aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/ProtocolNotActiveException.java44
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java22
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/ProtocolAllowed.java91
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java18
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java8
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties3
8 files changed, 199 insertions, 6 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/ProtocolNotActiveException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/ProtocolNotActiveException.java
new file mode 100644
index 000000000..fe2bcedca
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/ProtocolNotActiveException.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.exception;
+
+/**
+ * @author tlenz
+ *
+ */
+public class ProtocolNotActiveException extends MOAIDException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 1832697083163940710L;
+
+ /**
+ * @param messageId
+ * @param parameters
+ */
+ public ProtocolNotActiveException(String messageId, Object[] parameters) {
+ super(messageId, parameters);
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index 69a73215a..d1872b2bc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -105,6 +105,7 @@ import at.gv.egovernment.moa.id.config.ConnectionParameter;
import at.gv.egovernment.moa.id.config.ConnectionParameterForeign;
import at.gv.egovernment.moa.id.config.ConnectionParameterMOASP;
import at.gv.egovernment.moa.id.config.ConnectionParameterMandate;
+import at.gv.egovernment.moa.id.config.auth.data.ProtocolAllowed;
import at.gv.egovernment.moa.id.config.legacy.BuildFromLegacyConfig;
import at.gv.egovernment.moa.id.config.stork.STORKConfig;
import at.gv.egovernment.moa.id.data.IssuerAndSerial;
@@ -190,6 +191,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
private static String alternativesourceid = null;
private static List<String> legacyallowedprotocols = new ArrayList<String>();
+ private static ProtocolAllowed allowedProtcols = null;
private static VerifyAuthBlock verifyidl = null;
@@ -246,6 +248,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
return instance;
}
+
/**
* Constructor for AuthConfigurationProvider.
* @param fileName
@@ -515,8 +518,22 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
//set PVP2 general config
Protocols protocols = auth.getProtocols();
if (protocols != null) {
+
+ allowedProtcols = new ProtocolAllowed();
+
+ if (protocols.getSAML1() != null) {
+ allowedProtcols.setSAML1Active(protocols.getSAML1().isIsActive());
+ }
+
+ if (protocols.getOAuth() != null) {
+ allowedProtcols.setOAUTHActive(protocols.getOAuth().isIsActive());
+ }
+
if (protocols.getPVP2() != null) {
- PVP2 el = protocols.getPVP2();;
+ PVP2 el = protocols.getPVP2();
+
+ allowedProtcols.setPVP21Active(el.isIsActive());
+
pvp2general = new PVP2();
pvp2general.setIssuerName(el.getIssuerName());
pvp2general.setPublicURLPrefix(el.getPublicURLPrefix());
@@ -730,6 +747,9 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
return this.getGeneralProperiesConfig("protocols.oauth20.");
}
+ public ProtocolAllowed getAllowedProtocols() {
+ return this.allowedProtcols;
+ }
public PVP2 getGeneralPVP2DBConfig() {
return pvp2general;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/ProtocolAllowed.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/ProtocolAllowed.java
new file mode 100644
index 000000000..a04fb1626
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/ProtocolAllowed.java
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.config.auth.data;
+
+/**
+ * @author tlenz
+ *
+ */
+public class ProtocolAllowed {
+
+ private boolean isSAML1Active = false;
+ private boolean isPVP21Active = true;
+ private boolean isOAUTHActive = true;
+
+ /**
+ *
+ */
+ public ProtocolAllowed() {
+
+ }
+
+ /**
+ *
+ */
+ public ProtocolAllowed(boolean saml1, boolean pvp21, boolean oauth) {
+ this.isOAUTHActive = oauth;
+ this.isPVP21Active = pvp21;
+ this.isSAML1Active = saml1;
+
+ }
+
+ /**
+ * @return the isSAML1Active
+ */
+ public boolean isSAML1Active() {
+ return isSAML1Active;
+ }
+ /**
+ * @param isSAML1Active the isSAML1Active to set
+ */
+ public void setSAML1Active(boolean isSAML1Active) {
+ this.isSAML1Active = isSAML1Active;
+ }
+ /**
+ * @return the isPVP21Active
+ */
+ public boolean isPVP21Active() {
+ return isPVP21Active;
+ }
+ /**
+ * @param isPVP21Active the isPVP21Active to set
+ */
+ public void setPVP21Active(boolean isPVP21Active) {
+ this.isPVP21Active = isPVP21Active;
+ }
+ /**
+ * @return the isOAUTHActive
+ */
+ public boolean isOAUTHActive() {
+ return isOAUTHActive;
+ }
+ /**
+ * @param isOAUTHActive the isOAUTHActive to set
+ */
+ public void setOAUTHActive(boolean isOAUTHActive) {
+ this.isOAUTHActive = isOAUTHActive;
+ }
+
+
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 260a4fd79..1f526caca 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -28,6 +28,7 @@ import iaik.security.ecc.provider.ECCProvider;
import iaik.security.provider.IAIK;
import java.io.IOException;
+import java.io.PrintWriter;
import java.security.Security;
import java.util.Iterator;
import java.util.Map;
@@ -45,6 +46,7 @@ import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
@@ -317,20 +319,28 @@ public class DispatcherServlet extends AuthServlet{
}
}
}
+
+ } catch (ProtocolNotActiveException e) {
+ resp.getWriter().write(e.getMessage());
+ resp.setContentType("text/html;charset=UTF-8");
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
+ return;
+
+
} catch (MOAIDException e) {
Logger.error("Failed to generate a valid protocol request!");
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
resp.setContentType("text/html;charset=UTF-8");
- resp.getWriter().write("NO valid protocol request received!");
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!");
return;
+
}
if (protocolRequest == null) {
Logger.error("Failed to generate a valid protocol request!");
- resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
resp.setContentType("text/html;charset=UTF-8");
- resp.getWriter().write("NO valid protocol request received!");
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!");
return;
+
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
index 1fb67a0b2..7ef5a2068 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
@@ -32,6 +32,8 @@ import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.id.moduls.IModulInfo;
import at.gv.egovernment.moa.id.moduls.IRequest;
@@ -77,6 +79,13 @@ public class OAuth20Protocol implements IModulInfo {
*/
public IRequest preProcess(HttpServletRequest request, HttpServletResponse resp, String action) throws MOAIDException {
// validation is done inside creation
+
+ if (!AuthConfigurationProvider.getInstance().getAllowedProtocols().isOAUTHActive()) {
+ Logger.info("OAuth is deaktivated!");
+ throw new ProtocolNotActiveException("auth.22", new Object[] { NAME });
+
+ }
+
OAuth20BaseRequest res = OAuth20BaseRequest.newInstance(action, request);
Logger.debug("Created: " + res);
return res;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 82a620f6b..84c0138a5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -47,6 +47,8 @@ import org.opensaml.saml2.metadata.SPSSODescriptor;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.id.moduls.IModulInfo;
import at.gv.egovernment.moa.id.moduls.IRequest;
@@ -129,6 +131,14 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
public IRequest preProcess(HttpServletRequest request,
HttpServletResponse response, String action) throws MOAIDException {
+
+ if (!AuthConfigurationProvider.getInstance().getAllowedProtocols().isPVP21Active()) {
+ Logger.info("PVP2.1 is deaktivated!");
+ throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME });
+
+ }
+
+
if(METADATA.equals(action)) {
return new PVPTargetConfiguration();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
index 1c57c841e..e587ef0e1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
@@ -32,6 +32,7 @@ import org.apache.commons.lang.StringEscapeUtils;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet;
import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1;
@@ -81,6 +82,13 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants {
public IRequest preProcess(HttpServletRequest request,
HttpServletResponse response, String action) throws MOAIDException {
RequestImpl config = new RequestImpl();
+
+ if (!AuthConfigurationProvider.getInstance().getAllowedProtocols().isSAML1Active()) {
+ Logger.info("SAML1 is deaktivated!");
+ throw new ProtocolNotActiveException("auth.22", new Object[] { NAME });
+
+ }
+
String oaURL = (String) request.getParameter(PARAM_OA);
//oaURL = StringEscapeUtils.escapeHtml(oaURL);
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 3151aa657..dc698782a 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -40,6 +40,7 @@ auth.18=Keine MOASessionID vorhanden
auth.19=Die Authentifizierung kann nicht passiv durchgef\u00FChrt werden.
auth.20=No valid MOA session found. Authentification process is abourted.
auth.21=Der Anmeldevorgang wurde durch den Benutzer abgebrochen.
+auth.22=Das Protokoll {0} ist deaktiviert.
init.00=MOA ID Authentisierung wurde erfolgreich gestartet
init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar
@@ -227,5 +228,5 @@ oauth20.04=Die Art der Anmeldung wird nicht unterstuetzt
oauth20.05=Der angegebene Benutzer ist nicht berechtigt
oauth20.06=Die angegebene OA kann nicht verwendet werden
oauth20.07=Angeforderter grant_type ist nicht erlaubt
-oauth20.08=Nicht berechtigt für Token-Request
+oauth20.08=Nicht berechtigt f�r Token-Request
oauth20.09=Zertifikat fuer JSON Web-Token ist falsch konfiguriert. Fehler bei "{0}"