Diffstat (limited to 'id/server/idserverlib/src/main')
26 files changed, 1690 insertions, 1125 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 2f882f41e..1207439dd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -126,6 +126,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {  	@Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage;  	@Autowired protected AuthConfiguration authConfig; +	@Autowired private AttributQueryBuilder attributQueryBuilder;  	public IAuthData buildAuthenticationData(IRequest protocolRequest,               AuthenticationSession session, List<Attribute> reqAttributes) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { @@ -306,7 +307,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {  				//build attributQuery request  				AttributeQuery query =  -						AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); +						attributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs);  				//build SOAP request				  				List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query); @@ -325,7 +326,8 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {  						SAMLVerificationEngine engine = new SAMLVerificationEngine();  						engine.verifyIDPResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); -						SAMLVerificationEngine.validateAssertion(intfResp, false); +						//TODO: find better solution +						//SAMLVerificationEngine.validateAssertion(intfResp, false);  					} catch (Exception e) {  						Logger.warn("PVP 2.1 assertion validation FAILED.", e); 
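Review bot: Commenting out `SAMLVerificationEngine.validateAssertion(intfResp, false);` in the last hunk leaves the interfederation IDP response with only the signature check done by `engine.verifyIDPResponse(...)` two lines earlier; whatever validateAssertion enforced beyond the signature (presumably the assertion's conditions and validity window — confirm against SAMLVerificationEngine) is now silently skipped, and the `catch (Exception e)` that follows only logs "PVP 2.1 assertion validation FAILED." at warn level. A bare `//TODO: find better solution` is not an adequate record for disabling a check that gates an identity assertion: the commit should state which validation broke and why, and the path should fail closed until a replacement exists. If the call genuinely has to stay disabled, replace the TODO with `//TODO(security): validateAssertion() disabled because <reason>; conditions/validity of the interfederation assertion are currently NOT verified` and, assuming the warn-only catch lets processing continue (its body runs past the hunk), turn that warning into an abort of the authentication-data build. The enclosing try block and method continue outside the hunk.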
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java index 84a2b69af..307b668b7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java @@ -41,6 +41,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;  import at.gv.egovernment.moa.id.auth.exception.MOAIDException;  import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;  import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.data.ISLOInformationContainer;  import at.gv.egovernment.moa.id.data.SLOInformationContainer;  import at.gv.egovernment.moa.id.moduls.AuthenticationManager;  import at.gv.egovernment.moa.id.moduls.SSOManager; @@ -65,6 +66,7 @@ public class IDPSingleLogOutServlet extends AbstractController {  	@Autowired SSOManager ssoManager;  	@Autowired AuthenticationManager authManager;  	@Autowired IAuthenticationSessionStoreage authenicationStorage; +	@Autowired SingleLogOutBuilder sloBuilder;  	@RequestMapping(value = "/idpSingleLogout", method = {RequestMethod.GET})  	public void doGet(HttpServletRequest req, HttpServletResponse resp) 
@@ -151,16 +153,16 @@ public class IDPSingleLogOutServlet extends AbstractController {  			if (MiscUtil.isNotEmpty(restartProcess)) {  				Logger.info("Restart Single LogOut process after timeout ... ");  					try {						 -						SLOInformationContainer sloContainer = transactionStorage.get(restartProcess, SLOInformationContainer.class); +						ISLOInformationContainer sloContainer = transactionStorage.get(restartProcess, SLOInformationContainer.class);  						if (sloContainer.hasFrontChannelOA())  							sloContainer.putFailedOA("differntent OAs");  						String redirectURL = null;  						if (sloContainer.getSloRequest() != null) {  							//send SLO response to SLO request issuer -							SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(sloContainer.getSloRequest()); -							LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, sloContainer.getSloRequest(), sloContainer.getSloFailedOAs()); -							redirectURL = SingleLogOutBuilder.getFrontChannelSLOMessageURL(sloService, message, req, resp, sloContainer.getSloRequest().getRequest().getRelayState()); +							SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(sloContainer.getSloRequest()); +							LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, sloContainer.getSloRequest(), sloContainer.getSloFailedOAs()); +							redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, req, resp, sloContainer.getSloRequest().getRequest().getRelayState());  						} else {  							//print SLO information directly diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ServletInfo.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ISLOInformationContainer.java index 807f789ce..18ffc5c6d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ServletInfo.java 
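Review bot: `transactionStorage.get(restartProcess, SLOInformationContainer.class)` is dereferenced on the very next line via `sloContainer.hasFrontChannelOA()` with no null check, and switching the variable to the `ISLOInformationContainer` type keeps that gap; an unknown or already-expired `restartProcess` id (its origin is above the hunk, presumably a request parameter) would end in a NullPointerException instead of a controlled error response. A guard such as `if (sloContainer == null) throw new MOAIDException(...)` — or whichever error path this controller uses elsewhere — should precede the first use. In the same lines, the failed-OA marker `putFailedOA("differntent OAs")` is misspelled, and since `getSloFailedOAs()` is handed to `buildSLOResponseMessage` a few lines later this string may surface in the outgoing LogoutResponse. The enclosing method continues outside the hunk.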
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ISLOInformationContainer.java @@ -1,4 +1,4 @@ -/******************************************************************************* +/*   * Copyright 2014 Federal Chancellery Austria   * MOA-ID has been developed in a cooperation between BRZ, the Federal   * Chancellery Austria - ICT staff unit, and Graz University of Technology. 
@@ -19,35 +19,49 @@   * file for details on the various modules and licenses.   * The "NOTICE" text file is part of the distribution. Any derivative works   * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.moduls; - -import javax.servlet.http.HttpServlet; - - -public class ServletInfo { -	Class<? extends HttpServlet> servletClass; -	String servletTarget; -	ServletType type; -	 -	public ServletInfo(Class<? extends HttpServlet> servletClass, -			String servletTarget, ServletType type) { -		super(); -		this.servletClass = servletClass; -		this.servletTarget = servletTarget; -		this.type = type; -	} - -	public HttpServlet getServletInstance()  -			throws InstantiationException, IllegalAccessException { -		return servletClass.newInstance(); -	} -	 -	public String getTarget() { -		return servletTarget; -	} -	 -	public ServletType getType() { -		return type; -	} -} + */ +package at.gv.egovernment.moa.id.data; + +import java.util.Iterator; +import java.util.List; +import java.util.Set; +import java.util.Map.Entry; + +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; + +/** + * @author tlenz + * + */ +public interface ISLOInformationContainer { + +	boolean hasFrontChannelOA(); + +	Set<Entry<String, SLOInformationImpl>> getFrontChannelOASessionDescriptions(); + +	void removeFrontChannelOA(String oaID); + +	Iterator<String> getNextBackChannelOA(); + +	SLOInformationImpl getBackChannelOASessionDescripten(String oaID); + +	void removeBackChannelOA(String oaID); + +	/** +	 * @return the sloRequest +	 */ +	PVPTargetConfiguration getSloRequest(); + +	/** +	 * @param sloRequest the sloRequest to set +	 */ +	void setSloRequest(PVPTargetConfiguration sloRequest); + +	/** +	 * @return the sloFailedOAs +	 */ +	List<String> getSloFailedOAs(); + +	void putFailedOA(String oaID); + +}
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java index a4bba8b19..ba7f33821 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java @@ -24,30 +24,20 @@ package at.gv.egovernment.moa.id.data;  import java.io.Serializable;  import java.util.ArrayList; -import java.util.Collection;  import java.util.Iterator;  import java.util.LinkedHashMap;  import java.util.List;  import java.util.Map.Entry;  import java.util.Set; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.core.NameID; -import org.opensaml.saml2.metadata.SingleLogoutService; - -import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; -import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescriptorException;  /**   * @author tlenz   *   */ -public class SLOInformationContainer implements Serializable { - +public class SLOInformationContainer implements Serializable, ISLOInformationContainer { + 	  	private static final long serialVersionUID = 7148730740582881862L;  	private PVPTargetConfiguration sloRequest = null; 
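Review bot: The new `ISLOInformationContainer` interface carries no Javadoc on any method, although it is now the type `IDPSingleLogOutServlet` (and presumably `SingleLogOutBuilder`) program against, and the pairing of iterator and mutator methods is not self-explanatory. At least `getNextBackChannelOA()` deserves a contract such as `/** Iterator over the IDs of OAs still awaiting a back-channel logout; do not call removeBackChannelOA() while iterating. */`, and `getSloFailedOAs()` should say `/** @return IDs of OAs whose logout failed, or null if none was recorded */`, because the implementation in the following file lazily creates that list only in `putFailedOA`. `getBackChannelOASessionDescripten` is a typo that is now frozen into a public interface; renaming it in this commit is cheap, later it is not. Note that git rendered this file as a rename of the deleted `ServletInfo.java`, which is unrelated content, so the file header is misleading but harmless.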
@@ -55,137 +45,111 @@ public class SLOInformationContainer implements Serializable {  	private LinkedHashMap<String, SLOInformationImpl> activeBackChannelOAs = null;  	private List<String> sloFailedOAs = null; -	 -	public void parseActiveOAs(List<OASessionStore> dbOAs, String removeOAID) { -		if (activeBackChannelOAs == null) -			activeBackChannelOAs = new LinkedHashMap<String, SLOInformationImpl>(); -		if (activeFrontChannalOAs == null) -			activeFrontChannalOAs = new LinkedHashMap<String, SLOInformationImpl>(); -		if (dbOAs != null) { -			for (OASessionStore oa : dbOAs) { -				if (!oa.getOaurlprefix().equals(removeOAID)) { -					 -					//Actually only PVP 2.1 support Single LogOut -					if (PVP2XProtocol.PATH.equals(oa.getProtocolType())) {					 -						SingleLogoutService sloDesc; -						try { -							sloDesc = SingleLogOutBuilder.getRequestSLODescriptor(oa.getOaurlprefix()); -						 -							if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI))										 -								activeBackChannelOAs.put(oa.getOaurlprefix(),  -										new SLOInformationImpl( -											oa.getAuthURL(),	 -											oa.getAssertionSessionID(),  -											oa.getUserNameID(),  -											oa.getUserNameIDFormat(),  -											oa.getProtocolType(), -											sloDesc)); -						 -							else -								activeFrontChannalOAs.put(oa.getOaurlprefix(),  -										new SLOInformationImpl( -											oa.getAuthURL(), -											oa.getAssertionSessionID(),  -											oa.getUserNameID(),  -											oa.getUserNameIDFormat(),  -											oa.getProtocolType(), -											sloDesc)); -							 -						} catch (NOSLOServiceDescriptorException e) { -							putFailedOA(oa.getOaurlprefix()); -													 -						} -					 -					} else -						putFailedOA(oa.getOaurlprefix()); -				} -			}			 -		}		 +	/** +	 * @return the activeFrontChannalOAs +	 */ +	public LinkedHashMap<String, SLOInformationImpl> getActiveFrontChannalOAs() { +		return activeFrontChannalOAs;  	}  	/** -	 * @param dbIDPs -	
 * @param value +	 * @param activeFrontChannalOAs the activeFrontChannalOAs to set  	 */ -	public void parseActiveIDPs(List<InterfederationSessionStore> dbIDPs, -			String removeIDP) {		 -		if (activeBackChannelOAs == null) -			activeBackChannelOAs = new LinkedHashMap<String, SLOInformationImpl>(); -		if (activeFrontChannalOAs == null) -			activeFrontChannalOAs = new LinkedHashMap<String, SLOInformationImpl>(); -		 -		if (dbIDPs != null) { -			for (InterfederationSessionStore el : dbIDPs) {				 -				if (!el.getIdpurlprefix().equals(removeIDP)) { -					 -					SingleLogoutService sloDesc; -					try { -						sloDesc = SingleLogOutBuilder.getRequestSLODescriptor(el.getIdpurlprefix()); -					 -						activeFrontChannalOAs.put(el.getIdpurlprefix(),  -								new SLOInformationImpl( -										el.getAuthURL(), -										el.getSessionIndex(),  -										el.getUserNameID(),  -										NameID.TRANSIENT,  -										PVP2XProtocol.PATH, -										sloDesc)); -						 -					} catch (NOSLOServiceDescriptorException e) { -						putFailedOA(el.getIdpurlprefix()); -												 -					} -				}				 -			}			 -		}		 +	public void setActiveFrontChannalOAs(LinkedHashMap<String, SLOInformationImpl> activeFrontChannalOAs) { +		this.activeFrontChannalOAs = activeFrontChannalOAs;  	} -	 + +	/** +	 * @return the activeBackChannelOAs +	 */ +	public LinkedHashMap<String, SLOInformationImpl> getActiveBackChannelOAs() { +		return activeBackChannelOAs; +	} + +	/** +	 * @param activeBackChannelOAs the activeBackChannelOAs to set +	 */ +	public void setActiveBackChannelOAs(LinkedHashMap<String, SLOInformationImpl> activeBackChannelOAs) { +		this.activeBackChannelOAs = activeBackChannelOAs; +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#hasFrontChannelOA() +	 */ +	@Override  	public boolean hasFrontChannelOA() {  		return !activeFrontChannalOAs.isEmpty();  	} +	/* (non-Javadoc) +	 * @see 
at.gv.egovernment.moa.id.data.ISLOInformationContainer#getFrontChannelOASessionDescriptions() +	 */ +	@Override  	public Set<Entry<String, SLOInformationImpl>> getFrontChannelOASessionDescriptions() {  		return activeFrontChannalOAs.entrySet();  	} +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#removeFrontChannelOA(java.lang.String) +	 */ +	@Override  	public void removeFrontChannelOA(String oaID) {  		activeFrontChannalOAs.remove(oaID);  	} +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#getNextBackChannelOA() +	 */ +	@Override  	public Iterator<String> getNextBackChannelOA() {  		return activeBackChannelOAs.keySet().iterator();	  	} +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#getBackChannelOASessionDescripten(java.lang.String) +	 */ +	@Override  	public SLOInformationImpl getBackChannelOASessionDescripten(String oaID) {  		return activeBackChannelOAs.get(oaID);  	} +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#removeBackChannelOA(java.lang.String) +	 */ +	@Override  	public void removeBackChannelOA(String oaID) {  		activeBackChannelOAs.remove(oaID);  	} -	/** -	 * @return the sloRequest +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#getSloRequest()  	 */ +	@Override  	public PVPTargetConfiguration getSloRequest() {  		return sloRequest;  	} -	/** -	 * @param sloRequest the sloRequest to set +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#setSloRequest(at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration)  	 */ +	@Override  	public void setSloRequest(PVPTargetConfiguration sloRequest) {  		this.sloRequest = sloRequest;  	} -	/** -	 * @return the sloFailedOAs +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#getSloFailedOAs()  	 */ +	@Override  	public List<String> getSloFailedOAs() {  		return 
sloFailedOAs;  	} +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#putFailedOA(java.lang.String) +	 */ +	@Override  	public void putFailedOA(String oaID) {  		if (sloFailedOAs == null)  			sloFailedOAs = new ArrayList<String>(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index f77042bc5..39106dc3b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -98,10 +98,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {  	@Autowired private IAuthenticationSessionStoreage authenticatedSessionStore;  	@Autowired private MOAReversionLogger revisionsLogger;  	@Autowired protected AuthConfiguration authConfig; -	 -	public AuthenticationManager() { -		 -	} +	@Autowired private SingleLogOutBuilder sloBuilder;  	public void performSingleLogOut(HttpServletRequest httpReq,  	HttpServletResponse httpResp, AuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException { @@ -452,9 +449,9 @@ public class AuthenticationManager extends MOAIDAuthConstants {  		List<OASessionStore> dbOAs = authenticatedSessionStore.getAllActiveOAFromMOASession(session);  		List<InterfederationSessionStore> dbIDPs = authenticatedSessionStore.getAllActiveIDPsFromMOASession(session);  		SLOInformationContainer sloContainer = new SLOInformationContainer(); -		sloContainer.setSloRequest(pvpReq); -		sloContainer.parseActiveIDPs(dbIDPs, pvpSLOIssuer); -		sloContainer.parseActiveOAs(dbOAs, pvpSLOIssuer); +		sloContainer.setSloRequest(pvpReq);		 +		sloBuilder.parseActiveIDPs(sloContainer, dbIDPs, pvpSLOIssuer); +		sloBuilder.parseActiveOAs(sloContainer, dbOAs, pvpSLOIssuer);  		//terminate MOASession  		try { 
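Review bot: With `parseActiveOAs`/`parseActiveIDPs` moved out of this class, the only code that initialised `activeFrontChannalOAs` and `activeBackChannelOAs` is gone, yet both fields are still declared `= null` (the back-channel one is the hunk's first context line, the front-channel one sits just above it), so `hasFrontChannelOA()`, `getFrontChannelOASessionDescriptions()` and `getNextBackChannelOA()` now throw NullPointerException on any container the builder did not populate through the new setters — and `AuthenticationManager` constructs the container with `new SLOInformationContainer()` before handing it to the builder. Initialise both maps at declaration, `private LinkedHashMap<String, SLOInformationImpl> activeBackChannelOAs = new LinkedHashMap<String, SLOInformationImpl>();` and the same for the front-channel map, or null-guard those three accessors. `getSloFailedOAs()` likewise still returns null until `putFailedOA` has run once, which callers passing it straight into `buildSLOResponseMessage` may not expect; a comment on the getter or an empty-list default would make that explicit.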
@@ -471,7 +468,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {  		Iterator<String> nextOAInterator = sloContainer.getNextBackChannelOA();	  		while (nextOAInterator.hasNext()) {  			SLOInformationImpl sloDescr = sloContainer.getBackChannelOASessionDescripten(nextOAInterator.next()); -			LogoutRequest sloReq = SingleLogOutBuilder.buildSLORequestMessage(sloDescr); +			LogoutRequest sloReq = sloBuilder.buildSLORequestMessage(sloDescr);  			try {  				List<XMLObject> soapResp = MOASAMLSOAPClient.send(sloDescr.getServiceURL(), sloReq); @@ -494,7 +491,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {  				} -				SingleLogOutBuilder.checkStatusCode(sloContainer, sloResp); +				sloBuilder.checkStatusCode(sloContainer, sloResp);  			} catch (SOAPException e) {  				Logger.warn("Single LogOut for OA " + sloReq.getIssuer().getValue() @@ -517,9 +514,9 @@ public class AuthenticationManager extends MOAIDAuthConstants {  				Collection<Entry<String, SLOInformationImpl>> sloDescr = sloContainer.getFrontChannelOASessionDescriptions();  				List<String> sloReqList = new ArrayList<String>();  				for (Entry<String, SLOInformationImpl> el : sloDescr) { -					LogoutRequest sloReq = SingleLogOutBuilder.buildSLORequestMessage(el.getValue()); +					LogoutRequest sloReq = sloBuilder.buildSLORequestMessage(el.getValue());  					try { -						sloReqList.add(SingleLogOutBuilder.getFrontChannelSLOMessageURL(el.getValue().getServiceURL(), el.getValue().getBinding(),  +						sloReqList.add(sloBuilder.getFrontChannelSLOMessageURL(el.getValue().getServiceURL(), el.getValue().getBinding(),   								sloReq, httpReq, httpResp, relayState));  					} catch (Exception e) { 
@@ -549,9 +546,9 @@ public class AuthenticationManager extends MOAIDAuthConstants {  			} else {  				if (pvpReq != null) {  					//send SLO response to SLO request issuer -					SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); -					LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs()); -					SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState); +					SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq); +					LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs()); +					sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);  				} else {  					//print SLO information directly @@ -572,9 +569,9 @@ public class AuthenticationManager extends MOAIDAuthConstants {  		} catch (MOADatabaseException e) {  			Logger.error("MOA AssertionDatabase ERROR", e);  			if (pvpReq != null) { -				SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); -				LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); -				SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState); +				SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq); +				LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); +				sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);  			}else {  				//print SLO information directly diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulStorage.java deleted file mode 100644 index e65d77326..000000000 
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulStorage.java +++ /dev/null 
@@ -1,94 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. 
- *******************************************************************************/ -package at.gv.egovernment.moa.id.moduls; - -import java.util.ArrayList; -import java.util.Iterator; -import java.util.List; -import java.util.ServiceLoader; - -import at.gv.egovernment.moa.logging.Logger; - -public class ModulStorage { -	 -//	private static final String[] modulClasses = new String[]{ -////		"at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol", -//		"at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol", -//        "at.gv.egovernment.moa.id.protocols.stork2.STORKProtocol", -//		"at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20Protocol" -//	}; -	 -	private static ServiceLoader<IModulInfo> protocolModuleLoader =  -			ServiceLoader.load(IModulInfo.class); -	private static List<IModulInfo> registeredModules = new ArrayList<IModulInfo>(); - -	 -	public static  List<IModulInfo> getAllModules() { -		return registeredModules; -	} -	 -	public static IModulInfo getModuleByPath(String modname) { -		Iterator<IModulInfo> it = registeredModules.iterator(); -		while (it.hasNext()) { -			IModulInfo info = it.next(); -			if (info.getPath().equals(modname)) { -				return info; -			} -		} -		return null; -	} -	 -	static { -		Logger.info("Loading protocol modules:"); -		if (protocolModuleLoader != null ) {		 -			Iterator<IModulInfo> moduleLoaderInterator = protocolModuleLoader.iterator(); -			while (moduleLoaderInterator.hasNext()) { -				try { -					IModulInfo modul = moduleLoaderInterator.next(); -					Logger.info("Loading Modul Information: " + modul.getName()); -					registeredModules.add(modul); -					 -				} catch(Throwable e) { -					Logger.error("Check configuration! 
" + "Some protocol modul" +  -							" is not a valid IModulInfo", e); -				}	 -			} -		} -				 -//		for(int i = 0; i < modulClasses.length; i++) { -//			String modulClassName = modulClasses[i]; -//			try { -//				@SuppressWarnings("unchecked") -//				Class<IModulInfo> moduleClass = (Class<IModulInfo>)Class.forName(modulClassName); -//				IModulInfo module = moduleClass.newInstance(); -//				Logger.info("Loading Modul Information: " + module.getName()); -//				registeredModules.add(module); -//			} catch(Throwable e) { -//				Logger.error("Check configuration! " + modulClassName +  -//						" is not a valid IModulInfo", e); -//			} -//		} -		Logger.info("Loading modules done"); -	} - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulUtils.java deleted file mode 100644 index 13768a343..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulUtils.java +++ /dev/null 
@@ -1,46 +0,0 @@ -///******************************************************************************* -// * Copyright 2014 Federal Chancellery Austria -// * MOA-ID has been developed in a cooperation between BRZ, the Federal -// * Chancellery Austria - ICT staff unit, and Graz University of Technology. -// * -// * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by -// * the European Commission - subsequent versions of the EUPL (the "Licence"); -// * You may not use this work except in compliance with the Licence. -// * You may obtain a copy of the Licence at: -// * http://www.osor.eu/eupl/ -// * -// * Unless required by applicable law or agreed to in writing, software -// * distributed under the Licence is distributed on an "AS IS" basis, -// * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// * See the Licence for the specific language governing permissions and -// * limitations under the Licence. -// * -// * This product combines work with different licenses. See the "NOTICE" text -// * file for details on the various modules and licenses. -// * The "NOTICE" text file is part of the distribution. Any derivative works -// * that you distribute must include a readable copy of the "NOTICE" text file. -// *******************************************************************************/ -//package at.gv.egovernment.moa.id.moduls; -// -//import at.gv.egovernment.moa.id.entrypoints.DispatcherServlet; -// -// -//public class ModulUtils { -// -//	public static final String UNAUTHDISPATCHER = "dispatcher"; -//	public static final String AUTHDISPATCHER = "dispatcher"; -//	 -//	public static String buildUnauthURL(String modul, String action, String pendingRequestID) { -//		return UNAUTHDISPATCHER + "?" 
+  -//				DispatcherServlet.PARAM_TARGET_MODULE + "=" + modul + "&" + -//				DispatcherServlet.PARAM_TARGET_ACTION + "=" + action + "&" +  -//				DispatcherServlet.PARAM_TARGET_PENDINGREQUESTID + "=" + pendingRequestID; -//	} -//	 -//	public static String buildAuthURL(String modul, String action, String pendingRequestID) { -//		return AUTHDISPATCHER +  -//				"?" + DispatcherServlet.PARAM_TARGET_MODULE + "=" + modul + "&" + -//				DispatcherServlet.PARAM_TARGET_ACTION + "=" + action + "&" +  -//				DispatcherServlet.PARAM_TARGET_PENDINGREQUESTID + "=" + pendingRequestID; -//	} -//} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index bba9f66ae..a1a814e95 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -32,6 +32,7 @@ import java.util.Map;  import javax.servlet.http.HttpServletRequest;  import org.opensaml.saml2.core.Attribute; +import org.springframework.beans.factory.annotation.Autowired;  import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;  import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException; @@ -40,6 +41,7 @@ import at.gv.egovernment.moa.id.config.ConfigurationException;  import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;  import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;  import at.gv.egovernment.moa.id.util.HTTPUtils;  import at.gv.egovernment.moa.id.util.Random;  import at.gv.egovernment.moa.logging.Logger; 
@@ -78,11 +80,13 @@ public abstract class RequestImpl implements IRequest, Serializable{  	private Map<String, Object> genericDataStorage = new HashMap<String, Object>(); +	@Autowired protected AttributQueryBuilder attributQueryBuilder;  +	  	/**  	 * @throws ConfigurationException   	 *   	 */ -	public RequestImpl(HttpServletRequest req) throws ConfigurationException {				 +	public final void initialize(HttpServletRequest req) throws ConfigurationException {				  		//set requestID  		requestID = Random.nextRandom(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ServletType.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ServletType.java deleted file mode 100644 index c8fbfb558..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ServletType.java +++ /dev/null 
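Review bot: `@Autowired protected AttributQueryBuilder attributQueryBuilder;` is added to a class that `implements IRequest, Serializable`; unless AttributQueryBuilder is itself Serializable, every request object written to session or transaction storage will now fail with NotSerializableException, and the field is only injected at all if RequestImpl instances are Spring-managed rather than created with `new` (their construction is outside the hunk). Declare it `@Autowired protected transient AttributQueryBuilder attributQueryBuilder;` — accepting that it is null after deserialisation — or inject the builder where it is actually used instead of on the request. Replacing the constructor with `public final void initialize(HttpServletRequest req)` also removes the guarantee that `requestID = Random.nextRandom();` has run: a RequestImpl on which initialize() was never called carries a null requestID, so either document initialize() as mandatory (`/** Must be called exactly once after construction; assigns the random request ID and the request-derived state. */`) or make the accessors fail fast when requestID is null. The body of initialize() continues outside the hunk.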
@@ -1,27 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.moduls; - -public enum ServletType { -		UNAUTH, AUTH, NONE	 -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index 5c1c60dc8..d48603a7c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java 
@@ -22,49 +22,20 @@   *******************************************************************************/  package at.gv.egovernment.moa.id.protocols.pvp2x; -import java.io.StringWriter; +import java.util.Arrays;  import java.util.List;  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse; -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; -import javax.xml.transform.Transformer; -import javax.xml.transform.TransformerFactory; -import javax.xml.transform.dom.DOMSource; -import javax.xml.transform.stream.StreamResult; - -import org.joda.time.DateTime; -import org.opensaml.Configuration; -import org.opensaml.common.xml.SAMLConstants; + +import org.opensaml.saml2.core.Attribute;  import org.opensaml.saml2.core.NameIDType; -import org.opensaml.saml2.metadata.AssertionConsumerService; -import org.opensaml.saml2.metadata.AttributeConsumingService;  import org.opensaml.saml2.metadata.ContactPerson; -import org.opensaml.saml2.metadata.EntitiesDescriptor; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.saml2.metadata.KeyDescriptor; -import org.opensaml.saml2.metadata.LocalizedString; -import org.opensaml.saml2.metadata.NameIDFormat; -import org.opensaml.saml2.metadata.RoleDescriptor; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.ServiceName; -import org.opensaml.saml2.metadata.SingleLogoutService; -import org.opensaml.saml2.metadata.SingleSignOnService; -import org.opensaml.xml.io.Marshaller; -import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.SecurityHelper; +import org.opensaml.saml2.metadata.Organization; +import org.opensaml.saml2.metadata.RequestedAttribute;  import org.opensaml.xml.security.credential.Credential; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; 
-import org.opensaml.xml.security.x509.X509Credential; -import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; -import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.Signer;  import org.springframework.beans.factory.annotation.Autowired;  import org.springframework.stereotype.Service; -import org.w3c.dom.Document;  import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;  import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; 
@@ -74,103 +45,28 @@ import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.data.SLOInformationInterface;  import at.gv.egovernment.moa.id.moduls.IAction;  import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;  import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;  import at.gv.egovernment.moa.logging.Logger;  @Service("pvpMetadataService") -public class MetadataAction implements IAction { +public class MetadataAction extends AbstractPVPMetadataBuilder implements IAction {  	private static final int VALIDUNTIL_IN_HOURS = 24;  	@Autowired private MOAReversionLogger revisionsLogger; +	@Autowired private IDPCredentialProvider credentialProvider;  	public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq,  			HttpServletResponse httpResp, IAuthData authData) throws MOAIDException {  		try { -  			revisionsLogger.logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_PVP_METADATA); -			EntitiesDescriptor idpEntitiesDescriptor =  -					SAML2Utils.createSAMLObject(EntitiesDescriptor.class); -						 -			idpEntitiesDescriptor.setName(PVPConfiguration.getInstance().getIDPIssuerName()); - -			idpEntitiesDescriptor.setID(SAML2Utils.getSecureIdentifier()); -			 -			DateTime date = new DateTime(); -			 -			idpEntitiesDescriptor.setValidUntil(date.plusHours(VALIDUNTIL_IN_HOURS)); -				 -			EntityDescriptor idpEntityDescriptor = SAML2Utils -					.createSAMLObject(EntityDescriptor.class); - -			
idpEntitiesDescriptor.getEntityDescriptors().add(idpEntityDescriptor); -			 -			//TODO: maybe change EntityID to Metadata URL -			//idpEntityDescriptor -			//		.setEntityID(PVPConfiguration.getInstance().getIDPSSOMetadataService()); - -			idpEntityDescriptor -			.setEntityID(req.getAuthURLWithOutSlash()); -			 -			idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_HOURS)); -			 -			List<ContactPerson> persons = PVPConfiguration.getInstance() -					.getIDPContacts(); - -			idpEntityDescriptor.getContactPersons().addAll(persons); - -			idpEntityDescriptor.setOrganization(PVPConfiguration.getInstance() -					.getIDPOrganisation()); - -			X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory(); -			//keyInfoFactory.setEmitPublicKeyValue(true); -			keyInfoFactory.setEmitEntityIDAsKeyName(true); -			keyInfoFactory.setEmitEntityCertificate(true); - -			KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); -			 -			Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential(); -			Signature signature = CredentialProvider -					.getIDPSignature(metadataSigningCredential); -			 -			//set KeyInfo Element -			SecurityHelper.prepareSignatureParams(signature, metadataSigningCredential, null, null); -			 -			idpEntitiesDescriptor.setSignature(signature); - -			//set IDP metadata -			idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(req, keyInfoGenerator)); -			 -			//set SP metadata for interfederation -			idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(req, keyInfoGenerator)); -			 -			DocumentBuilder builder; -			DocumentBuilderFactory factory = DocumentBuilderFactory -					.newInstance(); - -			builder = factory.newDocumentBuilder(); -			Document document = builder.newDocument(); -			Marshaller out = Configuration.getMarshallerFactory() -					.getMarshaller(idpEntitiesDescriptor); -			out.marshall(idpEntitiesDescriptor, document); - -			Signer.signObject(signature); - -			
Transformer transformer = TransformerFactory.newInstance() -					.newTransformer(); - -			StringWriter sw = new StringWriter(); -			StreamResult sr = new StreamResult(sw); -			DOMSource source = new DOMSource(document); -			transformer.transform(source, sr); -			sw.close(); - -			String metadataXML = sw.toString(); +			//build metadata +			String metadataXML = buildPVPMetadata(req.getAuthURLWithOutSlash());			  			Logger.debug("METADATA: " + metadataXML);  			httpResp.setContentType("text/xml"); 
@@ -195,228 +91,232 @@ public class MetadataAction implements IAction {  		return (PVP2XProtocol.METADATA);  	} -	private RoleDescriptor generateSPMetadata(IRequest req, KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException { +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataValidUntil() +	 */ +	@Override +	public int getMetadataValidUntil() { +		return VALIDUNTIL_IN_HOURS; +	} -		Logger.debug("Set SP Metadata key information"); -		 -		SPSSODescriptor spSSODescriptor = SAML2Utils -				.createSAMLObject(SPSSODescriptor.class); +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildEntitiesDescriptorAsRootElement() +	 */ +	@Override +	public boolean buildEntitiesDescriptorAsRootElement() { +		return true; +	} -		spSSODescriptor.setAuthnRequestsSigned(true); -		spSSODescriptor.setWantAssertionsSigned(false); -	 - 		 -		//Set AuthRequest Signing certificate -		X509Credential authcredential = CredentialProvider.getIDPAssertionSigningCredential(); -		 -		KeyDescriptor signKeyDescriptor = SAML2Utils -				.createSAMLObject(KeyDescriptor.class); -		signKeyDescriptor.setUse(UsageType.SIGNING); -		signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential));	 -		spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); -		 -		 -		//set AuthRequest encryption certificate -		 -		X509Credential authEncCredential = CredentialProvider.getIDPAssertionEncryptionCredential();			 - -		if (authEncCredential != null) { -			KeyDescriptor encryKeyDescriptor = SAML2Utils -					.createSAMLObject(KeyDescriptor.class); -			encryKeyDescriptor.setUse(UsageType.ENCRYPTION); -			encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential));	 -			spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor); +	/* (non-Javadoc) +	 * @see 
at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildIDPSSODescriptor() +	 */ +	@Override +	public boolean buildIDPSSODescriptor() { +		return true; +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildSPSSODescriptor() +	 */ +	@Override +	public boolean buildSPSSODescriptor() { +		return false; +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityID() +	 */ +	@Override +	public String getEntityIDPostfix() { +		//TODO: maybe change EntityID to Metadata URL +		return null; +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityFriendlyName() +	 */ +	@Override +	public String getEntityFriendlyName() { +		try { +			return PVPConfiguration.getInstance().getIDPIssuerName(); -		} else { -			Logger.warn("No Assertion Encryption-Key defined. This setting is not recommended!"); +		} catch (ConfigurationException e) { +			Logger.error("Can not load Metadata entry: EntityID friendlyName.", e); +			return null;  		} -				 -		NameIDFormat persistentnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); -		persistentnameIDFormat.setFormat(NameIDType.PERSISTENT); -		 -		spSSODescriptor.getNameIDFormats().add(persistentnameIDFormat); -		 -		NameIDFormat transientnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); -		transientnameIDFormat.setFormat(NameIDType.TRANSIENT); -		 -		spSSODescriptor.getNameIDFormats().add(transientnameIDFormat); -		 -		NameIDFormat unspecifiednameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); -		unspecifiednameIDFormat.setFormat(NameIDType.UNSPECIFIED); -		 -		spSSODescriptor.getNameIDFormats().add(unspecifiednameIDFormat); - -		//add assertion consumer services -		AssertionConsumerService postassertionConsumerService =  -				SAML2Utils.createSAMLObject(AssertionConsumerService.class);		 -		
postassertionConsumerService.setIndex(0); -		postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); -		postassertionConsumerService.setLocation(PVPConfiguration -				.getInstance().getSPSSOPostService(req.getAuthURL()));	 -		postassertionConsumerService.setIsDefault(true); -		spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService); -				 -		AssertionConsumerService redirectassertionConsumerService =  -				SAML2Utils.createSAMLObject(AssertionConsumerService.class);		 -		redirectassertionConsumerService.setIndex(1); -		redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); -		redirectassertionConsumerService.setLocation(PVPConfiguration -				.getInstance().getSPSSORedirectService(req.getAuthURL())); -		spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService); -		 -		 -		//add SLO descriptor -//		SingleLogoutService postSLOService =  -//				SAML2Utils.createSAMLObject(SingleLogoutService.class);			 -//		postSLOService.setLocation(PVPConfiguration -//				.getInstance().getIDPSSOPostService()); -//		postSLOService -//				.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); -//		spSSODescriptor.getSingleLogoutServices().add(postSLOService); -		 -		SingleLogoutService redirectSLOService =  -				SAML2Utils.createSAMLObject(SingleLogoutService.class);			 -		redirectSLOService.setLocation(PVPConfiguration -				.getInstance().getSPSSORedirectService(req.getAuthURL())); -		redirectSLOService -				.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); -		spSSODescriptor.getSingleLogoutServices().add(redirectSLOService); -		 -		 -		spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); -						 -		AttributeConsumingService attributeService =  -				SAML2Utils.createSAMLObject(AttributeConsumingService.class); -		attributeService.setIndex(0); -		attributeService.setIsDefault(true); -		ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class); -		
serviceName.setName(new LocalizedString("Default Service", "de")); -		attributeService.getNames().add(serviceName); -						 -		return spSSODescriptor;  	} -	 -	private IDPSSODescriptor generateIDPMetadata(IRequest req, KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException { -		 - -//		//set SignatureMethode -//		signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE); -//		 -//		//set DigestMethode -//		List<ContentReference> contentList = signature.getContentReferences(); -//		for (ContentReference content : contentList) { -//			 -//			if (content instanceof SAMLObjectContentReference) { -//				 -//				SAMLObjectContentReference el = (SAMLObjectContentReference) content; -//				el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE); -//				 -//			} -//		} -		 -		 -//		KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder(); -//		KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject(); -//		//KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.); -//		signature.setKeyInfo(metadataKeyInfo ); -		 -		 -		IDPSSODescriptor idpSSODescriptor = SAML2Utils -				.createSAMLObject(IDPSSODescriptor.class); -		idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); -		 -		idpSSODescriptor.setWantAuthnRequestsSigned(true);			 -		 -		if (PVPConfiguration.getInstance().getIDPSSOPostService(req.getAuthURL()) != null) { -			//add SSO descriptor -			SingleSignOnService postSingleSignOnService = SAML2Utils -					.createSAMLObject(SingleSignOnService.class); -			postSingleSignOnService.setLocation(PVPConfiguration -					.getInstance().getIDPSSOPostService(req.getAuthURL())); -			postSingleSignOnService -					.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); -			idpSSODescriptor.getSingleSignOnServices().add( -					postSingleSignOnService); +	/* (non-Javadoc) +	 * @see 
at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getContactPersonInformation() +	 */ +	@Override +	public List<ContactPerson> getContactPersonInformation() { +		try { +			return PVPConfiguration.getInstance().getIDPContacts(); -			//add SLO descriptor -//			SingleLogoutService postSLOService =  -//					SAML2Utils.createSAMLObject(SingleLogoutService.class);			 -//			postSLOService.setLocation(PVPConfiguration -//					.getInstance().getIDPSSOPostService()); -//			postSLOService -//					.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); -//			idpSSODescriptor.getSingleLogoutServices().add(postSLOService); +		} catch (ConfigurationException e) { +			Logger.warn("Can not load Metadata entry: Contect Person", e); +			return null;  		} +		 +	} -		if (PVPConfiguration.getInstance().getIDPSSORedirectService(req.getAuthURL()) != null) { -			//add SSO descriptor -			SingleSignOnService redirectSingleSignOnService = SAML2Utils -					.createSAMLObject(SingleSignOnService.class); -			redirectSingleSignOnService.setLocation(PVPConfiguration -					.getInstance().getIDPSSORedirectService(req.getAuthURL())); -			redirectSingleSignOnService -					.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); -			idpSSODescriptor.getSingleSignOnServices().add( -					redirectSingleSignOnService); +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getOrgansiationInformation() +	 */ +	@Override +	public Organization getOrgansiationInformation() { +		try { +			return PVPConfiguration.getInstance().getIDPOrganisation(); +			 +		} catch (ConfigurationException e) { +			Logger.warn("Can not load Metadata entry: Organisation", e); +			return null; -			//add SLO descriptor -			SingleLogoutService redirectSLOService =  -					SAML2Utils.createSAMLObject(SingleLogoutService.class);			 -			redirectSLOService.setLocation(PVPConfiguration -					.getInstance().getIDPSSORedirectService(req.getAuthURL())); -			redirectSLOService 
-					.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); -			idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService);  		} +	} -		/*if (PVPConfiguration.getInstance().getIDPResolveSOAPService() != null) { -			ArtifactResolutionService artifactResolutionService = SAML2Utils -					.createSAMLObject(ArtifactResolutionService.class); - -			artifactResolutionService -					.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); -			artifactResolutionService.setLocation(PVPConfiguration -					.getInstance().getIDPResolveSOAPService()); +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataSigningCredentials() +	 */ +	@Override +	public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException { +		return credentialProvider.getIDPMetaDataSigningCredential(); +	} -			artifactResolutionService.setIndex(0); -			 -			idpSSODescriptor.getArtifactResolutionServices().add( -					artifactResolutionService); -		}*/ -	 -		//set assertion signing key -		Credential assertionSigingCredential = CredentialProvider -				.getIDPAssertionSigningCredential(); - -		KeyDescriptor signKeyDescriptor = SAML2Utils -				.createSAMLObject(KeyDescriptor.class); -		signKeyDescriptor.setUse(UsageType.SIGNING); -		signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential)); -		idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); -					 -		idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes()); +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getRequestorResponseSigningCredentials() +	 */ +	@Override +	public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException { +		return credentialProvider.getIDPAssertionSigningCredential(); -		NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); -		
persistenNameIDFormat.setFormat(NameIDType.PERSISTENT); +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEncryptionCredentials() +	 */ +	@Override +	public Credential getEncryptionCredentials() throws CredentialsNotAvailableException { +		return credentialProvider.getIDPAssertionEncryptionCredential(); -		idpSSODescriptor.getNameIDFormats().add(persistenNameIDFormat); +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSOPostBindingURL() +	 */ +	@Override +	public String getIDPWebSSOPostBindingURL() { +		return PVPConfiguration.PVP2_IDP_POST; -		NameIDFormat transientNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); -		transientNameIDFormat.setFormat(NameIDType.TRANSIENT); +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSORedirectBindingURL() +	 */ +	@Override +	public String getIDPWebSSORedirectBindingURL() { +		return PVPConfiguration.PVP2_IDP_REDIRECT; -		idpSSODescriptor.getNameIDFormats().add(transientNameIDFormat); +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLOPostBindingURL() +	 */ +	@Override +	public String getIDPSLOPostBindingURL() { +		return PVPConfiguration.PVP2_IDP_POST; -		NameIDFormat unspecifiedNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); -		unspecifiedNameIDFormat.setFormat(NameIDType.UNSPECIFIED); +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLORedirectBindingURL() +	 */ +	@Override +	public String getIDPSLORedirectBindingURL() { +		return PVPConfiguration.PVP2_IDP_REDIRECT; -		idpSSODescriptor.getNameIDFormats().add(unspecifiedNameIDFormat); +	} + +	/* (non-Javadoc) +	 * @see 
at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServicePostBindingURL() +	 */ +	@Override +	public String getSPAssertionConsumerServicePostBindingURL() { +		return null; +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServiceRedirectBindingURL() +	 */ +	@Override +	public String getSPAssertionConsumerServiceRedirectBindingURL() { +		return null; +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOPostBindingURL() +	 */ +	@Override +	public String getSPSLOPostBindingURL() { +		return null; +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLORedirectBindingURL() +	 */ +	@Override +	public String getSPSLORedirectBindingURL() { +		return null; +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOSOAPBindingURL() +	 */ +	@Override +	public String getSPSLOSOAPBindingURL() { +		return null; +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleAttributes() +	 */ +	@Override +	public List<Attribute> getIDPPossibleAttributes() { +		return PVPAttributeBuilder.buildSupportedEmptyAttributes(); -		return idpSSODescriptor; +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleNameITTypes() +	 */ +	@Override +	public List<String> getIDPPossibleNameITTypes() { +		return Arrays.asList(NameIDType.PERSISTENT,  +							 NameIDType.TRANSIENT, +							 NameIDType.UNSPECIFIED);  	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPRequiredAttributes() +	 */ +	@Override +	public List<RequestedAttribute> getSPRequiredAttributes() { +		return null; +	} + +	/* 
(non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAllowedNameITTypes() +	 */ +	@Override +	public List<String> getSPAllowedNameITTypes() { +		return null; +	} + +  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 6fb03a37d..88f0e3b74 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -22,13 +22,11 @@   *******************************************************************************/  package at.gv.egovernment.moa.id.protocols.pvp2x; -import java.io.IOException;  import java.util.Arrays;  import java.util.List;  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse; -import javax.xml.transform.TransformerException;  import org.apache.commons.lang.StringEscapeUtils;  import org.joda.time.DateTime; @@ -49,7 +47,6 @@ import org.opensaml.saml2.metadata.AttributeConsumingService;  import org.opensaml.saml2.metadata.EntityDescriptor;  import org.opensaml.saml2.metadata.SPSSODescriptor;  import org.opensaml.ws.security.SecurityPolicyException; -import org.opensaml.xml.io.MarshallingException;  import org.opensaml.xml.security.SecurityException;  import org.opensaml.xml.signature.SignableXMLObject;  import org.springframework.stereotype.Controller; @@ -145,7 +142,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {  		}  		//create pendingRequest object -		PVPTargetConfiguration pendingReq = new PVPTargetConfiguration(req); +		PVPTargetConfiguration pendingReq = applicationContext.getBean(PVPTargetConfiguration.class); +		pendingReq.initialize(req);  		pendingReq.setModule(NAME);  		revisionsLogger.logEvent( 
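Review bot: getEntityFriendlyName, getContactPersonInformation and getOrgansiationInformation turn a ConfigurationException into a logged null return, whereas the code they replace let it propagate out of processRequest; a misconfigured IDP now publishes signed metadata with the friendly name, contacts or organisation missing instead of failing the request, and whether the abstract builder tolerates a null list is not visible here. I would either rethrow as an unchecked exception or return `Collections.emptyList()` for the contact list, and state the nullability on each override since many of the SP-side getters return null by design. The log text `"Can not load Metadata entry: Contect Person"` has a typo. `getMetadataValidUntil()` returns a bare int whose unit only the constant name hints at; a `/** Validity of the published metadata, in hours. */` Javadoc would pin it, which matters because the old code applied the same constant once as hours and once as days.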
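Review bot: `applicationContext.getBean(PVPTargetConfiguration.class)` followed by `pendingReq.initialize(req)` is two-phase construction, and it only yields a fresh per-request object because PVPTargetConfiguration is declared `@Scope(value = BeanDefinition.SCOPE_PROTOTYPE)` elsewhere in this commit; with the singleton default the same requestID and session state would be shared across concurrent requests. The same pattern is repeated in the hunks at -171 and -219. A comment at the first call site, `// prototype-scoped bean: a new, not yet initialized instance per call`, or a small private factory method wrapping both calls, would keep that dependency visible and prevent a forgotten initialize.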
@@ -155,7 +153,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {
 				req.getRemoteAddr());
 		MetadataAction metadataAction = applicationContext.getBean(MetadataAction.class);
-		metadataAction.processRequest(new PVPTargetConfiguration(req), 
+		metadataAction.processRequest(pendingReq, 
 				req, resp, null);
 	}
@@ -171,7 +169,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {
 		try {
 			//create pendingRequest object
-			PVPTargetConfiguration pendingReq = new PVPTargetConfiguration(req);
+			PVPTargetConfiguration pendingReq = applicationContext.getBean(PVPTargetConfiguration.class);
+			pendingReq.initialize(req);
 			pendingReq.setModule(NAME);
 			revisionsLogger.logEvent(MOAIDEventConstants.SESSION_CREATED, pendingReq.getUniqueSessionIdentifier());
@@ -219,7 +218,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {
 		try {
 			//create pendingRequest object
-			PVPTargetConfiguration pendingReq = new PVPTargetConfiguration(req);
+			PVPTargetConfiguration pendingReq = applicationContext.getBean(PVPTargetConfiguration.class);
+			pendingReq.initialize(req);
 			pendingReq.setModule(NAME);
 			revisionsLogger.logEvent(MOAIDEventConstants.SESSION_CREATED, pendingReq.getUniqueSessionIdentifier());
@@ -732,42 +732,42 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {  	} -	/** -	 * PreProcess AuthResponse and Assertion  -	 * @param msg -	 */ -	private MOAResponse preProcessAuthResponse(MOAResponse msg) { -		Logger.debug("Start PVP21 assertion processing... "); -		Response samlResp = (Response) msg.getResponse(); -		 -		try { -			if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { -				 -				//validate PVP 2.1 assertion -				SAMLVerificationEngine.validateAssertion(samlResp, true); - -				msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement()); -				return msg; -				 -			} else { -				Logger.debug("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue()  -						+ " from interfederated IDP."); -						 -			} -						 -		} catch (IOException e) { -			Logger.warn("Interfederation response marshaling FAILED.", e); -			 -		} catch (MarshallingException e) { -			Logger.warn("Interfederation response marshaling FAILED.", e); -			 -		} catch (TransformerException e) { -			Logger.warn("Interfederation response marshaling FAILED.", e); -			 -		} catch (AssertionValidationExeption e) { -			//error is already logged, to nothing -		} -		 -		return null; -	}	 +//	/** +//	 * PreProcess AuthResponse and Assertion  +//	 * @param msg +//	 */ +//	private MOAResponse preProcessAuthResponse(MOAResponse msg) { +//		Logger.debug("Start PVP21 assertion processing... 
"); +//		Response samlResp = (Response) msg.getResponse(); +//		 +//		try { +//			if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { +//				 +//				//validate PVP 2.1 assertion +//				SAMLVerificationEngine.validateAssertion(samlResp, true); +// +//				msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement()); +//				return msg; +//				 +//			} else { +//				Logger.debug("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue()  +//						+ " from interfederated IDP."); +//						 +//			} +//						 +//		} catch (IOException e) { +//			Logger.warn("Interfederation response marshaling FAILED.", e); +//			 +//		} catch (MarshallingException e) { +//			Logger.warn("Interfederation response marshaling FAILED.", e); +//			 +//		} catch (TransformerException e) { +//			Logger.warn("Interfederation response marshaling FAILED.", e); +//			 +//		} catch (AssertionValidationExeption e) { +//			//error is already logged, to nothing +//		} +//		 +//		return null; +//	}	  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index 181e89806..800728bbd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java 
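Review bot: Commenting out preProcessAuthResponse removes the only call in this file to `SAMLVerificationEngine.validateAssertion(samlResp, true)`, and the hunk shows no replacement, so it is not visible where responses from an interfederated IDP now have their assertion validated before a SUCCESS status is acted on; if that validation moved elsewhere, a one-line comment naming the new location would make it auditable, otherwise this is a gap rather than a cleanup. Dead code should be deleted rather than kept as a 40-line comment block; version control preserves the old implementation.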
@@ -26,35 +26,26 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import javax.servlet.http.HttpServletRequest;
-
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.core.impl.AuthnRequestImpl;
 import org.opensaml.saml2.metadata.AttributeConsumingService;
 import org.opensaml.saml2.metadata.RequestedAttribute;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.context.annotation.Scope;
+import org.springframework.stereotype.Component;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.moduls.RequestImpl;
-import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
 import at.gv.egovernment.moa.logging.Logger;
+@Component("PVPTargetConfiguration")
+@Scope(value = BeanDefinition.SCOPE_PROTOTYPE)
 public class PVPTargetConfiguration extends RequestImpl {
-	/**
-	 * @param req
-	 * @throws ConfigurationException
-	 */
-	public PVPTargetConfiguration(HttpServletRequest req)
-			throws ConfigurationException {
-		super(req);
-		
-	}
-
 	private static final long serialVersionUID = 4889919265919638188L;
 	InboundMessage request;
@@ -132,7 +123,7 @@ public class PVPTargetConfiguration extends RequestImpl {
 					reqAttr.put(attr.getName(), "");
 			}
-			return AttributQueryBuilder.buildSAML2AttributeList(this.getOnlineApplicationConfiguration(), reqAttr.keySet().iterator());
+			return attributQueryBuilder.buildSAML2AttributeList(this.getOnlineApplicationConfiguration(), reqAttr.keySet().iterator());
 		} catch (NoMetadataInformationException e) {
 			Logger.warn("NO metadata found for Entity " + getRequest().getEntityID());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
index 8928aaeca..5afa10a72 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
@@ -49,6 +49,7 @@ import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;
 import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.ISLOInformationContainer;
 import at.gv.egovernment.moa.id.data.SLOInformationContainer;
 import at.gv.egovernment.moa.id.data.SLOInformationInterface;
 import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
@@ -77,6 +78,8 @@ public class SingleLogOutAction implements IAction {
 	@Autowired private AuthenticationManager authManager;
 	@Autowired private IAuthenticationSessionStoreage authenticationSessionStorage;
 	@Autowired private ITransactionStorage transactionStorage;
+	@Autowired private SingleLogOutBuilder sloBuilder;
+	
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.data.IAuthData)
@@ -107,11 +110,11 @@ public class SingleLogOutAction implements IAction {
 					String ssoID = ssomanager.getSSOSessionID(httpReq);
 					if (MiscUtil.isEmpty(ssoID)) {
 						Logger.info("Can not find active Session. Single LogOut not possible!");
-						SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
-						//LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
-						LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, null);
+						SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq);
+						//LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
+						LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, null);
 						Logger.info("Sending SLO success message to requester ...");
-						SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());						
+						sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());						
 						return null;
 					} else {
@@ -121,11 +124,11 @@ public class SingleLogOutAction implements IAction {  						} catch (MOADatabaseException e) {  							Logger.info("Can not find active Session. Single LogOut not possible!"); -							SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); -							//LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); -							LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, null); +							SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq); +							//LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); +							LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, null);  							Logger.info("Sending SLO success message to requester ..."); -							SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); +							sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());  							return null;  						}						 @@ -175,10 +178,10 @@ public class SingleLogOutAction implements IAction {  						Object data = SerializationUtils.deserialize(element.getAssertion());  						if (data instanceof SLOInformationContainer) { -							SLOInformationContainer sloContainer = (SLOInformationContainer) data; +							ISLOInformationContainer sloContainer = (ISLOInformationContainer) data;  							//check status -							SingleLogOutBuilder.checkStatusCode(sloContainer, logOutResp); +							sloBuilder.checkStatusCode(sloContainer, logOutResp);  							if (sloContainer.hasFrontChannelOA()) {							  								try { 
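Review bot: In the `@@ -175` hunk the cast is widened to `ISLOInformationContainer`, but the guard one line above still tests `data instanceof SLOInformationContainer`, so any other implementation of the new interface that ends up in the AssertionStore is rejected before the cast; change it to `if (data instanceof ISLOInformationContainer) {` so check and cast agree. Separately, `SerializationUtils.deserialize(element.getAssertion())` performs Java-native deserialization before any type check, so the instanceof test cannot limit which classes get instantiated; the blob appears to come from the server's own transaction storage, but if that store is shared with or writable by other components, a deserialization filter (or a non-native format for the container) would be the safer choice. The surrounding processRequest method continues outside the hunk.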
@@ -224,9 +227,9 @@ public class SingleLogOutAction implements IAction {  								String redirectURL = null;  								if (sloContainer.getSloRequest() != null) {  									//send SLO response to SLO request issuer -									SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(sloContainer.getSloRequest()); -									LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, sloContainer.getSloRequest(), sloContainer.getSloFailedOAs()); -									redirectURL = SingleLogOutBuilder.getFrontChannelSLOMessageURL(sloService, message, httpReq, httpResp, sloContainer.getSloRequest().getRequest().getRelayState()); +									SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(sloContainer.getSloRequest()); +									LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, sloContainer.getSloRequest(), sloContainer.getSloFailedOAs()); +									redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, httpReq, httpResp, sloContainer.getSloRequest().getRequest().getRelayState());  								} else {  									//print SLO information directly diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 9e176f724..24bdf4c3c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java 
@@ -47,6 +47,7 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter;  import org.opensaml.xml.parse.BasicParserPool;  import org.opensaml.xml.security.SecurityException;  import org.opensaml.xml.security.x509.X509Credential; +import org.springframework.beans.factory.annotation.Autowired;  import org.springframework.stereotype.Service;  import at.gv.egovernment.moa.id.config.ConfigurationException; @@ -58,8 +59,8 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;  import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOAPVPSignedRequestPolicyRule;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;  import at.gv.egovernment.moa.id.util.HTTPUtils; @@ -69,13 +70,15 @@ import at.gv.egovernment.moa.util.MiscUtil;  @Service("PVPPostBindingCoder")  public class PostBinding implements IDecoder, IEncoder { - +	 +	@Autowired private IDPCredentialProvider credentialProvider; +	  	public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,  			RequestAbstractType request, String targetLocation, String relayState)	  			throws MessageEncodingException, SecurityException {  		try { -			X509Credential credentials = CredentialProvider +			X509Credential credentials = credentialProvider  					.getIDPAssertionSigningCredential();  			//load default PVP security configurations 
@@ -113,7 +116,7 @@ public class PostBinding implements IDecoder, IEncoder {  			throws MessageEncodingException, SecurityException {  		try { -			X509Credential credentials = CredentialProvider +			X509Credential credentials = credentialProvider  					.getIDPAssertionSigningCredential();  			//load default PVP security configurations diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 08aa76e58..7167d8b7d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -48,6 +48,7 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter;  import org.opensaml.xml.parse.BasicParserPool;  import org.opensaml.xml.security.SecurityException;  import org.opensaml.xml.security.x509.X509Credential; +import org.springframework.beans.factory.annotation.Autowired;  import org.springframework.stereotype.Service;  import at.gv.egovernment.moa.id.config.ConfigurationException; @@ -59,8 +60,8 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;  import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;  import at.gv.egovernment.moa.id.util.HTTPUtils;  import at.gv.egovernment.moa.logging.Logger; 
@@ -69,12 +70,14 @@ import at.gv.egovernment.moa.util.MiscUtil;  @Service("PVPRedirectBindingCoder")  public class RedirectBinding implements IDecoder, IEncoder { +	@Autowired private IDPCredentialProvider credentialProvider; +	  	public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,  			RequestAbstractType request, String targetLocation, String relayState)  			throws MessageEncodingException, SecurityException {  		try { -			X509Credential credentials = CredentialProvider +			X509Credential credentials = credentialProvider  					.getIDPAssertionSigningCredential();  			//load default PVP security configurations @@ -107,7 +110,7 @@ public class RedirectBinding implements IDecoder, IEncoder {  			StatusResponseType response, String targetLocation, String relayState)  			throws MessageEncodingException, SecurityException {  		try { -			X509Credential credentials = CredentialProvider +			X509Credential credentials = credentialProvider  					.getIDPAssertionSigningCredential();  			//load default PVP security configurations diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index d42d91105..bd60b7a13 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -45,6 +45,7 @@ import org.opensaml.xml.parse.BasicParserPool;  import org.opensaml.xml.security.SecurityException;  import org.opensaml.xml.security.credential.Credential;  import org.opensaml.xml.signature.SignableXMLObject; +import org.springframework.beans.factory.annotation.Autowired;  import org.springframework.stereotype.Service;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; 
@@ -54,14 +55,16 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.MiscUtil;  @Service("PVPSOAPBindingCoder")  public class SoapBinding implements IDecoder, IEncoder { +	@Autowired private IDPCredentialProvider credentialProvider; +	  	public InboundMessageInterface decode(HttpServletRequest req,  			HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException,  			SecurityException, PVP2Exception { @@ -142,7 +145,7 @@ public class SoapBinding implements IDecoder, IEncoder {  			StatusResponseType response, String targetLocation, String relayState)  			throws MessageEncodingException, SecurityException, PVP2Exception {  		try { -			Credential credentials = CredentialProvider +			Credential credentials = credentialProvider  					.getIDPAssertionSigningCredential();  			//load default PVP security configurations diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AbstractPVPMetadataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AbstractPVPMetadataBuilder.java new file mode 100644 index 000000000..23870806a --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AbstractPVPMetadataBuilder.java 
@@ -0,0 +1,649 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder; + +import java.io.IOException; +import java.io.StringWriter; +import java.security.PrivateKey; +import java.security.interfaces.RSAPrivateKey; +import java.util.List; + +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; +import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactory; +import javax.xml.transform.TransformerFactoryConfigurationError; +import javax.xml.transform.dom.DOMSource; +import javax.xml.transform.stream.StreamResult; + +import org.joda.time.DateTime; +import org.opensaml.Configuration; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.metadata.AssertionConsumerService; +import org.opensaml.saml2.metadata.AttributeConsumingService; +import org.opensaml.saml2.metadata.ContactPerson; +import org.opensaml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.IDPSSODescriptor; +import org.opensaml.saml2.metadata.KeyDescriptor; +import org.opensaml.saml2.metadata.LocalizedString; +import org.opensaml.saml2.metadata.NameIDFormat; +import org.opensaml.saml2.metadata.Organization; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.saml2.metadata.RoleDescriptor; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.ServiceName; +import org.opensaml.saml2.metadata.SingleLogoutService; +import org.opensaml.saml2.metadata.SingleSignOnService; +import org.opensaml.xml.io.Marshaller; +import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.SecurityHelper; +import org.opensaml.xml.security.credential.Credential; +import 
org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; +import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; +import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureConstants; +import org.opensaml.xml.signature.SignatureException; +import org.opensaml.xml.signature.Signer; +import org.w3c.dom.Document; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ + +public abstract class AbstractPVPMetadataBuilder { + +	X509KeyInfoGeneratorFactory keyInfoFactory = null; +	 +	/** +	 *  +	 */ +	public AbstractPVPMetadataBuilder() { +		keyInfoFactory = new X509KeyInfoGeneratorFactory(); +		keyInfoFactory.setEmitEntityIDAsKeyName(true); +		keyInfoFactory.setEmitEntityCertificate(true); +		 +	} +	 +	 +	/** +	 * Set metadata valid area +	 *  +	 * @return valid until in hours [h] +	 */ +	public abstract int getMetadataValidUntil(); +	 +	/** +	 * Build a SAML2 Entities element as metadata root element +	 *  +	 * @return true, if the metadata should start with entities element  +	 */ +	public abstract boolean buildEntitiesDescriptorAsRootElement(); +	 +	/** +	 *  +	 *  +	 * @return true, if an IDP SSO-descriptor element should be generated  +	 */ +	public abstract boolean buildIDPSSODescriptor(); +	 +	/** +	 *  +	 *  +	 * @return true, if an SP SSO-descriptor element should be generated  +	 */ +	public abstract boolean buildSPSSODescriptor(); +	 +	/** +	 * Set the PVP entityID for this SAML2 metadata. +	 * The entityID must be a URL and is public-URL prefix of the server, as minimum. 
+	 * If this is null or a empty String, the EntityID is the public-url prefix +	 *  +	 * @return PVP entityID postfix as String +	 */ +	public abstract String getEntityIDPostfix(); +	 +	/** +	 * Set a friendlyName for this PVP entity +	 *  +	 * @return  +	 */ +	public abstract String getEntityFriendlyName(); +	 +	/** +	 * Set the contact information for this metadata entity +	 *  +	 * @return +	 */ +	public abstract List<ContactPerson> getContactPersonInformation(); +	 +	/** +	 * Set organisation information for this metadata entity +	 *  +	 * @return +	 */ +	public abstract Organization getOrgansiationInformation(); +	 + +	/** +	 * Set the credential for metadata signing +	 *  +	 * @return +	 * @throws CredentialsNotAvailableException  +	 */ +	public abstract Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException; +	 +	/** +	 * Set the credential for request/response signing +	 * IDP metadata: this credential is used for SAML2 response signing +	 * SP metadata: this credential is used for SAML2 response signing +	 *  +	 * @return +	 * @throws CredentialsNotAvailableException  +	 */ +	public abstract Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException; +	 +	/** +	 * Set the credential for response encryption +	 *  +	 * @return +	 * @throws CredentialsNotAvailableException  +	 */ +	public abstract Credential getEncryptionCredentials() throws CredentialsNotAvailableException; +	 +	/** +	 * Set the IDP Post-Binding URL-postfix for WebSSO  +	 *  +	 * @return +	 */ +	public abstract String getIDPWebSSOPostBindingURL(); +	 +	/** +	 * Set the IDP Redirect-Binding URL-postfix for WebSSO  +	 *  +	 * @return +	 */ +	public abstract String getIDPWebSSORedirectBindingURL(); +	 +	/** +	 * Set the IDP Post-Binding URL-postfix for Single LogOut  +	 *  +	 * @return +	 */ +	public abstract String getIDPSLOPostBindingURL(); +	 +	/** +	 * Set the IDP Redirect-Binding URL-postfix for Single LogOut  +	 *  +	 * @return 
+	 */ +	public abstract String getIDPSLORedirectBindingURL(); +	 +	/** +	 * Set the SP Post-Binding URL-postfix for for the Assertion-Consumer Service +	 *  +	 * @return +	 */ +	public abstract String getSPAssertionConsumerServicePostBindingURL(); +	 +	/** +	 * Set the SP Redirect-Binding URL-postfix for the Assertion-Consumer Service  +	 *  +	 * @return +	 */ +	public abstract String getSPAssertionConsumerServiceRedirectBindingURL(); +	 +	/** +	 * Set the SP Post-Binding URL-postfix for Single LogOut  +	 *  +	 * @return +	 */ +	public abstract String getSPSLOPostBindingURL(); +	 +	/** +	 * Set the SP Redirect-Binding URL-postfix for Single LogOut  +	 *  +	 * @return +	 */ +	public abstract String getSPSLORedirectBindingURL(); +	 +	/** +	 * Set the SP SOAP-Binding URL-postfix for Single LogOut  +	 *  +	 * @return +	 */ +	public abstract String getSPSLOSOAPBindingURL(); +	 +	 +	/** +	 * Set all SAML2 attributes which could be provided by this IDP +	 *  +	 * @return +	 */ +	public abstract List<Attribute> getIDPPossibleAttributes(); +	 +	/** +	 * Set all nameID types which could be provided by this IDP +	 *  +	 * @return a List of SAML2 nameID types +	 */ +	public abstract List<String> getIDPPossibleNameITTypes(); +	 +	/** +	 * Set all SAML2 attributes which are required by the SP +	 *  +	 * @return +	 */ +	public abstract List<RequestedAttribute> getSPRequiredAttributes(); +	 +	/** +	 * Set all nameID types which allowed from the SP +	 *  +	 * @return a List of SAML2 nameID types +	 */ +	public abstract List<String> getSPAllowedNameITTypes(); +	 +	/** +	 *  +	 * Build PVP 2.1 conform SAML2 metadata +	 *  +	 * @param instancePublicURLPrefix  +	 * 				Public-URL prefix which should be used to generate URLs.  
+	 * 				The URL String must by without trailing / +	 *  +	 * @return PVP metadata as XML String +	 * @throws SecurityException  +	 * @throws ConfigurationException  +	 * @throws CredentialsNotAvailableException  +	 * @throws TransformerFactoryConfigurationError  +	 * @throws MarshallingException  +	 * @throws TransformerException  +	 * @throws ParserConfigurationException  +	 * @throws IOException  +	 * @throws SignatureException  +	 */ +	public String buildPVPMetadata(String instancePublicURLPrefix) throws CredentialsNotAvailableException, ConfigurationException, SecurityException, TransformerFactoryConfigurationError, MarshallingException, TransformerException, ParserConfigurationException, IOException, SignatureException {		 +		if (MiscUtil.isEmpty(instancePublicURLPrefix)) { +			Logger.error("Metadata generation FAILED! --> PublicURL Prefix is null or empty"); +			throw new NullPointerException("PublicURL Prefix is null or empty"); +			 +		} + +		//remove trailing slash +		if (instancePublicURLPrefix.endsWith("/")) +			instancePublicURLPrefix.substring(0, instancePublicURLPrefix.length()-1); +		 +		DateTime date = new DateTime(); +		EntityDescriptor entityDescriptor = SAML2Utils +				.createSAMLObject(EntityDescriptor.class); +		 +		//set entityID +		if (MiscUtil.isNotEmpty(getEntityIDPostfix())) +			entityDescriptor.setEntityID(instancePublicURLPrefix + getEntityIDPostfix());		 +		else +			entityDescriptor.setEntityID(instancePublicURLPrefix); +								 +		//set contact and organisation information +		List<ContactPerson> contactPersons = getContactPersonInformation(); +		if (contactPersons != null) +			entityDescriptor.getContactPersons().addAll(contactPersons); +		 +		Organization organisation = getOrgansiationInformation(); +		if (organisation != null) +			entityDescriptor.setOrganization(organisation); + +		//set IDP metadata +		if (buildIDPSSODescriptor()) { +			RoleDescriptor idpSSODesc = generateIDPMetadata(instancePublicURLPrefix); +			if (idpSSODesc 
!= null) +				entityDescriptor.getRoleDescriptors().add(idpSSODesc); +						 +		} +		 +		//set SP metadata for interfederation +		if (buildSPSSODescriptor()) { +			RoleDescriptor spSSODesc = generateSPMetadata(instancePublicURLPrefix); +			if (spSSODesc != null) +				entityDescriptor.getRoleDescriptors().add(spSSODesc); +		 +		} + +		//set metadata signature parameters +		Credential metadataSignCred = getMetadataSigningCredentials();		 +		Signature signature = getIDPSignature(metadataSignCred); +		SecurityHelper.prepareSignatureParams(signature, metadataSignCred, null, null); +		 +		 +		//initialize XML document builder +		DocumentBuilder builder; +		DocumentBuilderFactory factory = DocumentBuilderFactory +				.newInstance(); + +		builder = factory.newDocumentBuilder(); +		Document document = builder.newDocument(); +		 + +		//build entities descriptor +		if (buildEntitiesDescriptorAsRootElement()) { +			EntitiesDescriptor entitiesDescriptor =  +					SAML2Utils.createSAMLObject(EntitiesDescriptor.class);					 +			entitiesDescriptor.setName(getEntityFriendlyName()); +			entitiesDescriptor.setID(SAML2Utils.getSecureIdentifier());							 +			entitiesDescriptor.setValidUntil(date.plusHours(getMetadataValidUntil()));			 +			entitiesDescriptor.getEntityDescriptors().add(entityDescriptor); +			 +			entitiesDescriptor.setSignature(signature); +			 +			//marshall document +			Marshaller out = Configuration.getMarshallerFactory() +					.getMarshaller(entitiesDescriptor); +			out.marshall(entitiesDescriptor, document); +						 +		} else { +			entityDescriptor.setValidUntil(date.plusHours(getMetadataValidUntil())); +			 +			entityDescriptor.setSignature(signature); +			 +			//marshall document +			Marshaller out = Configuration.getMarshallerFactory() +					.getMarshaller(entityDescriptor); +			out.marshall(entityDescriptor, document); +			 +		} +		 +		//sign metadata +		Signer.signObject(signature); + +		//transform metadata object to XML string +		Transformer transformer = 
TransformerFactory.newInstance() +				.newTransformer(); + +		StringWriter sw = new StringWriter(); +		StreamResult sr = new StreamResult(sw); +		DOMSource source = new DOMSource(document); +		transformer.transform(source, sr); +		sw.close(); + +		return sw.toString(); +	} +	 +	 +	private RoleDescriptor generateSPMetadata(String instancePublicURLPrefix) throws CredentialsNotAvailableException, SecurityException, ConfigurationException {		 +		SPSSODescriptor spSSODescriptor = SAML2Utils.createSAMLObject(SPSSODescriptor.class); +		spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); +		spSSODescriptor.setAuthnRequestsSigned(true); +		spSSODescriptor.setWantAssertionsSigned(false); +	 +		KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); +		 +		//Set AuthRequest Signing certificate +		Credential authcredential = getRequestorResponseSigningCredentials(); +		if (authcredential == null) { +			Logger.warn("SP Metadata generation FAILED! --> Builder has NO request signing-credential. ");			 +			return null; +						 +		} else {			 +			KeyDescriptor signKeyDescriptor = SAML2Utils +					.createSAMLObject(KeyDescriptor.class); +			signKeyDescriptor.setUse(UsageType.SIGNING); +			signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential));	 +			spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); +			 +		} +		 +		//Set assertion encryption credentials		 +		Credential authEncCredential = getEncryptionCredentials();			 + +		if (authEncCredential != null) { +			KeyDescriptor encryKeyDescriptor = SAML2Utils +					.createSAMLObject(KeyDescriptor.class); +			encryKeyDescriptor.setUse(UsageType.ENCRYPTION); +			encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential));	 +			spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor); +			 +		} else { +			Logger.warn("No Assertion Encryption-Key defined. 
This setting is not recommended!"); +			 +		} + +		//check nameID formates +		if (getIDPPossibleNameITTypes() == null || getIDPPossibleNameITTypes().size() == 0) { +			Logger.warn("SP Metadata generation FAILED! --> Builder has NO provideable SAML2 nameIDFormats. "); +			return null; +			 +		} else { +			for (String format : getSPAllowedNameITTypes()) { +				NameIDFormat nameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); +				nameIDFormat.setFormat(format);		 +				spSSODescriptor.getNameIDFormats().add(nameIDFormat); +							 +			}			 +		} +		 + +		//add POST-Binding assertion consumer services +		if (MiscUtil.isNotEmpty(getSPAssertionConsumerServicePostBindingURL())) { +			AssertionConsumerService postassertionConsumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class);		 +			postassertionConsumerService.setIndex(0); +			postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); +			postassertionConsumerService.setLocation(instancePublicURLPrefix + getSPAssertionConsumerServicePostBindingURL());	 +			postassertionConsumerService.setIsDefault(true); +			spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService); +			 +		} +		 +		//add POST-Binding assertion consumer services +		if (MiscUtil.isNotEmpty(getSPAssertionConsumerServiceRedirectBindingURL())) { +			AssertionConsumerService redirectassertionConsumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class);		 +			redirectassertionConsumerService.setIndex(1); +			redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); +			redirectassertionConsumerService.setLocation(instancePublicURLPrefix + getSPAssertionConsumerServiceRedirectBindingURL()); +			spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService); +			 +		} +		 +		//validate WebSSO endpoints +		if (spSSODescriptor.getAssertionConsumerServices().size() == 0) { +			Logger.warn("SP Metadata generation FAILED! 
--> NO SAML2 AssertionConsumerService endpoint found. "); +			return null; +			 +		} +		 +		//add POST-Binding SLO descriptor +		if (MiscUtil.isNotEmpty(getSPSLOPostBindingURL())) { +			SingleLogoutService postSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class);			 +			postSLOService.setLocation(instancePublicURLPrefix + getSPSLOPostBindingURL()); +			postSLOService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); +			spSSODescriptor.getSingleLogoutServices().add(postSLOService); +			 +		} +		 +		//add POST-Binding SLO descriptor +		if (MiscUtil.isNotEmpty(getSPSLORedirectBindingURL())) { +			SingleLogoutService redirectSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class);			 +			redirectSLOService.setLocation(instancePublicURLPrefix + getSPSLORedirectBindingURL()); +			redirectSLOService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); +			spSSODescriptor.getSingleLogoutServices().add(redirectSLOService); +			 +		} +		 +		//add POST-Binding SLO descriptor +		if (MiscUtil.isNotEmpty(getSPSLOSOAPBindingURL())) { +			SingleLogoutService soapSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class);			 +			soapSLOService.setLocation(instancePublicURLPrefix + getSPSLOSOAPBindingURL()); +			soapSLOService.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); +			spSSODescriptor.getSingleLogoutServices().add(soapSLOService); +			 +		} +		 +		 +		//add required attributes +		List<RequestedAttribute> reqSPAttr = getSPRequiredAttributes(); +		AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class);		 +			 +		attributeService.setIndex(0); +		attributeService.setIsDefault(true); +		ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class); +		serviceName.setName(new LocalizedString("Default Service", "en")); +		attributeService.getNames().add(serviceName); + +		if (reqSPAttr != null && reqSPAttr.size() > 0) { +			Logger.debug("Add " + reqSPAttr.size() + " attributes 
to SP metadata"); +			attributeService.getRequestAttributes().addAll(reqSPAttr); +			 +		} else { +			Logger.debug("SP metadata contains NO requested attributes."); +			 +		} +			 +		spSSODescriptor.getAttributeConsumingServices().add(attributeService); +						 +		return spSSODescriptor; +	} +	 +	private IDPSSODescriptor generateIDPMetadata(String instancePublicURLPrefix) throws ConfigurationException, CredentialsNotAvailableException, SecurityException {					 +		//check response signing credential +		Credential responseSignCred = getRequestorResponseSigningCredentials(); +		if (responseSignCred == null) { +			Logger.warn("IDP Metadata generation FAILED! --> Builder has NO Response signing credential. ");			 +			return null; +			 +		} + +		//check nameID formates +		if (getIDPPossibleNameITTypes() == null || getIDPPossibleNameITTypes().size() == 0) { +			Logger.warn("IDP Metadata generation FAILED! --> Builder has NO provideable SAML2 nameIDFormats. "); +			return null; +			 +		} +				 +		// build SAML2 IDP-SSO descriptor element +		IDPSSODescriptor idpSSODescriptor = SAML2Utils +				.createSAMLObject(IDPSSODescriptor.class); + +		idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); + +		//set ass default value, because PVP 2.x specification defines this feature as MUST +		idpSSODescriptor.setWantAuthnRequestsSigned(true);			 +		 +		// add WebSSO descriptor for POST-Binding +		if (MiscUtil.isNotEmpty(getIDPWebSSOPostBindingURL())) { +			SingleSignOnService postSingleSignOnService = SAML2Utils.createSAMLObject(SingleSignOnService.class); +			postSingleSignOnService.setLocation(instancePublicURLPrefix + getIDPWebSSOPostBindingURL()); +			postSingleSignOnService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); +			idpSSODescriptor.getSingleSignOnServices().add(postSingleSignOnService); +						 +		} +		 +		// add WebSSO descriptor for Redirect-Binding +		if (MiscUtil.isNotEmpty(getIDPWebSSORedirectBindingURL())) { +			SingleSignOnService 
postSingleSignOnService = SAML2Utils.createSAMLObject(SingleSignOnService.class); +			postSingleSignOnService.setLocation(instancePublicURLPrefix + getIDPWebSSORedirectBindingURL()); +			postSingleSignOnService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); +			idpSSODescriptor.getSingleSignOnServices().add(postSingleSignOnService); +						 +		} +		 +		//add Single LogOut POST-Binding endpoing +		if (MiscUtil.isNotEmpty(getIDPSLOPostBindingURL())) { +			SingleLogoutService postSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class);			 +			postSLOService.setLocation(instancePublicURLPrefix + getIDPSLOPostBindingURL()); +			postSLOService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); +			idpSSODescriptor.getSingleLogoutServices().add(postSLOService); +			 +		} +		 +		//add Single LogOut Redirect-Binding endpoing +		if (MiscUtil.isNotEmpty(getIDPSLORedirectBindingURL())) { +			SingleLogoutService redirectSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class);			 +			redirectSLOService.setLocation(instancePublicURLPrefix + getIDPSLORedirectBindingURL()); +			redirectSLOService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); +			idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService); +			 +		} +		 +		//validate WebSSO endpoints +		if (idpSSODescriptor.getSingleSignOnServices().size() == 0) { +			Logger.warn("IDP Metadata generation FAILED! --> NO SAML2 SingleSignOnService endpoint found. 
"); +			return null; +			 +		} +				 +		//set assertion signing key +		KeyDescriptor signKeyDescriptor = SAML2Utils +				.createSAMLObject(KeyDescriptor.class); +		signKeyDescriptor.setUse(UsageType.SIGNING); +		KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); +		signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(getRequestorResponseSigningCredentials())); +		idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); + +		//set IDP attribute set +		idpSSODescriptor.getAttributes().addAll(getIDPPossibleAttributes()); +			 +		//set providable nameID formats +		for (String format : getIDPPossibleNameITTypes()) { +			NameIDFormat nameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); +			nameIDFormat.setFormat(format);		 +			idpSSODescriptor.getNameIDFormats().add(nameIDFormat); +						 +		} +			 +		return idpSSODescriptor; +		 +	} +	 +	private Signature getIDPSignature(Credential credentials) {		 +		PrivateKey privatekey = credentials.getPrivateKey();		 +		Signature signer = SAML2Utils.createSAMLObject(Signature.class); +		 +		if (privatekey instanceof RSAPrivateKey) { +			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); +			 +		} else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) { +			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1); + +		} else { +			Logger.warn("Could NOT evaluate the Private-Key type from " + credentials.getEntityId() + " credential."); +			 +			 +		} + +		signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);		 +		signer.setSigningCredential(credentials); +		return signer; +		 +	} +	 +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java index ebbafd4e3..9c097780b 100644 
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java @@ -25,7 +25,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder;  import java.util.ArrayList;  import java.util.Iterator;  import java.util.List; -import java.util.Set;  import javax.xml.parsers.DocumentBuilder;  import javax.xml.parsers.DocumentBuilderFactory; @@ -46,17 +45,18 @@ import org.opensaml.xml.signature.Signature;  import org.opensaml.xml.signature.SignatureConstants;  import org.opensaml.xml.signature.SignatureException;  import org.opensaml.xml.signature.Signer; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service;  import org.w3c.dom.Document;  import at.gv.egovernment.moa.id.config.ConfigurationException;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.SamlAttributeGenerator;  import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.Constants; 
@@ -65,9 +65,12 @@ import at.gv.egovernment.moa.util.Constants;   * @author tlenz   *   */ +@Service("AttributQueryBuilder")  public class AttributQueryBuilder { -	public static List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) { +	@Autowired IDPCredentialProvider credentialProvider; +	 +	public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) {  		Logger.debug("Build OA specific Attributes for AttributQuery request"); @@ -103,7 +106,7 @@ public class AttributQueryBuilder {  	} -	public static AttributeQuery buildAttributQueryRequest(String nameID,  +	public AttributeQuery buildAttributQueryRequest(String nameID,   			String endpoint, List<Attribute> requestedAttributes) throws AttributQueryException { @@ -136,7 +139,7 @@ public class AttributQueryBuilder {  			query.setDestination(endpoint); -			X509Credential idpSigningCredential = CredentialProvider.getIDPAssertionSigningCredential(); +			X509Credential idpSigningCredential = credentialProvider.getIDPAssertionSigningCredential();  			Signature signer = SAML2Utils.createSAMLObject(Signature.class);  			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index dbbc21ec9..959fc7d2d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -23,6 +23,7 @@  package at.gv.egovernment.moa.id.protocols.pvp2x.builder;  import java.security.NoSuchAlgorithmException; +import java.util.LinkedHashMap;  import java.util.List;  import javax.servlet.http.HttpServletRequest; 
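Review bot: `@Autowired IDPCredentialProvider credentialProvider;` is package-private, while the equivalent field added to SingleLogOutBuilder in this commit (`@@ -83,9 +90,12 @@`) is `@Autowired private`; injection works either way, but the package-private form hands the signing-credential provider to every class in the builder package. Declare it `@Autowired private IDPCredentialProvider credentialProvider;` for consistency and least exposure. Turning `buildSAML2AttributeList` and `buildAttributQueryRequest` into instance methods also breaks any static call site other than the one updated in AuthenticationDataBuilder, which is worth checking before merge. The class body continues outside the hunk.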
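Review bot: The AttributeQuery is still signed with `SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1` on the line directly after the changed credential lookup, whereas the SLO request built in this same commit (SingleLogOutBuilder, `@@ -236,7 +246,7 @@`) and the metadata signature use RSA-SHA256. Since the credential source is being reworked here anyway, this is the place to align the algorithm: `signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);`. Whether every federated IDP that receives the query accepts SHA-256 has to be confirmed, but leaving SHA-1 on a freshly refactored signing path is a weakness that will otherwise be carried forward. The enclosing method buildAttributQueryRequest starts and ends outside the hunk.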
@@ -57,14 +58,20 @@ import org.opensaml.xml.security.x509.X509Credential;  import org.opensaml.xml.signature.Signature;  import org.opensaml.xml.signature.SignatureConstants;  import org.opensaml.xml.signature.Signer; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service;  import org.w3c.dom.Document;  import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;  import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;  import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.data.ISLOInformationContainer;  import at.gv.egovernment.moa.id.data.SLOInformationContainer;  import at.gv.egovernment.moa.id.data.SLOInformationImpl;  import at.gv.egovernment.moa.id.opemsaml.MOAStringRedirectDeflateEncoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; @@ -74,7 +81,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescripto  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;  import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;  import at.gv.egovernment.moa.logging.Logger; 
@@ -83,9 +90,12 @@ import at.gv.egovernment.moa.logging.Logger;   * @author tlenz   *   */ +@Service("PVP_SingleLogOutBuilder")  public class SingleLogOutBuilder { -	public static void checkStatusCode(SLOInformationContainer sloContainer, LogoutResponse logOutResp) { +	@Autowired private IDPCredentialProvider credentialProvider; +	 +	public void checkStatusCode(ISLOInformationContainer sloContainer, LogoutResponse logOutResp) {  		Status status = logOutResp.getStatus();				  		if (!status.getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {  			String message = " Message: "; @@ -111,12 +121,12 @@ public class SingleLogOutBuilder {  	 * @param relayState  	 * @return   	 */ -	public static String getFrontChannelSLOMessageURL(String serviceURL, String bindingType, +	public String getFrontChannelSLOMessageURL(String serviceURL, String bindingType,  			RequestAbstractType sloReq, HttpServletRequest httpReq,  			HttpServletResponse httpResp, String relayState) throws MOAIDException {  		try { -			X509Credential credentials = CredentialProvider +			X509Credential credentials = credentialProvider  					.getIDPAssertionSigningCredential();  			Logger.debug("create SAML RedirectBinding response"); @@ -143,12 +153,12 @@ public class SingleLogOutBuilder {  		}		  	} -	public static String getFrontChannelSLOMessageURL(SingleLogoutService service, +	public String getFrontChannelSLOMessageURL(SingleLogoutService service,  			StatusResponseType sloResp, HttpServletRequest httpReq,  			HttpServletResponse httpResp, String relayState) throws MOAIDException {  		try { -			X509Credential credentials = CredentialProvider +			X509Credential credentials = credentialProvider  					.getIDPAssertionSigningCredential();  			Logger.debug("create SAML RedirectBinding response"); 
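Review bot: `checkStatusCode` now takes the `ISLOInformationContainer` interface, but `parseActiveOAs` and `parseActiveIDPs` added at the end of this file (`@@ -415,4 +425,91 @@`) still take the concrete `SLOInformationContainer`, so a caller that holds the interface has to downcast before it can use them. Unless those two methods rely on members only the implementation provides, widen them too, e.g. `public void parseActiveOAs(ISLOInformationContainer container, List<OASessionStore> dbOAs, String removeOAID)`. The class body continues outside the hunk.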
@@ -171,7 +181,7 @@ public class SingleLogOutBuilder {  		}		  	} -	public static void sendFrontChannelSLOMessage(SingleLogoutService consumerService,  +	public void sendFrontChannelSLOMessage(SingleLogoutService consumerService,   			LogoutResponse sloResp, HttpServletRequest req, HttpServletResponse resp,   			String relayState) throws MOAIDException {  		IEncoder binding = null; @@ -205,7 +215,7 @@ public class SingleLogOutBuilder {  	} -	public static LogoutRequest buildSLORequestMessage(SLOInformationImpl sloInfo) throws ConfigurationException, MOAIDException { +	public LogoutRequest buildSLORequestMessage(SLOInformationImpl sloInfo) throws ConfigurationException, MOAIDException {  		LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class);  		SecureRandomIdentifierGenerator gen; @@ -236,7 +246,7 @@ public class SingleLogOutBuilder {  		//sign message  		try { -			X509Credential idpSigningCredential = CredentialProvider.getIDPAssertionSigningCredential(); +			X509Credential idpSigningCredential = credentialProvider.getIDPAssertionSigningCredential();  			Signature signer = SAML2Utils.createSAMLObject(Signature.class);  			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); @@ -265,7 +275,7 @@ public class SingleLogOutBuilder {  		return sloReq;		  	} -	public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest, String firstLevelStatusCode) throws ConfigurationException, MOAIDException { +	public LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest, String firstLevelStatusCode) throws ConfigurationException, MOAIDException {  		LogoutResponse sloResp = buildBasicResponse(sloService, spRequest);  		Status status = SAML2Utils.createSAMLObject(Status.class); 
@@ -282,7 +292,7 @@ public class SingleLogOutBuilder {  		return sloResp;  	} -	public static LogoutResponse buildSLOResponseMessage(SingleLogoutService sloService, PVPTargetConfiguration spRequest, List<String> failedOAs) throws MOAIDException {		 +	public LogoutResponse buildSLOResponseMessage(SingleLogoutService sloService, PVPTargetConfiguration spRequest, List<String> failedOAs) throws MOAIDException {		  		LogoutResponse sloResp = buildBasicResponse(sloService, spRequest);  		Status status; @@ -307,7 +317,7 @@ public class SingleLogOutBuilder {  	} -	private static LogoutResponse buildBasicResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException { +	private LogoutResponse buildBasicResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException {  		LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class);		  		Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);		  		issuer.setValue(spRequest.getAuthURLWithOutSlash()); @@ -338,7 +348,7 @@ public class SingleLogOutBuilder {  	} -	public static SingleLogoutService getRequestSLODescriptor(String entityID) throws NOSLOServiceDescriptorException { +	public SingleLogoutService getRequestSLODescriptor(String entityID) throws NOSLOServiceDescriptorException {  		try {  			EntityDescriptor entity = MOAMetadataProvider.getInstance().getEntityDescriptor(entityID);  			SSODescriptor spsso = entity.getSPSSODescriptor(SAMLConstants.SAML20P_NS); 
@@ -379,7 +389,7 @@ public class SingleLogOutBuilder {  	} -	public static SingleLogoutService getResponseSLODescriptor(PVPTargetConfiguration spRequest) throws NoMetadataInformationException, NOSLOServiceDescriptorException { +	public SingleLogoutService getResponseSLODescriptor(PVPTargetConfiguration spRequest) throws NoMetadataInformationException, NOSLOServiceDescriptorException {  		MOARequest moaReq = (MOARequest) spRequest.getRequest();  		EntityDescriptor metadata = moaReq.getEntityMetadata();  		SSODescriptor ssodesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); 
@@ -415,4 +425,91 @@ public class SingleLogOutBuilder {  		return sloService;		  	} +	public void parseActiveOAs(SLOInformationContainer container,  +			List<OASessionStore> dbOAs, String removeOAID) {		 +		if (container.getActiveBackChannelOAs() == null) +			container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationImpl>());			 +		if (container.getActiveFrontChannalOAs() == null) +			container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationImpl>()); +			 +		 +		if (dbOAs != null) { +			for (OASessionStore oa : dbOAs) { +				if (!oa.getOaurlprefix().equals(removeOAID)) { +					 +					//Actually only PVP 2.1 support Single LogOut +					if (PVP2XProtocol.PATH.equals(oa.getProtocolType())) {					 +						SingleLogoutService sloDesc; +						try { +							sloDesc = getRequestSLODescriptor(oa.getOaurlprefix()); +						 +							if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI))										 +								container.getActiveBackChannelOAs().put(oa.getOaurlprefix(),  +										new SLOInformationImpl( +											oa.getAuthURL(),	 +											oa.getAssertionSessionID(),  +											oa.getUserNameID(),  +											oa.getUserNameIDFormat(),  +											oa.getProtocolType(), +											sloDesc)); +						 +							else +								container.getActiveFrontChannalOAs().put(oa.getOaurlprefix(),  +										new SLOInformationImpl( +											oa.getAuthURL(), +											oa.getAssertionSessionID(),  +											oa.getUserNameID(),  +											oa.getUserNameIDFormat(),  +											oa.getProtocolType(), +											sloDesc)); +							 +						} catch (NOSLOServiceDescriptorException e) { +							container.putFailedOA(oa.getOaurlprefix()); +													 +						} +					 +					} else +						container.putFailedOA(oa.getOaurlprefix()); +				} +			}			 +		}		 +	} + +	/** +	 * @param dbIDPs +	 * @param value +	 */ +	public void parseActiveIDPs(SLOInformationContainer container, +			List<InterfederationSessionStore> dbIDPs, String removeIDP) {	
	 +		if (container.getActiveBackChannelOAs() == null) +			container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationImpl>());			 +		if (container.getActiveFrontChannalOAs() == null) +			container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationImpl>()); +		 +		if (dbIDPs != null) { +			for (InterfederationSessionStore el : dbIDPs) {				 +				if (!el.getIdpurlprefix().equals(removeIDP)) { +					 +					SingleLogoutService sloDesc; +					try { +						sloDesc = getRequestSLODescriptor(el.getIdpurlprefix()); +					 +						container.getActiveFrontChannalOAs().put(el.getIdpurlprefix(),  +								new SLOInformationImpl( +										el.getAuthURL(), +										el.getSessionIndex(),  +										el.getUserNameID(),  +										NameID.TRANSIENT,  +										PVP2XProtocol.PATH, +										sloDesc)); +						 +					} catch (NOSLOServiceDescriptorException e) { +						container.putFailedOA(el.getIdpurlprefix()); +												 +					} +				}				 +			}			 +		}		 +	} +	  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index 47d7a29b3..bbf395a6f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -22,8 +22,6 @@   *******************************************************************************/  package at.gv.egovernment.moa.id.protocols.pvp2x.config; -import iaik.x509.X509Certificate; -  import java.io.IOException;  import java.net.URL;  import java.security.cert.CertificateException; 
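Review bot: The Javadoc on `parseActiveIDPs` lists `@param dbIDPs` and `@param value`, but the method's parameters are `container`, `dbIDPs` and `removeIDP`; either complete the tags or drop the stub. In `parseActiveOAs` both branches construct an identical `SLOInformationImpl` and differ only in the target map, so the object can be built once and the map chosen by binding, and writing the comparison constant-first (`SAMLConstants.SAML2_SOAP11_BINDING_URI.equals(sloDesc.getBinding())`) removes the NPE risk should a descriptor carry no binding. `parseActiveIDPs` hard-codes `NameID.TRANSIENT` as the name-ID format where `parseActiveOAs` reads `oa.getUserNameIDFormat()`; if InterfederationSessionStore genuinely stores no format, a one-line comment saying so would stop the next reader from treating it as a bug. The rewrite below needs `java.util.Map` imported alongside the `LinkedHashMap` import this commit adds.
```java
// … unchanged: null-initialisation of the two maps …
if (dbOAs != null) {
    for (OASessionStore oa : dbOAs) {
        if (oa.getOaurlprefix().equals(removeOAID)) {
            continue;
        }
        // Actually only PVP 2.1 supports Single LogOut
        if (!PVP2XProtocol.PATH.equals(oa.getProtocolType())) {
            container.putFailedOA(oa.getOaurlprefix());
            continue;
        }
        try {
            SingleLogoutService sloDesc = getRequestSLODescriptor(oa.getOaurlprefix());
            SLOInformationImpl sloInfo = new SLOInformationImpl(
                    oa.getAuthURL(),
                    oa.getAssertionSessionID(),
                    oa.getUserNameID(),
                    oa.getUserNameIDFormat(),
                    oa.getProtocolType(),
                    sloDesc);
            // SOAP (back-channel) endpoints and front-channel endpoints are tracked separately
            Map<String, SLOInformationImpl> target =
                    SAMLConstants.SAML2_SOAP11_BINDING_URI.equals(sloDesc.getBinding())
                            ? container.getActiveBackChannelOAs()
                            : container.getActiveFrontChannalOAs();
            target.put(oa.getOaurlprefix(), sloInfo);
        } catch (NOSLOServiceDescriptorException e) {
            container.putFailedOA(oa.getOaurlprefix());
        }
    }
}
// … unchanged: parseActiveIDPs …
```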
@@ -51,12 +49,11 @@ import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;  import at.gv.egovernment.moa.id.config.ConfigurationException;  import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.Base64Utils; -import at.gv.egovernment.moa.util.FileUtils;  import at.gv.egovernment.moa.util.MiscUtil; +import iaik.x509.X509Certificate;  public class PVPConfiguration { @@ -79,18 +76,6 @@ public class PVPConfiguration {  	public static final String PVP_CONFIG_FILE = "pvp2config.properties"; -	public static final String IDP_JAVAKEYSTORE = "idp.ks.file"; -	public static final String IDP_KS_PASS = "idp.ks.kspassword"; -	 -	public static final String IDP_KEYALIASMETADATA = "idp.ks.metadata.alias";	 -	public static final String IDP_KEY_PASSMETADATA = "idp.ks.metadata.keypassword"; - -	public static final String IDP_KEYALIASASSERTION = "idp.ks.assertion.sign.alias";	 -	public static final String IDP_KEY_PASSASSERTION = "idp.ks.assertion.sign.keypassword"; - -	public static final String IDP_KEYALIASENCRYTPION = "sp.ks.assertion.encryption.alias";	 -	public static final String IDP_KEY_PASSENCRYTPION = "sp.ks.assertion.encryption.keypassword"; -	  	public static final String IDP_ISSUER_NAME = "servicename";  	public static final String IDP_ORG_NAME = "name.short"; 
@@ -162,38 +147,6 @@ public class PVPConfiguration {  	public String getIDPSSOMetadataService(String publicURLPrefix) throws ConfigurationException {  		return publicURLPrefix + PVP2_METADATA;  	} - -	public String getIDPKeyStoreFilename() { -		return FileUtils.makeAbsoluteURL(props.getProperty(IDP_JAVAKEYSTORE), rootDir); -	} -	 -	public String getIDPKeyStorePassword() { -		return props.getProperty(IDP_KS_PASS).trim(); -	} - -	public String getIDPKeyAliasMetadata() { -		return props.getProperty(IDP_KEYALIASMETADATA).trim(); -	} - -	public String getIDPKeyPasswordMetadata() { -		return props.getProperty(IDP_KEY_PASSMETADATA).trim(); -	} -	 -	public String getIDPKeyAliasAssertionSign() { -		return props.getProperty(IDP_KEYALIASASSERTION).trim(); -	} - -	public String getIDPKeyPasswordAssertionSign() { -		return props.getProperty(IDP_KEY_PASSASSERTION).trim(); -	} - -	public String getIDPKeyAliasAssertionEncryption() { -		return props.getProperty(IDP_KEYALIASASSERTION).trim(); -	} - -	public String getIDPKeyPasswordAssertionEncryption() { -		return props.getProperty(IDP_KEY_PASSASSERTION).trim(); -	}  	public String getIDPIssuerName() throws ConfigurationException { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java new file mode 100644 index 000000000..e7df23d61 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java 
@@ -0,0 +1,186 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.signer; + +import java.security.KeyStore; + +import org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.security.x509.X509Credential; + +import at.gv.egovernment.moa.id.opemsaml.MOAKeyStoreX509CredentialAdapter; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.KeyStoreUtils; +import at.gv.egovernment.moa.util.MiscUtil; + +public abstract class AbstractCredentialProvider { +	 +	private static KeyStore keyStore = null; +	 +	/** +	 * Get a friendlyName for this keyStore implementation +	 * This friendlyName is used for logging +	 *  +	 * @return keyStore friendlyName +	 */ +	public abstract String getFriendlyName(); +	 +	/** +	 * Get KeyStore +	 *  +	 * @return URL to the keyStore +	 */ +	public abstract String getKeyStoreFilePath(); +	 +	/** +	 * Get keyStore password +	 *  +	 * @return Password of the keyStore +	 */ +	public abstract String getKeyStorePassword(); +	 +	/** +	 * Get alias of key for metadata signing +	 *  +	 * @return key alias +	 */ +	public abstract String getMetadataKeyAlias(); +	 +	/** +	 * Get password of key for metadata signing +	 *  +	 * @return key password +	 */ +	public abstract String getMetadataKeyPassword(); +	 +	/** +	 * Get alias of key for request/response signing +	 *  +	 * @return key alias +	 */ +	public abstract String getSignatureKeyAlias(); +	 +	/** +	 * Get password of key for request/response signing +	 *  +	 * @return key password +	 */ +	public abstract String getSignatureKeyPassword(); +	 +	/** +	 * Get alias of key for IDP response encryption +	 *  +	 * @return key alias +	 */ +	public abstract String getEncryptionKeyAlias(); +	 +	/** +	 * Get password of key for IDP response encryption +	 *  +	 * @return key password +	 */ +	public abstract String getEncryptionKeyPassword(); +	 +	 +	public X509Credential getIDPMetaDataSigningCredential() +	
		throws CredentialsNotAvailableException { +		try { +			 +			if (keyStore == null) +				keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(),  +						getKeyStorePassword()); + +			MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter( +					keyStore, getMetadataKeyAlias(), getMetadataKeyPassword().toCharArray()); + +			credentials.setUsageType(UsageType.SIGNING); +			if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { +				Logger.error(getFriendlyName() + " Metadata Signing credentials is not found or contains no PrivateKey."); +				throw new CredentialsNotAvailableException(getFriendlyName() + " Assertion Signing credentials (Alias: " +						+ getMetadataKeyAlias() + ") is not found or contains no PrivateKey.", null); +				 +			} +			return credentials; +		} catch (Exception e) { +			Logger.error("Failed to generate " + getFriendlyName() + " Metadata Signing credentials"); +			e.printStackTrace(); +			throw new CredentialsNotAvailableException(e.getMessage(), null); +		} +	} + +	public X509Credential getIDPAssertionSigningCredential() +			throws CredentialsNotAvailableException { +		try { +			if (keyStore == null) +				keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(),  +						getKeyStorePassword()); + +			MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter( +					keyStore, getSignatureKeyAlias(), getSignatureKeyPassword().toCharArray()); +			 +			credentials.setUsageType(UsageType.SIGNING); +			if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { +				Logger.error(getFriendlyName() + " Assertion Signing credentials is not found or contains no PrivateKey."); +				throw new CredentialsNotAvailableException(getFriendlyName() + " Assertion Signing credentials (Alias: " +						+ getSignatureKeyAlias() + ") is not found or contains no PrivateKey.", null); +				 +			} +			 +			return (X509Credential) credentials; +		} catch (Exception 
e) { +			Logger.error("Failed to generate " + getFriendlyName() + " Assertion Signing credentials"); +			e.printStackTrace(); +			throw new CredentialsNotAvailableException(e.getMessage(), null); +		} +	} +	 +	public X509Credential getIDPAssertionEncryptionCredential() +			throws CredentialsNotAvailableException { +		try { +			if (keyStore == null) +				keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(),  +						getKeyStorePassword()); + +			//if no encryption key is configured return null +			if (MiscUtil.isEmpty(getEncryptionKeyAlias())) +				return null; +			 +			MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter( +					keyStore, getEncryptionKeyAlias(), getEncryptionKeyPassword().toCharArray()); +			 +			credentials.setUsageType(UsageType.ENCRYPTION); +			 +			if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { +				Logger.error(getFriendlyName() + " Assertion Encryption credentials is not found or contains no PrivateKey."); +				throw new CredentialsNotAvailableException(getFriendlyName() + " Assertion Encryption credentials (Alias: " +						+ getEncryptionKeyAlias() + ") is not found or contains no PrivateKey.", null); +				 +			} +			 +			return (X509Credential) credentials; +		} catch (Exception e) { +			Logger.error("Failed to generate " + getFriendlyName() + " Assertion Encryption credentials"); +			e.printStackTrace(); +			throw new CredentialsNotAvailableException(e.getMessage(), null); +		} +	} +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java deleted file mode 100644 index d76e6c2f1..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java +++ /dev/null 
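Review bot: `private static KeyStore keyStore = null;` is shared by every subclass of this abstract class, yet the path and password it is loaded from come from the per-subclass `getKeyStoreFilePath()` and `getKeyStorePassword()`; the first provider to initialise caches its store and any second subclass with a different key store would silently resolve its aliases against the wrong file. Make it an instance field, `private KeyStore keyStore = null;`, and put the lazy load in one `synchronized` helper, since the three credential methods currently race on the null check. `throw new CredentialsNotAvailableException(e.getMessage(), null)` preceded by `e.printStackTrace()` drops the cause chain from the logged error; if the exception type offers a cause-taking constructor, pass `e` so the real failure reason reaches the log. The error text in `getIDPMetaDataSigningCredential` still reads "Assertion Signing credentials (Alias: …)" for the metadata key, which will mislead whoever debugs a metadata signing problem.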
@@ -1,198 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. 
- *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.signer; - -import java.security.KeyStore; -import java.security.PrivateKey; -import java.security.interfaces.RSAPrivateKey; - -import org.opensaml.xml.security.credential.Credential; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.x509.BasicX509Credential; -import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; -import org.opensaml.xml.security.x509.X509Credential; -import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.SignatureConstants; - -import at.gv.egovernment.moa.id.opemsaml.MOAKeyStoreX509CredentialAdapter; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.KeyStoreUtils; -import at.gv.egovernment.moa.util.MiscUtil; - -public class CredentialProvider { -	 -	private static KeyStore keyStore = null; -	 -	public static X509Credential getIDPMetaDataSigningCredential() -			throws CredentialsNotAvailableException { -		PVPConfiguration config = PVPConfiguration.getInstance(); -		try { -			 -			if (keyStore == null) -				keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(),  -						config.getIDPKeyStorePassword()); - -			MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter( -					keyStore, config.getIDPKeyAliasMetadata(), config -							.getIDPKeyPasswordMetadata().toCharArray()); - -			credentials.setUsageType(UsageType.SIGNING); -			if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { -				Logger.error("IDP Metadata Signing credentials is not found or contains no PrivateKey."); -				throw new CredentialsNotAvailableException("IDP Assertion Signing credentials (Alias: " -						+ config.getIDPKeyAliasMetadata() 
+ ") is not found or contains no PrivateKey.", null);
-				
-			}
-			return credentials;
-		} catch (Exception e) {
-			Logger.error("Failed to generate IDP Metadata Signing credentials");
-			e.printStackTrace();
-			throw new CredentialsNotAvailableException(e.getMessage(), null);
-		}
-	}
-
-	public static X509Credential getIDPAssertionSigningCredential()
-			throws CredentialsNotAvailableException {
-		PVPConfiguration config = PVPConfiguration.getInstance();
-		try {
-			if (keyStore == null)
-				keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(), 
-						config.getIDPKeyStorePassword());
-
-			MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
-					keyStore, config.getIDPKeyAliasAssertionSign(), config
-							.getIDPKeyPasswordAssertionSign().toCharArray());
-			
-			credentials.setUsageType(UsageType.SIGNING);
-			if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) {
-				Logger.error("IDP Assertion Signing credentials is not found or contains no PrivateKey.");
-				throw new CredentialsNotAvailableException("IDP Assertion Signing credentials (Alias: "
-						+ config.getIDPKeyAliasAssertionSign() + ") is not found or contains no PrivateKey.", null);
-				
-			}
-			
-			return (X509Credential) credentials;
-		} catch (Exception e) {
-			Logger.error("Failed to generate IDP Assertion Signing credentials");
-			e.printStackTrace();
-			throw new CredentialsNotAvailableException(e.getMessage(), null);
-		}
-	}
-	
-	public static X509Credential getIDPAssertionEncryptionCredential()
-			throws CredentialsNotAvailableException {
-		PVPConfiguration config = PVPConfiguration.getInstance();
-		try {
-			if (keyStore == null)
-				keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(), 
-						config.getIDPKeyStorePassword());
-
-			//if no encryption key is configured return null
-			if (MiscUtil.isEmpty(config.getIDPKeyAliasAssertionEncryption()))
-				return null;
-			
-			MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
-					keyStore, config.getIDPKeyAliasAssertionEncryption(), config
-							.getIDPKeyPasswordAssertionEncryption().toCharArray());
-			
-			credentials.setUsageType(UsageType.ENCRYPTION);
-			
-			if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) {
-				Logger.error("IDP Assertion Encryption credentials is not found or contains no PrivateKey.");
-				throw new CredentialsNotAvailableException("IDP Assertion Encryption credentials (Alias: "
-						+ config.getIDPKeyAliasAssertionEncryption() + ") is not found or contains no PrivateKey.", null);
-				
-			}
-			
-			return (X509Credential) credentials;
-		} catch (Exception e) {
-			Logger.error("Failed to generate IDP Assertion Encryption credentials");
-			e.printStackTrace();
-			throw new CredentialsNotAvailableException(e.getMessage(), null);
-		}
-	}
-	
-	public static Signature getIDPSignature(Credential credentials) {
-		
-		PrivateKey privatekey = credentials.getPrivateKey();
-		
-		Signature signer = SAML2Utils.createSAMLObject(Signature.class);
-		
-		if (privatekey instanceof RSAPrivateKey) {
-			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
-			
-		} else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) {
-			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1);
-
-		} else {
-			Logger.warn("Could NOT evaluate the Private-Key type from PVP credential.");
-			
-		}
-
-		signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);		
-		signer.setSigningCredential(credentials);
-		return signer;
-		
-	}
-
-	public static Credential getSPTrustedCredential(String entityID)
-			throws CredentialsNotAvailableException {
-
-		iaik.x509.X509Certificate cert = PVPConfiguration.getInstance()
-				.getTrustEntityCertificate(entityID);
-		
-		if (cert == null) {
-			throw new CredentialsNotAvailableException("ServiceProvider Certificate can not be loaded from Database", null);
-		}
-		
-		BasicX509Credential credential = new BasicX509Credential();
-		credential.setEntityId(entityID);
-		credential.setUsageType(UsageType.SIGNING);
-		credential.setPublicKey(cert.getPublicKey());
-
-		return credential;
-	}
-	/*
-	 * public static Credential getTrustedCredential() throws
-	 * CredentialsNotAvailableException { String filename =
-	 * PVPConfiguration.getInstance().getTrustEntityCertificate("sp.crt");
-	 * 
-	 * iaik.x509.X509Certificate cert; try { cert = new X509Certificate(new
-	 * FileInputStream(new File(filename))); } catch (CertificateException e) {
-	 * e.printStackTrace(); throw new
-	 * CredentialsNotAvailableException(e.getMessage(), null); } catch
-	 * (FileNotFoundException e) { e.printStackTrace(); throw new
-	 * CredentialsNotAvailableException(e.getMessage(), null); } catch
-	 * (IOException e) { e.printStackTrace(); throw new
-	 * CredentialsNotAvailableException(e.getMessage(), null); }
-	 * 
-	 * BasicX509Credential credential = new BasicX509Credential();
-	 * credential.setEntityId("sp.crt");
-	 * credential.setUsageType(UsageType.SIGNING);
-	 * credential.setPublicKey(cert.getPublicKey());
-	 * 
-	 * return credential; }
-	 */
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java
new file mode 100644
index 000000000..8fb4ec3cf
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java
@@ -0,0 +1,150 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.signer;
+
+import java.util.Properties;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
+import at.gv.egovernment.moa.util.FileUtils;
+
+@Service("IDPCredentialProvider")
+public class IDPCredentialProvider extends AbstractCredentialProvider {	
+	public static final String IDP_JAVAKEYSTORE = "idp.ks.file";
+	public static final String IDP_KS_PASS = "idp.ks.kspassword";
+	
+	public static final String IDP_KEYALIASMETADATA = "idp.ks.metadata.alias";	
+	public static final String IDP_KEY_PASSMETADATA = "idp.ks.metadata.keypassword";
+
+	public static final String IDP_KEYALIASASSERTION = "idp.ks.assertion.sign.alias";	
+	public static final String IDP_KEY_PASSASSERTION = "idp.ks.assertion.sign.keypassword";
+
+	public static final String IDP_KEYALIASENCRYTPION = "sp.ks.assertion.encryption.alias";	
+	public static final String IDP_KEY_PASSENCRYTPION = "sp.ks.assertion.encryption.keypassword";
+	
+	
+	private @Autowired AuthConfiguration authConfig;	
+	private Properties props = null;
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStoreFilePath()
+	 */
+	@Override
+	public String getKeyStoreFilePath() {
+		if (props == null)
+			props = authConfig.getGeneralPVP2ProperiesConfig();
+		
+		return FileUtils.makeAbsoluteURL(
+					props.getProperty(IDP_JAVAKEYSTORE), 
+					authConfig.getRootConfigFileDir());
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStorePassword()
+	 */
+	@Override
+	public String getKeyStorePassword() {
+		if (props == null)
+			props = authConfig.getGeneralPVP2ProperiesConfig();
+		
+		return props.getProperty(IDP_KS_PASS).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyAlias()
+	 */
+	@Override
+	public String getMetadataKeyAlias() {
+		if (props == null)
+			props = authConfig.getGeneralPVP2ProperiesConfig();
+		
+		return props.getProperty(IDP_KEYALIASMETADATA).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyPassword()
+	 */
+	@Override
+	public String getMetadataKeyPassword() {
+		if (props == null)
+			props = authConfig.getGeneralPVP2ProperiesConfig();
+		
+		return props.getProperty(IDP_KEY_PASSMETADATA).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyAlias()
+	 */
+	@Override
+	public String getSignatureKeyAlias() {
+		if (props == null)
+			props = authConfig.getGeneralPVP2ProperiesConfig();
+		
+		return props.getProperty(IDP_KEYALIASASSERTION).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyPassword()
+	 */
+	@Override
+	public String getSignatureKeyPassword() {
+		if (props == null)
+			props = authConfig.getGeneralPVP2ProperiesConfig();
+		
+		return props.getProperty(IDP_KEY_PASSASSERTION).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyAlias()
+	 */
+	@Override
+	public String getEncryptionKeyAlias() {
+		if (props == null)
+			props = authConfig.getGeneralPVP2ProperiesConfig();
+		
+		return props.getProperty(IDP_KEYALIASENCRYTPION).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyPassword()
+	 */
+	@Override
+	public String getEncryptionKeyPassword() {
+		if (props == null)
+			props = authConfig.getGeneralPVP2ProperiesConfig();
+		
+		return props.getProperty(IDP_KEYALIASENCRYTPION).trim();
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getCredentialName()
+	 */
+	@Override
+	public String getFriendlyName() {
+		return "IDP";
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
index 69c760f19..4650327b4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
@@ -29,6 +29,8 @@ import org.opensaml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.security.SAMLSignatureProfileValidator;
 import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.x509.BasicX509Credential;
 import org.opensaml.xml.signature.SignatureValidator;
 import org.opensaml.xml.validation.ValidationException;
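Review bot: `getEncryptionKeyPassword()` returns `props.getProperty(IDP_KEYALIASENCRYTPION).trim()`, i.e. the alias property rather than the password property, so the encryption key would be opened with its alias as the key password; it should read `return props.getProperty(IDP_KEY_PASSENCRYTPION).trim();`. Every accessor in this class calls `.trim()` on the raw property, which throws a NullPointerException when the key is absent — the encryption alias in particular was optional in the removed `getIDPAssertionEncryptionCredential` (it returned null when empty), so a missing value now surfaces as an NPE instead of "not configured"; returning the untrimmed value and letting the superclass decide, or guarding with a null check, keeps that behaviour. The two encryption constants use the `sp.ks.` prefix while every other key is `idp.ks.`; this may be deliberate, but it is worth confirming against the configuration template since the old code read these from `PVPConfiguration`. The `@see` on `getFriendlyName()` still points at `#getCredentialName()`, and `props` is lazily initialised in a singleton `@Service` without synchronisation — harmless beyond a possible double load, but a one-line comment such as `// lazy-loaded once; benign if two threads race` would save the next reader a question.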
@@ -37,9 +39,10 @@ import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Base64Utils;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -83,8 +86,7 @@ public class EntityVerifier {
 			throw new SAMLRequestNotSignedException(e);
 		}
-		Credential credential = CredentialProvider
-				.getSPTrustedCredential(entityDescriptor.getEntityID());
+		Credential credential = getSPTrustedCredential(entityDescriptor.getEntityID());
 		if (credential == null) {
 			throw new NoCredentialsException(entityDescriptor.getEntityID());
 		}
@@ -171,8 +173,7 @@ public class EntityVerifier {
 						+ " entryID is used to select the certificate to perform Metadata verification.");
 			}
-			Credential credential = CredentialProvider
-					.getSPTrustedCredential(entities.get(0).getEntityID());
+			Credential credential = getSPTrustedCredential(entities.get(0).getEntityID());
 			if (credential == null) {
 				throw new NoCredentialsException("moaID IDP");
@@ -188,5 +189,23 @@ public class EntityVerifier {
 			}
 		}
 	}
+	
+	public static Credential getSPTrustedCredential(String entityID)
+			throws CredentialsNotAvailableException {
+
+		iaik.x509.X509Certificate cert = PVPConfiguration.getInstance()
+				.getTrustEntityCertificate(entityID);
+		
+		if (cert == null) {
+			throw new CredentialsNotAvailableException("ServiceProvider Certificate can not be loaded from Database", null);
+		}
+		
+		BasicX509Credential credential = new BasicX509Credential();
+		credential.setEntityId(entityID);
+		credential.setUsageType(UsageType.SIGNING);
+		credential.setPublicKey(cert.getPublicKey());
+
+		return credential;
+	}
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 812e27a36..cc7afa842 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
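Review bot: The `if (credential == null)` checks that survive at both call sites (the hunks at old lines 83 and 171 of this file) are unreachable, because the new `getSPTrustedCredential` throws `CredentialsNotAvailableException` when no certificate is found instead of returning null; either drop the dead checks and make sure that exception is handled on the callers' path, or `return null;` here so the existing `NoCredentialsException` branch reports the missing certificate as before. The credential is assembled from the public key of whatever `PVPConfiguration.getTrustEntityCertificate(entityID)` hands back; nothing in this method checks the certificate's validity period, so if that is expected to happen before signature verification it has to be guaranteed by the configuration layer — a comment stating that assumption would help. A short Javadoc would also be useful, e.g. `/** Builds a SIGNING-usage credential from the trust certificate configured for entityID; throws if none is configured. */`.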
@@ -22,55 +22,34 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
-import java.util.ArrayList;
-import java.util.List;
-
 import javax.xml.namespace.QName;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.validation.Schema;
 import javax.xml.validation.Validator;
-import org.joda.time.DateTime;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.common.xml.SAMLSchemaBuilder;
-import org.opensaml.saml2.core.Conditions;
-import org.opensaml.saml2.core.EncryptedAssertion;
 import org.opensaml.saml2.core.RequestAbstractType;
-import org.opensaml.saml2.core.Response;
-import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.core.StatusResponseType;
-import org.opensaml.saml2.encryption.Decrypter;
-import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
 import org.opensaml.saml2.metadata.IDPSSODescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.security.MetadataCriteria;
 import org.opensaml.security.SAMLSignatureProfileValidator;
-import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
-import org.opensaml.xml.encryption.DecryptionException;
-import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
-import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
 import org.opensaml.xml.security.CriteriaSet;
 import org.opensaml.xml.security.credential.UsageType;
 import org.opensaml.xml.security.criteria.EntityIDCriteria;
 import org.opensaml.xml.security.criteria.UsageCriteria;
-import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
-import org.opensaml.xml.security.x509.X509Credential;
 import org.opensaml.xml.signature.SignatureTrustEngine;
 import org.opensaml.xml.validation.ValidationException;
 import org.w3c.dom.Element;
 import org.xml.sax.SAXException;
 import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -179,114 +158,114 @@ public class SAMLVerificationEngine {
 		}
 	}
-	public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption {
-		try {
-			if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
-				List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
-				
-				List<String> allowedPublicURLPrefix = 
-						AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
-				boolean isValidDestination = false;
-				for (String allowedPreFix : allowedPublicURLPrefix) {
-					if (validateDestination && samlResp.getDestination().startsWith(
-							allowedPreFix)) {
-							isValidDestination = true;
-							break;
-					
-					}
-				}
-				if (!isValidDestination) {
-					Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
-					throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);					
-					
-				}
-				
-				//check encrypted Assertion
-				List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions();
-				if (encryAssertionList != null && encryAssertionList.size() > 0) {
-					//decrypt assertions
-					
-					Logger.debug("Found encryped assertion. Start decryption ...");
-									
-					X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential();
-									
-					StaticKeyInfoCredentialResolver skicr =
-							  new StaticKeyInfoCredentialResolver(authDecCredential);
-					
-					ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
-					encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
-					encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
-					encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
-					
-					Decrypter samlDecrypter =
-							  new Decrypter(null, skicr, encryptedKeyResolver);
-					
-					for (EncryptedAssertion encAssertion : encryAssertionList) {							
-						saml2assertions.add(samlDecrypter.decrypt(encAssertion));
-	
-					}
-					
-					Logger.debug("Assertion decryption finished. ");
-					
-				} else {
-					saml2assertions.addAll(samlResp.getAssertions());
-			
-				}
-				
-				List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();				
-				for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
-					
-					try {
-						performSchemaValidation(saml2assertion.getDOM());
-											
-						Conditions conditions = saml2assertion.getConditions();
-					DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
-					DateTime notafter = conditions.getNotOnOrAfter();
-					if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
-						Logger.warn("PVP2 Assertion is out of Date. "
-								+ "{ Current : " + new DateTime() 
-								+ " NotBefore: " + notbefore 
-								+ " NotAfter : " + notafter
-								+ " }");;
-											
-						} else {
-							validatedassertions.add(saml2assertion);
-						
-						}
-						
-					} catch (SchemaValidationException e) {
-						
-					}
-				}
-				
-				if (validatedassertions.isEmpty()) {
-					Logger.info("No valid PVP 2.1 assertion received.");
-					throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null);
-				}
-					
-				samlResp.getAssertions().clear();
-				samlResp.getEncryptedAssertions().clear();
-				samlResp.getAssertions().addAll(validatedassertions);
-				
-			} else {
-				Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " 
-						+ samlResp.getStatus().getStatusCode().getValue());
-				throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode " 
-						+ samlResp.getStatus().getStatusCode().getValue(), null);
-			}
-			
-		} catch (CredentialsNotAvailableException e) {
-			Logger.warn("Assertion decrypt FAILED - No Credentials", e);
-			throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e);
-			
-		} catch (DecryptionException e) {
-			Logger.warn("Assertion decrypt FAILED.", e);
-			throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e);
-			
-		} catch (ConfigurationException e) {
-			throw new AssertionValidationExeption("pvp.12", null, e);
-		} 		
-	}
+//	public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption {
+//		try {
+//			if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+//				List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
+//				
+//				List<String> allowedPublicURLPrefix = 
+//						AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+//				boolean isValidDestination = false;
+//				for (String allowedPreFix : allowedPublicURLPrefix) {
+//					if (validateDestination && samlResp.getDestination().startsWith(
+//							allowedPreFix)) {
+//							isValidDestination = true;
+//							break;
+//					
+//					}
+//				}
+//				if (!isValidDestination) {
+//					Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
+//					throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);					
+//					
+//				}
+//				
+//				//check encrypted Assertion
+//				List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions();
+//				if (encryAssertionList != null && encryAssertionList.size() > 0) {
+//					//decrypt assertions
+//					
+//					Logger.debug("Found encryped assertion. Start decryption ...");
+//									
+//					X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential();
+//									
+//					StaticKeyInfoCredentialResolver skicr =
+//							  new StaticKeyInfoCredentialResolver(authDecCredential);
+//					
+//					ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+//					encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
+//					encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
+//					encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
+//					
+//					Decrypter samlDecrypter =
+//							  new Decrypter(null, skicr, encryptedKeyResolver);
+//					
+//					for (EncryptedAssertion encAssertion : encryAssertionList) {							
+//						saml2assertions.add(samlDecrypter.decrypt(encAssertion));
+//	
+//					}
+//					
+//					Logger.debug("Assertion decryption finished. ");
+//					
+//				} else {
+//					saml2assertions.addAll(samlResp.getAssertions());
+//			
+//				}
+//				
+//				List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();				
+//				for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
+//					
+//					try {
+//						performSchemaValidation(saml2assertion.getDOM());
+//											
+//						Conditions conditions = saml2assertion.getConditions();
+//					DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
+//					DateTime notafter = conditions.getNotOnOrAfter();
+//					if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
+//						Logger.warn("PVP2 Assertion is out of Date. "
+//								+ "{ Current : " + new DateTime() 
+//								+ " NotBefore: " + notbefore 
+//								+ " NotAfter : " + notafter
+//								+ " }");;
+//											
+//						} else {
+//							validatedassertions.add(saml2assertion);
+//						
+//						}
+//						
+//					} catch (SchemaValidationException e) {
+//						
+//					}
+//				}
+//				
+//				if (validatedassertions.isEmpty()) {
+//					Logger.info("No valid PVP 2.1 assertion received.");
+//					throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null);
+//				}
+//					
+//				samlResp.getAssertions().clear();
+//				samlResp.getEncryptedAssertions().clear();
+//				samlResp.getAssertions().addAll(validatedassertions);
+//				
+//			} else {
+//				Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " 
+//						+ samlResp.getStatus().getStatusCode().getValue());
+//				throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode " 
+//						+ samlResp.getStatus().getStatusCode().getValue(), null);
+//			}
+//			
+//		} catch (CredentialsNotAvailableException e) {
+//			Logger.warn("Assertion decrypt FAILED - No Credentials", e);
+//			throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e);
+//			
+//		} catch (DecryptionException e) {
+//			Logger.warn("Assertion decrypt FAILED.", e);
+//			throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e);
+//			
+//		} catch (ConfigurationException e) {
+//			throw new AssertionValidationExeption("pvp.12", null, e);
+//		} 		
+//	}
 	private static void performSchemaValidation(Element source) throws SchemaValidationException {
diff --git a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
index dcaeb42c3..abb9720a7 100644
--- a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
+++ b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
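Review bot: Commenting out `validateAssertion` removes every check it performed on an inbound PVP `Response` — the `StatusCode.SUCCESS_URI` test, the `Destination` match against the configured public URL prefixes, the `Conditions` NotBefore/NotOnOrAfter window and the decryption of `EncryptedAssertion`s — and the one caller visible in this commit (`AuthenticationDataBuilder`, now carrying "TODO: find better solution") is commented out as well, so as far as this diff shows interfederation responses are accepted on `verifyIDPResponse`'s signature check alone. If the blocker is only the static `CredentialProvider.getIDPAssertionEncryptionCredential()` lookup, the method can stay in place by taking the credential as a parameter, `public static void validateAssertion(Response samlResp, boolean validateDestination, X509Credential authDecCredential) throws AssertionValidationExeption`, deleting the `CredentialProvider` line, and letting the caller obtain the credential from the new `IDPCredentialProvider` bean. Leaving roughly 110 lines of `//`-prefixed code in the file is also a maintenance hazard in its own right; the history already lives in git. The enclosing class continues outside this hunk.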
@@ -44,27 +44,35 @@
 <!-- Authentication Process Tasks -->
 	<bean id="GenerateBKUSelectionFrameTask" 
-				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.GenerateBKUSelectionFrameTask"/>
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.GenerateBKUSelectionFrameTask"
+				scope="prototype"/>
 	<bean id="EvaluateBKUSelectionTask" 
-				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.EvaluateBKUSelectionTask"/>
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.EvaluateBKUSelectionTask"
+				scope="prototype"/>
 	<bean id="RestartAuthProzessManagement" 
-				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.RestartAuthProzessManagement"/>				
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.RestartAuthProzessManagement"
+				scope="prototype"/>				
 	<bean id="FinalizeAuthenticationTask" 
-				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.FinalizeAuthenticationTask"/>
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.FinalizeAuthenticationTask"
+				scope="prototype"/>
 	<bean id="CreateInterfedeartionRequestTask" 
-				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.CreateInterfedeartionRequestTask"/>				
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.CreateInterfedeartionRequestTask"
+				scope="prototype"/>				
 	<bean id="ReceiveInterfederationResponseTask" 
-				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.ReceiveInterfederationResponseTask"/>				
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.ReceiveInterfederationResponseTask"
+				scope="prototype"/>				
 	<bean id="GenerateSSOConsentEvaluatorFrameTask" 
-				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.GenerateSSOConsentEvaluatorFrameTask"/>
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.GenerateSSOConsentEvaluatorFrameTask"
+				scope="prototype"/>
 	<bean id="EvaluateSSOConsentsTaskImpl" 
-				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.EvaluateSSOConsentsTaskImpl"/>								
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.EvaluateSSOConsentsTaskImpl"
+				scope="prototype"/>								
 </beans>
\ No newline at end of file | 
