Diffstat (limited to 'id/server/idserverlib/src/main')
4 files changed, 253 insertions, 34 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index e86db4a5c..5ffff2787 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -1508,6 +1508,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( session.getPublicOAURLPrefix()); boolean useUTC = oaParam.getUseUTC(); + boolean useCondition = oaParam.getUseCondition(); + int conditionLength = oaParam.getConditionLength(); // builds authentication data and stores it together with a SAML artifact AuthenticationData authData = buildAuthenticationData(session, vsresp, useUTC); @@ -1532,7 +1534,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.getBkuURL(), session.getAssertionSignerCertificateBase64(), session.getAssertionBusinessService(), - session.getExtendedSAMLAttributesOA()); + session.getExtendedSAMLAttributesOA(), + useCondition, + conditionLength); authData.setSamlAssertion(samlAssertion); String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile"); @@ -1661,11 +1665,15 @@ public class AuthenticationServer implements MOAIDAuthConstants { // e.printStackTrace(); // } String mandateData = null; + boolean useCondition = false; + int conditionLength = -1; try { OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( session.getPublicOAURLPrefix()); boolean provideStammzahl = oaParam.getProvideStammzahl(); + useCondition = oaParam.getUseCondition(); + conditionLength = oaParam.getConditionLength(); if (!provideStammzahl) { String isPrPerson = mandatePerson.getAttribute("xsi:type"); 
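Review bot: In hunk @@ -1661 `useCondition` is initialised to `false` and `conditionLength` to `-1` before the `try`, so if the `OAAuthParameter` lookup inside the `try` fails and the catch block (outside this hunk) does not rethrow, the mandate assertion is issued without a `saml:Conditions` element even for an online application configured to require one. Whether that path is reachable depends on the catch block, which is not visible; if it only logs, the safer behaviour is to fail the request rather than fall back to an assertion with no validity window. A short comment on the two declarations, e.g. `// defaults only apply if the OA parameters cannot be read; see catch below`, would at least make the intended fallback explicit. The same two-line lookup is repeated in hunks @@ -1508 and @@ -1799 of this file, and the enclosing method starts before and ends after this hunk.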
@@ -1686,6 +1694,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}); } + String samlAssertion = new AuthenticationDataAssertionBuilder().buildMandate( authData, @@ -1697,7 +1706,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.getAssertionSignerCertificateBase64(), session.getAssertionBusinessService(), session.getSourceID(), - session.getExtendedSAMLAttributesOA()); + session.getExtendedSAMLAttributesOA(), + useCondition, + conditionLength); authData.setSamlAssertion(samlAssertion); String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile"); @@ -1799,6 +1810,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( session.getPublicOAURLPrefix()); boolean useUTC = oaParam.getUseUTC(); + boolean useCondition = oaParam.getUseCondition(); + int conditionLength = oaParam.getConditionLength(); AuthenticationData authData = buildAuthenticationData(session, vsresp, useUTC); @@ -1811,7 +1824,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.getBkuURL(), session.getAssertionSignerCertificateBase64(), session.getAssertionBusinessService(), - session.getExtendedSAMLAttributesOA()); + session.getExtendedSAMLAttributesOA(), + useCondition, + conditionLength); authData.setSamlAssertion(samlAssertion); String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java index b9e44544d..0742261a7 100644 
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.auth.builder; import java.text.MessageFormat; +import java.util.Calendar; import java.util.List; import at.gv.egovernment.moa.id.BuildException; @@ -32,6 +33,7 @@ import at.gv.egovernment.moa.id.ParseException; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DateTimeUtils; import at.gv.egovernment.moa.util.StringUtils; /** @@ -42,6 +44,10 @@ import at.gv.egovernment.moa.util.StringUtils; * @version $Id$ */ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionBuilder implements Constants { + + /** 5 minutes (=300 seconds) default length of the assertion */ + private static int DEFAULT_CONDITIONS_LENGTH = 300; + /** private static String NL contains the NewLine representation in Java*/ private static final String NL = "\n"; /** 
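Review bot: `DEFAULT_CONDITIONS_LENGTH` is declared `private static int` without `final`, so a mutable class-wide default sits right next to the `private static final String NL` constant; it should be `private static final int DEFAULT_CONDITIONS_LENGTH = 300;`. The Javadoc could also say what the value is a default for, e.g. `/** default validity window of a saml:Conditions element in seconds (5 minutes), used when the OA supplies no positive conditionLength */`.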
@@ -76,6 +82,38 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB "</saml:Assertion>"; /** + * XML template for the <code><saml:Assertion></code> to be built (with Conditions) + */ + private static final String AUTH_DATA_WITH_CONDITIONS = + "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>" + NL + + "<saml:Assertion xmlns:saml=''" + SAML_NS_URI + "'' xmlns:pr=''" + PD_NS_URI + "'' xmlns:xsi=''" + XSI_NS_URI + "''" + + " xmlns:si=''" + XSI_NS_URI + "''" + + " MajorVersion=''1'' MinorVersion=''0'' AssertionID=''{0}'' Issuer=''{1}'' IssueInstant=''{2}''>" + NL + + "<saml:Conditions NotBefore=''{3}'' NotOnOrAfter=''{4}''/>" + NL + + " <saml:AttributeStatement>" + NL + + " <saml:Subject>" + NL + + " <saml:NameIdentifier NameQualifier=''{5}''>{6}</saml:NameIdentifier>" + NL + + " <saml:SubjectConfirmation>" + NL + + " <saml:ConfirmationMethod>" + MOA_NS_URI + "cm</saml:ConfirmationMethod>" + NL + + " <saml:SubjectConfirmationData>{7}{8}</saml:SubjectConfirmationData>" + NL + + " </saml:SubjectConfirmation>" + NL + + " </saml:Subject>" + NL + + " <saml:Attribute AttributeName=''PersonData'' AttributeNamespace=''" + PD_NS_URI + "''>" + NL + + " <saml:AttributeValue>{9}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''isQualifiedCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{10}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{11}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + "{12}" + + "{13}" + + "{14}" + + " </saml:AttributeStatement>" + NL + + "</saml:Assertion>"; + + /** * XML template for the <code><saml:Assertion></code> to be built */ private static final String AUTH_DATA_MANDATE = 
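Review bot: `AUTH_DATA_WITH_CONDITIONS` repeats the entire `AUTH_DATA` template with one extra `saml:Conditions` line and a renumbering of every `MessageFormat` placeholder, and the next hunk (@@ -108) does the same for the mandate template; a single template with one placeholder for the optional Conditions line (filled with `""` when `useCondition` is false) would keep the two variants from drifting apart the next time an attribute is added. The new template also declares `xmlns:si=''` bound to `XSI_NS_URI` a second time after `xmlns:xsi`; this is presumably copied from the existing templates, but it is worth cleaning up while the line is being duplicated.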
@@ -108,6 +146,41 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB "{13}" + " </saml:AttributeStatement>" + NL + "</saml:Assertion>"; + + /** + * XML template for the <code><saml:Assertion></code> to be built + */ + private static final String AUTH_DATA_MANDATE_WITH_CONDITIONS = + "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>" + NL + + "<saml:Assertion xmlns:saml=''" + SAML_NS_URI + "'' xmlns:pr=''" + PD_NS_URI + "'' xmlns:xsi=''" + XSI_NS_URI + "''" + + " xmlns:si=''" + XSI_NS_URI + "''" + + " MajorVersion=''1'' MinorVersion=''0'' AssertionID=''{0}'' Issuer=''{1}'' IssueInstant=''{2}''>" + NL + + "<saml:Conditions NotBefore=''{3}'' NotOnOrAfter=''{4}''/>" + NL + + " <saml:AttributeStatement>" + NL + + " <saml:Subject>" + NL + + " <saml:NameIdentifier NameQualifier=''{5}''>{6}</saml:NameIdentifier>" + NL + + " <saml:SubjectConfirmation>" + NL + + " <saml:ConfirmationMethod>" + MOA_NS_URI + "cm</saml:ConfirmationMethod>" + NL + + " <saml:SubjectConfirmationData>{7}{8}</saml:SubjectConfirmationData>" + NL + + " </saml:SubjectConfirmation>" + NL + + " </saml:Subject>" + NL + + " <saml:Attribute AttributeName=''PersonData'' AttributeNamespace=''" + PD_NS_URI + "''>" + NL + + " <saml:AttributeValue>{9}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''MandateData'' AttributeNamespace=''" + PD_NS_URI + "''>" + NL + + " <saml:AttributeValue>{10}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''isQualifiedCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{11}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{12}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + "{13}" + + "{14}" + + "{15}" + + " </saml:AttributeStatement>" + NL + + "</saml:Assertion>"; /** * XML 
template for the <code><saml:Attribute></code> named <code>"isPublicAuthority"</code>, * to be inserted into the <code><saml:Assertion></code> @@ -156,7 +229,9 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB String bkuURL, String signerCertificateBase64, boolean businessService, - List extendedSAMLAttributes) + List extendedSAMLAttributes, + boolean useCondition, + int conditionLength) throws BuildException { 
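Review bot: `AUTH_DATA_MANDATE_WITH_CONDITIONS` is introduced with the Javadoc `XML template for the <code><saml:Assertion></code> to be built`, identical to the comment on `AUTH_DATA_MANDATE`, so a reader cannot tell the four templates apart; suggested `/** XML template for the <code><saml:Assertion></code> with mandate data to be built (with Conditions) */`. The duplication of the template body itself is discussed at the preceding hunk (@@ -76).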
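Review bot: `buildAssertion` gains two trailing parameters, `useCondition` and `conditionLength`, and `buildMandate` gets the same in hunk @@ -246, but nothing in either hunk updates the method Javadoc that precedes the signature (outside the hunk); each should gain `@param useCondition whether a saml:Conditions element is emitted` and `@param conditionLength validity window in seconds; a non-positive value selects the builder's default`. Both are public methods of a library and the diffstat is limited to `idserverlib/src/main`, so any caller elsewhere stops compiling; keeping the old signatures as thin overloads that delegate with `false, -1` would make the change backward compatible.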
@@ -195,21 +270,51 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB String assertion; try { + if (!useCondition) { + assertion = MessageFormat.format(AUTH_DATA, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstant(), + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } + else { + Calendar cal = Calendar.getInstance(); + String notBefore = DateTimeUtils.buildDateTimeUTC(cal); + if (conditionLength <= 0) + cal.add(Calendar.SECOND, DEFAULT_CONDITIONS_LENGTH); + else + cal.add(Calendar.SECOND, conditionLength); + + String notOnOrAfter = DateTimeUtils.buildDateTimeUTC(cal); + + assertion = MessageFormat.format(AUTH_DATA_WITH_CONDITIONS, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstant(), + notBefore, + notOnOrAfter, + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } - assertion = MessageFormat.format(AUTH_DATA, new Object[] { - authData.getAssertionID(), - authData.getIssuer(), - authData.getIssueInstant(), - pkType, - pkValue, - StringUtils.removeXMLDeclaration(xmlAuthBlock), - StringUtils.removeXMLDeclaration(xmlIdentityLink), - StringUtils.removeXMLDeclaration(xmlPersonData), - isQualifiedCertificate, - bkuURL, - publicAuthorityAttribute, - signerCertificateAttribute, - buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } catch (ParseException e) { Logger.error("Error on building Authentication 
Data Assertion: " + e.getMessage()); throw new BuildException("builder.00", new Object[] { "Authentication Data Assertion", e.toString()}); @@ -246,7 +351,9 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB String signerCertificateBase64, boolean businessService, String sourceID, - List extendedSAMLAttributes) + List extendedSAMLAttributes, + boolean useCondition, + int conditionLength) throws BuildException { 
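Review bot: The `else` branch of the new `if (!useCondition)` computes `notBefore`/`notOnOrAfter` from a fresh `Calendar`, and the same eight lines reappear verbatim in `buildMandate` (hunk @@ -285); extracting them into one private helper keeps the two validity windows identical and gives the `conditionLength <= 0` fallback a single place to be documented. Note also that `NotBefore` is the exact issuance instant with no tolerance for clock skew at the relying party, so a consumer whose clock is a few seconds behind will reject the assertion; if that is intended it deserves a comment, otherwise a configurable allowance could be subtracted in the helper. The enclosing `buildAssertion` method starts before this hunk.
```java
    /**
     * Computes the NotBefore/NotOnOrAfter pair of a saml:Conditions element.
     * NotBefore is the current time; NotOnOrAfter is conditionLength seconds
     * later, or DEFAULT_CONDITIONS_LENGTH seconds if conditionLength is not
     * positive. Both values are formatted by DateTimeUtils.buildDateTimeUTC.
     *
     * @param conditionLength validity window in seconds, non-positive selects the default
     * @return a two-element array: { notBefore, notOnOrAfter }
     */
    private static String[] buildConditionTimes(int conditionLength) {
        Calendar cal = Calendar.getInstance();
        String notBefore = DateTimeUtils.buildDateTimeUTC(cal);
        int seconds = conditionLength > 0 ? conditionLength : DEFAULT_CONDITIONS_LENGTH;
        cal.add(Calendar.SECOND, seconds);
        return new String[] { notBefore, DateTimeUtils.buildDateTimeUTC(cal) };
    }

    // … unchanged: in buildAssertion's else branch, replace the Calendar lines with …
            String[] conditionTimes = buildConditionTimes(conditionLength);
            String notBefore = conditionTimes[0];
            String notOnOrAfter = conditionTimes[1];
    // … unchanged: MessageFormat.format(AUTH_DATA_WITH_CONDITIONS, …) …
```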
@@ -285,21 +392,59 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB String assertion; try { - assertion = MessageFormat.format(AUTH_DATA_MANDATE, new Object[] { - authData.getAssertionID(), - authData.getIssuer(), - authData.getIssueInstant(), - pkType, - pkValue, - StringUtils.removeXMLDeclaration(xmlAuthBlock), - StringUtils.removeXMLDeclaration(xmlIdentityLink), - StringUtils.removeXMLDeclaration(xmlPersonData), - StringUtils.removeXMLDeclaration(xmlMandateData), - isQualifiedCertificate, - bkuURL, - publicAuthorityAttribute, - signerCertificateAttribute, - buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + + + if (!useCondition) { + assertion = MessageFormat.format(AUTH_DATA_MANDATE, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstant(), + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + StringUtils.removeXMLDeclaration(xmlMandateData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } + else { + Calendar cal = Calendar.getInstance(); + String notBefore = DateTimeUtils.buildDateTimeUTC(cal); + if (conditionLength <= 0) + cal.add(Calendar.SECOND, DEFAULT_CONDITIONS_LENGTH); + else + cal.add(Calendar.SECOND, conditionLength); + + String notOnOrAfter = DateTimeUtils.buildDateTimeUTC(cal); + + assertion = MessageFormat.format(AUTH_DATA_MANDATE_WITH_CONDITIONS, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstant(), + notBefore, + notOnOrAfter, + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + StringUtils.removeXMLDeclaration(xmlMandateData), + isQualifiedCertificate, + bkuURL, + 
publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } + + + + + + } catch (ParseException e) { Logger.error("Error on building Authentication Data Assertion: " + e.getMessage()); throw new BuildException("builder.00", new Object[] { "Authentication Data Assertion", e.toString()}); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java index 8cc51bf93..b7b5bcce6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java @@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.config; +import iaik.ixsil.util.Utils; import iaik.pki.pathvalidation.ChainingModes; import iaik.utils.RFC2253NameParser; import iaik.utils.RFC2253NameParserException; @@ -44,6 +45,8 @@ import org.w3c.dom.Node; import org.w3c.dom.NodeList; import org.w3c.dom.traversal.NodeIterator; +import com.sun.xml.internal.fastinfoset.stax.events.Util; + import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.Schema; import at.gv.egovernment.moa.id.auth.data.SchemaImpl; 
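Review bot: The hunk adds two empty lines before `if (!useCondition)` and five more after the closing brace of the `else`, all inside the `try`; they are whitespace noise and should be dropped before merge. The duplicated NotBefore/NotOnOrAfter computation is discussed at the `buildAssertion` hunk (@@ -195). The enclosing `buildMandate` method starts before this hunk.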
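Review bot: The new `import com.sun.xml.internal.fastinfoset.stax.events.Util;` pulls a JDK-internal class into the configuration loader solely to call `Util.isEmptyString` in `buildConditionLength` (hunk @@ -616); internal packages are not supported API, differ between JDK vendors and are inaccessible under the module system, so a plain check such as `length == null || length.trim().length() == 0` should replace it. The other added import, `iaik.ixsil.util.Utils`, is not referenced in any visible hunk and looks like an IDE auto-import leftover; if nothing outside the diff uses it, it should go as well.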
@@ -580,9 +583,15 @@ public class ConfigurationBuilder { oap.setProvideCertificate(BoolUtils.valueOf(authComponent.getAttribute("provideCertificate"))); oap.setProvideFullMandatorData(BoolUtils.valueOf(authComponent.getAttribute("provideFullMandatorData"))); oap.setUseUTC(BoolUtils.valueOf(authComponent.getAttribute("useUTC"))); + oap.setUseCondition(BoolUtils.valueOf(authComponent.getAttribute("useCondition"))); + oap.setConditionLength(buildConditionLength(authComponent.getAttribute("conditionLength"))); oap.setBkuSelectionTemplateURL(buildTemplateURL(authComponent, OA_AUTH_COMPONENT_BKUSELECT_TEMPLATE_XPATH, bkuSelectionTemplateURL)); oap.setTemplateURL(buildTemplateURL(authComponent, OA_AUTH_COMPONENT_TEMPLATE_XPATH, templateURL)); + System.out.println(publicURLPrefix); + System.out.println("useCondition: " + oap.getUseCondition()); + System.out.println("conditionLength: " + oap.getConditionLength()); + oap.setInputProcessorSignTemplateURL(buildTemplateURL(authComponent, INPUT_PROCESSOR_TEMPLATE_XPATH, inputProcessorSignTemplateURL)); // load OA specific transforms if present String[] transformsInfoFileNames = buildTransformsInfoFileNames(authComponent, OA_AUTH_COMPONENT_TRANSFORMS_INFO_FILENAME_XPATH); @@ -616,6 +625,19 @@ public class ConfigurationBuilder { return result; } + + /** + * Returns the condition length as int + * @param length the condition length as int + * @return + */ + private int buildConditionLength(String length) { + + if (Util.isEmptyString(length)) + return -1; + else + return new Integer(length).intValue(); + } /** * Builds the URL for a BKUSelectionTemplate or a Template. The method selects diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 65e21cbce..2959d9208 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java 
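Review bot: The three `System.out.println` calls added after `oap.setTemplateURL(...)` print the online application's public URL prefix and its condition settings to stdout on every configuration load, bypassing the project's logging configuration; they read like leftover debugging and should be removed, or at most turned into debug-level statements via the project's `at.gv.egovernment.moa.logging.Logger` (whether this class already imports it is outside the hunk). The enclosing method starts before and ends after this hunk.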
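Review bot: `buildConditionLength` parses the attribute with `new Integer(length).intValue()`, so a non-numeric `conditionLength` in the OA configuration surfaces as an unhandled `NumberFormatException` from the configuration builder with no hint of which attribute or value is at fault; `Integer.parseInt(length.trim())` wrapped in a catch that rethrows a configuration error naming the offending value (or logs it and returns `-1` so the builder's default applies) would make the failure diagnosable. The Javadoc also describes the parameter as `the condition length as int` although it is the attribute's string value, and the `@return` tag is empty; suggested `@param length the conditionLength attribute value, may be null or empty` and `@return the length in seconds, or -1 if the attribute is absent`. The use of the JDK-internal `Util` class here is raised at the import hunk (@@ -24).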
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -87,6 +87,12 @@ public class OAAuthParameter extends OAParameter { /** determines wheter the IssueInstant of the SAML assertion is in UTC or not*/ private boolean useUTC; + + /** determines wheter a saml:Condition is added to the SAML assertion or not */ + private boolean useCondition; + + /** determines the validity time of the SAML assertion (if useCondition is true) in seconds */ + private int conditionLength; /** * url to a template for web page "Auswahl der Bürgerkartenumgebung" */ @@ -202,6 +208,22 @@ public class OAAuthParameter extends OAParameter { return useUTC; } + /** + * Returns <code>true</code> if the SAML assertion should contain a saml:Condition, otherwise <code>false</code>. + * @return <code>true</code> if the SAML assertion should contain a saml:Condition, otherwise <code>false</code>. + */ + public boolean getUseCondition() { + return useCondition; + } + + /** + * Returns the validity time of the SAML assertion (if useCondition is true) in seconds + * @return the validity time of the SAML assertion (if useCondition is true) in seconds + */ + public int getConditionLength() { + return conditionLength; + } + /** * Returns the key box identifier. @@ -325,6 +347,21 @@ public class OAAuthParameter extends OAParameter { this.useUTC = useUTC; } + /** + * Sets the useCondition variable + * @param useCondition The useCondition value to set + */ + public void setUseCondition(boolean useCondition) { + this.useCondition = useCondition; + } + + /** + * Sets the conditionLength variable + * @param conditionLength the conditionLength value to set + */ + public void setConditionLength(int conditionLength) { + this.conditionLength = conditionLength; + } /** |
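Review bot: The Javadoc on the new `useCondition` field copies the `wheter` typo from the `useUTC` comment above it and names the element `saml:Condition`, while the element the builder emits is `saml:Conditions`; suggested `/** determines whether a saml:Conditions element is added to the SAML assertion */`. The same `saml:Condition` wording appears in the Javadoc of `getUseCondition()` in hunk @@ -202. The `conditionLength` comment could also state what a non-positive value means, e.g. `/** validity period of the SAML assertion in seconds when useCondition is true; values <= 0 select the builder's default */`.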