Diffstat (limited to 'id/server/idserverlib/src/main')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java27
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java22
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java21
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java33
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java24
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java16
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java47
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java11
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties2
-rw-r--r--id/server/idserverlib/src/main/resources/resources/templates/slo_template.html2
17 files changed, 151 insertions, 94 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index d06298efa..a33c4fdf4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -2,8 +2,6 @@
package at.gv.egovernment.moa.id.auth;
import iaik.asn1.ObjectID;
-import iaik.pki.PKIRuntimeException;
-import iaik.util.logging.Log;
import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionInitException;
@@ -20,14 +18,12 @@ import java.util.ArrayList;
//import java.security.cert.CertificateFactory;
import java.util.Calendar;
import java.util.Date;
-import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerException;
@@ -44,13 +40,11 @@ import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.DOMException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
-import at.gv.egovernment.moa.id.auth.builder.CertInfoVerifyXMLSignatureRequestBuilder;
import at.gv.egovernment.moa.id.auth.builder.CreateXMLSignatureRequestBuilder;
import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
import at.gv.egovernment.moa.id.auth.builder.GetIdentityLinkFormBuilder;
@@ -61,7 +55,6 @@ import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
-import at.gv.egovernment.moa.id.auth.data.InfoboxValidationResult;
import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.BKUException;
@@ -73,19 +66,14 @@ import at.gv.egovernment.moa.id.auth.exception.ValidateException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
import at.gv.egovernment.moa.id.auth.parser.CreateXMLSignatureResponseParser;
-import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser;
import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet;
import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet;
import at.gv.egovernment.moa.id.auth.validator.CreateXMLSignatureResponseValidator;
import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator;
-import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator;
import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator;
import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
-//import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentityLinkResponse;
-//import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClient;
-//import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants;
import at.gv.egovernment.moa.id.client.SZRGWClient;
import at.gv.egovernment.moa.id.client.SZRGWClientException;
@@ -98,14 +86,11 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.config.stork.CPEPS;
import at.gv.egovernment.moa.id.config.stork.STORKConfig;
-import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.storage.AssertionStorage;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl;
-import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
-import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.id.util.VelocityProvider;
import at.gv.egovernment.moa.id.util.XMLUtil;
import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
@@ -117,7 +102,6 @@ import at.gv.egovernment.moa.util.DateTimeUtils;
import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.StringUtils;
-import at.gv.egovernment.moa.util.XPathUtils;
import at.gv.util.xsd.mis.MandateIdentifiers;
import at.gv.util.xsd.mis.Target;
import at.gv.util.xsd.srzgw.CreateIdentityLinkRequest;
@@ -141,11 +125,6 @@ import eu.stork.peps.auth.commons.STORKAuthnRequest;
import eu.stork.peps.auth.engine.STORKSAMLEngine;
import eu.stork.peps.exceptions.STORKSAMLEngineException;
-//import java.security.cert.CertificateFactory;
-//import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentityLinkResponse;
-//import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClient;
-//import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException;
-
/**
* API for MOA ID Authentication Service.<br> {@link AuthenticationSession} is
* stored in a session store and retrieved by giving the session ID.
@@ -255,13 +234,13 @@ public class AuthenticationServer implements MOAIDAuthConstants {
String domainIdentifier = AuthConfigurationProvider.getInstance().getSSOTagetIdentifier().trim();
if (MiscUtil.isEmpty(domainIdentifier) && session.isSsoRequested()) {
//do not use SSO if no Target is set
- Log.warn("NO SSO-Target found in configuration. Single Sign-On is deaktivated!");
+ Logger.warn("NO SSO-Target found in configuration. Single Sign-On is deaktivated!");
session.setSsoRequested(false);
}
if (session.isSsoRequested()) {
- Log.info("SSO Login requested");
+ Logger.info("SSO Login requested");
//load identityLink with SSO Target
boolean isbuisness = false;
@@ -279,7 +258,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
isbuisness, domainIdentifier);
} else {
- Log.info("Non-SSO Login requested");
+ Logger.info("Non-SSO Login requested");
//build ReadInfobox request
infoboxReadRequest = new InfoboxReadRequestBuilder().build(
oaParam.getBusinessService(), oaParam
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
index 848bf94af..db36356c0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
@@ -3,7 +3,6 @@
package at.gv.egovernment.moa.id.auth;
-import iaik.cms.ecc.IaikEccProvider;
import iaik.pki.PKIException;
import iaik.pki.jsse.IAIKX509TrustManager;
import iaik.security.ecc.provider.ECCProvider;
@@ -11,12 +10,9 @@ import iaik.security.provider.IAIK;
import java.io.IOException;
import java.security.GeneralSecurityException;
-import java.security.Security;
-import java.util.Properties;
import javax.activation.CommandMap;
import javax.activation.MailcapCommandMap;
-import javax.mail.Session;
import javax.net.ssl.SSLSocketFactory;
import at.gv.egovernment.moa.id.config.ConfigurationException;
@@ -72,10 +68,9 @@ public class MOAIDAuthInitializer {
CommandMap.setDefaultCommandMap(mc);
// create some properties and get the default Session
- Properties props = new Properties();
- props.put("mail.smtp.host", "localhost");
-
- Session session = Session.getDefaultInstance(props, null);
+// Properties props = new Properties();
+// props.put("mail.smtp.host", "localhost");
+// Session session = Session.getDefaultInstance(props, null);
// Restricts TLS cipher suites
// System.setProperty(
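Review bot: The three commented-out javax.mail lines at the top of this hunk should be deleted rather than kept, because the `javax.mail.Session` and `java.util.Properties` imports are removed in the same commit, so the block can never be re-enabled by simply uncommenting it. If dropping the default mail Session is deliberate, a one-line comment records the decision better than dead code, e.g. `// No javax.mail default Session is created here any more; registering the MailcapCommandMap above is all that is needed.` The enclosing initialisation method starts and ends outside the hunk.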
@@ -120,8 +115,8 @@ public class MOAIDAuthInitializer {
Logger.warn(MOAIDMessageProvider.getInstance().getMessage(
"init.01", null), e);
}
-
- IAIK.addAsProvider();
+
+ IAIK.addAsProvider();
ECCProvider.addAsProvider();
// Initializes SSLSocketFactory store
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java
index ba4440bf8..fc04fa9a7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java
@@ -278,7 +278,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB
assertion = MessageFormat.format(AUTH_DATA, new Object[] {
authData.getAssertionID(),
authData.getIssuer(),
- authData.getIssueInstant(),
+ authData.getIssueInstantString(),
pkType,
pkValue,
StringUtils.removeXMLDeclaration(xmlAuthBlock),
@@ -303,7 +303,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB
assertion = MessageFormat.format(AUTH_DATA_WITH_CONDITIONS, new Object[] {
authData.getAssertionID(),
authData.getIssuer(),
- authData.getIssueInstant(),
+ authData.getIssueInstantString(),
notBefore,
notOnOrAfter,
pkType,
@@ -401,7 +401,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB
assertion = MessageFormat.format(AUTH_DATA_MANDATE, new Object[] {
authData.getAssertionID(),
authData.getIssuer(),
- authData.getIssueInstant(),
+ authData.getIssueInstantString(),
pkType,
pkValue,
StringUtils.removeXMLDeclaration(xmlAuthBlock),
@@ -427,7 +427,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB
assertion = MessageFormat.format(AUTH_DATA_MANDATE_WITH_CONDITIONS, new Object[] {
authData.getAssertionID(),
authData.getIssuer(),
- authData.getIssueInstant(),
+ authData.getIssueInstantString(),
notBefore,
notOnOrAfter,
pkType,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index ed2cd3ecb..a8a7d0c51 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -256,21 +256,18 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
- //collect attributes by using BackChannel communication
- String endpoint = idp.getIDPAttributQueryServiceURL();
- if (MiscUtil.isEmpty(endpoint)) {
- Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix());
- throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null);
- }
-
-
- //TODO: check if response include attributes and map this attributes to requested attributes
- //TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst
Response intfResp = (Response) req.getInterfederationResponse().getResponse();
AssertionAttributeExtractor extractor =
new AssertionAttributeExtractor(intfResp);
- if (!extractor.containsAllRequiredAttributes()) {
+ if (!extractor.containsAllRequiredAttributes()) {
+ //collect attributes by using BackChannel communication
+ String endpoint = idp.getIDPAttributQueryServiceURL();
+ if (MiscUtil.isEmpty(endpoint)) {
+ Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix());
+ throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null);
+ }
+
//build attributQuery request
AttributeQuery query =
AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs);
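Review bot: Skipping the AttributeQuery when `extractor.containsAllRequiredAttributes()` is true means the attributes carried in the front-channel interfederation Response are now consumed directly, so the new branch silently depends on that Response's assertion having been signature- and audience-validated before it was stored on the request; that validation is not visible in this hunk, so please confirm it and pin it down with a comment such as `// Front-channel attributes are used here only because the interfederation Response was signature-validated when it was received.` Note also that `req.getInterfederationResponse()` is dereferenced and cast on the line before the `if` without a null check, so reaching this code without a stored response is an NPE rather than a clean error. The enclosing method starts and ends outside the hunk.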
@@ -308,6 +305,9 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
//create assertion attribute extractor from AttributeQuery response
extractor = new AssertionAttributeExtractor(intfResp);
+ } else {
+ Logger.info("Interfedation response include all attributes with are required. Skip AttributQuery request step. ");
+
}
//parse response information to authData
buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam);
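Review bot: The new info message `"Interfedation response include all attributes with are required. Skip AttributQuery request step. "` has several spelling and grammar slips plus a trailing space, and operators will grep for it, so it is worth fixing before it ships: `Logger.info("Interfederation response includes all required attributes. Skipping AttributeQuery request step.");`. The `else` block also carries a stray blank line before its closing brace. The enclosing method starts and ends outside the hunk.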
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
index e3f32d59d..1bc3702e4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
@@ -22,8 +22,6 @@
******************************************************************************/
package at.gv.egovernment.moa.id.auth.parser;
-import iaik.util.logging.Log;
-
import java.io.UnsupportedEncodingException;
import java.util.List;
@@ -134,8 +132,9 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
String targetFriendlyNameConfig = oaParam.getTargetFriendlyName();
if (StringUtils.isEmpty(targetConfig)
- || (module.equals(SAML1Protocol.PATH) &&
- !StringUtils.isEmpty(target))) {
+// || (module.equals(SAML1Protocol.PATH) &&
+// !StringUtils.isEmpty(target))
+ ) {
// no target attribut is given in OA config
// target is used from request
// check parameter
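Review bot: The SAML1 clause of the condition is commented out rather than removed, which leaves the reader guessing whether letting a request-supplied `target` override the OA-configured target for SAML1 was a bug or is only temporarily disabled. Because the target feeds sector-specific identifier (bPK) derivation, the tightening looks deliberate; delete the two commented lines and state the rule in a comment, e.g. `// The OA-configured target always wins; a target from the request is only used when the OA has none configured (this now also applies to SAML1 requests).` — assuming that is indeed the intent. The enclosing method starts and ends outside the hunk.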
@@ -230,14 +229,22 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
if (MiscUtil.isEmpty(templateURL)) {
List<TemplateType> templateURLList = oaParam.getTemplateURL();
-
+ List<String> defaulTemplateURLList =
+ AuthConfigurationProvider.getInstance().getSLRequestTemplates();
+
if ( templateURLList != null && templateURLList.size() > 0
&& MiscUtil.isNotEmpty(templateURLList.get(0).getURL()) ) {
templateURL = FileUtils.makeAbsoluteURL(
oaParam.getTemplateURL().get(0).getURL(),
AuthConfigurationProvider.getInstance().getRootConfigFileDir());
- Log.info("No SL-Template in request, load SL-Template from OA config (URL: " + templateURL + ")");
-
+ Logger.info("No SL-Template in request, load SL-Template from OA configuration (URL: " + templateURL + ")");
+
+ } else if ( (defaulTemplateURLList.size() > 0) && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) {
+ templateURL = FileUtils.makeAbsoluteURL(
+ defaulTemplateURLList.get(0),
+ AuthConfigurationProvider.getInstance().getRootConfigFileDir());
+ Logger.info("No SL-Template in request, load SL-Template from general configuration (URL: " + templateURL + ")");
+
} else {
Logger.error("NO SL-Tempalte found in OA config");
throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12");
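Review bot: `defaulTemplateURLList.size()` in the new `else if` is evaluated without a null check, whereas `templateURLList` directly above is guarded with `!= null`; if `getSLRequestTemplates()` can return null when no general templates are configured (not visible here), the result is an NPE instead of the intended `auth.12` error. Guard it the same way: `} else if (defaulTemplateURLList != null && defaulTemplateURLList.size() > 0 && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) {`. The variable name has a typo (`defaulTemplateURLList`), and the final error message `"NO SL-Tempalte found in OA config"` is no longer accurate now that the general configuration is consulted as well. The enclosing method starts and ends outside the hunk.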
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
index a7ec4dcb6..c08d77f12 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
@@ -97,32 +97,31 @@ public class IDPSingleLogOutServlet extends AuthServlet {
return;
- } else if (MiscUtil.isNotEmpty(ssoid)) {
- if (ssomanager.isValidSSOSession(ssoid, null)) {
+ } else if (MiscUtil.isNotEmpty(ssoid)) {
+ try {
+ if (ssomanager.isValidSSOSession(ssoid, null)) {
- AuthenticationManager authmanager = AuthenticationManager.getInstance();
- String moaSessionID = AuthenticationSessionStoreage.getMOASessionSSOID(ssoid);
+ AuthenticationManager authmanager = AuthenticationManager.getInstance();
+ String moaSessionID = AuthenticationSessionStoreage.getMOASessionSSOID(ssoid);
- if (MiscUtil.isNotEmpty(moaSessionID)) {
- AuthenticationSession authSession;
- try {
- authSession = AuthenticationSessionStoreage
+ if (MiscUtil.isNotEmpty(moaSessionID)) {
+ AuthenticationSession authSession = AuthenticationSessionStoreage
.getSession(moaSessionID);
if(authSession != null) {
authmanager.performSingleLogOut(req, resp, authSession, null);
return;
}
-
- } catch (MOADatabaseException e) {
- //TODO: insert error Handling
-
- } catch (MOAIDException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
}
- }
- }
+ }
+ } catch (MOADatabaseException e) {
+ //TODO: insert error Handling
+ e.printStackTrace();
+
+ } catch (MOAIDException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
} else if (restartProcessObj != null && restartProcessObj instanceof String) {
String restartProcess = (String) restartProcessObj;
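Review bot: Both new catch blocks end in `e.printStackTrace()` with a TODO, so a database or configuration failure during single logout goes to stderr and the request then falls through to whatever follows the if/else chain (outside the hunk) without any error response to the caller. Use the project logger with the cause, `Logger.error("Single Log-Out for SSO session failed", e);`, and return an error response from there instead of continuing. `isValidSSOSession` now declares `ConfigurationException`; this compiles only if that is a `MOAIDException`, so the second catch is presumably what handles it — worth saying so in the catch comment rather than leaving the auto-generated one. The enclosing servlet method starts and ends outside the hunk.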
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index 6e1811c8b..532ccb7ba 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.auth.builder.RedirectFormBuilder;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -63,7 +64,7 @@ public class RedirectServlet extends AuthServlet{
String redirectTarget = DEFAULT_REDIRECTTARGET;
try {
oa = ConfigurationDBRead.getActiveOnlineApplication(url);
- if (oa == null) {
+ if (oa == null && !url.startsWith(AuthConfigurationProvider.getInstance().getPublicURLPrefix())) {
resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
return;
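Review bot: The new `url.startsWith(getPublicURLPrefix())` exception to the OA whitelist is a string-prefix test on a user-supplied URL and is bypassable as an open redirect unless the prefix ends at a host boundary: with a prefix of `https://idp.example` both `https://idp.example.evil.com/` and `https://idp.example@evil.com/` pass the check yet send the browser away from the IdP. Compare parsed components (scheme, host, port, and no userinfo) rather than a string prefix; if the configured prefix also carries a path, additionally require the target path to start with it. This needs `java.net.URI` and `URISyntaxException` imports, and if `url` can be null here (not visible) the parse has to be guarded too. The enclosing method starts and ends outside the hunk.
```java
// … unchanged: oa = ConfigurationDBRead.getActiveOnlineApplication(url); …
boolean isOwnHost = false;
try {
    URI target = new URI(url);
    URI own = new URI(AuthConfigurationProvider.getInstance().getPublicURLPrefix());
    isOwnHost = target.getUserInfo() == null
            && own.getScheme() != null && own.getScheme().equalsIgnoreCase(target.getScheme())
            && own.getHost() != null && own.getHost().equalsIgnoreCase(target.getHost())
            && own.getPort() == target.getPort();
} catch (URISyntaxException e) {
    Logger.info("Redirect URL is not a valid URI, treating it as foreign: " + e.getMessage());
}
if (oa == null && !isOwnHost) {
    resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
    return;
```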
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 2b687a0c8..284a77126 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -53,6 +53,7 @@ import iaik.utils.RFC2253NameParserException;
import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionInitException;
+import java.security.InvalidKeyException;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
@@ -266,14 +267,25 @@ public class VerifyXMLSignatureResponseValidator {
}
//compare ECDSAPublicKeys
- if((idl.getPublicKey()[i] instanceof iaik.security.ecc.ecdsa.ECPublicKey) &&
- (pubKeySignature instanceof iaik.security.ecc.ecdsa.ECPublicKey)) {
+ if( ( (idl.getPublicKey()[i] instanceof java.security.interfaces.ECPublicKey) ||
+ (idl.getPublicKey()[i] instanceof iaik.security.ecc.ecdsa.ECPublicKey)) &&
+ ( (pubKeySignature instanceof java.security.interfaces.ECPublicKey) ||
+ (pubKeySignature instanceof iaik.security.ecc.ecdsa.ECPublicKey) ) ) {
- ECPublicKey ecdsaPubKeySignature = (ECPublicKey) pubKeySignature;
- ECPublicKey ecdsakey = (ECPublicKey) pubKeysIdentityLink[i];
+ try {
+ ECPublicKey ecdsaPubKeySignature = new ECPublicKey(pubKeySignature.getEncoded());
+ ECPublicKey ecdsakey = new ECPublicKey(pubKeysIdentityLink[i].getEncoded());
+
+ if(ecdsakey.equals(ecdsaPubKeySignature))
+ found = true;
+
+ } catch (InvalidKeyException e) {
+ Logger.warn("ECPublicKey can not parsed into a iaik.ECPublicKey", e);
+ throw new ValidateException("validator.09", null);
+ }
- if(ecdsakey.equals(ecdsaPubKeySignature))
- found = true;
+
+
}
// Logger.debug("IDL-Pubkey=" + idl.getPublicKey()[i].getClass().getName()
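Review bot: The new EC comparison decides equality by re-parsing both keys' `getEncoded()` output into `iaik.security.ecc.ecdsa.ECPublicKey` and calling `equals`, which is only correct if that `equals` compares curve and point rather than the raw SubjectPublicKeyInfo bytes; the same key can be encoded with a named-curve OID or explicit parameters and with a compressed or uncompressed point, and a byte-level comparison would then reject a legitimate identity link (a false negative rather than a bypass, but a user-visible failure). Please confirm against the IAIK implementation and record it, e.g. `// iaik ECPublicKey.equals compares curve parameters and the public point, so different DER encodings of the same key still match (checked against IAIK ECC <version>)`, or compare curve and affine point explicitly. The warn text `"ECPublicKey can not parsed into a iaik.ECPublicKey"` should read `"ECPublicKey can not be parsed into an iaik ECPublicKey"`. The enclosing loop and method start and end outside the hunk.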
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
index ca3117a79..ff294dc3d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
@@ -31,6 +31,7 @@ import java.io.InputStreamReader;
import java.io.Reader;
import java.io.StringWriter;
import java.net.URI;
+import java.util.Date;
import java.util.List;
import javax.servlet.http.Cookie;
@@ -132,7 +133,7 @@ public class SSOManager {
}
- public boolean isValidSSOSession(String ssoSessionID, IRequest protocolRequest) {
+ public boolean isValidSSOSession(String ssoSessionID, IRequest protocolRequest) throws ConfigurationException {
// search SSO Session
if (ssoSessionID == null) {
@@ -144,8 +145,19 @@ public class SSOManager {
if (storedSession == null)
return false;
-
+
else {
+
+ //check if session is out of lifetime
+ Date now = new Date();
+ long maxSSOSessionTime = AuthConfigurationProvider.getInstance().getTimeOuts().getMOASessionCreated().longValue() * 1000;
+ Date ssoSessionValidTo = new Date(storedSession.getCreated().getTime() + maxSSOSessionTime);
+ if (now.after(ssoSessionValidTo)) {
+ Logger.info("Found outdated SSO session information. Start reauthentication process ... ");
+ return false;
+ }
+
+ //check if request starts an interfederated SSO session
if (protocolRequest != null &&
protocolRequest instanceof RequestImpl &&
storedSession.isInterfederatedSSOSession() &&
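Review bot: The new lifetime check derives the maximum SSO session age from `getTimeOuts().getMOASessionCreated()`, whose name suggests the timeout for a freshly created (not yet completed) MOA session rather than an SSO session lifetime; if a dedicated SSO timeout exists in the configuration it should be used here, and either way the choice deserves a comment, e.g. `// SSO sessions expire MOASessionCreated seconds after creation; there is no separate SSO lifetime setting.` An expired session is only reported as invalid: it remains in the store and the SSO cookie is not cleared, so every later request repeats this check until some other cleanup removes it — consider removing it at the point of detection. `storedSession.getCreated()` is also dereferenced without a null check, so a record without a creation timestamp would NPE instead of being treated as expired. The enclosing method starts before the hunk and ends after it.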
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
index 3b0d07ce1..583120a86 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
@@ -115,6 +115,7 @@ public final class OAuth20AttributeBuilder {
buildersOpenId.add(new OpenIdExpirationTimeAttribute());
buildersOpenId.add(new OpenIdIssueInstantAttribute());
buildersOpenId.add(new OpenIdAuthenticationTimeAttribute());
+ buildersOpenId.add(new OpenIdAudiencesAttribute());
// profile
buildersProfile.add(new ProfileGivenNameAttribute());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java
new file mode 100644
index 000000000..404eb1b44
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java
@@ -0,0 +1,47 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+
+public class OpenIdAudiencesAttribute implements IAttributeBuilder {
+
+ public String getName() {
+ return "aud";
+ }
+
+ public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+ IAttributeGenerator<ATT> g) throws AttributeException {
+ return g.buildStringAttribute(this.getName(), "", oaParam.getPublicURLPrefix());
+ }
+
+ public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+ return g.buildEmptyAttribute(this.getName(), "");
+ }
+
+}
+
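Review bot: The `aud` claim is set to `oaParam.getPublicURLPrefix()`, but OpenID Connect Core 3.1.3.7 requires the ID Token audience to contain the relying party's `client_id`; this is correct only if MOA-ID issues the OA public URL prefix as the OAuth client_id, which is not visible in this commit — an RP that validates `aud` against a differently assigned client_id will reject every token. Please confirm that mapping and document it on the class, e.g. `/** Builds the OpenID Connect {@code aud} claim. The value is the OA's public URL prefix, which MOA-ID uses as the OAuth 2.0 client_id of the online application. */`. The two implemented methods also lack `@Override` and Javadoc.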
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java
index 4f3aff469..61840ea21 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java
@@ -22,14 +22,13 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
-import iaik.util.logging.Log;
-
import java.io.IOException;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
+import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -51,7 +50,7 @@ public class EIDAuthBlock implements IPVPAttributeBuilder {
}
catch (IOException e) {
- Log.info("Encode AuthBlock BASE64 failed.");
+ Logger.info("Encode AuthBlock BASE64 failed.");
}
throw new UnavailableAttributeException(EID_AUTH_BLOCK_NAME);
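Review bot: `Logger.info("Encode AuthBlock BASE64 failed.")` on the new line drops the IOException entirely, so a failed Base64 encoding is neither traceable nor logged at a level operators watch; the project logger accepts a cause (this commit uses `Logger.warn(msg, e)` elsewhere), so use `Logger.warn("Encode AuthBlock BASE64 failed.", e);`. The enclosing build method starts before the hunk and ends after it.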
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java
index df1bc1860..8a603f53a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java
@@ -22,7 +22,6 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
-import iaik.util.logging.Log;
import java.io.IOException;
@@ -30,6 +29,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
+import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
public class EIDSignerCertificate implements IPVPAttributeBuilder {
@@ -49,7 +49,7 @@ public class EIDSignerCertificate implements IPVPAttributeBuilder {
}
}catch (IOException e) {
- Log.info("Signer certificate BASE64 encoding error");
+ Logger.info("Signer certificate BASE64 encoding error");
}
throw new UnavailableAttributeException(EID_SIGNER_CERTIFICATE_NAME);
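Review bot: `Logger.info("Signer certificate BASE64 encoding error")` on the new line discards the IOException, so the failure cannot be traced and is logged below the level operators usually watch; the project logger takes a cause (`Logger.warn(msg, e)` is used elsewhere in this commit), so prefer `Logger.warn("Signer certificate BASE64 encoding error", e);`. The enclosing build method starts before the hunk and ends after it.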
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index a57fb5717..cba64e080 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -261,6 +261,10 @@ public class MOAMetadataProvider implements MetadataProvider {
List<OnlineApplication> oaList = ConfigurationDBRead
.getAllActiveOnlineApplications();
+
+ if (oaList.size() == 0)
+ Logger.info("No Online-Application configuration found. PVP 2.1 metadata provider initialization failed!");
+
Iterator<OnlineApplication> oaIt = oaList.iterator();
while (oaIt.hasNext()) {
HTTPMetadataProvider httpProvider = null;
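Review bot: The new empty-list check logs "initialization failed" at `info` level and then continues into the iterator loop, so the message overstates what happens (the loop simply does nothing) and is easy to miss; if a metadata provider without any OA really is a failure, log it at `warn` and return, otherwise reword it, e.g. `Logger.warn("No active Online-Application configuration found; PVP 2.1 metadata provider starts without any SP metadata.");`. If `getAllActiveOnlineApplications()` can return null (not visible here), `oaList.size()` now NPEs one line earlier than the iterator call would have, so guard with `oaList == null || oaList.isEmpty()`. The enclosing method starts and ends outside the hunk.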
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
index 9c8c52e87..8f7f17e2e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
@@ -33,6 +33,7 @@ import org.apache.commons.lang.StringEscapeUtils;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
@@ -102,7 +103,7 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants {
if (!AuthConfigurationProvider.getInstance().getAllowedProtocols().isSAML1Active()) {
Logger.info("SAML1 is deaktivated!");
- throw new ProtocolNotActiveException("auth.22", new Object[] { NAME });
+ throw new ProtocolNotActiveException("auth.22", new Object[] { "SAML 1" });
}
@@ -145,14 +146,14 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants {
.getOnlineApplicationParameter(oaURL);
if (oaParam == null)
- throw new AuthenticationException("auth.00",
- new Object[] { oaURL });
+ throw new InvalidProtocolRequestException("auth.00",
+ new Object[] { null });
OASAML1 saml1 = oaParam.getSAML1Parameter();
if (saml1 == null || !(saml1.isIsActive() != null && saml1.isIsActive()) ) {
Logger.info("Online-Application " + oaURL + " can not use SAML1 for authentication.");
- throw new AuthenticationException("auth.00",
- new Object[] { oaURL });
+ throw new InvalidProtocolRequestException("auth.00",
+ new Object[] { null });
}
config.setSourceID(sourceID);
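Review bot: Both rejection paths now pass `new Object[] { null }` as the `auth.00` message argument; if the `auth.00` template in id_messages_de.properties contains `{0}`, the user-facing text will literally show "null" — check the template and either pass an empty argument array or a neutral placeholder. Keeping the requested URL out of the user-facing message is sensible, but the first branch (`oaParam == null`) then logs nothing at all, so rejected requests become untraceable; add `Logger.info("No Online-Application configuration found for " + oaURL + ". Reject SAML1 request.");` before the throw, mirroring the second branch. The enclosing method starts and ends outside the hunk.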
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 0536cfae1..9bfa14a7c 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -252,7 +252,7 @@ pvp2.21=Die Signature des Requests konnte nicht g\u00FCltig validiert werden.
pvp2.22=Der Request konnte nicht g\u00FCltig validiert werden (Fehler\={0}).
oauth20.01=Fehlerhafte redirect url
-oauth20.02=Fehlender Parameter "{0}"
+oauth20.02=Fehlender oder ung\u00FCltiger Parameter "{0}"
oauth20.03=Angeforderter response_type ist nicht erlaubt
oauth20.04=Die Art der Anmeldung wird nicht unterstuetzt
oauth20.05=Der angegebene Benutzer ist nicht berechtigt
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html b/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html
index 88279ee96..b241e85cf 100644
--- a/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html
+++ b/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html
@@ -389,7 +389,7 @@
</head>
#if($timeoutURL)
- <body onload='setTimeout(sloTimeOut(), $timeout);'>
+ <body onload='setTimeout(sloTimeOut, $timeout);'>
#else
<body>
#end
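Review bot: The fix is right — `setTimeout(sloTimeOut(), $timeout)` invoked the handler immediately and handed its return value to `setTimeout` — but `$timeout` is still interpolated unescaped into an inline event handler, so the template relies on the server always rendering a plain number there. If `$timeout` is computed from configuration as an integer that is fine; it is worth a Velocity comment next to the `#if`, e.g. `## $timeout must be a numeric millisecond value; it is inserted into JavaScript without escaping`, or a numeric guard where the template context is built.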