Diffstat (limited to 'id/server')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java274
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java125
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java40
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java62
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java56
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java82
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java73
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java47
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java49
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java45
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java21
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java31
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java33
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java94
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java19
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java23
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java113
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java135
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java (renamed from id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java)28
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java53
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java11
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties17
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties15
-rw-r--r--id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java11
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java115
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java18
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java3
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java54
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml13
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml24
-rw-r--r--id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java2
-rw-r--r--id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java2
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java2
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java9
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java18
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java4
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java213
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java2
57 files changed, 1444 insertions, 617 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index 1a9018563..c7ef73b47 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -184,5 +184,7 @@ public class MOAIDAuthConstants extends MOAIDConstants{
public static final String AUTHPROCESS_DATA_TARGETFRIENDLYNAME = "authProces_TargetFriendlyName";
public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate";
+ //General MOASession data-store keys
+ public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert";
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 8a9999d85..999f289e0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -45,10 +45,6 @@ import javax.xml.bind.Marshaller;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.AuthnStatement;
-import org.opensaml.saml2.core.Response;
-import org.opensaml.ws.soap.common.SOAPException;
-import org.opensaml.xml.XMLObject;
-import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.w3c.dom.Element;
@@ -82,7 +78,6 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory;
import at.gv.egovernment.moa.id.data.IAuthData;
@@ -91,7 +86,6 @@ import at.gv.egovernment.moa.id.moduls.IRequest;
import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
-import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
@@ -99,7 +93,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
@@ -125,140 +118,62 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
@Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage;
@Autowired protected AuthConfiguration authConfig;
- @Autowired private AttributQueryBuilder attributQueryBuilder;
- @Autowired private SAMLVerificationEngine samlVerificationEngine;
- public IAuthData buildAuthenticationData(IRequest protocolRequest,
- AuthenticationSession session, List<Attribute> reqAttributes) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException {
- AuthenticationData authdata = null;
+ public IAuthData buildAuthenticationDataForAttributQuery(IRequest pendingReq,
+ AuthenticationSession session, List<Attribute> reqAttributes) {
+ AuthenticationData authdata = new AuthenticationData();
- //only needed for SAML1 legacy support
try {
- //check if SAML1 authentication module is in Classpath
- Class<?> saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl");
- IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").newInstance();
- if (saml1RequstTemplate != null &&
- saml1RequstTemplate.isInstance(protocolRequest)) {
- //request is SAML1 --> invoke SAML1 protocol specific methods
- if (session.getExtendedSAMLAttributesOA() == null) {
- saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, new ArrayList<ExtendedSAMLAttribute>());
-
- } else {
- saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, session.getExtendedSAMLAttributesOA());
- }
+ //mark AttributeQuery as used if it exists
+ OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, pendingReq.getOAURL(), pendingReq.requestedModule());
+ if (activeOA != null) {
+ //reuse some parameters if it is a Service-Provider reauthentication
+ authdata.setSessionIndex(activeOA.getAssertionSessionID());
+ authdata.setNameID(activeOA.getUserNameID());
+ authdata.setNameIDFormat(activeOA.getUserNameIDFormat());
- authdata = (AuthenticationData) saml1authdata;
-
- } else {
- authdata = new AuthenticationData();
-
- }
-
- } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) {
- authdata = new AuthenticationData();
-
- }
-
- //reuse some parameters if it is a Service-Provider reauthentication
- OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, protocolRequest.getOAURL(), protocolRequest.requestedModule());
- if (activeOA != null) {
- authdata.setSessionIndex(activeOA.getAssertionSessionID());
- authdata.setNameID(activeOA.getUserNameID());
- authdata.setNameIDFormat(activeOA.getUserNameIDFormat());
-
- //mark AttributeQuery as used
- if ( protocolRequest instanceof PVPTargetConfiguration &&
- ((PVPTargetConfiguration) protocolRequest).getRequest() instanceof MOARequest &&
- ((PVPTargetConfiguration) protocolRequest).getRequest().getInboundMessage() instanceof AttributeQuery) {
- try {
- activeOA.setAttributeQueryUsed(true);
- MOASessionDBUtils.saveOrUpdate(activeOA);
+ //mark
+ if ( pendingReq instanceof PVPTargetConfiguration &&
+ ((PVPTargetConfiguration) pendingReq).getRequest() instanceof MOARequest &&
+ ((PVPTargetConfiguration) pendingReq).getRequest().getInboundMessage() instanceof AttributeQuery) {
+ try {
+ activeOA.setAttributeQueryUsed(true);
+ MOASessionDBUtils.saveOrUpdate(activeOA);
- } catch (MOADatabaseException e) {
- Logger.error("MOASession interfederation information can not stored to database.", e);
+ } catch (MOADatabaseException e) {
+ Logger.error("MOASession interfederation information can not stored to database.", e);
- }
+ }
+ }
}
- }
-
- //search federated IDP information in MOASession
- InterfederationSessionStore interfIDP = authenticatedSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session);
- IOAAuthParameters oaParam = null;
- if (reqAttributes == null) {
- //get OnlineApplication from MOA-ID-Auth configuration
- oaParam = protocolRequest.getOnlineApplicationConfiguration();
-
- //build OA dynamically from STROK request if this OA is used as STORK<->PVP gateway
- if (oaParam.isSTORKPVPGateway())
- oaParam = DynamicOAAuthParameterBuilder.buildFromAuthnRequest(oaParam, protocolRequest);
-
- } else {
- //build OnlineApplication dynamic from requested attributes (AttributeQuerry Request)
- oaParam = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes, interfIDP);
+ getAuthDataFromInterfederation(authdata, session, spConfig, pendingReq, interfIDP, idp, reqAttributes);
- }
-
- if (interfIDP != null ) {
- //authentication by using a federated IDP
- if (oaParam.isInderfederationIDP() && protocolRequest instanceof PVPTargetConfiguration &&
- !(((PVPTargetConfiguration)protocolRequest).getRequest() instanceof AttributeQuery)) {
- //IDP is a chained interfederated IDP and Authentication is requested
-
- //only set minimal response attributes
- authdata.setQAALevel(interfIDP.getQAALevel());
- authdata.setBPK(interfIDP.getUserNameID());
-
- } else {
- //get attributes from interfederated IDP
- OAAuthParameter idp = authConfig.getOnlineApplicationParameter(interfIDP.getIdpurlprefix());
- getAuthDataFromInterfederation(authdata, session, oaParam, protocolRequest, interfIDP, idp, reqAttributes);
+
+
+
+
+
+ //mark attribute request as used
+ try {
+ interfIDP.setAttributesRequested(true);
+ MOASessionDBUtils.saveOrUpdate(interfIDP);
+
+ } catch (MOADatabaseException e) {
+ Logger.error("MOASession interfederation information can not stored to database.", e);
- //mark attribute request as used
- try {
- interfIDP.setAttributesRequested(true);
- MOASessionDBUtils.saveOrUpdate(interfIDP);
-
- } catch (MOADatabaseException e) {
- Logger.error("MOASession interfederation information can not stored to database.", e);
-
- }
}
- } else {
- //build AuthenticationData from MOASession
- buildAuthDataFormMOASession(authdata, session, oaParam, protocolRequest);
-
- }
- return authdata;
+ return authdata;
+
+ } catch (DynamicOABuildException e) {
+ //TODO:
+
+ }
}
- /**
- * @param req
- * @param session
- * @param reqAttributes
- * @return
- * @throws WrongParametersException
- * @throws ConfigurationException
- * @throws BuildException
- * @throws DynamicOABuildException
- */
- public IAuthData buildAuthenticationData(IRequest req,
- AuthenticationSession session) throws WrongParametersException, ConfigurationException, BuildException, DynamicOABuildException {
- return buildAuthenticationData(req, session, null);
- }
- /**
- * @param authdata
- * @param session
- * @param oaParam
- * @param protocolRequest
- * @param interfIDP
- * @param idp
- * @param reqQueryAttr
- * @throws ConfigurationException
- */
private void getAuthDataFromInterfederation(
AuthenticationData authdata, AuthenticationSession session,
IOAAuthParameters oaParam, IRequest req,
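Review bot: The `catch (DynamicOABuildException e)` at the end of the new `buildAuthenticationDataForAttributQuery` swallows the failure with only a `//TODO`, and the method then ends without a return, so the AttributeQuery path either does not compile or, once a fallback `return authdata;` is added, hands back a partly populated `AuthenticationData` after the dynamic OA build failed. Propagate the failure instead: declare `throws DynamicOABuildException` on the new signature (the removed overload declared it) and replace the empty catch body with `Logger.error("Can not build dynamic OA configuration for AttributeQuery.", e); throw e;`, or drop the catch entirely. As far as the hunk shows, `spConfig`, `interfIDP` and `idp` passed to `getAuthDataFromInterfederation` are not declared on the new side; if their declarations are not among the blank lines this rendering dropped, the lookup via `searchInterfederatedIDPFORAttributeQueryWithSessionID` that the old code performed is missing. The new public method also has no Javadoc, although it now decides which session and IDP data are reused.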
@@ -363,6 +278,76 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
}
}
+
+ public IAuthData buildAuthenticationData(IRequest pendingReq,
+ AuthenticationSession session) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException {
+ AuthenticationData authdata = null;
+
+ //only needed for SAML1 legacy support
+ try {
+ //check if SAML1 authentication module is in Classpath
+ Class<?> saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl");
+ IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").newInstance();
+ if (saml1RequstTemplate != null &&
+ saml1RequstTemplate.isInstance(pendingReq)) {
+ //request is SAML1 --> invoke SAML1 protocol specific methods
+ if (session.getExtendedSAMLAttributesOA() == null) {
+ saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, new ArrayList<ExtendedSAMLAttribute>());
+
+ } else {
+ saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, session.getExtendedSAMLAttributesOA());
+ }
+
+ authdata = (AuthenticationData) saml1authdata;
+
+ } else {
+ authdata = new AuthenticationData();
+
+ }
+
+ } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) {
+ authdata = new AuthenticationData();
+
+ }
+
+ OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, pendingReq.getOAURL(), pendingReq.requestedModule());
+ //reuse authentication information in case of service-provider reauthentication
+ if (activeOA != null) {
+ authdata.setSessionIndex(activeOA.getAssertionSessionID());
+ authdata.setNameID(activeOA.getUserNameID());
+ authdata.setNameIDFormat(activeOA.getUserNameIDFormat());
+
+ }
+
+ //get OnlineApplication from MOA-ID-Auth configuration
+ IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
+
+ //TODO: move to eIDAS-Code in case of ISA1.18 action is enabled for eIDAS
+ //build OA dynamically from STROK request if this OA is used as STORK<->PVP gateway
+ if (oaParam.isSTORKPVPGateway())
+ oaParam = DynamicOAAuthParameterBuilder.buildFromAuthnRequest(oaParam, pendingReq);
+
+ //check if minimal response is required
+
+ //TODO check if really required
+ Boolean isMinimalFrontChannelResp = pendingReq.getGenericData(
+ PVPTargetConfiguration.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, Boolean.class);
+ if (isMinimalFrontChannelResp != null && isMinimalFrontChannelResp) {
+ //only set minimal response attributes
+ authdata.setQAALevel(
+ pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, String.class));
+ authdata.setBPK(
+ pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, String.class));
+
+ } else {
+ //build AuthenticationData from MOASession
+ buildAuthDataFormMOASession(authdata, session, oaParam, pendingReq);
+
+ }
+
+ return authdata;
+ }
+
private void buildAuthDataFormInterfederationResponse(
AuthenticationData authData,
AuthenticationSession session,
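Review bot: In the new `buildAuthenticationData(IRequest, AuthenticationSession)`, the minimal-front-channel branch copies `DATAID_INTERFEDERATION_QAALEVEL` and `DATAID_INTERFEDERATION_NAMEID` straight into `authdata` without checking that they are present, so a pending request flagged minimal but lacking the NameID yields an `AuthenticationData` with a null bPK and nothing else set, and `buildAuthDataFormMOASession` is skipped entirely. Read the value once and guard it: `String nameID = pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, String.class); if (!MiscUtil.isNotEmpty(nameID)) throw new BuildException("builder.00", new Object[]{"AuthenticationData", "Federated NameID is missing"});`. `oaParam` is built, including the STORK-gateway rewrite, but is unused in that branch; a short comment saying why that is acceptable would resolve the `//TODO check if really required` left above it. The public method needs Javadoc describing the SAML1 reflection fallback and the two response modes.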
@@ -982,19 +967,45 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
MISMandate mandate = session.getMISMandate();
- authData.setMISMandate(mandate);
- authData.setUseMandate(session.getUseMandate());
+ if (session.getUseMandate() && mandate == null) {
+ Logger.error("Mandate is requested but NO mandate-data is found!.");
+ throw new BuildException("builder.00", new Object[]{
+ "Mandate", "Mandate is requested but NO mandate-data is found!"});
+
+ }
+
authData.setMandateReferenceValue(session.getMandateReferenceValue());
+ if (mandate != null) {
+ //set MIS mandate to authdata
+ authData.setMISMandate(mandate);
+ authData.setUseMandate(session.getUseMandate());
+
+ } else {
+ //check if ELGA mandates exists
+ String mandateType = session.getGenericDataFromSession(
+ PVPConstants.MANDATE_TYPE_NAME, String.class);
+ if (MiscUtil.isNotEmpty(mandateType)) {
+ //switch to mandate-mode for authdata generation, because mandate-information
+ // is directly included in MOA-Session as PVP attributes
+ Logger.debug("AuthDataBuilder find directly included 'MandateType' attribute."
+ + " --> Switch to mandate-mode for authdata generation.");
+ authData.setUseMandate(true);
+
+ }
+
+
+ }
+
if (session.getUseMandate() && session.isOW()
&& mandate != null && MiscUtil.isNotEmpty(mandate.getOWbPK())) {
authData.setBPK(mandate.getOWbPK());
authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW");
-
+
//TODO: check in case of mandates for business services
authData.setIdentityLink(identityLink);
Logger.trace("Authenticated User is OW: " + mandate.getOWbPK());
-
+
} else {
buildOAspecificbPK(protocolRequest, oaParam, authData,
identityLink.getIdentificationValue(),
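Review bot: The new `else` branch switches `authData` into mandate mode solely because a `PVPConstants.MANDATE_TYPE_NAME` value is present in the session's generic data, while the session's own `getUseMandate()` flag is neither consulted nor updated, and the OW check directly below still reads `session.getUseMandate()`, so the two flags can now disagree in the ELGA case. Either require both — `if (MiscUtil.isNotEmpty(mandateType) && session.getUseMandate())` — or extend the comment to name which component is trusted to write that attribute into the session, since this line turns its mere presence into an authorization decision. The new error message has a stray period: `"Mandate is requested but NO mandate-data is found!"`. The enclosing method continues outside the hunk on both sides.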
@@ -1004,7 +1015,10 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
}
-
+ //TODO
+ } catch (BuildException e) {
+ throw e;
+
} catch (Throwable ex) {
throw new BuildException("builder.00", new Object[]{
"AuthenticationData", ex.toString()}, ex);
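Review bot: The `//TODO` left above the new `catch (BuildException e) { throw e; }` says nothing about why the rethrow exists, and a later reader may remove it as a no-op. Replace it with a why-comment such as `// rethrow unchanged so a specific builder error code is not masked by the generic "builder.00" wrapper below`. The enclosing try block begins outside the hunk.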
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
index 79b09503f..ab43f2f79 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
@@ -45,7 +45,7 @@ import at.gv.egovernment.moa.util.Constants;
*/
public class DynamicOAAuthParameterBuilder {
- public static IOAAuthParameters buildFromAttributeQuery(List<Attribute> reqAttributes, InterfederationSessionStore interfIDP) throws DynamicOABuildException {
+ public static IOAAuthParameters buildFromAttributeQuery(OAAuthParameter oa, List<Attribute> reqAttributes, InterfederationSessionStore interfIDP) throws DynamicOABuildException {
Logger.debug("Build dynamic OAConfiguration from AttributeQuery and interfederation information");
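Review bot: The new `OAAuthParameter oa` parameter of `buildFromAttributeQuery` is undocumented and the hunk does not show how it is used; the method's Javadoc, which sits outside the hunk, needs an `@param oa` entry stating what the caller has to pass. Since the method returns the `IOAAuthParameters` interface, accepting the concrete `OAAuthParameter` here couples callers more tightly than the rest of the signature; consider `IOAAuthParameters oa` unless a concrete-only accessor is needed in the body. The method body continues outside the hunk.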
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java
new file mode 100644
index 000000000..9af247714
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java
@@ -0,0 +1,125 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.data;
+
+import java.io.Serializable;
+
+import at.gv.egovernment.moa.id.util.Random;
+
+/**
+ * @author tlenz
+ *
+ */
+public class FederatedAuthenticatenContainer implements Serializable {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 6075571915585105988L;
+
+ private String id;
+ private String moaSessionID;
+
+ private String idpEntityID;
+ private String userNameID;
+ private String userQAALevel;
+
+ /**
+ * Build a new data-container for federated authentication with Attribute-Query
+ *
+ */
+ public FederatedAuthenticatenContainer() {
+ this.id = Random.nextRandom();
+
+ }
+
+ /**
+ * Get the identifier of this container
+ *
+ * @return the identifier of this container, but never null
+ */
+ public String getId() {
+ return id;
+ }
+
+ /**
+ * Get the MOASessionID, of the corresponding MOASession
+ *
+ * @return the moaSessionID, or null if no MOASession exists
+ */
+ public String getMoaSessionID() {
+ return moaSessionID;
+ }
+ /**
+ * @param moaSessionID the moaSessionID to set
+ */
+ public void setMoaSessionID(String moaSessionID) {
+ this.moaSessionID = moaSessionID;
+ }
+ /**
+ * Get the Entity of the federated IDP, which has the authentication data
+ *
+ * @return the idpEntityID, but never null
+ */
+ public String getIdpEntityID() {
+ return idpEntityID;
+ }
+ /**
+ * @param idpEntityID the idpEntityID to set
+ */
+ public void setIdpEntityID(String idpEntityID) {
+ this.idpEntityID = idpEntityID;
+ }
+ /**
+ * Get the SAML2 NameID of the user, which is used to identify the user on the federated IDP
+ *
+ * @return the SAML2 NameID, but never null
+ */
+ public String getUserNameID() {
+ return userNameID;
+ }
+ /**
+ * @param userNameID the userNameID to set
+ */
+ public void setUserNameID(String userNameID) {
+ this.userNameID = userNameID;
+ }
+ /**
+ * Get the SAML2 QAA-level, which should be send to the federated IDP
+ *
+ * @return the userQAALevel, but never null
+ */
+ public String getUserQAALevel() {
+ return userQAALevel;
+ }
+ /**
+ * @param userQAALevel the userQAALevel to set
+ */
+ public void setUserQAALevel(String userQAALevel) {
+ this.userQAALevel = userQAALevel;
+ }
+
+
+
+
+}
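Review bot: The getter Javadocs of `FederatedAuthenticatenContainer` promise `but never null` for `idpEntityID`, `userNameID` and `userQAALevel`, but these fields are assigned only through plain setters and stay null until then, so the documented contract is not enforced and a consumer relying on it will fail at the point of use. Either enforce it in the setters — `this.idpEntityID = Objects.requireNonNull(idpEntityID, "idpEntityID");`, likewise for `userNameID` and `userQAALevel`, with `import java.util.Objects;` — or change the three `@return` lines to say the value is null until set. Only `id`, filled by the constructor from `Random.nextRandom()`, is actually guaranteed. The class name carries a typo (`Authenticaten`); it is cheapest to fix before other modules reference the type.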
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index a97486097..21ef38732 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -70,6 +70,7 @@ import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
@@ -499,7 +500,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
} else {
samlVerificationEngine.verifySLOResponse(sloResp,
- TrustEngineFactory.getSignatureKnownKeysTrustEngine());
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance()));
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
index e1edb6b77..d5d0e6c48 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
@@ -22,6 +22,8 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.moduls;
+import java.util.Collection;
+
import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
@@ -189,4 +191,12 @@ public interface IRequest {
* @param b true, if the user has abort the authentication process, otherwise false
*/
public void setAbortedByUser(boolean isAborted);
+
+ /**
+ * This method get a Set of PVP 2.1 attribute, which are request by this pending-request.
+ *
+ * @return A set of PVP attribute names or null if no attributes are requested
+ * or the Service Provider, which sends this request needs no attributes
+ */
+ public Collection<String> getRequestedAttributes();
}
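Review bot: The Javadoc on the new `getRequestedAttributes()` does not match the signature — it speaks of a Set while the return type is `Collection<String>` — and it makes null the contract for "no attributes", which every implementation caller now has to check. Suggested wording: `Returns the PVP 2.1 attribute names requested by this pending request, or null if no attributes are requested or the requesting Service Provider needs none.` Returning an empty collection instead of null would remove that burden from callers; if null stays the contract, the wording above at least states it precisely.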
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
index 4dade61fa..e05bedac8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
@@ -48,7 +48,7 @@ public abstract class RequestImpl implements IRequest, Serializable{
public static final String DATAID_INTERFEDERATIOIDP_URL = "interIDPURL";
public static final String DATAID_INTERFEDERATIOIDP_RESPONSE = "interIDPResponse";
- public static final String DATAID_REQUESTED_ATTRIBUTES = "requestedAttributes";
+ public static final String DATAID_REQUESTED_ATTRIBUTES = "requestedAttributes";
private static final long serialVersionUID = 1L;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
index 3b7c99d5a..db4022cdc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
@@ -150,12 +150,11 @@ public class SSOManager {
return false;
}
- //check if request starts an interfederated SSO session
+ //check if stored SSO session is a federated SSO session
if (protocolRequest != null &&
- protocolRequest instanceof RequestImpl &&
- storedSession.isInterfederatedSSOSession() &&
- !storedSession.isAuthenticated()) {
-
+ storedSession.isInterfederatedSSOSession()) {
+ //in case of federated SSO session, jump to federated IDP for authentication
+
String interfederationIDP =
protocolRequest.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class);
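Review bot: The rewritten `if` at the top of the hunk drops the `!storedSession.isAuthenticated()` guard, so a federated SSO session that is already authenticated now also takes the jump to the federated IDP; if that is intended, the new comment should say so, e.g. `//federated SSO sessions are always re-validated at the federated IDP, even if already authenticated locally`. The `instanceof RequestImpl` test was removed as well while `protocolRequest.getGenericData(...)` is still called on the interface-typed reference right below, which presumably means that method is now part of `IRequest` — worth confirming, since this commit's IRequest hunk only adds `getRequestedAttributes()`. The enclosing method starts before this hunk.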
@@ -164,6 +163,7 @@ public class SSOManager {
if (selectedIDP != null) {
//no local SSO session exist -> request interfederated IDP
+ Logger.info("SSO Session refer to federated IDP: " + selectedIDP.getIdpurlprefix());
protocolRequest.setGenericDataToSession(
RequestImpl.DATAID_INTERFEDERATIOIDP_URL, selectedIDP.getIdpurlprefix());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java
index 7144ebe6d..67eb92d9b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java
@@ -27,12 +27,12 @@ import org.w3c.dom.Element;
import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
import at.gv.egovernment.moa.id.util.MandateBuilder;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
public class MandateLegalPersonFullNameAttributeBuilder implements IPVPAttributeBuilder {
@@ -43,22 +43,32 @@ public class MandateLegalPersonFullNameAttributeBuilder implements IPVPAttribute
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
if (authData.isUseMandate()) {
- Element mandate = authData.getMandate();
- if (mandate == null) {
- throw new NoMandateDataAttributeException();
- }
- Mandate mandateObject = MandateBuilder.buildMandate(mandate);
- if (mandateObject == null) {
- throw new NoMandateDataAttributeException();
- }
- CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
- if (corporation == null) {
- Logger.error("No corporation mandate");
- throw new NoMandateDataAttributeException();
- }
+ //get PVP attribute directly, if exists
+ String fullName = authData.getGenericData(MANDATE_LEG_PER_FULL_NAME_NAME, String.class);
+
+ if (MiscUtil.isEmpty(fullName)) {
+ Element mandate = authData.getMandate();
+ if (mandate == null) {
+ throw new NoMandateDataAttributeException();
+
+ }
+ Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+ if (mandateObject == null) {
+ throw new NoMandateDataAttributeException();
+
+ }
+ CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
+ if (corporation == null) {
+ Logger.error("No corporation mandate");
+ throw new NoMandateDataAttributeException();
+
+ }
+ fullName = corporation.getFullName();
+ }
return g.buildStringAttribute(MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME, MANDATE_LEG_PER_FULL_NAME_NAME,
- corporation.getFullName());
+ fullName);
+
}
return null;
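Review bot: The new `//get PVP attribute directly, if exists` path prefers a value stored under `MANDATE_LEG_PER_FULL_NAME_NAME` over the signed mandate document, but nothing in the hunk says which component stores that value or that it was validated before being stored, so the comment should name the source, e.g. `//prefer the attribute already stored in authData by <populating component>; the mandate document is only parsed if it is absent`. The same pattern and the same missing note recur in MandateLegalPersonSourcePinAttributeBuilder, MandateLegalPersonSourcePinTypeAttributeBuilder, MandateNaturalPersonBPKAttributeBuilder, MandateNaturalPersonBirthDateAttributeBuilder, MandateNaturalPersonFamilyNameAttributeBuilder, MandateNaturalPersonGivenNameAttributeBuilder, MandateProfRepDescAttributeBuilder and MandateProfRepOIDAttributeBuilder. Only the stored value is checked with `MiscUtil.isEmpty`; the fallback `corporation.getFullName()` can still be null and is handed to `buildStringAttribute` unchecked, whereas MandateProfRepDescAttributeBuilder in this commit finishes with an `isNotEmpty` check. `build`'s closing brace is outside the hunk.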
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java
index 12dc8877b..9474cd832 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java
@@ -26,14 +26,13 @@ import org.w3c.dom.Element;
import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType;
-import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
import at.gv.egovernment.moa.id.util.MandateBuilder;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttributeBuilder {
@@ -44,36 +43,39 @@ public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttribu
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
if(authData.isUseMandate()) {
- Element mandate = authData.getMandate();
- if(mandate == null) {
- throw new NoMandateDataAttributeException();
+
+ //get PVP attribute directly, if exists
+ String sourcePin = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class);
+
+ if (MiscUtil.isEmpty(sourcePin)) {
+ Element mandate = authData.getMandate();
+ if(mandate == null) {
+ throw new NoMandateDataAttributeException();
+
+ }
+ Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+ if(mandateObject == null) {
+ throw new NoMandateDataAttributeException();
+
+ }
+ CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
+ if(corporation == null) {
+ Logger.error("No corporation mandate");
+ throw new NoMandateDataAttributeException();
+
+ }
+ if(corporation.getIdentification().size() == 0) {
+ Logger.error("Failed to generate IdentificationType");
+ throw new NoMandateDataAttributeException();
+
+ }
+
+ sourcePin = corporation.getIdentification().get(0).getValue().getValue();
+
}
- Mandate mandateObject = MandateBuilder.buildMandate(mandate);
- if(mandateObject == null) {
- throw new NoMandateDataAttributeException();
- }
- CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
- if(corporation == null) {
- Logger.error("No corporation mandate");
- throw new NoMandateDataAttributeException();
- }
- IdentificationType id = null;
- if(corporation.getIdentification().size() == 0) {
- Logger.error("Failed to generate IdentificationType");
- throw new NoMandateDataAttributeException();
- }
- id = corporation.getIdentification().get(0);
- /*if(authSession.getBusinessService()) {
- id = MandateBuilder.getWBPKIdentification(corporation);
- } else {
- id = MandateBuilder.getBPKIdentification(corporation);
- }*/
- /*if(id == null) {
- Logger.error("Failed to generate IdentificationType");
- throw new NoMandateDataAttributeException();
- }*/
+
return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME,
- MANDATE_LEG_PER_SOURCE_PIN_NAME, id.getValue().getValue());
+ MANDATE_LEG_PER_SOURCE_PIN_NAME, sourcePin);
}
return null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java
index a7a9a757b..8391c8230 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java
@@ -26,14 +26,13 @@ import org.w3c.dom.Element;
import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType;
-import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
import at.gv.egovernment.moa.id.util.MandateBuilder;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
public class MandateLegalPersonSourcePinTypeAttributeBuilder implements IPVPAttributeBuilder {
@@ -44,32 +43,37 @@ public class MandateLegalPersonSourcePinTypeAttributeBuilder implements IPVPAttr
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
if (authData.isUseMandate()) {
- Element mandate = authData.getMandate();
- if (mandate == null) {
- throw new NoMandateDataAttributeException();
+ //get PVP attribute directly, if exists
+ String sourcePinType = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, String.class);
+
+ if (MiscUtil.isEmpty(sourcePinType)) {
+ Element mandate = authData.getMandate();
+ if (mandate == null) {
+ throw new NoMandateDataAttributeException();
+
+ }
+ Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+ if (mandateObject == null) {
+ throw new NoMandateDataAttributeException();
+
+ }
+ CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
+ if (corporation == null) {
+ Logger.error("No corporate mandate");
+ throw new NoMandateDataAttributeException();
+
+ }
+ if (corporation.getIdentification().size() == 0) {
+ Logger.error("Failed to generate IdentificationType");
+ throw new NoMandateDataAttributeException();
+
+ }
+ sourcePinType = corporation.getIdentification().get(0).getType();
+
}
- Mandate mandateObject = MandateBuilder.buildMandate(mandate);
- if (mandateObject == null) {
- throw new NoMandateDataAttributeException();
- }
- CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
- if (corporation == null) {
- Logger.error("No corporate mandate");
- throw new NoMandateDataAttributeException();
- }
- IdentificationType id = null;
- if (corporation.getIdentification().size() == 0) {
- Logger.error("Failed to generate IdentificationType");
- throw new NoMandateDataAttributeException();
- }
- id = corporation.getIdentification().get(0);
- /*
- * id = MandateBuilder.getBPKIdentification(corporate); if (id == null) {
- * Logger.error("Failed to generate IdentificationType"); throw new
- * NoMandateDataAttributeException(); }
- */
+
return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME,
- id.getType());
+ sourcePinType);
}
return null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
index be6372913..df077a631 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
@@ -30,13 +30,13 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPers
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
import at.gv.egovernment.moa.id.util.MandateBuilder;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.MiscUtil;
public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBuilder {
@@ -45,49 +45,53 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
}
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
- IAttributeGenerator<ATT> g) throws AttributeException {
- if (authData.isUseMandate()) {
- Element mandate = authData.getMandate();
- if (mandate == null) {
- throw new NoMandateDataAttributeException();
- }
- Mandate mandateObject = MandateBuilder.buildMandate(mandate);
- if (mandateObject == null) {
- throw new NoMandateDataAttributeException();
- }
- PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
- if (physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
- throw new NoMandateDataAttributeException();
- }
- IdentificationType id = null;
- id = physicalPerson.getIdentification().get(0);
- if (id == null) {
- Logger.error("Failed to generate IdentificationType");
- throw new NoMandateDataAttributeException();
- }
+ IAttributeGenerator<ATT> g) throws AttributeException {
+ if (authData.isUseMandate()) {
- String bpk;
- try {
+ //get PVP attribute directly, if exists
+ String bpk = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class);
+
+ if (MiscUtil.isEmpty(bpk)) {
+ //read bPK from mandate if it is not directly included
+ Element mandate = authData.getMandate();
+ if (mandate == null) {
+ throw new NoMandateDataAttributeException();
+ }
+ Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+ if (mandateObject == null) {
+ throw new NoMandateDataAttributeException();
+ }
+ PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
+ if (physicalPerson == null) {
+ Logger.error("No physicalPerson mandate");
+ throw new NoMandateDataAttributeException();
+ }
+ IdentificationType id = null;
+ id = physicalPerson.getIdentification().get(0);
+ if (id == null) {
+ Logger.error("Failed to generate IdentificationType");
+ throw new NoMandateDataAttributeException();
+ }
- if (id.getType().equals(Constants.URN_PREFIX_BASEID)) {
- if (oaParam.getBusinessService()) {
- bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier());
+ try {
+ if (id.getType().equals(Constants.URN_PREFIX_BASEID)) {
+ if (oaParam.getBusinessService()) {
+ bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier());
+
+ } else {
+ bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget());
+
+ }
- }
+ } else
+ bpk = id.getValue().getValue();
- else {
- bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget());
-
- }
+ }
+ catch (BuildException e) {
+ Logger.error("Failed to generate IdentificationType");
+ throw new NoMandateDataAttributeException();
- } else
- bpk = id.getValue().getValue();
-
- }
- catch (BuildException e) {
- Logger.error("Failed to generate IdentificationType");
- throw new NoMandateDataAttributeException();
+ }
}
return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bpk);
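Review bot: `physicalPerson.getIdentification().get(0)` throws `IndexOutOfBoundsException` when the mandate carries no identification, so the `id == null` check right after it never fires for that case and the caller gets an unchecked exception instead of `NoMandateDataAttributeException`; the legal-person builders in this commit guard this with a `size() == 0` check first, and the same three lines belong here: `if (physicalPerson.getIdentification().isEmpty()) { Logger.error("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); }`. When the bPK comes from `authData` directly, the `getBusinessService()`/`getTarget()` derivation is skipped entirely and the stored value is emitted for this SP as-is, which is only correct if whoever stores `MANDATE_NAT_PER_BPK_NAME` already computed it for this SP's sector — a comment on the direct path should state that assumption. The `} else` followed by a bare assignment without braces is a style slip in an otherwise fully braced method. `build`'s closing brace is outside the hunk.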
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java
index e644f49e4..663e927fc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java
@@ -32,13 +32,13 @@ import org.w3c.dom.Element;
import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.InvalidDateFormatAttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
import at.gv.egovernment.moa.id.util.MandateBuilder;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttributeBuilder {
@@ -49,33 +49,56 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
if (authData.isUseMandate()) {
- Element mandate = authData.getMandate();
- if (mandate == null) {
- throw new NoMandateDataAttributeException();
- }
- Mandate mandateObject = MandateBuilder.buildMandate(mandate);
- if (mandateObject == null) {
- throw new NoMandateDataAttributeException();
- }
- PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
- if (physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
- throw new NoMandateDataAttributeException();
- }
- String dateOfBirth = physicalPerson.getDateOfBirth();
- try {
- DateFormat mandateFormat = new SimpleDateFormat(MandateBuilder.MANDATE_DATE_OF_BIRTH_FORMAT);
- Date date = mandateFormat.parse(dateOfBirth);
- DateFormat pvpDateFormat = new SimpleDateFormat(MANDATE_NAT_PER_BIRTHDATE_FORMAT_PATTERN);
- String dateString = pvpDateFormat.format(date);
+ //get PVP attribute directly, if exists
+ String birthDayString = authData.getGenericData(MANDATE_NAT_PER_BIRTHDATE_NAME, String.class);
+
+ if (MiscUtil.isEmpty(birthDayString)) {
+ //read bPK from mandate if it is not directly included
+ Element mandate = authData.getMandate();
+ if (mandate == null) {
+ throw new NoMandateDataAttributeException();
+ }
+ Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+ if (mandateObject == null) {
+ throw new NoMandateDataAttributeException();
+ }
+ PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
+ if (physicalPerson == null) {
+ Logger.error("No physicalPerson mandate");
+ throw new NoMandateDataAttributeException();
+ }
+
+ String dateOfBirth = physicalPerson.getDateOfBirth();
+ try {
+ DateFormat mandateFormat = new SimpleDateFormat(MandateBuilder.MANDATE_DATE_OF_BIRTH_FORMAT);
+ mandateFormat.setLenient(false);
+ Date date = mandateFormat.parse(dateOfBirth);
+ DateFormat pvpDateFormat = new SimpleDateFormat(MANDATE_NAT_PER_BIRTHDATE_FORMAT_PATTERN);
+ birthDayString = pvpDateFormat.format(date);
+
+ }
+ catch (ParseException e) {
+ Logger.warn("MIS mandate birthday has an incorrect formt. (Value:" + dateOfBirth, e);
+ throw new InvalidDateFormatAttributeException();
+
+ }
+
+ } else {
+ try {
+ DateFormat pvpDateFormat = new SimpleDateFormat(MANDATE_NAT_PER_BIRTHDATE_FORMAT_PATTERN);
+ pvpDateFormat.setLenient(false);
+ pvpDateFormat.parse(birthDayString);
+
+ } catch (ParseException e) {
+ Logger.warn("Format of direct included PVP Attribute " + MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME
+ + " has an incorrect formt. (Value:" + birthDayString, e);
+ throw new InvalidDateFormatAttributeException();
+ }
- return g.buildStringAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME, dateString);
- }
- catch (ParseException e) {
- e.printStackTrace();
- throw new InvalidDateFormatAttributeException();
}
+
+ return g.buildStringAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME, birthDayString);
}
return null;
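Review bot: `pvpDateFormat.parse(birthDayString)` in the direct-value branch only validates a prefix, because `DateFormat.parse(String)` ignores trailing characters, so a value such as `2000-01-01junk` (constructed example) passes even with `setLenient(false)` and is forwarded unchanged as the attribute; normalising it with `birthDayString = pvpDateFormat.format(pvpDateFormat.parse(birthDayString));`, or parsing with a `ParsePosition` and checking that the index reached the end of the string, closes that gap. The comment `//read bPK from mandate if it is not directly included` was copied from the bPK builder and should read `//read date of birth from mandate if it is not directly included`. Both warn messages spell `formt` and open a `(Value:` that is never closed. They also write the raw birth date into the log, which may be undesirable for personal data. `build`'s closing brace is outside the hunk.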
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java
index fa3ad691d..dd49b2a1e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java
@@ -30,12 +30,12 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName;
import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
import at.gv.egovernment.moa.id.util.MandateBuilder;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
public class MandateNaturalPersonFamilyNameAttributeBuilder implements IPVPAttributeBuilder {
@@ -46,29 +46,38 @@ public class MandateNaturalPersonFamilyNameAttributeBuilder implements IPVPAttr
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
if(authData.isUseMandate()) {
- Element mandate = authData.getMandate();
- if(mandate == null) {
- throw new NoMandateDataAttributeException();
- }
- Mandate mandateObject = MandateBuilder.buildMandate(mandate);
- if(mandateObject == null) {
- throw new NoMandateDataAttributeException();
- }
- PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
- if(physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
- throw new NoMandateDataAttributeException();
- }
- StringBuilder sb = new StringBuilder();
- Iterator<FamilyName> fNamesit = physicalPerson.getName().getFamilyName().iterator();
+ //get PVP attribute directly, if exists
+ String familyName = authData.getGenericData(MANDATE_NAT_PER_FAMILY_NAME_NAME, String.class);
- while(fNamesit.hasNext()) {
- sb.append(" " + fNamesit.next().getValue());
+ if (MiscUtil.isEmpty(familyName)) {
+ //read mandator familyName from mandate if it is not directly included
+ Element mandate = authData.getMandate();
+ if(mandate == null) {
+ throw new NoMandateDataAttributeException();
+ }
+ Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+ if(mandateObject == null) {
+ throw new NoMandateDataAttributeException();
+ }
+ PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
+ if(physicalPerson == null) {
+ Logger.error("No physicalPerson mandate");
+ throw new NoMandateDataAttributeException();
+ }
+
+ StringBuilder sb = new StringBuilder();
+ Iterator<FamilyName> fNamesit = physicalPerson.getName().getFamilyName().iterator();
+
+ while(fNamesit.hasNext())
+ sb.append(" " + fNamesit.next().getValue());
+
+ familyName = sb.toString();
+
}
return g.buildStringAttribute(MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME,
- MANDATE_NAT_PER_FAMILY_NAME_NAME, sb.toString());
+ MANDATE_NAT_PER_FAMILY_NAME_NAME, familyName);
}
return null;
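Review bot: The fallback `while(fNamesit.hasNext())` now runs without braces, the only unbraced block in a method that braces everything else; `while (fNamesit.hasNext()) { sb.append(" " + fNamesit.next().getValue()); }` keeps it consistent with the surrounding code. The mandate path still yields a value with a leading space, since every part is appended as `" " + value`, while a directly stored `MANDATE_NAT_PER_FAMILY_NAME_NAME` presumably has none, so the two paths produce differently shaped attributes; either trimming `sb.toString()` or a comment explaining the difference would help. `build`'s closing brace is outside the hunk.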
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java
index 4c725c1c5..8948f1227 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java
@@ -29,12 +29,12 @@ import org.w3c.dom.Element;
import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
import at.gv.egovernment.moa.id.util.MandateBuilder;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttributeBuilder {
@@ -44,29 +44,36 @@ public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttrib
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
- if (authData.isUseMandate()) {
- Element mandate = authData.getMandate();
- if (mandate == null) {
- throw new NoMandateDataAttributeException();
- }
- Mandate mandateObject = MandateBuilder.buildMandate(mandate);
- if (mandateObject == null) {
- throw new NoMandateDataAttributeException();
- }
- PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
- if (physicalPerson == null) {
- Logger.error("No physicalPerson mandate");
- throw new NoMandateDataAttributeException();
- }
-
- StringBuilder sb = new StringBuilder();
- Iterator<String> gNamesit = physicalPerson.getName().getGivenName().iterator();
+ if (authData.isUseMandate()) {
+ //get PVP attribute directly, if exists
+ String givenName = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class);
- while (gNamesit.hasNext()) {
- sb.append(" " + gNamesit.next());
+ if (MiscUtil.isEmpty(givenName)) {
+ Element mandate = authData.getMandate();
+ if (mandate == null) {
+ throw new NoMandateDataAttributeException();
+ }
+ Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+ if (mandateObject == null) {
+ throw new NoMandateDataAttributeException();
+ }
+ PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
+ if (physicalPerson == null) {
+ Logger.error("No physicalPerson mandate");
+ throw new NoMandateDataAttributeException();
+ }
+
+ StringBuilder sb = new StringBuilder();
+ Iterator<String> gNamesit = physicalPerson.getName().getGivenName().iterator();
+
+ while (gNamesit.hasNext())
+ sb.append(" " + gNamesit.next());
+
+ givenName = sb.toString();
+
}
- return g.buildStringAttribute(MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, MANDATE_NAT_PER_GIVEN_NAME_NAME, sb.toString());
+ return g.buildStringAttribute(MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, MANDATE_NAT_PER_GIVEN_NAME_NAME, givenName);
}
return null;
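Review bot: The direct lookup reads `MANDATE_NAT_PER_BPK_NAME` instead of the given-name attribute, so whenever a bPK is stored in `authData` it is emitted as the mandator's given name and the real given name is never built from the mandate; the line should be `String givenName = authData.getGenericData(MANDATE_NAT_PER_GIVEN_NAME_NAME, String.class);`, matching the constant used in the `buildStringAttribute` call at the end of the hunk. Beyond being wrong, that would expose the bPK in a name attribute that relying parties receive. As in the family-name builder, the unbraced `while` and the leading space produced by `" " + gNamesit.next()` are worth tidying. `build`'s closing brace is outside the hunk.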
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java
index e70326114..d1da36aa3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java
@@ -26,7 +26,6 @@ import org.w3c.dom.Element;
import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.data.MISMandate;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
@@ -42,35 +41,37 @@ public class MandateProfRepDescAttributeBuilder implements IPVPAttributeBuilder
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
- if(authData.isUseMandate()) {
- String text = null;
+ if(authData.isUseMandate()) {
+ String profRepName = authData.getGenericData(MANDATE_PROF_REP_DESC_NAME, String.class);
- MISMandate misMandate = authData.getMISMandate();
-
- if(misMandate == null) {
- throw new NoMandateDataAttributeException();
- }
-
- text = misMandate.getTextualDescriptionOfOID();
-
- if (MiscUtil.isEmpty(text)) {
- Element mandate = authData.getMandate();
- if (mandate == null) {
+ if (MiscUtil.isEmpty(profRepName)) {
+ MISMandate misMandate = authData.getMISMandate();
+
+ if(misMandate == null) {
throw new NoMandateDataAttributeException();
}
- Mandate mandateObject = MandateBuilder.buildMandate(authData.getMandate());
- if (mandateObject == null) {
- throw new NoMandateDataAttributeException();
- }
-
- text = mandateObject.getAnnotation();
+ profRepName = misMandate.getTextualDescriptionOfOID();
+
+ if (MiscUtil.isEmpty(profRepName)) {
+ Element mandate = authData.getMandate();
+ if (mandate == null) {
+ throw new NoMandateDataAttributeException();
+ }
+ Mandate mandateObject = MandateBuilder.buildMandate(authData.getMandate());
+ if (mandateObject == null) {
+ throw new NoMandateDataAttributeException();
+ }
+
+ profRepName = mandateObject.getAnnotation();
+
+ }
}
- if(MiscUtil.isNotEmpty(text))
+ if(MiscUtil.isNotEmpty(profRepName))
return g.buildStringAttribute(MANDATE_PROF_REP_DESC_FRIENDLY_NAME,
- MANDATE_PROF_REP_DESC_NAME, text);
+ MANDATE_PROF_REP_DESC_NAME, profRepName);
}
return null;
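Review bot: `MandateBuilder.buildMandate(authData.getMandate())` re-fetches the mandate element that the line above just null-checked into `mandate`; `Mandate mandateObject = MandateBuilder.buildMandate(mandate);` uses the checked reference and avoids a second call whose result is not guarded. The other builders in this commit already pass the local `mandate`. `build`'s closing brace is outside the hunk.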
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java
index 89e9198b6..3cfc40d22 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java
@@ -23,7 +23,6 @@
package at.gv.egovernment.moa.id.protocols.builder.attributes;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.data.MISMandate;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
@@ -38,19 +37,23 @@ public class MandateProfRepOIDAttributeBuilder implements IPVPAttributeBuilder {
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
- if (authData.isUseMandate()) {
+ if (authData.isUseMandate()) {
+ String profRepOID = authData.getGenericData(MANDATE_PROF_REP_OID_NAME, String.class);
- MISMandate mandate = authData.getMISMandate();
- if (mandate == null) {
- throw new NoMandateDataAttributeException();
+ if (MiscUtil.isEmpty(profRepOID)) {
+ MISMandate mandate = authData.getMISMandate();
+ if (mandate == null) {
+ throw new NoMandateDataAttributeException();
+ }
+
+ profRepOID = mandate.getProfRep();
+
}
-
- String oid = mandate.getProfRep();
- if(MiscUtil.isEmpty(oid))
+ if(MiscUtil.isEmpty(profRepOID))
return null;
else
- return g.buildStringAttribute(MANDATE_PROF_REP_OID_FRIENDLY_NAME, MANDATE_PROF_REP_OID_NAME, oid);
+ return g.buildStringAttribute(MANDATE_PROF_REP_OID_FRIENDLY_NAME, MANDATE_PROF_REP_OID_NAME, profRepOID);
}
return null;
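Review bot: The value read at `authData.getGenericData(MANDATE_PROF_REP_OID_NAME, String.class)` is emitted as the attribute as soon as it is non-empty, without the MISMandate presence check that only the fallback branch performs, so the provenance of that generic session entry should be stated at the read site; a comment such as `//prefer the attribute value already stored in the session (e.g. received from a federated IDP), fall back to the local MIS mandate` would do. The same pattern appears in the hunk above using MANDATE_PROF_REP_DESC_NAME and in MandateTypeAttributeBuilder below, which at least carries the short `//get PVP attribute directly, if exists` comment this hunk lacks. The enclosing `build` method continues outside the hunk.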
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java
index 040174e26..573f0584a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java
@@ -26,11 +26,11 @@ import org.w3c.dom.Element;
import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
import at.gv.egovernment.moa.id.util.MandateBuilder;
+import at.gv.egovernment.moa.util.MiscUtil;
public class MandateTypeAttributeBuilder implements IPVPAttributeBuilder {
@@ -40,17 +40,26 @@ public class MandateTypeAttributeBuilder implements IPVPAttributeBuilder {
public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
IAttributeGenerator<ATT> g) throws AttributeException {
- if (authData.isUseMandate()) {
- Element mandate = authData.getMandate();
- if (mandate == null) {
- throw new NoMandateDataAttributeException();
- }
- Mandate mandateObject = MandateBuilder.buildMandate(mandate);
- if (mandateObject == null) {
- throw new NoMandateDataAttributeException();
- }
+ if (authData.isUseMandate()) {
+ //get PVP attribute directly, if exists
+ String mandateType = authData.getGenericData(MANDATE_TYPE_NAME, String.class);
- return g.buildStringAttribute(MANDATE_TYPE_FRIENDLY_NAME, MANDATE_TYPE_NAME, mandateObject.getAnnotation());
+ if (MiscUtil.isEmpty(mandateType)) {
+ Element mandate = authData.getMandate();
+ if (mandate == null) {
+ throw new NoMandateDataAttributeException();
+
+ }
+ Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+ if (mandateObject == null) {
+ throw new NoMandateDataAttributeException();
+
+ }
+ mandateType = mandateObject.getAnnotation();
+
+ }
+
+ return g.buildStringAttribute(MANDATE_TYPE_FRIENDLY_NAME, MANDATE_TYPE_NAME, mandateType);
}
return null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index bd6399377..c733e662a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -50,7 +50,6 @@ import at.gv.egovernment.moa.id.moduls.IRequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
@@ -80,31 +79,29 @@ public class AttributQueryAction implements IAction {
* @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.data.IAuthData)
*/
@Override
- public SLOInformationInterface processRequest(IRequest req,
+ public SLOInformationInterface processRequest(IRequest pendingReq,
HttpServletRequest httpReq, HttpServletResponse httpResp,
IAuthData authData) throws MOAIDException {
- if (req instanceof PVPTargetConfiguration &&
- ((PVPTargetConfiguration) req).getRequest() instanceof MOARequest &&
- ((MOARequest)((PVPTargetConfiguration) req).getRequest()).getSamlRequest() instanceof AttributeQuery) {
+ if (pendingReq instanceof PVPTargetConfiguration &&
+ ((PVPTargetConfiguration) pendingReq).getRequest() instanceof MOARequest &&
+ ((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest() instanceof AttributeQuery) {
- AttributeQuery attrQuery = (AttributeQuery)((MOARequest)((PVPTargetConfiguration) req).getRequest()).getSamlRequest();
+ //set time reference
+ DateTime date = new DateTime();
- //load moaSession
- String nameID = attrQuery.getSubject().getNameID().getValue();
+ //load session and request information
+ AuthenticationSession moaSession =
+ pendingReq.getGenericData(PVPTargetConfiguration.DATAID_MOASESSION, AuthenticationSession.class);
+
+ AttributeQuery attrQuery =
+ (AttributeQuery)((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest();
- AuthenticationSession session = authenticationSessionStorage.getSessionWithUserNameID(nameID);
- if (session == null) {
- Logger.warn("AttributeQuery nameID does not match to an active single sign-on session.");
- throw new AttributQueryException("AttributeQuery nameID does not match to an active single sign-on session.", null);
-
- }
-
- DateTime date = new DateTime();
- //generate authData
- authData = authDataBuilder.buildAuthenticationData(req, session, attrQuery.getAttributes());
+ //generate authData for AttributQueryRequest
+ authData = authDataBuilder.buildAuthenticationDataForAttributQuery(pendingReq, moaSession, attrQuery.getAttributes());
+
//add default attributes in case of mandates or STORK is in use
List<String> attrList = addDefaultAttributes(attrQuery, authData);
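Review bot: `moaSession` loaded via `pendingReq.getGenericData(PVPTargetConfiguration.DATAID_MOASESSION, AuthenticationSession.class)` is passed straight to `buildAuthenticationDataForAttributQuery` without a null check, whereas the removed code failed explicitly when no session matched the nameID. The lookup now lives in PVP2XProtocol's pre-processing, but this action cannot see whether every path that selects it also stores the session, so a guard like `if (moaSession == null) throw new MOAIDException("<message-key placeholder>", new Object[] {});` before the builder call keeps the failure deliberate instead of a NullPointerException inside the builder. `processRequest` continues beyond the hunk.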
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 08d9f67b6..57c1aa8af 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -57,11 +57,15 @@ import org.springframework.web.bind.annotation.RequestMethod;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.builder.DynamicOAAuthParameterBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.moduls.IRequest;
import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException;
@@ -83,6 +87,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SLOException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
@@ -188,7 +193,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
req.getRemoteAddr());
//get POST-Binding decoder implementation
- InboundMessage msg = (InboundMessage) new PostBinding().decode(req, resp, false);
+ InboundMessage msg = (InboundMessage) new PostBinding().decode(req, resp, MOAMetadataProvider.getInstance(), false);
pendingReq.setRequest(msg);
//preProcess Message
@@ -236,7 +241,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
req.getRemoteAddr());
//get POST-Binding decoder implementation
- InboundMessage msg = (InboundMessage) new RedirectBinding().decode(req, resp, false);
+ InboundMessage msg = (InboundMessage) new RedirectBinding().decode(req, resp, MOAMetadataProvider.getInstance(), false);
pendingReq.setRequest(msg);
//preProcess Message
@@ -261,9 +266,57 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
}
+ //PVP2.x IDP SOAP-Binding end-point
+ @RequestMapping(value = "/pvp2/soap", method = {RequestMethod.POST})
+ public void PVPIDPSOAPRequest(HttpServletRequest req, HttpServletResponse resp) throws MOAIDException {
+ if (!authConfig.getAllowedProtocols().isPVP21Active()) {
+ Logger.info("PVP2.1 is deaktivated!");
+ throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME });
+
+ }
+
+ try {
+ //create pendingRequest object
+ PVPTargetConfiguration pendingReq = applicationContext.getBean(PVPTargetConfiguration.class);
+ pendingReq.initialize(req);
+ pendingReq.setModule(NAME);
+
+ revisionsLogger.logEvent(MOAIDEventConstants.SESSION_CREATED, pendingReq.getUniqueSessionIdentifier());
+ revisionsLogger.logEvent(MOAIDEventConstants.TRANSACTION_CREATED, pendingReq.getUniqueTransactionIdentifier());
+ revisionsLogger.logEvent(
+ pendingReq.getUniqueSessionIdentifier(),
+ pendingReq.getUniqueTransactionIdentifier(),
+ MOAIDEventConstants.TRANSACTION_IP,
+ req.getRemoteAddr());
+
+ //get POST-Binding decoder implementation
+ InboundMessage msg = (InboundMessage) new SoapBinding().decode(req, resp, MOAMetadataProvider.getInstance(), false);
+ pendingReq.setRequest(msg);
+
+ //preProcess Message
+ preProcess(req, resp, pendingReq);
+
+ } catch (SecurityPolicyException e) {
+ String samlRequest = req.getParameter("SAMLRequest");
+ Logger.warn("Receive INVALID protocol request: " + samlRequest, e);
+ throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
+
+ } catch (SecurityException e) {
+ String samlRequest = req.getParameter("SAMLRequest");
+ Logger.warn("Receive INVALID protocol request: " + samlRequest, e);
+ throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()});
+
+ } catch (Throwable e) {
+ String samlRequest = req.getParameter("SAMLRequest");
+ Logger.warn("Receive INVALID protocol request: " + samlRequest, e);
+
+ throw new MOAIDException(e.getMessage(), new Object[] {});
+ }
+ }
+
- public void preProcess(HttpServletRequest request,
+ private void preProcess(HttpServletRequest request,
HttpServletResponse response, PVPTargetConfiguration pendingReq) throws Throwable {
InboundMessage msg = pendingReq.getRequest();
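Review bot: All three catch blocks of `PVPIDPSOAPRequest` log `req.getParameter("SAMLRequest")`, but a SOAP-bound request carries the SAML message in the POST body rather than in a form parameter, so this will most likely log `null` and give no context; logging the remote address instead, e.g. `Logger.warn("Receive INVALID protocol request from " + req.getRemoteAddr(), e);`, is at least always meaningful. `catch (Throwable e)` also wraps JVM errors and hands `e.getMessage()` to `MOAIDException`, which may surface internal detail to the caller depending on the outer exception handling; catching `Exception` and using a fixed message key is the safer shape. The comment `//get POST-Binding decoder implementation` is copied from the POST endpoint and should read `//get SOAP-Binding decoder implementation`, and the method name `PVPIDPSOAPRequest` does not follow lowerCamelCase.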
@@ -274,7 +327,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
}
if(!msg.isVerified()) {
- samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine());
+ samlVerificationEngine.verify(msg,
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance()));
msg.setVerified(true);
}
@@ -521,7 +575,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
throw new WrongParametersException("StartAuthentication",
PARAM_OA, "auth.12");
- OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(moaRequest.getEntityID());
+ OAAuthParameter oa = authConfig.getOnlineApplicationParameter(moaRequest.getEntityID());
if (!oa.isInderfederationIDP()) {
Logger.warn("AttributeQuery requests are only allowed for interfederation IDPs.");
throw new AttributQueryException("AttributeQuery requests are only allowed for interfederation IDPs.", null);
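Review bot: `oa` returned by `authConfig.getOnlineApplicationParameter(moaRequest.getEntityID())` is dereferenced on the next line without a null check, so an AttributeQuery from an entityID with no configured online application would end in a NullPointerException rather than a clear rejection, presumably surfacing through the generic Throwable handler of the endpoint. Whether the method can return null is not visible here; if it can, `if (oa == null) throw new AttributQueryException("No online application configured for entityID " + moaRequest.getEntityID(), null);` before the interfederation check gives a deliberate failure. The enclosing method starts and ends outside the hunk.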
@@ -533,17 +587,39 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
throw new AttributQueryException("Interfederation IDP does not allow outgoing SSO interfederation.", null);
}
+
+ //check active MOASession
+ String nameID = attrQuery.getSubject().getNameID().getValue();
+ AuthenticationSession session = authenticatedSessionStorage.getSessionWithUserNameID(nameID);
+ if (session == null) {
+ Logger.warn("AttributeQuery nameID does not match to an active single sign-on session.");
+ throw new AttributQueryException("AttributeQuery nameID does not match to an active single sign-on session.", null);
+ }
+
+ //search federated IDP information for this MOASession
+
+
+ InterfederationSessionStore interfIDP =
+ authenticatedSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session);
+
+ //build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration
+ IOAAuthParameters spConfig = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(oa, attrQuery.getAttributes(), interfIDP);
+
+ //set preProcessed information into pending-request
pendingReq.setRequest(moaRequest);
pendingReq.setOAURL(moaRequest.getEntityID());
- pendingReq.setOnlineApplicationConfiguration(oa);
+ pendingReq.setOnlineApplicationConfiguration(spConfig);
pendingReq.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
- //Attribute-Query Request needs authentication
- pendingReq.setNeedAuthentication(true);
-
+ //Attribute-Query Request needs authentication, because session MUST be already authenticated
+ pendingReq.setNeedAuthentication(false);
+
//set protocol action, which should be executed after authentication
pendingReq.setAction(AttributQueryAction.class.getName());
+
+ //add moasession
+ pendingReq.setGenericDataToSession(PVPTargetConfiguration.DATAID_MOASESSION, session);
//write revisionslog entry
revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_ATTRIBUTQUERY);
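Review bot: The comment `//Attribute-Query Request needs authentication, because session MUST be already authenticated` contradicts the value set on the next line, `pendingReq.setNeedAuthentication(false);`; it should say that no further authentication step is run because the query was already bound to an active SSO session by the nameID lookup above, e.g. `//no authentication step: the query is bound to an already authenticated SSO session (see nameID check above)`. `interfIDP` from `searchInterfederatedIDPFORAttributeQueryWithSessionID(session)` is handed to `DynamicOAAuthParameterBuilder.buildFromAttributeQuery` without a null check; if the builder does not tolerate a missing federation entry (not visible in this diff), that should be checked here with an explicit exception. The two blank lines after `//search federated IDP information for this MOASession` look like leftovers. The enclosing method starts and ends outside the hunk.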
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
index 1d2754e3f..c2b61aaa7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
@@ -276,6 +276,6 @@ public interface PVPConstants {
public static final int CHARGE_CODE_MAX_LENGTH = 32767;
public static final String PVP_HOLDEROFKEY_OID = "1.2.40.0.10.2.1.1.261.xx.xx";
- public static final String PVP_HOLDEROFKEY_NAME = URN_OID_PREFIX + PVP_VERSION_OID;
+ public static final String PVP_HOLDEROFKEY_NAME = URN_OID_PREFIX + PVP_HOLDEROFKEY_OID;
public static final String PVP_HOLDEROFKEY_FRIENDLY_NAME = "HOLDER-OF-KEY-CERTIFICATE";
}
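Review bot: `PVP_HOLDEROFKEY_NAME` now derives from `PVP_HOLDEROFKEY_OID`, which is the right constant, but that OID is still the placeholder `"1.2.40.0.10.2.1.1.261.xx.xx"`, so the attribute name built here is not a valid OID URN and will never match a real attribute name. A `//TODO: replace placeholder once the OID is assigned` next to the OID makes that visible to whoever starts emitting or matching this attribute.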
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
index 27773a248..a8e02c317 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
@@ -46,6 +46,12 @@ import at.gv.egovernment.moa.logging.Logger;
@Scope(value = BeanDefinition.SCOPE_PROTOTYPE)
public class PVPTargetConfiguration extends RequestImpl {
+ public static final String DATAID_MOASESSION = "moasession";
+ public static final String DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP = "useMinimalFrontChannelResponse";
+ public static final String DATAID_INTERFEDERATION_NAMEID = "federatedNameID";
+ public static final String DATAID_INTERFEDERATION_QAALEVEL = "federatedQAALevel";
+ public static final String DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID = "attrQueryContainerID";
+
private static final long serialVersionUID = 4889919265919638188L;
InboundMessage request;
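Review bot: The five new `DATAID_*` keys are undocumented, although a reader of `getGenericData` must pass the matching class for each of them. From this diff only `DATAID_MOASESSION` is exercised — it carries an `AuthenticationSession` (set in PVP2XProtocol, read in AttributQueryAction) — so `/** key of the AuthenticationSession bound to an AttributeQuery request */` fits there, and the other four keys should get a similar one-line comment stating the stored type once their writers exist.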
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
index 6619876dc..86b31f1eb 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
@@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.xml.security.SecurityException;
@@ -33,7 +34,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface
public interface IDecoder {
public InboundMessageInterface decode(HttpServletRequest req,
- HttpServletResponse resp, boolean isSPEndPoint)
+ HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint)
throws MessageDecodingException, SecurityException, PVP2Exception;
public boolean handleDecode(String action, HttpServletRequest req);
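Review bot: The new `metadataProvider` parameter of `decode` has no Javadoc although it is security relevant: the implementations pass it to `TrustEngineFactory.getSignatureKnownKeysTrustEngine(...)`, so it determines which signing keys an inbound message is verified against. Add a method comment such as `@param metadataProvider SAML2 metadata used to resolve the peer entity and the trusted signing keys for this message` and state whether `null` is permitted.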
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index ebb4b2991..6d376faa0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -37,6 +37,7 @@ import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.security.SecurityPolicyResolver;
@@ -56,7 +57,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
-import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOAPVPSignedRequestPolicyRule;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.id.util.HTTPUtils;
@@ -146,7 +146,7 @@ public class PostBinding implements IDecoder, IEncoder {
}
public InboundMessageInterface decode(HttpServletRequest req,
- HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException,
+ HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint) throws MessageDecodingException,
SecurityException {
HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
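Review bot: `decode` accepts `metadataProvider` and installs it unchecked into the message context; a null value would reach `TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)`, and what happens then depends on the factory, which is not visible here. A fail-fast `Objects.requireNonNull(metadataProvider, "metadataProvider");` (java.util.Objects) as the first statement of `decode` makes the contract explicit; the same applies to RedirectBinding and SoapBinding, whose `decode` signatures change identically in this commit. `decode` continues beyond the hunk.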
@@ -168,13 +168,13 @@ public class PostBinding implements IDecoder, IEncoder {
throw new SecurityException(e);
}
- messageContext.setMetadataProvider(MOAMetadataProvider.getInstance());
+ messageContext.setMetadataProvider(metadataProvider);
//set security policy context
BasicSecurityPolicy policy = new BasicSecurityPolicy();
policy.getPolicyRules().add(
new MOAPVPSignedRequestPolicyRule(
- TrustEngineFactory.getSignatureKnownKeysTrustEngine(),
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider),
messageContext.getPeerEntityRole()));
SecurityPolicyResolver secResolver = new StaticSecurityPolicyResolver(policy);
messageContext.setSecurityPolicyResolver(secResolver);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 0ff18d903..683a72e67 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -38,6 +38,7 @@ import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.security.SecurityPolicyResolver;
@@ -133,7 +134,7 @@ public class RedirectBinding implements IDecoder, IEncoder {
}
public InboundMessageInterface decode(HttpServletRequest req,
- HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException,
+ HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint) throws MessageDecodingException,
SecurityException {
HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(
@@ -159,10 +160,10 @@ public class RedirectBinding implements IDecoder, IEncoder {
}
- messageContext.setMetadataProvider(MOAMetadataProvider.getInstance());
+ messageContext.setMetadataProvider(metadataProvider);
SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
- TrustEngineFactory.getSignatureKnownKeysTrustEngine());
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
BasicSecurityPolicy policy = new BasicSecurityPolicy();
policy.getPolicyRules().add(signatureRule);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index cc3553551..12b571ed1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -34,6 +34,7 @@ import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.soap.soap11.Envelope;
@@ -63,7 +64,7 @@ public class SoapBinding implements IDecoder, IEncoder {
@Autowired private IDPCredentialProvider credentialProvider;
public InboundMessageInterface decode(HttpServletRequest req,
- HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException,
+ HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint) throws MessageDecodingException,
SecurityException, PVP2Exception {
HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(new BasicParserPool());
BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext =
@@ -71,7 +72,7 @@ public class SoapBinding implements IDecoder, IEncoder {
messageContext
.setInboundMessageTransport(new HttpServletRequestAdapter(
req));
- messageContext.setMetadataProvider(MOAMetadataProvider.getInstance());
+ messageContext.setMetadataProvider(metadataProvider);
//TODO: update in a futher version:
// requires a special SignedSOAPRequestPolicyRole because
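Review bot: Unlike PostBinding and RedirectBinding, this decoder still installs no signature policy rule (the TODO below says so), while the commit now routes the new `/pvp2/soap` IDP endpoint through it; signature verification of SOAP-bound requests therefore rests entirely on the later `samlVerificationEngine.verify` call in PVP2XProtocol guarded by `msg.isVerified()`. That dependency should be written down at this TODO, e.g. `//NOTE: no signature policy rule here; callers MUST verify the returned message via the SAML verification engine before processing it`, so a future caller of `decode` does not treat the returned message as authenticated.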
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java
index 23ea4d7ee..164583f77 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java
@@ -29,24 +29,22 @@ import java.util.List;
import java.util.ServiceLoader;
import org.opensaml.saml2.core.Attribute;
-
-import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder;
-import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator;
+import org.opensaml.saml2.metadata.RequestedAttribute;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.data.IAuthData;
-
+import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.SamlAttributeGenerator;
-
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.InvalidDateFormatAttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
-
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidDateFormatException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
public class PVPAttributeBuilder {
@@ -148,4 +146,13 @@ public class PVPAttributeBuilder {
return attributes;
}
+ public static RequestedAttribute buildReqAttribute(String name, String friendlyName, boolean required) {
+ RequestedAttribute attribute = SAML2Utils.createSAMLObject(RequestedAttribute.class);
+ attribute.setIsRequired(required);
+ attribute.setName(name);
+ attribute.setFriendlyName(friendlyName);
+ attribute.setNameFormat(Attribute.URI_REFERENCE);
+ return attribute;
+ }
+
}
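Review bot: `buildReqAttribute` is a new public static method without Javadoc; document that it builds a SAML2 metadata `RequestedAttribute` with `Attribute.URI_REFERENCE` as the fixed name format, with `@param required whether the attribute is flagged isRequired`. `name` is not validated; if an empty name is never meaningful here, `Objects.requireNonNull(name, "name");` (java.util.Objects) at the top is cheap and gives a clear failure.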
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
index 312bb823d..0a0be2a2c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
@@ -33,9 +33,11 @@ import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.NameIDType;
import org.opensaml.saml2.core.RequestedAuthnContext;
+import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.ws.message.encoder.MessageEncodingException;
@@ -51,6 +53,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestBuildExce
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
/**
* @author tlenz
@@ -98,7 +101,7 @@ public class PVPAuthnRequestBuilder {
if (endpoint == null) {
Logger.warn("Building AuthnRequest FAILED: > Requested IDP " + idpEntity.getEntityID()
+ " does not support POST or Redirect Binding.");
- throw new AuthnRequestBuildException("sp.pvp2.00", new Object[]{idpEntity.getEntityID()});
+ throw new AuthnRequestBuildException("sp.pvp2.00", new Object[]{config.getSPNameForLogging(), idpEntity.getEntityID()});
} else
authReq.setDestination(endpoint.getLocation());
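Review bot: The `sp.pvp2.00` exception now receives two arguments, `config.getSPNameForLogging()` followed by the entity ID, so the message template behind that key must reference both placeholders in the new order; the resource bundle is not part of this diff, so please confirm it was updated, otherwise the IDP entity ID silently moves into the wrong placeholder. The enclosing method starts and ends outside the hunk.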
@@ -148,7 +151,23 @@ public class PVPAuthnRequestBuilder {
reqAuthContext.getAuthnContextClassRefs().add(authnClassRef);
authReq.setRequestedAuthnContext(reqAuthContext);
}
-
+
+ //set request Subject element
+ if (MiscUtil.isNotEmpty(config.getSubjectNameID())) {
+ Subject reqSubject = SAML2Utils.createSAMLObject(Subject.class);
+ NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class);
+
+ subjectNameID.setValue(config.getSubjectNameID());
+ if (MiscUtil.isNotEmpty(config.getSubjectNameIDFormat()))
+ subjectNameID.setFormat(config.getSubjectNameIDFormat());
+ else
+ subjectNameID.setFormat(NameID.TRANSIENT);
+
+ reqSubject.setNameID(subjectNameID);
+ authReq.setSubject(reqSubject );
+
+ }
+
//TODO: implement requested attributes
//maybe: config.getRequestedAttributes();
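Review bot: Minor style in the new Subject block: `authReq.setSubject(reqSubject );` has a stray space before the parenthesis, and the `if`/`else` choosing the format is unbraced. The silent fallback to `NameID.TRANSIENT` changes what the IDP is asked to match whenever the configuration omits the format; a comment at that line, `//default per IPVPAuthnRequestBuilderConfiguruation.getSubjectNameIDFormat(): transient`, ties the default to its contract. The enclosing method continues outside the hunk.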
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index af22a2d7e..03cfe27d7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -284,6 +284,7 @@ public class PVP2AssertionBuilder implements PVPConstants {
NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class);
//build nameID and nameID Format from moasession
+ //TODO: nameID generation
if (authData.isUseMandate()) {
Element mandate = authData.getMandate();
if(mandate == null) {
@@ -395,7 +396,10 @@ public class PVP2AssertionBuilder implements PVPConstants {
subjectNameID.setValue(authData.getNameID());
sessionIndex = authData.getSessionIndex();
- } else
+ }
+
+ //
+ if (MiscUtil.isEmpty(sessionIndex))
sessionIndex = SAML2Utils.getSecureIdentifier();
SubjectConfirmationData subjectConfirmationData = SAML2Utils
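Review bot: The line `//` above `if (MiscUtil.isEmpty(sessionIndex))` is an empty comment; it should say why an identifier is generated, e.g. `//no sessionIndex carried over: generate a fresh secure one`. Note the behaviour change versus the removed `else`: the branch that sets `sessionIndex = authData.getSessionIndex()` now also gets a generated index when that value is empty, rather than an empty sessionIndex, which looks intended but is worth stating in the commit message. The enclosing method starts and ends outside the hunk.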
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java
index e0994ff19..9a51e75e4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java
@@ -285,4 +285,12 @@ public class IDPPVPMetadataConfiguration implements IPVPMetadataBuilderConfigura
return null;
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#getSPNameForLogging()
+ */
+ @Override
+ public String getSPNameForLogging() {
+ return "MOA-ID-Auth";
+ }
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java
index d51231044..e209d0bc5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java
@@ -33,6 +33,13 @@ import org.opensaml.xml.security.credential.Credential;
public interface IPVPAuthnRequestBuilderConfiguruation {
/**
+ * Defines a unique name for this PVP Service-provider, which is used for logging
+ *
+ * @return
+ */
+ public String getSPNameForLogging();
+
+ /**
* If true, the SAML2 isPassive flag is set in the AuthnRequest
*
* @return
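Review bot: The Javadoc for the new `getSPNameForLogging()` has an empty `@return` tag, which renders as nothing and is reported by a doclint-enabled build; suggest `@return unique, human-readable name of this service-provider, never null`. The same empty tag appears in the identical declaration added to `IPVPMetadataBuilderConfiguration` further down, and the `(non-Javadoc)` override in `IDPPVPMetadataConfiguration` could then simply use `{@inheritDoc}`.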
@@ -110,5 +117,13 @@ public interface IPVPAuthnRequestBuilderConfiguruation {
* @return SubjectNameID, or null if no SubjectNameID should be used
*/
public String getSubjectNameID();
+
+ /**
+ * Define the format of the subjectNameID, which is included in authn-request
+ *
+ *
+ * @return nameIDFormat, of SAML2 'transient' if nothing is defined
+ */
+ public String getSubjectNameIDFormat();
}
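Review bot: The `@return` of `getSubjectNameIDFormat()` reads "nameIDFormat, of SAML2 'transient' if nothing is defined", where "of" should be "or"; since this tag is the only place that states the fallback behaviour, suggest `@return nameIDFormat, or SAML2 'transient' if nothing is defined`. The doubled blank `*` line before the tag can be dropped.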
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java
index 52096fd19..56274535b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java
@@ -40,6 +40,13 @@ public interface IPVPMetadataBuilderConfiguration {
/**
+ * Defines a unique name for this PVP Service-provider, which is used for logging
+ *
+ * @return
+ */
+ public String getSPNameForLogging();
+
+ /**
* Set metadata valid area
*
* @return valid until in hours [h]
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 03fa686f9..6e87abb06 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -31,12 +31,9 @@ import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
-import java.util.Timer;
-import javax.net.ssl.SSLHandshakeException;
import javax.xml.namespace.QName;
-import org.apache.commons.httpclient.MOAHttpClient;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.RoleDescriptor;
@@ -47,20 +44,13 @@ import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider;
import org.opensaml.xml.XMLObject;
-import org.opensaml.xml.parse.BasicParserPool;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
-import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
-import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing;
import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
-import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter;
@@ -68,7 +58,8 @@ import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.MiscUtil;
-public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbageCollectorProcessing {
+public class MOAMetadataProvider extends SimpleMOAMetadataProvider
+ implements ObservableMetadataProvider, IGarbageCollectorProcessing {
private static MOAMetadataProvider instance = null;
private static Object mutex = new Object();
@@ -151,10 +142,9 @@ public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbage
String oaFriendlyName = oaParam.getFriendlyName();
ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
- HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL,
- cert, oaFriendlyName,
- buildMetadataFilterChain(oaParam, metadataURL,
- cert));
+ HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL,
+ buildMetadataFilterChain(oaParam, metadataURL, cert),
+ oaFriendlyName);
chainProvider.addMetadataProvider(newMetadataProvider);
@@ -264,11 +254,9 @@ public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbage
Logger.info("Loading metadata for: " + oaFriendlyName);
httpProvider = createNewHTTPMetaDataProvider(
- metadataurl,
- cert,
- oaFriendlyName,
- buildMetadataFilterChain(oaParam, metadataurl,
- cert));
+ metadataurl,
+ buildMetadataFilterChain(oaParam, metadataurl, cert),
+ oaFriendlyName);
if (httpProvider != null)
providersinuse.put(metadataurl, httpProvider);
@@ -389,10 +377,8 @@ public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbage
if (!providersinuse.containsKey(metadataurl)) {
httpProvider = createNewHTTPMetaDataProvider(
metadataurl,
- cert,
- oaFriendlyName,
- buildMetadataFilterChain(oaParam, metadataurl,
- cert));
+ buildMetadataFilterChain(oaParam, metadataurl, cert),
+ oaFriendlyName);
if (httpProvider != null)
providersinuse.put(metadataurl, httpProvider);
@@ -450,86 +436,7 @@ public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbage
return filterChain;
}
-
- private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName, PVPMetadataFilterChain filter) {
- HTTPMetadataProvider httpProvider = null;
- Timer timer= null;
- MOAHttpClient httpClient = null;
- try {
- httpClient = new MOAHttpClient();
-
- if (metadataURL.startsWith("https:")) {
- try {
- MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
- PVPConstants.SSLSOCKETFACTORYNAME,
- AuthConfigurationProviderFactory.getInstance().getCertstoreDirectory(),
- AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(),
- null,
- AuthConfiguration.DEFAULT_X509_CHAININGMODE,
- AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking());
-
- httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
-
- } catch (MOAHttpProtocolSocketFactoryException e) {
- Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
-
- }
- }
-
- timer = new Timer();
- httpProvider = new HTTPMetadataProvider(timer, httpClient,
- metadataURL);
- httpProvider.setParserPool(new BasicParserPool());
- httpProvider.setRequireValidMetadata(true);
- httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
- httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
- //httpProvider.setRefreshDelayFactor(0.1F);
-
- if (filter == null) {
- filter = new PVPMetadataFilterChain(metadataURL, certificate);
- }
- httpProvider.setMetadataFilter(filter);
- httpProvider.initialize();
-
- httpProvider.setRequireValidMetadata(true);
-
- return httpProvider;
-
- } catch (Throwable e) {
- if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
- Logger.warn("SSL-Server certificate for metadata "
- + metadataURL + " not trusted.", e);
-
- } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {
- Logger.warn("Signature verification for metadata"
- + metadataURL + " FAILED.", e);
-
- } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
- Logger.warn("Schema validation for metadata "
- + metadataURL + " FAILED.", e);
- }
-
- Logger.error(
- "Failed to add Metadata file for "
- + oaName + "[ "
- + e.getMessage() + " ]", e);
-
- if (httpProvider != null) {
- Logger.debug("Destroy failed Metadata provider");
- httpProvider.destroy();
- }
-
- if (timer != null) {
- Logger.debug("Destroy Timer.");
- timer.cancel();
- }
-
-
- }
- return null;
- }
-
public boolean requireValidMetadata() {
return internalProvider.requireValidMetadata();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java
new file mode 100644
index 000000000..6d646c609
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java
@@ -0,0 +1,135 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.metadata;
+
+import java.util.Timer;
+
+import javax.net.ssl.SSLHandshakeException;
+
+import org.apache.commons.httpclient.MOAHttpClient;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
+import org.opensaml.xml.parse.BasicParserPool;
+
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
+import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
+
+ /**
+ * Create a single SAML2 HTTP metadata provider
+ *
+ * @param metadataURL URL, where the metadata should be loaded
+ * @param filter Filters, which should be used to validate the metadata
+ * @param IdForLogging Id, which is used for Logging
+ *
+ * @return SAML2 Metadata Provider
+ */
+ protected HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, MetadataFilter filter, String IdForLogging ) {
+ HTTPMetadataProvider httpProvider = null;
+ Timer timer= null;
+ MOAHttpClient httpClient = null;
+ try {
+ httpClient = new MOAHttpClient();
+
+ if (metadataURL.startsWith("https:")) {
+ try {
+ MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+ PVPConstants.SSLSOCKETFACTORYNAME,
+ AuthConfigurationProviderFactory.getInstance().getCertstoreDirectory(),
+ AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(),
+ null,
+ AuthConfiguration.DEFAULT_X509_CHAININGMODE,
+ AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking());
+
+ httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
+
+ } catch (MOAHttpProtocolSocketFactoryException e) {
+ Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
+
+ }
+ }
+
+ timer = new Timer();
+ httpProvider = new HTTPMetadataProvider(timer, httpClient,
+ metadataURL);
+ httpProvider.setParserPool(new BasicParserPool());
+ httpProvider.setRequireValidMetadata(true);
+ httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
+ httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
+ //httpProvider.setRefreshDelayFactor(0.1F);
+
+ httpProvider.setMetadataFilter(filter);
+ httpProvider.initialize();
+
+ httpProvider.setRequireValidMetadata(true);
+
+ return httpProvider;
+
+ } catch (Throwable e) {
+ if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
+ Logger.warn("SSL-Server certificate for metadata "
+ + metadataURL + " not trusted.", e);
+
+ } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {
+ Logger.warn("Signature verification for metadata"
+ + metadataURL + " FAILED.", e);
+
+ } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
+ Logger.warn("Schema validation for metadata "
+ + metadataURL + " FAILED.", e);
+ }
+
+ Logger.error(
+ "Failed to load Metadata file for "
+ + IdForLogging + "[ "
+ + e.getMessage() + " ]", e);
+
+ if (httpProvider != null) {
+ Logger.debug("Destroy failed Metadata provider");
+ httpProvider.destroy();
+ }
+
+ if (timer != null) {
+ Logger.debug("Destroy Timer.");
+ timer.cancel();
+ }
+
+
+ }
+
+ return null;
+ }
+
+}
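Review bot: `httpProvider.setMetadataFilter(filter)` at the end of the try block accepts a null `filter` silently, whereas the implementation this replaces (removed from `MOAMetadataProvider` in the same commit) fell back to `new PVPMetadataFilterChain(metadataURL, certificate)` when none was supplied; with that fallback gone, a caller passing null presumably gets a provider whose metadata is never signature- or schema-checked, which is exactly what these filters exist to enforce. Suggest failing fast at the top of the method, `Objects.requireNonNull(filter, "metadata filter must not be null");` (needs `import java.util.Objects;`), or at least stating in the `@param filter` Javadoc that callers must always pass a validating filter. Separately, the parameter `IdForLogging` should be `idForLogging` per Java naming, and the class Javadoc carries only `@author`, so a one-sentence purpose such as `Base class providing the shared construction of HTTP-based SAML2 metadata providers.` would help.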
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
index 9c294245f..8787df82d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -24,9 +24,11 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import java.util.Set;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
@@ -111,7 +113,7 @@ public class AssertionAttributeExtractor {
*
* @return
*/
- public boolean containsAllRequiredAttributes(List<String> attributeNameList) {
+ public boolean containsAllRequiredAttributes(Collection<String> attributeNameList) {
//first check if a bPK or an encrypted bPK is available
if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) ||
@@ -152,6 +154,16 @@ public class AssertionAttributeExtractor {
}
+ /**
+ * Return all include PVP attribute names
+ *
+ * @return
+ */
+ public Set<String> getAllIncludeAttributeNames() {
+ return attributs.keySet();
+
+ }
+
// public PersonalAttributeList getSTORKAttributes() {
// return storkAttributes;
// }
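Review bot: `getAllIncludeAttributeNames()` returns `attributs.keySet()`, a live view of the extractor's internal map, so a caller can remove attributes from this extractor by mutating the returned set. Suggest `return Collections.unmodifiableSet(attributs.keySet());` (with `import java.util.Collections;` added to the import hunk above), and the Javadoc should fill its empty `@return`, e.g. `@return unmodifiable set of all PVP attribute names contained in the assertion`. The summary line's "include" should read "included".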
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java
index 67a91f6e1..3ea124db6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java
@@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
import java.util.ArrayList;
import java.util.List;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
@@ -35,8 +36,6 @@ import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
//import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine;
-
-import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
//import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver;
public class TrustEngineFactory {
@@ -65,11 +64,10 @@ public class TrustEngineFactory {
// }
// }
- public static SignatureTrustEngine getSignatureKnownKeysTrustEngine() {
+ public static SignatureTrustEngine getSignatureKnownKeysTrustEngine(MetadataProvider provider) {
MetadataCredentialResolver resolver;
- resolver = new MetadataCredentialResolver(
- MOAMetadataProvider.getInstance());
+ resolver = new MetadataCredentialResolver(provider);
List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
keyInfoProvider.add(new DSAKeyValueProvider());
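Review bot: `getSignatureKnownKeysTrustEngine(MetadataProvider provider)` now takes the source of trusted keys from the caller, but nothing validates the argument and the method has no Javadoc, so a null or unintended provider is not caught until signature verification runs against it. Suggest `Objects.requireNonNull(provider, "provider");` as the first statement (with `import java.util.Objects;`), plus a Javadoc stating that the returned engine accepts only signatures whose keys are published in the metadata served by `provider`, since that trust-anchor decision now rests with the caller. The method body continues outside the hunk.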
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
index c9f3e5bcd..f67c475bb 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java
@@ -20,13 +20,12 @@
* The "NOTICE" text file is part of the distribution. Any derivative works
* that you distribute must include a readable copy of the "NOTICE" text file.
*/
-package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
import java.io.IOException;
import java.io.StringWriter;
import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.TransformerFactoryConfigurationError;
@@ -40,7 +39,6 @@ import org.opensaml.xml.XMLObject;
import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils;
import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
-import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.logging.Logger;
@@ -48,14 +46,14 @@ import at.gv.egovernment.moa.logging.Logger;
* @author tlenz
*
*/
-public class MOAeIDASMetadataSignatureFilter implements MetadataFilter {
+public class MOASPMetadataSignatureFilter implements MetadataFilter {
private String trustProfileID = null;
/**
*
*/
- public MOAeIDASMetadataSignatureFilter(String trustProfileID) {
+ public MOASPMetadataSignatureFilter(String trustProfileID) {
this.trustProfileID = trustProfileID;
}
@@ -87,20 +85,20 @@ public class MOAeIDASMetadataSignatureFilter implements MetadataFilter {
//check signature-verification result
if (result.getSignatureCheckCode() != 0) {
- Logger.warn("eIDAS Metadata signature-verification FAILED!"
+ Logger.warn("Metadata signature-verification FAILED!"
+ " Metadata: " + entityDes.getEntityID()
+ " StatusCode:" + result.getSignatureCheckCode());
- throw new FilterException("eIDAS Metadata signature-verification FAILED!"
+ throw new FilterException("Metadata signature-verification FAILED!"
+ " Metadata: " + entityDes.getEntityID()
+ " StatusCode:" + result.getSignatureCheckCode());
}
if (result.getCertificateCheckCode() != 0) {
- Logger.warn("eIDAS Metadata certificate-verification FAILED!"
+ Logger.warn("Metadata certificate-verification FAILED!"
+ " Metadata: " + entityDes.getEntityID()
+ " StatusCode:" + result.getCertificateCheckCode());
- throw new FilterException("eIDAS Metadata certificate-verification FAILED!"
+ throw new FilterException("Metadata certificate-verification FAILED!"
+ " Metadata: " + entityDes.getEntityID()
+ " StatusCode:" + result.getCertificateCheckCode());
@@ -108,22 +106,22 @@ public class MOAeIDASMetadataSignatureFilter implements MetadataFilter {
} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) {
- Logger.error("eIDAS Metadata verification has an interal error.", e);
- throw new FilterException("eIDAS Metadata verification has an interal error."
+ Logger.error("Metadata verification has an interal error.", e);
+ throw new FilterException("Metadata verification has an interal error."
+ " Message:" + e.getMessage());
}
} else {
- Logger.warn("eIDAS Metadata root-element MUST be signed.");
- throw new FilterException("eIDAS Metadata root-element MUST be signed.'");
+ Logger.warn("Metadata root-element MUST be signed.");
+ throw new FilterException("Metadata root-element MUST be signed.'");
}
} else {
- Logger.warn("eIDAS Metadata root-element is not of type 'EntityDescriptor'");
- throw new FilterException("eIDAS Metadata root-element is not of type 'EntityDescriptor'");
+ Logger.warn("Metadata root-element is not of type 'EntityDescriptor'");
+ throw new FilterException("Metadata root-element is not of type 'EntityDescriptor'");
}
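Review bot: The rewritten `FilterException` message in the signed-root-element branch keeps a stray trailing apostrophe, `"Metadata root-element MUST be signed.'"`, which should read `"Metadata root-element MUST be signed."`; the companion `Logger.warn` line does not have it, so the two messages now differ. `"Metadata verification has an interal error."` in the catch branch (both the log and the exception text) should be `internal`. The enclosing method starts and ends outside the hunk.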
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
index 1aca587c9..69fe0ee6a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
@@ -22,16 +22,13 @@
*/
package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
-import org.opensaml.saml2.metadata.provider.FilterException;
-import org.opensaml.saml2.metadata.provider.MetadataFilter;
-import org.opensaml.xml.XMLObject;
-
import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
import org.opensaml.common.xml.SAMLSchemaBuilder;
-
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.xml.XMLObject;
import org.xml.sax.SAXException;
import at.gv.egovernment.moa.id.config.ConfigurationException;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java
index cfdb4426b..c190ad779 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java
@@ -53,9 +53,8 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.EncryptedData;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.RequestImpl;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
-import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.id.util.SessionEncrytionUtil;
@@ -95,9 +94,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
Date now = new Date();
dbsession.setCreated(now);
dbsession.setUpdated(now);
-
- dbsession.setPendingRequestID(target.getRequestID());
-
+
//set additional session informations
AuthenticationSessionExtensions sessionExt = new AuthenticationSessionExtensions();
sessionExt.setUniqueSessionId(target.getUniqueSessionIdentifier());
@@ -443,6 +440,10 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
}
+ //set additional information for AttributeQuery
+ activeOA.setAttQueryContainerID(protocolRequest.getGenericData(
+ PVPTargetConfiguration.DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID, String.class));
+
List<OASessionStore> activeOAs = dbsession.getActiveOAsessions();
activeOAs.add(activeOA);
dbsession.setActiveOAsessions(activeOAs);
@@ -461,7 +462,6 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
dbsession.setSSOSession(true);
dbsession.setSSOsessionid(SSOSessionID);
dbsession.setAuthenticated(false);
- dbsession.setPendingRequestID("empty");
//Store MOASession
session.saveOrUpdate(dbsession);
@@ -751,7 +751,8 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
}
}
- public void createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException {
+ @Override
+ public void addFederatedSessionInformation(IRequest req, String idpEntityID, AssertionAttributeExtractor extractor) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException {
AuthenticatedSessionStore dbsession = null;
Date now = new Date();
@@ -766,23 +767,27 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
throw e;
}
}
+
+ dbsession.setUpdated(now);
+ //decrypt MOASession
AuthenticationSession session = decryptSession(dbsession);
- //set Session parameters
- session.setAuthenticated(isAuthenticated);
- dbsession.setAuthenticated(isAuthenticated);
- dbsession.setInterfederatedSSOSession(true);
- dbsession.setUpdated(now);
-
+ //federated Session are never authenticated locally,
+ // because they get always authentication information from federated IDP
+ session.setAuthenticated(false);
+ dbsession.setAuthenticated(false);
+
+ //encrypt MOASession
encryptSession(session, dbsession);
+
+ //mark as federated SSO session
+ dbsession.setInterfederatedSSOSession(true);
//add interfederation information
List<InterfederationSessionStore> idpList = dbsession.getInderfederation();
-
- MOAResponse interfederationResp = req.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, MOAResponse.class);
- String interFedEntityID = interfederationResp.getEntityID();
-
+
+ //check if federated IDP is already stored
InterfederationSessionStore idp = null;
if (idpList == null) {
idpList = new ArrayList<InterfederationSessionStore>();
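Review bot: `addFederatedSessionInformation` relies on `idpEntityID` and `extractor` being non-null (the interface Javadoc in this commit promises "never null"), yet neither is checked before `idp.setIdpurlprefix(idpEntityID)` and `extractor.getSessionIndex()` use them in the later hunks, so a null either ends up stored in the federation entry or surfaces as a NullPointerException after the in-memory session has already been modified. Suggest `Objects.requireNonNull(idpEntityID, "idpEntityID"); Objects.requireNonNull(extractor, "extractor");` as the first statements of the method (needs `import java.util.Objects;`). The comment `//federated Session are never authenticated locally,` could read `// federated sessions are never authenticated locally:` for grammar. The signature is in the hunk above and the body continues past this hunk.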
@@ -791,7 +796,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
} else {
for (InterfederationSessionStore el : idpList) {
//resue old entry if interfederation IDP is reused for authentication
- if (el.getIdpurlprefix().equals(interFedEntityID))
+ if (el.getIdpurlprefix().equals(idpEntityID))
idp = el;
}
@@ -801,7 +806,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
if (idp == null) {
idp = new InterfederationSessionStore();
idp.setCreated(now);
- idp.setIdpurlprefix(interFedEntityID);
+ idp.setIdpurlprefix(idpEntityID);
idp.setAuthURL(req.getAuthURL());
OAAuthParameter oa = authConfig.getOnlineApplicationParameter(idp.getIdpurlprefix());
@@ -809,12 +814,11 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
idp.setMoasession(dbsession);
idpList.add(idp);
- }
- AssertionAttributeExtractor extract = new AssertionAttributeExtractor(interfederationResp.getResponse());
- idp.setSessionIndex(extract.getSessionIndex());
- idp.setUserNameID(extract.getNameID());
+ }
+ idp.setSessionIndex(extractor.getSessionIndex());
+ idp.setUserNameID(extractor.getNameID());
idp.setAttributesRequested(false);
- idp.setQAALevel(extract.getQAALevel());
+ idp.setQAALevel(extractor.getQAALevel());
//store AssertionStore element to Database
try {
@@ -1024,4 +1028,5 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt
throw e;
}
}
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java
index 2fd540a67..aaa54fbb9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java
@@ -36,6 +36,7 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
import at.gv.egovernment.moa.id.moduls.IRequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
/**
* @author tlenz
@@ -238,16 +239,16 @@ public interface IAuthenticationSessionStoreage {
/**
- * Create a MOASession from interfederation information
+ * Add information of the federated IDP to MOASession
*
- * @param req Pending request
- * @param isAuthenticated true if the session should be marked as authenticated, otherwise false
+ * @param req Pending request of the service-provider request, never null
+ * @param idpEntityID The SAML2 EntityID of the federated IDP, never null
+ * @param extractor <code>AssertionAttributeExtractor</code> which holds the SAML2 response of the federated IDP, never null
* @throws MOADatabaseException
* @throws AssertionAttributeExtractorExeption
* @throws BuildException
*/
- @Deprecated
- public void createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException;
+ public void addFederatedSessionInformation(IRequest req, String idpEntityID, AssertionAttributeExtractor extractor) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException;
/**
* Search an active federation IDP which could be used for federated Single Sign-On by using an AttributeQuery
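Review bot: The rewritten Javadoc for `addFederatedSessionInformation` leaves all three `@throws` tags without text, so a reader cannot tell which failure each one signals. Suggest adding a clause to each, e.g. `@throws MOADatabaseException if the MOASession can not be loaded or stored`, with the other two worded to match what the implementation in `DBAuthenticationSessionStoreage` actually raises.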
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 50d01ce2f..a94b90931 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -112,6 +112,8 @@ service.07=Der SZR-Gateway ist unter {0} nicht erreichbar.
service.08=Die Eintragung der ausländischen Person am SZR-Gateway ist fehlgeschlagen.
service.09=Der SZR-Gateway Client konnte nicht initialisiert werden.
+service.10=Die Verwendung des Service {0} ist nicht m\u00f6glich. Ursache: {1}
+
cleaner.00=AuthenticationSessionCleaner wurde gestartet
cleaner.01=Fehler im AuthenticationSessionCleaner
cleaner.02=Abgelaufene MOASession {0} wurde aus dem Speicher entfernt
@@ -272,12 +274,15 @@ pvp2.23={0} ist keine gueltige AssertionConsumerServiceURL oder entspricht nicht
##add status codes!!!!
-sp.pvp2.00=Can not build PVP AuthnRequest for IDP {0}. No valid SingleSignOnService endpoint found.
-sp.pvp2.01=Can not build PVP AuthnRequest for IDP {0}. IDP is not allowed for federated authentication.
-sp.pvp2.02=Can not build PVP AuthnRequest for IDP {0}. IDP has no (valid) metadata.
-sp.pvp2.03=Receive PVP Response from IDP with unsupported Binding.
-sp.pvp2.04=Receive invalid PVP Response from IDP. No PVP metadata found.
-sp.pvp2.04=Receive invalid PVP Response from IDP {0}. StatusCode {1}.
+sp.pvp2.00=Can not build PVP AuthnRequest for {0} {1}. No valid SingleSignOnService endpoint found.
+sp.pvp2.01=Can not build PVP AuthnRequest for {0} {0}. IDP is not allowed for federated authentication.
+sp.pvp2.02=Can not build PVP AuthnRequest for {0} {0}. IDP has no (valid) metadata.
+sp.pvp2.03=Receive PVP Response from {0} with unsupported Binding.
+sp.pvp2.04=Receive invalid PVP Response from {0}. No PVP metadata found.
+sp.pvp2.05=Receive invalid PVP Response from {0} {1}. StatusCode {2}.
+sp.pvp2.06=Receive invalid PVP Response from {0}. Assertion does not contain all required attributes.
+sp.pvp2.07=Receive invalid PVP Response from {0}. Attribute {1} is not valid.
+sp.pvp2.08=Receive invalid PVP Response from {0}. Response issuer {1} is not valid or allowed.
oauth20.01=Fehlerhafte redirect url
oauth20.02=Fehlender oder ung\u00FCltiger Parameter "{0}"
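Review bot: `sp.pvp2.01` and `sp.pvp2.02` use `{0} {0}` instead of `{0} {1}`, so the IDP EntityID that callers now pass as the second argument (`CreateAuthnRequestTask` passes `new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, idpEntityID}`) is never printed and the module name appears twice. The corrected lines are `sp.pvp2.01=Can not build PVP AuthnRequest for {0} {1}. IDP is not allowed for federated authentication.` and `sp.pvp2.02=Can not build PVP AuthnRequest for {0} {1}. IDP has no (valid) metadata.`. Dropping the EntityID makes the message useless when investigating which federated IDP was rejected. The duplicated `sp.pvp2.04` key of the old side is correctly split into `04`/`05` here.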
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index 0b00b2d29..4e36e2cbf 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -90,6 +90,21 @@ service.07=4200
service.08=4201
service.09=9007
+service.10=TODO
+
+process.01=TODO
+process.02=TODO
+
+sp.pvp2.00=TODO
+sp.pvp2.01=TODO
+sp.pvp2.02=TODO
+sp.pvp2.03=TODO
+sp.pvp2.04=TODO
+sp.pvp2.05=TODO
+sp.pvp2.06=TODO
+sp.pvp2.07=TODO
+sp.pvp2.08=TODO
+
validator.00=1102
validator.01=1102
validator.02=1102
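Review bot: The new `service.10`, `process.*` and `sp.pvp2.*` entries map error keys to the literal string `TODO` in a file whose other values are numeric status codes (`service.09=9007`, `validator.*=1102`), which appears to be the table used to select the code returned to a service provider. If the lookup result is parsed as a number, the first federated-authentication error will fail inside the error handling itself; if it is passed through, a service provider receives `TODO` as its status code. Assign the numeric codes now, or map the new keys to the existing generic code used elsewhere in this file until specific ones are decided.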
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java
index 6d43bcdc6..125d83d6d 100644
--- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java
@@ -22,6 +22,8 @@
*/
package at.gv.egovernment.moa.id.module.test;
+import java.util.Collection;
+
import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.moduls.IRequest;
@@ -247,6 +249,15 @@ public class TestRequestImpl implements IRequest {
// TODO Auto-generated method stub
}
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.moduls.IRequest#getRequestedAttributes()
+ */
+ @Override
+ public Collection<String> getRequestedAttributes() {
+ // TODO Auto-generated method stub
+ return null;
+ }
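Review bot: The stub `getRequestedAttributes()` returns `null` for a `Collection<String>` return type, so any code under test that iterates the result fails with an NPE instead of behaving as "no attributes requested". Returning `Collections.emptyList()` (with a `java.util.Collections` import) keeps the stub usable and follows the convention of never returning a null collection; the `// TODO Auto-generated method stub` line can then go. The class continues outside this hunk.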
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java
index af5950c98..a8cc1928e 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java
@@ -38,7 +38,6 @@ import javax.persistence.Lob;
import javax.persistence.NamedQueries;
import javax.persistence.NamedQuery;
import javax.persistence.OneToMany;
-import javax.persistence.PrePersist;
import javax.persistence.PreUpdate;
import javax.persistence.Table;
import javax.persistence.Temporal;
@@ -130,46 +129,115 @@ public class AuthenticatedSessionStore implements Serializable{
this.id = id;
}
+ /**
+ * Get the internal ID of this MOASession
+ *
+ * @return moaSessionID, but never null
+ */
public String getSessionid() {
return sessionid;
+
}
+ /**
+ * Set the internal ID of this MOASession.
+ *
+ * @param sessionid The internal ID of this MOASession, but never null
+ **/
public void setSessionid(String sessionid) {
this.sessionid = sessionid;
}
+ /**
+ * Get the Single Sign-On SessionID of this MOASession
+ *
+ * @return SSO SessionID
+ */
public String getSSOsessionid() {
return SSOsessionid;
}
+ /**
+ * Set the Single Sign-On SessionID for this MOASession
+ *
+ * @param sSOsessionid SSO SessionID
+ */
public void setSSOsessionid(String sSOsessionid) {
SSOsessionid = sSOsessionid;
}
+ /**
+ * Get the serialized (and encrypted) AuthenticatedData DAO, which contains the user
+ * identification and authentication information.
+ *
+ * @return serialized (and encryped) authenticationData, but never null
+ */
public byte[] getSession() {
return authSession;
}
+ /**
+ * Set the AuthenticationData DAO, as serialized (and encrypted) blob.<br><br>
+ *
+ * <strong>This method should only be used, since MOASesion is not authenticated
+ * <code>this.isAuthenticated() == false</code>. If the MOASession is already authenticated,
+ * the corresponding user authentication data should not be changed any more.</strong>
+ *
+ * @param session the serialized (and encryped) authenticationData
+ */
public void setSession(byte[] session) {
this.authSession = session;
}
+ /**
+ * Indicates this MOASession is already authenticated. <br><br>
+ *
+ * A authenticated MOASession contains all information, which are
+ * needed build protocol specific authentication information.
+ * Therefore, a user has already performed a full identification and
+ * authentication process.
+ *
+ * @return true, if this MOASession is authenticated, otherwise false
+ */
public boolean isAuthenticated() {
return isAuthenticated;
}
+ /**
+ * Mark a MOASession as authenticated. <br><br>
+ *
+ * A MOASession had to be marked as authenticated, if the user
+ * identification and authentication process is completed.
+ *
+ * @param isAuthenticated
+ */
public void setAuthenticated(boolean isAuthenticated) {
this.isAuthenticated = isAuthenticated;
}
+ /**
+ * Indicates this MOASession as a Single Sign-On session
+ *
+ * @return true if it is a SSO session, otherwise false
+ */
public boolean isSSOSession() {
return isSSOSession;
}
+ /**
+ * Mark this MOASession as a Single Sign-On session
+ *
+ * @param isSSOSession true, if this MOASession is a SSO session, otherwise false
+ */
public void setSSOSession(boolean isSSOSession) {
this.isSSOSession = isSSOSession;
}
+ /**
+ * Get a timestamp when this MOASession was created
+ *
+ * @return timestamp
+ */
public Date getCreated() {
return created;
}
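Review bot: The Javadoc on `setSession` is the only guard against overwriting the authentication data of an already authenticated session, and its wording is garbled ("should only be used, since MOASesion is not authenticated"). Suggested text: `This method should only be used while the MOASession is not yet authenticated (this.isAuthenticated() == false). Once the session is authenticated, the user authentication data must not be replaced.` If that rule is meant to hold, consider enforcing it in the setter with `if (isAuthenticated) throw new IllegalStateException("authentication data of an authenticated MOASession must not be changed");` rather than relying on the comment, unless a caller legitimately re-serializes the blob after authentication — the callers are not visible here. The "(and encrypted)" qualifier on `getSession`/`setSession` is only supported by the `iv` accessors below; keep it only if every writer actually encrypts.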
@@ -178,6 +246,11 @@ public class AuthenticatedSessionStore implements Serializable{
this.created = created;
}
+ /**
+ * Get a timestamp, when this MOASession was updated last time
+ *
+ * @return timestamp
+ */
public Date getUpdated() {
return updated;
}
@@ -186,6 +259,12 @@ public class AuthenticatedSessionStore implements Serializable{
this.updated = updated;
}
+ /**
+ * Get a List of Service Providers, which has received a authentication information by using
+ * Single Sign-On
+ *
+ * @return
+ */
public List<OASessionStore> getActiveOAsessions() {
return activeOAsessions;
}
@@ -198,6 +277,12 @@ public class AuthenticatedSessionStore implements Serializable{
this.activeOAsessions = activeOAsessions;
}
+ /**
+ * Get a List of old Single Sign-On SessionIDs, which are already used for this MOASession.
+ * Every SSO SessionID can only be used once.
+ *
+ * @return
+ */
public List<OldSSOSessionIDStore> getOldssosessionids() {
return oldssosessionids;
}
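Review bot: The `@return` tag on `getOldssosessionids()` is empty, although this list is the replay guard the comment describes ("Every SSO SessionID can only be used once"). Spell out what callers get, e.g. `@return list of SSO SessionIDs already consumed for this MOASession; presumably empty or null when none were stored — confirm against the field initialization`, since the field declaration is not visible in this hunk.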
@@ -207,6 +292,8 @@ public class AuthenticatedSessionStore implements Serializable{
}
/**
+ * Get a List of federated IDPs which are already used in this Session
+ *
* @return the inderfederation
*/
public List<InterfederationSessionStore> getInderfederation() {
@@ -221,20 +308,8 @@ public class AuthenticatedSessionStore implements Serializable{
}
/**
- * @return the pendingRequestID
- */
- public String getPendingRequestID() {
- return pendingRequestID;
- }
-
- /**
- * @param pendingRequestID the pendingRequestID to set
- */
- public void setPendingRequestID(String pendingRequestID) {
- this.pendingRequestID = pendingRequestID;
- }
-
- /**
+ * Get the initial vector for AuthenticationData encryption
+ *
* @return the iv
*/
public byte[] getIv() {
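Review bot: "initial vector" should read "initialization vector (IV)", and the doc should state the property the cipher needs rather than just naming the field: `@return the initialization vector (IV) used to encrypt authSession; a fresh IV must be used whenever the session blob is re-encrypted`. The cipher mode is not visible here, so confirm that wording against the encryption helper. The `pendingRequestID` getter and setter are removed without a visible change to the field or column; if the entity still declares it, the removal should be matched there, otherwise the column stays in the schema with no way to read it.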
@@ -242,6 +317,8 @@ public class AuthenticatedSessionStore implements Serializable{
}
/**
+ * Set the inital vector for AuthenticationData encryption
+ *
* @param iv the iv to set
*/
public void setIv(byte[] iv) {
@@ -249,14 +326,18 @@ public class AuthenticatedSessionStore implements Serializable{
}
/**
- * @return the isInterfederatedSSOSession
+ * Indicates this MOASession as an federated session
+ *
+ * @return true if it is a federated session, otherwise false
*/
public boolean isInterfederatedSSOSession() {
return isInterfederatedSSOSession;
}
/**
- * @param isInterfederatedSSOSession the isInterfederatedSSOSession to set
+ * Mark this MOASession as an federated session
+ *
+ * @param isInterfederatedSSOSession true, if this MOASession is a federated session
*/
public void setInterfederatedSSOSession(boolean isInterfederatedSSOSession) {
this.isInterfederatedSSOSession = isInterfederatedSSOSession;
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java
index 8b720e901..bead2f593 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java
@@ -71,6 +71,9 @@ public class OASessionStore implements Serializable{
@Column(name = "attributequeryused", unique=false, nullable=false)
private boolean attributeQueryUsed = false;
+ @Column(name = "attQueryContainerID", unique=false, nullable=true)
+ private String attQueryContainerID = null;
+
@Column(name = "created", updatable=false, nullable=false)
// @Temporal(TemporalType.TIMESTAMP)
private Date created;
@@ -200,6 +203,21 @@ public class OASessionStore implements Serializable{
this.authURL = authURL;
}
+ /**
+ * @return the attQueryContainerID
+ */
+ public String getAttQueryContainerID() {
+ return attQueryContainerID;
+ }
+
+ /**
+ * @param attQueryContainerID the attQueryContainerID to set
+ */
+ public void setAttQueryContainerID(String attQueryContainerID) {
+ this.attQueryContainerID = attQueryContainerID;
+ }
+
+
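Review bot: The new `attQueryContainerID` accessors carry only auto-generated Javadoc; the name suggests a reference to a stored attribute-query container, but nothing states what that container is, who creates it, or when the ID becomes stale. Suggested getter doc: `@return the ID of the container that stores the AttributeQuery information of this service-provider session, or null if no AttributeQuery was used` — confirm the null case against the neighbouring `attributeQueryUsed` flag. The class continues outside this hunk.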
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
index 965abcde1..55504dcb0 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -34,6 +34,7 @@ import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing;
import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter;
import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -178,7 +179,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
//add Metadata filters
MetadataFilterChain filter = new MetadataFilterChain();
- filter.addFilter(new MOAeIDASMetadataSignatureFilter(
+ filter.addFilter(new MOASPMetadataSignatureFilter(
authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE)));
httpProvider.setMetadataFilter(filter);
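Review bot: Swapping `MOAeIDASMetadataSignatureFilter` for the generic `MOASPMetadataSignatureFilter` is a trust-boundary change, since eIDAS node metadata is only as trustworthy as this filter makes it. Please confirm the new filter keeps the previous behaviour of rejecting unsigned or unverifiable metadata (fail closed) and validates against the trust store named by `CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE` rather than a PVP default. If `getBasicMOAIDConfiguration(...)` returns null for a missing property, the filter should fail at construction time with a clear configuration error rather than at first verification; the filter's constructor is not visible here.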
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java
index 935cefdf9..f682913e6 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java
@@ -22,6 +22,12 @@ package at.gv.egovernment.moa.id.auth.modules.elgamandates;
* that you distribute must include a readable copy of the "NOTICE" text file.
*/
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
/**
* @author tlenz
@@ -29,13 +35,24 @@ package at.gv.egovernment.moa.id.auth.modules.elgamandates;
*/
public class ELGAMandatesAuthConstants {
+ public static final String MODULE_NAME_FOR_LOGGING = "ELGA Mandate-Service";
+
public static final int METADATA_VALIDUNTIL_IN_HOURS = 24;
+ //Service endpoint definitions
public static final String ENDPOINT_POST = "/sp/elga_mandate/post";
public static final String ENDPOINT_REDIRECT = "/sp/elga_mandate/redirect";
public static final String ENDPOINT_METADATA = "/sp/elga_mandate/metadata";
- public static final String CONFIG_PROPS_PREFIX = "modules.elga_mandate.";
+ //configuration properties
+ public static final String CONFIG_PROPS_PREFIX = "modules.elga_mandate.";
+
+ public static final String CONFIG_PROPS_SUBJECTNAMEID_TARGET = CONFIG_PROPS_PREFIX + "nameID.target";
+
+ public static final String CONFIG_PROPS_ENTITYID = CONFIG_PROPS_PREFIX + "service.entityID";
+ public static final String CONFIG_PROPS_METADATAURL = CONFIG_PROPS_PREFIX + "service.metadataurl";
+ public static final String CONFIG_PROPS_METADATA_TRUSTPROFILE = CONFIG_PROPS_PREFIX + "service.metadata.trustprofileID";
+
public static final String CONFIG_PROPS_KEYSTORE = CONFIG_PROPS_PREFIX + "keystore.path";
public static final String CONFIG_PROPS_KEYSTOREPASSWORD = CONFIG_PROPS_PREFIX + "keystore.password";
public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.password";
@@ -45,7 +62,42 @@ public class ELGAMandatesAuthConstants {
public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password";
public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias";
+
+ /**
+ *
+ * Get required PVP attributes
+ * First : PVP attribute name (OID)
+ * Second: FriendlyName
+ *
+ */
+ public static final List<Pair<String, String>> REQUIRED_PVP_ATTRIBUTES =
+ Collections.unmodifiableList(new ArrayList<Pair<String, String>>() {
+ private static final long serialVersionUID = 1L;
+ {
+ //request mandate type
+ add(Pair.newInstance(PVPConstants.MANDATE_TYPE_NAME, PVPConstants.MANDATE_TYPE_FRIENDLY_NAME));
+
+ //request attributes for natural mandators
+ add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_BPK_NAME, PVPConstants.MANDATE_NAT_PER_BPK_FRIENDLY_NAME));
+ add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME, PVPConstants.MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME));
+ add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME, PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME));
+ add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME, PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME));
+
+ //request reference_value
+ add(Pair.newInstance(PVPConstants.MANDATE_REFERENCE_VALUE_NAME, PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME));
+ }
+ });
+
+
public static final String CONFIG_DEFAULT_QAA_STORK_LEVEL = "http://www.stork.gov.eu/1.0/citizenQAALevel/4";
public static final String CONFIG_DEFAULT_QAA_SECCLASS_LEVEL = "http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3";
+
+ public static List<String> getRequiredAttributeNames() {
+ List<String> list = new ArrayList<String>();
+ for (Pair<String, String> el : REQUIRED_PVP_ATTRIBUTES)
+ list.add(el.getFirst());
+ return list;
+ }
+
}
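Review bot: `REQUIRED_PVP_ATTRIBUTES` is built with double-brace initialization, which creates an anonymous `ArrayList` subclass (hence the `serialVersionUID` workaround) that drags the enclosing class into its type and trips Error Prone/SpotBugs; `Collections.unmodifiableList(Arrays.asList(...))` gives the same immutable list without the subclass. `getRequiredAttributeNames()` then only needs the loop it already has; the `java.util.Arrays` import must be added in the import hunk above. Note that the list makes the natural-person mandator bPK, birthdate and names required, so any ELGA response without all of them will be rejected by whichever code consumes this list — intended, but worth a one-line comment.
```java
public static final List<Pair<String, String>> REQUIRED_PVP_ATTRIBUTES =
    Collections.unmodifiableList(Arrays.asList(
        //request mandate type
        Pair.newInstance(PVPConstants.MANDATE_TYPE_NAME, PVPConstants.MANDATE_TYPE_FRIENDLY_NAME),
        //request attributes for natural mandators
        Pair.newInstance(PVPConstants.MANDATE_NAT_PER_BPK_NAME, PVPConstants.MANDATE_NAT_PER_BPK_FRIENDLY_NAME),
        Pair.newInstance(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME, PVPConstants.MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME),
        Pair.newInstance(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME, PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME),
        Pair.newInstance(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME, PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME),
        //request reference_value
        Pair.newInstance(PVPConstants.MANDATE_REFERENCE_VALUE_NAME, PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME)));
// … unchanged: CONFIG_DEFAULT_QAA_* constants and getRequiredAttributeNames() …
```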
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
index 1c0071c4a..b648e4d27 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
@@ -16,6 +16,11 @@
<pd:Task id="prepareGetMISMandate" class="PrepareGetMISMandateTask" />
<pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" />
<pd:Task id="getForeignID" class="GetForeignIDTask" async="true" />
+
+ <!-- ELGA Mandate-Service Tasks -->
+ <pd:Task id="requestELGAMandateTask" class="RequestELGAMandateTask" />
+ <pd:Task id="receiveElgaMandateResponseTask" class="ReceiveElgaMandateResponseTask" async="true"/>
+
<!-- Process is triggered either by GenerateIFrameTemplateServlet (upon bku selection) or by AuthenticationManager (upon legacy authentication start using legacy parameters. -->
<pd:StartEvent id="start" />
@@ -39,11 +44,15 @@
<pd:Transition from="verifyCertificate" to="getForeignID" />
<pd:Transition from="verifyAuthBlock" to="prepareGetMISMandate" conditionExpression="ctx['useMandate']" />
+ <pd:Transition from="verifyAuthBlock" to="requestELGAMandateTask" conditionExpression="ctx['useELGAMandate']" />
<pd:Transition from="verifyAuthBlock" to="finalizeAuthentication" />
-
- <pd:Transition from="prepareGetMISMandate" to="getMISMandate" />
+ <pd:Transition from="requestELGAMandateTask" to="receiveElgaMandateResponseTask" />
+ <pd:Transition from="receiveElgaMandateResponseTask" to="finalizeAuthentication" />
+
+ <pd:Transition from="prepareGetMISMandate" to="getMISMandate" />
<pd:Transition from="getMISMandate" to="finalizeAuthentication" />
+
<pd:Transition from="getForeignID" to="finalizeAuthentication" />
<pd:Transition from="finalizeAuthentication" to="end" />
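Review bot: The three transitions out of `verifyAuthBlock` are listed MIS first, ELGA second, default last, so if the engine takes the first matching transition (please confirm), a context with both `useMandate` and `useELGAMandate` set silently follows the MIS path and the ELGA mandate request never happens. If the two flags are mutually exclusive, enforce that where they are set; otherwise make the precedence explicit, e.g. `conditionExpression="ctx['useMandate'] and not ctx['useELGAMandate']"` on the first transition, and document it in the comment block. `receiveElgaMandateResponseTask` is `async`, i.e. it resumes on an inbound response, so the task must bind that response to the pending request that issued it (InResponseTo / relay state) to keep a response from being replayed into another session; that check lives in the task class, not in this file.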
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml
index 89f1edd06..6e567a42c 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml
@@ -14,23 +14,25 @@
<property name="priority" value="1" />
</bean>
- <bean id="FederatedAuthCredentialProvider"
- class="at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider"/>
+ <bean id="ELGAMandate_MetadataProvider"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateServiceMetadataProvider"/>
- <bean id="FederatedAuthMetadataController"
- class="at.gv.egovernment.moa.id.auth.modules.federatedauth.controller.FederatedAuthMetadataController"/>
-
- <bean id="FederatedAuthSignalController"
- class="at.gv.egovernment.moa.id.auth.modules.federatedauth.controller.FederatedAuthSignalController"/>
+ <bean id="ELGAMandatesCredentialProvider"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider"/>
+ <bean id="ELGAMandateMetadataController"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.controller.ELGAMandateMetadataController"/>
+
+ <bean id="ELGAMandateSignalController"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.controller.ELGAMandateSignalController"/>
<!-- Federated Authentication Process Tasks -->
- <bean id="CreateFederatedAuthnRequestTask"
- class="at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks.CreateAuthnRequestTask"
+ <bean id="RequestELGAMandateTask"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks.RequestELGAMandateTask"
scope="prototype"/>
- <bean id="ReceiveFederatedAuthnResponseTask"
- class="at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks.ReceiveAuthnResponseTask"
+ <bean id="ReceiveElgaMandateResponseTask"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks.ReceiveElgaMandateResponseTask"
scope="prototype"/>
</beans> \ No newline at end of file
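Review bot: The comment `<!-- Federated Authentication Process Tasks -->` is left over from the module this file was copied from and now labels the ELGA tasks; it should read `<!-- ELGA Mandate-Service Process Tasks -->`. Also confirm that the removed `FederatedAuthCredentialProvider`, `FederatedAuthMetadataController` and `FederatedAuthSignalController` bean definitions exist in the federated-authentication module's own beans file, since this hunk is the only place in view that defined them.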
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
index 1f9d9e3a0..21fe4e5fa 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
@@ -33,6 +33,7 @@ import com.google.gson.JsonPrimitive;
import at.gv.egovernment.moa.id.auth.stork.STORKConstants;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.protocols.builder.attributes.BPKAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.builder.attributes.EIDAuthBlock;
import at.gv.egovernment.moa.id.protocols.builder.attributes.EIDCcsURL;
@@ -59,7 +60,6 @@ import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateProfRepDescA
import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateProfRepOIDAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateReferenceValueAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateTypeAttributeBuilder;
-import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
import at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20AuthRequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
index 33d057fe9..518a694b0 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -38,13 +38,13 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.data.SLOInformationImpl;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.id.moduls.IRequest;
import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject;
-import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder;
import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OpenIdExpirationTimeAttribute;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java
index e2f851132..1f7f27617 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java
@@ -28,6 +28,8 @@ package at.gv.egovernment.moa.id.auth.modules.federatedauth;
*/
public class FederatedAuthConstants {
+ public static final String MODULE_NAME_FOR_LOGGING = "federated IDP";
+
public static final int METADATA_VALIDUNTIL_IN_HOURS = 24;
public static final String ENDPOINT_POST = "/sp/federated/post";
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java
index 29b6ea18b..0f2c85350 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java
@@ -278,4 +278,13 @@ public class FederatedAuthMetadataConfiguration implements IPVPMetadataBuilderCo
}
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#getSPNameForLogging()
+ */
+ @Override
+ public String getSPNameForLogging() {
+ return FederatedAuthConstants.MODULE_NAME_FOR_LOGGING;
+ }
+
}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
index eca5c7649..4ae162f5a 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
@@ -27,6 +27,7 @@ import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.xml.security.credential.Credential;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation;
/**
@@ -157,5 +158,22 @@ public class FederatedAuthnRequestBuilderConfiguration implements IPVPAuthnReque
return null;
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSPNameForLogging()
+ */
+ @Override
+ public String getSPNameForLogging() {
+ return FederatedAuthConstants.MODULE_NAME_FOR_LOGGING;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDFormat()
+ */
+ @Override
+ public String getSubjectNameIDFormat() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
}
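Review bot: `getSubjectNameIDFormat()` returns `null` with an auto-generated TODO, so it is unclear whether no `NameIDPolicy` Format should be requested from the federated IDP or whether this is unfinished work. The NameID format decides which identifier the IDP returns, and the ELGA module shows it is configurable (`CONFIG_PROPS_SUBJECTNAMEID_TARGET`), so either wire a configuration value here or replace the TODO with `// no explicit NameIDPolicy format is requested; the IDP applies its default` so the intent is recorded. The class continues outside this hunk.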
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java
index 2e134713b..06664af45 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java
@@ -89,7 +89,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {
Logger.debug("isInderfederationIDP:" + String.valueOf(idpConfig.isInderfederationIDP())
+ " isInboundSSOAllowed:" + String.valueOf(idpConfig.isInboundSSOInterfederationAllowed()));
- handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.01", new Object[]{idpEntityID});
+ handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.01", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, idpEntityID});
return;
@@ -102,7 +102,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {
Logger.warn("Requested IDP " + idpEntityID
+ " has no valid metadata or metadata is not found");
- handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.02", new Object[]{idpEntityID});
+ handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.02", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, idpEntityID});
return;
}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
index 49f9782ae..d87109244 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
@@ -23,14 +23,21 @@
package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks;
import java.io.IOException;
+import java.util.Collection;
+import java.util.List;
+import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.TransformerException;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.ws.message.decoder.MessageDecodingException;
+import org.opensaml.ws.soap.common.SOAPException;
+import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
@@ -38,25 +45,39 @@ import org.springframework.stereotype.Component;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
+import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.FederatedAuthenticatenContainer;
import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnResponseValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
+import at.gv.egovernment.moa.id.storage.ITransactionStorage;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -67,9 +88,12 @@ import at.gv.egovernment.moa.util.MiscUtil;
@Component("ReceiveFederatedAuthnResponseTask")
public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
- @Autowired SAMLVerificationEngine samlVerificationEngine;
- @Autowired FederatedAuthCredentialProvider credentialProvider;
- @Autowired SSOManager ssoManager;
+ @Autowired private SAMLVerificationEngine samlVerificationEngine;
+ @Autowired private FederatedAuthCredentialProvider credentialProvider;
+ @Autowired private SSOManager ssoManager;
+ @Autowired private AttributQueryBuilder attributQueryBuilder;
+ @Autowired private ITransactionStorage transactionStorage;
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
@@ -94,21 +118,21 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
} else {
Logger.warn("Receive PVP Response, but Binding ("
+ request.getMethod() + ") is not supported.");
- throw new AuthnResponseValidationException("sp.pvp2.03", null);
+ throw new AuthnResponseValidationException("sp.pvp2.03", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
}
//decode PVP response object
- msg = (InboundMessage) decoder.decode(request, response, true);
+ msg = (InboundMessage) decoder.decode(request, response, MOAMetadataProvider.getInstance(), true);
if (MiscUtil.isEmpty(msg.getEntityID())) {
- throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {});
+ throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
}
//validate response signature
if(!msg.isVerified()) {
- samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine());
+ samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance()));
msg.setVerified(true);
}
@@ -118,12 +142,77 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
//validate assertion
MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg);
- //store valid assertion into pending-request
- pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg);
+ //load IDP and SP configuration
+ IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID());
+ IOAAuthParameters spConfig = pendingReq.getOnlineApplicationConfiguration();
+
+ //check if response Entity is valid
+ if (!idpConfig.isInderfederationIDP()) {
+ Logger.warn("Response Issuer is not a federated IDP. Stopping federated authentication ...");
+ throw new AuthnResponseValidationException("sp.pvp2.08",
+ new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING,
+ msg.getEntityID()});
+
+ }
- //update MOASession with federation information
- authenticatedSessionStorage.createInterfederatedSession(pendingReq, true);
+ //load MOASession from database
+ defaultTaskInitialization(request, executionContext);
+ //initialize Attribute extractor
+ AssertionAttributeExtractor extractor =
+ new AssertionAttributeExtractor((Response) processedMsg.getResponse());
+
+ //check if SP is also a federated IDP
+ if (spConfig.isInderfederationIDP()) {
+ //SP is a federated IDP --> answer only with nameID and wait for attribute-Query
+ pendingReq.setGenericDataToSession(
+ PVPTargetConfiguration.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, true);
+ pendingReq.setGenericDataToSession(
+ PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, extractor.getNameID());
+ pendingReq.setGenericDataToSession(
+ PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, extractor.getQAALevel());
+
+ //build data-container for AttributeQuery
+ FederatedAuthenticatenContainer container = new FederatedAuthenticatenContainer();
+ container.setIdpEntityID(idpConfig.getPublicURLPrefix());
+ container.setUserNameID(extractor.getNameID());
+ container.setUserQAALevel(extractor.getQAALevel());
+
+ if (idpConfig.isInterfederationSSOStorageAllowed()) {
+ //open SSO session and store IDP as federated IDP
+ container.setMoaSessionID(moasession.getSessionID());
+
+ //store federatedIDP to MOASession
+ authenticatedSessionStorage.
+ addFederatedSessionInformation(pendingReq,
+ idpConfig.getPublicURLPrefix(), extractor);
+
+ }
+
+ //store container into transaction storage
+ transactionStorage.put(container.getId(), container);
+
+ //store container ID to pending-request
+ pendingReq.setGenericDataToSession(
+ PVPTargetConfiguration.DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID,
+ container.getId());
+
+ } else {
+ //SP is real Service-Provider --> check attributes in response
+ // and start Attribute-Query if required
+
+ //get authenticationData and store it into MOASession
+ getAuthDataFromInterfederation(extractor, pendingReq.getOnlineApplicationConfiguration(),
+ idpConfig);
+
+ //update MOASession
+ authenticatedSessionStorage.storeSession(moasession);
+
+ }
+
+ //store valid assertion into pending-request
+ pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg);
+
//store pending-request
requestStoreage.storePendingRequest(pendingReq);
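Review bot: `authConfig.getOnlineApplicationParameter(msg.getEntityID())` on the line that loads `idpConfig` is keyed by an issuer taken from the inbound response, and when no configuration exists for that entity ID the lookup presumably returns null, so the following `idpConfig.isInderfederationIDP()` check would fail with a NullPointerException instead of the intended `sp.pvp2.08` rejection. Guarding the null case keeps an unknown issuer on the same rejection path: `if (idpConfig == null || !idpConfig.isInderfederationIDP()) {`. The same `idpConfig` is later handed to `getAuthDataFromInterfederation`, which dereferences it unconditionally. The enclosing `execute` method continues outside the hunk.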
@@ -165,6 +254,104 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
}
+ private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig,
+ IOAAuthParameters idpConfig) throws BuildException, ConfigurationException{
+
+ try {
+ Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... ");
+ Collection<String> requestedAttr = pendingReq.getRequestedAttributes();
+
+ //check if SAML2 Assertion contains a minimal set of attributes
+ if (!extractor.containsAllRequiredAttributes()) {
+ Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");
+ //collect attributes by using BackChannel communication
+ String endpoint = idpConfig.getIDPAttributQueryServiceURL();
+ if (MiscUtil.isEmpty(endpoint)) {
+ Logger.error("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix());
+ throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix(), null);
+
+ }
+
+ //build attributQuery request
+ List<Attribute> attributs =
+ attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator());
+ AttributeQuery query =
+ attributQueryBuilder.buildAttributQueryRequest(extractor.getNameID(), endpoint, attributs);
+
+ //build SOAP request
+ List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
+
+ if (xmlObjects.size() == 0) {
+ Logger.error("Receive emptry AttributeQuery response-body.");
+ throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null);
+
+ }
+
+ if (xmlObjects.get(0) instanceof Response) {
+ Response intfResp = (Response) xmlObjects.get(0);
+
+ //validate PVP 2.1 response
+ try {
+ samlVerificationEngine.verifyIDPResponse(intfResp,
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(
+ MOAMetadataProvider.getInstance()));
+
+ //create assertion attribute extractor from AttributeQuery response
+ extractor = new AssertionAttributeExtractor(intfResp);
+
+ } catch (Exception e) {
+ Logger.warn("PVP 2.1 assertion validation FAILED.", e);
+ throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e);
+ }
+
+ } else {
+ Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
+ throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null);
+
+ }
+
+ } else {
+ Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. ");
+
+ }
+
+ //check if all attributes are include
+ if (!extractor.containsAllRequiredAttributes(
+ pendingReq.getRequestedAttributes())) {
+ Logger.warn("PVP Response from federated IDP contains not all requested attributes.");
+ throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
+
+ }
+
+ //copy attributes into MOASession
+ Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();
+ for (String el : includedAttrNames) {
+ moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el));
+ Logger.debug("Add PVP-attribute " + el + " into MOASession");
+
+ }
+
+ } catch (SOAPException e) {
+ throw new BuildException("builder.06", null, e);
+
+ } catch (SecurityException e) {
+ throw new BuildException("builder.06", null, e);
+
+ } catch (AttributQueryException e) {
+ throw new BuildException("builder.06", null, e);
+
+ } catch (SessionDataStorageException e) {
+ throw new BuildException("builder.06", null, e);
+
+ } catch (AssertionValidationExeption e) {
+ throw new BuildException("builder.06", null, e);
+
+ } catch (AssertionAttributeExtractorExeption e) {
+ throw new BuildException("builder.06", null, e);
+
+ }
+ }
+
/**
* @param executionContext
* @param idpConfig
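Review bot: The copy loop near the end of `getAuthDataFromInterfederation` (`for (String el : includedAttrNames)`) writes every attribute present in the federated IDP's assertion into the MOASession under its attribute name, not only those the SP requested, so the IDP can populate session keys nothing in this request asked for; unless the session is meant to carry the IDP's full attribute set, filter on the `requestedAttr` collection already computed at the top of the method, e.g. `if (!requestedAttr.contains(el)) { continue; }`. That same collection is re-fetched through `pendingReq.getRequestedAttributes()` in the `containsAllRequiredAttributes(...)` check a few lines earlier; reusing `requestedAttr` there keeps the two reads from drifting apart. The six catch clauses that all rethrow `new BuildException("builder.06", null, e)` could collapse into one multi-catch if the project builds on Java 7 or later.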
@@ -215,8 +402,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
} else {
Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue()
+ " from federated IDP.");
- throw new AuthnResponseValidationException("sp.pvp2.04",
- new Object[]{samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()});
+ throw new AuthnResponseValidationException("sp.pvp2.05",
+ new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()});
}
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
index e85f8ce6b..64c0a0c8e 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
@@ -81,8 +81,6 @@ public class SAML1RequestImpl extends RequestImpl {
reqAttr.add(PVPConstants.MANDATE_FULL_MANDATE_NAME);
}
- //return attributQueryBuilder.buildSAML2AttributeList(this.getOnlineApplicationConfiguration(), reqAttr.iterator());
-
return reqAttr;
}