aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java16
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java49
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java19
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java90
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java24
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java26
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java34
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java12
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java29
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java47
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java17
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java12
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKResponse.java12
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java12
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java16
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties1
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties1
47 files changed, 442 insertions, 135 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 63bdab919..8aa6a15d7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -757,7 +757,7 @@ public class AuthenticationServer extends MOAIDAuthConstants {
if (session.isSsoRequested()) {
String oaURL = new String();
try {
- oaURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ oaURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().get(0);
if (MiscUtil.isNotEmpty(oaURL))
oaURL = oaURL.replaceAll("&", "&");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index b29e0d9f6..49c3578d8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -169,4 +169,6 @@ public class MOAIDAuthConstants extends MOAIDConstants{
public static final String MDC_TRANSACTION_ID = "transactionId";
public static final String MDC_SESSION_ID = "sessionId";
+ public static final int TIME_JITTER = 5; //allow 5 minutes time jitter for AuthnRequests
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
index 899b0fd15..d4350f97b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
@@ -95,6 +95,9 @@ public class DataURLBuilder {
// dataURL = individualDataURLPrefix + authServletName;
// } else
+ if (!authBaseURL.endsWith("/"))
+ authBaseURL += "/";
+
dataURL = authBaseURL + authServletName;
dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_SESSIONID, sessionID);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java
index 253125fe9..295254eda 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java
@@ -148,6 +148,9 @@ public class SendAssertionFormBuilder {
value = value.replace(ACTION, action);
value = value.replace(ID, id);
value = value.replace(OANAME, oaParam.getFriendlyName());
+
+ if (contextpath.endsWith("/"))
+ contextpath = contextpath.substring(0, contextpath.length() - 1);
value = value.replace(CONTEXTPATH, contextpath);
value = FormBuildUtils.customiceLayoutBKUSelection(value,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
index ded261bfc..8a536ca77 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
@@ -56,7 +56,8 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
String ccc,
String module,
String action,
- HttpServletRequest req) throws WrongParametersException, MOAIDException {
+ HttpServletRequest req,
+ IRequest protocolReq) throws WrongParametersException, MOAIDException {
String targetFriendlyName = null;
@@ -218,20 +219,15 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
throw new WrongParametersException("StartAuthentication",
PARAM_OA, "auth.05");
moasession.setOAURLRequested(oaURL);
-
+
//check AuthURL
- String authURL = req.getScheme() + "://" + req.getServerName();
- if ((req.getScheme().equalsIgnoreCase("https") && req.getServerPort()!=443) || (req.getScheme().equalsIgnoreCase("http") && req.getServerPort()!=80)) {
- authURL = authURL.concat(":" + req.getServerPort());
- }
- authURL = authURL.concat(req.getContextPath() + "/");
-
+ String authURL = protocolReq.getAuthURL();
if (!authURL.startsWith("https:") && !AuthConfigurationProviderFactory.getInstance().isHTTPAuthAllowed())
throw new AuthenticationException("auth.07",
new Object[] { authURL + "*" });
//set Auth URL from configuration
- moasession.setAuthURL(AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + "/");
+ moasession.setAuthURL(authURL);
//check and set SourceID
if (oaParam.getSAML1Parameter() != null) {
@@ -314,7 +310,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
oaURL = request.getOAURL();
target = request.getTarget();
- parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, modul, action, req);
+ parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, modul, action, req, request);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
index c33cb3d81..ef5eaf5b9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java
@@ -164,7 +164,8 @@ public class GenerateIFrameTemplateServlet extends AuthServlet {
ccc,
moasession.getModul(),
moasession.getAction(),
- req);
+ req,
+ pendingReq);
}
ExecutionContext ec = new ExecutionContextImpl();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
index c1e084a59..53187088e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
@@ -60,6 +60,7 @@ import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
import at.gv.egovernment.moa.id.moduls.RequestStorage;
import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -85,14 +86,14 @@ public class LogOutServlet extends AuthServlet {
if (MiscUtil.isEmpty(redirectUrl)) {
//set default redirect Target
Logger.debug("Set default RedirectURL back to MOA-ID-Auth");
- redirectUrl = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ redirectUrl = HTTPUtils.extractAuthURLFromRequest(req);
} else {
//return an error if RedirectURL is not a active Online-Applikation
OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(redirectUrl);
if (oa == null) {
Logger.info("RedirctURL does not match to OA configuration. Set default RedirectURL back to MOA-ID-Auth");
- redirectUrl = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ redirectUrl = HTTPUtils.extractAuthURLFromRequest(req);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index 7dd8645c6..a914659b0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -36,6 +36,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.id.util.FormBuildUtils;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.URLEncoder;
@@ -64,8 +65,10 @@ public class RedirectServlet extends AuthServlet{
OAAuthParameter oa = null;
String redirectTarget = DEFAULT_REDIRECTTARGET;
try {
- oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url);
- if (oa == null && !url.startsWith(AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix())) {
+ oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url);
+ String authURL = HTTPUtils.extractAuthURLFromRequest(req);
+
+ if (oa == null && !AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().contains(authURL)) {
resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
return;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index e1ab0025e..d70cd6f50 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -420,7 +420,7 @@ public class CreateXMLSignatureResponseValidator {
String oaURL;
try {
- oaURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ oaURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().get(0);
} catch (ConfigurationException e1) {
oaURL = new String();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java
index d8f1a28c5..4da066e5b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java
@@ -81,7 +81,13 @@ public interface AuthConfiguration extends ConfigurationProvider{
public boolean isAdvancedLoggingActive();
- public String getPublicURLPrefix();
+ /**
+ * Returns the PublicURLPrefix.
+ *
+ * @return the PublicURLPrefix (one or more) of this IDP instance. All publicURLPrefix URLs are ends without /
+ * @throws ConfigurationException if no PublicURLPrefix is found.
+ */
+ public List<String> getPublicURLPrefix() throws ConfigurationException;
public boolean isPVP2AssertionEncryptionActive();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
index cb9ac890d..d99e92b22 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
@@ -6,6 +6,7 @@ import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
+import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
@@ -23,6 +24,7 @@ import org.springframework.context.support.ClassPathXmlApplicationContext;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.commons.config.persistence.MOAIDConfiguration;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.ConfigurationProviderImpl;
import at.gv.egovernment.moa.id.config.ConfigurationUtils;
@@ -754,20 +756,47 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
return Boolean.valueOf(prop);
}
- /**
- * Returns the PublicURLPrefix. NOTE: returns {@code null} if no PublicURLPrefix is set.
- *
- * @return the PublicURLPrefix or {@code null}
- */
- public String getPublicURLPrefix() {
- try {
- return configuration.getStringValue(
- MOAIDConfigurationConstants.GENERAL_PUBLICURLPREFIX);
+ public List<String> getPublicURLPrefix() throws ConfigurationException{
+ try {
+ String publicURLPrefixList = configuration.getStringValue(
+ MOAIDConfigurationConstants.GENERAL_PUBLICURLPREFIX);
+ List<String> returnValues = new ArrayList<String>();
+ if (publicURLPrefixList != null) {
+ publicURLPrefixList = KeyValueUtils.normalizeCSVValueString(publicURLPrefixList);
+ List<String> publicURLPrefixArray = Arrays.asList(publicURLPrefixList.split(","));
+ Logger.trace("Found " + publicURLPrefixArray.size() + " PublicURLPrefix in configuration.");
+
+
+ for (String el : publicURLPrefixArray) {
+ try {
+ new URL(el);
+ if (el.endsWith("/"))
+ returnValues.add(el.substring(0, el.length()-1));
+ else
+ returnValues.add(el);
+
+ } catch (MalformedURLException e) {
+ Logger.warn("IDP PublicURLPrefix URL " + el + " is not a valid URL", e);
+ }
+ }
+ }
+
+ if (returnValues.size() > 0)
+ return returnValues;
+
+ else {
+ Logger.warn("MOA-ID PublicURLPrefix is not found in configuration.");
+ throw new ConfigurationException("config.08", new Object[]{"IDP PublicURLPrefix"});
+
+ }
+
} catch (at.gv.egiz.components.configuration.api.ConfigurationException e) {
Logger.warn("MOA-ID PublicURLPrefix can not be read from configuration.", e);
- return null;
+ throw new ConfigurationException("config.08", new Object[]{"IDP PublicURLPrefix"}, e);
+
}
+
}
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java
index d1e04e107..a4bba8b19 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java
@@ -75,6 +75,7 @@ public class SLOInformationContainer implements Serializable {
if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI))
activeBackChannelOAs.put(oa.getOaurlprefix(),
new SLOInformationImpl(
+ oa.getAuthURL(),
oa.getAssertionSessionID(),
oa.getUserNameID(),
oa.getUserNameIDFormat(),
@@ -84,6 +85,7 @@ public class SLOInformationContainer implements Serializable {
else
activeFrontChannalOAs.put(oa.getOaurlprefix(),
new SLOInformationImpl(
+ oa.getAuthURL(),
oa.getAssertionSessionID(),
oa.getUserNameID(),
oa.getUserNameIDFormat(),
@@ -123,6 +125,7 @@ public class SLOInformationContainer implements Serializable {
activeFrontChannalOAs.put(el.getIdpurlprefix(),
new SLOInformationImpl(
+ el.getAuthURL(),
el.getSessionIndex(),
el.getUserNameID(),
NameID.TRANSIENT,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java
index 55b213702..55a56056d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java
@@ -39,17 +39,23 @@ public class SLOInformationImpl implements SLOInformationInterface, Serializable
private String nameIDFormat = null;
private String binding = null;
private String serviceURL = null;
+ private String authURL = null;
- public SLOInformationImpl(String sessionID, String nameID, String nameIDFormat, String protocolType) {
- new SLOInformationImpl(sessionID, nameID, nameIDFormat, protocolType, null);
+ public SLOInformationImpl(String authURL, String sessionID, String nameID, String nameIDFormat, String protocolType) {
+ new SLOInformationImpl(authURL, sessionID, nameID, nameIDFormat, protocolType, null);
}
- public SLOInformationImpl(String sessionID, String nameID, String nameIDFormat, String protocolType, SingleLogoutService sloService) {
+ public SLOInformationImpl(String authURL, String sessionID, String nameID, String nameIDFormat, String protocolType, SingleLogoutService sloService) {
this.sessionIndex = sessionID;
this.nameID = nameID;
this.nameIDFormat = nameIDFormat;
this.protocolType = protocolType;
+ if (authURL.endsWith("/"))
+ this.authURL = authURL.substring(0, authURL.length()-1);
+ else
+ this.authURL = authURL;
+
if (sloService != null) {
this.binding = sloService.getBinding();
this.serviceURL = sloService.getLocation();
@@ -148,6 +154,13 @@ public class SLOInformationImpl implements SLOInformationInterface, Serializable
public String getServiceURL() {
return serviceURL;
}
+
+ /**
+ * @return the authURL from requested IDP without ending /
+ */
+ public String getAuthURL() {
+ return authURL;
+ }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index f486829bf..86d7c232f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -46,6 +46,7 @@ import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
@@ -368,7 +369,10 @@ public class DispatcherServlet extends AuthServlet{
} catch (AuthnRequestValidatorException e) {
//log Error Message
StatisticLogger logger = StatisticLogger.getInstance();
- logger.logErrorOperation(e, e.getErrorRequest());
+ logger.logErrorOperation(e, e.getErrorRequest());
+
+ //TODO: maybe add some error message handling???
+
return;
}catch (InvalidProtocolRequestException e) {
@@ -381,6 +385,13 @@ public class DispatcherServlet extends AuthServlet{
"(Errorcode=" + code +
" | Description=" + descr + ")");
return;
+ } catch (ConfigurationException e) {
+ resp.setContentType("text/html;charset=UTF-8");
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!" +
+ "(Errorcode=9199"
+ +" | Description="+ e.getMessage() + ")");
+ return;
+
} catch (MOAIDException e) {
Logger.error("Failed to generate a valid protocol request!");
resp.setContentType("text/html;charset=UTF-8");
@@ -542,7 +553,7 @@ public class DispatcherServlet extends AuthServlet{
try {
//Store OA specific SSO session information
AuthenticationSessionStoreage.addSSOInformation(moasessionID,
- newSSOSessionId, assertionID, protocolRequest.getOAURL());
+ newSSOSessionId, assertionID, protocolRequest);
} catch (AuthenticationException e) {
Logger.warn("SSO Session information can not be stored -> SSO is not enabled!");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index f54cffc54..18fb08f1b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -194,7 +194,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
} catch (MOADatabaseException e) {
Logger.warn("Delete MOASession FAILED.");
- sloContainer.putFailedOA(AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix());
+ sloContainer.putFailedOA(pvpReq.getAuthURL());
}
@@ -257,8 +257,8 @@ public class AuthenticationManager extends MOAIDAuthConstants {
AssertionStorage.getInstance().put(relayState, sloContainer);
- String timeOutURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix()
- + "/idpSingleLogout"
+ String timeOutURL = pvpReq
+ + "idpSingleLogout"
+ "?restart=" + relayState;
VelocityContext context = new VelocityContext();
@@ -380,7 +380,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
String form = SendAssertionFormBuilder.buildForm(target.requestedModule(),
target.requestedAction(), target.getRequestID(), oaParam,
- AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix());
+ target.getAuthURL());
MOAReversionLogger.getInstance().logEvent(target.getOnlineApplicationConfiguration(),
target, MOAIDEventConstants.AUTHPROCESS_SSO_ASK_USER_START);
@@ -449,7 +449,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
authReq.setAssertionConsumerServiceIndex(0);
authReq.setIssueInstant(new DateTime());
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath();
+ String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath().get(0);
issuer.setValue(serviceURL);
issuer.setFormat(NameIDType.ENTITY);
@@ -672,7 +672,9 @@ public class AuthenticationManager extends MOAIDAuthConstants {
//Build authentication form
- String publicURLPreFix = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ String publicURLPreFix = target.getAuthURL();
+ if (publicURLPreFix.endsWith("/"))
+ publicURLPreFix = publicURLPreFix.substring(0, publicURLPreFix.length() - 1);
String loginForm = LoginFormBuilder.buildLoginForm(target.requestedModule(),
target.requestedAction(), oaParam, publicURLPreFix, moasession.getSessionID());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
index 6f43b3ee7..4ae271bbc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
@@ -49,5 +49,13 @@ public interface IRequest {
public List<Attribute> getRequestedAttributes();
public IOAAuthParameters getOnlineApplicationConfiguration();
+ /**
+ * get the IDP URL PreFix, which was used for authentication request
+ *
+ * @return IDP URL PreFix <String>. The URL prefix always ends without /
+ */
+ public String getAuthURL();
+ public String getAuthURLWithOutSlash();
+
//public void setTarget();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
index 26fb7bd29..c9482967f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
@@ -23,15 +23,25 @@
package at.gv.egovernment.moa.id.moduls;
import java.io.Serializable;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.util.List;
+import javax.servlet.http.HttpServletRequest;
+
import org.opensaml.saml2.core.Attribute;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
public abstract class RequestImpl implements IRequest, Serializable{
-
+
private static final long serialVersionUID = 1L;
private String oaURL;
@@ -44,12 +54,67 @@ public abstract class RequestImpl implements IRequest, Serializable{
private String requestID;
private String sessionIdentifier;
private IOAAuthParameters OAConfiguration = null;
+ private String authURL = null;
//MOA-ID interfederation
private String requestedIDP = null;
private MOAResponse response = null;
/**
+ * @throws ConfigurationException
+ *
+ */
+ public RequestImpl(HttpServletRequest req) throws ConfigurationException {
+ String authURLString = HTTPUtils.extractAuthURLFromRequest(req);
+ URL authURL;
+ try {
+ authURL = new URL(authURLString);
+
+ } catch (MalformedURLException e) {
+ Logger.error("IDP AuthenticationServiceURL Prefix is not a valid URL." + authURLString, e);
+ throw new ConfigurationException("1299", null, e);
+
+ }
+
+ List<String> configuredPublicURLPrefix =
+ AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+
+ if (MiscUtil.isEmpty(authURLString)) {
+ Logger.info("AuthenticationServiceURL extraction FAILED. Use default IDP PublicURLPrefix from configuration: " + configuredPublicURLPrefix.get(0));
+ this.authURL = configuredPublicURLPrefix.get(0);
+
+ } else {
+ Logger.debug("Extract AuthenticationServiceURL: " + authURLString);
+ URL resultURL = null;
+
+ for (String el : configuredPublicURLPrefix) {
+ try {
+ URL configuredURL = new URL(el);
+ if (configuredURL.getHost().equals(authURL.getHost()) &&
+ configuredURL.getPath().equals(authURL.getPath())) {
+ Logger.debug("Select configurated PublicURLPrefix: " + configuredURL
+ + " for authURL: " + authURLString);
+ resultURL = configuredURL;
+ }
+
+ } catch (MalformedURLException e) {
+ Logger.error("Configurated IDP PublicURLPrefix is not a valid URL." + el);
+
+ }
+ }
+
+ if (resultURL == null) {
+ Logger.warn("Extract AuthenticationServiceURL: " + authURL + " is NOT found in configuration.");
+ throw new ConfigurationException("config.25", new Object[]{authURLString});
+
+ } else {
+ this.authURL = resultURL.toExternalForm();
+
+ }
+ }
+ }
+
+ /**
* This method map the protocol specific requested attributes to PVP 2.1 attributes.
*
* @return List of PVP 2.1 attributes with maps all protocol specific attributes
@@ -169,4 +234,27 @@ public abstract class RequestImpl implements IRequest, Serializable{
this.OAConfiguration = oaConfig;
}
+
+ /**
+ * @return the authURL
+ */
+ public String getAuthURL() {
+ return authURL;
+ }
+
+ public String getAuthURLWithOutSlash() {
+ if (authURL.endsWith("/"))
+ return authURL.substring(0, authURL.length()-1);
+ else
+ return authURL;
+
+ }
+
+// /**
+// * @param authURL the authURL to set
+// */
+// public void setAuthURL(String authURL) {
+// this.authURL = authURL;
+// }
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
index d90df51e7..19eb9a5f9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -105,7 +105,7 @@ class OAuth20AuthAction implements IAction {
//TODO: maybe add bPK / wbPK to SLO information
- SLOInformationInterface sloInformation = new SLOInformationImpl(accessToken, null, null, req.requestedModule());
+ SLOInformationInterface sloInformation = new SLOInformationImpl(req.getAuthURL(), accessToken, null, null, req.requestedModule());
return sloInformation;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
index 3bef7844c..c375e674a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
@@ -48,6 +48,15 @@ import at.gv.egovernment.moa.logging.Logger;
public class OAuth20AuthRequest extends OAuth20BaseRequest {
+ /**
+ * @param req
+ * @throws ConfigurationException
+ */
+ public OAuth20AuthRequest(HttpServletRequest req)
+ throws ConfigurationException {
+ super(req);
+ }
+
private static final long serialVersionUID = 1L;
private String responseType;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java
index bd3fdb3e8..5fcac0b2f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java
@@ -31,8 +31,6 @@ import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang.StringUtils;
-import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
@@ -52,8 +50,8 @@ abstract class OAuth20BaseRequest extends RequestImpl {
protected Set<String> allowedParameters = new HashSet<String>();
- protected OAuth20BaseRequest() {
-
+ public OAuth20BaseRequest(HttpServletRequest req) throws ConfigurationException {
+ super(req);
}
protected String getParam(final HttpServletRequest request, final String name, final boolean isNeeded) throws OAuth20Exception {
@@ -124,15 +122,21 @@ abstract class OAuth20BaseRequest extends RequestImpl {
public static OAuth20BaseRequest newInstance(final String action, final HttpServletRequest request, String sessionId, String transactionId) throws OAuth20Exception {
OAuth20BaseRequest res;
-
- if (action.equals(OAuth20Protocol.AUTH_ACTION)) {
- res = new OAuth20AuthRequest();
+ try {
+ if (action.equals(OAuth20Protocol.AUTH_ACTION)) {
+ res = new OAuth20AuthRequest(request);
- } else if (action.equals(OAuth20Protocol.TOKEN_ACTION)) {
- res = new OAuth20TokenRequest();
+ } else if (action.equals(OAuth20Protocol.TOKEN_ACTION)) {
+ res = new OAuth20TokenRequest(request);
- } else {
+ } else {
+ throw new OAuth20InvalidRequestException();
+ }
+
+ } catch (ConfigurationException e) {
+ Logger.warn(e.getMessage());
throw new OAuth20InvalidRequestException();
+
}
res.setAction(action);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java
index 9d611b2f1..f8e34cdea 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java
@@ -41,6 +41,15 @@ import at.gv.egovernment.moa.logging.Logger;
class OAuth20TokenRequest extends OAuth20BaseRequest {
+ /**
+ * @param req
+ * @throws ConfigurationException
+ */
+ public OAuth20TokenRequest(HttpServletRequest req)
+ throws ConfigurationException {
+ super(req);
+ }
+
private static final long serialVersionUID = 1L;
private String code;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index 9f8b6610f..9327cabd7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -102,10 +102,10 @@ public class AttributQueryAction implements IAction {
List<String> attrList = addDefaultAttributes(attrQuery, authData);
//build PVP 2.1 assertion
- Assertion assertion = PVP2AssertionBuilder.buildAssertion(attrQuery, attrList, authData, date, authData.getSessionIndex());
+ Assertion assertion = PVP2AssertionBuilder.buildAssertion(req.getAuthURL(), attrQuery, attrList, authData, date, authData.getSessionIndex());
//build PVP 2.1 response
- Response authResponse = AuthResponseBuilder.buildResponse(attrQuery, date, assertion);
+ Response authResponse = AuthResponseBuilder.buildResponse(req.getAuthURL(), attrQuery, date, assertion);
try {
SoapBinding decoder = new SoapBinding();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
index 1b187d82e..50f91df44 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java
@@ -110,7 +110,7 @@ public class MetadataAction implements IAction {
// .setEntityID(PVPConfiguration.getInstance().getIDPSSOMetadataService());
idpEntityDescriptor
- .setEntityID(PVPConfiguration.getInstance().getIDPPublicPath());
+ .setEntityID(req.getAuthURLWithOutSlash());
idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_HOURS));
@@ -139,10 +139,10 @@ public class MetadataAction implements IAction {
idpEntitiesDescriptor.setSignature(signature);
//set IDP metadata
- idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(keyInfoGenerator));
+ idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(req, keyInfoGenerator));
//set SP metadata for interfederation
- idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(keyInfoGenerator));
+ idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(req, keyInfoGenerator));
DocumentBuilder builder;
DocumentBuilderFactory factory = DocumentBuilderFactory
@@ -190,7 +190,7 @@ public class MetadataAction implements IAction {
return (PVP2XProtocol.METADATA);
}
- private RoleDescriptor generateSPMetadata(KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException {
+ private RoleDescriptor generateSPMetadata(IRequest req, KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException {
Logger.debug("Set SP Metadata key information");
@@ -248,7 +248,7 @@ public class MetadataAction implements IAction {
postassertionConsumerService.setIndex(0);
postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
postassertionConsumerService.setLocation(PVPConfiguration
- .getInstance().getSPSSOPostService());
+ .getInstance().getSPSSOPostService(req.getAuthURL()));
postassertionConsumerService.setIsDefault(true);
spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService);
@@ -257,7 +257,7 @@ public class MetadataAction implements IAction {
redirectassertionConsumerService.setIndex(1);
redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
redirectassertionConsumerService.setLocation(PVPConfiguration
- .getInstance().getSPSSORedirectService());
+ .getInstance().getSPSSORedirectService(req.getAuthURL()));
spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService);
@@ -273,7 +273,7 @@ public class MetadataAction implements IAction {
SingleLogoutService redirectSLOService =
SAML2Utils.createSAMLObject(SingleLogoutService.class);
redirectSLOService.setLocation(PVPConfiguration
- .getInstance().getSPSSORedirectService());
+ .getInstance().getSPSSORedirectService(req.getAuthURL()));
redirectSLOService
.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
spSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
@@ -293,7 +293,7 @@ public class MetadataAction implements IAction {
return spSSODescriptor;
}
- private IDPSSODescriptor generateIDPMetadata(KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException {
+ private IDPSSODescriptor generateIDPMetadata(IRequest req, KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException {
// //set SignatureMethode
@@ -325,12 +325,12 @@ public class MetadataAction implements IAction {
idpSSODescriptor.setWantAuthnRequestsSigned(true);
- if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) {
+ if (PVPConfiguration.getInstance().getIDPSSOPostService(req.getAuthURL()) != null) {
//add SSO descriptor
SingleSignOnService postSingleSignOnService = SAML2Utils
.createSAMLObject(SingleSignOnService.class);
postSingleSignOnService.setLocation(PVPConfiguration
- .getInstance().getIDPSSOPostService());
+ .getInstance().getIDPSSOPostService(req.getAuthURL()));
postSingleSignOnService
.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
idpSSODescriptor.getSingleSignOnServices().add(
@@ -347,12 +347,12 @@ public class MetadataAction implements IAction {
}
- if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) {
+ if (PVPConfiguration.getInstance().getIDPSSORedirectService(req.getAuthURL()) != null) {
//add SSO descriptor
SingleSignOnService redirectSingleSignOnService = SAML2Utils
.createSAMLObject(SingleSignOnService.class);
redirectSingleSignOnService.setLocation(PVPConfiguration
- .getInstance().getIDPSSORedirectService());
+ .getInstance().getIDPSSORedirectService(req.getAuthURL()));
redirectSingleSignOnService
.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
idpSSODescriptor.getSingleSignOnServices().add(
@@ -362,7 +362,7 @@ public class MetadataAction implements IAction {
SingleLogoutService redirectSLOService =
SAML2Utils.createSAMLObject(SingleLogoutService.class);
redirectSLOService.setLocation(PVPConfiguration
- .getInstance().getIDPSSORedirectService());
+ .getInstance().getIDPSSORedirectService(req.getAuthURL()));
redirectSLOService
.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index a8349f0ef..544fd9925 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -85,6 +85,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;
@@ -97,6 +98,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.id.util.ErrorResponseUtils;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import at.gv.egovernment.moa.id.util.VelocityLogAdapter;
import at.gv.egovernment.moa.logging.Logger;
@@ -209,7 +211,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
if(METADATA.equals(action)) {
- return new PVPTargetConfiguration();
+ return new PVPTargetConfiguration(request);
}
@@ -386,7 +388,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
samlResponse.setIssueInstant(new DateTime());
Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
- nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ nissuer.setValue(pvpRequest.getAuthURLWithOutSlash());
nissuer.setFormat(NameID.ENTITY);
samlResponse.setIssuer(nissuer);
@@ -459,7 +461,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
HttpServletResponse response, InboundMessage inMsg,
String sessionId, String transactionId) throws MOAIDException {
- PVPTargetConfiguration config = new PVPTargetConfiguration();
+ PVPTargetConfiguration config = new PVPTargetConfiguration(request);
MOARequest msg;
if (inMsg instanceof MOARequest &&
@@ -495,13 +497,24 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
Logger.debug("PreProcess SLO Response from " + resp.getIssuer());
- if (!resp.getDestination().startsWith(
- PVPConfiguration.getInstance().getIDPPublicPath())) {
+ List<String> allowedPublicURLPrefix =
+ AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ boolean isAllowedDestination = false;
+
+ for (String prefix : allowedPublicURLPrefix) {
+ if (!resp.getDestination().startsWith(
+ prefix)) {
+ isAllowedDestination = true;
+ break;
+ }
+ }
+
+ if (!isAllowedDestination) {
Logger.warn("PVP 2.1 single logout response destination does not match to IDP URL");
throw new AssertionValidationExeption("PVP 2.1 single logout response destination does not match to IDP URL", null);
}
-
+
//TODO: check if relayState exists
inMsg.getRelayState();
@@ -532,7 +545,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
//validate destination
String destinaten = attrQuery.getDestination();
- if (!PVPConfiguration.getInstance().getIDPAttributeQueryService().equals(destinaten)) {
+ if (!PVPConfiguration.getInstance().getIDPAttributeQueryService(HTTPUtils.extractAuthURLFromRequest(request)).equals(destinaten)) {
Logger.warn("AttributeQuery destination does not match IDP AttributeQueryService URL");
throw new AttributQueryException("AttributeQuery destination does not match IDP AttributeQueryService URL", null);
@@ -557,7 +570,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
}
- PVPTargetConfiguration config = new PVPTargetConfiguration();
+ PVPTargetConfiguration config = new PVPTargetConfiguration(request);
config.setRequest(moaRequest);
config.setOAURL(moaRequest.getEntityID());
config.setOnlineApplicationConfiguration(oa);
@@ -585,7 +598,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
if(!(samlReq instanceof AuthnRequest)) {
throw new MOAIDException("Unsupported request", new Object[] {});
}
-
+
EntityDescriptor metadata = moaRequest.getEntityMetadata();
if(metadata == null) {
throw new NoMetadataInformationException();
@@ -606,6 +619,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
}
+
//parse AssertionConsumerService
AssertionConsumerService consumerService = null;
if (MiscUtil.isNotEmpty(authnRequest.getAssertionConsumerServiceURL()) &&
@@ -668,7 +682,7 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo {
Logger.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + consumerService.getBinding());
- PVPTargetConfiguration config = new PVPTargetConfiguration();
+ PVPTargetConfiguration config = new PVPTargetConfiguration(request);
config.setOAURL(oaURL);
config.setOnlineApplicationConfiguration(oa);
config.setBinding(consumerService.getBinding());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
index 74b20356e..0b402a0fd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
@@ -26,6 +26,8 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.impl.AuthnRequestImpl;
@@ -46,6 +48,16 @@ import at.gv.egovernment.moa.logging.Logger;
public class PVPTargetConfiguration extends RequestImpl {
+ /**
+ * @param req
+ * @throws ConfigurationException
+ */
+ public PVPTargetConfiguration(HttpServletRequest req)
+ throws ConfigurationException {
+ super(req);
+
+ }
+
private static final long serialVersionUID = 4889919265919638188L;
InboundMessage request;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 5402e3dce..1e0a9cf32 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -60,6 +60,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.id.util.VelocityProvider;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -151,11 +152,11 @@ public class PostBinding implements IDecoder, IEncoder {
//set metadata descriptor type
if (isSPEndPoint) {
messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService()));
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService(HTTPUtils.extractAuthURLFromRequest(req))));
} else {
messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService()));
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService(HTTPUtils.extractAuthURLFromRequest(req))));
}
} catch (ConfigurationException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 81863f48f..0a459a9be 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -60,6 +60,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -141,11 +142,11 @@ public class RedirectBinding implements IDecoder, IEncoder {
//set metadata descriptor type
if (isSPEndPoint) {
messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService()));
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService(HTTPUtils.extractAuthURLFromRequest(req))));
} else {
messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
- decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService()));
+ decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService(HTTPUtils.extractAuthURLFromRequest(req))));
}
} catch (ConfigurationException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
index 91888df5c..ebbafd4e3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
@@ -127,7 +127,7 @@ public class AttributQueryBuilder {
query.setIssueInstant(now);
Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
- nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath().get(0));
nissuer.setFormat(NameID.ENTITY);
query.setIssuer(nissuer);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java
index 4959df16c..24c2626e3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java
@@ -66,13 +66,15 @@ import at.gv.egovernment.moa.logging.Logger;
*/
public class AuthResponseBuilder {
- public static Response buildResponse(RequestAbstractType req, DateTime date, Assertion assertion) throws InvalidAssertionEncryptionException, ConfigurationException {
+ public static Response buildResponse(String authURL, RequestAbstractType req, DateTime date, Assertion assertion) throws InvalidAssertionEncryptionException, ConfigurationException {
Response authResponse = SAML2Utils.createSAMLObject(Response.class);
Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
//change to entity value from entity name to IDP EntityID (URL)
- nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ if (authURL.endsWith("/"))
+ authURL = authURL.substring(0, authURL.length()-1);
+ nissuer.setValue(authURL);
nissuer.setFormat(NameID.ENTITY);
authResponse.setIssuer(nissuer);
authResponse.setInResponseTo(req.getID());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index 50f42d928..df68a1029 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -215,8 +215,8 @@ public class SingleLogOutBuilder {
}
DateTime now = new DateTime();
- Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
+ issuer.setValue(sloInfo.getAuthURL());
issuer.setFormat(NameID.ENTITY);
sloReq.setIssuer(issuer);
sloReq.setIssueInstant(now);
@@ -277,7 +277,7 @@ public class SingleLogOutBuilder {
private static LogoutResponse buildBasicResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException {
LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class);
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ issuer.setValue(spRequest.getAuthURLWithOutSlash());
issuer.setFormat(NameID.ENTITY);
sloResp.setIssuer(issuer);
sloResp.setIssueInstant(new DateTime());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 61bc51565..065118e2b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -90,7 +90,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
public class PVP2AssertionBuilder implements PVPConstants {
- public static Assertion buildAssertion(AttributeQuery attrQuery,
+ public static Assertion buildAssertion(String authURL, AttributeQuery attrQuery,
List<String> reqAttributes, IAuthData authData, DateTime date, String sessionIndex) throws ConfigurationException {
@@ -136,12 +136,12 @@ public class PVP2AssertionBuilder implements PVPConstants {
SubjectConfirmationData subjectConfirmationData = null;
- return buildGenericAssertion(attrQuery.getIssuer().getValue(), date,
+ return buildGenericAssertion(authURL, attrQuery.getIssuer().getValue(), date,
authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex,
new DateTime(authData.getSsoSessionValidTo().getTime()));
}
- public static Assertion buildAssertion(AuthnRequest authnRequest,
+ public static Assertion buildAssertion(String authURL, AuthnRequest authnRequest,
IAuthData authData, EntityDescriptor peerEntity, DateTime date,
AssertionConsumerService assertionConsumerService, SLOInformationImpl sloInformation)
throws MOAIDException {
@@ -416,10 +416,25 @@ public class PVP2AssertionBuilder implements PVPConstants {
sloInformation.setNameIDFormat(subjectNameID.getFormat());
sloInformation.setSessionIndex(sessionIndex);
- return buildGenericAssertion(peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter());
+ return buildGenericAssertion(authURL, peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter());
}
- private static Assertion buildGenericAssertion(String entityID, DateTime date,
+ /**
+ *
+ * @param authURL IDP PublicURL PreFix
+ * @param entityID Service Provider EntityID
+ * @param date
+ * @param authnContextClassRef
+ * @param attrList
+ * @param subjectNameID
+ * @param subjectConfirmationData
+ * @param sessionIndex
+ * @param isValidTo
+ * @return
+ * @throws ConfigurationException
+ */
+
+ private static Assertion buildGenericAssertion(String authURL, String entityID, DateTime date,
AuthnContextClassRef authnContextClassRef, List<Attribute> attrList,
NameID subjectNameID, SubjectConfirmationData subjectConfirmationData,
String sessionIndex, DateTime isValidTo) throws ConfigurationException {
@@ -471,7 +486,9 @@ public class PVP2AssertionBuilder implements PVPConstants {
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ if (authURL.endsWith("/"))
+ authURL = authURL.substring(0, authURL.length()-1);
+ issuer.setValue(authURL);
issuer.setFormat(NameID.ENTITY);
assertion.setIssuer(issuer);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
index dc3b787e4..47d7a29b3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
@@ -121,43 +121,46 @@ public class PVPConfiguration {
}
}
- public String getIDPPublicPath() throws ConfigurationException {
- String publicPath = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
- if(publicPath != null) {
- if(publicPath.endsWith("/")) {
- int length = publicPath.length();
- publicPath = publicPath.substring(0, length-1);
- }
+ public List<String> getIDPPublicPath() throws ConfigurationException {
+ List<String> publicPath = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ List<String> returnvalue = new ArrayList<String>();
+ for (String el : publicPath) {
+ if(el.endsWith("/")) {
+ int length = el.length();
+ returnvalue.add(el.substring(0, length-1));
+
+ } else
+ returnvalue.add(el);
}
- return publicPath;
+ return returnvalue;
}
- public String getSPSSOPostService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_SP_POST;
+ public String getSPSSOPostService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_SP_POST;
}
- public String getSPSSORedirectService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_SP_REDIRECT;
+ public String getSPSSORedirectService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_SP_REDIRECT;
}
- public String getIDPSSOPostService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_IDP_POST;
+ public String getIDPSSOPostService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_IDP_POST;
}
- public String getIDPSSORedirectService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_IDP_REDIRECT;
+ public String getIDPSSORedirectService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_IDP_REDIRECT;
}
- public String getIDPSSOSOAPService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_IDP_SOAP;
+ public String getIDPSSOSOAPService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_IDP_SOAP;
}
- public String getIDPAttributeQueryService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_IDP_ATTRIBUTEQUERY;
+ public String getIDPAttributeQueryService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_IDP_ATTRIBUTEQUERY;
}
- public String getIDPSSOMetadataService() throws ConfigurationException {
- return getIDPPublicPath() + PVP2_METADATA;
+ public String getIDPSSOMetadataService(String publicURLPrefix) throws ConfigurationException {
+ return publicURLPrefix + PVP2_METADATA;
}
public String getIDPKeyStoreFilename() {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index a31258784..059e68865 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -82,10 +82,10 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
SLOInformationImpl sloInformation = new SLOInformationImpl();
//build Assertion
- Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authData,
+ Assertion assertion = PVP2AssertionBuilder.buildAssertion(obj.getAuthURL(), authnRequest, authData,
peerEntity, date, consumerService, sloInformation);
- Response authResponse = AuthResponseBuilder.buildResponse(authnRequest, date, assertion);
+ Response authResponse = AuthResponseBuilder.buildResponse(obj.getAuthURL(), authnRequest, date, assertion);
IEncoder binding = null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 70b778c49..2e5f78611 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -61,6 +61,7 @@ import org.xml.sax.SAXException;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException;
@@ -175,10 +176,20 @@ public class SAMLVerificationEngine {
if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
- if (validateDestination && !samlResp.getDestination().startsWith(
- PVPConfiguration.getInstance().getIDPPublicPath())) {
+ List<String> allowedPublicURLPrefix =
+ AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ boolean isValidDestination = false;
+ for (String allowedPreFix : allowedPublicURLPrefix) {
+ if (validateDestination && samlResp.getDestination().startsWith(
+ allowedPreFix)) {
+ isValidDestination = true;
+ break;
+
+ }
+ }
+ if (!isValidDestination) {
Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
- throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);
+ throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
index 2019b0d20..621c7c753 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
@@ -81,7 +81,7 @@ public class GetArtifactAction implements IAction {
String samlArtifactBase64 = saml1server.BuildSAMLArtifact(oaParam, authData, sourceID);
if (authData.isSsoSession()) {
- String url = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + "/RedirectServlet";
+ String url = req.getAuthURL() + "/RedirectServlet";
url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8"));
if (!oaParam.getBusinessService())
url = addURLParameter(url, MOAIDAuthConstants.PARAM_TARGET, URLEncoder.encode(req.getTarget(), "UTF-8"));
@@ -110,7 +110,7 @@ public class GetArtifactAction implements IAction {
}
SLOInformationInterface sloInformation =
- new SLOInformationImpl(authData.getAssertionID(), null, null, req.requestedModule());
+ new SLOInformationImpl(req.getAuthURL(), authData.getAssertionID(), null, null, req.requestedModule());
return sloInformation;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
index 7416dfb00..ddd1f1394 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
@@ -101,7 +101,7 @@ public class SAML1Protocol extends MOAIDAuthConstants implements IModulInfo {
public IRequest preProcess(HttpServletRequest request,
HttpServletResponse response, String action,
String sessionId, String transactionId) throws MOAIDException {
- SAML1RequestImpl config = new SAML1RequestImpl();
+ SAML1RequestImpl config = new SAML1RequestImpl(request);
if (!AuthConfigurationProviderFactory.getInstance().getAllowedProtocols().isSAML1Active()) {
Logger.info("SAML1 is deaktivated!");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
index 5370573a7..3da7cab80 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
@@ -25,6 +25,8 @@ package at.gv.egovernment.moa.id.protocols.saml1;
import java.util.ArrayList;
import java.util.List;
+import javax.servlet.http.HttpServletRequest;
+
import org.opensaml.saml2.core.Attribute;
import at.gv.egovernment.moa.id.config.ConfigurationException;
@@ -42,6 +44,16 @@ import at.gv.egovernment.moa.logging.Logger;
*/
public class SAML1RequestImpl extends RequestImpl {
+ /**
+ * @param req
+ * @throws ConfigurationException
+ */
+ public SAML1RequestImpl(HttpServletRequest req)
+ throws ConfigurationException {
+ super(req);
+
+ }
+
private static final long serialVersionUID = -4961979968425683115L;
private String sourceID = null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java
index 25cb952d7..7757f5af6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java
@@ -83,7 +83,7 @@ public class AttributeCollector implements IAction {
if (httpReq.getParameter("SAMLResponse") != null) {
Logger.info("Got SAML response from external attribute provider.");
- MOASTORKResponse STORK2Response = new MOASTORKResponse();
+ MOASTORKResponse STORK2Response = new MOASTORKResponse(httpReq);
//extract STORK Response from HTTP Request
byte[] decSamlToken;
@@ -173,7 +173,7 @@ public class AttributeCollector implements IAction {
SLOInformationImpl sloInfo = (SLOInformationImpl) processRequest(container, httpReq, httpResp, authData, oaParam);
if (sloInfo == null) {
- sloInfo = new SLOInformationImpl(null, null, null, req.requestedModule());
+ sloInfo = new SLOInformationImpl(req.getAuthURL(), null, null, null, req.requestedModule());
}
return sloInfo;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
index 59db5797d..887944366 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
@@ -85,7 +85,7 @@ public class AuthenticationRequest implements IAction {
if (oaParam == null)
throw new AuthenticationException("stork.12", new Object[]{req.getOAURL()});
- MOASTORKResponse moaStorkResponse = new MOASTORKResponse();
+ MOASTORKResponse moaStorkResponse = new MOASTORKResponse(httpReq);
// check if it is attribute query
if (moaStorkRequest.isAttrRequest()) {
@@ -217,9 +217,9 @@ public class AuthenticationRequest implements IAction {
String destinationURL = null;
try {
- issuer = new URL(AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix()).toString();
+ issuer = new URL(moaStorkRequest.getAuthURL()).toString();
destinationURL = AuthConfigurationProviderFactory.getInstance().getStorkConfig().getCPEPS(citizenCountryCode).getPepsURL().toString();
- publicURLPrefix = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ publicURLPrefix = moaStorkRequest.getAuthURL();
assertionConsumerURL = publicURLPrefix + "/stork2/SendPEPSAuthnRequest";
} catch (MalformedURLException ex) {
Logger.error("Wrong PublicURLPrefix setting of MOA instance: " + AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(), ex);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java
index e9a1c2f1d..3f1e96f2f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java
@@ -26,6 +26,8 @@ import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
+import javax.servlet.http.HttpServletRequest;
+
import org.opensaml.saml2.core.Attribute;
import at.gv.egovernment.moa.id.auth.builder.DynamicOAAuthParameterBuilder;
@@ -53,6 +55,15 @@ import eu.stork.peps.auth.commons.STORKAuthnResponse;
*/
public class MOASTORKRequest extends RequestImpl {
+ /**
+ * @param req
+ * @throws ConfigurationException
+ */
+ public MOASTORKRequest(HttpServletRequest req)
+ throws ConfigurationException {
+ super(req);
+ }
+
public static final List<String> DEFAULTREQUESTEDATTRFORINTERFEDERATION = Arrays.asList(
new String[] {
PVPConstants.BPK_NAME,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKResponse.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKResponse.java
index d2cf2e813..a233835bf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKResponse.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKResponse.java
@@ -22,6 +22,7 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.stork2;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.moduls.IRequest;
import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.logging.Logger;
@@ -33,6 +34,8 @@ import eu.stork.peps.auth.commons.STORKAuthnResponse;
import java.io.Serializable;
import java.util.List;
+import javax.servlet.http.HttpServletRequest;
+
import org.opensaml.saml2.core.Attribute;
/**
@@ -43,6 +46,15 @@ import org.opensaml.saml2.core.Attribute;
public class MOASTORKResponse extends RequestImpl {
/**
+ * @param req
+ * @throws ConfigurationException
+ */
+ public MOASTORKResponse(HttpServletRequest req)
+ throws ConfigurationException {
+ super(req);
+ }
+
+ /**
* The Constant serialVersionUID.
*/
private static final long serialVersionUID = -5798803155055518747L;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java
index e58fe804f..2351450e4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java
@@ -92,7 +92,7 @@ public class MandateRetrievalRequest implements IAction {
if (oaParam == null)
throw new AuthenticationException("stork.12", new Object[]{req.getOAURL()});
- MOASTORKResponse moaStorkResponse = new MOASTORKResponse();
+ MOASTORKResponse moaStorkResponse = new MOASTORKResponse(httpReq);
STORKAttrQueryResponse attrResponse = new STORKAttrQueryResponse();
this.authData = authData;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java
index 071b5ae8a..c4f9658e4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java
@@ -91,8 +91,8 @@ public class STORKProtocol extends MOAIDAuthConstants implements IModulInfo {
Logger.debug("Request content length: " + request.getContentLength());
Logger.debug("Initiating action: " + action);
- MOASTORKRequest STORK2Request = new MOASTORKRequest();
- MOASTORKResponse STORK2Response = new MOASTORKResponse();
+ MOASTORKRequest STORK2Request = new MOASTORKRequest(request);
+ MOASTORKResponse STORK2Response = new MOASTORKResponse(request);
if (AttributeCollector.class.getSimpleName().equals(action) || ConsentEvaluator.class.getSimpleName().equals(action))
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index 4b4b5ddc5..c53bacad0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -355,7 +355,7 @@ public class AuthenticationSessionStoreage {
}
public static void addSSOInformation(String moaSessionID, String SSOSessionID,
- SLOInformationInterface SLOInfo, String OAUrl) throws AuthenticationException {
+ SLOInformationInterface SLOInfo, IRequest protocolRequest) throws AuthenticationException {
AuthenticatedSessionStore dbsession;
Transaction tx = null;
@@ -390,7 +390,7 @@ public class AuthenticationSessionStoreage {
//check if OA already has an active OA session
if (dbsession.getActiveOAsessions() != null) {
for (OASessionStore el : dbsession.getActiveOAsessions()) {
- if (el.getOaurlprefix().equals(OAUrl))
+ if (el.getOaurlprefix().equals(protocolRequest.getOAURL()))
activeOA = el;
}
}
@@ -399,7 +399,7 @@ public class AuthenticationSessionStoreage {
activeOA = new OASessionStore();
//set active OA applications
- activeOA.setOaurlprefix(OAUrl);
+ activeOA.setOaurlprefix(protocolRequest.getOAURL());
activeOA.setMoasession(dbsession);
activeOA.setCreated(new Date());
@@ -410,6 +410,7 @@ public class AuthenticationSessionStoreage {
activeOA.setUserNameIDFormat(SLOInfo.getUserNameIDFormat());
activeOA.setProtocolType(SLOInfo.getProtocolType());
activeOA.setAttributeQueryUsed(false);
+ activeOA.setAuthURL(protocolRequest.getAuthURL());
}
@@ -441,10 +442,10 @@ public class AuthenticationSessionStoreage {
tx.commit();
if (SLOInfo != null)
- Logger.info("Add SSO-Session login information for OA: " + OAUrl
+ Logger.info("Add SSO-Session login information for OA: " + protocolRequest.getOAURL()
+ " and AssertionID: " + SLOInfo.getSessionIndex());
else
- Logger.info("Add SSO-Session login information for OA: " + OAUrl);
+ Logger.info("Add SSO-Session login information for OA: " + protocolRequest.getOAURL());
}
@@ -807,6 +808,7 @@ public class AuthenticationSessionStoreage {
idp = new InterfederationSessionStore();
idp.setCreated(now);
idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID());
+ idp.setAuthURL(req.getAuthURL());
try {
OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java
index 1f08d9019..2aceb833c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java
@@ -156,5 +156,21 @@ public class HTTPUtils {
return buffer.toString();
}
+
+ /**
+ * Extract the IDP PublicURLPrefix from authrequest
+ *
+ * @param req HttpServletRequest
+ * @return PublicURLPrefix <String> which ends always without /
+ */
+ public static String extractAuthURLFromRequest(HttpServletRequest req) {
+ String authURL = req.getScheme() + "://" + req.getServerName();
+ if ((req.getScheme().equalsIgnoreCase("https") && req.getServerPort()!=443) || (req.getScheme().equalsIgnoreCase("http") && req.getServerPort()!=80)) {
+ authURL = authURL.concat(":" + req.getServerPort());
+ }
+ authURL = authURL.concat(req.getContextPath());
+ return authURL;
+
+ }
}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index aca37f072..8cf9964c4 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -79,6 +79,7 @@ config.21=F\u00FCr diese Online Applikation sind keine Vollmachtsprofile hinterl
config.22=F\u00FCr den Interfederation-Gateway mit der ID {0} ist kein Endpunkt zur Weiterleitung konfiguriert.
config.23=Fehler beim initialisieren von OpenSAML
config.24=MOA-ID-Auth Configfile {1} does not start with {0} prefix.
+config.25=Der verwendete IDP PublicURLPrefix {0} ist nicht erlaubt.
parser.00=Leichter Fehler beim Parsen: {0}
parser.01=Fehler beim Parsen: {0}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index fa332f0c7..342d54f7f 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -58,6 +58,7 @@ config.21=9006
config.22=9008
config.23=9199
config.24=9199
+config.25=9199
parser.00=1101
parser.01=1101