diff options
Diffstat (limited to 'id/server/idserverlib/src')
53 files changed, 1678 insertions, 1057 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAReversionLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAReversionLogger.java index 8ee32c54e..7ac026888 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAReversionLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAReversionLogger.java @@ -23,11 +23,10 @@  package at.gv.egovernment.moa.id.advancedlogging;  import java.security.MessageDigest; +import java.util.Arrays;  import java.util.Date;  import java.util.List; -import com.google.common.primitives.Ints; -  import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;  import at.gv.egovernment.moa.id.auth.data.IdentityLink;  import at.gv.egovernment.moa.id.config.ConfigurationException; @@ -47,7 +46,7 @@ public class MOAReversionLogger {  	private static MOAReversionLogger instance = null;  -	private static final List<Integer> defaultEventCodes = Ints.asList( +	private static final List<Integer> defaultEventCodes = Arrays.asList(  			MOAIDEventConstants.SESSION_CREATED,   			MOAIDEventConstants.SESSION_DESTROYED,  			MOAIDEventConstants.SESSION_ERROR, @@ -69,8 +68,9 @@ public class MOAReversionLogger {  			MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION,  			MOAIDEventConstants.AUTHPROCESS_STORK_REQUESTED,  			MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER -			); - +	); +	 +	  	public static synchronized MOAReversionLogger getInstance() {  		if (instance == null) {  			instance = new MOAReversionLogger(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index bfed65ae2..5487152cf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -26,7 +26,6 @@ import java.io.ByteArrayInputStream;  import java.io.IOException;  import java.io.InputStream;  import java.util.Date; -import java.util.List;  import javax.xml.bind.JAXBContext;  import javax.xml.bind.JAXBException; @@ -34,7 +33,6 @@ import javax.xml.bind.Unmarshaller;  import org.apache.commons.lang3.StringEscapeUtils; -  import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;  import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator;  import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; @@ -44,7 +42,6 @@ import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException;  import at.gv.egovernment.moa.id.auth.exception.MOAIDException;  import at.gv.egovernment.moa.id.auth.exception.ServiceException;  import at.gv.egovernment.moa.id.client.SZRGWClientException; -  import at.gv.egovernment.moa.id.commons.db.StatisticLogDBUtils;  import at.gv.egovernment.moa.id.commons.db.dao.statistic.StatisticLog;  import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; @@ -68,7 +65,7 @@ public class StatisticLogger {  	private static final String MANTATORTYPE_JUR = "jur";  	private static final String MANTATORTYPE_NAT = "nat"; -	private static final int MAXERRORLENGTH = 250; +	private static final int MAXERRORLENGTH = 200;  	private static final String ERRORTYPE_UNKNOWN = "unkown";  	private static final String ERRORTYPE_BKU = "bku"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java index 953a478be..022ec9def 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java @@ -4,7 +4,6 @@  package at.gv.egovernment.moa.id.auth;  import iaik.pki.PKIException; -import iaik.pki.jsse.IAIKX509TrustManager;  import iaik.security.ecc.provider.ECCProvider;  import iaik.security.provider.IAIK; @@ -13,14 +12,11 @@ import java.security.GeneralSecurityException;  import javax.activation.CommandMap;  import javax.activation.MailcapCommandMap; -import javax.net.ssl.SSLSocketFactory;  import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.ConnectionParameter;  import at.gv.egovernment.moa.id.config.auth.AuthConfigLoader;  import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;  import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.util.AxisSecureSocketFactory;  import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;  import at.gv.egovernment.moa.id.util.SSLUtils;  import at.gv.egovernment.moa.logging.Logger; @@ -137,50 +133,27 @@ public class MOAIDAuthInitializer {                  "http://www.w3.org/2001/04/xmldsig-more#");          Constants.nSMap.put(Constants.DSIG_PREFIX, Constants.DSIG_NS_URI); -        // Loads the configuration +        // Initialize configuration provider +       	AuthConfiguration authConf = AuthConfigurationProviderFactory.reload(); + +    	//test, if MOA-ID is already configured +    	authConf.getPublicURLPrefix(); + +    	// Initialize MOA-SP +    	//MOA-SP is only use by API calls since MOA-ID 3.0.0            try { -        	AuthConfiguration authConf = AuthConfigurationProviderFactory.reload(); -        	 -            ConnectionParameter moaSPConnParam = authConf -                    .getMoaSpConnectionParameter(); - -            // If MOA-SP API calls: loads MOA-SP configuration and configures IAIK -            if (moaSPConnParam == null) { -                try { -                    LoggingContextManager.getInstance().setLoggingContext( -                            new LoggingContext("startup")); -                    ConfigurationProvider config = ConfigurationProvider -                            .getInstance(); -                    new IaikConfigurator().configure(config);   -                } catch (at.gv.egovernment.moa.spss.server.config.ConfigurationException ex) { -                    throw new ConfigurationException("config.10", new Object[] { ex -                            .toString() }, ex); -                } -            } -      -            // Initializes IAIKX509TrustManager logging -            /* -            String log4jConfigURL = System.getProperty("log4j.configuration"); -            Logger.info("Log4J Configuration: " + log4jConfigURL); -            if (log4jConfigURL != null) { -                IAIKX509TrustManager.initLog(new LoggerConfigImpl(log4jConfigURL)); -            } -             */ - -            // Initializes the Axis secure socket factory for use in calling the -            // MOA-SP web service -            if (moaSPConnParam != null && moaSPConnParam.isHTTPSURL()) { -                SSLSocketFactory ssf = SSLUtils.getSSLSocketFactory(authConf, -                        moaSPConnParam); -                AxisSecureSocketFactory.initialize(ssf); -            } -        	 -        	 -        } catch (ConfigurationException e) { -        	Logger.error("MOA-ID-Auth start-up FAILED. Error during application configuration.", e); -        	System.exit(-1); -        	 -        } +        	LoggingContextManager.getInstance().setLoggingContext( +                      new LoggingContext("startup")); +            ConfigurationProvider config = ConfigurationProvider +                      .getInstance(); +            new IaikConfigurator().configure(config); +             +         } catch (at.gv.egovernment.moa.spss.server.config.ConfigurationException ex) { +            throw new ConfigurationException("config.10", new Object[] { ex +                     .toString() }, ex); +             +         } +        	        	          // Starts the session cleaner thread to remove unpicked authentication data          AuthenticationSessionCleaner.start(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 998fa495f..57a5316e8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -135,10 +135,12 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {  		AuthenticationData authdata = null;		  		try { -			Object saml1Requst = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl").newInstance(); +			//check if SAML1 authentication module is in Classpath +			Class<?> saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl");  			IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").newInstance();			 -			if (protocolRequest.getClass().isInstance(saml1Requst)) { -				//request is SAML1 +			if (saml1RequstTemplate != null &&  +					saml1RequstTemplate.isInstance(protocolRequest)) {				 +				//request is SAML1  --> invoke SAML1 protocol specific methods   				if (session.getExtendedSAMLAttributesOA() == null) {  					saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, new ArrayList<ExtendedSAMLAttribute>()); @@ -310,7 +312,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {  					//validate PVP 2.1 response  					try {  						SAMLVerificationEngine engine = new SAMLVerificationEngine(); -						engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); +						engine.verifyIDPResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine());  						SAMLVerificationEngine.validateAssertion(intfResp, false); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java index 899b0fd15..d4350f97b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java @@ -95,6 +95,9 @@ public class DataURLBuilder {  //				dataURL = individualDataURLPrefix + authServletName;  //			} else +		if (!authBaseURL.endsWith("/")) +			authBaseURL += "/"; +		  		dataURL = authBaseURL + authServletName;      dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_SESSIONID, sessionID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java index 02aaac8cb..d14910319 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java @@ -147,6 +147,9 @@ public class SendAssertionFormBuilder {  			value = value.replace(ACTION, action);  			value = value.replace(ID, id);  			value = value.replace(OANAME, oaParam.getFriendlyName()); +			 +			if (contextpath.endsWith("/")) +				contextpath = contextpath.substring(0, contextpath.length() - 1);  			value = value.replace(CONTEXTPATH, contextpath);  			value = FormBuildUtils.customiceLayoutBKUSelection(value,  diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java index 8429baf23..4a6ecd56a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java @@ -152,8 +152,7 @@ public class CreateInterfedeartionRequestTask extends AbstractAuthServletTask {  					authReq.setAssertionConsumerServiceIndex(0);  					authReq.setIssueInstant(new DateTime());  					Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);					 -					String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath(); -					issuer.setValue(serviceURL); +					issuer.setValue(pendingReq.getAuthURLWithOutSlash());  					issuer.setFormat(NameIDType.ENTITY);  					authReq.setIssuer(issuer); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java index 8add03da7..712ebb731 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java @@ -59,6 +59,12 @@ public class FinalizeAuthenticationTask extends AbstractAuthServletTask {  			IRequest pendingReq = RequestStorage.getPendingRequest(  					(String) executionContext.get("pendingRequestID"));	 +			if (pendingReq == null) { +				Logger.info("No PendingRequest with Id: " + executionContext.get("pendingRequestID") + " Maybe, a transaction timeout occure."); +				throw new MOAIDException("auth.28", new Object[]{executionContext.get("pendingRequestID")}); +				 +			} +			  			//get Session from context  			String moasessionid = (String) executionContext.get(PARAM_SESSIONID);  			AuthenticationSession session = null;				 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index 004961116..e659c9447 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -56,7 +56,8 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{  			String ccc,  			String module,  			String action, -			HttpServletRequest req) throws WrongParametersException, MOAIDException { +			HttpServletRequest req,  +			IRequest protocolReq) throws WrongParametersException, MOAIDException {  		String targetFriendlyName = null; @@ -223,20 +224,15 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{  			throw new WrongParametersException("StartAuthentication",  					PARAM_OA, "auth.05");  		moasession.setOAURLRequested(oaURL); -		 +				  		//check AuthURL -	    String authURL = req.getScheme() + "://" + req.getServerName(); -	    if ((req.getScheme().equalsIgnoreCase("https") && req.getServerPort()!=443) || (req.getScheme().equalsIgnoreCase("http") && req.getServerPort()!=80)) {  -	      authURL = authURL.concat(":" + req.getServerPort()); -	    } -	    authURL = authURL.concat(req.getContextPath() + "/"); - +	    String authURL = protocolReq.getAuthURL();  		if (!authURL.startsWith("https:") && !AuthConfigurationProviderFactory.getInstance().isHTTPAuthAllowed())  			throw new AuthenticationException("auth.07",  					new Object[] { authURL + "*" });  		//set Auth URL from configuration -		moasession.setAuthURL(AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + "/"); +		moasession.setAuthURL(authURL);  		//check and set SourceID  		if (oaParam.getSAML1Parameter() != null) { @@ -318,7 +314,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{  	    oaURL = request.getOAURL();  	    target = request.getTarget(); -	    parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, modul, action, req); +	    parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, modul, action, req, request);  	} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java index 43f4f90ff..fe24d45dd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java @@ -197,11 +197,6 @@ public class AuthServlet extends HttpServlet {  					procExc.getCause() instanceof TaskExecutionException) {  				TaskExecutionException taskExc = (TaskExecutionException) procExc.getCause();  				loggedException = taskExc.getOriginalException();	 -				if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) { -					Logger.error(exceptionThrown.getMessage(), exceptionThrown); -					 -				} else -					Logger.error(exceptionThrown.getMessage());  			}			  		} @@ -213,6 +208,14 @@ public class AuthServlet extends HttpServlet {  		if (!(loggedException instanceof MOAIDException)) {  			Logger.error("Receive an internal error: Message=" + loggedException.getMessage(), loggedException); +		} else { +			if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) { +				Logger.error(loggedException.getMessage(), loggedException); +			 +			} else { +				Logger.error(loggedException.getMessage()); +			 +			}			  		}  		IExceptionStore store = DBExceptionStoreImpl.getStore(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java index 2a63968dd..15d596049 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java @@ -24,8 +24,6 @@ package at.gv.egovernment.moa.id.auth.servlet;  import java.io.IOException;  import java.util.Enumeration; -import java.util.List; -import java.util.Map;  import javax.servlet.ServletException;  import javax.servlet.http.HttpServletRequest; @@ -33,28 +31,18 @@ import javax.servlet.http.HttpServletResponse;  import org.apache.commons.lang.StringEscapeUtils; -import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; -import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;  import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;  import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;  import at.gv.egovernment.moa.id.auth.exception.MOAIDException;  import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; +import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;  import at.gv.egovernment.moa.id.auth.modules.registration.ModuleRegistration; -import at.gv.egovernment.moa.id.auth.parser.StartAuthentificationParameterParser; -  import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; - -import at.gv.egovernment.moa.id.moduls.IRequest; -import at.gv.egovernment.moa.id.moduls.RequestStorage; -  import at.gv.egovernment.moa.id.process.ExecutionContextImpl; +import at.gv.egovernment.moa.id.process.ProcessExecutionException;  import at.gv.egovernment.moa.id.process.api.ExecutionContext;  import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;  import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.FileUtils;  import at.gv.egovernment.moa.util.MiscUtil;  public class GenerateIFrameTemplateServlet extends AuthServlet { @@ -139,6 +127,25 @@ public class GenerateIFrameTemplateServlet extends AuthServlet {  	    catch (MOAIDException ex) {  	    	handleError(null, ex, req, resp, pendingRequestID); + +	    } catch (ProcessExecutionException e) { +			Throwable cause = e.getCause(); +			if (cause != null && cause instanceof TaskExecutionException) { +				Throwable taskCause = cause.getCause(); +				if (taskCause != null && taskCause instanceof WrongParametersException) { +					WrongParametersException internalEx = (WrongParametersException) taskCause; +					handleWrongParameters(internalEx, req, resp); +					return; +					 +				} else if (taskCause != null && taskCause instanceof MOAIDException) { +					MOAIDException moaTaskCause = (MOAIDException) taskCause; +					handleError(null, moaTaskCause, req, resp, pendingRequestID); +					return; +					 +				}									 +			}  +			 +			Logger.error("BKUSelectionServlet has an interal Error.", e);				    	  	    } catch (Exception e) {  	    	Logger.error("BKUSelectionServlet has an interal Error.", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java index 0a6d30be7..fe5cd1ac0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java @@ -45,6 +45,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescripto  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException;  import at.gv.egovernment.moa.id.storage.AssertionStorage;  import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.HTTPUtils;  import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;  import at.gv.egovernment.moa.id.util.Random;  import at.gv.egovernment.moa.logging.Logger; @@ -62,6 +63,23 @@ public class IDPSingleLogOutServlet extends AuthServlet {  	protected void doGet(HttpServletRequest req, HttpServletResponse resp)  			    throws ServletException, IOException {  		Logger.debug("receive IDP SingleLogOut Request"); +		 +		String authURL = HTTPUtils.extractAuthURLFromRequest(req); +		try { +			if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().contains(authURL)) {		 +				Logger.warn("Requested URL " + authURL + " is not in PublicPrefix Configuration"); +				resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request not allowed"); +				return; +			 +			} +			 +		} catch (MOAIDException e) { +			Logger.error("Internal Server Error.", e); +			resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal Server Error"); +			return; +			 +		} +		  		SSOManager ssomanager = SSOManager.getInstance();		  		String ssoid = ssomanager.getSSOSessionID(req); @@ -109,7 +127,7 @@ public class IDPSingleLogOutServlet extends AuthServlet {  						AuthenticationSession authSession = AuthenticationSessionStoreage  								.getSession(moaSessionID);  						if(authSession != null) { -							authmanager.performSingleLogOut(req, resp, authSession, null); +							authmanager.performSingleLogOut(req, resp, authSession, authURL);  							return;  						} @@ -142,7 +160,7 @@ public class IDPSingleLogOutServlet extends AuthServlet {  						} else {  							//print SLO information directly -							redirectURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + "/idpSingleLogout"; +							redirectURL = HTTPUtils.extractAuthURLFromRequest(req) + "/idpSingleLogout";  							String artifact = Random.nextRandom(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java index c1e084a59..53187088e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java @@ -60,6 +60,7 @@ import at.gv.egovernment.moa.id.moduls.AuthenticationManager;  import at.gv.egovernment.moa.id.moduls.RequestStorage;  import at.gv.egovernment.moa.id.moduls.SSOManager;  import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.HTTPUtils;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.MiscUtil; @@ -85,14 +86,14 @@ public class LogOutServlet extends AuthServlet {  		if (MiscUtil.isEmpty(redirectUrl)) {  			//set default redirect Target  			Logger.debug("Set default RedirectURL back to MOA-ID-Auth"); -			redirectUrl = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); +			redirectUrl = HTTPUtils.extractAuthURLFromRequest(req);  		} else {  			//return an error if RedirectURL is not a active Online-Applikation  			OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(redirectUrl);			  			if (oa == null) {		  				Logger.info("RedirctURL does not match to OA configuration. Set default RedirectURL back to MOA-ID-Auth"); -				redirectUrl = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); +				redirectUrl = HTTPUtils.extractAuthURLFromRequest(req);  			} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java index 7dd8645c6..a914659b0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java @@ -36,6 +36,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;  import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.moduls.SSOManager;  import at.gv.egovernment.moa.id.util.FormBuildUtils; +import at.gv.egovernment.moa.id.util.HTTPUtils;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.MiscUtil;  import at.gv.egovernment.moa.util.URLEncoder; @@ -64,8 +65,10 @@ public class RedirectServlet extends AuthServlet{  		OAAuthParameter oa = null;  		String redirectTarget = DEFAULT_REDIRECTTARGET;  		try { -			oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url);			 -			if (oa == null && !url.startsWith(AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix())) {		 +			oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url); +			String authURL = HTTPUtils.extractAuthURLFromRequest(req); +			 +			if (oa == null && !AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().contains(authURL)) {		  				resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");  				return; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java index c98a7d537..65dcc7bf3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java @@ -81,8 +81,16 @@ public interface AuthConfiguration extends ConfigurationProvider{  	public boolean isAdvancedLoggingActive(); -	public String getPublicURLPrefix(); +	/** +	 * Returns the PublicURLPrefix. +	 *  +	 * @return the PublicURLPrefix (one or more) of this IDP instance. All publicURLPrefix URLs are ends without /  +	 * @throws ConfigurationException if no PublicURLPrefix is found. +	 */ +	public List<String> getPublicURLPrefix()  throws ConfigurationException; +	public boolean isVirtualIDPsEnabled();  +	  	public boolean isPVP2AssertionEncryptionActive();  	public boolean isCertifiacteQCActive(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java index 38135b028..9812f346d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java @@ -65,7 +65,7 @@ public class AuthConfigurationProviderFactory {  	    	instance = new PropertyBasedAuthConfigurationProvider(fileURI);  	    } catch (URISyntaxException e){ -	    	Logger.error("MOA-ID-Auth configuration file does not starts with file:/ as prefix."); +	    	Logger.error("MOA-ID-Auth configuration file does not starts with file:/ as prefix.", e);  	    	throw new ConfigurationException("config24", new Object[]{MOAIDAuthConstants.FILE_URI_PREFIX, fileName});  	    } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/ConfigurationToJSONConverter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/ConfigurationToJSONConverter.java deleted file mode 100644 index e1c1ac49e..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/ConfigurationToJSONConverter.java +++ /dev/null @@ -1,155 +0,0 @@ -//package at.gv.egovernment.moa.id.config.auth; -// -//import java.beans.IntrospectionException; -//import java.beans.Introspector; -//import java.beans.PropertyDescriptor; -//import java.lang.reflect.InvocationTargetException; -//import java.lang.reflect.Method; -//import java.util.Arrays; -//import java.util.List; -// -//import org.springframework.beans.factory.annotation.Autowired; -//import org.springframework.beans.factory.config.AutowireCapableBeanFactory; -//import org.springframework.context.ApplicationContext; -//import org.springframework.context.support.ClassPathXmlApplicationContext; -// -//import at.gv.egovernment.moa.id.commons.config.persistence.MOAIDConfiguration; -//import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; -//import at.gv.egovernment.moa.id.config.ConfigurationException; -//import at.gv.egovernment.moa.id.config.ConfigurationProvider; -// -//import com.fasterxml.jackson.annotation.JsonIgnore; -//import com.fasterxml.jackson.annotation.JsonProperty; -// -//public class ConfigurationToJSONConverter { -// -//	@Autowired -//	NewAuthConfigurationProvider configProvider; -// -//	@Autowired -//	MOAIDConfiguration configDataBase; -// -//	public static void main(String[] args) { -// -//		try { -//			ConfigurationToJSONConverter converter = new ConfigurationToJSONConverter(args[0]); -//			converter.writeConfigToJSONDB(); -//			System.out.println("====================================="); -//			System.out.println("====================================="); -//			converter.readConfigFromDB(); -//			System.out.println("====================================="); -//			System.out.println("====================================="); -// -//			// otherwise the database connection is not initialized -//			JaxBAuthConfigurationProvider.getInstance(); -//			List<String> methodNames = Arrays.asList("getAllOnlineApplications", "getAllUsers", "getMOAIDConfiguration"); -//			converter.extractDataViaConfigurationDBRead(methodNames); -//			converter.readExtractedConfigurationDBReadData(methodNames); -// -//		} catch (ConfigurationException e) { -//			e.printStackTrace(); -//			System.out.println("Problems reading the configuration file in: " + System.getProperty(ConfigurationProvider.CONFIG_PROPERTY_NAME)); -//			System.exit(1); -//		} -// -//	} -// -//	public ConfigurationToJSONConverter(String pathToDBConfigPropertiesFile) throws ConfigurationException { -// -//		System.getProperties().setProperty("location", "file:" + pathToDBConfigPropertiesFile); -//		ApplicationContext context = new ClassPathXmlApplicationContext("configuration.beans.xml"); -//		AutowireCapableBeanFactory acbFactory = context.getAutowireCapableBeanFactory(); -//		acbFactory.autowireBean(this); -// -//	} -// -//	public void extractDataViaConfigurationDBRead(List<String> methodNames) { -//		System.out.println("Start extracting"); -//		// read objects from db and write to key-value -//		for (String name : methodNames) { -//			try { -//				Method method = ConfigurationDBRead.class.getMethod(name); -//				Object tmp = method.invoke(null, new Object[] {}); -//				JsonProperty annotation = method.getAnnotation(JsonProperty.class); -//				if (annotation != null) { -//					configDataBase.set(annotation.value(), tmp); -//				} else { -//					System.out.println("Annotate Method with name: " + name); -//				} -//			} catch (NoSuchMethodException | SecurityException | IllegalAccessException | IllegalArgumentException -//					| InvocationTargetException e) { -//				System.out.println("Problems while extracting ConfigurationDBRead data."); -//			} -//		} -//	} -// -//	public void readExtractedConfigurationDBReadData(List<String> methodNames) { -//		for (String name : methodNames) { -//			Object tmp = configDataBase.get(name); -//			System.out.println(">>> OBJECT: " + tmp); -//		} -//	} -// -//	public void writeConfigToJSONDB() { -// -//		try { -//			// find all getter methods -//			for (PropertyDescriptor pd : Introspector.getBeanInfo(NewAuthConfigurationProvider.class).getPropertyDescriptors()) { -//				// check if correct methods, and not annotated with @JsonIgnore -//				if ((pd.getReadMethod() != null) -//						&& (!"class".equals(pd.getName())) -//						&& (pd.getReadMethod().getAnnotation(JsonIgnore.class) == null)) { -// -//					JsonProperty name = pd.getReadMethod().getAnnotation(JsonProperty.class); -//					// get result of get method -//					Object tmp; -//					try { -//						tmp = pd.getReadMethod().invoke(configProvider); -//						// convert result to JSON -//						if (name != null) { -//							configDataBase.set(name.value(), tmp); -//						} else { -//							System.out.println("CHECK if '" + pd.getDisplayName() + "' is NOT ANNOTATED"); -//						} -//					} catch (IllegalAccessException | InvocationTargetException e) { -//						System.out.println("Problems while writing the configuration to the database."); -//					} -//				} -//			} -// -//			// no static method handling needed -// -//		} catch (IllegalArgumentException e) { -//			System.out.println("Problems while using reflection to get all getter methods."); -//		} catch (IntrospectionException e) { -//			System.out.println("Problems while using reflection to get all getter methods."); -//		} -// -//	} -// -//	public void readConfigFromDB() { -//		try { -//			// find all getter methods -//			for (PropertyDescriptor pd : Introspector.getBeanInfo(NewAuthConfigurationProvider.class) -//					.getPropertyDescriptors()) { -//				// check if correct methods, and not annotated with @JsonIgnore -//				if ((pd.getReadMethod() != null) -//						&& (!"class".equals(pd.getName())) -//						&& (pd.getReadMethod().getAnnotation(JsonIgnore.class) == null)) { -//					JsonProperty name = pd.getReadMethod().getAnnotation(JsonProperty.class); -//					// get result of get method -//					if (name != null) { -//						System.out.println(">>> OBJECT: " + configDataBase.get(name.value())); -//					} else { -//						System.out.println("CHECK if '" + pd.getDisplayName() + "' is NOT ANNOTATED"); -//					} -//				} -//			} -//		} catch (IllegalArgumentException e) { -//			System.out.println("Problems while using reflection to get all getter methods."); -//		} catch (IntrospectionException e) { -//			System.out.println("Problems while using reflection to get all getter methods."); -//		} -//	} -// -//} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java index 645831479..7b798f522 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java @@ -6,6 +6,7 @@ import java.io.FileNotFoundException;  import java.io.IOException;  import java.net.MalformedURLException;  import java.net.URI; +import java.net.URL;  import java.util.ArrayList;  import java.util.Arrays;  import java.util.Collection; @@ -21,8 +22,15 @@ import org.springframework.context.ApplicationContext;  import org.springframework.context.support.ClassPathXmlApplicationContext;  import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.MOAIDConstants;  import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;  import at.gv.egovernment.moa.id.commons.config.persistence.MOAIDConfiguration; +import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.AuthComponentGeneral; +import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.MOASP; +import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.OnlineApplication; +import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.SecurityLayer; +import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.VerifyIdentityLink; +import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;  import at.gv.egovernment.moa.id.config.ConfigurationException;  import at.gv.egovernment.moa.id.config.ConfigurationProviderImpl;  import at.gv.egovernment.moa.id.config.ConfigurationUtils; @@ -48,6 +56,8 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide  	private final Properties properties = new Properties();  	private ApplicationContext context = null; +	private boolean requireJDBCBackupImplementation = false; +	  	public PropertyBasedAuthConfigurationProvider() {  	} @@ -84,6 +94,20 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide  			AutowireCapableBeanFactory acbFactory = context.getAutowireCapableBeanFactory();  			acbFactory.autowireBean(this); +			//Some databases do not allow the selection of a lob in SQL where expression   +			String dbDriver = properties.getProperty("configuration.hibernate.connection.driver_class");					 +			if (MiscUtil.isNotEmpty(dbDriver)) { +				for (String el:MOAIDConstants.JDBC_DRIVER_NEEDS_WORKAROUND) { +					if (dbDriver.startsWith(el)) { +						requireJDBCBackupImplementation = true; +						Logger.info("JDBC driver '" + dbDriver  +						+ "' is blacklisted --> Switch to alternative DB access methode implementation."); +						 +					}					 +				}						 +			} +			 +									  		} catch (FileNotFoundException e) {  			throw new ConfigurationException("config.03", null, e); @@ -791,20 +815,47 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide  		return Boolean.valueOf(prop);  	} -	/** -	 * Returns the PublicURLPrefix. NOTE: returns {@code null} if no PublicURLPrefix is set. -	 *  -	 * @return the PublicURLPrefix or {@code null} -	 */ -	public String getPublicURLPrefix() { -		try { -			return configuration.getStringValue( -					MOAIDConfigurationConstants.GENERAL_PUBLICURLPREFIX); +	public List<String> getPublicURLPrefix() throws ConfigurationException{ +		try {			 +			String publicURLPrefixList = configuration.getStringValue( +					MOAIDConfigurationConstants.GENERAL_PUBLICURLPREFIX);			 +			List<String> returnValues = new ArrayList<String>(); +			if (publicURLPrefixList != null) { +				publicURLPrefixList = KeyValueUtils.normalizeCSVValueString(publicURLPrefixList); +				List<String> publicURLPrefixArray = Arrays.asList(publicURLPrefixList.split(",")); +				Logger.trace("Found " + publicURLPrefixArray.size() + " PublicURLPrefix in configuration."); +				 +				 +				for (String el : publicURLPrefixArray) { +					try { +						new URL(el); +						if (el.endsWith("/")) +							returnValues.add(el.substring(0, el.length()-1)); +						else +							returnValues.add(el); +						 +					} catch (MalformedURLException e) { +						Logger.warn("IDP PublicURLPrefix URL " + el + " is not a valid URL", e); +					}										 +				}										 +			}  +			 +			if (returnValues.size() > 0) +				return returnValues; +			 +			else { +				Logger.warn("MOA-ID PublicURLPrefix is not found in configuration."); +				throw new ConfigurationException("config.08", new Object[]{"IDP PublicURLPrefix"}); +				 +			} +						  		} catch (at.gv.egiz.components.configuration.api.ConfigurationException e) {  			Logger.warn("MOA-ID PublicURLPrefix can not be read from configuration.", e); -			return null; +			throw new ConfigurationException("config.08", new Object[]{"IDP PublicURLPrefix"}, e); +			  		} +		  	}  	/** @@ -983,9 +1034,11 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide  		Logger.trace("Get active OnlineApplication with ID " + id + " from database.");  		Map<String, String> oaConfig = null;  		try { -			//OracleDB does not allow the selection of a lob in SQL where expression   +			 +			//TODO: +			//Some databases do not allow the selection of a lob in SQL where expression    			String dbDriver = properties.getProperty("configuration.hibernate.connection.driver_class"); -			if (MiscUtil.isNotEmpty(dbDriver) && dbDriver.startsWith("oracle.jdbc.")) +			if (requireJDBCBackupImplementation)  				oaConfig = configuration.getOnlineApplicationBackupVersion(id);  			else @@ -1120,4 +1173,24 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide  		else  			return getMoaSpIdentityLinkTrustProfileID();  	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.config.auth.AuthConfiguration#isVirtualIDPsEnabled() +	 */ +	@Override +	public boolean isVirtualIDPsEnabled() { +		try { +			String value = configuration.getStringValue( +					MOAIDConfigurationConstants.GENERAL_ISVIRTUALIDPSENABLED); +			if (MiscUtil.isNotEmpty(value)) { +				return Boolean.valueOf(value); +			} +			 +		} catch (at.gv.egiz.components.configuration.api.ConfigurationException e) { +			Logger.error("Error during 'isVirutalIDPsEnabled' load operationen."  , e); +	 +		} +		 +		return false; +	}  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java index d1e04e107..a4bba8b19 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java @@ -75,6 +75,7 @@ public class SLOInformationContainer implements Serializable {  							if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI))										  								activeBackChannelOAs.put(oa.getOaurlprefix(),   										new SLOInformationImpl( +											oa.getAuthURL(),	  											oa.getAssertionSessionID(),   											oa.getUserNameID(),   											oa.getUserNameIDFormat(),  @@ -84,6 +85,7 @@ public class SLOInformationContainer implements Serializable {  							else  								activeFrontChannalOAs.put(oa.getOaurlprefix(),   										new SLOInformationImpl( +											oa.getAuthURL(),  											oa.getAssertionSessionID(),   											oa.getUserNameID(),   											oa.getUserNameIDFormat(),  @@ -123,6 +125,7 @@ public class SLOInformationContainer implements Serializable {  						activeFrontChannalOAs.put(el.getIdpurlprefix(),   								new SLOInformationImpl( +										el.getAuthURL(),  										el.getSessionIndex(),   										el.getUserNameID(),   										NameID.TRANSIENT,  diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java index 55b213702..55a56056d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java @@ -39,17 +39,23 @@ public class SLOInformationImpl implements SLOInformationInterface, Serializable  	private String nameIDFormat = null;  	private String binding = null;  	private String serviceURL = null; +	private String authURL = null; -	public SLOInformationImpl(String sessionID, String nameID, String nameIDFormat, String protocolType) { -		new SLOInformationImpl(sessionID, nameID, nameIDFormat, protocolType, null); +	public SLOInformationImpl(String authURL, String sessionID, String nameID, String nameIDFormat, String protocolType) { +		new SLOInformationImpl(authURL, sessionID, nameID, nameIDFormat, protocolType, null);  	} -	public SLOInformationImpl(String sessionID, String nameID, String nameIDFormat, String protocolType, SingleLogoutService sloService) { +	public SLOInformationImpl(String authURL, String sessionID, String nameID, String nameIDFormat, String protocolType, SingleLogoutService sloService) {  		this.sessionIndex = sessionID;  		this.nameID = nameID;  		this.nameIDFormat = nameIDFormat;  		this.protocolType = protocolType; +		if (authURL.endsWith("/")) +			this.authURL = authURL.substring(0, authURL.length()-1); +		else +			this.authURL = authURL; +		  		if (sloService != null) {  			this.binding = sloService.getBinding();  			this.serviceURL = sloService.getLocation(); @@ -148,6 +154,13 @@ public class SLOInformationImpl implements SLOInformationInterface, Serializable  	public String getServiceURL() {  		return serviceURL;  	} + +	/** +	 * @return the authURL from requested IDP without ending / +	 */ +	public String getAuthURL() { +		return authURL; +	} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 771c9a35e..ce44db215 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -33,7 +33,6 @@ import javax.servlet.http.HttpServletResponse;  import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;  import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;  import at.gv.egovernment.moa.id.advancedlogging.StatisticLogger; -  import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;  import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;  import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; @@ -45,7 +44,7 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException;  import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;  import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;  import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; - +import at.gv.egovernment.moa.id.config.ConfigurationException;  import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;  import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData; @@ -86,13 +85,18 @@ public class DispatcherServlet extends AuthServlet{  			MOAIDAuthInitializer.initialize();  			Logger.info(MOAIDMessageProvider.getInstance().getMessage(  					"init.00", null)); +		 +			Logger.info("Dispatcher Servlet initialization finished."); +			  		} catch (Exception ex) {  			Logger.fatal(  					MOAIDMessageProvider.getInstance().getMessage("init.02",  							null), ex); -			throw new ServletException(ex); +			 +			//throw new ServletException(ex); +			  		} -		Logger.info("Dispatcher Servlet initialization finished."); +		  	}  	protected void processRequest(HttpServletRequest req, @@ -364,7 +368,10 @@ public class DispatcherServlet extends AuthServlet{  					} catch (AuthnRequestValidatorException e) {  						//log Error Message  						StatisticLogger logger = StatisticLogger.getInstance(); -						logger.logErrorOperation(e, e.getErrorRequest());						 +						logger.logErrorOperation(e, e.getErrorRequest()); +						 +						//TODO: maybe add some error message handling??? +						  						return;  					}catch (InvalidProtocolRequestException e) { @@ -377,6 +384,13 @@ public class DispatcherServlet extends AuthServlet{  								"(Errorcode=" + code +  								" | Description=" + descr + ")");  						return; +					} catch (ConfigurationException e) {	 +						resp.setContentType("text/html;charset=UTF-8"); +						resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!" + +								"(Errorcode=9199" +								+" | Description="+ e.getMessage() + ")"); +						return; +						  					} catch (MOAIDException e) {						  						Logger.error("Failed to generate a valid protocol request!");  						resp.setContentType("text/html;charset=UTF-8"); @@ -544,7 +558,7 @@ public class DispatcherServlet extends AuthServlet{  						try {  							//Store OA specific SSO session information   							AuthenticationSessionStoreage.addSSOInformation(moasessionID,  -									newSSOSessionId, assertionID, protocolRequest.getOAURL()); +									newSSOSessionId, assertionID, protocolRequest);  						} catch (AuthenticationException e) {  							Logger.warn("SSO Session information can not be stored  -> SSO is not enabled!"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 39cb5b9c8..c38bbc68f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -52,7 +52,6 @@ import org.opensaml.saml2.core.NameIDPolicy;  import org.opensaml.saml2.core.NameIDType;  import org.opensaml.saml2.core.RequestedAuthnContext;  import org.opensaml.saml2.core.StatusCode; -import org.opensaml.saml2.core.Subject;  import org.opensaml.saml2.metadata.EntityDescriptor;  import org.opensaml.saml2.metadata.SingleLogoutService;  import org.opensaml.saml2.metadata.SingleSignOnService; @@ -72,9 +71,10 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;  import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions;  import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;  import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;  import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;  import at.gv.egovernment.moa.id.auth.modules.registration.ModuleRegistration; -import at.gv.egovernment.moa.id.auth.parser.StartAuthentificationParameterParser;  import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;  import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;  import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; @@ -82,12 +82,11 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;  import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.SLOInformationContainer;  import at.gv.egovernment.moa.id.data.SLOInformationImpl; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -  import at.gv.egovernment.moa.id.process.ExecutionContextImpl;  import at.gv.egovernment.moa.id.process.ProcessEngine;  import at.gv.egovernment.moa.id.process.ProcessExecutionException;  import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; @@ -98,6 +97,8 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;  import at.gv.egovernment.moa.id.storage.AssertionStorage;  import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;  import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; @@ -167,7 +168,20 @@ public class AuthenticationManager extends MOAIDAuthConstants {  	}  	public void performSingleLogOut(HttpServletRequest httpReq, -	HttpServletResponse httpResp, AuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException {		 +	HttpServletResponse httpResp, AuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException { +		performSingleLogOut(httpReq, httpResp, session, pvpReq, null); +		 +	} +	 +	public void performSingleLogOut(HttpServletRequest httpReq, +	HttpServletResponse httpResp, AuthenticationSession session, String authURL) throws MOAIDException { +		performSingleLogOut(httpReq, httpResp, session, null, authURL); +		 +	} +	 +	 +	private void performSingleLogOut(HttpServletRequest httpReq, +	HttpServletResponse httpResp, AuthenticationSession session, PVPTargetConfiguration pvpReq, String authURL) throws MOAIDException {		  		String pvpSLOIssuer = null;  		String inboundRelayState = null; @@ -176,6 +190,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {  			LogoutRequest logOutReq = (LogoutRequest) samlReq.getSamlRequest();  			pvpSLOIssuer = logOutReq.getIssuer().getValue();  			inboundRelayState = samlReq.getRelayState(); +			  		}  		SSOManager ssomanager = SSOManager.getInstance(); @@ -195,7 +210,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {  		} catch (MOADatabaseException e) {  			Logger.warn("Delete MOASession FAILED."); -			sloContainer.putFailedOA(AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix()); +			sloContainer.putFailedOA(pvpReq.getAuthURL());  		} @@ -219,8 +234,13 @@ public class AuthenticationManager extends MOAIDAuthConstants {  							+ " FAILED. NO LogOut response received.");  					sloContainer.putFailedOA(sloReq.getIssuer().getValue()); +				} else { +					SAMLVerificationEngine engine = new SAMLVerificationEngine(); +					engine.verifySLOResponse(sloResp,  +							TrustEngineFactory.getSignatureKnownKeysTrustEngine()); +					  				} -				 +								  				SingleLogOutBuilder.checkStatusCode(sloContainer, sloResp);  			} catch (SOAPException e) { @@ -228,7 +248,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {  						+ " FAILED.", e);  				sloContainer.putFailedOA(sloReq.getIssuer().getValue()); -			} catch (SecurityException e) { +			} catch (SecurityException | InvalidProtocolRequestException e) {  				Logger.warn("Single LogOut for OA " + sloReq.getIssuer().getValue()  						+ " FAILED.", e);  				sloContainer.putFailedOA(sloReq.getIssuer().getValue()); @@ -258,7 +278,10 @@ public class AuthenticationManager extends MOAIDAuthConstants {  				AssertionStorage.getInstance().put(relayState, sloContainer); -				String timeOutURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() +				if (MiscUtil.isEmpty(authURL)) +					authURL = pvpReq.getAuthURL(); +				 +				String timeOutURL = authURL  						+ "/idpSingleLogout"  						+ "?restart=" + relayState; @@ -381,7 +404,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {  			String form = SendAssertionFormBuilder.buildForm(target.requestedModule(),   					target.requestedAction(), target.getRequestID(), oaParam,  -					AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix()); +					target.getAuthURL());  			MOAReversionLogger.getInstance().logEvent(target.getOnlineApplicationConfiguration(),   					target, MOAIDEventConstants.AUTHPROCESS_SSO_ASK_USER_START); @@ -450,7 +473,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {  					authReq.setAssertionConsumerServiceIndex(0);  					authReq.setIssueInstant(new DateTime());  					Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);					 -					String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath(); +					String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath().get(0);  					issuer.setValue(serviceURL);  					issuer.setFormat(NameIDType.ENTITY); @@ -470,28 +493,27 @@ public class AuthenticationManager extends MOAIDAuthConstants {  							SAML2Utils.createSAMLObject(AuthnContextClassRef.class);  					//check if STORK protocol module is in ClassPath -					Object storkRequst = null; +					Class<?> storkRequstTemplate = null;  					Integer storkSecClass = null;  					try { -						storkRequst = Class.forName("at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest").newInstance(); -						if (storkRequst != null &&  -								target.getClass().isInstance(storkRequst)) { +						storkRequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest"); +						if (storkRequstTemplate != null &&  +								storkRequstTemplate.isInstance(target)) {  							Object storkAuthnRequest = target.getClass().getMethod("getStorkAuthnRequest", null).invoke(target, null);  							storkSecClass = (Integer) storkAuthnRequest.getClass().getMethod("getQaa", null).invoke(storkAuthnRequest, null);  						} -					} catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) { +					} catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) {  					} -					 -					 -					if (sp != null && sp.isSTORKPVPGateway()){ +										 +					if (sp != null && sp.isSTORKPVPGateway()) {  						//use PVP SecClass instead of STORK QAA level  						String secClass = null; -						if (storkRequst != null &&  -								target.getClass().isInstance(storkRequst)) { +						if (storkRequstTemplate != null &&  +								storkRequstTemplate.isInstance(target)) {  							try {									  								secClass = PVPtoSTORKMapper.getInstance().mapToSecClass( @@ -509,8 +531,8 @@ public class AuthenticationManager extends MOAIDAuthConstants {  							authnClassRef.setAuthnContextClassRef("http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3");  					} else { -						if (storkRequst != null &&  -								target.getClass().isInstance(storkRequst)) { +						if (storkRequstTemplate != null &&  +								storkRequstTemplate.isInstance(target)) {  							//use requested QAA level from STORK request  							try {  								authnClassRef.setAuthnContextClassRef( @@ -525,7 +547,8 @@ public class AuthenticationManager extends MOAIDAuthConstants {  						} -						if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef()))						 +						if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef())) +							//TODO: switch to eIDAS QAA-levels  							authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4");  					} @@ -692,7 +715,9 @@ public class AuthenticationManager extends MOAIDAuthConstants {  				//Build authentication form -				String publicURLPreFix = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); +				String publicURLPreFix = target.getAuthURL(); +				if (publicURLPreFix.endsWith("/")) +					publicURLPreFix = publicURLPreFix.substring(0, publicURLPreFix.length() - 1);  				String loginForm = LoginFormBuilder.buildLoginForm(target.requestedModule(),   						target.requestedAction(), oaParam, publicURLPreFix, moasession.getSessionID()); @@ -714,6 +739,17 @@ public class AuthenticationManager extends MOAIDAuthConstants {  				out.flush();   			}  		} catch (ProcessExecutionException e) { +			Throwable cause = e.getCause(); +			if (cause != null && cause instanceof TaskExecutionException) { +				Throwable taskCause = cause.getCause(); +				if (taskCause != null && taskCause instanceof MOAIDException) { +					MOAIDException moaTaskCause = (MOAIDException) taskCause; +					Logger.warn(taskCause); +					throw moaTaskCause; +					 +				}									 +			}  +						  			throw new MOAIDException("process.01", new Object[] { moasession.getProcessInstanceId(), moasession }, e);  		}  	} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java index 6f43b3ee7..4ae271bbc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java @@ -49,5 +49,13 @@ public interface IRequest {  	public List<Attribute> getRequestedAttributes();  	public IOAAuthParameters getOnlineApplicationConfiguration(); +	/** +	 * get the IDP URL PreFix, which was used for authentication request +	 *  +	 * @return IDP URL PreFix <String>. The URL prefix always ends without / +	 */ +	public String getAuthURL(); +	public String getAuthURLWithOutSlash(); +	  	//public void setTarget();  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index 26fb7bd29..cdaade1bb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -23,15 +23,24 @@  package at.gv.egovernment.moa.id.moduls;  import java.io.Serializable; +import java.net.MalformedURLException; +import java.net.URL;  import java.util.List; +import javax.servlet.http.HttpServletRequest; +  import org.opensaml.saml2.core.Attribute; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.id.util.HTTPUtils; +import at.gv.egovernment.moa.logging.Logger;  public abstract class RequestImpl implements IRequest, Serializable{ - +		  	private static final long serialVersionUID = 1L;  	private String oaURL; @@ -44,12 +53,79 @@ public abstract class RequestImpl implements IRequest, Serializable{  	private String requestID;  	private String sessionIdentifier;  	private IOAAuthParameters OAConfiguration = null; +	private String authURL = null;  	//MOA-ID interfederation  	private String requestedIDP = null;  	private MOAResponse response = null;  	/** +	 * @throws ConfigurationException  +	 *  +	 */ +	public RequestImpl(HttpServletRequest req) throws ConfigurationException { +		String authURLString = HTTPUtils.extractAuthURLFromRequest(req); +		URL authURL; +		try { +			authURL = new URL(authURLString); +			 +		} catch (MalformedURLException e) { +			Logger.error("IDP AuthenticationServiceURL Prefix is not a valid URL." + authURLString, e); +			throw new ConfigurationException("1299", null, e); +			 +		} +		 +		AuthConfiguration config = AuthConfigurationProviderFactory.getInstance();		 +		List<String> configuredPublicURLPrefix = config.getPublicURLPrefix(); +				 +		if (!config.isVirtualIDPsEnabled()) { +			Logger.trace("Virtual IDPs are disabled. Use default IDP PublicURLPrefix from configuration: " + configuredPublicURLPrefix.get(0)); +			this.authURL = configuredPublicURLPrefix.get(0);  +			 +		} else { +			Logger.debug("Extract AuthenticationServiceURL: " + authURLString); +			URL resultURL = null; +			 +			for (String el : configuredPublicURLPrefix) { +				try { +					URL configuredURL = new URL(el); + +					//get Ports from URL +					int configPort = configuredURL.getPort();					 +					if (configPort == -1) +						configPort = configuredURL.getDefaultPort(); +					 +					int authURLPort = authURL.getPort(); +					if (authURLPort == -1) +						authURLPort = authURL.getDefaultPort(); +					 +					//check AuthURL against ConfigurationURL +					if (configuredURL.getHost().equals(authURL.getHost()) && +							configPort == authURLPort && +							configuredURL.getPath().equals(authURL.getPath())) { +						Logger.debug("Select configurated PublicURLPrefix: " + configuredURL  +								+ " for authURL: " + authURLString); +						resultURL = configuredURL; +					} +					 +				} catch (MalformedURLException e) { +					Logger.error("Configurated IDP PublicURLPrefix is not a valid URL." + el); +					 +				}				 +			} +			 +			if (resultURL == null) { +				Logger.warn("Extract AuthenticationServiceURL: " + authURL + " is NOT found in configuration."); +				throw new ConfigurationException("config.25", new Object[]{authURLString}); +				 +			} else { +				this.authURL = resultURL.toExternalForm(); +				 +			}					 +		}				 +	} +	 +	/**  	 * This method map the protocol specific requested attributes to PVP 2.1 attributes.  	 *   	 * @return List of PVP 2.1 attributes with maps all protocol specific attributes @@ -169,4 +245,27 @@ public abstract class RequestImpl implements IRequest, Serializable{  		this.OAConfiguration = oaConfig;  	} + +	/** +	 * @return the authURL +	 */ +	public String getAuthURL() { +		return authURL; +	} +	 +	public String getAuthURLWithOutSlash() { +		if (authURL.endsWith("/")) +			return authURL.substring(0, authURL.length()-1); +		else +			return authURL; +		 +	} + +//	/** +//	 * @param authURL the authURL to set +//	 */ +//	public void setAuthURL(String authURL) { +//		this.authURL = authURL; +//	} +		  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index 9f8b6610f..9327cabd7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -102,10 +102,10 @@ public class AttributQueryAction implements IAction {  			List<String> attrList = addDefaultAttributes(attrQuery, authData);			  			//build PVP 2.1 assertion -			Assertion assertion = PVP2AssertionBuilder.buildAssertion(attrQuery, attrList, authData, date, authData.getSessionIndex()); +			Assertion assertion = PVP2AssertionBuilder.buildAssertion(req.getAuthURL(), attrQuery, attrList, authData, date, authData.getSessionIndex());  			//build PVP 2.1 response -			Response authResponse = AuthResponseBuilder.buildResponse(attrQuery, date, assertion); +			Response authResponse = AuthResponseBuilder.buildResponse(req.getAuthURL(), attrQuery, date, assertion);  			try {  				SoapBinding decoder = new SoapBinding();				 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index 1b187d82e..50f91df44 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -110,7 +110,7 @@ public class MetadataAction implements IAction {  			//		.setEntityID(PVPConfiguration.getInstance().getIDPSSOMetadataService());  			idpEntityDescriptor -			.setEntityID(PVPConfiguration.getInstance().getIDPPublicPath()); +			.setEntityID(req.getAuthURLWithOutSlash());  			idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_HOURS)); @@ -139,10 +139,10 @@ public class MetadataAction implements IAction {  			idpEntitiesDescriptor.setSignature(signature);  			//set IDP metadata -			idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(keyInfoGenerator)); +			idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(req, keyInfoGenerator));  			//set SP metadata for interfederation -			idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(keyInfoGenerator)); +			idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(req, keyInfoGenerator));  			DocumentBuilder builder;  			DocumentBuilderFactory factory = DocumentBuilderFactory @@ -190,7 +190,7 @@ public class MetadataAction implements IAction {  		return (PVP2XProtocol.METADATA);  	} -	private RoleDescriptor generateSPMetadata(KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException { +	private RoleDescriptor generateSPMetadata(IRequest req, KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException {  		Logger.debug("Set SP Metadata key information"); @@ -248,7 +248,7 @@ public class MetadataAction implements IAction {  		postassertionConsumerService.setIndex(0);  		postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);  		postassertionConsumerService.setLocation(PVPConfiguration -				.getInstance().getSPSSOPostService());	 +				.getInstance().getSPSSOPostService(req.getAuthURL()));	  		postassertionConsumerService.setIsDefault(true);  		spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService); @@ -257,7 +257,7 @@ public class MetadataAction implements IAction {  		redirectassertionConsumerService.setIndex(1);  		redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);  		redirectassertionConsumerService.setLocation(PVPConfiguration -				.getInstance().getSPSSORedirectService()); +				.getInstance().getSPSSORedirectService(req.getAuthURL()));  		spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService); @@ -273,7 +273,7 @@ public class MetadataAction implements IAction {  		SingleLogoutService redirectSLOService =   				SAML2Utils.createSAMLObject(SingleLogoutService.class);			  		redirectSLOService.setLocation(PVPConfiguration -				.getInstance().getSPSSORedirectService()); +				.getInstance().getSPSSORedirectService(req.getAuthURL()));  		redirectSLOService  				.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);  		spSSODescriptor.getSingleLogoutServices().add(redirectSLOService); @@ -293,7 +293,7 @@ public class MetadataAction implements IAction {  		return spSSODescriptor;  	} -	private IDPSSODescriptor generateIDPMetadata(KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException { +	private IDPSSODescriptor generateIDPMetadata(IRequest req, KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException {  //		//set SignatureMethode @@ -325,12 +325,12 @@ public class MetadataAction implements IAction {  		idpSSODescriptor.setWantAuthnRequestsSigned(true);			 -		if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) { +		if (PVPConfiguration.getInstance().getIDPSSOPostService(req.getAuthURL()) != null) {  			//add SSO descriptor  			SingleSignOnService postSingleSignOnService = SAML2Utils  					.createSAMLObject(SingleSignOnService.class);  			postSingleSignOnService.setLocation(PVPConfiguration -					.getInstance().getIDPSSOPostService()); +					.getInstance().getIDPSSOPostService(req.getAuthURL()));  			postSingleSignOnService  					.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);  			idpSSODescriptor.getSingleSignOnServices().add( @@ -347,12 +347,12 @@ public class MetadataAction implements IAction {  		} -		if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) { +		if (PVPConfiguration.getInstance().getIDPSSORedirectService(req.getAuthURL()) != null) {  			//add SSO descriptor  			SingleSignOnService redirectSingleSignOnService = SAML2Utils  					.createSAMLObject(SingleSignOnService.class);  			redirectSingleSignOnService.setLocation(PVPConfiguration -					.getInstance().getIDPSSORedirectService()); +					.getInstance().getIDPSSORedirectService(req.getAuthURL()));  			redirectSingleSignOnService  					.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);  			idpSSODescriptor.getSingleSignOnServices().add( @@ -362,7 +362,7 @@ public class MetadataAction implements IAction {  			SingleLogoutService redirectSLOService =   					SAML2Utils.createSAMLObject(SingleLogoutService.class);			  			redirectSLOService.setLocation(PVPConfiguration -					.getInstance().getIDPSSORedirectService()); +					.getInstance().getIDPSSORedirectService(req.getAuthURL()));  			redirectSLOService  					.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);  			idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 0c7502003..c0ec086ed 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x;  import java.io.IOException;  import java.util.ArrayList; +import java.util.Arrays;  import java.util.HashMap;  import java.util.Iterator;  import java.util.List; @@ -55,8 +56,6 @@ import org.opensaml.xml.io.MarshallingException;  import org.opensaml.xml.security.SecurityException;  import org.opensaml.xml.signature.SignableXMLObject; -import java.util.Arrays; -  import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;  import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;  import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils; @@ -76,12 +75,9 @@ import at.gv.egovernment.moa.id.moduls.RequestStorage;  import at.gv.egovernment.moa.id.moduls.SSOManager;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding;  import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; @@ -92,12 +88,16 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSuppor  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SLOException; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;  import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;  import at.gv.egovernment.moa.id.util.ErrorResponseUtils; +import at.gv.egovernment.moa.id.util.HTTPUtils;  import at.gv.egovernment.moa.id.util.ParamValidatorUtils;  import at.gv.egovernment.moa.id.util.VelocityLogAdapter;  import at.gv.egovernment.moa.logging.Logger; @@ -210,7 +210,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {  		if(METADATA.equals(action)) { -			return new PVPTargetConfiguration(); +			return new PVPTargetConfiguration(request);  		} @@ -231,7 +231,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {  				SAMLVerificationEngine engine = new SAMLVerificationEngine();  				engine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine());  				msg.setVerified(true); -				 +								  			}  			if (msg instanceof MOARequest &&  @@ -296,6 +296,8 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {  			}  		} catch (PVP2Exception e) { +			String samlRequest = request.getParameter("SAMLRequest");			 +			Logger.warn("Receive INVALID protocol request: " + samlRequest, e);  			throw e;  		} catch (SecurityPolicyException e) { @@ -387,7 +389,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {  		samlResponse.setIssueInstant(new DateTime());  		Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); -		nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); +		nissuer.setValue(pvpRequest.getAuthURLWithOutSlash());  		nissuer.setFormat(NameID.ENTITY);  		samlResponse.setIssuer(nissuer); @@ -460,7 +462,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {  			HttpServletResponse response, InboundMessage inMsg,  			String sessionId, String transactionId) throws MOAIDException { -		PVPTargetConfiguration config = new PVPTargetConfiguration(); +		PVPTargetConfiguration config = new PVPTargetConfiguration(request);  		MOARequest msg;  		if (inMsg instanceof MOARequest &&  @@ -496,13 +498,24 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {  			Logger.debug("PreProcess SLO Response from " + resp.getIssuer()); -			if (!resp.getDestination().startsWith( -					PVPConfiguration.getInstance().getIDPPublicPath())) { +			List<String> allowedPublicURLPrefix =  +					AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); +			boolean isAllowedDestination = false; +			 +			for (String prefix : allowedPublicURLPrefix) { +				if (!resp.getDestination().startsWith( +					prefix)) { +					isAllowedDestination = true; +					break; +				} +			} +						 +			if (!isAllowedDestination) {  				Logger.warn("PVP 2.1 single logout response destination does not match to IDP URL");  				throw new AssertionValidationExeption("PVP 2.1 single logout response destination does not match to IDP URL", null);  			} -						 +			  			//TODO: check if relayState exists  			inMsg.getRelayState(); @@ -533,7 +546,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {  		//validate destination  		String destinaten = attrQuery.getDestination(); -		if (!PVPConfiguration.getInstance().getIDPAttributeQueryService().equals(destinaten)) { +		if (!PVPConfiguration.getInstance().getIDPAttributeQueryService(HTTPUtils.extractAuthURLFromRequest(request)).equals(destinaten)) {  			Logger.warn("AttributeQuery destination does not match IDP AttributeQueryService URL");  			throw new AttributQueryException("AttributeQuery destination does not match IDP AttributeQueryService URL", null); @@ -558,7 +571,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {  		} -		PVPTargetConfiguration config = new PVPTargetConfiguration(); +		PVPTargetConfiguration config = new PVPTargetConfiguration(request);  		config.setRequest(moaRequest);  		config.setOAURL(moaRequest.getEntityID());  		config.setOnlineApplicationConfiguration(oa); @@ -586,7 +599,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {  		if(!(samlReq instanceof AuthnRequest)) {  			throw new MOAIDException("Unsupported request", new Object[] {});  		} -					 +				  		EntityDescriptor metadata = moaRequest.getEntityMetadata();  		if(metadata == null) {  			throw new NoMetadataInformationException(); @@ -607,14 +620,30 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {  		} +		  		//parse AssertionConsumerService  		AssertionConsumerService consumerService = null;  		if (MiscUtil.isNotEmpty(authnRequest.getAssertionConsumerServiceURL()) &&   				MiscUtil.isNotEmpty(authnRequest.getProtocolBinding())) { -			//use AssertionConsumerServiceURL from request  -			consumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class); -			consumerService.setBinding(authnRequest.getProtocolBinding()); -			consumerService.setLocation(authnRequest.getAssertionConsumerServiceURL()); +			//use AssertionConsumerServiceURL from request + +			//check requested AssertionConsumingService URL against metadata +			List<AssertionConsumerService> metadataAssertionServiceList = spSSODescriptor.getAssertionConsumerServices(); +			for (AssertionConsumerService service : metadataAssertionServiceList) { +				if (authnRequest.getProtocolBinding().equals(service.getBinding()) +						&& authnRequest.getAssertionConsumerServiceURL().equals(service.getLocation())) { +					consumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class); +					consumerService.setBinding(authnRequest.getProtocolBinding()); +					consumerService.setLocation(authnRequest.getAssertionConsumerServiceURL());					 +					Logger.debug("Requested AssertionConsumerServiceURL is valid."); +				}				 +			} +			 +			if (consumerService == null) {				 +				throw new InvalidAssertionConsumerServiceException(authnRequest.getAssertionConsumerServiceURL()); +				 +			} +  		} else {  			//use AssertionConsumerServiceIndex and select consumerService from metadata @@ -633,9 +662,10 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {  			if (consumerService == null) {			  				throw new InvalidAssertionConsumerServiceException(aIdx); -			} +			}			  		} +		  		//select AttributeConsumingService from request  		AttributeConsumingService attributeConsumer = null;		  		Integer aIdx = authnRequest.getAttributeConsumingServiceIndex(); @@ -669,7 +699,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {  		Logger.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + consumerService.getBinding());		 -		PVPTargetConfiguration config = new PVPTargetConfiguration();		 +		PVPTargetConfiguration config = new PVPTargetConfiguration(request);		  		config.setOAURL(oaURL);  		config.setOnlineApplicationConfiguration(oa);  		config.setBinding(consumerService.getBinding()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index 74b20356e..0b402a0fd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -26,6 +26,8 @@ import java.util.HashMap;  import java.util.List;  import java.util.Map; +import javax.servlet.http.HttpServletRequest; +  import org.opensaml.common.xml.SAMLConstants;  import org.opensaml.saml2.core.Attribute;  import org.opensaml.saml2.core.impl.AuthnRequestImpl; @@ -46,6 +48,16 @@ import at.gv.egovernment.moa.logging.Logger;  public class PVPTargetConfiguration extends RequestImpl { +	/** +	 * @param req +	 * @throws ConfigurationException +	 */ +	public PVPTargetConfiguration(HttpServletRequest req) +			throws ConfigurationException { +		super(req); +		 +	} +  	private static final long serialVersionUID = 4889919265919638188L;  	InboundMessage request; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java index b567798fa..582f5939d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java @@ -23,42 +23,20 @@  package at.gv.egovernment.moa.id.protocols.pvp2x;  import java.io.Serializable; -import java.io.StringWriter;  import java.io.UnsupportedEncodingException; -import java.security.NoSuchAlgorithmException; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Iterator;  import java.util.List; -import java.util.Map.Entry;  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse;  import org.apache.commons.lang.SerializationUtils; -import org.apache.velocity.Template; -import org.apache.velocity.VelocityContext; -import org.apache.velocity.app.VelocityEngine;  import org.hibernate.HibernateException;  import org.hibernate.Query;  import org.hibernate.Session;  import org.hibernate.Transaction; -import org.opensaml.common.SAMLObject; -import org.opensaml.common.binding.BasicSAMLMessageContext; -import org.opensaml.common.xml.SAMLConstants;  import org.opensaml.saml2.core.LogoutRequest;  import org.opensaml.saml2.core.LogoutResponse; -import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.Status; -import org.opensaml.saml2.core.StatusCode; -import org.opensaml.saml2.core.StatusResponseType;  import org.opensaml.saml2.metadata.SingleLogoutService; -import org.opensaml.saml2.metadata.impl.SingleLogoutServiceBuilder; -import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.ws.soap.common.SOAPException; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.x509.X509Credential;  import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;  import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; @@ -67,35 +45,22 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException;  import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet;  import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;  import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore; -import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; -import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;  import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.data.SLOInformationContainer; -import at.gv.egovernment.moa.id.data.SLOInformationImpl;  import at.gv.egovernment.moa.id.data.SLOInformationInterface;  import at.gv.egovernment.moa.id.moduls.AuthenticationManager;  import at.gv.egovernment.moa.id.moduls.IAction;  import at.gv.egovernment.moa.id.moduls.IRequest;  import at.gv.egovernment.moa.id.moduls.SSOManager; -import at.gv.egovernment.moa.id.opemsaml.MOAStringRedirectDeflateEncoder; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SLOException;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;  import at.gv.egovernment.moa.id.storage.AssertionStorage;  import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;  import at.gv.egovernment.moa.id.util.Random; -import at.gv.egovernment.moa.id.util.VelocityProvider;  import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MessageProvider;  import at.gv.egovernment.moa.util.MiscUtil;  import at.gv.egovernment.moa.util.URLEncoder; @@ -134,7 +99,7 @@ public class SingleLogOutAction implements IAction {  					SSOManager ssomanager =  SSOManager.getInstance();  					String ssoID = ssomanager.getSSOSessionID(httpReq);  					if (MiscUtil.isEmpty(ssoID)) { -						Logger.warn("Can not find active Session. Single LogOut not possible!"); +						Logger.info("Can not find active Session. Single LogOut not possible!");  						SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);  						//LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);  						LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, null); @@ -148,7 +113,7 @@ public class SingleLogOutAction implements IAction {  							session = AuthenticationSessionStoreage.getSession(moasession);  						} catch (MOADatabaseException e) { -							Logger.warn("Can not find active Session. Single LogOut not possible!"); +							Logger.info("Can not find active Session. Single LogOut not possible!");  							SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);  							//LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);  							LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, null); @@ -259,7 +224,7 @@ public class SingleLogOutAction implements IAction {  								} else {  									//print SLO information directly -									redirectURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + "/idpSingleLogout"; +									redirectURL = req.getAuthURL() + "/idpSingleLogout";  									String artifact = Random.nextRandom(); @@ -275,7 +240,7 @@ public class SingleLogOutAction implements IAction {  								}								  								//redirect to Redirect Servlet -								String url = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + "/RedirectServlet"; +								String url = req.getAuthURL() + "/RedirectServlet";  								url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(redirectURL, "UTF-8"));  								url = httpResp.encodeRedirectURL(url); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 5402e3dce..8a6b09376 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -32,27 +32,25 @@ import org.opensaml.common.xml.SAMLConstants;  import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;  import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;  import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.Response;  import org.opensaml.saml2.core.StatusResponseType;  import org.opensaml.saml2.metadata.IDPSSODescriptor;  import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.SingleLogoutService;  import org.opensaml.saml2.metadata.SingleSignOnService;  import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder;  import org.opensaml.ws.message.decoder.MessageDecodingException;  import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.ws.security.SecurityPolicyResolver; +import org.opensaml.ws.security.provider.BasicSecurityPolicy; +import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;  import org.opensaml.ws.transport.http.HttpServletRequestAdapter;  import org.opensaml.ws.transport.http.HttpServletResponseAdapter;  import org.opensaml.xml.parse.BasicParserPool;  import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.credential.Credential; -import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;  import org.opensaml.xml.security.x509.X509Credential;  import at.gv.egovernment.moa.id.config.ConfigurationException;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;  import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; @@ -60,6 +58,9 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;  import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOAPVPSignedRequestPolicyRule; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; +import at.gv.egovernment.moa.id.util.HTTPUtils;  import at.gv.egovernment.moa.id.util.VelocityProvider;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.MiscUtil; @@ -151,11 +152,11 @@ public class PostBinding implements IDecoder, IEncoder {  			//set metadata descriptor type  			if (isSPEndPoint) {  				messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); -				decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService())); +				decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService(HTTPUtils.extractAuthURLFromRequest(req))));  			} else {  				messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); -				decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); +				decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService(HTTPUtils.extractAuthURLFromRequest(req))));  			}  		} catch (ConfigurationException e) { @@ -163,7 +164,16 @@ public class PostBinding implements IDecoder, IEncoder {  		}  		messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); -				 +		 +		//set security policy context +		BasicSecurityPolicy policy = new BasicSecurityPolicy(); +		policy.getPolicyRules().add( +				new MOAPVPSignedRequestPolicyRule( +						TrustEngineFactory.getSignatureKnownKeysTrustEngine(), +						messageContext.getPeerEntityRole()));		 +		SecurityPolicyResolver secResolver = new StaticSecurityPolicyResolver(policy); +		messageContext.setSecurityPolicyResolver(secResolver); +		  		decode.decode(messageContext);  		InboundMessage msg = null;		 @@ -189,8 +199,9 @@ public class PostBinding implements IDecoder, IEncoder {  			if (MiscUtil.isEmpty(msg.getEntityID()))  				Logger.info("No Metadata found for OA with EntityID " + messageContext.getInboundMessageIssuer());  		} -		 -		msg.setVerified(false); +				 + +		msg.setVerified(true);  		msg.setRelayState(messageContext.getRelayState());  		return msg; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 81863f48f..0a459a9be 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -60,6 +60,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; +import at.gv.egovernment.moa.id.util.HTTPUtils;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.MiscUtil; @@ -141,11 +142,11 @@ public class RedirectBinding implements IDecoder, IEncoder {  			//set metadata descriptor type  			if (isSPEndPoint) {  				messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); -				decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService())); +				decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService(HTTPUtils.extractAuthURLFromRequest(req))));  			} else {  				messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); -				decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService())); +				decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService(HTTPUtils.extractAuthURLFromRequest(req))));  			}  		} catch (ConfigurationException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index a2583c706..2ef861e20 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -36,7 +36,6 @@ import org.opensaml.saml2.core.StatusResponseType;  import org.opensaml.saml2.metadata.SPSSODescriptor;  import org.opensaml.ws.message.decoder.MessageDecodingException;  import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.ws.soap.client.BasicSOAPMessageContext;  import org.opensaml.ws.soap.soap11.Envelope;  import org.opensaml.ws.soap.soap11.decoder.http.HTTPSOAP11Decoder;  import org.opensaml.ws.transport.http.HttpServletRequestAdapter; @@ -49,7 +48,6 @@ import org.opensaml.xml.signature.SignableXMLObject;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; @@ -70,9 +68,23 @@ public class SoapBinding implements IDecoder, IEncoder {  		messageContext  				.setInboundMessageTransport(new HttpServletRequestAdapter(  						req));		 -		//messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);  		messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); -				 + +		//TODO: update in a futher version:  +		//      requires a special SignedSOAPRequestPolicyRole because  +		//		messageContext.getInboundMessage() is not directly signed +		 +		//set security context +//		BasicSecurityPolicy policy = new BasicSecurityPolicy(); +//		policy.getPolicyRules().add( +//				new MOAPVPSignedRequestPolicyRule( +//						TrustEngineFactory.getSignatureKnownKeysTrustEngine(), +//						SPSSODescriptor.DEFAULT_ELEMENT_NAME));		 +//		SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( +//				policy);			 +//		messageContext.setSecurityPolicyResolver(resolver); +		 +		//decode message  		soapDecoder.decode(messageContext);  		Envelope inboundMessage = (Envelope) messageContext diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java index 91888df5c..ebbafd4e3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java @@ -127,7 +127,7 @@ public class AttributQueryBuilder {  			query.setIssueInstant(now);  			Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); -			nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); +			nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath().get(0));  			nissuer.setFormat(NameID.ENTITY);  			query.setIssuer(nissuer); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java index 4959df16c..24c2626e3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java @@ -66,13 +66,15 @@ import at.gv.egovernment.moa.logging.Logger;   */  public class AuthResponseBuilder { -	public static Response buildResponse(RequestAbstractType req, DateTime date, Assertion assertion) throws InvalidAssertionEncryptionException, ConfigurationException { +	public static Response buildResponse(String authURL, RequestAbstractType req, DateTime date, Assertion assertion) throws InvalidAssertionEncryptionException, ConfigurationException {  		Response authResponse = SAML2Utils.createSAMLObject(Response.class);  		Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);  		//change to entity value from entity name to IDP EntityID (URL) -		nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); +		if (authURL.endsWith("/")) +			authURL = authURL.substring(0, authURL.length()-1); +		nissuer.setValue(authURL);  		nissuer.setFormat(NameID.ENTITY);  		authResponse.setIssuer(nissuer);  		authResponse.setInResponseTo(req.getID()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index 50f42d928..dbbc21ec9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -27,8 +27,11 @@ import java.util.List;  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory;  import org.joda.time.DateTime; +import org.opensaml.Configuration;  import org.opensaml.common.SAMLObject;  import org.opensaml.common.binding.BasicSAMLMessageContext;  import org.opensaml.common.impl.SecureRandomIdentifierGenerator; @@ -43,15 +46,18 @@ import org.opensaml.saml2.core.StatusCode;  import org.opensaml.saml2.core.StatusMessage;  import org.opensaml.saml2.core.StatusResponseType;  import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.saml2.metadata.SPSSODescriptor;  import org.opensaml.saml2.metadata.SSODescriptor;  import org.opensaml.saml2.metadata.SingleLogoutService;  import org.opensaml.saml2.metadata.impl.SingleLogoutServiceBuilder;  import org.opensaml.saml2.metadata.provider.MetadataProviderException;  import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.xml.io.Marshaller;  import org.opensaml.xml.security.SecurityException;  import org.opensaml.xml.security.x509.X509Credential; +import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureConstants; +import org.opensaml.xml.signature.Signer; +import org.w3c.dom.Document;  import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;  import at.gv.egovernment.moa.id.auth.exception.MOAIDException; @@ -63,7 +69,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescriptorException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; @@ -215,8 +220,8 @@ public class SingleLogOutBuilder {  		}			  		DateTime now = new DateTime(); -		Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);		 -		issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); +		Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); +		issuer.setValue(sloInfo.getAuthURL());  		issuer.setFormat(NameID.ENTITY);  		sloReq.setIssuer(issuer);		  		sloReq.setIssueInstant(now); @@ -228,7 +233,35 @@ public class SingleLogOutBuilder {  		nameID.setFormat(sloInfo.getUserNameIDFormat());  		nameID.setValue(sloInfo.getUserNameIdentifier());  		sloReq.setNameID(nameID ); -				 + +		//sign message +		try { +			X509Credential idpSigningCredential = CredentialProvider.getIDPAssertionSigningCredential(); +		 +			Signature signer = SAML2Utils.createSAMLObject(Signature.class); +			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); +			signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); +			signer.setSigningCredential(idpSigningCredential); +			sloReq.setSignature(signer); + +			DocumentBuilder builder; +			DocumentBuilderFactory factory = DocumentBuilderFactory +					.newInstance(); + +			builder = factory.newDocumentBuilder(); +			Document document = builder.newDocument(); +			Marshaller out = Configuration.getMarshallerFactory() +					.getMarshaller(sloReq); +			out.marshall(sloReq, document); + +			Signer.signObject(signer); +		 +		} catch (Exception e) { +			Logger.error("Single LogOut request signing FAILED!", e); +			throw new MOAIDException("pvp2.19", null); +			 +		} +		  		return sloReq;		  	} @@ -277,7 +310,7 @@ public class SingleLogOutBuilder {  	private static LogoutResponse buildBasicResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException {  		LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class);		  		Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);		 -		issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); +		issuer.setValue(spRequest.getAuthURLWithOutSlash());  		issuer.setFormat(NameID.ENTITY);  		sloResp.setIssuer(issuer);		  		sloResp.setIssueInstant(new DateTime());		 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index d80ddba25..7c7941b68 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -90,7 +90,7 @@ import at.gv.egovernment.moa.util.MiscUtil;  public class PVP2AssertionBuilder implements PVPConstants { -	public static Assertion buildAssertion(AttributeQuery attrQuery, +	public static Assertion buildAssertion(String authURL, AttributeQuery attrQuery,  			List<String> reqAttributes, IAuthData authData, DateTime date, String sessionIndex) throws ConfigurationException { @@ -136,12 +136,12 @@ public class PVP2AssertionBuilder implements PVPConstants {  		SubjectConfirmationData subjectConfirmationData = null; -		return buildGenericAssertion(attrQuery.getIssuer().getValue(), date,  +		return buildGenericAssertion(authURL, attrQuery.getIssuer().getValue(), date,   				authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex,  				new DateTime(authData.getSsoSessionValidTo().getTime()));  	} -	public static Assertion buildAssertion(AuthnRequest authnRequest, +	public static Assertion buildAssertion(String authURL, AuthnRequest authnRequest,  			IAuthData authData, EntityDescriptor peerEntity, DateTime date,   			AssertionConsumerService assertionConsumerService, SLOInformationImpl sloInformation)  			throws MOAIDException { @@ -416,10 +416,25 @@ public class PVP2AssertionBuilder implements PVPConstants {  		sloInformation.setNameIDFormat(subjectNameID.getFormat());  		sloInformation.setSessionIndex(sessionIndex); -		return buildGenericAssertion(peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter()); +		return buildGenericAssertion(authURL, peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter());  	} -	public static Assertion buildGenericAssertion(String entityID, DateTime date,  +	/** +	 *  +	 * @param authURL IDP PublicURL PreFix +	 * @param entityID Service Provider EntityID +	 * @param date  +	 * @param authnContextClassRef +	 * @param attrList +	 * @param subjectNameID +	 * @param subjectConfirmationData +	 * @param sessionIndex +	 * @param isValidTo +	 * @return +	 * @throws ConfigurationException +	 */ +	 +	public static Assertion buildGenericAssertion(String authURL, String entityID, DateTime date,   			AuthnContextClassRef authnContextClassRef, List<Attribute> attrList,   			NameID subjectNameID, SubjectConfirmationData subjectConfirmationData,   			String sessionIndex, DateTime isValidTo) throws ConfigurationException { @@ -471,7 +486,9 @@ public class PVP2AssertionBuilder implements PVPConstants {  		Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); -		issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); +		if (authURL.endsWith("/")) +			authURL = authURL.substring(0, authURL.length()-1); +		issuer.setValue(authURL);  		issuer.setFormat(NameID.ENTITY);  		assertion.setIssuer(issuer); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index dc3b787e4..47d7a29b3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -121,43 +121,46 @@ public class PVPConfiguration {  		}  	} -	public String getIDPPublicPath() throws ConfigurationException { -		String publicPath = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); -		if(publicPath != null) { -			if(publicPath.endsWith("/")) { -				int length = publicPath.length(); -				publicPath = publicPath.substring(0, length-1); -			} +	public List<String> getIDPPublicPath() throws ConfigurationException { +		List<String> publicPath = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); +		List<String> returnvalue = new ArrayList<String>(); +		for (String el : publicPath) { +			if(el.endsWith("/")) { +				int length = el.length(); +				returnvalue.add(el.substring(0, length-1)); +				 +			} else +				returnvalue.add(el);  		} -		return publicPath; +		return returnvalue;  	} -	public String getSPSSOPostService() throws ConfigurationException { -		return getIDPPublicPath() + PVP2_SP_POST; +	public String getSPSSOPostService(String publicURLPrefix) throws ConfigurationException { +		return publicURLPrefix + PVP2_SP_POST;  	} -	public String getSPSSORedirectService() throws ConfigurationException { -		return getIDPPublicPath() + PVP2_SP_REDIRECT; +	public String getSPSSORedirectService(String publicURLPrefix) throws ConfigurationException { +		return publicURLPrefix + PVP2_SP_REDIRECT;  	} -	public String getIDPSSOPostService() throws ConfigurationException { -		return getIDPPublicPath() + PVP2_IDP_POST; +	public String getIDPSSOPostService(String publicURLPrefix) throws ConfigurationException { +		return publicURLPrefix + PVP2_IDP_POST;  	} -	public String getIDPSSORedirectService() throws ConfigurationException { -		return getIDPPublicPath() + PVP2_IDP_REDIRECT; +	public String getIDPSSORedirectService(String publicURLPrefix) throws ConfigurationException { +		return publicURLPrefix + PVP2_IDP_REDIRECT;  	} -	public String getIDPSSOSOAPService() throws ConfigurationException { -		return getIDPPublicPath() + PVP2_IDP_SOAP; +	public String getIDPSSOSOAPService(String publicURLPrefix) throws ConfigurationException { +		return publicURLPrefix + PVP2_IDP_SOAP;  	} -	public String getIDPAttributeQueryService() throws ConfigurationException { -		return getIDPPublicPath() + PVP2_IDP_ATTRIBUTEQUERY; +	public String getIDPAttributeQueryService(String publicURLPrefix) throws ConfigurationException { +		return publicURLPrefix + PVP2_IDP_ATTRIBUTEQUERY;  	} -	public String getIDPSSOMetadataService() throws ConfigurationException { -		return getIDPPublicPath() + PVP2_METADATA; +	public String getIDPSSOMetadataService(String publicURLPrefix) throws ConfigurationException { +		return publicURLPrefix + PVP2_METADATA;  	}  	public String getIDPKeyStoreFilename() { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java index 94a4e8226..392569366 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java @@ -34,6 +34,15 @@ public class InvalidAssertionConsumerServiceException extends PVP2Exception {  	/**  	 *   	 */ +	public InvalidAssertionConsumerServiceException(String wrongURL) { +		super("pvp2.23", new Object[]{wrongURL}); +		this.statusCodeValue = StatusCode.REQUESTER_URI; +		 +	} + +	/** +	 *  +	 */  	private static final long serialVersionUID = 7861790149343943091L;  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index a31258784..059e68865 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -82,10 +82,10 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {  		SLOInformationImpl sloInformation = new SLOInformationImpl();  		//build Assertion -		Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authData,  +		Assertion assertion = PVP2AssertionBuilder.buildAssertion(obj.getAuthURL(), authnRequest, authData,   				peerEntity, date, consumerService, sloInformation); -		Response authResponse = AuthResponseBuilder.buildResponse(authnRequest, date, assertion); +		Response authResponse = AuthResponseBuilder.buildResponse(obj.getAuthURL(), authnRequest, date, assertion);  		IEncoder binding = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java index fe287a433..d76e6c2f1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java @@ -59,6 +59,12 @@ public class CredentialProvider {  							.getIDPKeyPasswordMetadata().toCharArray());  			credentials.setUsageType(UsageType.SIGNING); +			if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { +				Logger.error("IDP Metadata Signing credentials is not found or contains no PrivateKey."); +				throw new CredentialsNotAvailableException("IDP Assertion Signing credentials (Alias: " +						+ config.getIDPKeyAliasMetadata() + ") is not found or contains no PrivateKey.", null); +				 +			}  			return credentials;  		} catch (Exception e) {  			Logger.error("Failed to generate IDP Metadata Signing credentials"); @@ -80,6 +86,13 @@ public class CredentialProvider {  							.getIDPKeyPasswordAssertionSign().toCharArray());  			credentials.setUsageType(UsageType.SIGNING); +			if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { +				Logger.error("IDP Assertion Signing credentials is not found or contains no PrivateKey."); +				throw new CredentialsNotAvailableException("IDP Assertion Signing credentials (Alias: " +						+ config.getIDPKeyAliasAssertionSign() + ") is not found or contains no PrivateKey.", null); +				 +			} +			  			return (X509Credential) credentials;  		} catch (Exception e) {  			Logger.error("Failed to generate IDP Assertion Signing credentials"); @@ -105,6 +118,14 @@ public class CredentialProvider {  							.getIDPKeyPasswordAssertionEncryption().toCharArray());  			credentials.setUsageType(UsageType.ENCRYPTION); +			 +			if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { +				Logger.error("IDP Assertion Encryption credentials is not found or contains no PrivateKey."); +				throw new CredentialsNotAvailableException("IDP Assertion Encryption credentials (Alias: " +						+ config.getIDPKeyAliasAssertionEncryption() + ") is not found or contains no PrivateKey.", null); +				 +			} +			  			return (X509Credential) credentials;  		} catch (Exception e) {  			Logger.error("Failed to generate IDP Assertion Encryption credentials"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java index 4d12c38da..75ef7e5a1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java @@ -57,6 +57,15 @@ public class MOASAMLSOAPClient {  		BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext();  		soapContext.setOutboundMessage(soapRequest); + +		//set security policy context +//		BasicSecurityPolicy policy = new BasicSecurityPolicy(); +//		policy.getPolicyRules().add( +//				new MOAPVPSignedRequestPolicyRule( +//						TrustEngineFactory.getSignatureKnownKeysTrustEngine(), +//						SPSSODescriptor.DEFAULT_ELEMENT_NAME));		 +//		SecurityPolicyResolver secResolver = new StaticSecurityPolicyResolver(policy); +//		soapContext.setSecurityPolicyResolver(secResolver);  		HttpClientBuilder clientBuilder = new HttpClientBuilder();  		if (destination.startsWith("https")) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java new file mode 100644 index 000000000..f62410656 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java @@ -0,0 +1,187 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.validation; + +import javax.xml.namespace.QName; +import javax.xml.transform.dom.DOMSource; +import javax.xml.validation.Schema; +import javax.xml.validation.Validator; + +import org.opensaml.common.SignableSAMLObject; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.common.xml.SAMLSchemaBuilder; +import org.opensaml.security.MetadataCriteria; +import org.opensaml.security.SAMLSignatureProfileValidator; +import org.opensaml.ws.message.MessageContext; +import org.opensaml.ws.security.SecurityPolicyException; +import org.opensaml.ws.security.SecurityPolicyRule; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.security.CriteriaSet; +import org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.security.criteria.EntityIDCriteria; +import org.opensaml.xml.security.criteria.UsageCriteria; +import org.opensaml.xml.signature.SignatureTrustEngine; +import org.opensaml.xml.validation.ValidationException; +import org.w3c.dom.Element; +import org.xml.sax.SAXException; + +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public abstract class AbstractRequestSignedSecurityPolicyRule implements SecurityPolicyRule { + +	private SignatureTrustEngine trustEngine = null; +	private QName peerEntityRole = null; +	/** +	 * @param peerEntityRole  +	 *  +	 */ +	public AbstractRequestSignedSecurityPolicyRule(SignatureTrustEngine trustEngine, QName peerEntityRole) { +		this.trustEngine = trustEngine; +		this.peerEntityRole = peerEntityRole; +		 +	} +	 +	 +	/** +	 * Reload the PVP metadata for a given entity +	 *  +	 * @param entityID for which the metadata should be refreshed. +	 * @return true if the refresh was successful, otherwise false +	 */ +	protected abstract boolean refreshMetadataProvider(String entityID); +	 +	 +	protected abstract SignableSAMLObject getSignedSAMLObject(XMLObject inboundData); +	 +	/* (non-Javadoc) +	 * @see org.opensaml.ws.security.SecurityPolicyRule#evaluate(org.opensaml.ws.message.MessageContext) +	 */ +	@Override +	public void evaluate(MessageContext context) throws SecurityPolicyException { +		try { +			verifySignature(context); +			 +		} catch (SecurityPolicyException e) { +			if (MiscUtil.isEmpty(context.getInboundMessageIssuer())) { +				throw e; +			 +			}			 +			Logger.debug("PVP2X message validation FAILED. Reload metadata for entityID: " + context.getInboundMessageIssuer()); +			if (!refreshMetadataProvider(context.getInboundMessageIssuer())) +				throw e; +			 +			else { +				Logger.trace("PVP2X metadata reload finished. Check validate message again.");					 +				verifySignature(context); +										 +			} +			Logger.trace("Second PVP2X message validation finished"); +			 +		} + +		 +	} + +	private void verifySignature(MessageContext context) throws SecurityPolicyException { +		SignableSAMLObject samlObj = getSignedSAMLObject(context.getInboundMessage());			 +		if (samlObj != null && samlObj.getSignature() != null) { +						 +			SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); +			try { +				profileValidator.validate(samlObj.getSignature());		     +				performSchemaValidation(samlObj.getDOM()); +		     +			} catch (ValidationException e) { +				Logger.warn("Signature is not conform to SAML signature profile", e); +				throw new SecurityPolicyException("Signature is not conform to SAML signature profile"); +		     +			} catch (SchemaValidationException e) { +				Logger.warn("Signature is not conform to SAML signature profile", e); +				throw new SecurityPolicyException("Signature is not conform to SAML signature profile"); +			 +			} +			 +			 +			 +			CriteriaSet criteriaSet = new CriteriaSet(); +			criteriaSet.add( new EntityIDCriteria(context.getInboundMessageIssuer()) ); +			criteriaSet.add( new MetadataCriteria(peerEntityRole, SAMLConstants.SAML20P_NS) ); +			criteriaSet.add( new UsageCriteria(UsageType.SIGNING) ); +						 +			try { +				if (!trustEngine.validate(samlObj.getSignature(), criteriaSet)) { +					throw new SecurityPolicyException("Signature validation FAILED."); +					 +				} +				Logger.debug("PVP AuthnRequest signature valid."); +				 +			} catch (org.opensaml.xml.security.SecurityException e) { +				Logger.info("PVP2x message signature validation FAILED. Message:" + e.getMessage()); +				throw new SecurityPolicyException("Signature validation FAILED."); +				 +			} +			 +		} else { +			throw new SecurityPolicyException("Request is not signed."); +			 +		} +				 +	} +	 +	private void performSchemaValidation(Element source) throws SchemaValidationException { +			 +		String err = null; +		try { +			Schema test = SAMLSchemaBuilder.getSAML11Schema(); +			Validator val = test.newValidator();		 +			val.validate(new DOMSource(source)); +			Logger.debug("Schema validation check done OK"); +			return; +			 +		} catch (SAXException e) { +			err = e.getMessage(); +			if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) +				Logger.warn("Schema validation FAILED with exception:", e); +			else +				Logger.warn("Schema validation FAILED with message: "+ e.getMessage()); +							 +		} catch (Exception e) { +			err = e.getMessage(); +			if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) +				Logger.warn("Schema validation FAILED with exception:", e); +			else +				Logger.warn("Schema validation FAILED with message: "+ e.getMessage()); +						 +		} +			 +		throw new SchemaValidationException("pvp2.22", new Object[]{err}); +			 +	} + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOAPVPSignedRequestPolicyRule.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOAPVPSignedRequestPolicyRule.java new file mode 100644 index 000000000..932f3b818 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOAPVPSignedRequestPolicyRule.java @@ -0,0 +1,70 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.validation; + +import javax.xml.namespace.QName; + +import org.opensaml.common.SignableSAMLObject; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.signature.SignatureTrustEngine; + +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; + +/** + * @author tlenz + * + */ +public class MOAPVPSignedRequestPolicyRule extends +		AbstractRequestSignedSecurityPolicyRule { + +	/** +	 * @param trustEngine +	 * @param peerEntityRole +	 */ +	public MOAPVPSignedRequestPolicyRule(SignatureTrustEngine trustEngine, +			QName peerEntityRole) { +		super(trustEngine, peerEntityRole); +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.validation.AbstractRequestSignedSecurityPolicyRule#refreshMetadataProvider(java.lang.String) +	 */ +	@Override +	protected boolean refreshMetadataProvider(String entityID) { +		return MOAMetadataProvider.getInstance().refreshMetadataProvider(entityID); +		 +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.validation.AbstractRequestSignedSecurityPolicyRule#getSignedSAMLObject(org.opensaml.xml.XMLObject) +	 */ +	@Override +	protected SignableSAMLObject getSignedSAMLObject(XMLObject inboundData) { +		if (inboundData instanceof SignableSAMLObject) +			return (SignableSAMLObject) inboundData; +		 +		else +			return null; +	} + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index 70b778c49..812e27a36 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification;  import java.util.ArrayList;  import java.util.List; +import javax.xml.namespace.QName;  import javax.xml.transform.dom.DOMSource;  import javax.xml.validation.Schema;  import javax.xml.validation.Validator; @@ -61,7 +62,7 @@ import org.xml.sax.SAXException;  import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;  import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; @@ -74,7 +75,6 @@ import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.MiscUtil;  public class SAMLVerificationEngine { -  	public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {  		try {		 @@ -83,7 +83,7 @@ public class SAMLVerificationEngine {  				verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine);  			else -				verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine); +				verifyIDPResponse(((MOAResponse)msg).getResponse(), sigTrustEngine);  		} catch (InvalidProtocolRequestException e) {  			if (MiscUtil.isEmpty(msg.getEntityID())) { @@ -102,15 +102,24 @@ public class SAMLVerificationEngine {  					verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine);  				else -					verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine); +					verifyIDPResponse(((MOAResponse)msg).getResponse(), sigTrustEngine);  			}  			Logger.trace("Second PVP2X message validation finished");  		}		  	} +	public void verifyIDPResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine) throws InvalidProtocolRequestException{ +		verifyResponse(samlObj, sigTrustEngine, IDPSSODescriptor.DEFAULT_ELEMENT_NAME); +		 +	} -	public void verifyResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine ) throws InvalidProtocolRequestException{ +	public void verifySLOResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine ) throws InvalidProtocolRequestException { +		verifyResponse(samlObj, sigTrustEngine, SPSSODescriptor.DEFAULT_ELEMENT_NAME); +		 +	} +	 +	private void verifyResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine, QName defaultElementName)  throws InvalidProtocolRequestException{  		SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();  		try {  		    profileValidator.validate(samlObj.getSignature()); @@ -127,7 +136,7 @@ public class SAMLVerificationEngine {  		CriteriaSet criteriaSet = new CriteriaSet();  		criteriaSet.add( new EntityIDCriteria(samlObj.getIssuer().getValue()) ); -		criteriaSet.add( new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) ); +		criteriaSet.add( new MetadataCriteria(defaultElementName, SAMLConstants.SAML20P_NS) );  		criteriaSet.add( new UsageCriteria(UsageType.SIGNING) );  		try { @@ -175,10 +184,20 @@ public class SAMLVerificationEngine {  			if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {  				List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>(); -				if (validateDestination && !samlResp.getDestination().startsWith( -						PVPConfiguration.getInstance().getIDPPublicPath())) { +				List<String> allowedPublicURLPrefix =  +						AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); +				boolean isValidDestination = false; +				for (String allowedPreFix : allowedPublicURLPrefix) { +					if (validateDestination && samlResp.getDestination().startsWith( +							allowedPreFix)) { +							isValidDestination = true; +							break; +					 +					} +				} +				if (!isValidDestination) {  					Logger.warn("PVP 2.1 assertion destination does not match to IDP URL"); -					throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null); +					throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);					  				} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java index 704adc80d..3b97f3b08 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java @@ -145,22 +145,22 @@ public class AssertionStorage {  			query.setTimestamp("timeout", expioredate);		  			results = query.list();  			session.getTransaction().commit(); -		} -		 -		if (results.size() != 0) { -			for(AssertionStore result : results) { -				try {  -					cleanDelete(result); -					Logger.info("Remove stored information with ID: " + result.getArtifact()  -							+ " after timeout."); -				} catch (HibernateException e){ -					Logger.warn("Sessioninformation with ID=" + result.getArtifact()  -							+ " not removed after timeout! (Error during Database communication)", e); -				} - -			}	 -		}	 +			if (results.size() != 0) { +				for(AssertionStore result : results) { +					try {  +						cleanDelete(result); +						Logger.info("Remove stored information with ID: " + result.getArtifact()  +								+ " after timeout."); +					 +					} catch (HibernateException e){ +						Logger.warn("Sessioninformation with ID=" + result.getArtifact()  +								+ " not removed after timeout! (Error during Database communication)", e); +					} +	 +				}	 +			} +		}  	}  	public void remove(String artifact) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 829383cb4..9dee39fe8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -377,7 +377,7 @@ public class AuthenticationSessionStoreage {  	}  	public static void addSSOInformation(String moaSessionID, String SSOSessionID,  -			SLOInformationInterface SLOInfo, String OAUrl) throws AuthenticationException { +			SLOInformationInterface SLOInfo, IRequest protocolRequest) throws AuthenticationException {  		AuthenticatedSessionStore dbsession;  		Transaction tx =  null; @@ -412,7 +412,7 @@ public class AuthenticationSessionStoreage {  				  //check if OA already has an active OA session  				  if (dbsession.getActiveOAsessions() != null) {  					for (OASessionStore el : dbsession.getActiveOAsessions()) { -						if (el.getOaurlprefix().equals(OAUrl)) +						if (el.getOaurlprefix().equals(protocolRequest.getOAURL()))  							activeOA = el;						  					}										   				  } @@ -421,7 +421,7 @@ public class AuthenticationSessionStoreage {  					  activeOA = new OASessionStore();  				  //set active OA applications -				  activeOA.setOaurlprefix(OAUrl); +				  activeOA.setOaurlprefix(protocolRequest.getOAURL());  				  activeOA.setMoasession(dbsession);  				  activeOA.setCreated(new Date()); @@ -432,6 +432,7 @@ public class AuthenticationSessionStoreage {  					  activeOA.setUserNameIDFormat(SLOInfo.getUserNameIDFormat());  					  activeOA.setProtocolType(SLOInfo.getProtocolType());  					  activeOA.setAttributeQueryUsed(false); +					  activeOA.setAuthURL(protocolRequest.getAuthURL());  				  } @@ -463,10 +464,10 @@ public class AuthenticationSessionStoreage {  					tx.commit();  					if (SLOInfo != null) -						Logger.info("Add SSO-Session login information for OA: " + OAUrl  +						Logger.info("Add SSO-Session login information for OA: " + protocolRequest.getOAURL()   								+ " and AssertionID: " + SLOInfo.getSessionIndex());  					else -						Logger.info("Add SSO-Session login information for OA: " + OAUrl); +						Logger.info("Add SSO-Session login information for OA: " + protocolRequest.getOAURL());  			} @@ -693,19 +694,20 @@ public class AuthenticationSessionStoreage {  				  //send transaction  				  tx.commit(); +			  			   +				  Logger.trace("Found entries: " + result.size()); +				   +				  //Assertion requires an unique artifact +				  if (result.size() != 1) { +					 Logger.trace("No entries found."); +					 return false; +							  +				  } else { +					  cleanDelete(result.get(0)); +					  return true; +				  }  			  } -			  Logger.trace("Found entries: " + result.size()); -			   -			  //Assertion requires an unique artifact -			  if (result.size() != 1) { -				 Logger.trace("No entries found."); -				 return false; -						  -			  } else { -				  cleanDelete(result.get(0)); -				  return true; -			  }  		  } catch (Exception e) {  				if (tx != null && !tx.wasCommitted())  					tx.rollback(); @@ -886,6 +888,7 @@ public class AuthenticationSessionStoreage {  			idp = new InterfederationSessionStore();  			idp.setCreated(now);  			idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID()); +			idp.setAuthURL(req.getAuthURL());  			try {  				OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance(). @@ -1024,21 +1027,22 @@ public class AuthenticationSessionStoreage {  				query.setTimestamp("timeoutupdate", expioredateupdate);  				results = query.list();  				tx.commit(); -			} -			 -			if (results.size() != 0) { -				for(AuthenticatedSessionStore result : results) { -					try {  -						cleanDelete(result); -						Logger.info("Authenticated session with sessionID=" + result.getSessionid()  -								+ " after session timeout."); -					} catch (HibernateException e){ -						Logger.warn("Authenticated session with sessionID=" + result.getSessionid()  -								+ " not removed after timeout! (Error during Database communication)", e); -					} -				}	 +				if (results.size() != 0) { +					for(AuthenticatedSessionStore result : results) { +						try {  +							cleanDelete(result); +							Logger.info("Authenticated session with sessionID=" + result.getSessionid()  +									+ " after session timeout."); +						 +						} catch (HibernateException e){ +							Logger.warn("Authenticated session with sessionID=" + result.getSessionid()  +									+ " not removed after timeout! (Error during Database communication)", e); +						} +					}	 +				}  			} +			  		} catch (Exception e) {  			if (tx != null && !tx.wasCommitted())  				tx.rollback(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBExceptionStoreImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBExceptionStoreImpl.java index 054ad1014..4cddd141b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBExceptionStoreImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBExceptionStoreImpl.java @@ -126,22 +126,22 @@ public class DBExceptionStoreImpl implements IExceptionStore {  			query.setTimestamp("timeout", expioredate);		  			results = query.list();  			session.getTransaction().commit(); -		} -		 -		if (results.size() != 0) { -			for(ExceptionStore result : results) { -				try {  -					MOASessionDBUtils.delete(result); -					Logger.info("Remove Exception with ID=" + result.getExid()  -							+ " after timeout."); -				} catch (HibernateException e){ -					Logger.warn("Exception with ID=" + result.getExid()  -							+ " not removed after timeout! (Error during Database communication)", e); -				} - -			}	 -		}	 +			if (results.size() != 0) { +				for(ExceptionStore result : results) { +					try {  +						MOASessionDBUtils.delete(result); +						Logger.info("Remove Exception with ID=" + result.getExid()  +								+ " after timeout."); +					 +					} catch (HibernateException e){ +						Logger.warn("Exception with ID=" + result.getExid()  +								+ " not removed after timeout! (Error during Database communication)", e); +					} +	 +				}	 +			} +		}  	}  	@SuppressWarnings("rawtypes") diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java index 1f08d9019..2aceb833c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java @@ -156,5 +156,21 @@ public class HTTPUtils {  	    return buffer.toString();   	} +	 +	/** +	 * Extract the IDP PublicURLPrefix from authrequest +	 *  +	 * @param req HttpServletRequest +	 * @return PublicURLPrefix <String> which ends always without / +	 */ +	public static String extractAuthURLFromRequest(HttpServletRequest req) { +	    String authURL = req.getScheme() + "://" + req.getServerName(); +	    if ((req.getScheme().equalsIgnoreCase("https") && req.getServerPort()!=443) || (req.getScheme().equalsIgnoreCase("http") && req.getServerPort()!=80)) {  +	      authURL = authURL.concat(":" + req.getServerPort()); +	    } +	    authURL = authURL.concat(req.getContextPath()); +	    return authURL; +		 +	}  } diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index ac5a5be60..cabf1557e 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -79,6 +79,7 @@ config.21=F\u00FCr diese Online Applikation sind keine Vollmachtsprofile hinterl  config.22=F\u00FCr den Interfederation-Gateway mit der ID {0} ist kein Endpunkt zur Weiterleitung konfiguriert.
  config.23=Fehler beim initialisieren von OpenSAML
  config.24=MOA-ID-Auth Configfile {1} does not start with {0} prefix.
 +config.25=Der verwendete IDP PublicURLPrefix {0} ist nicht erlaubt. 
  parser.00=Leichter Fehler beim Parsen: {0}
  parser.01=Fehler beim Parsen: {0}
 @@ -265,6 +266,7 @@ pvp2.19=Der Single LogOut Vorgang musste wegen eines unkorregierbaren Fehler abg  pvp2.20=F\u00FCr die im Request angegebene EntityID konnten keine g\u00FCltigen Metadaten gefunden werden.
  pvp2.21=Die Signature des Requests konnte nicht g\u00FCltig validiert werden.  
  pvp2.22=Der Request konnte nicht g\u00FCltig validiert werden (Fehler\={0}).
 +pvp2.23={0} ist keine gueltige AssertionConsumerServiceURL oder entspricht nicht den Metadaten.
  oauth20.01=Fehlerhafte redirect url
  oauth20.02=Fehlender oder ung\u00FCltiger Parameter "{0}"
 diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index fa332f0c7..abd5d15f3 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -58,6 +58,7 @@ config.21=9006  config.22=9008  config.23=9199  config.24=9199 +config.25=9199  parser.00=1101  parser.01=1101 @@ -180,7 +181,11 @@ stork.21=1205  pvp2.01=6100  pvp2.06=6100 +pvp2.10=6100 +pvp2.11=6100 +pvp2.12=6100  pvp2.13=9199 +pvp2.15=6105  pvp2.16=6101  pvp2.17=6102   pvp2.20=6103 diff --git a/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html b/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html index 123a23837..2b0115d4a 100644 --- a/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html +++ b/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html @@ -405,7 +405,7 @@         	#bkulogin {	            min-width: 190px; -          min-height: 155px;	 +          min-height: 170px;	  			 }  			 .setAssertionButton_full { @@ -616,6 +616,12 @@  			    top: 40px;  			} +       +      #ssoSessionTransferBlock { +        font-size: 0.8em; +        margin-left: 5px; +        margin-bottom: 5px; +      }      </style>         <!-- MOA-ID 2.x BKUSelection JavaScript fucnctions--> @@ -740,7 +746,7 @@  			}  		}  		function onChangeChecks() { -      if (top.innerWidth < 650) { +      if (self.innerWidth < 650) {           document.getElementById("moaidform").setAttribute("target","_parent");        } else {           document.getElementById("moaidform").removeAttribute("target"); @@ -834,7 +840,7 @@  						<h2 id="tabheader" class="dunkel" role="heading">#HEADER_TEXT#</h2>  					</div>  					<div id="bkulogin" class="hell" role="form"> -						<div id="mandateLogin" style=""> +						<div id="mandateLogin" style="#MANDATEVISIBLE#">  							<div>  								<input tabindex="1" type="checkbox" name="Mandate"  									id="mandateCheckBox" class="verticalcenter" role="checkbox" @@ -867,19 +873,20 @@  								<input type="hidden" name="bkuURI" value="#LOCAL#"> <input  									type="hidden" name="useMandate" id="useMandate"> <input  									type="hidden" name="SSO" id="useSSO"> <input -									type="hidden" name="CCC" id="ccc"> <input type="hidden" +									type="hidden" name="ccc" id="ccc"> <input type="hidden"  									name="MODUL" value="#MODUL#"> <input type="hidden"  									name="ACTION" value="#ACTION#"> <input type="hidden"  									name="MOASessionID" value="#SESSIONID#">                     <input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4" -									role="button" onclick="setMandateSelection();" -                  > -								<!--p> -                    <small>Alternativ können Sie eine lokal installierte BKU verwenden.</small>								                                   -                  </p-->								                                   -                </form>								                                                           +									role="button" onclick="setMandateSelection();"> +                </form>                </div> +              <!-- Single Sign-On Session transfer functionality --> +              <!--div id="ssoSessionTransferBlock"> +                <a href="#AUTH_URL#?MOASessionID=#SESSIONID#&restoreSSOSession=true">>Restore SSO Session from Smartphone</a> +              </div--> +                              <div id="stork" align="center" style="#STORKVISIBLE#">                  <h2 id="tabheader" class="dunkel">Home Country Selection</h2>                  <p> @@ -900,7 +907,7 @@  				</div>  			</div>  		</div> -		<div id="validation"> +		<!--div id="validation">  			<a href="http://validator.w3.org/check?uri="> <img  				style="border: 0; width: 88px; height: 31px"  				src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" /> @@ -909,7 +916,7 @@  				src="http://jigsaw.w3.org/css-validator/images/vcss-blue"  				alt="CSS ist valide!" />  			</a> -		</div> +		</div-->  	</div>  </body>  </html> diff --git a/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html b/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html index 033a574b9..07d018a94 100644 --- a/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html +++ b/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html @@ -1,554 +1,617 @@ -<!DOCTYPE html> +<!DOCTYPE html>   <html>  <head> -<meta content="text/html; charset=utf-8" http-equiv="Content-Type"> -<!-- MOA-ID 2.x BKUSelection Layout CSS --> -<style type="text/css"> -@media screen and (min-width: 650px) { -	body { -		margin: 0; -		padding: 0; -		color: #000; -		background-color: #fff; -		text-align: center; -		background-color: #6B7B8B; -	} -	#localBKU p { -		font-size: 0.7em; -	} -	#localBKU input { -		font-size: 0.7em; -		border-radius: 5px; -	} -	#bkuselectionarea button { -		font-size: 0.85em; -		border-radius: 7px; -		margin-bottom: 25px; -	} -	#mandateLogin { -		font-size: 0.85em; -	} -	#bku_header h2 { -		font-size: 0.8em; -	} -	#page { -		display: block; -		border: 2px solid rgb(0, 0, 0); -		width: 650px; -		height: 440px; -		margin: 0 auto; -		margin-top: 5%; -		position: relative; -		border-radius: 25px; -		background: rgb(255, 255, 255); -	} -	#page1 { -		text-align: center; -	} -	#main { -		/*	clear:both; */ -		position: relative; -		margin: 0 auto; -		width: 250px; -		text-align: center; -	} -	.OA_header { -		/*	  background-color: white;*/ -		font-size: 20pt; -		margin-bottom: 25px; -		margin-top: 25px; -	} -	#leftcontent { -		width: 300px; -		margin-top: 30px; -		padding-bottom: 15px; -		margin-bottom: 25px; -		text-align: left; -		border: 1px solid rgb(0, 0, 0); -	} -	#selectArea { -		font-size: 15px; -		padding-bottom: 65px; -	} -	#selectArea h3 { -		margin-bottom: 25px; -	} -	#bku_header { -		height: 5%; -		padding-bottom: 3px; -		padding-top: 3px; -	} -	#bkulogin { -		overflow: hidden; -		min-width: 190px; -		min-height: 180px; -		/*height: 260px;*/ -	} -	h2#tabheader { -		font-size: 1.1em; -		padding-left: 2%; -		padding-right: 2%; -		position: relative; -	} -	.setAssertionButton_full { -		margin-top: 15px; -		width: 100px; -		height: 30px; -		font-size: 1.3em; -		min-height: 1.3em; -		/*          border-radius: 10px;*/ -	} -	#leftbutton { -		width: 30%; -		float: left; -		margin-left: 40px; -	} -	#rightbutton { -		width: 30%; -		float: right; -		margin-right: 45px; -		text-align: right; -	} -	button { -		height: 25px; -		width: 90px; -		margin-bottom: 10px; -	} -	#validation { -		position: absolute; -		bottom: 0px; -		margin-left: 270px; -		padding-bottom: 10px; -	} -} - -@media screen and (max-width: 205px) { -	#localBKU p { -		font-size: 0.6em; -	} -	#localBKU input { -		font-size: 0.7em; -		min-width: 70px; -		min-height: 1.2em; -		border-radius: 5px; -	} -	#bkuselectionarea button,.setAssertionButton_full { -		font-size: 0.8em; -		min-width: 65px; -		min-height: 1.3em; -		/*        border-radius: 5px;         */ -		margin-bottom: 2% -	} -	#mandateLogin { -		font-size: 0.65em; -	} -	#bku_header h2,#selectArea h3 { -		font-size: 0.8em; -		margin-top: -0.4em; -	} -} - -@media screen and (max-width: 249px) and (min-width: 206px) { -	#localBKU p { -		font-size: 0.7em; -	} -	#localBKU input { -		font-size: 0.85em; -		min-width: 80px; -		min-height: 0.95em; -		border-radius: 6px; -	} -	#bkuselectionarea button,.setAssertionButton_full { -		font-size: 0.85em; -		min-width: 70px; -		min-height: 0.95em; -		/*        border-radius: 6px;        */ -		margin-bottom: 2% -	} -	#mandateLogin { -		font-size: 0.75em; -	} -	#bku_header h2,#selectArea h3 { -		font-size: 0.9em; -		margin-top: -0.45em; -	} -} - -@media screen and (max-width: 299px) and (min-width: 250px) { -	#localBKU p { -		font-size: 0.9em; -	} -	#localBKU input { -		font-size: 0.9em; -		min-width: 100px; -		border-radius: 6px; -	} -	#bkuselectionarea button,.setAssertionButton_full { -		font-size: 1.0em; -		min-height: 1.05em; -		/*         border-radius: 7px;          */ -		margin-bottom: 5%; -	} -	#mandateLogin { -		font-size: 1em; -	} -	#bku_header h2,#selectArea h3 { -		font-size: 1.0em; -		margin-top: -0.50em; -	} -} - -@media screen and (max-width: 399px) and (min-width: 300px) { -	#localBKU p { -		font-size: 0.9em; -	} -	#localBKU input { -		font-size: 0.9em; -		min-width: 100px; -		border-radius: 6px; -	} -	#bkuselectionarea button,.setAssertionButton_full { -		font-size: 1.1em; -		min-height: 1.2em; -		/*        border-radius: 8px;     */ -		margin-bottom: 5%; -	} -	#mandateLogin { -		font-size: 1em; -	} -	#bku_header h2,#selectArea h3 { -		font-size: 1.1em; -		margin-top: -0.55em; -	} -} - -@media screen and (max-width: 649px) and (min-width: 400px) { -	#localBKU p { -		font-size: 0.9em; -	} -	#localBKU input { -		font-size: 0.9em; -		min-width: 100px; -		border-radius: 6px; -	} -	#bkuselectionarea button,.setAssertionButton_full { -		font-size: 1.3em; -		min-height: 1.3em; -		/*          border-radius: 10px;  */ -		margin-bottom: 5%; -	} -	#mandateLogin { -		font-size: 1.2em; -	} -	#bku_header h2,#selectArea h3 { -		font-size: 1.3em; -		margin-top: -0.65em; -	} -} - -@media screen and (max-width: 649px) { -	body { -		margin: 0; -		padding: 0; -		color: #000; -		text-align: center; -		font-size: 100%; -		background-color: #MAIN_BACKGOUNDCOLOR#; -	} -	#page { -		visibility: hidden; -		margin-top: 0%; -	} -	#page1 { -		visibility: hidden; -	} -	#main { -		visibility: hidden; -	} -	#validation { -		visibility: hidden; -		display: none; -	} -	.OA_header { -		margin-bottom: 0px; -		margin-top: 0px; -		font-size: 0pt; -		visibility: hidden; -	} -	#leftcontent { -		visibility: visible; -		margin-bottom: 0px; -		text-align: left; -		border: none; -		min-width: 190px; -		/*          min-height: 190px;  */ -		vertical-align: middle; -	} -	#bku_header { -		height: 10%; -		min-height: 1.2em; -		margin-top: 1%; -	} -	h2#tabheader { -		padding-left: 2%; -		padding-right: 2%; -		padding-top: 1%; -		position: relative; -		top: 50%; -	} -	#bkulogin { -		min-width: 190px; -		min-height: 150px; -	} -	.setAssertionButton_full { -		margin-top: 15px; -		width: 70%; -		height: 11%; -		min-width: 60px; -		min-height: 25px; -	} -	#selectArea h3 { -		margin-top: 2%; -	} -	button { -		height: 11%; -		width: 70%; -	} -} - -* { -	margin: 0; -	padding: 0; -	/*				border: 0;  */ -	font-family: #FONTTYPE #; -} - -#selectArea { -	padding-top: 10px; -	padding-bottom: 55px; -	padding-left: 10px; -} - -.setAssertionButton { -	background: #efefef; -	cursor: pointer; -	margin-top: 15px; -	width: 70px; -	height: 25px; -} - -#leftbutton { -	width: 35%; -	float: left; -	margin-left: 15px; -} - -#rightbutton { -	width: 35%; -	float: right; -	margin-right: 25px; -	text-align: right; -} - -#stork { -	margin-bottom: 10px; -	margin-top: 5px; -} - -#mandateLogin { -	padding-bottom: 2%; -	padding-top: 2%; -	height: 10%; -	position: relative; -	text-align: center; -} - -.verticalcenter { -	vertical-align: middle; -} - -#mandateLogin>div { -	clear: both; -	margin-top: -1%; -	position: relative; -	top: 50%; -} - -#bkuselectionarea { -	position: relative; -	display: block; -} - -#localBKU { -	padding-left: 5%; -	padding-right: 2%; -	padding-bottom: 2%; -	position: relative; -	clear: both; -} - -#bkukarte { -	float: left; -	text-align: center; -	width: 40%; -	min-height: 70px; -	padding-left: 5%; -	padding-top: 2%; -} - -#bkuhandy { -	float: right; -	text-align: center; -	width: 40%; -	min-height: 90px; -	padding-right: 5%; -	padding-top: 2%; -} - -.bkuimage { -	width: 90%; -	height: auto; -} - -#mandate { -	text-align: center; -	padding: 5px 5px 5px 5px; -} - -button,.sendButton { -	/*				background: #BUTTON_BACKGROUNDCOLOR#; +	<meta content="text/html; charset=utf-8" http-equiv="Content-Type"> +    <!-- MOA-ID 2.x BKUSelection Layout CSS -->                +    <style type="text/css"> +			@media screen and (min-width: 650px) { +			 +				body { +					margin:0; +					padding:0; +					color : #000; +					background-color : #fff; +			  	text-align: center; +			  	background-color: #6B7B8B; +				} +				 +        #localBKU p { +          font-size: 0.7em; +        }  +         +        #localBKU input{ +          font-size: 0.7em; +          border-radius: 5px; +        } +         +         #bkuselectionarea button { +          font-size: 0.85em; +          border-radius: 7px; +          margin-bottom: 25px; +         } +         +        #mandateLogin { +          font-size: 0.85em; +        } +         +        #bku_header h2 { +          font-size: 0.8em; +        }  +         +         +			  #page { +			    display: block; +			    border: 2px solid rgb(0,0,0); +			    width: 650px; +			    height: 440px; +			    margin: 0 auto; +			    margin-top: 5%; +			    position: relative; +			    border-radius: 25px; +			    background: rgb(255,255,255); +			  } +			   +			  #page1 { +			    text-align: center; +			  } +			   +			  #main { +			    /*	clear:both; */ +				  position:relative; +			    margin: 0 auto; +			    width: 250px; +			    text-align: center; +			  } +			   +			  .OA_header { +			/*	  background-color: white;*/ +			    font-size: 20pt; +			    margin-bottom: 25px; +			    margin-top: 25px; +			  } +			 +			  #leftcontent { +        	width: 300px; +				  margin-top: 30px; +          padding-bottom: 15px; +				  margin-bottom: 25px; +			    text-align: left; +			    border: 1px solid rgb(0,0,0); +			  } +			  			   +			  #selectArea { +				 font-size: 15px; +				 padding-bottom: 65px; +			  } +			  +        #selectArea h3 { +          margin-bottom: 25px; +        } +       +        #bku_header { +          height: 5%; +          padding-bottom: 3px; +          padding-top: 3px; +        } +       +        #bkulogin { +				  overflow:hidden;	 +          min-width: 190px; +          min-height: 180px; +          /*height: 260px;*/	 +			  } +       +        h2#tabheader{ +				  font-size: 1.1em;  +          padding-left: 2%; +          padding-right: 2%; +          position: relative; +			  } +      			   +			  .setAssertionButton_full { +				  margin-top: 15px; +			    width: 100px; +			    height: 30px; +          font-size: 1.3em; +          min-height: 1.3em; +/*          border-radius: 10px;*/ +			  } +			 +			  #leftbutton  { +				 width: 30%;  +				 float:left;  +				 margin-left: 40px; +			  } +			 +			  #rightbutton { +				 width: 30%;  +				 float:right;  +				 margin-right: 45px;  +				 text-align: right; +			  } +         +        button { +          height: 25px; +          width: 90px; +          margin-bottom: 10px; +        } +         +       #validation { +        position: absolute; +        bottom: 0px; +        margin-left: 270px; +        padding-bottom: 10px; +      } +			 +			} + +      @media screen and (max-width: 205px) { +        #localBKU p { +          font-size: 0.6em; +        }  +         +        #localBKU input { +          font-size: 0.7em; +          min-width: 70px; +          min-height: 1.2em; +          border-radius: 5px; +        } +         +        #bkuselectionarea button, .setAssertionButton_full { +          font-size: 0.8em; +          min-width: 65px; +          min-height: 1.3em; +  /*        border-radius: 5px;         */ +          margin-bottom: 2% +        } +         +        #mandateLogin { +          font-size: 0.65em; +        } +         +        #bku_header h2, #selectArea h3 { +          font-size: 0.8em; +          margin-top: -0.4em; +        }  +      } + +      @media screen and (max-width: 249px) and (min-width: 206px) { +        #localBKU p { +          font-size: 0.7em; +        }  +         +        #localBKU input { +          font-size: 0.85em; +          min-width: 80px; +          min-height: 0.95em; +          border-radius: 6px; +        } +         +        #bkuselectionarea button, .setAssertionButton_full { +          font-size: 0.85em; +          min-width: 70px; +          min-height: 0.95em; +  /*        border-radius: 6px;        */ +          margin-bottom: 2% +        } +         +        #mandateLogin { +          font-size: 0.75em; +        } +         +        #bku_header h2, #selectArea h3 { +          font-size: 0.9em; +          margin-top: -0.45em; +        }  +      } + +      @media screen and (max-width: 299px) and (min-width: 250px) { +        #localBKU p { +          font-size: 0.9em; +        }  +         +        #localBKU input { +          font-size: 0.9em; +          min-width: 100px; +          border-radius: 6px; +        } +         +        #bkuselectionarea button, .setAssertionButton_full { +          font-size: 1.0em; +          min-height: 1.05em; + /*         border-radius: 7px;          */ +          margin-bottom: 5%; +        } +         +        #mandateLogin { +          font-size: 1em; +        } +         +        #bku_header h2, #selectArea h3 { +          font-size: 1.0em; +          margin-top: -0.50em; +        }  +      } + +      @media screen and (max-width: 399px) and (min-width: 300px) { +        #localBKU p { +          font-size: 0.9em; +        }  +         +        #localBKU input { +          font-size: 0.9em; +          min-width: 100px; +          border-radius: 6px; +        } +         +        #bkuselectionarea button, .setAssertionButton_full { +          font-size: 1.1em; +          min-height: 1.2em; +  /*        border-radius: 8px;     */ +          margin-bottom: 5%; +        } +         +        #mandateLogin { +          font-size: 1em; +        } +         +        #bku_header h2, #selectArea h3 { +          font-size: 1.1em; +          margin-top: -0.55em; +        }  +      } +       +      @media screen and (max-width: 649px) and (min-width: 400px) { +        #localBKU p { +          font-size: 0.9em; +        }  +         +        #localBKU input { +          font-size: 0.9em; +          min-width: 100px; +          border-radius: 6px; +        } +         +        #bkuselectionarea button, .setAssertionButton_full { +          font-size: 1.3em; +          min-height: 1.3em; +/*          border-radius: 10px;  */ +          margin-bottom: 5%; +        } +         +        #mandateLogin { +          font-size: 1.2em; +        } +         +        #bku_header h2, #selectArea h3 { +          font-size: 1.3em; +          margin-top: -0.65em; +        }  +      } + + +			 +			@media screen and (max-width: 649px) { +				 +        body { +					margin:0; +					padding:0; +					color : #000; +			  	text-align: center; +          font-size: 100%; +			  	background-color: #MAIN_BACKGOUNDCOLOR#; +				} +        				 +			  #page { +			     visibility: hidden; +			     margin-top: 0%; +			  } +			   +			  #page1 { +			    visibility: hidden; +			  } +			   +			  #main { +			    visibility: hidden; +			  } +         +        #validation { +          visibility: hidden; +          display: none; +        } +			   +			  .OA_header { +			    margin-bottom: 0px; +			    margin-top: 0px; +			    font-size: 0pt; +			    visibility: hidden; +			  } +			 +			  #leftcontent { +			    visibility: visible; +			    margin-bottom: 0px; +			    text-align: left; +			    border:none; +          min-width: 190px; +/*          min-height: 190px;  */ +          vertical-align: middle; +           +			  } +			   +        #bku_header { +          height: 10%; +          min-height: 1.2em; +          margin-top: 1%; +        } +         +        h2#tabheader{ +          padding-left: 2%; +          padding-right: 2%; +          padding-top: 1%; +          position: relative; +          top: 50%; +			  } +         +       	#bkulogin {	 +          min-width: 190px; +          min-height: 150px;	 +			 } +         +			 .setAssertionButton_full { +				    margin-top: 15px; +			      width: 70%; +			      height: 11%; +            min-width: 60px; +            min-height: 25px; +			 } +        +       #selectArea h3 { +          margin-top: 2%; +       } +        +        button { +          height: 11%; +          width: 70%; +        } +			} +			       +			* { +				margin: 0; +				padding: 0; +/*				border: 0;  */ +        font-family: #FONTTYPE#; +			} +							      			 +			#selectArea { +				padding-top: 10px; +				padding-bottom: 55px; +				padding-left: 10px; +			} +			 +			.setAssertionButton { +				background: #efefef; +				cursor: pointer; +				margin-top: 15px; +			  width: 70px; +			  height: 25px; +			} +			 +			#leftbutton  { +				width: 35%;  +				float:left;  +				margin-left: 15px; +			} +			 +			#rightbutton { +				width: 35%;  +				float:right;  +				margin-right: 25px;  +				text-align: right; +			} +			 +			#stork { +			    margin-bottom: 10px; +			    margin-top: 5px; +			} +			 +      #mandateLogin { +        padding-bottom: 2%; +        padding-top: 2%; +        height: 10%; +        position: relative; +        text-align: center; +			} +       +      .verticalcenter { +        vertical-align: middle; +      } +       +      #mandateLogin > div { +        clear: both; +        margin-top: -1%; +        position: relative; +        top: 50%; +      } +       +      #bkuselectionarea { +          position: relative; +          display: block; +      } +       +      #localBKU { +        padding-left: 5%; +        padding-right: 2%; +        padding-bottom: 2%; +        position: relative; +        clear: both;         +			} +          			 +			#bkukarte { +				float:left; +				text-align:center; +				width:40%; +        min-height: 70px; +        padding-left: 5%; +        padding-top: 2%; +			} +			 +			#bkuhandy { +				float:right; +				text-align:center; +				width:40%; +        min-height: 90px; +        padding-right: 5%; +        padding-top: 2%; +			} +			 +      .bkuimage { +        width: 90%; +        height: auto; +      } +       +			#mandate{ +				text-align:center; +				padding : 5px 5px 5px 5px; +			} +			 +			button, .sendButton { +/*				background: #BUTTON_BACKGROUNDCOLOR#;          color: #BUTTON_COLOR#;  */ -	cursor: pointer; - -	/*				border:1px solid #000; +        cursor: pointer; +         +/*				border:1px solid #000;          box-shadow: 3px 3px 3px #222222; */ -} - -button:hover,button:focus,button:active,.sendButton:hover,.sendButton:focus,.sendButton:active,#mandateCheckBox:hover,#mandateCheckBox:focus,#mandateCheckBox:active -	{ -	/*				background: #BUTTON_BACKGROUNDCOLOR_FOCUS#; -        color: #BUTTON_COLOR#;  */ -	cursor: pointer; - -	/*				border:1px solid #000; +			} +			 +      button:hover, button:focus, button:active,  +      .sendButton:hover , .sendButton:focus, .sendButton:active, +      #mandateCheckBox:hover, #mandateCheckBox:focus, #mandateCheckBox:active { +/*				background: #BUTTON_BACKGROUNDCOLOR_FOCUS#; +        color: #BUTTON_COLOR#;  */         +        cursor: pointer; +         +/*				border:1px solid #000;          box-shadow: -1px -1px 3px #222222;  */ -} - -#installJava,#BrowserNOK { -	clear: both; -	font-size: 0.8em; -	padding: 4px; -} - -.selectText { -	 -} - -.selectTextHeader { -	 -} - -#leftcontent a { -	text-decoration: none; -	color: #000; -	/*	display:block;*/ -	padding: 4px; -} - -#leftcontent a:hover,#leftcontent a:focus,#leftcontent a:active { -	text-decoration: underline; -	color: #000; -} - -.infobutton { -	background-color: #005a00; -	color: white; -	font-family: serif; -	text-decoration: none; -	padding-top: 2px; -	padding-right: 4px; -	padding-bottom: 2px; -	padding-left: 4px; -	font-weight: bold; -} - -.hell { -	background-color: #MAIN_BACKGOUNDCOLOR#; -	color: #MAIN_COLOR#; -} - -.dunkel { -	background-color: #HEADER_BACKGROUNDCOLOR#; -	color: #HEADER_COLOR#; -} - -.main_header { -	color: black; -	font-size: 32pt; -	position: absolute; -	right: 10%; -	top: 40px; -} -</style> - - -<title>Anmeldung an Online-Applikation</title> +			} +      			 +			#installJava, #BrowserNOK { +				clear:both; +				font-size:0.8em; +				padding:4px; +			} +						 +			.selectText{ +			 +			} +			 +			.selectTextHeader{ +			 +			} +						 +			#leftcontent a { +				text-decoration:none;  +				color: #000; +			/*	display:block;*/ +				padding:4px;	 +			} +			 +			#leftcontent a:hover, #leftcontent a:focus, #leftcontent a:active { +				text-decoration:underline; +				color: #000;	 +			} +						 +			.infobutton { +				background-color: #005a00; +				color: white; +				font-family: serif; +				text-decoration: none; +				padding-top: 2px; +				padding-right: 4px; +				padding-bottom: 2px; +				padding-left: 4px; +				font-weight: bold; +			} +			 +			.hell { +				background-color : #MAIN_BACKGOUNDCOLOR#; +        color: #MAIN_COLOR#;	 +			} +			 +			.dunkel { +				background-color: #HEADER_BACKGROUNDCOLOR#; +        color: #HEADER_COLOR#; +			} +			       +			.main_header { +			   color: black; +			    font-size: 32pt; +			    position: absolute; +			    right: 10%; +			    top: 40px; +				 +			} +      			                         +    </style> +     +     +    <title>Anmeldung an Online-Applikation</title>     </head>  <body> -	<div id="page"> - -		<div id="page1" class="case selected-case" role="main"> - -			<!-- 					<h2 class="OA_header">Anmeldung an: #OAName#</h2> --> - -			<div id="main"> -				<div id="leftcontent" class="hell"> -					<div id="bku_header" class="dunkel"> -						<h2 id="tabheader" class="dunkel" role="heading"> -							Anmeldeinformationen:</h2> -					</div> - -					<div id="selectArea" class="hell" role="application"> -						<h3>Anmeldung an: #OAName#</h3> - -						<!-- 						<div class="hell"> --> -						<div id="leftbutton"> -							<form method="post" id="moaidform_yes" action="#URL#"> -								<input type="hidden" name="value" value="true"> <input -									type="hidden" name="mod" value="#MODUL#"> <input -									type="hidden" name="action" value="#ACTION#"> <input -									type="hidden" name="identifier" value="#ID#"> <input -									type="submit" value="Ja" -									class="setAssertionButton_full sendButton" role="button"> -							</form> -						</div> -						<div id="rightbutton"> -							<form method="post" id="moaidform_no" action="#URL#"> -								<input type="hidden" name="value" value="false"> <input -									type="hidden" name="mod" value="#MODUL#"> <input -									type="hidden" name="action" value="#ACTION#"> <input -									type="hidden" name="identifier" value="#ID#"> <input -									type="submit" value="Nein" -									class="setAssertionButton_full sendButton" role="button"> -							</form> -						</div> - +		<div id="page"> + +			<div id="page1" class="case selected-case" role="main"> + +<!-- 					<h2 class="OA_header">Anmeldung an: #OAName#</h2> --> + +					<div id="main"> +					<div id="leftcontent" class="hell"> +            <div id="bku_header" class="dunkel"> +						  <h2 id="tabheader" class="dunkel" role="heading"> +							 Anmeldeinformationen:							   +						  </h2> +            </div> +					 +						<div id="selectArea" class="hell" role="application"> +							<h3>Anmeldung an: #OAName#</h3> +					 +<!-- 						<div class="hell"> --> +							<div id="leftbutton"> +									<form method="post" id="moaidform_yes" action="#URL#"> +										<input type="hidden" name="value" value="true"> +										<input type="hidden" name="mod" value="#MODUL#"> +								    <input type="hidden" name="action" value="#ACTION#"> +                    <input type="hidden" name="identifier" value="#ID#"> +										<input type="submit" value="Ja" class="setAssertionButton_full sendButton" role="button"> +									</form> +							</div> +							<div id="rightbutton"> +										<form method="post" id="moaidform_no" action="#URL#"> +										<input type="hidden" name="value" value="false"> +										<input type="hidden" name="mod" value="#MODUL#"> +								    <input type="hidden" name="action" value="#ACTION#"> +                    <input type="hidden" name="identifier" value="#ID#"> +										<input type="submit" value="Nein" class="setAssertionButton_full sendButton" role="button"> +									</form> +							</div> +						 +						</div>												  					</div>  				</div> -			</div> -		</div> -		<div id="validation"> -			<a href="http://validator.w3.org/check?uri="> <img -				style="border: 0; width: 88px; height: 31px" -				src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" /> -			</a> <a href="http://jigsaw.w3.org/css-validator/"> <img -				style="border: 0; width: 88px; height: 31px" -				src="https://jigsaw.w3.org/css-validator/images/vcss-blue" -				alt="CSS ist valide!" /> -			</a>  		</div> +    <!--div id="validation"> +        <a href="http://validator.w3.org/check?uri="> +          <img   style="border:0;width:88px;height:31px" +                 src="#CONTEXTPATH#/img/valid-html5-blue.png" +                 alt="HTML5 ist valide!" /> +        </a> +        <a href="http://jigsaw.w3.org/css-validator/"> +          <img   style="border:0;width:88px;height:31px" +                 src="http://jigsaw.w3.org/css-validator/images/vcss-blue" +                 alt="CSS ist valide!" /> +        </a> +    </div-->  	</div>  </body>  </html> diff --git a/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html b/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html index 8976b2bd6..a9d73e0d3 100644 --- a/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html +++ b/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html @@ -380,7 +380,21 @@  			function sloTimeOut() {  				window.location.href="$timeoutURL"; -			}	 +			} +      function RestartAfterDelay() { +        var eDate = null; +        var MilliSekZeit = 0; +        var SysDatumJetzt = new Date(); +        var SysDatumJetztMilli = SysDatumJetzt.getTime(); + +        do { +          eDate = new Date(); +          MilliSekZeit = eDate.getTime(); + +        } while ((MilliSekZeit-SysDatumJetztMilli) < $timeout); + +        sloTimeOut(); +      }	  		</script>  	#end @@ -430,22 +444,21 @@  				</div>  			</div>  		</div> -		<div id="validation"> +		<!--div id="validation">  			<a href="http://validator.w3.org/check?uri="> <img  				style="border: 0; width: 88px; height: 31px"  				src="$contextpath/img/valid-html5-blue.png" alt="HTML5 ist valide!" />  			</a> <a href="http://jigsaw.w3.org/css-validator/"> <img  				style="border: 0; width: 88px; height: 31px" -				src="https://jigsaw.w3.org/css-validator/images/vcss-blue" +				src="http://jigsaw.w3.org/css-validator/images/vcss-blue"  				alt="CSS ist valide!" />  			</a> -		</div> +		</div-->  	</div>    #foreach( $el in $redirectURLs )  	   <iframe src=$el class="reqframe"></iframe>    #end -    </body>  </html>
\ No newline at end of file | 
