diff options
Diffstat (limited to 'id/server/idserverlib/src/main')
16 files changed, 310 insertions, 106 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 68e6b950a..a68dca65a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -24,11 +24,15 @@ package at.gv.egovernment.moa.id.auth; +import iaik.ixsil.exceptions.UtilsException; +import iaik.ixsil.util.Utils; import iaik.pki.PKIException; import iaik.x509.X509Certificate; import java.io.ByteArrayInputStream; import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; import java.io.IOException; import java.security.GeneralSecurityException; import java.security.Principal; @@ -49,7 +53,6 @@ import org.apache.xpath.XPathAPI; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; -import org.w3c.dom.NodeList; import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.AuthenticationException; @@ -114,7 +117,6 @@ import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.DateTimeUtils; import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.StringUtils; -import at.gv.egovernment.moa.util.XPathUtils; /** @@ -305,7 +307,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { * @param useMandate Indicates if mandate is used or not * @param templateURL URL providing an HTML template for the HTML form generated * @param templateMandteURL URL providing an HTML template for the HTML form generated (for signing in mandates mode) - * @param scheme determines the protocol used + * @param scheme determines the protocol used + * @param sourceID * @return HTML form * @throws AuthenticationException * @see GetIdentityLinkFormBuilder @@ -320,7 +323,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { String bkuURL, String useMandate, String sessionID, - String scheme) + String scheme, + String sourceID) throws WrongParametersException, AuthenticationException, ConfigurationException, BuildException { String useMandateString = null; @@ -381,7 +385,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.setPublicOAURLPrefix(oaParam.getPublicURLPrefix()); session.setAuthURL(authURL); session.setTemplateURL(templateURL); - session.setBusinessService(oaParam.getBusinessService()); + session.setBusinessService(oaParam.getBusinessService()); + if (sourceID != null) + session.setSourceID(sourceID); } // BKU URL has not been set yet, even if session already exists if (bkuURL == null) { @@ -510,17 +516,16 @@ public class AuthenticationServer implements MOAIDAuthConstants { } // for testing new identity link certificate - // https://localhost:8443/moa-id-auth/StartAuthentication?Target=AR&OA=https://localhost:8443/TestMOAID_OA/LoginServletExample // xmlInfoboxReadResponse = null; // try { -// File file = new File("c:/temp/xxxMuster-new-cert_infobox.xml"); +// File file = new File("c:/temp/XXXMuster.xml"); // FileInputStream fis; // // fis = new FileInputStream(file); // byte[] array = Utils.readFromInputStream(fis); // // xmlInfoboxReadResponse = new String(array); -// //System.out.println(xmlInfoboxReadResponse); +// System.out.println(xmlInfoboxReadResponse); // // } catch (FileNotFoundException e) { // // TODO Auto-generated catch block @@ -529,7 +534,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { // // TODO Auto-generated catch block // e.printStackTrace(); // } -// + // parses the <InfoboxReadResponse> @@ -687,7 +692,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { // builds the AUTH-block - String authBlock = buildAuthenticationBlock(session); + String authBlock = buildAuthenticationBlock(session, oaParam); // session.setAuthBlock(authBlock); // builds the <CreateXMLSignatureRequest> @@ -871,14 +876,14 @@ public class AuthenticationServer implements MOAIDAuthConstants { * @throws BuildException If an error occurs on serializing an extended SAML attribute * to be appended to the AUTH-Block. */ - private String buildAuthenticationBlock(AuthenticationSession session) throws BuildException { + private String buildAuthenticationBlock(AuthenticationSession session, OAAuthParameter oaParam) throws BuildException { IdentityLink identityLink = session.getIdentityLink(); String issuer = identityLink.getName(); String gebDat = identityLink.getDateOfBirth(); String identificationValue = identityLink.getIdentificationValue(); String identificationType = identityLink.getIdentificationType(); - String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance()); + String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance(), oaParam.getUseUTC()); session.setIssueInstant(issueInstant); String authURL = session.getAuthURL(); String target = session.getTarget(); @@ -1418,6 +1423,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { // parses <CreateXMLSignatureResponse> CreateXMLSignatureResponse csresp = new CreateXMLSignatureResponseParser(xmlCreateXMLSignatureReadResponse).parseResponse(); + try { String serializedAssertion = DOMUtils.serializeNode(csresp.getSamlAssertion()); session.setAuthBlock(serializedAssertion); @@ -1502,12 +1508,21 @@ public class AuthenticationServer implements MOAIDAuthConstants { } } + OAAuthParameter oaParam = + AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( + session.getPublicOAURLPrefix()); + boolean useUTC = oaParam.getUseUTC(); // builds authentication data and stores it together with a SAML artifact - AuthenticationData authData = buildAuthenticationData(session, vsresp); + AuthenticationData authData = buildAuthenticationData(session, vsresp, useUTC); if (session.getUseMandate()) { // mandate mode + //session.setAssertionAuthBlock(assertionAuthBlock) + + // set signer certificate + session.setSignerCertificate(vsresp.getX509certificate()); + return null; } else { @@ -1521,6 +1536,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.getBkuURL(), session.getAssertionSignerCertificateBase64(), session.getAssertionBusinessService(), + session.getSourceID(), session.getExtendedSAMLAttributesOA()); authData.setSamlAssertion(samlAssertion); @@ -1677,6 +1693,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.getBkuURL(), session.getAssertionSignerCertificateBase64(), session.getAssertionBusinessService(), + session.getSourceID(), session.getExtendedSAMLAttributesOA()); authData.setSamlAssertion(samlAssertion); @@ -1772,9 +1789,14 @@ public class AuthenticationServer implements MOAIDAuthConstants { } VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponse(); - X509Certificate cert = session.getForeignSignerCertificate(); + X509Certificate cert = session.getSignerCertificate(); vsresp.setX509certificate(cert); - AuthenticationData authData = buildAuthenticationData(session, vsresp); + + OAAuthParameter oaParam = + AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( + session.getPublicOAURLPrefix()); + boolean useUTC = oaParam.getUseUTC(); + AuthenticationData authData = buildAuthenticationData(session, vsresp, useUTC); String samlAssertion = @@ -1786,6 +1808,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.getBkuURL(), session.getAssertionSignerCertificateBase64(), session.getAssertionBusinessService(), + session.getSourceID(), session.getExtendedSAMLAttributesOA()); authData.setSamlAssertion(samlAssertion); @@ -1823,7 +1846,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { */ private AuthenticationData buildAuthenticationData( AuthenticationSession session, - VerifyXMLSignatureResponse verifyXMLSigResp) + VerifyXMLSignatureResponse verifyXMLSigResp, + boolean useUTC) throws ConfigurationException, BuildException { IdentityLink identityLink = session.getIdentityLink(); @@ -1836,7 +1860,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { authData.setMinorVersion(0); authData.setAssertionID(Random.nextRandom()); authData.setIssuer(session.getAuthURL()); - authData.setIssueInstant(DateTimeUtils.buildDateTime(Calendar.getInstance())); + authData.setIssueInstant(DateTimeUtils.buildDateTime(Calendar.getInstance(), useUTC)); authData.setIdentificationType(identityLink.getIdentificationType()); authData.setGivenName(identityLink.getGivenName()); authData.setFamilyName(identityLink.getFamilyName()); @@ -1845,6 +1869,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); authData.setPublicAuthorityCode(verifyXMLSigResp.getPublicAuthorityCode()); authData.setBkuURL(session.getBkuURL()); + authData.setUseUTC(oaParam.getUseUTC()); boolean provideStammzahl = oaParam.getProvideStammzahl(); if (provideStammzahl) { authData.setIdentificationValue(identityLink.getIdentificationValue()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index 260b3fd01..f3be98ef0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -43,6 +43,8 @@ public interface MOAIDAuthConstants { public static final String PARAM_OA = "OA"; /** servlet parameter "bkuURI" */ public static final String PARAM_BKU = "bkuURI"; + /** servlet parameter "sourceID" */ + public static final String PARAM_SOURCEID = "sourceID"; /** servlet parameter "BKUSelectionTemplate" */ public static final String PARAM_BKUTEMPLATE = "BKUSelectionTemplate"; /** servlet parameter "BKUSelectionTemplate" */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java index 8af4e3af5..410d045f0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java @@ -57,6 +57,11 @@ public class AuthenticationAssertionBuilder { " <saml:Attribute AttributeName=''{0}'' AttributeNamespace=''{1}''>" + NL + " <saml:AttributeValue>{2}</saml:AttributeValue>" + NL + " </saml:Attribute>"+ NL; + + protected static String SAML_ATTRIBUTE_NO_NAMESPACE = + " <saml:Attribute AttributeName=''{0}''>" + NL + + " <saml:AttributeValue>{1}</saml:AttributeValue>" + NL + + " </saml:Attribute>"+ NL; /** * Empty constructor @@ -108,5 +113,26 @@ public class AuthenticationAssertionBuilder { } return sb.toString(); } + + /** + * Builds the SAML attributes to be appended to the AUTHBlock or to the SAML assertion + * delivered to the online application. + * The method traverses through the list of given SAML attribute objects and builds an + * XML structure (String representation) for each of the attributes. + * + * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock or + * to the SAML assertion delivered to the online application. + * @return A string representation including the XML structures of + * the SAML attributes. + * + * @throws ParseException If an error occurs on serializing an SAML attribute. + */ + protected String buildSourceIDSAMLAttributes(String sourceID) throws ParseException { + StringBuffer sb = new StringBuffer(); + if (sourceID!=null) + sb.append(MessageFormat.format( SAML_ATTRIBUTE_NO_NAMESPACE, new Object[] {"SourceID", sourceID})); + + return sb.toString(); + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java index 367116c73..7032e09eb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java @@ -69,9 +69,10 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + " <saml:AttributeValue>{9}</saml:AttributeValue>" + NL + " </saml:Attribute>" + NL + - "{10}" + - "{11}" + + "{10}" + + "{11}" + "{12}" + + "{13}" + " </saml:AttributeStatement>" + NL + "</saml:Assertion>"; @@ -103,9 +104,10 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + " <saml:AttributeValue>{10}</saml:AttributeValue>" + NL + " </saml:Attribute>" + NL + - "{11}" + - "{12}" + + "{11}" + + "{12}" + "{13}" + + "{14}" + " </saml:AttributeStatement>" + NL + "</saml:Assertion>"; /** @@ -156,6 +158,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB String bkuURL, String signerCertificateBase64, boolean businessService, + String sourceID, List extendedSAMLAttributes) throws BuildException { @@ -195,6 +198,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB String assertion; try { + assertion = MessageFormat.format(AUTH_DATA, new Object[] { authData.getAssertionID(), authData.getIssuer(), @@ -206,6 +210,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB StringUtils.removeXMLDeclaration(xmlPersonData), isQualifiedCertificate, bkuURL, + buildSourceIDSAMLAttributes(sourceID), publicAuthorityAttribute, signerCertificateAttribute, buildExtendedSAMLAttributes(extendedSAMLAttributes)}); @@ -244,6 +249,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB String bkuURL, String signerCertificateBase64, boolean businessService, + String sourceID, List extendedSAMLAttributes) throws BuildException { @@ -295,6 +301,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB StringUtils.removeXMLDeclaration(xmlMandateData), isQualifiedCertificate, bkuURL, + buildSourceIDSAMLAttributes(sourceID), publicAuthorityAttribute, signerCertificateAttribute, buildExtendedSAMLAttributes(extendedSAMLAttributes)}); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 3ab8ff819..5a18b720b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -62,6 +62,11 @@ public class AuthenticationSession { * Friendly name for the target, if target is configured via MOA-ID configuration */ private String targetFriendlyName; + + /** + * SourceID + */ + private String sourceID; /** * Indicates if target from configuration is used or not */ @@ -155,7 +160,7 @@ public class AuthenticationSession { private boolean businessService; /** - * Signer certificate of the foreign citizen + * Signer certificate of the foreign citizen or for mandate mode */ private X509Certificate signerCertificate; /** @@ -212,11 +217,11 @@ public class AuthenticationSession { infoboxValidators = new ArrayList(); } - public X509Certificate getForeignSignerCertificate() { + public X509Certificate getSignerCertificate() { return signerCertificate; } - public void setForeignSignerCertificate(X509Certificate signerCertificate) { + public void setSignerCertificate(X509Certificate signerCertificate) { this.signerCertificate = signerCertificate; } @@ -285,6 +290,14 @@ public class AuthenticationSession { } /** + * Returns the sourceID. + * @return String + */ + public String getSourceID() { + return sourceID; + } + + /** * Returns the target friendly name. * @return String */ @@ -332,6 +345,15 @@ public class AuthenticationSession { this.target = target; } } + + /** + * Sets the sourceID + * @param sourceID The sourceID to set + */ + public void setSourceID(String sourceID) { + this.sourceID = sourceID; + } + /** * Sets the target. If the target includes the target prefix, the prefix will be stripped off. * @param target The target to set diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetAuthenticationDataService.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetAuthenticationDataService.java index da5ad6ab9..b5c72ef9f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetAuthenticationDataService.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetAuthenticationDataService.java @@ -87,6 +87,7 @@ public class GetAuthenticationDataService implements Constants { String statusMessageCode = null; String statusMessage = null; String samlAssertion = ""; + boolean useUTC = false; if (requests.length > 1) { // more than 1 request given as parameter statusCode = "samlp:Requester"; @@ -113,8 +114,11 @@ public class GetAuthenticationDataService implements Constants { requestID = request.getAttribute("RequestID"); String samlArtifact = DOMUtils.getText(samlArtifactElem); try { + AuthenticationData authData = AuthenticationServer.getInstance(). getAuthenticationData(samlArtifact); + + useUTC = authData.getUseUTC(); // success samlAssertion = authData.getSamlAssertion(); statusCode = "samlp:Success"; @@ -135,12 +139,13 @@ public class GetAuthenticationDataService implements Constants { } } try { - String responseID = Random.nextRandom(); - String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance()); + String responseID = Random.nextRandom(); + String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance(), useUTC); if (statusMessage == null) statusMessage = MOAIDMessageProvider.getInstance().getMessage(statusMessageCode, null); responses[0] = new SAMLResponseBuilder().build( responseID, requestID, issueInstant, statusCode, subStatusCode, statusMessage, samlAssertion); + } catch (MOAIDException e) { AxisFault fault = AxisFault.makeFault(e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java index ca3883dad..431af3c31 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java @@ -79,21 +79,22 @@ public class StartAuthenticationServlet extends AuthServlet { authURL = authURL.concat(req.getContextPath() + "/"); String target = req.getParameter(PARAM_TARGET); + String sourceID = req.getParameter(PARAM_SOURCEID); String oaURL = req.getParameter(PARAM_OA); String bkuURL = req.getParameter(PARAM_BKU); String templateURL = req.getParameter(PARAM_TEMPLATE); String sessionID = req.getParameter(PARAM_SESSIONID); String useMandate = req.getParameter(PARAM_USEMANDATE); - // escape parameter strings target = StringEscapeUtils.escapeHtml(target); + sourceID = StringEscapeUtils.escapeHtml(sourceID); oaURL = StringEscapeUtils.escapeHtml(oaURL); bkuURL = StringEscapeUtils.escapeHtml(bkuURL); templateURL = StringEscapeUtils.escapeHtml(templateURL); sessionID = StringEscapeUtils.escapeHtml(sessionID); useMandate = StringEscapeUtils.escapeHtml(useMandate); - + resp.setHeader(HEADER_EXPIRES,HEADER_VALUE_EXPIRES); resp.setHeader(HEADER_PRAGMA,HEADER_VALUE_PRAGMA); resp.setHeader(HEADER_CACHE_CONTROL,HEADER_VALUE_CACHE_CONTROL); @@ -111,7 +112,9 @@ public class StartAuthenticationServlet extends AuthServlet { if (!ParamValidatorUtils.isValidSessionID(sessionID)) throw new WrongParametersException("StartAuthentication", PARAM_SESSIONID, "auth.12"); if (!ParamValidatorUtils.isValidUseMandate(useMandate)) - throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12"); + throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12"); + if (!ParamValidatorUtils.isValidSourceID(sourceID)) + throw new WrongParametersException("StartAuthentication", PARAM_SOURCEID, "auth.12"); OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oaURL); @@ -130,11 +133,11 @@ public class StartAuthenticationServlet extends AuthServlet { if (!ParamValidatorUtils.isValidTarget(target)) throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); - getIdentityLinkForm = AuthenticationServer.getInstance().startAuthentication(authURL, target, null, oaURL, templateURL, bkuURL, useMandate, sessionID, req.getScheme()); + getIdentityLinkForm = AuthenticationServer.getInstance().startAuthentication(authURL, target, null, oaURL, templateURL, bkuURL, useMandate, sessionID, req.getScheme(), sourceID); } else { // use target from config - getIdentityLinkForm = AuthenticationServer.getInstance().startAuthentication(authURL, targetConfig, targetFriendlyNameConfig, oaURL, templateURL, bkuURL, useMandate, sessionID, req.getScheme()); + getIdentityLinkForm = AuthenticationServer.getInstance().startAuthentication(authURL, targetConfig, targetFriendlyNameConfig, oaURL, templateURL, bkuURL, useMandate, sessionID, req.getScheme(), sourceID); } resp.setContentType("text/html;charset=UTF-8"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java index f7f9d8fed..17cbe7a3d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java @@ -24,26 +24,40 @@ package at.gv.egovernment.moa.id.auth.servlet; +import iaik.pki.PKIException; +import iaik.x509.X509Certificate; + import java.io.IOException; +import java.security.GeneralSecurityException; import java.util.Map; +import javax.net.ssl.SSLSocketFactory; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.xml.transform.TransformerException; import org.apache.commons.fileupload.FileUploadException; import org.apache.commons.lang.StringEscapeUtils; +import org.w3c.dom.Element; +import at.gv.egovernment.moa.id.AuthenticationException; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.WrongParametersException; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; -import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilderCertificate; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.config.ConnectionParameter; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; -import at.gv.egovernment.moa.id.util.ServletUtils; +import at.gv.egovernment.moa.id.util.SSLUtils; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISSessionId; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClientException; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.URLEncoder; /** @@ -143,27 +157,31 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { String samlArtifactBase64 = AuthenticationServer.getInstance().verifyAuthenticationBlock(sessionID, createXMLSignatureResponse); + if (samlArtifactBase64 == null) { //mandate Mode + + callMISService(session, req, resp); - Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate."); + //Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate."); - String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true); + //String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true); // build dataurl - String dataurl = - new DataURLBuilder().buildDataURL( - session.getAuthURL(), - REQ_VERIFY_CERTIFICATE, - session.getSessionID()); +// String dataurl = +// new DataURLBuilder().buildDataURL( +// session.getAuthURL(), +// REQ_VERIFY_CERTIFICATE, +// session.getSessionID()); //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)"); //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); - Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)"); - ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); + //Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)"); + //ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); } + if (!samlArtifactBase64.equals("Redirect to Input Processor")) { redirectURL = session.getOAURLRequested(); if (!session.getBusinessService()) { @@ -187,6 +205,78 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { } } + + /** + * Calls the MIS Service + * @param session + * @throws IOException + */ + private void callMISService(AuthenticationSession session, HttpServletRequest req, HttpServletResponse resp) throws IOException { + + try { + AuthConfigurationProvider authConf= AuthConfigurationProvider.getInstance(); + ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter(); + SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters); + + // get identitity link as byte[] + Element elem = session.getIdentityLink().getSamlAssertion(); + String s = DOMUtils.serializeNode(elem); + + System.out.println("IDL: " + s); + + byte[] idl = s.getBytes(); + + // redirect url + // build redirect(to the GetMISSessionIdSerlvet) + String redirectURL = + new DataURLBuilder().buildDataURL( + session.getAuthURL(), + GET_MIS_SESSIONID, + session.getSessionID()); + + String oaURL = session.getOAURLRequested(); + OAAuthParameter oaParam = authConf.getOnlineApplicationParameter(oaURL); + String profiles = oaParam.getMandateProfiles(); + + if (profiles == null) { + Logger.error("No Mandate/Profile for OA configured."); + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}); + } + + String profilesArray[] = profiles.split(","); + for(int i = 0; i < profilesArray.length; i++) { + profilesArray[i] = profilesArray[i].trim(); + } + + String oaFriendlyName = oaParam.getFriendlyName(); + String mandateReferenceValue = session.getMandateReferenceValue(); + X509Certificate cert = session.getSignerCertificate(); + MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), oaFriendlyName, redirectURL, mandateReferenceValue, profilesArray, sslFactory); + String redirectMISGUI = misSessionID.getRedirectURL(); + + if (misSessionID == null) { + Logger.error("Fehler bei Anfrage an Vollmachten Service. MIS Session ID ist null."); + throw new MISSimpleClientException("Fehler bei Anfrage an Vollmachten Service."); + } + + session.setMISSessionID(misSessionID.getSessiondId()); + + resp.setStatus(302); + resp.addHeader("Location", redirectMISGUI); + Logger.debug("REDIRECT TO: " + redirectURL); + } + catch (MOAIDException ex) { + handleError(null, ex, req, resp); + } catch (GeneralSecurityException ex) { + handleError(null, ex, req, resp); + } catch (PKIException e) { + handleError(null, e, req, resp); + } catch (MISSimpleClientException e) { + handleError(null, e, req, resp); + } catch (TransformerException e) { + handleError(null, e, req, resp); + } + } /** * Adds a parameter to a URL. * @param url the URL diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java index acf8b0b64..27f956c40 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java @@ -146,56 +146,8 @@ public class VerifyCertificateServlet extends AuthServlet { if (useMandate) {
- // Mandate Modus
- // make request to MIS
-
- AuthConfigurationProvider authConf= AuthConfigurationProvider.getInstance();
- ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter();
- SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters);
-
- // get identitity link as byte[]
- Element elem = session.getIdentityLink().getSamlAssertion();
- String s = DOMUtils.serializeNode(elem);
- byte[] idl = s.getBytes();
-
- // redirect url
- // build redirect(to the GetMISSessionIdSerlvet)
- String redirectURL =
- new DataURLBuilder().buildDataURL(
- session.getAuthURL(),
- GET_MIS_SESSIONID,
- session.getSessionID());
-
- String oaURL = session.getOAURLRequested();
- OAAuthParameter oaParam = authConf.getOnlineApplicationParameter(oaURL);
- String profiles = oaParam.getMandateProfiles();
-
- if (profiles == null) {
- Logger.error("No Mandate/Profile for OA configured.");
- throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID});
- }
-
- String profilesArray[] = profiles.split(",");
- for(int i = 0; i < profilesArray.length; i++) {
- profilesArray[i] = profilesArray[i].trim();
- }
- - String oaFriendlyName = oaParam.getFriendlyName(); - String mandateReferenceValue = session.getMandateReferenceValue();
- MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), oaFriendlyName, redirectURL, mandateReferenceValue, profilesArray, sslFactory);
- String redirectMISGUI = misSessionID.getRedirectURL();
-
- if (misSessionID == null) {
- Logger.error("Fehler bei Anfrage an Vollmachten Service. MIS Session ID ist null.");
- throw new MISSimpleClientException("Fehler bei Anfrage an Vollmachten Service.");
- }
-
- session.setMISSessionID(misSessionID.getSessiondId());
-
- resp.setStatus(302);
- resp.addHeader("Location", redirectMISGUI);
- Logger.debug("REDIRECT TO: " + redirectURL);
-
+ Logger.error("Online-Mandate Mode for foreign citizencs not supported."); + throw new AuthenticationException("auth.13", null);
}
else {
// Foreign Identities Modus
@@ -218,15 +170,7 @@ public class VerifyCertificateServlet extends AuthServlet { }
catch (MOAIDException ex) {
handleError(null, ex, req, resp);
- } catch (GeneralSecurityException ex) {
- handleError(null, ex, req, resp);
- } catch (PKIException e) {
- handleError(null, e, req, resp);
- } catch (MISSimpleClientException e) {
- handleError(null, e, req, resp);
- } catch (TransformerException e) {
- handleError(null, e, req, resp);
- }
+ }
}
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java index 6d4a21674..fc5d82936 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java @@ -150,7 +150,7 @@ public class VerifyIdentityLinkServlet extends AuthServlet { // create the InfoboxReadRequest to get the certificate String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true); - // build dataurl (to the GetForeignIDSerlvet) + // build dataurl (to the VerifyCertificateSerlvet) String dataurl = new DataURLBuilder().buildDataURL( session.getAuthURL(), diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java index 7fe85cfae..8cc51bf93 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java @@ -579,6 +579,7 @@ public class ConfigurationBuilder { oap.setProvideIdentityLink(BoolUtils.valueOf(authComponent.getAttribute("provideIdentityLink"))); oap.setProvideCertificate(BoolUtils.valueOf(authComponent.getAttribute("provideCertificate"))); oap.setProvideFullMandatorData(BoolUtils.valueOf(authComponent.getAttribute("provideFullMandatorData"))); + oap.setUseUTC(BoolUtils.valueOf(authComponent.getAttribute("useUTC"))); oap.setBkuSelectionTemplateURL(buildTemplateURL(authComponent, OA_AUTH_COMPONENT_BKUSELECT_TEMPLATE_XPATH, bkuSelectionTemplateURL)); oap.setTemplateURL(buildTemplateURL(authComponent, OA_AUTH_COMPONENT_TEMPLATE_XPATH, templateURL)); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index f85666acf..65e21cbce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -84,6 +84,9 @@ public class OAAuthParameter extends OAParameter { * determines whether the full mandator data (i.e. the mandate) is to be included in the authentication data */ private boolean provideFullMandatorData; + + /** determines wheter the IssueInstant of the SAML assertion is in UTC or not*/ + private boolean useUTC; /** * url to a template for web page "Auswahl der Bürgerkartenumgebung" */ @@ -191,6 +194,14 @@ public class OAAuthParameter extends OAParameter { return provideFullMandatorData; } + /** + * Returns <code>true</code> if the IssueInstant should be given in UTC, otherwise <code>false</code>. + * @return <code>true</code> if the IssueInstant should be given in UTC, otherwise <code>false</code>. + */ + public boolean getUseUTC() { + return useUTC; + } + /** * Returns the key box identifier. @@ -305,6 +316,16 @@ public class OAAuthParameter extends OAParameter { public void setProvideFullMandatorData(boolean provideFullMandatorData) { this.provideFullMandatorData = provideFullMandatorData; } + + /** + * Sets the useUTC variable. + * @param useUTC The useUTC value to set + */ + public void setUseUTC(boolean useUTC) { + this.useUTC = useUTC; + } + + /** * Sets the key box identifier. diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index 44eb98dad..79f3b4e30 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -107,6 +107,9 @@ public class AuthenticationData { * the corresponding <code>lt;saml:Assertion></code> */ private String samlAssertion; + + /** useUTC */ + private boolean useUTC; /** * creation timestamp */ @@ -166,6 +169,14 @@ public class AuthenticationData { public String getWBPK() { return wbPK; } + + /** + * Returns useUTC + * @return useUTC + */ + public boolean getUseUTC() { + return useUTC; + } /** * Sets the minorVersion. @@ -215,6 +226,10 @@ public class AuthenticationData { this.wbPK = wbPK; } + public void setUseUTC(boolean useUTC) { + this.useUTC = useUTC; + } + /** * Returns the assertionID. * @return String diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/builder/SAMLRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/builder/SAMLRequestBuilder.java index 5ce952662..2493f42b8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/builder/SAMLRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/builder/SAMLRequestBuilder.java @@ -63,7 +63,7 @@ public class SAMLRequestBuilder implements Constants { */ public Element build(String requestID, String samlArtifactBase64) throws BuildException { try { - String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance()); + String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance(), true); String request = MessageFormat.format(REQUEST, new Object[] {requestID, issueInstant, samlArtifactBase64}); Element requestElem = DOMUtils.parseDocument(request, false, ALL_SCHEMA_LOCATIONS, null).getDocumentElement(); return requestElem; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index 8c3bccab3..fa220d13d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java @@ -75,6 +75,36 @@ public class ParamValidatorUtils { return false;
}
+ } + + /** + * Checks if the given target is valid + * @param sourceID HTTP parameter from request + * @return + */ + public static boolean isValidSourceID(String sourceID) { + + Logger.debug("Überprüfe Parameter sourceID"); + + // if non parameter is given return true + if (sourceID == null) { + Logger.debug("Parameter Target ist null"); + return true; + } + + + Pattern pattern = Pattern.compile("[\\w-_]{1,50}"); + Matcher matcher = pattern.matcher(sourceID); + boolean b = matcher.matches(); + if (b) { + Logger.debug("Parameter sourceID erfolgreich überprüft"); + return true; + } + else { + Logger.error("Fehler Überprüfung Parameter sourceID. SourceID entspricht nicht den Kriterien (nur Zeichen a-z, A-Z, - und _, sowie 1-50 Zeichen lang)"); + return false; + } + }
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java index 1181253f1..620919c61 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java @@ -149,7 +149,8 @@ public class MISSimpleClient { Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
Element mirElement = doc.createElementNS(MIS_NS, "MandateIssueRequest");
Element idlElement = doc.createElementNS(MIS_NS, "IdentityLink");
-
+ + idlElement.appendChild(doc.createTextNode(new String(Base64.encodeBase64(idl))));
mirElement.appendChild(idlElement);
@@ -237,7 +238,18 @@ public class MISSimpleClient { }
}
- private static Element sendSOAPRequest(String webServiceURL, Element request) throws MISSimpleClientException {
+ private static Element sendSOAPRequest(String webServiceURL, Element request) throws MISSimpleClientException { + +// try { +// System.out.println("REQUEST-MIS: \n" + DOMUtils.serializeNode(request)); +// } catch (TransformerException e1) { +// // TODO Auto-generated catch block +// e1.printStackTrace(); +// } catch (IOException e1) { +// // TODO Auto-generated catch block +// e1.printStackTrace(); +// } +
if (webServiceURL == null) {
throw new NullPointerException("Argument webServiceURL must not be null.");
}
@@ -249,7 +261,8 @@ public class MISSimpleClient { PostMethod post = new PostMethod(webServiceURL);
StringRequestEntity re = new StringRequestEntity(DOMUtils.serializeNode(packIntoSOAP(request)),"text/xml", "UTF-8");
post.setRequestEntity(re);
- int responseCode = httpclient.executeMethod(post);
+ int responseCode = httpclient.executeMethod(post); +
if (responseCode != 200) {
throw new MISSimpleClientException("Invalid HTTP response code " + responseCode);
}
|