aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-modules-federated_authentication/src
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/modules/moa-id-modules-federated_authentication/src')
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java17
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java94
2 files changed, 47 insertions, 64 deletions
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
index 4ae162f5a..19eae06d7 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
@@ -171,7 +171,22 @@ public class FederatedAuthnRequestBuilderConfiguration implements IPVPAuthnReque
*/
@Override
public String getSubjectNameIDFormat() {
- // TODO Auto-generated method stub
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getRequestID()
+ */
+ @Override
+ public String getRequestID() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier()
+ */
+ @Override
+ public String getSubjectNameIDQualifier() {
return null;
}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
index a07a87c2b..d5c5354c0 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
@@ -32,12 +32,9 @@ import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.TransformerException;
import org.opensaml.saml2.core.Attribute;
-import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.ws.message.decoder.MessageDecodingException;
-import org.opensaml.ws.soap.common.SOAPException;
-import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
@@ -45,8 +42,11 @@ import org.springframework.stereotype.Component;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -55,12 +55,12 @@ import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCr
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
-import at.gv.egovernment.moa.id.data.FederatedAuthenticatenContainer;
import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
@@ -73,11 +73,9 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
-import at.gv.egovernment.moa.id.storage.ITransactionStorage;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -88,11 +86,12 @@ import at.gv.egovernment.moa.util.MiscUtil;
@Component("ReceiveFederatedAuthnResponseTask")
public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
- @Autowired private SAMLVerificationEngine samlVerificationEngine;
+ @Autowired private SAMLVerificationEngineSP samlVerificationEngine;
@Autowired private FederatedAuthCredentialProvider credentialProvider;
@Autowired private SSOManager ssoManager;
@Autowired private AttributQueryBuilder attributQueryBuilder;
- @Autowired private ITransactionStorage transactionStorage;
+ @Autowired private AuthenticationDataBuilder authDataBuilder;
+
/* (non-Javadoc)
@@ -106,13 +105,16 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
try {
IDecoder decoder = null;
+ MOAURICompare comperator = null;
//select Response Binding
if (request.getMethod().equalsIgnoreCase("POST")) {
decoder = new PostBinding();
+ comperator = new MOAURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_POST);
Logger.trace("Receive PVP Response from federated IDP, by using POST-Binding.");
} else if (request.getMethod().equalsIgnoreCase("GET")) {
decoder = new RedirectBinding();
+ comperator = new MOAURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_REDIRECT);
Logger.trace("Receive PVP Response from federated IDP, by using Redirect-Binding.");
} else {
@@ -123,7 +125,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
}
//decode PVP response object
- msg = (InboundMessage) decoder.decode(request, response, MOAMetadataProvider.getInstance(), true);
+ msg = (InboundMessage) decoder.decode(
+ request, response, MOAMetadataProvider.getInstance(), true,
+ comperator);
if (MiscUtil.isEmpty(msg.getEntityID())) {
throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
@@ -179,8 +183,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
} else {
//SP is real Service-Provider --> check attributes in response
// and start Attribute-Query if required
-
- //get authenticationData and store it into MOASession
+
getAuthDataFromInterfederation(extractor, pendingReq.getOnlineApplicationConfiguration(),
idpConfig);
@@ -197,7 +200,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
//store valid assertion into pending-request
pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg);
-
+ pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_ENTITYID, processedMsg.getEntityID());
+
//store pending-request
requestStoreage.storePendingRequest(pendingReq);
@@ -245,55 +249,17 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
try {
Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... ");
Collection<String> requestedAttr = pendingReq.getRequestedAttributes();
-
+
//check if SAML2 Assertion contains a minimal set of attributes
if (!extractor.containsAllRequiredAttributes()) {
- Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");
- //collect attributes by using BackChannel communication
- String endpoint = idpConfig.getIDPAttributQueryServiceURL();
- if (MiscUtil.isEmpty(endpoint)) {
- Logger.error("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix());
- throw new ConfigurationException("config.26", new Object[]{idpConfig.getPublicURLPrefix()});
-
- }
-
+ Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");
+
//build attributQuery request
List<Attribute> attributs =
attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator());
- AttributeQuery query =
- attributQueryBuilder.buildAttributQueryRequest(extractor.getNameID(), endpoint, attributs);
-
- //build SOAP request
- List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
- if (xmlObjects.size() == 0) {
- Logger.error("Receive emptry AttributeQuery response-body.");
- throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null);
-
- }
-
- if (xmlObjects.get(0) instanceof Response) {
- Response intfResp = (Response) xmlObjects.get(0);
-
- //validate PVP 2.1 response
- try {
- samlVerificationEngine.verifyIDPResponse(intfResp,
- TrustEngineFactory.getSignatureKnownKeysTrustEngine(
- MOAMetadataProvider.getInstance()));
-
- //create assertion attribute extractor from AttributeQuery response
- extractor = new AssertionAttributeExtractor(intfResp);
-
- } catch (Exception e) {
- Logger.warn("PVP 2.1 assertion validation FAILED.", e);
- throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e);
- }
-
- } else {
- Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
- throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null);
-
- }
+ //request IDP to get additional attributes
+ extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(), idpConfig);
} else {
Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. ");
@@ -314,14 +280,13 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el));
Logger.debug("Add PVP-attribute " + el + " into MOASession");
- }
-
- } catch (SOAPException e) {
- throw new BuildException("builder.06", null, e);
-
- } catch (SecurityException e) {
- throw new BuildException("builder.06", null, e);
+ }
+ //set validTo from this federated IDP response
+ moasession.setGenericDataToSession(
+ AuthenticationSessionStorageConstants.FEDERATION_RESPONSE_VALIDE_TO,
+ extractor.getAssertionNotOnOrAfter());
+
} catch (AttributQueryException e) {
throw new BuildException("builder.06", null, e);
@@ -334,6 +299,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
} catch (AssertionAttributeExtractorExeption e) {
throw new BuildException("builder.06", null, e);
+ } catch (MOAIDException e) {
+ throw new BuildException("builder.06", null, e);
+
}
}