aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java87
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java19
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java233
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWClient.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java49
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java28
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java35
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java67
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java21
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java40
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SchemaValidationException.java52
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java86
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java110
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java33
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/CorporateBodyMandateContainer.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java22
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java87
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttributeProviderPlugin.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttribute_deprecatedProviderPlugin.java20
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java55
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java72
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java31
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java4
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties28
-rw-r--r--id/server/idserverlib/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml51
42 files changed, 1081 insertions, 276 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index cf50a1bf5..b9ce76d0c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -1612,6 +1612,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
data.setFamilyname(PEPSFamilyname);
data.setFirstname(PEPSFirstname);
data.setIdentifier(PEPSIdentifier);
+
+ data.setFiscalNumber(PEPSFiscalNumber);
data.setRepresentative(representative);
data.setRepresented(represented);
@@ -1737,6 +1739,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
// add sign request
PersonalAttribute newAttribute = new PersonalAttribute();
newAttribute.setName("signedDoc");
+ newAttribute.setIsRequired(true);
List<String> value = new ArrayList<String>();
Logger.debug("PEPS supports XMLSignatures:"+cpeps.isXMLSignatureSupported());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 52488c3cb..5d816be1b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -43,6 +43,7 @@ import javax.xml.bind.Marshaller;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeQuery;
+import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Response;
import org.opensaml.ws.soap.common.SOAPException;
import org.opensaml.xml.XMLObject;
@@ -214,7 +215,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
} else {
//build AuthenticationData from MOASession
- buildAuthDataFormMOASession(authdata, session, oaParam);
+ buildAuthDataFormMOASession(authdata, session, oaParam, protocolRequest);
}
@@ -271,12 +272,13 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
AssertionAttributeExtractor extractor =
new AssertionAttributeExtractor(intfResp);
- if (!extractor.containsAllRequiredAttributes()) {
+ if (!extractor.containsAllRequiredAttributes()) {
+ Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");
//collect attributes by using BackChannel communication
String endpoint = idp.getIDPAttributQueryServiceURL();
if (MiscUtil.isEmpty(endpoint)) {
- Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix());
- throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null);
+ Logger.error("No AttributeQueryURL for interfederationIDP " + idp.getPublicURLPrefix());
+ throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + idp.getPublicURLPrefix(), null);
}
//build attributQuery request
@@ -321,7 +323,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
//parse response information to authData
- buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam);
+ buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam, req);
} catch (SOAPException e) {
throw new BuildException("builder.06", null, e);
@@ -348,7 +350,8 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
AuthenticationData authData,
AuthenticationSession session,
AssertionAttributeExtractor extractor,
- IOAAuthParameters oaParam)
+ IOAAuthParameters oaParam,
+ IRequest req)
throws BuildException, AssertionAttributeExtractorExeption {
Logger.debug("Build AuthData from assertion starts ....");
@@ -358,14 +361,35 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
authData.setFamilyName(extractor.getSingleAttributeValue(PVPConstants.PRINCIPAL_NAME_NAME));
authData.setGivenName(extractor.getSingleAttributeValue(PVPConstants.GIVEN_NAME_NAME));
authData.setDateOfBirth(extractor.getSingleAttributeValue(PVPConstants.BIRTHDATE_NAME));
- authData.setBPKType(extractor.getSingleAttributeValue(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME));
authData.setCcc(extractor.getSingleAttributeValue(PVPConstants.EID_ISSUING_NATION_NAME));
authData.setBkuURL(extractor.getSingleAttributeValue(PVPConstants.EID_CCS_URL_NAME));
authData.setIdentificationValue(extractor.getSingleAttributeValue(PVPConstants.EID_SOURCE_PIN_NAME));
authData.setIdentificationType(extractor.getSingleAttributeValue(PVPConstants.EID_SOURCE_PIN_TYPE_NAME));
+
+ if (extractor.containsAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
+ String bpkType = extractor.getSingleAttributeValue(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME);
+ if (bpkType.startsWith(Constants.URN_PREFIX_CDID) &&
+ !bpkType.substring(Constants.URN_PREFIX_CDID.length(),
+ Constants.URN_PREFIX_CDID.length() + 1).equals("+")) {
+ Logger.warn("Receive uncorrect encoded bBKType attribute " + bpkType + " Starting attribute value correction ... ");
+ bpkType = Constants.URN_PREFIX_CDID + "+" + bpkType.substring(Constants.URN_PREFIX_CDID.length() + 1);
+
+ }
+
+ authData.setBPKType(bpkType);
+ }
+
if (extractor.containsAttribute(PVPConstants.BPK_NAME)) {
String pvpbPK = extractor.getSingleAttributeValue(PVPConstants.BPK_NAME);
+
+ if (pvpbPK.startsWith("bPK:")) {
+ Logger.warn("Attribute " + PVPConstants.BPK_NAME
+ + " contains a not standardize prefix! Staring attribute value correction process ...");
+ pvpbPK = pvpbPK.substring("bPK:".length());
+
+ }
+
String[] spitted = pvpbPK.split(":");
authData.setBPK(spitted[1]);
if (MiscUtil.isEmpty(authData.getBPKType())) {
@@ -513,7 +537,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
//build OA specific bPK/wbPK information
- buildOAspecificbPK(oaParam, authData,
+ buildOAspecificbPK(req, oaParam, authData,
authData.getIdentificationValue(),
authData.getIdentificationType());
@@ -521,7 +545,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
if (MiscUtil.isEmpty(authData.getBPK())) {
Logger.debug("Calcutlate bPK from baseID");
- buildOAspecificbPK(oaParam, authData,
+ buildOAspecificbPK(req, oaParam, authData,
authData.getIdentificationValue(),
authData.getIdentificationType());
@@ -536,7 +560,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
} else {
Logger.debug("Found PVP QAA level. QAA mapping process starts ... ");
- String mappedQAA = PVPtoSTORKMapper.getInstance().mapQAALevel(qaaLevel);
+ String mappedQAA = PVPtoSTORKMapper.getInstance().mapToQAALevel(qaaLevel);
if (MiscUtil.isNotEmpty(mappedQAA))
authData.setQAALevel(mappedQAA);
@@ -744,6 +768,12 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
}
+ //set PVP OU attribute
+ if (extractor.containsAttribute(PVPConstants.OU_NAME)) {
+ authData.setPvpAttribute_OU(extractor.getSingleAttributeValue(PVPConstants.OU_NAME));
+ Logger.debug("Found PVP 'OU' attribute in response -> " + authData.getPvpAttribute_OU());
+
+ }
//set STORK attributes
if (extractor.containsAttribute(PVPConstants.EID_STORK_TOKEN_NAME)) {
@@ -761,8 +791,19 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
authData.setSsoSession(true);
authData.setInterfederatedSSOSession(true);
- if (extractor.getFullAssertion().getConditions() != null && extractor.getFullAssertion().getConditions().getNotOnOrAfter() != null)
+ if (extractor.getFullAssertion().getAuthnStatements() != null
+ && extractor.getFullAssertion().getAuthnStatements().size() > 0) {
+ for (AuthnStatement el : extractor.getFullAssertion().getAuthnStatements()) {
+ if (el.getSessionNotOnOrAfter() != null) {
+ authData.setSsoSessionValidTo(el.getSessionNotOnOrAfter().toDate());
+ break;
+ }
+ }
+
+ } else {
authData.setSsoSessionValidTo(extractor.getFullAssertion().getConditions().getNotOnOrAfter().toDate());
+
+ }
//only for SAML1
if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel()))
@@ -805,7 +846,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
private static void buildAuthDataFormMOASession(AuthenticationData authData, AuthenticationSession session,
- IOAAuthParameters oaParam) throws BuildException, ConfigurationException {
+ IOAAuthParameters oaParam, IRequest protocolRequest) throws BuildException, ConfigurationException {
IdentityLink identityLink = session.getIdentityLink();
@@ -919,7 +960,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
Logger.trace("Authenticated User is OW: " + mandate.getOWbPK());
} else {
- buildOAspecificbPK(oaParam, authData,
+ buildOAspecificbPK(protocolRequest, oaParam, authData,
identityLink.getIdentificationValue(),
identityLink.getIdentificationType());
@@ -951,7 +992,13 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
//resign IDL
IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance();
Element resignedilAssertion;
- resignedilAssertion = identitylinkresigner.resignIdentityLink(businessServiceIdl.getSamlAssertion());
+
+ AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
+ if (config.isIdentityLinkResigning()) {
+ resignedilAssertion = identitylinkresigner.resignIdentityLink(businessServiceIdl.getSamlAssertion(), config.getIdentityLinkResigningKey());
+ } else {
+ resignedilAssertion = businessServiceIdl.getSamlAssertion();
+ }
IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion);
IdentityLink resignedIDL = resignedIDLParser.parseIdentityLink();
@@ -963,7 +1010,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
- private static void buildOAspecificbPK(IOAAuthParameters oaParam, AuthenticationData authData, String baseID, String baseIDType) throws BuildException {
+ private static void buildOAspecificbPK(IRequest protocolRequest, IOAAuthParameters oaParam, AuthenticationData authData, String baseID, String baseIDType) throws BuildException {
if (oaParam.getBusinessService()) {
//since we have foreigner, wbPK is not calculated in BKU
@@ -984,9 +1031,15 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
if (baseIDType.equals(Constants.URN_PREFIX_BASEID)) {
// only compute bPK if online application is a public service and we have the Stammzahl
- String bpkBase64 = new BPKBuilder().buildBPK(baseID, oaParam.getTarget());
+ String target = null;
+ if (protocolRequest instanceof SAML1RequestImpl)
+ target = protocolRequest.getTarget();
+ else
+ target = oaParam.getTarget();
+
+ String bpkBase64 = new BPKBuilder().buildBPK(baseID, target);
authData.setBPK(bpkBase64);
- authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
+ authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + target);
}
Logger.trace("Authenticate user with bPK " + authData.getBPK());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
index e2802c1d2..a5783bfb7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
@@ -106,7 +106,7 @@ public class IdentityLinkAssertionParser {
+ PDATA
+ "Person";
/** Xpath expression to the PersonData GivenName element */
- private static final String PERSON_GIVEN_NAME_XPATH =
+ public static final String PERSON_GIVEN_NAME_XPATH =
PERSON_XPATH
+ "/"
+ PDATA
@@ -114,7 +114,7 @@ public class IdentityLinkAssertionParser {
+ PDATA
+ "GivenName";
/** Xpath expression to the PersonData FamilyName element */
- private static final String PERSON_FAMILY_NAME_XPATH =
+ public static final String PERSON_FAMILY_NAME_XPATH =
PERSON_XPATH
+ "/"
+ PDATA
@@ -122,7 +122,7 @@ public class IdentityLinkAssertionParser {
+ PDATA
+ "FamilyName";
/** Xpath expression to the PersonData DateOfBirth element */
- private static final String PERSON_DATE_OF_BIRTH_XPATH =
+ public static final String PERSON_DATE_OF_BIRTH_XPATH =
PERSON_XPATH
+ "/"
+ PDATA
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
index 1bc3702e4..a123569d5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
@@ -132,12 +132,13 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{
String targetFriendlyNameConfig = oaParam.getTargetFriendlyName();
if (StringUtils.isEmpty(targetConfig)
-// || (module.equals(SAML1Protocol.PATH) &&
-// !StringUtils.isEmpty(target))
+ || (module.equals(SAML1Protocol.PATH) &&
+ !StringUtils.isEmpty(target))
) {
- // no target attribut is given in OA config
- // target is used from request
- // check parameter
+ //INFO: ONLY SAML1 legacy mode
+ // if SAML1 is used and target attribute is given in request
+ // use requested target
+ // check target parameter
if (!ParamValidatorUtils.isValidTarget(target)) {
Logger.error("Selected target is invalid. Using target: " + target);
throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
index bc8a01e41..ad4776a45 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
@@ -42,6 +42,11 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+
+import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.moduls.RequestStorage;
+import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol;
+
import at.gv.egovernment.moa.id.process.ExecutionContextImpl;
import at.gv.egovernment.moa.id.process.ProcessInstance;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
@@ -101,11 +106,15 @@ public class GenerateIFrameTemplateServlet extends AuthServlet {
else {
- //load Parameters from config
- String target = oaParam.getTarget();
-
-
-
+ //get Target from config or from request in case of SAML 1
+ String target = null;
+ IRequest pendingReq = RequestStorage.getPendingRequest(pendingRequestID);
+ if (MiscUtil.isNotEmpty(pendingReq.getTarget()) &&
+ pendingReq.requestedModule().equals(SAML1Protocol.PATH))
+ target = pendingReq.getTarget();
+ else
+ target = oaParam.getTarget();
+
String bkuURL = oaParam.getBKUURL(bkuid);
if (MiscUtil.isEmpty(bkuURL)) {
Logger.info("No OA specific BKU defined. Use BKU from default configuration");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
index e45418b4b..7357818c8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
@@ -48,6 +48,8 @@ import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.opensaml.saml2.core.StatusCode;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
import at.gv.egovernment.moa.id.auth.AuthenticationServer;
import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
@@ -55,18 +57,23 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
import at.gv.egovernment.moa.id.auth.stork.STORKException;
import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.moduls.ModulUtils;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.util.HTTPUtils;
+import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
import at.gv.egovernment.moa.id.util.VelocityProvider;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.StringUtils;
+import at.gv.egovernment.moa.util.XPathUtils;
import at.gv.util.xsd.xmldsig.SignatureType;
import at.gv.util.xsd.xmldsig.X509DataType;
import eu.stork.oasisdss.api.ApiUtils;
@@ -111,15 +118,26 @@ public class PEPSConnectorServlet extends AuthServlet {
public PEPSConnectorServlet()
{
super();
- Properties props = new Properties();
+
try {
- props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties"));
- dtlUrl = props.getProperty("docservice.url");
- } catch (IOException e) {
+ AuthConfigurationProvider authConfigurationProvider = AuthConfigurationProvider.getInstance();
+ dtlUrl = authConfigurationProvider.getDocumentServiceUrl();
+ Logger.info ("PEPSConnectorServlet, using dtlUrl:"+dtlUrl);
+ } catch (Exception e) {
dtlUrl = "http://testvidp.buergerkarte.at/DocumentService/DocumentService";
- Logger.error("Loading DTL config failed, using default value:"+dtlUrl);
e.printStackTrace();
- }
+ Logger.error("Loading documentservice url failed, using default value:"+dtlUrl);
+ }
+
+// Properties props = new Properties();
+// try {
+// props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties"));
+// dtlUrl = props.getProperty("docservice.url");
+// } catch (IOException e) {
+// dtlUrl = "http://testvidp.buergerkarte.at/DocumentService/DocumentService";
+// Logger.error("Loading DTL config failed, using default value:"+dtlUrl);
+// e.printStackTrace();
+// }
}
/**
* @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
@@ -247,7 +265,56 @@ public class PEPSConnectorServlet extends AuthServlet {
Logger.error("Could not find any preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);
throw new MOAIDException("stork.07", null);
}
-
+
+ OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix());
+ if (oaParam == null)
+ throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() });
+ //================== Check QAA level start ====================
+ int reqQaa = -1;
+ int authQaa = -1;
+ String authQaaStr = null;
+ try {
+ reqQaa = storkAuthnRequest.getQaa();
+
+ //TODO: found better solution, but QAA Level in response could be not supported yet
+ try {
+
+ authQaaStr = authnResponse.getAssertions().get(0).
+ getAuthnStatements().get(0).getAuthnContext().
+ getAuthnContextClassRef().getAuthnContextClassRef();
+ moaSession.setQAALevel(authQaaStr);
+
+ } catch (Throwable e) {
+ Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level");
+ moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
+ authQaaStr = PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel();
+ }
+ if(authQaaStr != null)//Check value only if set
+ {
+ authQaa = Integer.valueOf(authQaaStr.substring(PVPConstants.STORK_QAA_PREFIX.length()));
+// authQaa = Integer.valueOf(authQaaStr);
+ if (reqQaa > authQaa) {
+ Logger.warn("Requested QAA level does not match to authenticated QAA level");
+ throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa});
+
+ }
+ }
+ } catch (MOAIDException e) {
+ throw e;
+
+ } catch (Exception e) {
+ if (Logger.isDebugEnabled())
+ Logger.warn("STORK QAA Level evaluation error", e);
+
+ else
+ Logger.warn("STORK QAA Level evaluation error (ErrorMessage="
+ + e.getMessage() + ")");
+
+ throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa});
+
+ }
+ //================== Check QAA level end ====================
+
Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);
////////////// incorporate gender from parameters if not in stork response
@@ -288,28 +355,41 @@ public class PEPSConnectorServlet extends AuthServlet {
SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo)));
// fetch signed doc
- DataSource ds = LightweightSourceResolver.getDataSource(dssSignResponse);
+ DataSource ds = null;
+ try{
+ ds = LightweightSourceResolver.getDataSource(dssSignResponse);
+ }catch(Exception e)
+ {
+ e.printStackTrace();
+ }
if(ds == null){
- throw new ApiUtilsException("No datasource found in response");
- }
-
- InputStream incoming = ds.getInputStream();
- citizenSignature = IOUtils.toString(incoming);
- incoming.close();
-
- Logger.debug("citizenSignature:"+citizenSignature);
- if(isDocumentServiceUsed(citizenSignature)==true)
+ //Normal DocumentServices return a http-page, but the SI DocumentService returns HTTP error 500
+ //which results in an exception and ds==null
+
+ //try to load document from documentservice
+ citizenSignature = loadDocumentFromDocumentService(dssSignResponse);
+ //throw new ApiUtilsException("No datasource found in response");
+ }
+ else
{
- Logger.debug("Loading document from DocumentService.");
- String url = getDtlUrlFromResponse(dssSignResponse);
- //get Transferrequest
- String transferRequest = getDocTransferRequest(dssSignResponse.getDocUI(), url);
- //Load document from DocujmentService
- byte[] data = getDocumentFromDtl(transferRequest, url);
- citizenSignature = new String(data, "UTF-8");
- Logger.debug("Overridung citizenSignature with:"+citizenSignature);
+ InputStream incoming = ds.getInputStream();
+ citizenSignature = IOUtils.toString(incoming);
+ incoming.close();
+
+ Logger.debug("citizenSignature:"+citizenSignature);
+ if(isDocumentServiceUsed(citizenSignature)==true)
+ {
+ citizenSignature = loadDocumentFromDocumentService(dssSignResponse);
+ // Logger.debug("Loading document from DocumentService.");
+ // String url = getDtlUrlFromResponse(dssSignResponse);
+ // //get Transferrequest
+ // String transferRequest = getDocTransferRequest(dssSignResponse.getDocUI(), url);
+ // //Load document from DocumentService
+ // byte[] data = getDocumentFromDtl(transferRequest, url);
+ // citizenSignature = new String(data, "UTF-8");
+ // Logger.debug("Overridung citizenSignature with:"+citizenSignature);
+ }
}
-
JAXBContext ctx = JAXBContext.newInstance(SignatureType.class.getPackage().getName());
SignatureType root = ((JAXBElement<SignatureType>) ctx.createUnmarshaller().unmarshal(IOUtils.toInputStream(citizenSignature))).getValue();
@@ -346,9 +426,9 @@ public class PEPSConnectorServlet extends AuthServlet {
// Logger.error("could not retrieve moa session");
// throw new AuthenticationException("auth.01", null);
// }
- OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix());
- if (oaParam == null)
- throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() });
+// OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix());
+// if (oaParam == null)
+// throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() });
// retrieve target
//TODO: check in case of SSO!!!
@@ -363,14 +443,61 @@ public class PEPSConnectorServlet extends AuthServlet {
targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
}
- Logger.debug("Starting connecting SZR Gateway");
- //contact SZR Gateway
IdentityLink identityLink = null;
try {
- identityLink = STORKResponseProcessor.connectToSZRGateway(authnResponse.getPersonalAttributeList(),
+ AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
+ if(config.isStorkFakeIdLActive() && config.getStorkFakeIdLCountries().contains(storkAuthnRequest.getCitizenCountryCode())) {
+ // create fake IdL
+ // - fetch IdL template from resources
+ InputStream s = PEPSConnectorServlet.class.getResourceAsStream("/resources/xmldata/fakeIdL_IdL_template.xml");
+ Element idlTemplate = DOMUtils.parseXmlValidating(s);
+
+ identityLink = new IdentityLinkAssertionParser(idlTemplate).parseIdentityLink();
+
+ // replace data
+ Element idlassertion = identityLink.getSamlAssertion();
+ // - set bpk/wpbk;
+ Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
+ if(!STORKResponseProcessor.hasAttribute("eIdentifier", attributeList))
+ throw new STORKException("eIdentifier is missing");
+ String eIdentifier = STORKResponseProcessor.getAttributeValue("eIdentifier", attributeList, false);
+ prIdentification.getFirstChild().setNodeValue(eIdentifier);
+
+ // - set last name
+ Node prFamilyName = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH);
+ if(!STORKResponseProcessor.hasAttribute("surname", attributeList))
+ throw new STORKException("surname is missing");
+ String familyName = STORKResponseProcessor.getAttributeValue("surname", attributeList, false);
+ prFamilyName.getFirstChild().setNodeValue(familyName);
+
+ // - set first name
+ Node prGivenName = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH);
+ if(!STORKResponseProcessor.hasAttribute("givenName", attributeList))
+ throw new STORKException("givenName is missing");
+ String givenName = STORKResponseProcessor.getAttributeValue("givenName", attributeList, false);
+ prGivenName.getFirstChild().setNodeValue(givenName);
+
+ // - set date of birth
+ Node prDateOfBirth = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH);
+ if(!STORKResponseProcessor.hasAttribute("dateOfBirth", attributeList))
+ throw new STORKException("dateOfBirth is missing");
+ String dateOfBirth = STORKResponseProcessor.getAttributeValue("dateOfBirth", attributeList, false);
+ prDateOfBirth.getFirstChild().setNodeValue(dateOfBirth);
+
+ identityLink = new IdentityLinkAssertionParser(idlassertion).parseIdentityLink();
+
+ //resign IDL
+ IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance();
+ Element resignedilAssertion = identitylinkresigner.resignIdentityLink(identityLink.getSamlAssertion(), config.getStorkFakeIdLResigningKey());
+ identityLink = new IdentityLinkAssertionParser(resignedilAssertion).parseIdentityLink();
+ } else {
+ //contact SZR Gateway
+ Logger.debug("Starting connecting SZR Gateway");
+ identityLink = STORKResponseProcessor.connectToSZRGateway(authnResponse.getPersonalAttributeList(),
oaParam.getFriendlyName(),
targetType, null,
oaParam.getMandateProfiles(), citizenSignature);
+ }
} catch (STORKException e) {
// this is really nasty but we work against the system here. We are supposed to get the gender attribute from
// stork. If we do not, we cannot register the person in the ERnP - we have to have the
@@ -427,18 +554,18 @@ public class PEPSConnectorServlet extends AuthServlet {
// stork did the authentication step
moaSession.setAuthenticated(true);
- //TODO: found better solution, but QAA Level in response could be not supported yet
- try {
-
- moaSession.setQAALevel(authnResponse.getAssertions().get(0).
- getAuthnStatements().get(0).getAuthnContext().
- getAuthnContextClassRef().getAuthnContextClassRef());
-
- } catch (Throwable e) {
- Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level");
- moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
-
- }
+// //TODO: found better solution, but QAA Level in response could be not supported yet
+// try {
+//
+// moaSession.setQAALevel(authnResponse.getAssertions().get(0).
+// getAuthnStatements().get(0).getAuthnContext().
+// getAuthnContextClassRef().getAuthnContextClassRef());
+//
+// } catch (Throwable e) {
+// Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level");
+// moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
+//
+// }
//session is implicit stored in changeSessionID!!!!
String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession);
@@ -476,11 +603,28 @@ public class PEPSConnectorServlet extends AuthServlet {
}
+ private String loadDocumentFromDocumentService(SignResponse dssSignResponse) throws Exception
+ {
+ Logger.debug("Loading document from DocumentService.");
+ String url = getDtlUrlFromResponse(dssSignResponse);
+ Logger.debug("Loading document from DocumentService, url:"+url);
+ //get Transferrequest
+ String transferRequest = getDocTransferRequest(dssSignResponse.getDocUI(), url);
+ //Load document from DocumentService
+ byte[] data = getDocumentFromDtl(transferRequest, url);
+ String citizenSignature = new String(data, "UTF-8");
+ Logger.debug("Overridung citizenSignature with:"+citizenSignature);
+ return citizenSignature;
+ }
private boolean isDocumentServiceUsed(String citizenSignature) //TODo add better check
{
if(citizenSignature.contains("<table border=\"0\"><tr><td>Service Name:</td><td>{http://stork.eu}DocumentService</td></tr><tr><td>Port Name:</td><td>{http://stork.eu}DocumentServicePort</td></tr></table>"))
+ {
+ Logger.trace("isDocumentServiceUsed => true");
return true;
+ }
+ Logger.trace("isDocumentServiceUsed => false");
return false;
}
@@ -517,6 +661,7 @@ public class PEPSConnectorServlet extends AuthServlet {
URL url = null;
try
{
+ Logger.debug("getDocumentFromDtl, dtlUrl:'"+dtlUrl+"' eDtlUrl:'"+eDtlUrl+"'");
url = new URL(dtlUrl);
QName qname = new QName("http://stork.eu",
"DocumentService");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
index 7113dcf70..ea1526ff0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
@@ -102,7 +102,7 @@ public class STORKResponseProcessor {
private static String getAttributeValue(String attributeName, IPersonalAttributeList attributeList) throws STORKException {
return getAttributeValue(attributeName, attributeList, true);
}
- private static String getAttributeValue(String attributeName, IPersonalAttributeList attributeList, boolean throwException) throws STORKException {
+ public static String getAttributeValue(String attributeName, IPersonalAttributeList attributeList, boolean throwException) throws STORKException {
try {
String result = attributeList.get(attributeName).getValue().get(0);
Logger.trace(attributeName + " : " + result);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWClient.java
index e1cd59c26..61b26b59a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWClient.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWClient.java
@@ -65,6 +65,7 @@ import org.w3c.dom.NodeList;
import org.w3c.dom.Text;
import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
+import at.gv.egovernment.moa.id.commons.utils.HttpClientWithProxySupport;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
@@ -137,7 +138,7 @@ public class SZRGWClient {
if (address == null) {
throw new NullPointerException("Address (SZR-gateway ServiceURL) must not be null.");
}
- HttpClient client = new HttpClient();
+ HttpClient client = HttpClientWithProxySupport.getHttpClient();
PostMethod method = new PostMethod(address);
method.setRequestHeader("SOAPAction", "");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index 0dfd2236f..c746c0888 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -53,6 +53,7 @@ import java.io.IOException;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
@@ -1008,6 +1009,39 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
return null;
}
+ /**
+ * Checks if is fakeIdL is activated.
+ *
+ * @return true, if fake IdLs are available for stork
+ */
+ public boolean isStorkFakeIdLActive() {
+ String prop = props.getProperty("stork.fakeIdL.active", "false");
+ return Boolean.valueOf(prop);
+ }
+
+ /**
+ * Gets the countries which will receive a fake IdL
+ *
+ * @return the countries
+ */
+ public List<String> getStorkFakeIdLCountries() {
+ String prop = props.getProperty("stork.fakeIdL.countries", "");
+ return Arrays.asList(prop.replaceAll(" ", "").split(","));
+ }
+
+ /**
+ * Gets the resigning key (group) for the stork fake IdL.
+ *
+ * @return the resigning key
+ */
+ public String getStorkFakeIdLResigningKey() {
+ String prop = props.getProperty("stork.fakeIdL.keygroup");
+ if (MiscUtil.isNotEmpty(prop))
+ return prop;
+ else
+ return null;
+ }
+
public boolean isMonitoringActive() {
String prop = props.getProperty("configuration.monitoring.active", "false");
return Boolean.valueOf(prop);
@@ -1048,8 +1082,21 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
return !Boolean.valueOf(prop);
}
+
+ //Load document service url from moa properties
+ public String getDocumentServiceUrl() {
+ String prop = props.getProperty("stork.documentservice.url", "false");
+ return prop;
+ }
+
+
+ public boolean isPVPSchemaValidationActive() {
+ String prop = props.getProperty("protocols.pvp2.schemavalidation", "true");
+ return Boolean.valueOf(prop);
+ }
+
/**
- * Retruns the STORK Configuration
+ * Returns the STORK Configuration
* @return STORK Configuration
* @throws ConfigurationException
*/
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
index 65c413ef9..05b008515 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
@@ -133,7 +133,9 @@ public class AuthenticationData implements IAuthData, Serializable {
private String authBlock = null;
private List<String> encbPKList = null;
+ //ISA 1.18 attributes
private List<AuthenticationRole> roles = null;
+ private String pvpAttribute_OU = null;
private boolean useMandate = false;
private MISMandate mandate = null;
@@ -707,6 +709,7 @@ public class AuthenticationData implements IAuthData, Serializable {
return roles;
}
+ //ISA 1.18 attributes
/**
* @param roles the roles to set
*/
@@ -716,26 +719,31 @@ public class AuthenticationData implements IAuthData, Serializable {
this.roles.add(role);
}
+
+ /**
+ * @return the pvpAttribute_OU
+ */
+ public String getPvpAttribute_OU() {
+ return pvpAttribute_OU;
+ }
+
+ /**
+ * @param pvpAttribute_OU the pvpAttribute_OU to set
+ */
+ public void setPvpAttribute_OU(String pvpAttribute_OU) {
+ this.pvpAttribute_OU = pvpAttribute_OU;
+ }
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService()
*/
@Override
public boolean isBusinessService() {
- // TODO Auto-generated method stub
return this.businessService;
}
public void setIsBusinessService(boolean flag) {
this.businessService = flag;
- }
-
-
-
-
-
-
-
-
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java
index 8915b2442..b3b29f6c5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java
@@ -26,6 +26,7 @@ import java.util.Arrays;
import java.util.List;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
/**
* @author tlenz
@@ -51,23 +52,29 @@ public class AuthenticationRoleFactory {
List<String> param = Arrays.asList(params.split(","));
String test = new String();
for (String el : param) {
- test = test.concat(el);
- if (!test.endsWith("\\") ||
- (test.endsWith("\\\\") && !test.endsWith("\\\\\\")) ) {
- String[] keyValue = test.split("=");
- if (keyValue.length < 2) {
- role.addParameter(keyValue[0].trim(), "");
- Logger.debug("Add authentication roleparameter with key=" + keyValue[0].trim());
+ if (MiscUtil.isNotEmpty(el)) {
+ test = test.concat(el);
+ if (!test.endsWith("\\") ||
+ (test.endsWith("\\\\") && !test.endsWith("\\\\\\")) ) {
+ String[] keyValue = test.split("=");
+ if (keyValue.length < 2) {
+ role.addParameter(keyValue[0].trim(), "");
+ Logger.debug("Add authentication roleparameter with key=" + keyValue[0].trim());
- } else {
- role.addParameter(keyValue[0].trim(), keyValue[1].trim());
- Logger.debug("Add authentication roleparameter with key=" + keyValue[0].trim()
- + " value=" + keyValue[1].trim());
+ } else {
+ role.addParameter(keyValue[0].trim(), keyValue[1].trim());
+ Logger.debug("Add authentication roleparameter with key=" + keyValue[0].trim()
+ + " value=" + keyValue[1].trim());
- }
+ }
- test = new String();
- }
+ test = new String();
+
+ } else {
+ test = test.substring(0, test.length()-1).concat(",");
+
+ }
+ }
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
index ebbf62ce7..ccc90a031 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
@@ -69,7 +69,9 @@ public interface IAuthData {
IdentityLink getIdentityLink();
byte[] getSignerCertificate();
String getAuthBlock();
-
+
+ //ISA 1.18 attributes
+ String getPvpAttribute_OU();
List<AuthenticationRole> getAuthenticationRoles();
boolean isPublicAuthority();
@@ -90,5 +92,6 @@ public interface IAuthData {
String getCcc();
STORKAuthnRequest getStorkAuthnRequest();
String getStorkAuthnResponse();
- IPersonalAttributeList getStorkAttributes();
+ IPersonalAttributeList getStorkAttributes();
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index b239fbb1d..49f3df25c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -77,6 +77,8 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.SLOInformationContainer;
import at.gv.egovernment.moa.id.data.SLOInformationImpl;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+
import at.gv.egovernment.moa.id.process.ExecutionContextImpl;
import at.gv.egovernment.moa.id.process.ProcessEngine;
import at.gv.egovernment.moa.id.process.ProcessExecutionException;
@@ -91,9 +93,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest;
import at.gv.egovernment.moa.id.storage.AssertionStorage;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
+import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.logging.Logger;
@@ -384,6 +388,7 @@ public class AuthenticationManager implements MOAIDAuthConstants {
//get IDP metadata
try {
OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getRequestedIDP());
+ OAAuthParameter sp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getOAURL());
if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) {
Logger.info("Requested interfederation IDP " + target.getRequestedIDP() + " is not valid for interfederation.");
@@ -392,7 +397,7 @@ public class AuthenticationManager implements MOAIDAuthConstants {
return;
}
-
+
EntityDescriptor idpEntity = MOAMetadataProvider.getInstance().
getEntityDescriptor(target.getRequestedIDP());
@@ -412,7 +417,7 @@ public class AuthenticationManager implements MOAIDAuthConstants {
redirectEndpoint == null )
redirectEndpoint = sss;
}
-
+
if (redirectEndpoint != null) {
AuthnRequest authReq = SAML2Utils
@@ -425,16 +430,10 @@ public class AuthenticationManager implements MOAIDAuthConstants {
authReq.setAssertionConsumerServiceIndex(0);
authReq.setIssueInstant(new DateTime());
- Subject subject = SAML2Utils.createSAMLObject(Subject.class);
- NameID name = SAML2Utils.createSAMLObject(NameID.class);
- Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
-
+ Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath();
- name.setValue(serviceURL);
issuer.setValue(serviceURL);
- subject.setNameID(name);
- authReq.setSubject(subject);
issuer.setFormat(NameIDType.ENTITY);
authReq.setIssuer(issuer);
NameIDPolicy policy = SAML2Utils
@@ -449,13 +448,55 @@ public class AuthenticationManager implements MOAIDAuthConstants {
SAML2Utils.createSAMLObject(RequestedAuthnContext.class);
AuthnContextClassRef authnClassRef =
- SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
- authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4");
+ SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
+
+ if (sp != null && sp.isSTORKPVPGateway()){
+ //use PVP SecClass instead of STORK QAA level
+ String secClass = null;
+ if (target instanceof MOASTORKRequest) {
+
+ try {
+ MOASTORKRequest storkReq = (MOASTORKRequest) target;
+ secClass = PVPtoSTORKMapper.getInstance().mapToSecClass(
+ PVPConstants.STORK_QAA_PREFIX + storkReq.getStorkAuthnRequest().getQaa());
+
+ } catch (Exception e) {
+ Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e);
+
+ }
+ }
+
+ if (MiscUtil.isNotEmpty(secClass))
+ authnClassRef.setAuthnContextClassRef(secClass);
+ else
+ authnClassRef.setAuthnContextClassRef("http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3");
+
+ } else {
+ if (target instanceof MOASTORKRequest) {
+ //use requested QAA level from STORK request
+ try {
+ MOASTORKRequest storkReq = (MOASTORKRequest) target;
+ authnClassRef.setAuthnContextClassRef(
+ PVPConstants.STORK_QAA_PREFIX + storkReq.getStorkAuthnRequest().getQaa());
+ Logger.debug("Use STORK-QAA level " + authnClassRef.getAuthnContextClassRef()
+ + " from STORK request");
+
+ } catch (Exception e) {
+ Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e);
+
+ }
+
+ }
+
+ if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef()))
+ authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4");
+
+ }
+
reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
reqAuthContext.getAuthnContextClassRefs().add(authnClassRef);
authReq.setRequestedAuthnContext(reqAuthContext);
-
-
+
IEncoder binding = null;
if (redirectEndpoint.getBinding().equals(
SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
index b22941216..aa154b84b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
@@ -135,8 +135,10 @@ public class SingleLogOutAction implements IAction {
if (MiscUtil.isEmpty(ssoID)) {
Logger.warn("Can not find active Session. Single LogOut not possible!");
SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
- LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
- SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
+ //LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
+ LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, null);
+ Logger.info("Sending SLO success message to requester ...");
+ SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
return null;
} else {
@@ -147,7 +149,9 @@ public class SingleLogOutAction implements IAction {
} catch (MOADatabaseException e) {
Logger.warn("Can not find active Session. Single LogOut not possible!");
SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
- LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
+ //LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
+ LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, null);
+ Logger.info("Sending SLO success message to requester ...");
SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
return null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index 01139d95c..50f42d928 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -43,6 +43,7 @@ import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusMessage;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
@@ -348,17 +349,29 @@ public class SingleLogOutBuilder {
public static SingleLogoutService getResponseSLODescriptor(PVPTargetConfiguration spRequest) throws NoMetadataInformationException, NOSLOServiceDescriptorException {
MOARequest moaReq = (MOARequest) spRequest.getRequest();
EntityDescriptor metadata = moaReq.getEntityMetadata();
- SPSSODescriptor spsso = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+ SSODescriptor ssodesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+
+ if (ssodesc == null) {
+ Logger.debug("No PVP SPSSO descriptor found --> search IDPSSO descriptor");
+ ssodesc = metadata.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
+
+ }
+
+ if (ssodesc == null) {
+ Logger.error("Found no SLO ServiceDescriptor in Metadata");
+ throw new NOSLOServiceDescriptorException("NO SLO ServiceDescriptor", null);
+ }
+
SingleLogoutService sloService = null;
- for (SingleLogoutService el : spsso.getSingleLogoutServices()) {
+ for (SingleLogoutService el : ssodesc.getSingleLogoutServices()) {
if (el.getBinding().equals(spRequest.getBinding()))
sloService = el;
}
if (sloService == null) {
- if (spsso.getSingleLogoutServices().size() != 0)
- sloService = spsso.getSingleLogoutServices().get(0);
+ if (ssodesc.getSingleLogoutServices().size() != 0)
+ sloService = ssodesc.getSingleLogoutServices().get(0);
else {
Logger.error("Found no SLO ServiceDescriptor in Metadata");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java
index 4c981cb24..1059e324e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java
@@ -22,10 +22,14 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes;
+import org.w3c.dom.Element;
+
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
+import at.gv.egovernment.moa.id.util.MandateBuilder;
import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -37,23 +41,37 @@ public class MandateProfRepDescAttributeBuilder implements IPVPAttributeBuilder
public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
- if(authData.isUseMandate()) {
- MISMandate mandate = authData.getMISMandate();
-
+ if(authData.isUseMandate()) {
+ Element mandate = authData.getMandate();
+ if (mandate == null) {
+ throw new NoMandateDataAttributeException();
+ }
- if(mandate == null) {
+ Mandate mandateObject = MandateBuilder.buildMandate(authData.getMandate());
+ if (mandateObject == null) {
throw new NoMandateDataAttributeException();
}
+
+ String text = null;
+ if (MiscUtil.isNotEmpty(mandateObject.getAnnotation())) {
+ text = mandateObject.getAnnotation();
+
+ } else {
+ MISMandate misMandate = authData.getMISMandate();
- String text = mandate.getTextualDescriptionOfOID();
+ if(misMandate == null) {
+ throw new NoMandateDataAttributeException();
+ }
- if(MiscUtil.isEmpty(text)) {
- return null;
-
- } else
- return g.buildStringAttribute(MANDATE_PROF_REP_DESC_FRIENDLY_NAME,
- MANDATE_PROF_REP_DESC_NAME, text);
+ text = misMandate.getTextualDescriptionOfOID();
+ if(MiscUtil.isEmpty(text)) {
+ return null;
+
+ } else
+ return g.buildStringAttribute(MANDATE_PROF_REP_DESC_FRIENDLY_NAME,
+ MANDATE_PROF_REP_DESC_NAME, text);
+ }
}
return null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SchemaValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SchemaValidationException.java
new file mode 100644
index 000000000..fc4ed1f28
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SchemaValidationException.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SchemaValidationException extends PVP2Exception {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 1L;
+
+ /**
+ * @param messageId
+ * @param parameters
+ */
+ public SchemaValidationException(String messageId, Object[] parameters) {
+ super(messageId, parameters);
+ }
+
+ /**
+ * @param messageId
+ * @param parameters
+ */
+ public SchemaValidationException(String messageId, Object[] parameters, Throwable e) {
+ super(messageId, parameters, e);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index cba64e080..12afa14bc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -57,6 +57,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -324,6 +325,7 @@ public class MOAMetadataProvider implements MetadataProvider {
private MetadataFilterChain buildMetadataFilterChain(OnlineApplication oa, String metadataURL, byte[] certificate) throws CertificateException {
MetadataFilterChain filterChain = new MetadataFilterChain(metadataURL, certificate);
+ filterChain.getFilters().add(new SchemaValidationFilter());
if (oa.isIsInterfederationIDP() != null && oa.isIsInterfederationIDP()) {
Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies");
@@ -374,6 +376,8 @@ public class MOAMetadataProvider implements MetadataProvider {
httpProvider.setMetadataFilter(filter);
httpProvider.initialize();
+ httpProvider.setRequireValidMetadata(true);
+
return httpProvider;
} catch (Throwable e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
index f0373e214..26b3bfbd1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -54,8 +54,7 @@ public class AssertionAttributeExtractor {
private final List<String> minimalAttributeNameList = Arrays.asList(
PVPConstants.PRINCIPAL_NAME_NAME,
- PVPConstants.GIVEN_NAME_NAME,
- PVPConstants.BIRTHDATE_NAME);
+ PVPConstants.GIVEN_NAME_NAME);
public AssertionAttributeExtractor(StatusResponseType samlResponse) throws AssertionAttributeExtractorExeption {
@@ -119,16 +118,21 @@ public class AssertionAttributeExtractor {
//first check if a bPK or an encrypted bPK is available
if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) ||
- (attributs.containsKey(PVPConstants.BPK_NAME) && attributs.containsKey(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))) {
+ (attributs.containsKey(PVPConstants.BPK_NAME))) {
boolean flag = true;
for (String attr : attributeNameList) {
- if (!attributs.containsKey(attr))
+ if (!attributs.containsKey(attr)) {
flag = false;
+ Logger.debug("Assertion contains no Attribute " + attr);
+
+ }
+
}
return flag;
- }
+ }
+ Logger.debug("Assertion contains no bPK or encryptedbPK.");
return false;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 4ba93f8fe..257f9dac4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -25,14 +25,20 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
import java.util.ArrayList;
import java.util.List;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.Validator;
+
import org.joda.time.DateTime;
import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.common.xml.SAMLSchemaBuilder;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusResponseType;
+import org.opensaml.saml2.core.validator.AuthnRequestSchemaValidator;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
@@ -51,11 +57,14 @@ import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;
+import org.w3c.dom.Element;
+import org.xml.sax.SAXException;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
@@ -81,9 +90,15 @@ public class SAMLVerificationEngine {
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
try {
profileValidator.validate(samlObj.getSignature());
+ performSchemaValidation(samlObj.getDOM());
+
} catch (ValidationException e) {
- // Indicates signature did not conform to SAML Signature profile
- e.printStackTrace();
+ Logger.warn("Signature is not conform to SAML signature profile", e);
+ throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
+
+ } catch (SchemaValidationException e) {
+ throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()});
+
}
CriteriaSet criteriaSet = new CriteriaSet();
@@ -103,12 +118,17 @@ public class SAMLVerificationEngine {
public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
-
try {
- profileValidator.validate(samlObj.getSignature());
+ profileValidator.validate(samlObj.getSignature());
+ performSchemaValidation(samlObj.getDOM());
+
} catch (ValidationException e) {
- // Indicates signature did not conform to SAML Signature profile
- e.printStackTrace();
+ Logger.warn("Signature is not conform to SAML signature profile", e);
+ throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
+
+ } catch (SchemaValidationException e) {
+ throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()});
+
}
CriteriaSet criteriaSet = new CriteriaSet();
@@ -173,16 +193,27 @@ public class SAMLVerificationEngine {
List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
- Conditions conditions = saml2assertion.getConditions();
- DateTime notbefore = conditions.getNotBefore();
+ try {
+ performSchemaValidation(saml2assertion.getDOM());
+
+ Conditions conditions = saml2assertion.getConditions();
+ DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
DateTime notafter = conditions.getNotOnOrAfter();
if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
- Logger.warn("PVP2 Assertion is out of Date");
+ Logger.warn("PVP2 Assertion is out of Date. "
+ + "{ Current : " + new DateTime()
+ + " NotBefore: " + notbefore
+ + " NotAfter : " + notafter
+ + " }");;
- } else {
- validatedassertions.add(saml2assertion);
+ } else {
+ validatedassertions.add(saml2assertion);
+
+ }
+
+ } catch (SchemaValidationException e) {
- }
+ }
}
if (validatedassertions.isEmpty()) {
@@ -213,4 +244,35 @@ public class SAMLVerificationEngine {
throw new AssertionValidationExeption("pvp.12", null, e);
}
}
+
+ private static void performSchemaValidation(Element source) throws SchemaValidationException {
+
+ String err = null;
+ try {
+ Schema test = SAMLSchemaBuilder.getSAML11Schema();
+ Validator val = test.newValidator();
+ val.validate(new DOMSource(source));
+ Logger.debug("Schema validation check done OK");
+ return;
+
+ } catch (SAXException e) {
+ err = e.getMessage();
+ if (Logger.isDebugEnabled() || Logger.isTraceEnabled())
+ Logger.warn("Schema validation FAILED with exception:", e);
+ else
+ Logger.warn("Schema validation FAILED with message: "+ e.getMessage());
+
+ } catch (Exception e) {
+ err = e.getMessage();
+ if (Logger.isDebugEnabled() || Logger.isTraceEnabled())
+ Logger.warn("Schema validation FAILED with exception:", e);
+ else
+ Logger.warn("Schema validation FAILED with message: "+ e.getMessage());
+
+ }
+
+ throw new SchemaValidationException("pvp2.22", new Object[]{err});
+
+ }
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java
index 3d608fd6d..4d9b97a52 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java
@@ -26,7 +26,6 @@ import org.opensaml.saml2.metadata.provider.FilterException;
import org.opensaml.saml2.metadata.provider.MetadataFilter;
import org.opensaml.xml.XMLObject;
-import at.gv.egovernment.moa.id.commons.db.dao.config.InterfederationIDPType;
import at.gv.egovernment.moa.id.commons.validation.ValidationHelper;
import at.gv.egovernment.moa.logging.Logger;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
new file mode 100644
index 000000000..382adb108
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
@@ -0,0 +1,110 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
+
+import java.io.IOException;
+
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.xml.XMLObject;
+
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.Validator;
+
+import org.opensaml.common.xml.SAMLSchemaBuilder;
+
+import org.xml.sax.SAXException;
+
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SchemaValidationFilter implements MetadataFilter {
+
+ private boolean isActive = true;
+
+ public SchemaValidationFilter() {
+ try {
+ isActive = AuthConfigurationProvider.getInstance().isPVPSchemaValidationActive();
+
+ } catch (ConfigurationException e) {
+ e.printStackTrace();
+ }
+ }
+
+ /**
+ *
+ */
+ public SchemaValidationFilter(boolean useSchemaValidation) {
+ this.isActive = useSchemaValidation;
+ }
+
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject)
+ */
+ @Override
+ public void doFilter(XMLObject arg0) throws FilterException {
+
+ String errString = null;
+
+ if (isActive) {
+ try {
+ Schema test = SAMLSchemaBuilder.getSAML11Schema();
+ Validator val = test.newValidator();
+ DOMSource source = new DOMSource(arg0.getDOM());
+ val.validate(source);
+ Logger.info("Metadata Schema validation check done OK");
+ return;
+
+ } catch (SAXException e) {
+ if (Logger.isDebugEnabled() || Logger.isTraceEnabled())
+ Logger.warn("Metadata Schema validation FAILED with exception:", e);
+ else
+ Logger.warn("Metadata Schema validation FAILED with message: "+ e.getMessage());
+
+ errString = e.getMessage();
+
+ } catch (Exception e) {
+ if (Logger.isDebugEnabled() || Logger.isTraceEnabled())
+ Logger.warn("Metadata Schema validation FAILED with exception:", e);
+ else
+ Logger.warn("Metadata Schema validation FAILED with message: "+ e.getMessage());
+
+ errString = e.getMessage();
+
+ }
+
+ throw new FilterException("Metadata Schema validation FAILED with message: "+ errString);
+
+ } else
+ Logger.info("Metadata Schema validation check is DEACTIVATED!");
+
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
index 67f780b3a..4cdd1db01 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
@@ -83,7 +83,7 @@ public class GetArtifactAction implements IAction {
String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet";
url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8"));
if (!oaParam.getBusinessService())
- url = addURLParameter(url, PARAM_TARGET, URLEncoder.encode(oaParam.getTarget(), "UTF-8"));
+ url = addURLParameter(url, PARAM_TARGET, URLEncoder.encode(req.getTarget(), "UTF-8"));
url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8"));
url = httpResp.encodeRedirectURL(url);
@@ -95,7 +95,7 @@ public class GetArtifactAction implements IAction {
String redirectURL = oaURL;
if (!oaParam.getBusinessService()) {
redirectURL = addURLParameter(redirectURL, PARAM_TARGET,
- URLEncoder.encode(oaParam.getTarget(), "UTF-8"));
+ URLEncoder.encode(req.getTarget(), "UTF-8"));
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index 65e520cc3..c8a480cac 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -64,6 +64,7 @@ import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.StringUtils;
import at.gv.util.xsd.persondata.IdentificationType;
import at.gv.util.xsd.persondata.IdentificationType.Value;
@@ -222,8 +223,14 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
Value value = new Value();
id.setValue(value );
- id.setType(Constants.URN_PREFIX_BASEID);
- value.setValue("");
+ id.setType(authData.getIdentificationType());
+ //add baseID if it is requested and available
+ if ( MiscUtil.isNotEmpty(authData.getIdentificationValue()) &&
+ saml1parameter.isProvideIdentityLink() )
+ value.setValue(authData.getIdentificationValue());
+ else
+ value.setValue("");
+
familyName.setValue(authData.getFamilyName());
familyName.setPrimary("undefined");
name.getGivenName().add(authData.getGivenName());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
index 8f7f17e2e..9934c339d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
@@ -132,7 +132,7 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants {
if (!ParamValidatorUtils.isValidOA(oaURL))
throw new WrongParametersException("StartAuthentication", PARAM_OA,
"auth.12");
-
+
config.setOAURL(oaURL);
Logger.info("Dispatch SAML1 Request: OAURL=" + oaURL);
@@ -156,8 +156,13 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants {
new Object[] { null });
}
- config.setSourceID(sourceID);
- config.setTarget(oaParam.getTarget());
+ config.setSourceID(sourceID);
+ if (MiscUtil.isNotEmpty(target))
+ config.setTarget(target);
+
+ else
+ config.setTarget(oaParam.getTarget());
+
return config;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java
index e3b9992aa..1e6cf6910 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java
@@ -45,7 +45,7 @@ import at.gv.egovernment.moa.id.storage.AssertionStorage;
import at.gv.egovernment.moa.logging.Logger;
import eu.stork.peps.auth.commons.*;
import eu.stork.peps.auth.engine.STORKSAMLEngine;
-import eu.stork.peps.complex.attributes.AttributeStatusType;
+import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.AttributeStatusType;
import eu.stork.peps.exceptions.STORKSAMLEngineException;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
@@ -121,7 +121,7 @@ public class AttributeCollector implements IAction {
if (authnResponse.getPersonalAttributeList().size() > 0) {
Logger.info("Response from external attribute provider contains " + authnResponse.getPersonalAttributeList().size() + " attributes.");
- addOrUpdateAll(container.getResponse().getPersonalAttributeList(), authnResponse.getPersonalAttributeList());
+ container.getResponse().setPersonalAttributeList(addOrUpdateAll(container.getResponse().getPersonalAttributeList(), authnResponse.getPersonalAttributeList()));
}
}
@@ -157,7 +157,7 @@ public class AttributeCollector implements IAction {
// - insert the embedded attribute(s) into the container
if (null != newAttributes)
- addOrUpdateAll(container.getResponse().getPersonalAttributeList(), newAttributes);
+ container.getResponse().setPersonalAttributeList(addOrUpdateAll(container.getResponse().getPersonalAttributeList(), newAttributes));
// see if we need some more attributes
SLOInformationImpl sloInfo = (SLOInformationImpl) processRequest(container, httpReq, httpResp, authData, oaParam);
@@ -203,7 +203,8 @@ public class AttributeCollector implements IAction {
IPersonalAttributeList aquiredAttributes = new PersonalAttributeList();
currentAttribute.setStatus(AttributeStatusType.NOT_AVAILABLE.value());
aquiredAttributes.add((PersonalAttribute) currentAttribute.clone());
- addOrUpdateAll(container.getResponse().getPersonalAttributeList(), aquiredAttributes);
+ container.getResponse().setPersonalAttributeList(
+ addOrUpdateAll(container.getResponse().getPersonalAttributeList(), aquiredAttributes));
// - check if we can find a suitable AttributeProvider Plugin
Iterator<AttributeProvider> attibuteProvidersInterator = AttributeProviderFactory.getConfiguredPlugins(oaParam.getStorkAPs());
@@ -247,7 +248,7 @@ public class AttributeCollector implements IAction {
Logger.error("We have no suitable plugin for obtaining the attribute '" + currentAttribute.getName() + "'");
} else
// else, update any existing attributes
- addOrUpdateAll(container.getResponse().getPersonalAttributeList(), aquiredAttributes);
+ container.getResponse().setPersonalAttributeList(addOrUpdateAll(container.getResponse().getPersonalAttributeList(), aquiredAttributes));
}
Logger.info("collecting attributes done");
@@ -296,15 +297,21 @@ public class AttributeCollector implements IAction {
*
* @param target the target
* @param source the source
+ * @return
* @throws MOAIDException
*/
- private void addOrUpdateAll(IPersonalAttributeList target, IPersonalAttributeList source) throws MOAIDException {
+ private PersonalAttributeList addOrUpdateAll(IPersonalAttributeList target, IPersonalAttributeList source) throws MOAIDException {
+
+ PersonalAttributeList updatedList = new PersonalAttributeList();
+ for (PersonalAttribute el : target)
+ updatedList.add(el);
+
Logger.debug("Updating " + source.size() + " attributes...");
for (PersonalAttribute current : source) {
Logger.debug("treating " + current.getName());
// check if we need to update the current pa
- if (target.containsKey(current.getName())) {
+ if (updatedList.containsKey(current.getName())) {
PersonalAttribute existing = target.get(current.getName());
if(!(existing.isEmptyValue() && existing.isEmptyComplexValue()))
if(!(existing.getValue().equals(current.getValue()) || existing.getComplexValue().equals(current.getComplexValue()))) {
@@ -312,14 +319,16 @@ public class AttributeCollector implements IAction {
throw new MOAIDException("stork.16", new Object[] {existing.getName()});
}
- target.get(current.getName()).setStatus(current.getStatus());
- target.get(current.getName()).setValue(current.getValue());
- target.get(current.getName()).setComplexValue(current.getComplexValue());
+ updatedList.get(current.getName()).setStatus(current.getStatus());
+ updatedList.get(current.getName()).setValue(current.getValue());
+ updatedList.get(current.getName()).setComplexValue(current.getComplexValue());
} else
- target.add(current);
+ updatedList.add(current);
- Logger.debug("...successfully treated " + current.getName());
+ Logger.debug("...successfully treated " + current.getName());
}
+
+ return updatedList;
}
/* (non-Javadoc)
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java
index de7d5d6dd..2c5728798 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java
@@ -41,7 +41,7 @@ import eu.stork.peps.auth.commons.PEPSUtil;
import eu.stork.peps.auth.commons.PersonalAttribute;
import eu.stork.peps.auth.commons.STORKAuthnResponse;
import eu.stork.peps.auth.engine.STORKSAMLEngine;
-import eu.stork.peps.complex.attributes.AttributeStatusType;
+import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.AttributeStatusType;
import eu.stork.peps.exceptions.STORKSAMLEngineException;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/CorporateBodyMandateContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/CorporateBodyMandateContainer.java
index 3e16db7d2..acbf1678a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/CorporateBodyMandateContainer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/CorporateBodyMandateContainer.java
@@ -90,6 +90,7 @@ public class CorporateBodyMandateContainer extends MandateContainer {
}
public void setCorpMandatorIdentificationValue(String corpMandatorIdentificationValue) {
+ Logger.debug("Setting corpMandatorIdentificationValue to AT/" + corpMandatorIdentificationValue);
this.corpMandatorIdentificationValue = "AT/" + corpMandatorIdentificationValue;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java
index 993514ec7..3ab4ec4a1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java
@@ -31,8 +31,7 @@ import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import eu.stork.peps.auth.commons.PersonalAttribute;
import eu.stork.peps.auth.commons.PersonalAttributeList;
-import eu.stork.peps.auth.commons.STORKStatusCode;
-
+import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.AttributeStatusType;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.text.DateFormat;
@@ -59,19 +58,23 @@ public class MOAAttributeProvider {
static {
Map<String, String> tempSimpleMap = new HashMap<String, String>();
tempSimpleMap.put("givenName", "getGivenName");
- tempSimpleMap.put("surname", "getFamilyName");
+ tempSimpleMap.put("surname", "getFamilyName");
+ tempSimpleMap.put("MSOrganization", "getPvpAttribute_OU");
storkAttributeSimpleMapping = Collections.unmodifiableMap(tempSimpleMap);
+
Map<String, String> tempFunctionMap = new HashMap<String, String>();
tempFunctionMap.put("eIdentifier", "geteIdentifier");
tempFunctionMap.put("ECApplicationRole","getECApplicationRole");
tempFunctionMap.put("dateOfBirth", "getFormatedDateOfBirth");
+ tempFunctionMap.put("MSOrganization", "getMSOrganization");
storkAttributeFunctionMapping = Collections.unmodifiableMap(tempFunctionMap);
+
}
public MOAAttributeProvider(IAuthData authData, MOASTORKRequest moastorkRequest) {
this.authData = authData;
this.moastorkRequest = moastorkRequest;
- Logger.debug("identity " + authData.getIdentificationType() + " " + authData.getIdentificationValue());
+
}
public void populateAttribute(PersonalAttributeList attributeList, PersonalAttribute requestedAttribute ) {
@@ -129,12 +132,11 @@ public class MOAAttributeProvider {
}
return storkRoles;
}
-
+
private String getFormatedDateOfBirth() {
if (authData.getDateOfBirth() != null) {
DateFormat fmt = new SimpleDateFormat("yyyyMMdd");
return fmt.format(authData.getDateOfBirth());
-
}
else
return null;
@@ -143,14 +145,14 @@ public class MOAAttributeProvider {
private void populateAttributeWithMethod(Method method, Object object, PersonalAttributeList attributeList, String storkAttribute, Boolean isRequired) {
try {
- Object attributeValue = method.invoke(object, new Class[]{});
+ Object attributeValue = method.invoke(object, new Class[]{}); // (Object[])
PersonalAttribute newAttribute = new PersonalAttribute();
newAttribute.setName(storkAttribute);
newAttribute.setIsRequired(isRequired);
if (attributeValue != null) {
- newAttribute.setStatus(STORKStatusCode.STATUS_AVAILABLE.name());
+ newAttribute.setStatus(AttributeStatusType.AVAILABLE.value());
Logger.info("Got attribute value: " + attributeValue);
if (attributeValue instanceof String)
@@ -163,7 +165,7 @@ public class MOAAttributeProvider {
} else {
Logger.info("Attribute " + storkAttribute + " is not available.");
- newAttribute.setStatus(STORKStatusCode.STATUS_NOT_AVAILABLE.name());
+ newAttribute.setStatus(AttributeStatusType.NOT_AVAILABLE.value());
}
@@ -175,7 +177,7 @@ public class MOAAttributeProvider {
} else {
Logger.info("Attribute " + storkAttribute + " is not available.");
- newAttribute.setStatus(STORKStatusCode.STATUS_NOT_AVAILABLE.name());
+ newAttribute.setStatus(AttributeStatusType.NOT_AVAILABLE.value());
}
} catch (InvocationTargetException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java
index e6c58b503..9207cc2dc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java
@@ -54,6 +54,8 @@ public abstract class MandateContainer {
public MandateContainer(String mandate) throws XPathExpressionException, MOAIDException {
+ Logger.debug("Received mandate content for processing: " + mandate);
+
xPath = XPathFactory.newInstance().newXPath();
HashMap<String, String> prefMap = new HashMap<String, String>() {{
put(S2Constants.MANDATE_PREFIX, S2Constants.MANDATE_NS);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java
index baa91a854..ed8480ccb 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java
@@ -33,13 +33,16 @@ import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
import eu.stork.peps.auth.commons.IPersonalAttributeList;
import eu.stork.peps.auth.commons.PersonalAttribute;
import eu.stork.peps.auth.commons.PersonalAttributeList;
import eu.stork.peps.auth.commons.STORKAttrQueryResponse;
-import eu.stork.peps.complex.attributes.*;
+import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.*;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.codec.binary.StringUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -65,12 +68,21 @@ public class MandateRetrievalRequest implements IAction {
private IAuthData authData;
private MOASTORKRequest moaStorkRequest;
private IdentityLink representingIdentityLink;
+ private Integer QAALevel;
+ private byte[] originalContent;
public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException {
Logger.debug("Entering AttributeRequest for MandateProvider");
httpResp.reset();
this.representingIdentityLink = authData.getIdentityLink();
+ this.QAALevel = translateQAALevel(authData.getQAALevel());
+ // preparing original content and removing sensitive data from it
+ this.originalContent = authData.getMISMandate().getMandate(); // TODO ERROR
+ //Logger.debug("Original content " + StringUtils.newStringUtf8(authData.getMISMandate().getMandate()));
+ String originalMandate = StringUtils.newStringUtf8(authData.getMISMandate().getMandate()).replaceAll("<pd:Value>.*?==</pd:Value><pd:Type>urn:publicid:gv.at:baseid</pd:Type>","<pd:Value></pd:Value><pd:Type></pd:Type>");;
+ Logger.debug("Removing personal identification value and type from original mandate ");
+ originalContent = StringUtils.getBytesUtf8(originalMandate);
OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(req.getOAURL());
if (oaParam == null)
@@ -206,6 +218,18 @@ public class MandateRetrievalRequest implements IAction {
return null;
}
+ private Integer translateQAALevel(String qaaLevel) throws MOAIDException {
+ if (qaaLevel.equals(PVPConstants.STORK_QAA_1_1))
+ return 1;
+ if (qaaLevel.equals(PVPConstants.STORK_QAA_1_2))
+ return 2;
+ if (qaaLevel.equals(PVPConstants.STORK_QAA_1_3))
+ return 3;
+ if (qaaLevel.equals(PVPConstants.STORK_QAA_1_4))
+ return 4;
+ Logger.error("Wrong QAA Number format");
+ throw new MOAIDException("stork.16", new Object[]{});
+ }
private String geteLPIdentifier(MandateContainer mandateContainer, PersonalAttribute currentAttribute) throws MOAIDException {
RepresentationPersonType represented = getRepresented(mandateContainer, currentAttribute);
@@ -213,7 +237,7 @@ public class MandateRetrievalRequest implements IAction {
return represented.getELPIdentifier();
} else if (currentAttribute.isRequired()) {
Logger.error("Cannot provide eLPIdentifier for natural person.");
- throw new MOAIDException("stork.19", new Object[]{currentAttribute.getName()});
+ throw new MOAIDException("stork.19", new Object[]{currentAttribute.getName()}); // TODO
}
return "";
}
@@ -249,14 +273,35 @@ public class MandateRetrievalRequest implements IAction {
private String mapPowersType(MandateContainer mandateContainer) {
+ // using if for java 6 compatibility if necessary
if (mandateContainer.getAnnotation().equals("ELGABilateral")) {
return "6"; // Health Powers
} else if (mandateContainer.getAnnotation().equals("ERsB")) {
return "0"; // General Powers
} else if (mandateContainer.getAnnotation().equals("GeneralvollmachtBilateral")) {
return "0"; // General Powers
+ } else if (mandateContainer.getAnnotation().equals("ERsBMitPostvollmacht")) {
+ return "0"; // General Powers
+ } else if (mandateContainer.getAnnotation().equals("ZVR")) {
+ return "0"; // General Powers
+ } else if (mandateContainer.getAnnotation().equals("ZVRMitPostvollmacht")) {
+ return "0"; // General Powers
+ } else if (mandateContainer.getAnnotation().equals("EVB")) {
+ return "0"; // General Powers
+ } else if (mandateContainer.getAnnotation().equals("Einzelvertretungsbefugnis")) {
+ return "0"; // General Powers
+ } else if (mandateContainer.getAnnotation().equals("Prokura")) {
+ return "0"; // General Powers
+ } else if (mandateContainer.getAnnotation().equals("Notar")) {
+ return "0"; // General Powers
+ } else if (mandateContainer.getAnnotation().equals("Organwalter")) {
+ return "0"; // General Powers
+ } else if (mandateContainer.getAnnotation().equals("Rechtsanwalt")) {
+ return "0"; // General Powers
+ } else if (mandateContainer.getAnnotation().equals("Ziviltechniker")) {
+ return "0"; // General Powers
}
- return "";
+ return "9";
}
private MandateType getMandateType(MandateContainer mandateContainer, PersonalAttribute sourceAttribute) throws MOAIDException {
@@ -264,10 +309,9 @@ public class MandateRetrievalRequest implements IAction {
RepresentationPersonType representative = getRepresentative(mandateContainer, sourceAttribute);
RepresentationPersonType represented = getRepresented(mandateContainer, sourceAttribute);
MandateContentType mandateContent = getMandateContent(mandateContainer, sourceAttribute);
-
- mandateType.setRepresenting(representative);
+ mandateType.setRepresentative(representative);
mandateType.setRepresented(represented);
- mandateType.setMandateContent(mandateContent);
+ mandateType.getMandateContent().add(mandateContent);
Logger.debug("Complex attribute extracted: " + sourceAttribute.getName());
return mandateType;
}
@@ -275,7 +319,8 @@ public class MandateRetrievalRequest implements IAction {
private String getLegalName(MandateContainer mandateContainer, PersonalAttribute sourceAttribute) throws MOAIDException {
RepresentationPersonType represented = getRepresented(mandateContainer, sourceAttribute);
if (mandateContainer instanceof CorporateBodyMandateContainer) {
- return represented.getName();
+ represented.getLegalName();
+ //return represented.getName();
} else if (sourceAttribute.isRequired()) {
Logger.error("Cannot provide legalName for natural person.");
throw new MOAIDException("stork.19", new Object[]{sourceAttribute.getName()});
@@ -487,10 +532,10 @@ public class MandateRetrievalRequest implements IAction {
if (mandateContainer instanceof CorporateBodyMandateContainer) {
CorporateBodyMandateContainer corporateBodyMandateContainer = (CorporateBodyMandateContainer) mandateContainer;
represented.setELPIdentifier(corporateBodyMandateContainer.getCorpMandatorIdentificationValue());
- represented.setName(corporateBodyMandateContainer.getCorpMandatorFullName());
- represented.setAddress("");
- represented.setCanonicalAddress(new CanonicalAddressType());
- represented.setType(getCompanyType(corporateBodyMandateContainer.corpMandatorFullName, corporateBodyMandateContainer.corpMandatorIdentificationType, sourceAttribute));
+ represented.setLegalName(corporateBodyMandateContainer.getCorpMandatorFullName());
+ represented.setTextRegisteredAddress(null);
+ represented.setCanonicalRegisteredAddress(new CanonicalAddressType());
+ represented.setLegalForm(getCompanyType(corporateBodyMandateContainer.corpMandatorFullName, corporateBodyMandateContainer.corpMandatorIdentificationType, sourceAttribute));
} else if (mandateContainer instanceof PhyPersonMandateContainer) {
PhyPersonMandateContainer phyPersonMandateContainer = (PhyPersonMandateContainer) mandateContainer;
represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer));
@@ -510,18 +555,22 @@ public class MandateRetrievalRequest implements IAction {
try {
XMLGregorianCalendar validFrom = DatatypeFactory.newInstance().newXMLGregorianCalendar(mandateContainer.getMandateValidFrom());
XMLGregorianCalendar validTo = DatatypeFactory.newInstance().newXMLGregorianCalendar(mandateContainer.getMandateValidTo());
- mandateContent.setValidFrom(validFrom);
- mandateContent.setValidTo(validTo);
+ TimeRestrictionType timeRestriction = new TimeRestrictionType();
+ timeRestriction.setValidFrom(validFrom);
+ timeRestriction.setValidTo(validTo);
+ mandateContent.setTimeRestriction(timeRestriction);
} catch (DatatypeConfigurationException dte) {
Logger.error("Error converting date from mandate: " + mandateContainer.getMandateValidFrom() + ", " + mandateContainer.getMandateValidTo());
throw new MOAIDException("stork.20", new Object[]{});
}
-
- mandateContent.setTransactionLimit(BigInteger.valueOf(0)); // TODO
- mandateContent.setTransactionLimitCurrency("");// TODO
- mandateContent.setIsJoint("0");
- mandateContent.setIschained(false);
- mandateContent.setTypePower(mapPowersType(mandateContainer));
+ mandateContent.setAQAA(this.QAALevel);
+ mandateContent.setOriginalMandate(originalContent);
+ mandateContent.setOriginalMandateType("application/xml");
+ TransactionLimitRestrictionType transactionLimit = new TransactionLimitRestrictionType();
+ mandateContent.setTransactionLimit(transactionLimit);
+ mandateContent.setIsJoint("");
+ mandateContent.setIsChained(false);
+ mandateContent.setTypeOfPower(mapPowersType(mandateContainer)); // TODO check
Logger.debug("Complex attribute extracted: " + sourceAttribute.getName());
return mandateContent;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java
index d923eccde..123d32af4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java
@@ -32,7 +32,7 @@ import java.util.List;
public class STORKPVPUtilits {
public static final List<String> attributesRequirePVPAuthentication =
- Arrays.asList("ECApplicationRole");
+ Arrays.asList("ECApplicationRole", "MSOrganization");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttributeProviderPlugin.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttributeProviderPlugin.java
index 761460971..bd1576020 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttributeProviderPlugin.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttributeProviderPlugin.java
@@ -52,8 +52,9 @@ import at.gv.egovernment.moa.logging.Logger;
import eu.stork.peps.auth.commons.IPersonalAttributeList;
import eu.stork.peps.auth.commons.PersonalAttribute;
import eu.stork.peps.auth.commons.PersonalAttributeList;
-import eu.stork.peps.complex.attributes.IsHealthCareProfessionalType;
-import eu.stork.peps.complex.attributes.ObjectFactory;
+import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.AttributeStatusType;
+import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.IsHealthCareProfessionalType;
+import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.ObjectFactory;
/**
* Fetches the attribute IsHealthcareProfessional from the BAGDAD SOAP service
@@ -67,7 +68,7 @@ public class EHvdAttributeProviderPlugin extends AttributeProvider {
* Instantiates a new e hvd attribute provider plugin.
*
* @param url the service url
- * @param attributes
+ * @param supportedAttributes
*/
public EHvdAttributeProviderPlugin(String url, String supportedAttributes) {
super(supportedAttributes);
@@ -183,7 +184,7 @@ public class EHvdAttributeProviderPlugin extends AttributeProvider {
if (collection.get("IsHealthcareProfessional").equals("false") || !collection.get("Type").equals("Medical doctor")) {
// the citizen is no HCP
- acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, new ArrayList<String>(), "NotAvailable");
+ acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, new ArrayList<String>(), AttributeStatusType.NOT_AVAILABLE.value());
} else {
// go on and parse the data
IsHealthCareProfessionalType result = new IsHealthCareProfessionalType();
@@ -193,7 +194,7 @@ public class EHvdAttributeProviderPlugin extends AttributeProvider {
result.setTypeOfHCP("physician");
result.setNameOfOrganisation(collection.get("NameOfOrganisation"));
- result.setTypeOfOrganisation("Unknown");
+ //result.setTypeOfOrganisation("Unknown"); // TODO used in previous version, check what to do with this
result.setAQAA(4);
@@ -206,7 +207,7 @@ public class EHvdAttributeProviderPlugin extends AttributeProvider {
ArrayList<String> value = new ArrayList<String>();
value.add(stringWriter.toString());
- acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, value, "Available");
+ acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, value, AttributeStatusType.AVAILABLE.value());
}
// pack and return the result
@@ -216,7 +217,7 @@ public class EHvdAttributeProviderPlugin extends AttributeProvider {
// add stork id for verification
ArrayList<String> value = new ArrayList<String>();
value.add(new BPKBuilder().buildStorkeIdentifier(authData.getIdentityLink(), moastorkRequest.getSpCountry()));
- result.add(new PersonalAttribute("eIdentifier", false, value, "Available"));
+ result.add(new PersonalAttribute("eIdentifier", false, value, AttributeStatusType.AVAILABLE.value()));
return result;
} catch (Exception e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttribute_deprecatedProviderPlugin.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttribute_deprecatedProviderPlugin.java
index 2000ef928..a16603beb 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttribute_deprecatedProviderPlugin.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttribute_deprecatedProviderPlugin.java
@@ -52,9 +52,11 @@ import at.gv.egovernment.moa.logging.Logger;
import eu.stork.peps.auth.commons.IPersonalAttributeList;
import eu.stork.peps.auth.commons.PersonalAttribute;
import eu.stork.peps.auth.commons.PersonalAttributeList;
-import eu.stork.peps.complex.attributes.IsHealthCareProfessionalDeprecatedType;
-import eu.stork.peps.complex.attributes.IsHealthCareProfessionalType;
-import eu.stork.peps.complex.attributes.ObjectFactory;
+import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.AttributeStatusType;
+import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.IsHealthCareProfessionalDeprecatedType;
+import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.IsHealthCareProfessionalType; // IsHealthCareProfessionalDeprecatedType;
+//import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion. _1_0.assertion.IsHealthCareProfessionalType;
+import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.ObjectFactory;
/**
* Fetches the attribute IsHealthcareProfessional from the BAGDAD SOAP service
@@ -68,7 +70,7 @@ public class EHvdAttribute_deprecatedProviderPlugin extends AttributeProvider {
* Instantiates a new e hvd attribute provider plugin.
*
* @param url the service url
- * @param attributes
+ * @param supportedAttributes
*/
public EHvdAttribute_deprecatedProviderPlugin(String url, String supportedAttributes) {
super(supportedAttributes);
@@ -184,7 +186,7 @@ public class EHvdAttribute_deprecatedProviderPlugin extends AttributeProvider {
if (collection.get("IsHealthcareProfessional").equals("false")) {
// the citizen is no HCP
- acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, new ArrayList<String>(), "NotAvailable");
+ acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, new ArrayList<String>(), AttributeStatusType.NOT_AVAILABLE.value());
} else {
// go on and parse the data
IsHealthCareProfessionalDeprecatedType result = new IsHealthCareProfessionalDeprecatedType();
@@ -202,16 +204,16 @@ public class EHvdAttribute_deprecatedProviderPlugin extends AttributeProvider {
result.setAQAA(4);
- final Marshaller m = JAXBContext.newInstance(IsHealthCareProfessionalType.class).createMarshaller();
+ final Marshaller m = JAXBContext.newInstance(IsHealthCareProfessionalDeprecatedType.class).createMarshaller();
m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
StringWriter stringWriter = new StringWriter();
- m.marshal(new ObjectFactory().createIsHealthCareProfessional(result), stringWriter);
+ m.marshal(new ObjectFactory().createIsHealthCareProfessionalDeprecated(result), stringWriter);
ArrayList<String> value = new ArrayList<String>();
value.add(stringWriter.toString());
- acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, value, "Available");
+ acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, value, AttributeStatusType.AVAILABLE.value());
}
// pack and return the result
@@ -221,7 +223,7 @@ public class EHvdAttribute_deprecatedProviderPlugin extends AttributeProvider {
// add stork id for verification
ArrayList<String> value = new ArrayList<String>();
value.add(new BPKBuilder().buildStorkeIdentifier(authData.getIdentityLink(), moastorkRequest.getSpCountry()));
- result.add(new PersonalAttribute("eIdentifier", false, value, "Available"));
+ result.add(new PersonalAttribute("eIdentifier", false, value, AttributeStatusType.AVAILABLE.value()));
return result;
} catch (Exception e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
index 96aa55bcf..7f06c604b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
@@ -80,7 +80,7 @@ public class PVPAuthenticationProvider extends AttributeProvider {
this.moastorkRequest = moastorkRequest;
// break if we cannot handle the requested attribute
- if (!attributes.contains(attribute.getName())) {
+ if (!getSupportedAttributeNames().contains(attribute.getName())) {
Logger.info("Attribute " + attribute.getName() + " not supported by the provider: " + getAttrProviderName());
throw new UnsupportedAttributeException();
@@ -193,33 +193,34 @@ public class PVPAuthenticationProvider extends AttributeProvider {
public IPersonalAttributeList parse(HttpServletRequest httpReq)
throws UnsupportedAttributeException, MOAIDException {
- Logger.info(this.getClass().getSimpleName() + " tries to extract SAMLResponse out of HTTP Request");
+ throw new UnsupportedAttributeException();
- //extract STORK Response from HTTP Request
- //Decodes SAML Response
- byte[] decSamlToken;
- try {
- decSamlToken = PEPSUtil.decodeSAMLToken(httpReq.getParameter("SAMLResponse"));
- } catch(NullPointerException e) {
- throw new UnsupportedAttributeException();
- }
-
- //Get SAMLEngine instance
- STORKSAMLEngine engine = STORKSAMLEngine.getInstance("VIDP");
-
- STORKAuthnResponse authnResponse = null;
- try {
- //validate SAML Token
- Logger.debug("Starting validation of SAML response");
- authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) httpReq.getRemoteHost());
- Logger.info("SAML response successfully verified!");
-
- }catch(STORKSAMLEngineException e){
- Logger.error("Failed to verify STORK SAML Response", e);
- throw new MOAIDException("stork.05", null);
- }
-
- return authnResponse.getPersonalAttributeList();
+// Logger.info(this.getClass().getSimpleName() + " tries to extract SAMLResponse out of HTTP Request");
+// //extract STORK Response from HTTP Request
+// //Decodes SAML Response
+// byte[] decSamlToken;
+// try {
+// decSamlToken = PEPSUtil.decodeSAMLToken(httpReq.getParameter("SAMLResponse"));
+// } catch(NullPointerException e) {
+// throw new UnsupportedAttributeException();
+// }
+//
+// //Get SAMLEngine instance
+// STORKSAMLEngine engine = STORKSAMLEngine.getInstance("VIDP");
+//
+// STORKAuthnResponse authnResponse = null;
+// try {
+// //validate SAML Token
+// Logger.debug("Starting validation of SAML response");
+// authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) httpReq.getRemoteHost());
+// Logger.info("SAML response successfully verified!");
+//
+// }catch(STORKSAMLEngineException e){
+// Logger.error("Failed to verify STORK SAML Response", e);
+// throw new MOAIDException("stork.05", null);
+// }
+//
+// return authnResponse.getPersonalAttributeList();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java
index 124b91e8b..bb3d8b1fd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java
@@ -46,6 +46,7 @@ import javax.xml.ws.Service;
import javax.xml.ws.soap.SOAPBinding;
import javax.xml.ws.BindingProvider;
+import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.AttributeStatusType;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.NotImplementedException;
@@ -55,6 +56,7 @@ import org.apache.velocity.app.VelocityEngine;
import org.bouncycastle.util.encoders.UrlBase64;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.stork2.ExternalAttributeRequestRequiredException;
@@ -107,15 +109,25 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider {
super(attributes);
this.oasisDssWebFormURL = oasisDssWebFormURL;
- Properties props = new Properties();
try {
- props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties"));
- dtlUrl = props.getProperty("docservice.url");
- } catch (IOException e) {
+ AuthConfigurationProvider authConfigurationProvider = AuthConfigurationProvider.getInstance();
+ dtlUrl = authConfigurationProvider.getDocumentServiceUrl();
+ Logger.info ("SignedDocAttributeRequestProvider, using dtlUrl:"+dtlUrl);
+ } catch (Exception e) {
dtlUrl = "http://testvidp.buergerkarte.at/DocumentService/DocumentService";
- Logger.error("Loading DTL config failed, using default value:"+dtlUrl);
e.printStackTrace();
- }
+ Logger.error("Loading documentservice url failed, using default value:"+dtlUrl);
+ }
+
+// Properties props = new Properties();
+// try {
+// props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties"));
+// dtlUrl = props.getProperty("docservice.url");
+// } catch (IOException e) {
+// dtlUrl = "http://testvidp.buergerkarte.at/DocumentService/DocumentService";
+// Logger.error("Loading DTL config failed, using default value:"+dtlUrl);
+// e.printStackTrace();
+// }
}
/*
@@ -207,7 +219,16 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider {
// set the url in the SignResponse
DocumentWithSignature documentWithSignature = new DocumentWithSignature();
DocumentType value = new DocumentType();
- value.setDocumentURL(dtlUrl);
+ if(dtlUrl.endsWith("?wsdl"))
+ {
+ String tmp = dtlUrl.replace("?wsdl", "");
+ Logger.debug("DocumentUrl ends with ? wsdl, using "+tmp+" instead.");
+ value.setDocumentURL(tmp);
+ }
+ else
+ {
+ value.setDocumentURL(dtlUrl);
+ }
documentWithSignature.setDocument(value);
if(signResponse.getOptionalOutputs()!=null)
{
@@ -296,7 +317,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider {
Logger.debug("Assembling signedDoc attribute");
PersonalAttribute signedDocAttribute = new PersonalAttribute("signedDoc", false, values,
- "Available");
+ AttributeStatusType.AVAILABLE.value());
// pack and return the result
PersonalAttributeList result = new PersonalAttributeList();
@@ -355,7 +376,13 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider {
byte[] data = getDocumentFromDtl(docRequest, dtlURL);//dtlUrl
//load doc from DTL
- Logger.debug("data:"+data);
+ Logger.debug("data:"+data+" "+data.length);
+ try{
+ Logger.trace("data:"+new String(data,"UTF-8"));
+ }catch(Exception e)
+ {
+ Logger.trace("data: creating String failed:"+e);
+ }
String mime = getDocumentMimeFromDtl(docId, dtlURL);//dtlUrl
Logger.debug("mime:"+mime);
@@ -366,11 +393,28 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider {
IncludeObject.class);
signRequest.getOptionalInputs().getAny().removeAll(includeObjects);
+ String documentId = null;
+ Object objDoc = signRequest.getInputDocuments().getDocumentOrTransformedDataOrDocumentHash().get(0);
+ if (objDoc != null && objDoc instanceof DocumentType)
+ {
+ DocumentType document = (DocumentType)objDoc;
+ documentId = document.getID();
+ }
DocumentType document = new DocumentType();
- Base64Data b64data = new Base64Data();
- b64data.setValue(data);
- b64data.setMimeType(mime);
- document.setBase64Data(b64data);
+ if(documentId != null)
+ document.setID(documentId);
+ if(signRequest.getProfile().toLowerCase().contains("xades"))
+ {
+ document.setBase64XML(data);
+ }
+ else
+ {
+ Base64Data b64data = new Base64Data();
+ b64data.setValue(data);
+ b64data.setMimeType(mime);
+ document.setBase64Data(b64data);
+ }
+
signRequest.setInputDocuments(ApiUtils.createInputDocuments(document));
//override old signRequestString
@@ -379,6 +423,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider {
IOUtils.copy(istr, writer, "UTF-8");
signRequestString = writer.toString();
Logger.info("Signrequest overwritten");
+ Logger.debug("Signrequest overwritten:"+signRequestString);
} catch (Exception e) {
e.printStackTrace();
throw new Exception("Could not marshall sign request", e);
@@ -469,6 +514,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider {
URL url = null;
try
{
+ Logger.debug("getDocumentFromDtl:"+dtlUrl);
url = new URL(dtlUrl);
QName qname = new QName("http://stork.eu",
"DocumentService");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java
index 090bea486..520b81b17 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java
@@ -71,13 +71,9 @@ public class IdentityLinkReSigner {
return instance;
}
- public Element resignIdentityLink(Element idl) throws MOAIDException {
+ public Element resignIdentityLink(Element idl, String keyGroupId) throws MOAIDException {
try {
- AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
-
- if (config.isIdentityLinkResigning()) {
-
if (idl == null) {
Logger.warn("IdentityLink is empty");
return null;
@@ -91,7 +87,6 @@ public class IdentityLinkReSigner {
SPSSFactory spssFac = SPSSFactory.getInstance();
- String keyGroupId = config.getIdentityLinkResigningKey();
if (MiscUtil.isEmpty(keyGroupId)) {
Logger.warn("No IdentityLink reSigning-Key definded");
throw new MOAIDException("config.19", new Object[]{});
@@ -166,9 +161,6 @@ public class IdentityLinkReSigner {
Logger.warn("Allgemeiner Fehler beim Aufruf von MOA-SS: Unbekannter ResponseType von MOA-SS");
throw new MOAIDException("builder.05", new Object[]{});
}
-
- } else
- return idl;
} catch (ConfigurationException e) {
Logger.warn("Configuration can not be loaded", e);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java
index 0ea03e29d..5ef9494f4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java
@@ -36,6 +36,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
public class PVPtoSTORKMapper {
private static final String PVP_SECCLASS_PREFIX = "http://www.ref.gv.at/ns/names/agiz/pvp/";
+ private static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/";
private static final String MAPPING_RESOURCE =
"resources/properties/pvp-stork_mapping.properties";
@@ -67,12 +68,31 @@ public class PVPtoSTORKMapper {
}
+ /**Map a STORK QAA level to PVP SecClass
+ *
+ * @param STORK-QAA level
+ * @return PVP SecClass pvpQAALevel
+ */
+ public String mapToSecClass(String storkQAALevel) {
+ if (mapping != null) {
+ String input = storkQAALevel.substring(STORK_QAA_PREFIX.length());
+ String mappedQAA = mapping.getProperty(input);
+ if (MiscUtil.isNotEmpty(mappedQAA)) {
+ Logger.info("Map STORK-QAA " + storkQAALevel + " to PVP SecClass " + mappedQAA);
+ return mappedQAA;
+
+ }
+ }
+ Logger.warn("No mapping for STORK-QAA " + storkQAALevel +" !");
+ return null;
+ }
+
/**Map a PVP SecClass to STORK QAA level
*
* @param PVP SecClass pvpQAALevel
* @return STORK-QAA level
*/
- public String mapQAALevel(String pvpQAALevel) {
+ public String mapToQAALevel(String pvpQAALevel) {
if (mapping != null) {
String input = pvpQAALevel.substring(PVP_SECCLASS_PREFIX.length());
String mappedQAA = mapping.getProperty(input);
@@ -93,13 +113,16 @@ public class PVPtoSTORKMapper {
*/
public String map(AuthenticationRole el) {
if (mapping != null) {
- String ecRole = mapping.getProperty(el.getRawRoleString());
+ //String ecRole = mapping.getProperty(el.getRawRoleString());
+ String ecRole = mapping.getProperty(el.getRoleName());
if (MiscUtil.isNotEmpty(ecRole)) {
- Logger.info("Map PVPRole " + el.getRawRoleString() + " to ECRole " + ecRole);
+ //Logger.info("Map PVPRole " + el.getRawRoleString() + " to ECRole " + ecRole);
+ Logger.info("Map PVPRole " + el.getRoleName() + " to ECRole " + ecRole);
return ecRole;
}
}
- Logger.warn("NO mapping for PVPRole "+ el.getRawRoleString() + " !");
+ //Logger.warn("NO mapping for PVPRole "+ el.getRawRoleString() + " !");
+ Logger.warn("NO mapping for PVPRole "+ el.getRoleName() + " !");
return null;
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
index 20cabaf4d..1edb8d1f3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
@@ -66,6 +66,9 @@ public class MISMandate implements Serializable{
final static public String OID_ORGANWALTER = "1.2.40.0.10.3.4";
final static private String TEXT_ORGANWALTER = "Organwalter";
+ final static public String OID_ELGA_OMBUTSSTELLE = "1.2.40.0.34.3.1.3";
+ final static public String OID_ELGA_OMBUTSSTELLE_TEST = "1.2.40.0.34.3.1.2.99.9";
+ final static private String TEXT_ELGA_OMBUTSSTELLE = "ELGA-Ombudsstelle";
private String oid = null;
private byte[] mandate = null;
@@ -102,7 +105,10 @@ public class MISMandate implements Serializable{
return TEXT_ZIVILTECHNIKER;
if (this.oid.equalsIgnoreCase(OID_ORGANWALTER))
return TEXT_ORGANWALTER;
-
+ if (this.oid.equalsIgnoreCase(OID_ELGA_OMBUTSSTELLE)
+ || this.oid.equalsIgnoreCase(OID_ELGA_OMBUTSSTELLE_TEST))
+ return TEXT_ELGA_OMBUTSSTELLE;
+
return "Keine textuelle Beschreibung für OID " + oid;
} else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
index 15b2a89b5..24c96a78f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
@@ -56,6 +56,7 @@ import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerException;
import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.commons.httpclient.methods.StringRequestEntity;
@@ -70,6 +71,7 @@ import org.xml.sax.SAXException;
import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWSecureSocketFactory;
+import at.gv.egovernment.moa.id.commons.utils.HttpClientWithProxySupport;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.StringUtils;
@@ -300,7 +302,7 @@ public class MISSimpleClient {
throw new NullPointerException("Argument request must not be null.");
}
try {
- HttpClient httpclient = new HttpClient();
+ HttpClient httpclient = HttpClientWithProxySupport.getHttpClient();
PostMethod post = new PostMethod(webServiceURL);
StringRequestEntity re = new StringRequestEntity(DOMUtils.serializeNode(packIntoSOAP(request)),"text/xml", "UTF-8");
post.setRequestEntity(re);
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties b/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties
index 63745f826..ca12fada4 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties
@@ -1,9 +1,31 @@
##PVP role mapping
viewer=CIRCABC/viewer
CIRCABC-viewer=CIRCABC/viewer
+CIRCABC-DIRECTOR=CIRCABC/DIRECTOR
+CIRCABC-SECRETARY=CIRCABC/SECRETARY
+CIRCABC-MEMBER=CIRCABC/MEMBER
-##PVP SecClass mapping
+ecas-demo-EUROPEAN_COMMISSION=ecas-demo/EUROPEAN_COMMISSION
+ecas-demo-EXTERNAL_INTRAMUROS=ecas-demo/EXTERNAL_INTRAMUROS
+ecas-demo-INTERNET=ecas-demo/INTERNET
+ecas-demo-LIVENEWS=ecas-demo/LIVENEWS
+
+DIGIT-EUROPEAN_COMMISSION=DIGIT/EUROPEAN_COMMISSION
+DIGIT-EXTERNAL_INTRAMUROS=DIGIT/EXTERNAL_INTRAMUROS
+DIGIT-INTERNET=DIGIT/INTERNET
+DIGIT-LIVENEWS=DIGIT/LIVENEWS
+
+
+
+
+##PVP SecClass to STORK-QAA mapping
secclass/0=http://www.stork.gov.eu/1.0/citizenQAALevel/1
secclass/0-1=http://www.stork.gov.eu/1.0/citizenQAALevel/2
-secclass/0-2=http://www.stork.gov.eu/1.0/citizenQAALevel/3
-secclass/0-3=http://www.stork.gov.eu/1.0/citizenQAALevel/4 \ No newline at end of file
+secclass/0-2=http://www.stork.gov.eu/1.0/citizenQAALevel/4
+secclass/0-3=http://www.stork.gov.eu/1.0/citizenQAALevel/4
+
+##STORK-QAA to PVP SecClass mapping
+citizenQAALevel/1=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0
+citizenQAALevel/2=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-1
+citizenQAALevel/3=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-2
+citizenQAALevel/4=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-2 \ No newline at end of file
diff --git a/id/server/idserverlib/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml b/id/server/idserverlib/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml
new file mode 100644
index 000000000..09084a34f
--- /dev/null
+++ b/id/server/idserverlib/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ecdsa="http://www.w3.org/2001/04/xmldsig-more#" xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#" xmlns:si="http://www.w3.org/2001/XMLSchema-instance" AssertionID="szr.bmi.gv.at-AssertionID13456264458587874" IssueInstant="2012-08-22T11:07:25+01:00" Issuer="http://portal.bmi.gv.at/ref/szr/issuer" MajorVersion="1" MinorVersion="0" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+ <saml:AttributeStatement>
+ <saml:Subject>
+ <saml:SubjectConfirmation>
+ <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
+ <saml:SubjectConfirmationData>
+ <pr:Person si:type="pr:PhysicalPersonType"><pr:Identification><pr:Value>wJO/bvDJjUysG0yARn7I6w==</pr:Value><pr:Type>urn:publicid:gv.at:baseid</pr:Type></pr:Identification><pr:Name><pr:GivenName>XXXRúùd</pr:GivenName><pr:FamilyName primary="undefined">XXXVàn Nisteĺrooy</pr:FamilyName></pr:Name><pr:DateOfBirth>1969-02-13</pr:DateOfBirth></pr:Person>
+ </saml:SubjectConfirmationData>
+ </saml:SubjectConfirmation>
+ </saml:Subject>
+ <saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2"><saml:AttributeValue><ecdsa:ECDSAKeyValue><ecdsa:DomainParameters><ecdsa:NamedCurve URN="urn:oid:1.2.840.10045.3.1.7"/></ecdsa:DomainParameters><ecdsa:PublicKey><ecdsa:X Value="22280299907126338788314199678167217078072953115254374209747379168424021905237" si:type="ecdsa:PrimeFieldElemType"/><ecdsa:Y Value="40387096985250872237992703378062984723606079359080588656963239072881568409170" si:type="ecdsa:PrimeFieldElemType"/></ecdsa:PublicKey></ecdsa:ECDSAKeyValue></saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2"><saml:AttributeValue><dsig:RSAKeyValue><dsig:Modulus>4Y4FL09VhczsfYQgFPuycP8quJNZBAAu1R1rFXNodI2711B6BTMjAGQn6xuFWfd3/nyFav/MLTr/
+t2VazvANS4TRFxJAcWyIx7xbxCdzZr6gJ+FCmq4g5JPrQvt50v3JX+wKSYft1gHBOWlDn90Ia4Gm
+P8MVuze21T+VVKM6ZklmS6d5PT1er/uYQFydGErmJ17xlSQG6Fi5xuftopBDyJxG1tL1KIebpLFg
+gaM2EyuB1HxH8/+Mfqa4UgeqIH65</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
+ <dsig:Signature>
+ <dsig:SignedInfo>
+ <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+ <dsig:Reference URI="">
+ <dsig:Transforms>
+ <dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
+ <dsig:XPath>not(ancestor-or-self::pr:Identification)</dsig:XPath>
+ </dsig:Transform>
+ <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ </dsig:Transforms>
+ <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+ <dsig:DigestValue>KEQEPY2O3Z3IRaISSSoRZVPzsHE=</dsig:DigestValue>
+ </dsig:Reference>
+ <dsig:Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest" URI="#manifest">
+ <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+ <dsig:DigestValue>gzGhjH1kdmPcPbgen0xojNIoJLk=</dsig:DigestValue>
+ </dsig:Reference>
+ </dsig:SignedInfo>
+ <dsig:SignatureValue>
+ 06wqWHgplwpu3N5HMhzb6QC5NkXMO1z4N4oc1L6eDqwZlvFJ9X1XGW//QqviKO9oog3il7IzdfJwnjygR4trgGCIqx+JYCDHJCrG9l8zlxlSW0ZqfsygGXthutcQ1aeUpfO6jYuhnWOUywa8BgzukRtWT+AOJBQZPRYTb8IBmey+uAwlhFLni94eMOd81l+efCvkWi3jRajwsG8ZOaNxSZT3aEV5vj+32Aqtx2MPEVzQWtIA7GqZi+EzcdSdHQvHhg7UB+8kqbU70ENAJbEMTANFZYvLOJ0Om9KfDtPf/+R2TvTc360fNo9RnPl04pHPhCIjcGZhFZorBpUhXFwd2Q==
+ </dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>MIIF3TCCBMWgAwIBAgIDByniMA0GCSqGSIb3DQEBBQUAMIGfMQswCQYDVQQGEwJBVDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBpbSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMSIwIAYDVQQLDBlhLXNpZ24tY29ycG9yYXRlLWxpZ2h0LTAyMSIwIAYDVQQDDBlhLXNpZ24tY29ycG9yYXRlLWxpZ2h0LTAyMB4XDTEwMDcyODExMzY0M1oXDTE1MDcyODExMzY0M1owgbYxCzAJBgNVBAYTAkFUMR4wHAYDVQQKDBVEYXRlbnNjaHV0emtvbW1pc3Npb24xIjAgBgNVBAsMGVN0YW1temFobHJlZ2lzdGVyYmVob2VyZGUxLjAsBgNVBAMMJVNpZ25hdHVyc2VydmljZSBEYXRlbnNjaHV0emtvbW1pc3Npb24xFTATBgNVBAUTDDMyNTkyODMyMzk5ODEcMBoGCSqGSIb3DQEJARYNZHNrQGRzay5ndi5hdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+dBSEBGj2jUXIK1Mp3lVxc/Za+pJMiyKrX3G1ZxgX/ikx7D9scsPYMt473LlAWl9cmCbHbJK+PV2XNNdURLMUCIX+4vUNs2MHeDTQtX8BXjJFpwJYSoaRJQ39FVS/1r5sWcra9Hhdm7w5Gtx/2ukyDX0kdkxawkhP4EQEzi/SI+Fugn+WqgQ1nAdlbxb/dcBw5w1h9b3lmuwUf4z3ooQWUD2DgA/kKd1KejNR43mLUsmvSzevPxT9zs78pOR1OacB7IszTVJPXeOEaaNZHnnB/UeO3g8LEV/3OkXcUgcMkbIIiaBHlll71Pq0COj9kqjXoe7OrRjLY5i3KwOpa6TMCAwEAAaOCAgcwggIDMBMGA1UdIwQMMAqACEkcWDpP6A0DMH8GCCsGAQUFBwEBBHMwcTAnBggrBgEFBQcwAYYbaHR0cDovL29jc3AuYS10cnVzdC5hdC9vY3NwMEYGCCsGAQUFBzAChjpodHRwOi8vd3d3LmEtdHJ1c3QuYXQvY2VydHMvYS1zaWduLWNvcnBvcmF0ZS1saWdodC0wMmEuY3J0MFQGA1UdIARNMEswSQYGKigAEQESMD8wPQYIKwYBBQUHAgEWMWh0dHA6Ly93d3cuYS10cnVzdC5hdC9kb2NzL2NwL2Etc2lnbi1BbXRzc2lnbmF0dXIwgZ4GA1UdHwSBljCBkzCBkKCBjaCBioaBh2xkYXA6Ly9sZGFwLmEtdHJ1c3QuYXQvb3U9YS1zaWduLWNvcnBvcmF0ZS1saWdodC0wMixvPUEtVHJ1c3QsYz1BVD9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0P2Jhc2U/b2JqZWN0Y2xhc3M9ZWlkQ2VydGlmaWNhdGlvbkF1dGhvcml0eTARBgNVHQ4ECgQITAgOnhr0tbowDgYDVR0PAQH/BAQDAgSwMCAGA1UdEQQZMBeBFW1hcmN1cy5oaWxkQGRzay5ndi5hdDAJBgNVHRMEAjAAMA4GByooAAoBBwEEAwEB/zAUBgcqKAAKAQEBBAkMB0JTQi1EU0swDQYJKoZIhvcNAQEFBQADggEBAHTklnvPCH/bJSOlIPbLUEkSGuFHsektSZ8Vr22x/Yv7EzsxoQrJIiz2mQ2gQqFuExdWYxvsowjiSbiis9iUf1c0zscvDS3mIZxGs4M89XHsjHnIyb+Fuwnamw65QrFvM1tNB1ZMjxJ3x+YmHLHdtT3BEBcr3/NCRHd2S0HoBspNz9HVgJaZY1llR7poKBvnAc4g1i+QTvyVb00PtKxR9Lw/9ABInX/1pzpxqrPy7Ib2OP8z6dd3WHmIsCiSHUaj0Dxwwln6fYJjhxZ141SnbovlCLYtrsZLXoi9ljIqX4xO0PwMI2RfNc9cXxTRrRS6rEOvX7PpvgXiDXhp592Yyp4=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo>
+ <dsig:Object>
+ <dsig:Manifest Id="manifest">
+ <dsig:Reference URI="">
+ <dsig:Transforms>
+ <dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
+ <dsig:XPath>not(ancestor-or-self::dsig:Signature)</dsig:XPath>
+ </dsig:Transform>
+ </dsig:Transforms>
+ <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+ <dsig:DigestValue>8e7RjLnA4Mgltq5ruIJzheKGxu0=</dsig:DigestValue>
+ </dsig:Reference>
+ </dsig:Manifest>
+ </dsig:Object>
+ </dsig:Signature>
+</saml:Assertion> \ No newline at end of file