aboutsummaryrefslogtreecommitdiff
path: root/id/server
diff options
context:
space:
mode:
Diffstat (limited to 'id/server')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java24
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java20
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java10
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java53
-rw-r--r--id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java30
6 files changed, 109 insertions, 30 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index c638c6324..eab7c511e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -11,9 +11,11 @@ import java.io.InputStream;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
+import java.net.URL;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.cert.CertificateException;
+import java.text.SimpleDateFormat;
import java.util.ArrayList;
//import java.security.cert.CertificateFactory;
import java.util.Calendar;
@@ -1846,6 +1848,17 @@ public class AuthenticationServer implements MOAIDAuthConstants {
//send
moasession.setStorkAuthnRequest(authnRequest);
+ // do PEPS-conform logging for easier evaluation
+ try {
+ // 2015-03-12 16:44:27.144#S-PEPS receives request from SP#spurl#spepsurl#spapp#spdomain#citizen country#qaa#msghash#msg_id id1#
+ Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS receives request from SP#" +
+ moasession.getPublicOAURLPrefix() + "#" + issuerValue + "#" + spApplication + "#" +
+ new URL(moasession.getPublicOAURLPrefix()).getHost() + "#" + moasession.getCcc() + "#" + oaParam.getQaaLevel() +
+ "#_hash_#" + moasession.getProcessInstanceId() + "#");
+ } catch (Exception e1) {
+ Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+ }
+
AuthenticationSessionStoreage.changeSessionID(moasession, authnRequest.getSamlId());
@@ -1878,6 +1891,17 @@ public class AuthenticationServer implements MOAIDAuthConstants {
}
Logger.info("STORK AuthnRequest successfully successfully prepared for client with target location: " + authnRequest.getDestination());
+
+ // do PEPS-conform logging for easier evaluation
+ try {
+ // 2015-03-12 16:44:27.144#S-PEPS generates request to C-PEPS#spepsurl#cpepsurl#spapp#spdomain#citizen country#qaa#msghash#msg_id id1#id2#
+ Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS generates request to C-PEPS#" +
+ issuerValue + "#" + destination + "#" + spApplication + "#" +
+ new URL(moasession.getPublicOAURLPrefix()).getHost() + "#" + moasession.getCcc() + "#" + oaParam.getQaaLevel() +
+ "#_hash_#" + moasession.getProcessInstanceId() + "#" + authnRequest.getSamlId() + "#");
+ } catch (Exception e1) {
+ Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+ }
}
private static String generateDssSignRequest(String text, String mimeType, String citizenCountry) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 82e079459..cd751ce7f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -906,7 +906,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
} catch (Exception e) {
- Logger.error("Failed to extract country code from certificate", e);
+ Logger.error("Failed to extract country code from certificate with message: " + e.getMessage());
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
index 7357818c8..24daa76a3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
@@ -28,8 +28,10 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
import java.net.URL;
+import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Date;
import java.util.List;
import java.util.Properties;
@@ -201,6 +203,15 @@ public class PEPSConnectorServlet extends AuthServlet {
Logger.debug("STORK response: ");
Logger.debug(authnResponse.toString());
+ // do PEPS-conform logging for easier evaluation
+ try {
+ // 2015-03-12 16:44:27.144#S-PEPS receives response from C-PEPS#orig_msg_id id2 (in response to)#orig_msg_id id1 (in response to)#status#msghash#msg_id id3#
+ Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS receives response from C-PEPS#" +
+ authnResponse.getInResponseTo() + "#NA#" + authnResponse.getMessage() + "#_hash_#" + authnResponse.getSamlId() + "#");
+ } catch (Exception e1) {
+ Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+ }
+
Logger.debug("Trying to find MOA Session-ID ...");
//String moaSessionID = request.getParameter(PARAM_SESSIONID);
//first use SAML2 relayState
@@ -554,6 +565,15 @@ public class PEPSConnectorServlet extends AuthServlet {
// stork did the authentication step
moaSession.setAuthenticated(true);
+ // do PEPS-conform logging for easier evaluation
+ try {
+ // 2015-03-12 16:44:27.144#S-PEPS generates response to SP#orig_msg_id id1 (in response to)#status#msghash#msg_id id4#
+ Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS generates response to SP#" +
+ "#NA#" + authnResponse.getMessage() + "#_hash_#" + moaSession.getProcessInstanceId() + "#");
+ } catch (Exception e1) {
+ Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+ }
+
// //TODO: found better solution, but QAA Level in response could be not supported yet
// try {
//
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index c746c0888..d33a9ea92 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -1042,6 +1042,16 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
return null;
}
+ /**
+ * Gets the countries for which it is configured to require no signature
+ *
+ * @return the stork no signature countries
+ */
+ public List<String> getStorkNoSignatureCountries() {
+ String prop = props.getProperty("stork.fakeIdL.noSignatureCountries", "");
+ return Arrays.asList(prop.replaceAll(" ", "").split(","));
+ }
+
public boolean isMonitoringActive() {
String prop = props.getProperty("configuration.monitoring.active", "false");
return Boolean.valueOf(prop);
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java
index be6d7d01e..13d680b78 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java
@@ -44,14 +44,13 @@ import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
-import org.apache.log4j.Logger;
+import at.gv.egovernment.moa.logging.Logger;
public class ValidationHelper {
public static final String PUBLICSERVICE_URL_POSTFIX = ".gv.at";
- private static final Logger log = Logger.getLogger(ValidationHelper.class);
private static final String TEMPLATE_DATEFORMAT = "dd.MM.yyyy";
@@ -68,7 +67,7 @@ public class ValidationHelper {
host = host.substring(0, host.length()-1);
if (url.getHost().endsWith(PUBLICSERVICE_URL_POSTFIX)) {
- log.debug("PublicURLPrefix with .gv.at Domain found.");
+ Logger.debug("PublicURLPrefix with .gv.at Domain found.");
return true;
} else {
@@ -95,7 +94,7 @@ public class ValidationHelper {
return false;
} else {
- log.info("Found correct X509 Extension in server certificate. PublicService is allowed");
+ Logger.info("Found correct X509 Extension in server certificate. PublicService is allowed");
return true;
}
}
@@ -104,27 +103,27 @@ public class ValidationHelper {
}
} catch (MalformedURLException e) {
- log.warn("PublicURLPrefix can not parsed to URL", e);
+ Logger.warn("PublicURLPrefix can not parsed to URL", e);
return false;
} catch (UnknownHostException e) {
- log.warn("Can not connect to PublicURLPrefix Server", e);
+ Logger.warn("Can not connect to PublicURLPrefix Server", e);
return false;
} catch (IOException e) {
- log.warn("Can not connect to PublicURLPrefix Server", e);
+ Logger.warn("Can not connect to PublicURLPrefix Server", e);
return false;
} catch (CertificateEncodingException e) {
- log.warn("Can not parse X509 server certificate", e);
+ Logger.warn("Can not parse X509 server certificate", e);
return false;
} catch (CertificateException e) {
- log.warn("Can not read X509 server certificate", e);
+ Logger.warn("Can not read X509 server certificate", e);
return false;
} catch (X509ExtensionInitException e) {
- log.warn("Can not read X509 server certificate extension", e);
+ Logger.warn("Can not read X509 server certificate extension", e);
return false;
}
@@ -133,7 +132,7 @@ public class ValidationHelper {
try {
socket.close();
} catch (IOException e) {
- log.warn("SSL Socket can not be closed.", e);
+ Logger.warn("SSL Socket can not be closed.", e);
}
}
}
@@ -148,7 +147,7 @@ public class ValidationHelper {
return true;
} catch (Throwable t) {
- log.warn("No valid DataBase OAID received! " + oaIDObj);
+ Logger.warn("No valid DataBase OAID received! " + oaIDObj);
}
}
return false;
@@ -156,7 +155,7 @@ public class ValidationHelper {
public static boolean validateNumber(String value) {
- log.debug("Validate Number " + value);
+ Logger.debug("Validate Number " + value);
try {
Float.valueOf(value);
@@ -171,7 +170,7 @@ public class ValidationHelper {
}
public static boolean validatePhoneNumber(String value) {
- log.debug ("Validate PhoneNumber " + value);
+ Logger.debug ("Validate PhoneNumber " + value);
/* ************************************************************************************************
* Legende:
@@ -187,11 +186,11 @@ public class ValidationHelper {
Matcher matcher = pattern.matcher(value);
boolean b = matcher.matches();
if (b) {
- log.debug("Parameter PhoneNumber erfolgreich ueberprueft");
+ Logger.debug("Parameter PhoneNumber erfolgreich ueberprueft");
return true;
}
else {
- log.error("Fehler Ueberpruefung Parameter PhoneNumber. PhoneNumber entspricht nicht den Kriterien ^ [a-zA-Z .,;:/\\-]* [ ]* [(]{0,1}[ ]*[+]{0,1}[ ]*[0-9]{0,2}[ ]*[)]{0,1} [ ]* [0-9]*[ ]*[/\\-]{0,1} [ ]*[ ]* [0-9]* [ ]* [a-zA-Z .,;:\\/-]* $");
+ Logger.error("Fehler Ueberpruefung Parameter PhoneNumber. PhoneNumber entspricht nicht den Kriterien ^ [a-zA-Z .,;:/\\-]* [ ]* [(]{0,1}[ ]*[+]{0,1}[ ]*[0-9]{0,2}[ ]*[)]{0,1} [ ]* [0-9]*[ ]*[/\\-]{0,1} [ ]*[ ]* [0-9]* [ ]* [a-zA-Z .,;:\\/-]* $");
return false;
}
@@ -200,7 +199,7 @@ public class ValidationHelper {
public static boolean validateURL(String urlString) {
- log.debug("Validate URL " + urlString);
+ Logger.debug("Validate URL " + urlString);
if (urlString.startsWith("http") || urlString.startsWith("https")) {
try {
@@ -216,7 +215,7 @@ public class ValidationHelper {
// public static boolean validateGeneralURL(String urlString) {
//
-// log.debug("Validate URL " + urlString);
+// Logger.debug("Validate URL " + urlString);
//
// try {
// new URL(urlString);
@@ -231,17 +230,17 @@ public class ValidationHelper {
public static boolean isValidAdminTarget(String target) {
- log.debug("Ueberpruefe Parameter Target");
+ Logger.debug("Ueberpruefe Parameter Target");
Pattern pattern = Pattern.compile("[a-zA-Z-]{1,5}");
Matcher matcher = pattern.matcher(target);
boolean b = matcher.matches();
if (b) {
- log.debug("Parameter SSO-Target erfolgreich ueberprueft. SSO Target is PublicService.");
+ Logger.debug("Parameter SSO-Target erfolgreich ueberprueft. SSO Target is PublicService.");
return true;
}
else {
- log.info("Parameter SSO-Target entspricht nicht den Kriterien " +
+ Logger.info("Parameter SSO-Target entspricht nicht den Kriterien " +
"(nur Zeichen a-z, A-Z und -, sowie 1-5 Zeichen lang) fuer den oeffentlichen Bereich. " +
"Valiere SSO-Target fuer privatwirtschaftliche Bereiche.");
return false;
@@ -250,14 +249,14 @@ public class ValidationHelper {
public static boolean isValidTarget(String target) {
- log.debug("Ueberpruefe Parameter Target");
+ Logger.debug("Ueberpruefe Parameter Target");
if (TargetValidator.isValidTarget(target)) {
- log.debug("Parameter Target erfolgreich ueberprueft");
+ Logger.debug("Parameter Target erfolgreich ueberprueft");
return true;
}
else {
- log.error("Fehler Ueberpruefung Parameter Target. Target entspricht nicht den Kriterien (nur Zeichen a-z, A-Z und -, sowie 1-5 Zeichen lang)");
+ Logger.error("Fehler Ueberpruefung Parameter Target. Target entspricht nicht den Kriterien (nur Zeichen a-z, A-Z und -, sowie 1-5 Zeichen lang)");
return false;
}
@@ -265,17 +264,17 @@ public class ValidationHelper {
public static boolean isValidSourceID(String sourceID) {
- log.debug("Ueberpruefe Parameter sourceID");
+ Logger.debug("Ueberpruefe Parameter sourceID");
Pattern pattern = Pattern.compile("[\\w-_]{1,20}");
Matcher matcher = pattern.matcher(sourceID);
boolean b = matcher.matches();
if (b) {
- log.debug("Parameter sourceID erfolgreich ueberprueft");
+ Logger.debug("Parameter sourceID erfolgreich ueberprueft");
return true;
}
else {
- log.error("Fehler Ueberpruefung Parameter sourceID. SourceID entspricht nicht den Kriterien (nur Zeichen a-z, A-Z, - und _, sowie 1-20 Zeichen lang)");
+ Logger.error("Fehler Ueberpruefung Parameter sourceID. SourceID entspricht nicht den Kriterien (nur Zeichen a-z, A-Z, - und _, sowie 1-20 Zeichen lang)");
return false;
}
}
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
index 59f54f957..6e0bd19ff 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -6,8 +6,10 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
import java.net.URL;
+import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Date;
import java.util.List;
import java.util.Properties;
@@ -28,6 +30,7 @@ import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.opensaml.saml2.core.StatusCode;
+import org.springframework.format.datetime.DateFormatter;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -170,6 +173,15 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
Logger.debug("STORK response: ");
Logger.debug(authnResponse.toString());
+ // do PEPS-conform logging for easier evaluation
+ try {
+ // 2015-03-12 16:44:27.144#S-PEPS receives response from C-PEPS#orig_msg_id id2 (in response to)#orig_msg_id id1 (in response to)#status#msghash#msg_id id3#
+ Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS receives response from C-PEPS#" +
+ authnResponse.getInResponseTo() + "#NA#" + authnResponse.getMessage() + "#_hash_#" + authnResponse.getSamlId() + "#");
+ } catch (Exception e1) {
+ Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+ }
+
Logger.debug("Trying to find MOA Session-ID ...");
// String moaSessionID = request.getParameter(PARAM_SESSIONID);
// first use SAML2 relayState
@@ -315,9 +327,13 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
// ////////////////////////////////////////////////////////////////////////
+ AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
+ String citizenSignature = null;
+ if(config.isStorkFakeIdLActive() && config.getStorkNoSignatureCountries().contains(storkAuthnRequest.getCitizenCountryCode()) && config.getStorkFakeIdLCountries().contains(storkAuthnRequest.getCitizenCountryCode())) {
+ Logger.debug("signedDoc extraction skipped due to configuration");
+ } else {
Logger.debug("Starting extraction of signedDoc attribute");
// extract signed doc element and citizen signature
- String citizenSignature = null;
try {
if (authnResponse.getPersonalAttributeList().get("signedDoc") == null
@@ -398,6 +414,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
Logger.error("Could not extract citizen signature from C-PEPS", e);
throw new MOAIDException("stork.09", null);
}
+ }
Logger.debug("Foregin Citizen signature successfully extracted from STORK Assertion (signedDoc)");
Logger.debug("Citizen signature will be verified by SZR Gateway!");
@@ -430,7 +447,6 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
IdentityLink identityLink = null;
executionContext.put("identityLinkAvailable", false);
try {
- AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
if(config.isStorkFakeIdLActive() && config.getStorkFakeIdLCountries().contains(storkAuthnRequest.getCitizenCountryCode())) {
// create fake IdL
// - fetch IdL template from resources
@@ -467,6 +483,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
if(!STORKResponseProcessor.hasAttribute("dateOfBirth", attributeList))
throw new STORKException("dateOfBirth is missing");
String dateOfBirth = STORKResponseProcessor.getAttributeValue("dateOfBirth", attributeList, false);
+ dateOfBirth = new SimpleDateFormat("yyyy-MM-dd").format(new SimpleDateFormat("yyyyMMdd").parse(dateOfBirth));
prDateOfBirth.getFirstChild().setNodeValue(dateOfBirth);
identityLink = new IdentityLinkAssertionParser(idlassertion).parseIdentityLink();
@@ -549,6 +566,15 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
// stork did the authentication step
moaSession.setAuthenticated(true);
+ // do PEPS-conform logging for easier evaluation
+ try {
+ // 2015-03-12 16:44:27.144#S-PEPS generates response to SP#orig_msg_id id1 (in response to)#status#msghash#msg_id id4#
+ Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS generates response to SP#" +
+ "#" + moaSession.getProcessInstanceId() + "#" + authnResponse.getMessage() + "#_hash_#" + moaSession.getProcessInstanceId() + "#");
+ } catch (Exception e1) {
+ Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+ }
+
// TODO: found better solution, but QAA Level in STORK response is not be supported yet
// try {
//