diff options
Diffstat (limited to 'id/server/modules/moa-id-module-ssoTransfer/src')
10 files changed, 316 insertions, 114 deletions
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java index a93412b11..b9ab4f307 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java @@ -28,10 +28,11 @@ import java.util.List; import org.w3c.dom.Element; -import eu.stork.peps.auth.commons.IPersonalAttributeList; -import eu.stork.peps.auth.commons.STORKAuthnRequest; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.data.AuthenticationRole; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.MISMandate; @@ -44,9 +45,12 @@ import at.gv.egovernment.moa.logging.Logger; public class SSOTransferAuthenticationData implements IAuthData { private AuthenticationSession authSession = null; + boolean isIDPPrivateService = true; - public SSOTransferAuthenticationData(AuthenticationSession authSession) { + public SSOTransferAuthenticationData(AuthConfiguration authConfig, AuthenticationSession authSession) throws ConfigurationException { this.authSession = authSession; + String domainIdentifier = authConfig.getSSOTagetIdentifier().trim(); + isIDPPrivateService = domainIdentifier.startsWith(MOAIDAuthConstants.PREFIX_WPBK); } @@ -74,7 +78,7 @@ public class SSOTransferAuthenticationData implements IAuthData { */ @Override public boolean isBusinessService() { - return this.authSession.getBusinessService(); + return this.isIDPPrivateService; } /* (non-Javadoc) @@ -358,28 +362,20 @@ public class SSOTransferAuthenticationData implements IAuthData { } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.data.IAuthData#getStorkAuthnRequest() + * @see at.gv.egovernment.moa.id.data.IAuthData#getEIDASQAALevel() */ @Override - public STORKAuthnRequest getStorkAuthnRequest() { + public String getEIDASQAALevel() { // TODO Auto-generated method stub return null; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.data.IAuthData#getStorkAuthnResponse() - */ - @Override - public String getStorkAuthnResponse() { - // TODO Auto-generated method stub - return null; - } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.data.IAuthData#getStorkAttributes() + * @see at.gv.egovernment.moa.id.data.IAuthData#getGenericData(java.lang.String, java.lang.Class) */ @Override - public IPersonalAttributeList getStorkAttributes() { + public <T> T getGenericData(String key, Class<T> clazz) { // TODO Auto-generated method stub return null; } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java index 9b5005a61..4ba2e1a01 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java @@ -441,4 +441,13 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { return null; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isRemovePBKFromAuthBlock() + */ + @Override + public boolean isRemovePBKFromAuthBlock() { + // TODO Auto-generated method stub + return false; + } + } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java new file mode 100644 index 000000000..d33b157e0 --- /dev/null +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java @@ -0,0 +1,201 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.ssotransfer.servlet; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.PrintWriter; +import java.util.Date; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.velocity.VelocityContext; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; + +import com.google.gson.JsonObject; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.moduls.SSOManager; +import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.storage.ITransactionStorage; +import at.gv.egovernment.moa.id.util.HTTPUtils; +import at.gv.egovernment.moa.id.util.Random; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.MiscUtil; +import net.glxn.qrgen.QRCode; +import net.glxn.qrgen.image.ImageType; + + + +/** + * @author tlenz + * + */ +//@WebServlet(name = "SSOTransferGUI", value = "/TransferSSOSession") +@Controller +public class SSOTransferServlet{ + + private static final long transmisionTimeOut = 90 * 1000; // default 90 secundes + + @Autowired SSOManager ssomanager; + @Autowired IAuthenticationSessionStoreage authenticationSessionStorage; + @Autowired SSOContainerUtils ssoTransferUtils; + @Autowired ITransactionStorage transactionStorage; + + public SSOTransferServlet() { + super(); + Logger.debug("Registering servlet " + getClass().getName() + + " with mapping {'/TransferSSOSession','/TransmitSSOSession'}."); + } + + @RequestMapping(value = { "/TransmitSSOSession" + }, + method = {RequestMethod.GET}) + public void transferToPhone(HttpServletRequest req, HttpServletResponse resp) throws IOException { + Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN); + if (tokenObj != null && tokenObj instanceof String) { + String token = (String)tokenObj; + try { + String signedEncSession = transactionStorage.get(token, String.class, transmisionTimeOut); + if (MiscUtil.isNotEmpty(signedEncSession)) { + resp.setContentType("text/html;charset=UTF-8"); + PrintWriter out = new PrintWriter(resp.getOutputStream()); + out.print(signedEncSession); + out.flush(); + + } else { + Logger.info("Servlet " + getClass().getName() + " receive a token:" + + token + ", which references an empty data object."); + resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Empty data object."); + + } + + } catch (MOADatabaseException e) { + Logger.info("Servlet " + getClass().getName() + " receive a token:" + + token + ", which is UNKNOWN."); + resp.sendError(HttpServletResponse.SC_NOT_FOUND, "Transfer token is UNKOWN:"); + + + } catch (AuthenticationException e) { + Logger.info("Servlet " + getClass().getName() + " receive a token:" + + token + ", which has a timeout."); + resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Single Sign-On session transfer token is not valid any more."); + + } + + } else { + Logger.info("Servlet " + getClass().getName() + " receive a NOT valid request."); + resp.sendError(HttpServletResponse.SC_NOT_FOUND, "Request not valid."); + + } + + + } + + + @RequestMapping(value = { "/TransferSSOSession" + }, + method = {RequestMethod.GET}) + public void transferSSOSessionGUI(HttpServletRequest req, HttpServletResponse resp) throws IOException { + //search SSO session + String ssoid = ssomanager.getSSOSessionID(req); + + VelocityContext context = new VelocityContext(); + + try { + if (ssomanager.isValidSSOSession(ssoid, null)) { + Object createQRObj = req.getParameter(SSOTransferConstants.REQ_PARAM_GENERATE_QR); + if (createQRObj != null && createQRObj instanceof Integer) { + + + + } else { + //create first step of SSO Transfer GUI + String authURL = HTTPUtils.extractAuthURLFromRequest(req); + if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(). + contains(authURL)) { + Logger.warn("Requested URL is not allowed.");; + resp.sendError(500, "Requested URL is not allowed."); + + } + + String moaSessionID = authenticationSessionStorage.getMOASessionSSOID(ssoid); + if (MiscUtil.isNotEmpty(moaSessionID)) { + AuthenticationSession authSession = authenticationSessionStorage.getSession(moaSessionID); + if(authSession != null) { + Date now = new Date(); + String encodedSSOContainer = ssoTransferUtils.generateSignedAndEncryptedSSOContainer(authURL, authSession, now); + + String token = Random.nextRandom(); + transactionStorage.put(token, encodedSSOContainer); + + String containerURL = authURL + + SSOTransferConstants.SERVLET_SSOTRANSFER_TO_SMARTPHONE + + "?"+ SSOTransferConstants.REQ_PARAM_TOKEN + "=" + token; + + JsonObject qrResult = new JsonObject(); + qrResult.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_TYPE, + SSOTransferConstants.SSOCONTAINER_VALUE_TYPE_PERSIST); + qrResult.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_URL, containerURL); + + ByteArrayOutputStream qrStream = + QRCode.from(qrResult.toString()).to(ImageType.GIF).withSize(300, 300).stream(); + String base64EncodedImage = Base64Utils.encode(qrStream.toByteArray()); + context.put("QRImage", base64EncodedImage); + + context.put("successMsg", "Scan the QR-Code with your <i>SSO-Transfer App</i> to start the transfer operation."); + + GUIUtils.printSSOTransferGUI(context, resp); + + } + } + } + + } else { + context.put("errorMsg", + "No active Single Sign-On session found! SSO Session transfer is not possible."); + GUIUtils.printSSOTransferGUI(context, resp); + } + + } catch (MOAIDException | MOADatabaseException e) { + e.printStackTrace(); + resp.sendError(500, e.getMessage()); + + } + + } + + +} diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java index b82417ae6..b53916338 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java @@ -24,37 +24,33 @@ package at.gv.egovernment.moa.id.auth.modules.ssotransfer.servlet; import java.io.IOException; -import javax.servlet.ServletException; -import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; + +import at.gv.egovernment.moa.id.auth.servlet.AbstractProcessEngineSignalController; import at.gv.egovernment.moa.logging.Logger; /** * @author tlenz * */ -@WebServlet(urlPatterns = { "/SSOTransferSignalEndpoint" }, loadOnStartup = 1) -public class SSOTransferSignalServlet extends ProcessEngineSignalServlet { - - private static final long serialVersionUID = 8372275858647807149L; - +@Controller +public class SSOTransferSignalServlet extends AbstractProcessEngineSignalController { public SSOTransferSignalServlet() { super(); Logger.debug("Registering servlet " + getClass().getName() + " with mappings '/SSOTransferEndpoint'."); } - protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - Logger.debug("Receive http-POST request."); - super.doPost(req, resp); - - } - - protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - Logger.debug("Receive http-GET request."); - super.doPost(req, resp); + @RequestMapping(value = { "/SSOTransferSignalEndpoint" + }, + method = {RequestMethod.POST, RequestMethod.GET}) + public void performSSOTransfer(HttpServletRequest req, HttpServletResponse resp) throws IOException { + signalProcessManagement(req, resp); + } } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java index 67566afe5..e84c60ec5 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java @@ -22,32 +22,27 @@ */ package at.gv.egovernment.moa.id.auth.modules.ssotransfer.task; -import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_SESSIONID; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.velocity.VelocityContext; +import org.springframework.stereotype.Component; -import at.gv.egovernment.moa.id.auth.BaseAuthenticationServer; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.moduls.IRequest; -import at.gv.egovernment.moa.id.moduls.RequestStorage; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.util.HTTPUtils; -import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; /** * @author tlenz * */ +@Component("InitializeRestoreSSOSessionTask") public class InitializeRestoreSSOSessionTask extends AbstractAuthServletTask { /* (non-Javadoc) @@ -67,27 +62,17 @@ public class InitializeRestoreSSOSessionTask extends AbstractAuthServletTask { response.sendError(500, "Requested URL is not allowed."); } - - String sessionID = (String) executionContext.get(PARAM_SESSIONID); - String pendingRequestID = (String) executionContext.get("pendingRequestID"); - - // check parameter - if (!ParamValidatorUtils.isValidSessionID(sessionID)) { - throw new WrongParametersException("CreateStorkAuthRequestFormTask", PARAM_SESSIONID, "auth.12"); - } - AuthenticationSession moasession = BaseAuthenticationServer.getSession(sessionID); - IRequest pendingReq = RequestStorage.getPendingRequest(pendingRequestID); - - VelocityContext context = GUIUtils.buildSSOTransferGUI(authURL, moasession); + + VelocityContext context = GUIUtils.buildSSOTransferGUI(authURL, pendingReq.getRequestID()); GUIUtils.printSSOTransferGUI(context, response); } catch (WrongParametersException | AuthenticationException e) { - throw new TaskExecutionException(e.getMessage(), e); + throw new TaskExecutionException(pendingReq, e.getMessage(), e); } catch (Exception e) { Logger.error(this.getClass().getName() + " has an interal Error.", e); - throw new TaskExecutionException(this.getClass().getName() + " has an interal Error.", e); + throw new TaskExecutionException(pendingReq, this.getClass().getName() + " has an interal Error.", e); } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java index 006b27167..6ba29fe3a 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java @@ -22,8 +22,6 @@ */ package at.gv.egovernment.moa.id.auth.modules.ssotransfer.task; -import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_SESSIONID; - import java.io.BufferedReader; import java.io.IOException; @@ -34,15 +32,13 @@ import org.apache.commons.lang3.BooleanUtils; import org.apache.velocity.VelocityContext; import org.joda.time.DateTime; import org.opensaml.saml2.core.Response; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; import com.google.gson.JsonObject; import com.google.gson.JsonParser; -import at.gv.egovernment.moa.id.auth.BaseAuthenticationServer; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; @@ -50,13 +46,9 @@ import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.moduls.IRequest; -import at.gv.egovernment.moa.id.moduls.RequestStorage; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; -import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.HTTPUtils; -import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -64,8 +56,11 @@ import at.gv.egovernment.moa.util.MiscUtil; * @author tlenz * */ +@Component("RestoreSSOSessionTask") public class RestoreSSOSessionTask extends AbstractAuthServletTask { + @Autowired SSOContainerUtils ssoTransferUtils; + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) */ @@ -78,21 +73,8 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { StringBuffer sb = new StringBuffer(); String receivedPostMessage = null; - AuthenticationSession moasession = null; - IRequest pendingReq = null; String authURL =null; - try { - String sessionID = (String) request.getParameter(PARAM_SESSIONID); - String pendingRequestID = (String) executionContext.get("pendingRequestID"); - - // check parameter - if (!ParamValidatorUtils.isValidSessionID(sessionID)) { - throw new WrongParametersException("RestoreSSOSessionTask", PARAM_SESSIONID, "auth.12"); - - } - moasession = BaseAuthenticationServer.getSession(sessionID); - pendingReq = RequestStorage.getPendingRequest(pendingRequestID); - + try { BufferedReader reader = request.getReader(); String line = null; while ((line = reader.readLine()) != null) { @@ -104,11 +86,19 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { } catch (IOException e) { Logger.warn("Received POST-message produce an ERROR.", e); - } catch (WrongParametersException | AuthenticationException e) { - throw new TaskExecutionException(e.getMessage(), e); - } + //session is valid --> load MOASession object + try { + defaultTaskInitialization(request, executionContext); + + } catch (MOAIDException | MOADatabaseException e1) { + Logger.error("Database Error! MOASession is not stored!"); + throw new TaskExecutionException(pendingReq, "Load MOASession FAILED.", e1); + + } + + if (MiscUtil.isNotEmpty(receivedPostMessage)) { Logger.debug("Receive POST-Message data. Start data-validation process ... "); try { @@ -125,12 +115,14 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { if (PVPConfiguration.getInstance().getIDPPublicPath().contains(entityID)) { // stored SSO session data is from this IDP - start local session reconstruction - Response ssoInformation = SSOContainerUtils.validateReceivedSSOContainer(sessionBlob); - SSOContainerUtils.parseSSOContainerToMOASessionDataObject(pendingReq, moasession, ssoInformation); + Response ssoInformation = ssoTransferUtils.validateReceivedSSOContainer(sessionBlob); + + //transfer SSO Assertion into MOA-Session + ssoTransferUtils.parseSSOContainerToMOASessionDataObject(pendingReq, moasession, ssoInformation); // store MOASession into database try { - AuthenticationSessionStoreage.storeSession(moasession); + authenticatedSessionStorage.storeSession(moasession); } catch (MOADatabaseException e) { Logger.error("Database Error! MOASession is not stored!"); @@ -151,7 +143,7 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { } catch (Exception e) { Logger.error("Parse reveived JSON data-object " + sb.toString() + " FAILED!", e); - throw new TaskExecutionException("JSON data is not parseable.", e); + throw new TaskExecutionException(pendingReq, "JSON data is not parseable.", e); } @@ -170,7 +162,7 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { DateTime moaSessionCreated = new DateTime(moasession.getSessionCreated().getTime()); if (moaSessionCreated.plusMinutes(3).isBeforeNow()) { Logger.warn("No SSO session-container received. Stop authentication process after time-out."); - throw new TaskExecutionException("No SSO container received from smartphone app.", null); + throw new TaskExecutionException(pendingReq, "No SSO container received from smartphone app.", null); } else { Logger.debug("No restored SSO session found --> Wait a few minutes and check again."); @@ -187,11 +179,11 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { } - context = GUIUtils.buildSSOTransferGUI(authURL, moasession); + context = GUIUtils.buildSSOTransferGUI(authURL, pendingReq.getRequestID()); GUIUtils.printSSOTransferGUI(context, response); } catch (IOException | MOAIDException e) { - throw new TaskExecutionException(e.getMessage(), e); + throw new TaskExecutionException(pendingReq, e.getMessage(), e); } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java index 310b8a813..ee7a397aa 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java @@ -40,7 +40,6 @@ import org.apache.velocity.app.VelocityEngine; import com.google.gson.JsonObject; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; import at.gv.egovernment.moa.id.config.ConfigurationException; @@ -61,11 +60,10 @@ public class GUIUtils { public static final int REFESH_TIMEOUT = 5 * 1000; //5 sec - public static VelocityContext buildSSOTransferGUI(String authURL, AuthenticationSession moasession) throws ConfigurationException, IOException { - String token = moasession.getSessionID(); + public static VelocityContext buildSSOTransferGUI(String authURL, String pendingReqID) throws ConfigurationException, IOException { String containerURL = authURL + SSOTransferConstants.SERVLET_SSOTRANSFER_FROM_SMARTPHONE - + "?" + MOAIDAuthConstants.PARAM_SESSIONID + "=" + token; + + "?" + MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID + "=" + pendingReqID; JsonObject qrResult = new JsonObject(); qrResult.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_TYPE, diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java index 861dcbf58..7c8a86f73 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java @@ -79,6 +79,8 @@ import org.opensaml.xml.signature.SignatureException; import org.opensaml.xml.signature.SignatureValidator; import org.opensaml.xml.signature.Signer; import org.opensaml.xml.validation.ValidationException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NodeList; @@ -93,6 +95,7 @@ import at.gv.egovernment.moa.id.auth.modules.ssotransfer.data.SSOTransferAuthent import at.gv.egovernment.moa.id.auth.modules.ssotransfer.data.SSOTransferOnlineApplication; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.data.IAuthData; @@ -104,8 +107,9 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionB import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; @@ -119,9 +123,9 @@ import iaik.x509.X509Certificate; * @author tlenz * */ +@Service("SSOContainerUtils") public class SSOContainerUtils { public static final List<String> REQUIRED_ATTRIBUTES; - static { List<String> tmp = new ArrayList<String>(); tmp.add(PVPConstants.EID_AUTH_BLOCK_NAME); @@ -140,15 +144,13 @@ public class SSOContainerUtils { REQUIRED_ATTRIBUTES = Collections.unmodifiableList(tmp); } - public static void parseSSOContainerToMOASessionDataObject(IRequest pendingReq, AuthenticationSession moasession, Response ssoInformation) throws AssertionAttributeExtractorExeption, ConfigurationException { + @Autowired IDPCredentialProvider credentials; + @Autowired SAMLVerificationEngine samlVerificationEngine; + @Autowired AuthConfiguration authConfig; + + public void parseSSOContainerToMOASessionDataObject(IRequest pendingReq, AuthenticationSession moasession, Response ssoInformation) throws AssertionAttributeExtractorExeption, ConfigurationException { AssertionAttributeExtractor attributeExtractor = new AssertionAttributeExtractor(ssoInformation); - String authServiceURL = pendingReq.getAuthURL(); - if (authServiceURL.endsWith("/")) - moasession.setAuthURL(authServiceURL); - else - moasession.setAuthURL(authServiceURL + "/"); - //TODO: maybe change to correct URL //set dummy BKU URLx moasession.setBkuURL("http://egiz.gv.at/sso_session-transfer_app"); @@ -248,7 +250,7 @@ public class SSOContainerUtils { } - public static Response validateReceivedSSOContainer(String signedEncryptedContainer) throws IOException, XMLParserException, UnmarshallingException, MOAIDException { + public Response validateReceivedSSOContainer(String signedEncryptedContainer) throws IOException, XMLParserException, UnmarshallingException, MOAIDException { byte[] base64decodedContainer = Base64Utils.decode(signedEncryptedContainer, false); final BasicParserPool ppMgr = new BasicParserPool(); @@ -276,7 +278,7 @@ public class SSOContainerUtils { throw new SAMLRequestNotSignedException(e); } - Credential credential = CredentialProvider.getIDPAssertionSigningCredential(); + Credential credential = credentials.getIDPAssertionSigningCredential(); if (credential == null) { throw new NoCredentialsException("moaID IDP"); } @@ -293,7 +295,7 @@ public class SSOContainerUtils { if (ssoContainer.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { //validate PVP 2.1 assertion - SAMLVerificationEngine.validateAssertion(ssoContainer, false); + samlVerificationEngine.validateAssertion(ssoContainer, false, credentials.getIDPAssertionEncryptionCredential()); return ssoContainer; } else { @@ -311,7 +313,7 @@ public class SSOContainerUtils { } - public static String generateSignedAndEncryptedSSOContainer(String authURL, + public String generateSignedAndEncryptedSSOContainer(String authURL, AuthenticationSession authSession, Date date) { try { String entityID = authURL; @@ -342,7 +344,7 @@ public class SSOContainerUtils { String sessionIndex = SAML2Utils.getSecureIdentifier(); - IAuthData authData = new SSOTransferAuthenticationData(authSession); + IAuthData authData = new SSOTransferAuthenticationData(authConfig, authSession); Assertion assertion = PVP2AssertionBuilder.buildGenericAssertion( authURL, @@ -376,7 +378,7 @@ public class SSOContainerUtils { return null; } - private static String buildSSOContainerObject(String authURL, Assertion assertion, DateTime date) throws ConfigurationException, EncryptionException, CredentialsNotAvailableException, SecurityException, ParserConfigurationException, MarshallingException, SignatureException, TransformerFactoryConfigurationError, TransformerException, IOException { + private String buildSSOContainerObject(String authURL, Assertion assertion, DateTime date) throws ConfigurationException, EncryptionException, CredentialsNotAvailableException, SecurityException, ParserConfigurationException, MarshallingException, SignatureException, TransformerFactoryConfigurationError, TransformerException, IOException { Response authResponse = SAML2Utils.createSAMLObject(Response.class); Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); @@ -396,7 +398,7 @@ public class SSOContainerUtils { authResponse.setStatus(SAML2Utils.getSuccessStatus()); //encrypt container - X509Credential encryptionCredentials = CredentialProvider.getIDPAssertionEncryptionCredential(); + X509Credential encryptionCredentials = credentials.getIDPAssertionEncryptionCredential(); EncryptionParameters dataEncParams = new EncryptionParameters(); dataEncParams.setAlgorithm(PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE); @@ -422,9 +424,9 @@ public class SSOContainerUtils { //sign container - Credential signingCredential = CredentialProvider.getIDPAssertionSigningCredential(); - Signature signature = CredentialProvider - .getIDPSignature(signingCredential); + Credential signingCredential = credentials.getIDPAssertionSigningCredential(); + Signature signature = AbstractCredentialProvider.getIDPSignature(signingCredential); + SecurityHelper.prepareSignatureParams(signature, signingCredential, null, null); authResponse.setSignature(signature); diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransfer.authmodule.beans.xml b/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransfer.authmodule.beans.xml index 1a8709e15..349b3afb0 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransfer.authmodule.beans.xml +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransfer.authmodule.beans.xml @@ -11,4 +11,27 @@ <property name="priority" value="1" /> </bean> + <bean id="SSOContainerUtils" + class="at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils"/> + + + <bean id="SSOTransferSignalServlet" + class="at.gv.egovernment.moa.id.auth.modules.ssotransfer.servlet.SSOTransferSignalServlet"/> + + + <bean id="SSOTransferServlet" + class="at.gv.egovernment.moa.id.auth.modules.ssotransfer.servlet.SSOTransferServlet"/> + + +<!-- Federated Authentication Process Tasks --> + <bean id="RestoreSSOSessionTask" + class="at.gv.egovernment.moa.id.auth.modules.ssotransfer.task.RestoreSSOSessionTask" + scope="prototype"/> + + <bean id="InitializeRestoreSSOSessionTask" + class="at.gv.egovernment.moa.id.auth.modules.ssotransfer.task.InitializeRestoreSSOSessionTask" + scope="prototype"/> + + + </beans> diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferAuthentication.process.xml b/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferAuthentication.process.xml index 07d746e39..e7d98c8c8 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferAuthentication.process.xml +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferAuthentication.process.xml @@ -4,9 +4,9 @@ <!-- STORK authentication both with C-PEPS supporting xml signatures and with C-PEPS not supporting xml signatures. --> - <pd:Task id="initializeRestoreSSOSessionTask" class="at.gv.egovernment.moa.id.auth.modules.ssotransfer.task.InitializeRestoreSSOSessionTask" /> - <pd:Task id="restoreSSOSessionTask" class="at.gv.egovernment.moa.id.auth.modules.ssotransfer.task.RestoreSSOSessionTask" async="true" /> - <pd:Task id="finalizeAuthentication" class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.FinalizeAuthenticationTask" /> + <pd:Task id="initializeRestoreSSOSessionTask" class="InitializeRestoreSSOSessionTask" /> + <pd:Task id="restoreSSOSessionTask" class="RestoreSSOSessionTask" async="true" /> + <pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" /> <!-- Process is triggered either by GenerateIFrameTemplateServlet (upon bku selection) or by AuthenticationManager (upon legacy authentication start using legacy parameters. --> <pd:StartEvent id="start" /> |