasBaseIdTransferRestriction() && !idp.isIDPPublicService()) {
Logger.error("Interfederated IDP " + idp.getPublicURLPrefix()
- + " has a BusinessService-IDP but requests PublicService attributes.");
+ + " is a BusinessService-IDP but requests PublicService attributes.");
throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()});
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
index 73d6e978e..95e3c5bc2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
@@ -22,13 +22,19 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.signature.SignatureConstants;
+import at.gv.egovernment.moa.id.data.Trible;
+
public interface PVPConstants {
public static final String SSLSOCKETFACTORYNAME = "MOAMetaDataProvider";
-
+
public static final String DEFAULT_SIGNING_METHODE = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
public static final String DEFAULT_DIGESTMETHODE = SignatureConstants.ALGO_ID_DIGEST_SHA256;
public static final String DEFAULT_SYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256;
@@ -54,8 +60,12 @@ public interface PVPConstants {
public static final String PVP_VERSION_NAME = URN_OID_PREFIX + PVP_VERSION_OID;
public static final String PVP_VERSION_FRIENDLY_NAME = "PVP-VERSION";
public static final String PVP_VERSION_2_1 = "2.1";
+
+ public static final String SECCLASS_OID = "1.2.40.0.10.2.1.1.261.110";
public static final String SECCLASS_FRIENDLY_NAME = "SECCLASS";
+ public static final String SECCLASS_NAME = URN_OID_PREFIX + SECCLASS_OID;
+ public static final int SECCLASS_MAX_LENGTH = 128;
public static final String PRINCIPAL_NAME_OID = "1.2.40.0.10.2.1.1.261.20";
public static final String PRINCIPAL_NAME_NAME = URN_OID_PREFIX + PRINCIPAL_NAME_OID;
@@ -136,9 +146,13 @@ public interface PVPConstants {
public static final String ROLES_FRIENDLY_NAME = "ROLES";
public static final int ROLES_MAX_LENGTH = 32767;
- public static final String EID_CITIZEN_QAA_LEVEL_OID = "1.2.40.0.10.2.1.1.261.94";
- public static final String EID_CITIZEN_QAA_LEVEL_NAME = URN_OID_PREFIX + EID_CITIZEN_QAA_LEVEL_OID;
- public static final String EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME = "EID-CITIZEN-QAA-LEVEL";
+ @Deprecated public static final String EID_CITIZEN_QAA_LEVEL_OID = "1.2.40.0.10.2.1.1.261.94";
+ @Deprecated public static final String EID_CITIZEN_QAA_LEVEL_NAME = URN_OID_PREFIX + EID_CITIZEN_QAA_LEVEL_OID;
+ @Deprecated public static final String EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME = "EID-CITIZEN-QAA-LEVEL";
+
+ public static final String EID_CITIZEN_EIDAS_QAA_LEVEL_OID = "1.2.40.0.10.2.1.1.261.108";
+ public static final String EID_CITIZEN_EIDAS_QAA_LEVEL_NAME = URN_OID_PREFIX + EID_CITIZEN_EIDAS_QAA_LEVEL_OID;
+ public static final String EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME = "EID-CITIZEN-QAA-EIDAS-LEVEL";
public static final String EID_ISSUING_NATION_OID = "1.2.40.0.10.2.1.1.261.32";
public static final String EID_ISSUING_NATION_NAME = URN_OID_PREFIX + EID_ISSUING_NATION_OID;
@@ -283,4 +297,81 @@ public interface PVPConstants {
public static final String PVP_HOLDEROFKEY_OID = "1.2.40.0.10.2.1.1.261.xx.xx";
public static final String PVP_HOLDEROFKEY_NAME = URN_OID_PREFIX + PVP_HOLDEROFKEY_OID;
public static final String PVP_HOLDEROFKEY_FRIENDLY_NAME = "HOLDER-OF-KEY-CERTIFICATE";
+
+
+
+ public static final String ENTITY_CATEGORY_ATTRIBITE = "http://macedir.org/entity-category";
+ public static final String EGOVTOKEN = "http://www.ref.gv.at/ns/names/agiz/pvp/egovtoken";
+ public static final String CITIZENTOKEN = "http://www.ref.gv.at/ns/names/agiz/pvp/citizentoken";
+
+ /**
+ *
+ * Get required PVP attributes for egovtoken
+ * First : PVP attribute name (OID)
+ * Second: FriendlyName
+ * Third: Required
+ *
+ */
+ public static final List<Trible<String, String, Boolean>> EGOVTOKEN_PVP_ATTRIBUTES =
+ Collections.unmodifiableList(new ArrayList<Trible<String, String, Boolean>>() {
+ private static final long serialVersionUID = 1L;
+ {
+ //currently supported attributes
+ add(Trible.newInstance(PVP_VERSION_NAME, PVP_VERSION_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PRINCIPAL_NAME_NAME, PRINCIPAL_NAME_FRIENDLY_NAME, true));
+
+ //currently not supported attributes
+ add(Trible.newInstance(USERID_NAME, USERID_FRIENDLY_NAME, false));
+ add(Trible.newInstance(GID_NAME, GID_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PARTICIPANT_ID_NAME, PARTICIPANT_ID_FRIENDLY_NAME, false));
+ add(Trible.newInstance(OU_GV_OU_ID_NAME, OU_GV_OU_ID_FRIENDLY_NAME, false));
+ add(Trible.newInstance(OU_NAME, OU_FRIENDLY_NAME, false));
+ add(Trible.newInstance(SECCLASS_NAME, SECCLASS_FRIENDLY_NAME, false));
+
+
+ }
+ });
+
+ /**
+ *
+ * Get required PVP attributes for citizenToken
+ * First : PVP attribute name (OID)
+ * Second: FriendlyName
+ * Third: Required
+ *
+ */
+ public static final List<Trible<String, String, Boolean>> CITIZENTOKEN_PVP_ATTRIBUTES =
+ Collections.unmodifiableList(new ArrayList<Trible<String, String, Boolean>>() {
+ private static final long serialVersionUID = 1L;
+ {
+ //required attributes - eIDAS minimal-data set
+ add(Trible.newInstance(PVP_VERSION_NAME, PVP_VERSION_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PRINCIPAL_NAME_NAME, PRINCIPAL_NAME_FRIENDLY_NAME, true));
+ add(Trible.newInstance(GIVEN_NAME_NAME, GIVEN_NAME_FRIENDLY_NAME, true));
+ add(Trible.newInstance(BIRTHDATE_NAME, BIRTHDATE_FRIENDLY_NAME, true));
+ add(Trible.newInstance(BPK_NAME, BPK_FRIENDLY_NAME, true));
+
+
+ //not required attributes
+ add(Trible.newInstance(EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, false));
+ add(Trible.newInstance(EID_ISSUING_NATION_NAME, EID_ISSUING_NATION_FRIENDLY_NAME, false));
+ add(Trible.newInstance(EID_SECTOR_FOR_IDENTIFIER_NAME, EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, false));
+ add(Trible.newInstance(MANDATE_TYPE_NAME, MANDATE_TYPE_FRIENDLY_NAME, false));
+ add(Trible.newInstance(MANDATE_TYPE_OID_NAME, MANDATE_TYPE_OID_FRIENDLY_NAME, false));
+ add(Trible.newInstance(MANDATE_LEG_PER_SOURCE_PIN_NAME, MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, false));
+ add(Trible.newInstance(MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, false));
+ add(Trible.newInstance(MANDATE_NAT_PER_BPK_NAME, MANDATE_NAT_PER_BPK_FRIENDLY_NAME, false));
+ add(Trible.newInstance(MANDATE_NAT_PER_GIVEN_NAME_NAME, MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, false));
+ add(Trible.newInstance(MANDATE_NAT_PER_FAMILY_NAME_NAME, MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME, false));
+ add(Trible.newInstance(MANDATE_NAT_PER_BIRTHDATE_NAME, MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, false));
+ add(Trible.newInstance(MANDATE_LEG_PER_FULL_NAME_NAME, MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME, false));
+ add(Trible.newInstance(MANDATE_PROF_REP_OID_NAME, MANDATE_PROF_REP_OID_FRIENDLY_NAME, false));
+ add(Trible.newInstance(MANDATE_PROF_REP_DESC_NAME, MANDATE_PROF_REP_DESC_FRIENDLY_NAME, false));
+ add(Trible.newInstance(MANDATE_REFERENCE_VALUE_NAME, MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, false));
+
+
+
+ }
+ });
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 4f44a6202..95c4f1726 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -31,7 +31,6 @@ import org.opensaml.common.binding.decoding.URIComparator;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
-import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.StatusResponseType;
@@ -60,6 +59,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.IMOARefreshableMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOASAML2AuthRequestSignedRole;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -159,10 +159,10 @@ public class RedirectBinding implements IDecoder, IEncoder {
SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
- SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
+ MOASAML2AuthRequestSignedRole signedRole = new MOASAML2AuthRequestSignedRole();
BasicSecurityPolicy policy = new BasicSecurityPolicy();
- policy.getPolicyRules().add(signatureRule);
- policy.getPolicyRules().add(signedRole);
+ policy.getPolicyRules().add(signedRole);
+ policy.getPolicyRules().add(signatureRule);
SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
policy);
messageContext.setSecurityPolicyResolver(resolver);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
index 2df72637d..4aa4f7419 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
@@ -59,7 +59,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableEx
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.Constants;
/**
* @author tlenz
@@ -70,7 +69,7 @@ public class AttributQueryBuilder {
@Autowired IDPCredentialProvider credentialProvider;
- public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) {
+ public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) throws ConfigurationException {
Logger.debug("Build OA specific Attributes for AttributQuery request");
@@ -87,17 +86,13 @@ public class AttributQueryBuilder {
} else {
//add OA specific information
if (rA.equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
- if (oa.getBusinessService())
- attr = generator.buildStringAttribute(attr.getFriendlyName(),
- attr.getName(), oa.getIdentityLinkDomainIdentifier());
- else
- attr = generator.buildStringAttribute(attr.getFriendlyName(),
- attr.getName(), Constants.URN_PREFIX_CDID + "+" + oa.getTarget());
+ attr = generator.buildStringAttribute(attr.getFriendlyName(),
+ attr.getName(), oa.getAreaSpecificTargetIdentifier());
+
}
//TODO: add attribute values for SSO with mandates (ProfileList)
-
-
+
attrList.add(attr);
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 55d8fa1ff..45539da3f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -60,11 +60,11 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBod
import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.data.SLOInformationImpl;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
@@ -338,20 +338,8 @@ public class PVP2AssertionBuilder implements PVPConstants {
}
//set bPK-Type from configuration, because it MUST be equal to service-provider type
- if (oaParam.getBusinessService()) {
- if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
- bpktype = oaParam.getIdentityLinkDomainIdentifier();
- else
- bpktype = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier();
-
- } else {
- if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+"))
- bpktype = oaParam.getTarget();
- else
- bpktype = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget();
-
- }
-
+ bpktype = oaParam.getAreaSpecificTargetIdentifier();
+
} else {
//sourcePin is include --> check sourcePinType
if (MiscUtil.isEmpty(bpktype))
@@ -365,21 +353,10 @@ public class PVP2AssertionBuilder implements PVPConstants {
}
- if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {
- if (oaParam.getBusinessService()) {
- subjectNameID.setValue(new BPKBuilder().buildWBPK(bpk, oaParam.getIdentityLinkDomainIdentifier()));
- if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
- subjectNameID.setNameQualifier(oaParam.getIdentityLinkDomainIdentifier());
- else
- subjectNameID.setNameQualifier(Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier());
-
- } else {
- subjectNameID.setValue(new BPKBuilder().buildBPK(bpk, oaParam.getTarget()));
- if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+"))
- subjectNameID.setNameQualifier(oaParam.getTarget());
- else
- subjectNameID.setNameQualifier(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
- }
+ if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {
+ Pair<String, String> calcbPK = new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, oaParam.getAreaSpecificTargetIdentifier());
+ subjectNameID.setValue(calcbPK.getFirst());
+ subjectNameID.setNameQualifier(calcbPK.getSecond());
} else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 5380d7f53..585aac805 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -55,6 +55,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPEntityCategoryFilter;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter;
import at.gv.egovernment.moa.logging.Logger;
@@ -217,6 +218,9 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
Logger.warn("Refresh PVP2X metadata for onlineApplication: "
+ entityID + " FAILED.", e);
+ } catch (ConfigurationException e) {
+ Logger.warn("Refresh PVP2X metadata for onlineApplication: "
+ + entityID + " FAILED.", e);
}
return false;
@@ -484,13 +488,14 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
}
- private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException {
+ private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException {
PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate);
filterChain.getFilters().add(new SchemaValidationFilter());
+ filterChain.getFilters().add(new PVPEntityCategoryFilter());
if (oaParam.isInderfederationIDP()) {
Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies");
- filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.getBusinessService()));
+ filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.hasBaseIdTransferRestriction()));
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java
new file mode 100644
index 000000000..efcf21b50
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.validation;
+
+import org.opensaml.common.binding.SAMLMessageContext;
+import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
+import org.opensaml.ws.transport.http.HTTPInTransport;
+import org.opensaml.xml.util.DatatypeHelper;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOASAML2AuthRequestSignedRole extends SAML2AuthnRequestsSignedRule {
+
+ @Override
+ protected boolean isMessageSigned(SAMLMessageContext messageContext) {
+ // This handles HTTP-Redirect and HTTP-POST-SimpleSign bindings.
+ HTTPInTransport inTransport = (HTTPInTransport) messageContext.getInboundMessageTransport();
+ String sigParam = inTransport.getParameterValue("Signature");
+ boolean isSigned = !DatatypeHelper.isEmpty(sigParam);
+
+ String sigAlgParam = inTransport.getParameterValue("SigAlg");
+ boolean isSigAlgExists = !DatatypeHelper.isEmpty(sigAlgParam);
+
+ return isSigned && isSigAlgExists;
+
+ }
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java
new file mode 100644
index 000000000..95d30db49
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java
@@ -0,0 +1,207 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.common.Extensions;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.metadata.AttributeConsumingService;
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.LocalizedString;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.ServiceName;
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.samlext.saml2mdattr.EntityAttributes;
+import org.opensaml.xml.XMLObject;
+
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.data.Trible;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moaspss.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class PVPEntityCategoryFilter implements MetadataFilter {
+
+
+
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject)
+ */
+ @Override
+ public void doFilter(XMLObject metadata) throws FilterException {
+ String entityId = null;
+ try {
+ if (metadata instanceof EntitiesDescriptor) {
+ Logger.trace("Find EnitiesDescriptor ... ");
+ EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata;
+ if (entitiesDesc.getEntityDescriptors() != null) {
+ for (EntityDescriptor el : entitiesDesc.getEntityDescriptors())
+ resolveEntityCategoriesToAttributes(el);
+
+ }
+
+ } else if (metadata instanceof EntityDescriptor) {
+ Logger.trace("Find EntityDescriptor");
+ resolveEntityCategoriesToAttributes((EntityDescriptor)metadata);
+
+
+ } else
+ throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null);
+
+
+
+ } catch (Exception e) {
+ Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e);
+
+ }
+ }
+
+ private void resolveEntityCategoriesToAttributes(EntityDescriptor metadata) {
+ Logger.debug("Resolving EntityCategorie for Entity: " + metadata.getEntityID() + " ...");
+ Extensions extensions = metadata.getExtensions();
+ if (extensions != null) {
+ List<XMLObject> listOfExt = extensions.getUnknownXMLObjects();
+ if (listOfExt != null && !listOfExt.isEmpty()) {
+ for (XMLObject el : listOfExt) {
+ Logger.trace("Find ExtensionElement: " + el.getElementQName().toString());
+ if (el instanceof EntityAttributes) {
+ EntityAttributes entityAttrElem = (EntityAttributes)el;
+ if (entityAttrElem.getAttributes() != null) {
+ Logger.trace("Find EntityAttributes. Start attribute processing ...");
+ for (Attribute entityAttr : entityAttrElem.getAttributes()) {
+ if (entityAttr.getName().equals(PVPConstants.ENTITY_CATEGORY_ATTRIBITE)) {
+ if (!entityAttr.getAttributeValues().isEmpty()) {
+ String entityAttrValue = entityAttr.getAttributeValues().get(0).getDOM().getTextContent();
+ if (PVPConstants.EGOVTOKEN.equals(entityAttrValue)) {
+ Logger.debug("Find 'EGOVTOKEN' EntityAttribute. Adding single pvp attributes ... ");
+ addAttributesToEntityDescriptor(metadata,
+ buildAttributeList(PVPConstants.EGOVTOKEN_PVP_ATTRIBUTES),
+ entityAttrValue);
+
+
+ } else if (PVPConstants.CITIZENTOKEN.equals(entityAttrValue)) {
+ Logger.debug("Find 'CITIZENTOKEN' EntityAttribute. Adding single pvp attributes ... ");
+ addAttributesToEntityDescriptor(metadata,
+ buildAttributeList(PVPConstants.CITIZENTOKEN_PVP_ATTRIBUTES),
+ entityAttrValue);
+
+ } else
+ Logger.info("EntityAttributeValue: " + entityAttrValue + " is UNKNOWN!");
+
+ } else
+ Logger.info("EntityAttribute: No attribute value");
+
+ } else
+ Logger.info("EntityAttribute: " + entityAttr.getName() + " is NOT supported");
+
+ }
+
+ } else
+ Logger.info("Can NOT resolve EntityAttributes! Reason: Only EntityAttributes are supported!");
+
+ }
+ }
+ }
+ }
+
+ }
+
+ /**
+ * @param metadata
+ * @param attrList
+ */
+ private void addAttributesToEntityDescriptor(EntityDescriptor metadata, List<RequestedAttribute> attrList, String entityAttr) {
+ SPSSODescriptor spSSODesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+ if (spSSODesc != null) {
+ if (spSSODesc.getAttributeConsumingServices() == null ||
+ spSSODesc.getAttributeConsumingServices().isEmpty()) {
+ Logger.trace("No 'AttributeConsumingServices' found. Added it ...");
+
+ AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class);
+ attributeService.setIndex(0);
+ attributeService.setIsDefault(true);
+ ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class);
+ serviceName.setName(new LocalizedString("Default Service", "en"));
+ attributeService.getNames().add(serviceName);
+
+ if (attrList != null && !attrList.isEmpty()) {
+ attributeService.getRequestAttributes().addAll(attrList);
+ Logger.info("Add " + attrList.size() + " attributes for 'EntityAttribute': " + entityAttr);
+
+ }
+
+ spSSODesc.getAttributeConsumingServices().add(attributeService);
+
+ } else {
+ Logger.debug("Find 'AttributeConsumingServices'. Starting updating process ... ");
+ for (AttributeConsumingService el : spSSODesc.getAttributeConsumingServices()) {
+ Logger.debug("Update 'AttributeConsumingService' with Index: " + el.getIndex());
+
+ //load currently requested attributes
+ List<String> currentlyReqAttr = new ArrayList<String>();
+ for (RequestedAttribute reqAttr : el.getRequestAttributes())
+ currentlyReqAttr.add(reqAttr.getName());
+
+
+ //check against EntityAttribute List
+ for (RequestedAttribute entityAttrListEl : attrList) {
+ if (!currentlyReqAttr.contains(entityAttrListEl.getName())) {
+ el.getRequestAttributes().add(entityAttrListEl);
+
+ } else
+ Logger.debug("'AttributeConsumingService' already contains attr: " + entityAttrListEl.getName());
+
+ }
+
+ }
+
+ }
+
+ } else
+ Logger.info("Can ONLY add 'EntityAttributes' to 'SPSSODescriptor'");
+
+ }
+
+ private List<RequestedAttribute> buildAttributeList(List<Trible<String, String, Boolean>> attrSet) {
+ List<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>();
+ for (Trible<String, String, Boolean> el : attrSet)
+ requestedAttributes.add(PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird()));
+
+ return requestedAttributes;
+
+
+ }
+
+}