diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java')
15 files changed, 635 insertions, 107 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 8de82a8d6..64eaf30cd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -800,9 +800,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { OAAuthParameter oaParam = authConfigurationProvider.getOnlineApplicationParameter(session.getPublicOAURLPrefix()); VerifyInfoboxParameters verifyInfoboxParameters = oaParam.getVerifyInfoboxParameters(); + session.setExtendedSAMLAttributesAUTH(new Vector()); // Initialize SAML Attributes + session.setExtendedSAMLAttributesOA(new Vector()); + if (verifyInfoboxParameters != null) { - session.setExtendedSAMLAttributesAUTH(new Vector()); // Initialize SAML Attributes - session.setExtendedSAMLAttributesOA(new Vector()); + infoboxParameters = verifyInfoboxParameters.getInfoboxParameters(); // get the list of infobox identifiers List identifiers = verifyInfoboxParameters.getIdentifiers(); @@ -1556,7 +1558,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * already for the given session ID */ private static AuthenticationSession newSession() throws AuthenticationException { - String sessionID = Random.nextRandom(); + String sessionID = Random.nextRandom(); AuthenticationSession newSession = new AuthenticationSession(sessionID); synchronized (sessionStore) { AuthenticationSession session = (AuthenticationSession) sessionStore.get(sessionID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index 0e361ee57..259b21db7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -28,6 +28,8 @@ public interface MOAIDAuthConstants { /** servlet parameter "Target" */ public static final String PARAM_TARGET = "Target"; + /** servlet parameter "useMandate" */ + public static final String PARAM_USEMANDATE = "useMandate"; /** servlet parameter "OA" */ public static final String PARAM_OA = "OA"; /** servlet parameter "bkuURI" */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java index bff0a3fca..109d17d11 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java @@ -53,7 +53,7 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants { /** - * Handles an error. <br> + * Handles an error. <br>> * <ul> * <li>Logs the error</li> * <li>Places error message and exception thrown into the request @@ -89,7 +89,13 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants { //forward this to errorpage-auth.jsp where the HTML error page is generated ServletContext context = getServletContext(); RequestDispatcher dispatcher = context.getRequestDispatcher("/errorpage-auth.jsp"); - try { + try { + + resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); + resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); + resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); + resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); + dispatcher.forward(req, resp); } catch (ServletException e) { Logger.error(e); @@ -111,6 +117,11 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants { ServletContext context = getServletContext(); RequestDispatcher dispatcher = context.getRequestDispatcher("/errorpage-auth.jsp"); try { + resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); + resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); + resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); + resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); + dispatcher.forward(req, resp); } catch (ServletException e) { Logger.error(e); @@ -123,7 +134,6 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants { * Logs all servlet parameters for debugging purposes. */ protected void logParameters(HttpServletRequest req) { - //@TODO Parameter? for (Enumeration params = req.getParameterNames(); params.hasMoreElements(); ) { String parname = (String)params.nextElement(); Logger.debug("Parameter " + parname + req.getParameter(parname)); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ConfigurationServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ConfigurationServlet.java index be8b5e272..a9082dd8e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ConfigurationServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ConfigurationServlet.java @@ -26,6 +26,7 @@ import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; import at.gv.egovernment.moa.id.util.HTTPRequestJSPForwarder; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; @@ -48,6 +49,12 @@ public class ConfigurationServlet extends HttpServlet { public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + + response.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); + response.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); + response.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); + response.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); + MOAIDMessageProvider msg = MOAIDMessageProvider.getInstance(); try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java index 23d4eab20..c83650587 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java @@ -12,11 +12,13 @@ import javax.servlet.http.HttpServletResponse; import javax.xml.transform.TransformerException;
import org.apache.commons.fileupload.FileUploadException;
+import org.apache.commons.lang.StringEscapeUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.MOAIDException;
import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.WrongParametersException;
import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
@@ -61,7 +63,12 @@ public class GetForeignIDServlet extends AuthServlet { throws ServletException, IOException {
Logger.debug("GET GetForeignIDServlet");
-
+
+ resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+ resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+ resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+ resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+
}
@@ -87,6 +94,11 @@ public class GetForeignIDServlet extends AuthServlet { Logger.debug("POST GetForeignIDServlet");
+ resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+ resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+ resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+ resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+
Map parameters;
try
{
@@ -97,16 +109,24 @@ public class GetForeignIDServlet extends AuthServlet { throw new IOException(e.getMessage());
}
String sessionID = req.getParameter(PARAM_SESSIONID);
+
+ // escape parameter strings
+ sessionID = StringEscapeUtils.escapeHtml(sessionID);
+
String redirectURL = null;
AuthenticationSession session = null;
try {
+ String xmlCreateXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
+
// check parameter
if (!ParamValidatorUtils.isValidSessionID(sessionID))
throw new WrongParametersException("GetForeignID", PARAM_SESSIONID, "auth.12");
+ if (!ParamValidatorUtils.isValidXMLDocument(xmlCreateXMLSignatureResponse))
+ throw new WrongParametersException("GetForeignID", PARAM_XMLRESPONSE, "auth.12");
session = AuthenticationServer.getSession(sessionID);
- String xmlCreateXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
+
Logger.debug(xmlCreateXMLSignatureResponse);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java index 317af3e06..54d08c59e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java @@ -24,10 +24,13 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.FileUploadException;
+import org.apache.commons.lang.StringEscapeUtils; import at.gv.egovernment.moa.id.AuthenticationException;
import at.gv.egovernment.moa.id.MOAIDException;
import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.WrongParametersException; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
import at.gv.egovernment.moa.id.auth.builder.GetVerifyAuthBlockFormBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
@@ -36,6 +39,7 @@ import at.gv.egovernment.moa.id.auth.validator.ValidateException; import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.FileUtils;
@@ -66,7 +70,12 @@ public class ProcessValidatorInputServlet extends AuthServlet { protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
- Logger.debug("GET ProcessInput");
+ Logger.debug("GET ProcessInput"); + resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); + resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); + resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); + resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); +
Map parameters;
try {
parameters = getParameters(req);
@@ -78,8 +87,15 @@ public class ProcessValidatorInputServlet extends AuthServlet { if (sessionID==null) sessionID = (String) req.getAttribute(PARAM_SESSIONID);
if (sessionID==null) sessionID = (String) parameters.get(PARAM_SESSIONID);
if (sessionID==null) sessionID = (String) parameters.get(PARAM_SESSIONID+"_");
+ + // escape parameter strings + sessionID = StringEscapeUtils.escapeHtml(sessionID); - try {
+ try { + + if (!ParamValidatorUtils.isValidSessionID(sessionID)) + throw new WrongParametersException("ProcessInput", PARAM_SESSIONID, "auth.12"); +
AuthenticationSession session = AuthenticationServer.getSession(sessionID);
InfoboxValidator infoboxvalidator = session.getFirstPendingValidator();
String outputStream;
@@ -103,7 +119,10 @@ public class ProcessValidatorInputServlet extends AuthServlet { out.flush();
out.close();
Logger.debug("Finished GET ProcessInput");
- }
+ } + catch (WrongParametersException ex) { + handleWrongParameters(ex, req, resp); + }
catch (MOAIDException ex) {
handleError(null, ex, req, resp);
}
@@ -117,7 +136,13 @@ public class ProcessValidatorInputServlet extends AuthServlet { protected void doPost(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
- Logger.debug("POST ProcessInput");
+ Logger.debug("POST ProcessInput"); + + resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); + resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); + resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); + resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); +
Map parameters;
try {
parameters = getParameters(req);
@@ -125,13 +150,20 @@ public class ProcessValidatorInputServlet extends AuthServlet { Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage());
throw new IOException(e.getMessage());
} - //@TODO Parameter
+ String sessionID = req.getParameter(PARAM_SESSIONID);
if (sessionID==null) sessionID = (String) req.getAttribute(PARAM_SESSIONID);
if (sessionID==null) sessionID = (String) parameters.get(PARAM_SESSIONID);
if (sessionID==null) sessionID = (String) parameters.get(PARAM_SESSIONID+"_");
+ + // escape parameter strings + sessionID = StringEscapeUtils.escapeHtml(sessionID); - try {
+ try { + + if (!ParamValidatorUtils.isValidSessionID(sessionID)) + throw new WrongParametersException("ProcessInput", PARAM_SESSIONID, "auth.12"); +
AuthenticationSession session = AuthenticationServer.getSession(sessionID);
AuthenticationServer.processInput(session, parameters);
String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().getCreateXMLSignatureRequestAuthBlockOrRedirect(session, null, null);
@@ -143,16 +175,22 @@ public class ProcessValidatorInputServlet extends AuthServlet { String htmlForm = null;
boolean doInputProcessorSign = false; // If sign process should be within an extra form, provide a parameter. Otherwise transport through security layer is assumed
- //@TODO Parameter + String inputProcessorSignForm = req.getParameter("Sign_Form");
if (inputProcessorSignForm==null) inputProcessorSignForm = (String) req.getAttribute("Sign_Form");
if (inputProcessorSignForm==null) inputProcessorSignForm = (String) parameters.get("Sign_Form");
- if (inputProcessorSignForm==null) inputProcessorSignForm = (String) parameters.get("Sign_Form_");
+ if (inputProcessorSignForm==null) inputProcessorSignForm = (String) parameters.get("Sign_Form_"); + // escape parameter strings + inputProcessorSignForm = StringEscapeUtils.escapeHtml(inputProcessorSignForm);
if (!ParepUtils.isEmpty(inputProcessorSignForm)) doInputProcessorSign = inputProcessorSignForm.equalsIgnoreCase("true");
if (doInputProcessorSign) {
// Test if we have a user input form sign template - //@TODO Parameter
- String inputProcessorSignTemplateURL = req.getParameter(PARAM_INPUT_PROCESSOR_SIGN_TEMPLATE);
+
+ String inputProcessorSignTemplateURL = req.getParameter(PARAM_INPUT_PROCESSOR_SIGN_TEMPLATE); + + if (!ParamValidatorUtils.isValidSignUrl(inputProcessorSignTemplateURL)) + throw new WrongParametersException("ProcessInput", PARAM_INPUT_PROCESSOR_SIGN_TEMPLATE, "auth.12"); +
String inputProcessorSignTemplate = null;
OAAuthParameter oaParam =
AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getOAURLRequested());
@@ -199,7 +237,10 @@ public class ProcessValidatorInputServlet extends AuthServlet { resp.addHeader("Location", redirectURL);
Logger.debug("REDIRECT TO: " + redirectURL);
}
- }
+ } + catch (WrongParametersException ex) { + handleWrongParameters(ex, req, resp); + }
catch (MOAIDException ex) {
handleError(null, ex, req, resp);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java index 09b3ae15f..6e285a2c0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java @@ -24,7 +24,10 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; + import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; import at.gv.egovernment.moa.id.auth.WrongParametersException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; @@ -70,6 +73,12 @@ public class SelectBKUServlet extends AuthServlet { throws ServletException, IOException { Logger.debug("GET SelectBKU"); + + resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); + resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); + resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); + resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); + String authURL = req.getScheme() + "://" + req.getServerName(); if ((req.getScheme().equalsIgnoreCase("https") && req.getServerPort()!=443) || (req.getScheme().equalsIgnoreCase("http") && req.getServerPort()!=80)) { authURL = authURL.concat(":" + req.getServerPort()); @@ -80,6 +89,14 @@ public class SelectBKUServlet extends AuthServlet { String oaURL = req.getParameter(PARAM_OA); String bkuSelectionTemplateURL = req.getParameter(PARAM_BKUTEMPLATE); String templateURL = req.getParameter(PARAM_TEMPLATE); + + // escape parameter strings + target = StringEscapeUtils.escapeHtml(target); + oaURL = StringEscapeUtils.escapeHtml(oaURL); + templateURL = StringEscapeUtils.escapeHtml(templateURL); + bkuSelectionTemplateURL = StringEscapeUtils.escapeHtml(bkuSelectionTemplateURL); + + resp.setHeader(HEADER_EXPIRES,HEADER_VALUE_EXPIRES); resp.setHeader(HEADER_PRAGMA,HEADER_VALUE_PRAGMA); resp.setHeader(HEADER_CACHE_CONTROL,HEADER_VALUE_CACHE_CONTROL); @@ -89,11 +106,13 @@ public class SelectBKUServlet extends AuthServlet { // check parameter if (!ParamValidatorUtils.isValidTarget(target)) - throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); + throw new WrongParametersException("SelectBKU", PARAM_TARGET, "auth.12"); if (!ParamValidatorUtils.isValidOA(oaURL)) - throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); - if (!ParamValidatorUtils.isValidTemplate(templateURL)) - throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); + throw new WrongParametersException("SelectBKU", PARAM_OA, "auth.12"); + if (!ParamValidatorUtils.isValidTemplate(req, templateURL)) + throw new WrongParametersException("SelectBKU", PARAM_TEMPLATE, "auth.12"); + if (!ParamValidatorUtils.isValidTemplate(req, bkuSelectionTemplateURL)) + throw new WrongParametersException("SelectBKU", PARAM_TEMPLATE, "auth.12"); String returnValue = AuthenticationServer.getInstance().selectBKU( diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java index 2430095b2..10b4041df 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java @@ -17,12 +17,16 @@ package at.gv.egovernment.moa.id.auth.servlet; import java.io.IOException; import java.io.PrintWriter; +import java.io.Reader; +import java.io.StringReader; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; + import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; @@ -64,16 +68,27 @@ public class StartAuthenticationServlet extends AuthServlet { authURL = authURL.concat(req.getContextPath() + "/"); String target = req.getParameter(PARAM_TARGET); - String oaURL = req.getParameter(PARAM_OA); + String oaURL = req.getParameter(PARAM_OA); String bkuURL = req.getParameter(PARAM_BKU); String templateURL = req.getParameter(PARAM_TEMPLATE); String sessionID = req.getParameter(PARAM_SESSIONID); + String useMandate = req.getParameter(PARAM_USEMANDATE); + + // escape parameter strings + target = StringEscapeUtils.escapeHtml(target); + oaURL = StringEscapeUtils.escapeHtml(oaURL); + bkuURL = StringEscapeUtils.escapeHtml(bkuURL); + templateURL = StringEscapeUtils.escapeHtml(templateURL); + sessionID = StringEscapeUtils.escapeHtml(sessionID); + useMandate = StringEscapeUtils.escapeHtml(useMandate); + resp.setHeader(HEADER_EXPIRES,HEADER_VALUE_EXPIRES); resp.setHeader(HEADER_PRAGMA,HEADER_VALUE_PRAGMA); resp.setHeader(HEADER_CACHE_CONTROL,HEADER_VALUE_CACHE_CONTROL); resp.addHeader(HEADER_CACHE_CONTROL,HEADER_VALUE_CACHE_CONTROL_IE); + //System.out.println("useMandate: " + useMandate); try { // check parameter @@ -83,10 +98,14 @@ public class StartAuthenticationServlet extends AuthServlet { throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); if (!ParamValidatorUtils.isValidBKUURI(bkuURL)) throw new WrongParametersException("StartAuthentication", PARAM_BKU, "auth.12"); - if (!ParamValidatorUtils.isValidTemplate(templateURL)) + if (!ParamValidatorUtils.isValidTemplate(req, templateURL)) throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); if (!ParamValidatorUtils.isValidSessionID(sessionID)) throw new WrongParametersException("StartAuthentication", PARAM_SESSIONID, "auth.12"); + if (!ParamValidatorUtils.isValidUseMandate(useMandate)) + throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12"); + + String getIdentityLinkForm = @@ -97,6 +116,7 @@ public class StartAuthenticationServlet extends AuthServlet { out.print(getIdentityLinkForm); out.flush(); Logger.debug("Finished GET StartAuthentication"); + } catch (WrongParametersException ex) { handleWrongParameters(ex, req, resp); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java index 8ae951dda..ad01de6c8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java @@ -23,9 +23,11 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.fileupload.FileUploadException; +import org.apache.commons.lang.StringEscapeUtils; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.WrongParametersException; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; @@ -60,6 +62,12 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { throws ServletException, IOException { Logger.debug("GET VerifyAuthenticationBlock"); + + resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); + resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); + resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); + resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); + } /** @@ -87,6 +95,12 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { throws ServletException, IOException { Logger.debug("POST VerifyAuthenticationBlock"); + + resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); + resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); + resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); + resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); + Map parameters; try { @@ -98,11 +112,17 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { } String sessionID = req.getParameter(PARAM_SESSIONID); String createXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE); + + // escape parameter strings + sessionID = StringEscapeUtils.escapeHtml(sessionID); + String redirectURL = null; try { // check parameter if (!ParamValidatorUtils.isValidSessionID(sessionID)) throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12"); + if (!ParamValidatorUtils.isValidXMLDocument(createXMLSignatureResponse)) + throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_XMLRESPONSE, "auth.12"); AuthenticationSession session = AuthenticationServer.getSession(sessionID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java index 1b96ce8a4..76c5476ae 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java @@ -17,12 +17,14 @@ import javax.xml.parsers.ParserConfigurationException; import org.apache.axis.encoding.Base64;
import org.apache.commons.fileupload.FileUploadException;
+import org.apache.commons.lang.StringEscapeUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Text;
import at.gv.egovernment.moa.id.MOAIDException;
import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.WrongParametersException;
import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
@@ -64,7 +66,10 @@ public class VerifyCertificateServlet extends AuthServlet { Logger.debug("GET VerifyCertificateServlet");
-
+ resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+ resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+ resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+ resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
}
/**
@@ -84,6 +89,11 @@ public class VerifyCertificateServlet extends AuthServlet { Logger.debug("POST VerifyCertificateServlet");
+ resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+ resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+ resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+ resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+
Map parameters;
try
{
@@ -94,6 +104,10 @@ public class VerifyCertificateServlet extends AuthServlet { throw new IOException(e.getMessage());
}
String sessionID = req.getParameter(PARAM_SESSIONID);
+
+ // escape parameter strings
+ sessionID = StringEscapeUtils.escapeHtml(sessionID);
+
AuthenticationSession session = null;
try {
// check parameter
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java index ba3e2141b..dff366829 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java @@ -23,10 +23,12 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.fileupload.FileUploadException; +import org.apache.commons.lang.StringEscapeUtils; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.ParseException; import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.WrongParametersException; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilderCertificate; @@ -61,6 +63,11 @@ public class VerifyIdentityLinkServlet extends AuthServlet { throws ServletException, IOException { Logger.debug("GET VerifyIdentityLink"); + + resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); + resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); + resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); + resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); } /** @@ -85,6 +92,7 @@ public class VerifyIdentityLinkServlet extends AuthServlet { throws ServletException, IOException { Logger.debug("POST VerifyIdentityLink"); + Map parameters; try { @@ -95,10 +103,16 @@ public class VerifyIdentityLinkServlet extends AuthServlet { throw new IOException(e.getMessage()); } String sessionID = req.getParameter(PARAM_SESSIONID); - - + // escape parameter strings + sessionID = StringEscapeUtils.escapeHtml(sessionID); + resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); + resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); + resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); + resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); + + try { // check parameter if (!ParamValidatorUtils.isValidSessionID(sessionID)) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java index 7cc33ca52..dbfbda535 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java @@ -162,6 +162,10 @@ public class ConfigurationBuilder { ROOT + CONF + "GenericConfiguration"; /** an XPATH-Expression */ + protected static final String TRUSTED_BKUS = + ROOT + CONF + "TrustedBKUs/" + CONF + "BKUURL"; + + /** an XPATH-Expression */ protected static final String CHAINING_MODES_XPATH = ROOT + CONF + "ChainingModes"; /** an XPATH-Expression */ @@ -372,6 +376,22 @@ public class ConfigurationBuilder { return result; } + public List getTrustedBKUs() { + + List trustedBKUs = new ArrayList(); + + NodeIterator bkuIter = XPathUtils.selectNodeIterator(configElem_, TRUSTED_BKUS); + + Element vtElem; + + while ((vtElem = (Element) bkuIter.nextNode()) != null) { + String bkuURL = DOMUtils.getText(vtElem); + trustedBKUs.add(bkuURL); + } + + return trustedBKUs; + + } /** * Returns a list containing all X509 Subject Names diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index a25bc1af5..6e296b4f4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -164,6 +164,11 @@ public class AuthConfigurationProvider extends ConfigurationProvider { */ private ConnectionParameter foreignIDConnectionParameter; + /** + * Parameter for trusted BKUs + */ + private List trustedBKUs; + /** * Return the single instance of configuration data. * @@ -271,7 +276,8 @@ public class AuthConfigurationProvider extends ConfigurationProvider { defaultChainingMode = builder.getDefaultChainingMode(); chainingModes = builder.buildChainingModes(); trustedCACertificates = builder.getTrustedCACertificates(); - trustedCACertificates = FileUtils.makeAbsoluteURL(trustedCACertificates, rootConfigFileDir); + trustedCACertificates = FileUtils.makeAbsoluteURL(trustedCACertificates, rootConfigFileDir); + trustedBKUs = builder.getTrustedBKUs(); } catch (Throwable t) { throw new ConfigurationException("config.02", null, t); @@ -411,6 +417,15 @@ public class AuthConfigurationProvider extends ConfigurationProvider { public List getIdentityLinkX509SubjectNames() { return identityLinkX509SubjectNames; } + + /** + * Returns the trustBKUs. + * @return List + */ + public List getTrustedBKUs() { + return this.trustedBKUs; + } + /** * Returns the bKUConnectionParameter. diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index 684291c59..79db9907b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java @@ -1,14 +1,25 @@ package at.gv.egovernment.moa.id.util;
-import java.io.BufferedReader;
import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
+import java.io.StringReader;
import java.net.MalformedURLException;
import java.net.URL;
+import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
+
public class ParamValidatorUtils {
@@ -19,52 +30,266 @@ public class ParamValidatorUtils { */
public static boolean isValidTarget(String target) {
+ Logger.debug("Überprüfe Parameter Target");
+
// if non parameter is given return true
- if (target == null)
- return true;
+ if (target == null) {
+ Logger.debug("Parameter Target ist null");
+ return true;
+ }
+
Pattern pattern = Pattern.compile("[a-zA-Z-]{1,5}");
Matcher matcher = pattern.matcher(target);
- return matcher.matches();
+ boolean b = matcher.matches();
+ if (b) {
+ Logger.debug("Parameter Target erfolgreich überprüft");
+ return true;
+ }
+ else {
+ Logger.error("Fehler Überprüfung Parameter Target. Target entspricht nicht den Kriterien (nur Zeichen a-z, A-Z und -, sowie 1-5 Zeichen lang)");
+ return false;
+ }
+
}
/**
- * Checks if the given bkuURI is valid
+ * Checks if the given useMandate is valid
* @param target HTTP parameter from request
* @return
*/
- public static boolean isValidBKUURI(String bkuURI) {
+ public static boolean isValidUseMandate(String usemandate) {
+ Logger.debug("Überprüfe Parameter useMandate");
+
// if non parameter is given return true
- if (bkuURI == null)
- return true;
+ if (usemandate== null) {
+ Logger.debug("Parameter useMandate ist null");
+ return true;
+ }
+
- // check if bkuURI is a valid URL
- try {
- new URL(bkuURI);
- return true;
- } catch (MalformedURLException e) {
- return false;
+ if (usemandate.compareToIgnoreCase("true") == 0 || usemandate.compareToIgnoreCase("false") == 0) {
+ Logger.debug("Parameter useMandate erfolgreich überprüft");
+ return true;
}
+ else {
+ Logger.error("Fehler Überprüfung Parameter useMandate. useMandate ist weder 'true' noch 'false')");
+ return false;
+ }
+
+
+
+
+
}
/**
- * Checks if the given template is valid
+ * Checks if the given bkuURI is valid
* @param target HTTP parameter from request
* @return
*/
- public static boolean isValidTemplate(String template) {
+ public static boolean isValidBKUURI(String bkuURI) {
+ Logger.debug("Überprüfe Parameter bkuURI");
+ // if non parameter is given return true
+ if (bkuURI == null) {
+ Logger.debug("Parameter bkuURI ist null");
+ return true;
+ }
+
+ // check if template is a valid URL
+ try {
+ // check if bku url starts with http or https
+ if (bkuURI.startsWith("http") || bkuURI.startsWith("https")) {
+ URL url =new URL(bkuURI);
+
+ // check if bkuURI is a local BKU
+ if (bkuURI.compareToIgnoreCase("https://localhost:3496/https-security-layer-request") == 0 ||
+ bkuURI.compareToIgnoreCase("http://localhost:3495/http-security-layer-request") == 0) {
+ Logger.debug("Parameter bkuURI erfolgreich überprüft");
+ return true;
+ }
+ else {
+ Logger.debug("Parameter bkuURI ist keine lokale BKU. Überprüfe Liste der vertrauenswürdigen BKUs.");
+ AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
+ List trustedBKUs = authConf.getTrustedBKUs();
+ boolean b = trustedBKUs.contains(bkuURI);
+ if (b) {
+ Logger.debug("Parameter bkuURI erfolgreich überprüft");
+ return true;
+ }
+ else {
+ Logger.error("Fehler Überprüfung Parameter bkuURI. bkuURI ist nicht auf Liste der vertrauenswürdigen BKUs (Konfigurationselement: MOA-IDConfiguration/TrustedBKUs)");
+ return false;
+ }
+ }
+
+
+ }
+ else {
+ Logger.error("Fehler Überprüfung Parameter bkuURI. bkuURI beginnt nicht mit http or https");
+ return false;
+ }
+
+
+ } catch (MalformedURLException e) {
+ Logger.error("Fehler Überprüfung Parameter bkuURI", e);
+ return false;
+ } catch (ConfigurationException e) {
+ Logger.error("Fehler Überprüfung Parameter bkuURI", e);
+ return false;
+ }
+ }
+
+// private static boolean testBKUConnection(URL url) {
+//
+// // make NullOperationRequest
+// //String request = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><sl:NullOperationRequest xmlns:sl=\"http://www.buergerkarte.at/namespaces/securitylayer/1.2#\"/>";
+// String request = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><sl:GetPropertiesRequest xmlns:sl=\"http://www.buergerkarte.at/namespaces/securitylayer/1.2#\"/>";
+//
+// HttpURLConnection connection;
+// if (url != null) {
+// try {
+// if (url.toExternalForm().startsWith("https")) {
+// connection = (HttpsURLConnection)url.openConnection();
+// }
+// else {
+// connection = (HttpURLConnection)url.openConnection();
+// }
+//
+// connection.setRequestMethod("POST");
+// connection.setDoOutput(true);
+//
+// connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
+//
+// String toSend = URLEncoder.encode(request, "UTF-8");
+// toSend = "XMLRequest=" + toSend;
+// connection.setRequestProperty("Content-Length", String.valueOf(toSend.getBytes().length));
+//
+// Logger.debug("Send NullOperationRequest to BKU.");
+//
+// OutputStream out = connection.getOutputStream();
+// out.write(toSend.getBytes());
+//
+// // get response
+// connection.connect();
+// int responseCode = connection.getResponseCode();
+//
+// if (responseCode != 200) {
+// InputStream is = connection.getErrorStream();
+// int ch;
+// String ret = "";
+// while ((ch = is.read()) != -1)
+// ret += (char)ch;
+//
+// is.close();
+//
+// System.out.println("ret: " + ret);
+//
+// Logger.error("Fehler Überprüfung Parameter bkuURI. Antwortcode von BKU ist nicht 200.");
+// return false;
+// }
+//
+// DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+// factory.setNamespaceAware(true);
+// DocumentBuilder builder = factory.newDocumentBuilder();
+//
+// //Document doc = builder.parse(connection.getInputStream());
+//
+// System.out.println(convertStreamToString(connection.getInputStream()));
+//
+//// NodeList l = doc.getElementsByTagNameNS(Constants.SL12_NS_URI, "ErrorResponse");
+//// if (l.getLength() != 0) {
+//// Logger.error("Fehler Überprüfung Parameter bkuURI. ErrorResponse von BKU empfangen.");
+//// return false;
+//// }
+//
+// Logger.debug("Parameter Template bkuURI erfolgreich überprüft");
+// return true;
+//
+//// } catch (SAXException e) {
+//// Logger.error("Fehler Überprüfung Parameter bkuURI.", e);
+//// return false;
+// } catch (IOException e) {
+// Logger.error("Fehler Überprüfung Parameter bkuURI.", e);
+// return false;
+// } catch (ParserConfigurationException e) {
+// Logger.error("Fehler Überprüfung Parameter bkuURI.", e);
+// return false;
+// }
+// }
+// else {
+// Logger.error("Fehler Überprüfung Parameter bkuURI. bkuURI ist null.");
+// return false;
+// }
+//
+//
+// }
+
+// public static String convertStreamToString(InputStream is) {
+// if (is != null) {
+// Writer writer = new StringWriter();
+//
+// char[] buffer = new char[1024];
+// try {
+// Reader reader = new BufferedReader(new InputStreamReader(is, "UTF-8"));
+// int n;
+// while ((n = reader.read(buffer)) != -1) {
+// writer.write(buffer, 0, n);
+// }
+// } catch (IOException e) {
+// e.printStackTrace();
+// }
+//
+// return writer.toString();
+// }
+// else {
+// return "";
+// }
+// }
+
+ /**
+ * Checks if the given template is valid
+ * @param req
+ * @param template
+ * @return
+ */
+ public static boolean isValidTemplate(HttpServletRequest req, String template) {
+ Logger.debug("Überprüfe Parameter Template bzw. bkuSelectionTemplateURL");
+
// if non parameter is given return true
- if (template == null)
- return true;
+ if (template == null) {
+ Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL ist null");
+ return true;
+ }
// check if template is a valid URL
try {
- new URL(template);
- return true;
+
+ // check if template url starts with http or https
+ if (template.startsWith("http") || template.startsWith("https")) {
+
+ // check if template url is from same server
+ if (template.contains(req.getServerName())) {
+ new URL(template);
+ Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL erfolgreich überprüft");
+ return true;
+ }
+ else {
+ Logger.error("Fehler Überprüfung Parameter Template bzw. bkuSelectionTemplateURL. Parameter liegt nicht am gleichen Server wie die MOA-Instanz (" + req.getServerName() + ")");
+ return false;
+ }
+
+ }
+ else {
+ Logger.error("Fehler Überprüfung Parameter Template bzw. bkuSelectionTemplateURL. Paramter beginnt nicht mit http oder https.");
+ return false;
+ }
+
+
} catch (MalformedURLException e) {
- e.printStackTrace();
+ Logger.error("Fehler Überprüfung Parameter Template bzw. bkuSelectionTemplateURL.", e);
return false;
}
}
@@ -75,16 +300,31 @@ public class ParamValidatorUtils { * @return
*/
public static boolean isValidSessionID(String sessionID) {
-
+ Logger.debug("Überprüfe Parameter MOASessionId");
+
// if non parameter is given return true
- if (sessionID == null)
- return true;
+ if (sessionID == null) {
+ Logger.debug("Parameter MOASessionId ist null");
+ return true;
+ }
+
Pattern pattern = Pattern.compile("[0-9-]*");
Matcher matcher = pattern.matcher(sessionID);
- return matcher.matches();
-
+ boolean b = matcher.matches();
+ if (b) {
+ Logger.debug("Parameter MOASessionId erfolgreich überprüft");
+ return true;
+ }
+ else {
+ Logger.error("Fehler Überprüfung Parameter MOASessionId. MOASessionId entspricht nicht den Kriterien (nur Zeichen 0-9 und -)");
+ return false;
+ }
+
+
+
+
}
/**
@@ -93,18 +333,68 @@ public class ParamValidatorUtils { * @return
*/
public static boolean isValidOA(String oa) {
+ Logger.debug("Überprüfe Parameter oa");
+ // if non parameter is given return true
+ if (oa == null) {
+ Logger.debug("Parameter oa ist null");
+ return true;
+ }
+
+ // check if template is a valid URL
+ try {
+
+ // check if template url starts with http or https
+ if (oa.startsWith("http") || oa.startsWith("https")) {
+ new URL(oa);
+ Logger.debug("Parameter oa erfolgreich überprüft");
+ return true;
+ }
+ else {
+ Logger.error("Fehler Überprüfung Parameter oa. oa beginnt nicht mit http or https");
+ return false;
+ }
+
+ } catch (MalformedURLException e) {
+ Logger.error("Fehler Überprüfung Parameter oa", e);
+ return false;
+ }
+
+ }
- // if non parameter is given return true
- if (oa == null)
- return true;
-
- // check if oa is a valid URL
- try {
- new URL(oa);
- return true;
- } catch (MalformedURLException e) {
- return false;
- }
+ /**
+ * Checks if the given signurl is valid
+ * @param target HTTP parameter from request
+ * @return
+ */
+ public static boolean isValidSignUrl(String signurl) {
+
+ Logger.debug("Überprüfe Parameter signurl");
+
+ // if non parameter is given return true
+ if (signurl == null) {
+ Logger.debug("Parameter signurl ist null");
+ return true;
+ }
+
+ // check if template is a valid URL
+ try {
+
+ // check if signurl starts with http or https
+ if (signurl.startsWith("http") || signurl.startsWith("https")) {
+ new URL(signurl);
+ Logger.debug("Parameter signurl erfolgreich überprüft");
+ return true;
+ }
+ else {
+ Logger.error("Fehler Überprüfung Parameter signurl. signurl beginnt nicht mit http or https");
+ return false;
+ }
+
+ } catch (MalformedURLException e) {
+ Logger.error("Fehler Überprüfung Parameter signurl", e);
+ return false;
+ }
+
}
/**
@@ -115,44 +405,69 @@ public class ParamValidatorUtils { * @param data
* @return
*/
- private static boolean checkPlaceHolders(String data) {
-
- boolean bku = data.contains("<BKU>");
- boolean xmlrequest = data.contains("<XMLRequest>");
- boolean dataurl = data.contains("<DataURL>");
- boolean certinfoxmlrequest = data.contains("<CertInfoXMLRequest>");
- boolean certinfodataurl = data.contains("<CertInfoDataURL>");
-
- System.out.println("Check Data: ");
- System.out.println("bku: " + bku);
- System.out.println("xmlrequest: " + xmlrequest);
- System.out.println("dataurl: " + dataurl);
- System.out.println("certinfoxmlrequest: " + certinfoxmlrequest);
- System.out.println("certinfodataurl: " + certinfodataurl);
-
-
- //return bku && xmlrequest && dataurl && certinfoxmlrequest && certinfodataurl;
- return true;
-
- }
+// private static boolean checkPlaceHolders(String data) {
+//
+// boolean bku = data.contains("<BKU>");
+// boolean xmlrequest = data.contains("<XMLRequest>");
+// boolean dataurl = data.contains("<DataURL>");
+// boolean certinfoxmlrequest = data.contains("<CertInfoXMLRequest>");
+// boolean certinfodataurl = data.contains("<CertInfoDataURL>");
+//
+// System.out.println("Check Data: ");
+// System.out.println("bku: " + bku);
+// System.out.println("xmlrequest: " + xmlrequest);
+// System.out.println("dataurl: " + dataurl);
+// System.out.println("certinfoxmlrequest: " + certinfoxmlrequest);
+// System.out.println("certinfodataurl: " + certinfodataurl);
+//
+//
+// //return bku && xmlrequest && dataurl && certinfoxmlrequest && certinfodataurl;
+// return true;
+//
+// }
- /**
- * Converts an input stream to a string
- * @param is
- * @return
- * @throws Exception
- */
- private static String convertStreamToString(InputStream is) throws Exception {
- BufferedReader reader = new BufferedReader(new InputStreamReader(is));
- StringBuilder sb = new StringBuilder();
- String line = null;
- while ((line = reader.readLine()) != null) {
- sb.append(line);
- }
- is.close();
- return sb.toString();
- }
+// /**
+// * Converts an input stream to a string
+// * @param is
+// * @return
+// * @throws Exception
+// */
+// private static String convertStreamToString(InputStream is) throws Exception {
+// BufferedReader reader = new BufferedReader(new InputStreamReader(is));
+// StringBuilder sb = new StringBuilder();
+// String line = null;
+// while ((line = reader.readLine()) != null) {
+// sb.append(line);
+// }
+// is.close();
+// return sb.toString();
+// }
+
+ public static boolean isValidXMLDocument(String document) {
+
+ Logger.debug("Überprüfe Parameter XMLDocument");
+ try {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ InputSource is = new InputSource(new StringReader(document));
+ builder.parse(is);
+
+ Logger.debug("Parameter XMLDocument erfolgreich überprüft");
+ return true;
+
+ } catch (ParserConfigurationException e) {
+ Logger.error("Fehler Überprüfung Parameter XMLDocument", e);
+ return false;
+ } catch (SAXException e) {
+ Logger.error("Fehler Überprüfung Parameter XMLDocument", e);
+ return false;
+ } catch (IOException e) {
+ Logger.error("Fehler Überprüfung Parameter XMLDocument", e);
+ return false;
+ }
+
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java index 225a5e246..450c002f9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java @@ -15,7 +15,8 @@ */ package at.gv.egovernment.moa.id.util; -import java.util.Date; +import java.nio.ByteBuffer; +import java.security.SecureRandom; /** * Random number generator used to generate ID's @@ -25,13 +26,21 @@ import java.util.Date; public class Random { /** random number generator used */ - private static java.util.Random random = new java.util.Random(new Date().getTime()); + private static SecureRandom random = new SecureRandom(); /** * Creates a new random number, to be used as an ID. * * @return random long as a String */ public static String nextRandom() { - return "" + random.nextLong(); + + byte[] b = new byte[16]; // 16 bytes = 128 bits + random.nextBytes(b); + + + ByteBuffer bb = ByteBuffer.wrap(b); + long l = bb.getLong(); + + return "" + l; } } |