aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java85
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java27
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java126
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java2
7 files changed, 160 insertions, 88 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index 0173c67a1..6f83da367 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -31,6 +31,8 @@ public interface MOAIDAuthConstants {
public static final String PARAM_MODUL = "MODUL";
public static final String PARAM_ACTION = "ACTION";
public static final String PARAM_SSO = "SSO";
+ public static final String INTERFEDERATION_IDP = "interIDP";
+
/** servlet parameter "sourceID" */
public static final String PARAM_SOURCEID = "sourceID";
/** servlet parameter "BKUSelectionTemplate" */
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
index 9911fccd4..9b300578a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
@@ -53,7 +53,6 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
@@ -62,7 +61,6 @@ import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
import at.gv.egovernment.moa.id.moduls.RequestStorage;
import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
-import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -107,7 +105,7 @@ public class LogOutServlet extends AuthServlet {
//delete SSO session and MOA session
AuthenticationManager authmanager = AuthenticationManager.getInstance();
- String moasessionid = AuthenticationSessionStoreage.getMOASessionID(ssoid);
+ String moasessionid = AuthenticationSessionStoreage.getMOASessionSSOID(ssoid);
RequestStorage.removePendingRequest(AuthenticationSessionStoreage.getPendingRequestID(moasessionid));
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index 00acdc540..57755ca9f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.auth.builder.RedirectFormBuilder;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
+import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.URLEncoder;
@@ -53,8 +54,10 @@ public class RedirectServlet extends AuthServlet{
String url = req.getParameter(REDIRCT_PARAM_URL);
String target = req.getParameter(PARAM_TARGET);
String artifact = req.getParameter(PARAM_SAMLARTIFACT);
+ String interIDP = req.getParameter(INTERFEDERATION_IDP);
- if (MiscUtil.isEmpty(artifact)) {
+
+ if (MiscUtil.isEmpty(artifact) && MiscUtil.isEmpty(interIDP)) {
resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
return;
}
@@ -68,14 +71,57 @@ public class RedirectServlet extends AuthServlet{
resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
return;
- } else {
- try {
- String test = oa.getAuthComponentOA().getTemplates().getBKUSelectionCustomization().getAppletRedirectTarget();
- if (MiscUtil.isNotEmpty(test))
- redirectTarget = test;
+ } else {
+ //Redirect is a SAML1 send Artifact redirct
+ if (MiscUtil.isNotEmpty(artifact)) {
+ try {
+ String test = oa.getAuthComponentOA().getTemplates().getBKUSelectionCustomization().getAppletRedirectTarget();
+ if (MiscUtil.isNotEmpty(test))
+ redirectTarget = test;
+
+ } catch (Exception e) {
+ Logger.debug("Use default redirectTarget.");
+ }
+
+ Logger.info("Redirect to " + url);
+
+ if (MiscUtil.isNotEmpty(target)) {
+// redirectURL = addURLParameter(redirectURL, PARAM_TARGET,
+// URLEncoder.encode(session.getTarget(), "UTF-8"));
+ url = addURLParameter(url, PARAM_TARGET,
+ URLEncoder.encode(target, "UTF-8"));
+
+
+ }
+ url = addURLParameter(url, PARAM_SAMLARTIFACT,
+ URLEncoder.encode(artifact, "UTF-8"));
+ url = resp.encodeRedirectURL(url);
+
+ String redirect_form = RedirectFormBuilder.buildLoginForm(url, redirectTarget);
+
+ resp.setContentType("text/html;charset=UTF-8");
+ resp.setStatus(HttpServletResponse.SC_OK);
+ PrintWriter out = new PrintWriter(resp.getOutputStream());
+ out.write(redirect_form);
+ out.flush();
+
+ } else if (MiscUtil.isNotEmpty(interIDP)) {
+ //store IDP identifier and redirect to generate AuthRequst service
+ Logger.info("Receive an interfederation redirect request for IDP " + interIDP);
+ SSOManager sso = SSOManager.getInstance();
+ sso.setInterfederationIDPCookie(req, resp, interIDP);
+
+ Logger.debug("Redirect to " + url);
+ url = resp.encodeRedirectURL(url);
+ resp.setContentType("text/html");
+ resp.setStatus(HttpServletResponse.SC_FOUND);
+ resp.addHeader("Location", url);
+
+
+ } else {
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
+ return;
- } catch (Exception e) {
- Logger.debug("Use default redirectTarget.");
}
}
@@ -88,29 +134,6 @@ public class RedirectServlet extends AuthServlet{
ConfigurationDBUtils.closeSession();
}
-
- Logger.info("Redirect to " + url);
-
- if (MiscUtil.isNotEmpty(target)) {
-// redirectURL = addURLParameter(redirectURL, PARAM_TARGET,
-// URLEncoder.encode(session.getTarget(), "UTF-8"));
- url = addURLParameter(url, PARAM_TARGET,
- URLEncoder.encode(target, "UTF-8"));
-
-
- }
- url = addURLParameter(url, PARAM_SAMLARTIFACT,
- URLEncoder.encode(artifact, "UTF-8"));
- url = resp.encodeRedirectURL(url);
-
- String redirect_form = RedirectFormBuilder.buildLoginForm(url, redirectTarget);
-
- resp.setContentType("text/html;charset=UTF-8");
- PrintWriter out = new PrintWriter(resp.getOutputStream());
- out.write(redirect_form);
- out.flush();
-
-
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java
index 442ebe2f4..495c4ca5b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java
@@ -124,7 +124,7 @@ public class SSOSendAssertionServlet extends AuthServlet{
}
if (valueString.compareToIgnoreCase("true") == 0) {
- moaSessionID = AuthenticationSessionStoreage.getMOASessionID(ssoId);
+ moaSessionID = AuthenticationSessionStoreage.getMOASessionSSOID(ssoId);
AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(moaSessionID);
AuthenticationSessionStoreage.setAuthenticated(moaSessionID, true);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 1cc2a5711..30585c413 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -330,7 +330,10 @@ public class DispatcherServlet extends AuthServlet{
boolean needAuthentication = moduleAction.needAuthentication(protocolRequest, req, resp);
if (needAuthentication) {
-
+
+ //check if interfederation IDP is requested
+ ssomanager.checkInterfederationIsRequested(req, resp, protocolRequest);
+
//check SSO session
if (ssoId != null) {
String correspondingMOASession = ssomanager.existsOldSSOSession(ssoId);
@@ -404,31 +407,29 @@ public class DispatcherServlet extends AuthServlet{
if (oaParam.useSSOQuestion() && !AuthenticationSessionStoreage.isAuthenticated(moasessionID)) {
authmanager.sendTransmitAssertionQuestion(req, resp, protocolRequest, oaParam);
return;
- }
- }
- else {
+ }
- moasessionID = (String) req.getParameter(PARAM_SESSIONID);
-
+ } else {
+ moasessionID = (String) req.getParameter(PARAM_SESSIONID);
moasession = AuthenticationSessionStoreage.getSession(moasessionID);
- }
-
+
+ }
//save SSO session usage in Database
newSSOSessionId = ssomanager.createSSOSessionInformations(moasessionID, protocolRequest.getOAURL());
- if (newSSOSessionId != null) {
+ if (MiscUtil.isNotEmpty(newSSOSessionId)) {
ssomanager.setSSOSessionID(req, resp, newSSOSessionId);
} else {
ssomanager.deleteSSOSessionID(req, resp);
+
}
- } else {
-
- moasessionID = (String) req.getParameter(PARAM_SESSIONID);
-
+ } else {
+ moasessionID = (String) req.getParameter(PARAM_SESSIONID);
moasession = AuthenticationSessionStoreage.getSession(moasessionID);
moasessionID = AuthenticationSessionStoreage.changeSessionID(moasession);
+
}
//build authenticationdata from session information and OA configuration
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
index c2e6cd273..c2b9bab52 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
@@ -31,6 +31,7 @@ import javax.servlet.http.HttpServletResponse;
import org.hibernate.Query;
import org.hibernate.Session;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;
import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore;
@@ -47,9 +48,12 @@ import at.gv.egovernment.moa.util.MiscUtil;
public class SSOManager {
private static final String SSOCOOKIE = "MOA_ID_SSO";
+ private static final String SSOINTERFEDERATION = "MOA_INTERFEDERATION_SSO";
private static final int DEFAULTSSOTIMEOUT = 15 * 60; // sec
+ private static final int INTERFEDERATIONCOOKIEMAXAGE = 5 * 60;// sec
+
private static SSOManager instance = null;
private static int sso_timeout;
@@ -71,6 +75,45 @@ public class SSOManager {
return instance;
}
+ public void checkInterfederationIsRequested(HttpServletRequest httpReq, HttpServletResponse httpResp,
+ IRequest protocolRequest) {
+ String interIDP = httpReq.getParameter(MOAIDAuthConstants.INTERFEDERATION_IDP);
+
+ if (MiscUtil.isNotEmpty(protocolRequest.getRequestedIDP())) {
+ Logger.info("Protocolspecific preprocessing already set interfederation IDP " + protocolRequest.getRequestedIDP());
+
+ }
+
+ if (protocolRequest instanceof RequestImpl) {
+ //check if IDP is requested
+ RequestImpl moaReq = (RequestImpl) protocolRequest;
+ if (MiscUtil.isNotEmpty(interIDP)) {
+ Logger.info("Receive SSO request for interfederation IDP " + interIDP);
+ moaReq.setRequestedIDP(interIDP);
+
+ } else {
+ //check if IDP cookie is set
+ String cookie = getValueFromCookie(httpReq, SSOINTERFEDERATION);
+ if (MiscUtil.isNotEmpty(cookie)) {
+ Logger.info("Receive SSO request for interfederation IDP from Cookie " + cookie);
+ moaReq.setRequestedIDP(cookie);
+
+ deleteCookie(httpReq, httpResp, SSOINTERFEDERATION);
+ }
+ }
+
+ } else {
+ Logger.warn("Request is not of type RequestImpl");
+
+ }
+ }
+
+ public void setInterfederationIDPCookie(HttpServletRequest httpReq, HttpServletResponse httpResp, String value) {
+ setCookie(httpReq, httpResp, SSOINTERFEDERATION, value, INTERFEDERATIONCOOKIEMAXAGE);
+
+ }
+
+
public boolean isValidSSOSession(String ssoSessionID, IRequest protocolRequest) {
// search SSO Session
@@ -113,7 +156,8 @@ public class SSOManager {
}
public String getMOASession(String ssoSessionID) {
- return AuthenticationSessionStoreage.getMOASessionID(ssoSessionID);
+ return AuthenticationSessionStoreage.getMOASessionSSOID(ssoSessionID);
+
}
public String existsOldSSOSession(String ssoId) {
@@ -171,49 +215,21 @@ public class SSOManager {
return newSSOId;
}
-
+
public void setSSOSessionID(HttpServletRequest httpReq, HttpServletResponse httpResp, String ssoId) {
- Cookie[] cookies = httpReq.getCookies();
+ setCookie(httpReq, httpResp, SSOCOOKIE, ssoId, sso_timeout);
- if (cookies != null) {
- deleteSSOSessionID(httpReq, httpResp);
- }
-
- Cookie cookie = new Cookie(SSOCOOKIE, ssoId);
- cookie.setMaxAge(sso_timeout);
- cookie.setSecure(true);
- cookie.setPath(httpReq.getContextPath());
- httpResp.addCookie(cookie);
}
-
+
public String getSSOSessionID(HttpServletRequest httpReq) {
- Cookie[] cookies = httpReq.getCookies();
+ return getValueFromCookie(httpReq, SSOCOOKIE);
- if (cookies != null) {
- for (Cookie cookie : cookies) {
-
- // funktioniert nicht, da Cookie seltsamerweise immer unsecure übertragen wird
- // (firefox)
- // if (cookie.getName().equals(SSOCOOKIE) && cookie.getSecure()) {
-
- if (cookie.getName().equals(SSOCOOKIE)) {
- return cookie.getValue();
- }
- }
- }
- return null;
}
-
- public void deleteSSOSessionID(HttpServletRequest httpReq, HttpServletResponse httpResp) {
- Cookie[] cookies = httpReq.getCookies();
- if (cookies != null) {
- for (Cookie cookie : cookies) {
- if (!cookie.getName().equals(SSOCOOKIE)) httpResp.addCookie(cookie);
- }
- }
+ public void deleteSSOSessionID(HttpServletRequest httpReq, HttpServletResponse httpResp) {
+ deleteCookie(httpReq, httpResp, SSOCOOKIE);
}
-
+
/**
* @param entityID
* @param request
@@ -242,9 +258,6 @@ public class SSOManager {
Logger.warn("MOASession is marked as interfederated SSO session but no interfederated IDP is found. Switch to local authentication ...");
}
-
-
-
return true;
@@ -252,5 +265,40 @@ public class SSOManager {
return false;
}
+
+ private String getValueFromCookie(HttpServletRequest httpReq, String cookieName) {
+ Cookie[] cookies = httpReq.getCookies();
+
+ if (cookies != null) {
+ for (Cookie cookie : cookies) {
+
+ // funktioniert nicht, da Cookie seltsamerweise immer unsecure übertragen wird
+ // (firefox)
+ // if (cookie.getName().equals(SSOCOOKIE) && cookie.getSecure()) {
+
+ if (cookie.getName().equals(cookieName)) {
+ return cookie.getValue();
+ }
+ }
+ }
+ return null;
+ }
+
+ private void setCookie(HttpServletRequest httpReq, HttpServletResponse httpResp,
+ String cookieName, String cookieValue, int maxAge) {
+
+ Cookie cookie = new Cookie(cookieName, cookieValue);
+ cookie.setMaxAge(maxAge);
+ cookie.setSecure(true);
+
+ //TODO: could be a problem if the IDP is accessible from different contextPaths or Domains
+ cookie.setPath(httpReq.getContextPath());
+
+ httpResp.addCookie(cookie);
+ }
+
+ private void deleteCookie(HttpServletRequest httpReq, HttpServletResponse httpResp, String cookieName) {
+ setCookie(httpReq, httpResp, cookieName, "", 1);
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index 2ee4327dc..6437a4cac 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -429,7 +429,7 @@ public class AuthenticationSessionStoreage {
}
- public static String getMOASessionID(String SSOSessionID) {
+ public static String getMOASessionSSOID(String SSOSessionID) {
MiscUtil.assertNotNull(SSOSessionID, "moasessionID");
Logger.trace("Get authenticated session with SSOID " + SSOSessionID + " from database.");
Session session = MOASessionDBUtils.getCurrentSession();