Diffstat (limited to 'id')
27 files changed, 125 insertions, 674 deletions
diff --git a/id/history.txt b/id/history.txt
index c0b12dd1c..8d1495e30 100644
--- a/id/history.txt
+++ b/id/history.txt
@@ -8,6 +8,7 @@ Version MOA-ID Release 3.3.0: Änderungen seit Version MOA-ID 3.2.3
 - Anpassungen des BKU Auswahl(OnlineBKU entfernt, Detection der lokalen BKU hinzugefügt)
- Anpassungen der Konfigurationsoberfläche (OnlineBKU entfernt)
- Bugfix - Problem mit openSAML welches unsignierte SAML2 AuthnRequests bei Redirect Binding ermöglicht
+ - Bugfix - Nicht spezifikationskonforme Validierung PVP2 AuthnRequest bezüglich NameIDPolicy
- Bugfix - Ungültig kodierter PVP2 Attributwert 'MANDATOR-NATURAL-PERSON-BPK'
- Bugfix - Updates an Endpunten um Cross-Site-Scripting (XSS) zu verhindern
- Code-Cleaning von unbenutzen Methoden und Klassen
diff --git a/id/server/data/deploy/conf/moa-id/log4j.properties b/id/server/data/deploy/conf/moa-id/log4j.properties
index f37100a5b..2c3b8a311 100644
--- a/id/server/data/deploy/conf/moa-id/log4j.properties
+++ b/id/server/data/deploy/conf/moa-id/log4j.properties
@@ -2,34 +2,57 @@ org.apache.commons.logging.LogFactory=org.apache.commons.logging.impl.Log4jFactory
 # define log4j root loggers
-log4j.rootLogger=info, stdout
-log4j.logger.at.gv.egovernment.moa=info
-log4j.logger.at.gv.egovernment.moa.spss=info
-log4j.logger.iaik.server=info
-log4j.logger.at.gv.egovernment.moa.id=info,R
-log4j.logger.at.gv.egovernment.moa.id.proxy=info
-log4j.logger.eu.stork=info
-log4j.logger.org.hibernate=warn
+log4j.rootLogger=warn,stdout
+### MOA-ID process log ###
+log4j.logger.at.gv.egovernment.moa.id=info,moaid
+log4j.logger.at.gv.egovernment.moa.spss=info,moaid
+
+### process revision log with event-codes ###
+log4j.logger.at.gv.egiz.eventlog.plain.all=info,reversion
+
+### Signature verification and certificate proofing ####
+log4j.logger.at.gv.egovernment.moa.spss=info,moaspss
+log4j.logger.iaik.server=info,moaspss
+log4j.logger.pki=info,moaspss
+
+### ConfigTool Logs ####
 log4j.logger.at.gv.egiz.components.configuration=info,CONFIGTOOL
-log4j.logger.at.gv.egovernment.moa.id.commons=info,CONFIGTOOL R
+log4j.logger.at.gv.egovernment.moa.id.commons=info,CONFIGTOOL
 log4j.logger.at.gv.egovernment.moa.id.config.webgui=info,CONFIGTOOL
 log4j.logger.at.gv.egovernment.moa.id.configuration=info,CONFIGTOOL
+
+### Log Appender ####
 # configure the stdout appender
 log4j.appender.stdout=org.apache.log4j.ConsoleAppender
 log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
 log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} |%20.20c | %10t | %m%n
-# configure the rolling file appender (R)
-log4j.appender.R=org.apache.log4j.RollingFileAppender
-log4j.appender.R.File=${catalina.base}/logs/moa-id.log
-log4j.appender.R.MaxFileSize=10000KB
-log4j.appender.R.MaxBackupIndex=1
-log4j.appender.R.layout=org.apache.log4j.PatternLayout
-log4j.appender.R.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} | %t | %m%n
+# configure the rolling file appender (moaid)
+log4j.appender.moaid=org.apache.log4j.RollingFileAppender
+log4j.appender.moaid.File=${catalina.base}/logs/moa-id.log
+log4j.appender.moaid.MaxFileSize=10000KB
+log4j.appender.moaid.MaxBackupIndex=1
+log4j.appender.moaid.layout=org.apache.log4j.PatternLayout
+log4j.appender.moaid.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} | %t | %m%n
+
+# configure the rolling file appender (moaid)
+log4j.appender.moaspss=org.apache.log4j.RollingFileAppender
+log4j.appender.moaspss.File=${catalina.base}/logs/moa-spss.log
+log4j.appender.moaspss.MaxFileSize=10000KB
+log4j.appender.moaspss.MaxBackupIndex=1
+log4j.appender.moaspss.layout=org.apache.log4j.PatternLayout
+log4j.appender.moaspss.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} | %t | %m%n
+
+log4j.appender.reversion=org.apache.log4j.RollingFileAppender
+log4j.appender.reversion.File=${catalina.base}/moa-id-reversion.log
+log4j.appender.reversion.MaxFileSize=10000KB
+log4j.appender.reversion.MaxBackupIndex=9999
+log4j.appender.reversion.layout=org.apache.log4j.PatternLayout
+log4j.appender.reversion.layout.ConversionPattern=%5p | %d{ISO8601} | %t | %m%n
-# configure the rolling file appender (R)
+# configure the rolling file appender (configtool)
 log4j.appender.CONFIGTOOL=org.apache.log4j.RollingFileAppender
 log4j.appender.CONFIGTOOL.File=${catalina.base}/logs/moa-id-webgui.log
 log4j.appender.CONFIGTOOL.MaxFileSize=10000KB
diff --git a/id/server/data/deploy/conf/moa-id/moa-id.properties b/id/server/data/deploy/conf/moa-id/moa-id.properties
index 15084b387..4228b0d3a 100644
--- a/id/server/data/deploy/conf/moa-id/moa-id.properties
+++ b/id/server/data/deploy/conf/moa-id/moa-id.properties
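Review bot: `log4j.logger.at.gv.egovernment.moa.spss` is set twice on the new side — first as `info,moaid` under the MOA-ID process log heading, then as `info,moaspss` under the signature-verification heading — and because the configurator reads a java.util.Properties, the last value wins, so the signature-verification output never reaches the moaid file and the first line is dead; either drop it or, if both files should carry it, write `log4j.logger.at.gv.egovernment.moa.spss=info,moaid,moaspss`. The heading above the moaspss appender is a leftover copy, `# configure the rolling file appender (moaid)`, and should read `# configure the rolling file appender (moaspss)`. The reversion appender writes to `${catalina.base}/moa-id-reversion.log` while every other file appender is under `${catalina.base}/logs/`; if the Tomcat root was not intended, the event log should move under `logs/` too so it is rotated and collected with the others. Its layout also omits the `%X{sessionId}`/`%X{transactionId}` columns the other appenders carry, which makes correlating an audit event with the process log harder unless the event-code messages embed those identifiers themselves.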
@@ -43,12 +43,6 @@ service.foreignidentities.acceptedServerCertificates=
 service.foreignidentities.clientKeyStore=keys/....
 service.foreignidentities.clientKeyStorePassword=
-##STORK 2
-stork.fakeIdL.active=false
-stork.fakeIdL.countries=
-stork.fakeIdL.keygroup=
-stork.documentservice.url=
-
 ##Protocol configuration##
 #PVP2
 protocols.pvp2.idp.ks.file=file:$PATH_TO_CONFIG$/conf/moa-id/keys/moa_idp[password].p12
@@ -59,6 +53,7 @@ protocols.pvp2.idp.ks.assertion.sign.alias=pvp_assertion
 protocols.pvp2.idp.ks.assertion.sign.keypassword=password
 protocols.pvp2.idp.ks.assertion.encryption.alias=pvp_assertion
 protocols.pvp2.idp.ks.assertion.encryption.keypassword=password
+protocols.pvp2.metadata.entitycategories.active=false
 #OpenID connect (OAuth)
 protocols.oauth20.jwt.ks.file=file:$PATH_TO_CONFIG$/conf/moa-id/keys/moa_idp[password].p12
diff --git a/id/server/data/deploy/conf/moa-id/oa/BasicOAConfiguration.xml b/id/server/data/deploy/conf/moa-id/oa/BasicOAConfiguration.xml
deleted file mode 100644
index fc99cea79..000000000
--- a/id/server/data/deploy/conf/moa-id/oa/BasicOAConfiguration.xml
+++ /dev/null
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Demokonfiguration fuer eine Online Applikation (OA) welche 401 Basic Authentication zur Uebergabe der Parameter verwendet -->
-<Configuration xmlns="http://www.buergerkarte.at/namespaces/moaconfig#" xmlns:sl10="http://www.buergerkarte.at/namespaces/securitylayer/20020225#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
- <LoginType>stateless</LoginType>
- <BasicAuth>
- <UserID>MOAFamilyName</UserID>
- <Password>MOAGivenName</Password>
- </BasicAuth>
-</Configuration>
diff --git a/id/server/data/deploy/conf/moa-id/oa/HeaderOAConfiguration.xml b/id/server/data/deploy/conf/moa-id/oa/HeaderOAConfiguration.xml
deleted file mode 100644
index 4d34c3646..000000000
--- a/id/server/data/deploy/conf/moa-id/oa/HeaderOAConfiguration.xml
+++ /dev/null
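Review bot: The new key `protocols.pvp2.metadata.entitycategories.active=false` in the second hunk is added without any explanation, although every other group in this template is introduced by a heading such as `##Protocol configuration##` or `#PVP2`, and it sits in the middle of the assertion keystore entries rather than in a metadata group of its own. Add a one-line comment above it that states what setting it to `true` changes in the generated PVP2 metadata and that `false` keeps the current behaviour, so operators editing this sample do not have to read the code to decide. The exact effect of the flag is not visible in this hunk, so the wording has to come from the implementation.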
@@ -1,10 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Demokonfiguration fuer eine Online Applikation (OA) welche Header Authentication zur Uebergabe der Parameter verwendet -->
-<Configuration xmlns="http://www.buergerkarte.at/namespaces/moaconfig#" xmlns:sl10="http://www.buergerkarte.at/namespaces/securitylayer/20020225#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
- <LoginType>stateless</LoginType>
- <HeaderAuth>
- <!-- zusaetzlicher Header GivenName -->
- <Header Name="X-MOAParameterGivenName" Value="MOAGivenName"></Header>
- <Header Name="X-MOAParameterFamilyName" Value="MOAFamilyName"></Header>
- </HeaderAuth>
-</Configuration>
diff --git a/id/server/data/deploy/conf/moa-id/oa/ParamOAConfiguration.xml b/id/server/data/deploy/conf/moa-id/oa/ParamOAConfiguration.xml
deleted file mode 100644
index 979faca95..000000000
--- a/id/server/data/deploy/conf/moa-id/oa/ParamOAConfiguration.xml
+++ /dev/null
@@ -1,10 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Demokonfiguration fuer eine Online Applikation (OA) welche Parameter Authentication verwendet -->
-<Configuration xmlns="http://www.buergerkarte.at/namespaces/moaconfig#" xmlns:sl10="http://www.buergerkarte.at/namespaces/securitylayer/20020225#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
- <LoginType>stateless</LoginType>
- <ParamAuth>
- <!-- URL Parameter GivenName und FamilyName -->
- <Parameter Name="GivenName" Value="MOAGivenName"></Parameter>
- <Parameter Name="FamilyName" Value="MOAFamilyName"></Parameter>
- </ParamAuth>
-</Configuration>
diff --git a/id/server/data/deploy/conf/moa-id/oa/SampleOAConfiguration.xml b/id/server/data/deploy/conf/moa-id/oa/SampleOAConfiguration.xml
deleted file mode 100644
index edbfe7aa5..000000000
--- a/id/server/data/deploy/conf/moa-id/oa/SampleOAConfiguration.xml
+++ /dev/null
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Demokonfiguration fuer Online Applikation (OA) welche 401 Basic Authentication zur Uebergabe der Parameter verwendet -->
-<Configuration xmlns="http://www.buergerkarte.at/namespaces/moaconfig#" xmlns:sl10="http://www.buergerkarte.at/namespaces/securitylayer/20020225#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
- <LoginType>stateless</LoginType>
- <BasicAuth>
- <UserID>MOAFamilyName</UserID>
- <Password>MOAGivenName</Password>
- </BasicAuth>
-</Configuration>
diff --git a/id/server/data/deploy/conf/moa-id/oa/SamplewbPKOAConfiguration.xml b/id/server/data/deploy/conf/moa-id/oa/SamplewbPKOAConfiguration.xml
deleted file mode 100644
index 2cff3bd67..000000000
--- a/id/server/data/deploy/conf/moa-id/oa/SamplewbPKOAConfiguration.xml
+++ /dev/null
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Demokonfiguration fuer eine Online Applikation (OA) welche 401 Basic Authentication zur Uebergabe der Parameter verwendet -->
-<Configuration xmlns="http://www.buergerkarte.at/namespaces/moaconfig#" xmlns:sl10="http://www.buergerkarte.at/namespaces/securitylayer/20020225#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
- <LoginType>stateless</LoginType>
- <BasicAuth>
- <UserID>MOAWBPK</UserID>
- <Password>MOAGivenName</Password>
- </BasicAuth>
-</Configuration>
diff --git a/id/server/data/deploy/conf/moa-id/stork/SamlEngine.xml b/id/server/data/deploy/conf/moa-id/stork/SamlEngine.xml
deleted file mode 100644
index eca38ec8c..000000000
--- a/id/server/data/deploy/conf/moa-id/stork/SamlEngine.xml
+++ /dev/null
@@ -1,70 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<instances>
-
-
- <!-- Configuration name-->
- <instance name="outgoing">
- <!-- Configurations parameters StorkSamlEngine -->
- <configuration name="SamlEngineConf">
- <parameter name="fileConfiguration" value="StorkSamlEngine_outgoing.xml" />
- </configuration>
-
- <!-- Settings module signature-->
- <configuration name="SignatureConf">
- <!-- Specific signature module -->
- <parameter name="class" value="eu.stork.peps.auth.engine.core.impl.SignSW" />
- <!-- Settings specific module -->
- <parameter name="fileConfiguration" value="SignModule_outgoing.xml" />
- </configuration>
- </instance>
-
- <instance name="incoming">
- <!-- Configurations parameters StorkSamlEngine -->
- <configuration name="SamlEngineConf">
- <parameter name="fileConfiguration" value="StorkSamlEngine_incoming.xml" />
- </configuration>
-
- <!-- Settings module signature-->
- <configuration name="SignatureConf">
- <!-- Specific signature module -->
- <parameter name="class" value="eu.stork.peps.auth.engine.core.impl.SignSW" />
- <!-- Settings specific module -->
- <parameter name="fileConfiguration" value="SignModule_incoming.xml" />
- </configuration>
- </instance>
-
-
- <instance name="incoming_attr">
- <!-- Configurations parameters StorkSamlEngine -->
- <configuration name="SamlEngineConf">
- <parameter name="fileConfiguration" value="StorkSamlEngine_incoming_attr.xml" />
- </configuration>
-
- <!-- Settings module signature-->
- <configuration name="SignatureConf">
- <!-- Specific signature module -->
- <parameter name="class" value="eu.stork.peps.auth.engine.core.impl.SignSW" />
- <!-- Settings specific module -->
- <parameter name="fileConfiguration" value="SignModule_incoming_attr.xml" />
- </configuration>
- </instance>
-
-
- <instance name="VIDP">
- <!-- Configurations parameters StorkSamlEngine -->
- <configuration name="SamlEngineConf">
- <parameter name="fileConfiguration" value="StorkSamlEngine_VIDP.xml" />
- </configuration>
-
- <!-- Settings module signature-->
- <configuration name="SignatureConf">
- <!-- Specific signature module -->
- <parameter name="class" value="eu.stork.peps.auth.engine.core.impl.SignSW" />
- <!-- Settings specific module -->
- <parameter name="fileConfiguration" value="SignModule_VIDP.xml" />
- </configuration>
- </instance>
-
-
-
-</instances>
diff --git a/id/server/data/deploy/conf/moa-id/stork/SignModule_incoming.xml b/id/server/data/deploy/conf/moa-id/stork/SignModule_incoming.xml
deleted file mode 100644
index 68b15e667..000000000
--- a/id/server/data/deploy/conf/moa-id/stork/SignModule_incoming.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
-
-<properties>
- <comment>SWModule sign with JKS.</comment>
- <entry key="keystorePath">/home/stork/repos/moa-idspss/id/server/data/deploy/conf/moa-id/stork/storkDemoKeysPT.jks</entry>
- <entry key="keyStorePassword">local-demo</entry>
- <entry key="keyPassword">local-demo</entry>
- <entry key="issuer">CN=local-demo, O=Indra, L=Madrid, ST=Spain, C=ES</entry>
- <entry key="serialNumber">4BA89DB2</entry>
- <entry key="keystoreType">JKS</entry>
-</properties>
diff --git a/id/server/data/deploy/conf/moa-id/stork/SignModule_incoming_attr.xml b/id/server/data/deploy/conf/moa-id/stork/SignModule_incoming_attr.xml
deleted file mode 100644
index 68b15e667..000000000
--- a/id/server/data/deploy/conf/moa-id/stork/SignModule_incoming_attr.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
-
-<properties>
- <comment>SWModule sign with JKS.</comment>
- <entry key="keystorePath">/home/stork/repos/moa-idspss/id/server/data/deploy/conf/moa-id/stork/storkDemoKeysPT.jks</entry>
- <entry key="keyStorePassword">local-demo</entry>
- <entry key="keyPassword">local-demo</entry>
- <entry key="issuer">CN=local-demo, O=Indra, L=Madrid, ST=Spain, C=ES</entry>
- <entry key="serialNumber">4BA89DB2</entry>
- <entry key="keystoreType">JKS</entry>
-</properties>
diff --git a/id/server/data/deploy/conf/moa-id/stork/SignModule_outgoing.xml b/id/server/data/deploy/conf/moa-id/stork/SignModule_outgoing.xml
deleted file mode 100644
index 7139c5a41..000000000
--- a/id/server/data/deploy/conf/moa-id/stork/SignModule_outgoing.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
-
-<properties>
- <comment>SWModule sign with JKS.</comment>
- <entry key="keystorePath">projects/stork2/code/moa-idspss/id/server/stork2-saml-engine/src/test/resources/storkDemoKeys.jks</entry>
- <entry key="keyStorePassword">local-demo</entry>
- <entry key="keyPassword">local-demo</entry>
- <entry key="issuer">CN=local-demo-cert, O=Indra, L=Madrid, ST=Spain, C=ES</entry>
- <entry key="serialNumber">4BA89DB2</entry>
- <entry key="keystoreType">JKS</entry>
-</properties>
\ No newline at end of file
diff --git a/id/server/data/deploy/conf/moa-id/stork/StorkSamlEngine_VIDP.xml b/id/server/data/deploy/conf/moa-id/stork/StorkSamlEngine_VIDP.xml
deleted file mode 100644
index 29973690e..000000000
--- a/id/server/data/deploy/conf/moa-id/stork/StorkSamlEngine_VIDP.xml
+++ /dev/null
@@ -1,127 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd"> - -<properties> - <comment>SAML constants for AuthnRequests and Responses.</comment> - - <!-- - Types of consent obtained from the user for this authentication and - data transfer. - Allow values: 'unspecified'. - --> - <entry key="consentAuthnRequest">unspecified</entry> - - <!-- - Allow values: 'obtained', 'prior', 'current-implicit', 'current-explicit', 'unspecified'. - --> - <entry key="consentAuthnResponse">obtained</entry> - - <!--URI representing the classification of the identifier - Allow values: 'entity'. - --> - <entry key="formatEntity">entity</entry> - - <!--Only HTTP-POST binding is only supported for inter PEPS--> - <!--The SOAP binding is only supported for direct communication between SP-MW and VIdP--> - <entry key="protocolBinding">HTTP-POST</entry> - - <!--URI representing the classification of the identifier - Allow values: 'entity'. - <entry key="eIDSectorShare">true</entry> - <entry key="eIDCrossSectorShare">true</entry> - <entry key="eIDCrossBorderShare">true</entry> - --> - - - <!-- A friendly name for the attribute that can be displayed to a user --> - <entry key="friendlyName">false</entry> - - <!-- A friendly name for the attribute that can be displayed to a user --> - <entry key="isRequired">true</entry> - - <!--PEPS in the Service Provider's country--> - <entry key="requester">https://testvidp.buergerkarte.at/moa-id-auth/stork2/SendPEPSAuthnRequest</entry> - - <!--PEPS in the citizen's origin country--> - <entry key="responder">https://testvidp.buergerkarte.at/moa-id-auth/stork2/SendPEPSAuthnRequest</entry> - - <!--Subject cannot be confirmed on or after this seconds time (positive number)--> - <entry key="timeNotOnOrAfter">600</entry> - - <!--Validation IP of the response--> - <entry key="ipAddrValidation">false</entry> - - <!--One time use--> - <entry key="oneTimeUse">true</entry> - - <!--Subject Attribute 
Definitions--> - <entry key="eIdentifier">http://www.stork.gov.eu/1.0/eIdentifier</entry> - <entry key="givenName">http://www.stork.gov.eu/1.0/givenName</entry> - <entry key="surname">http://www.stork.gov.eu/1.0/surname</entry> - <entry key="inheritedFamilyName">http://www.stork.gov.eu/1.0/inheritedFamilyName</entry> - <entry key="adoptedFamilyName">http://www.stork.gov.eu/1.0/adoptedFamilyName</entry> - <entry key="gender">http://www.stork.gov.eu/1.0/gender</entry> - <entry key="dateOfBirth">http://www.stork.gov.eu/1.0/dateOfBirth</entry> - <entry key="countryCodeOfBirth">http://www.stork.gov.eu/1.0/countryCodeOfBirth</entry> - <entry key="nationalityCode">http://www.stork.gov.eu/1.0/nationalityCode</entry> - <entry key="maritalStatus">http://www.stork.gov.eu/1.0/maritalStatus</entry> - <entry key="residenceAddress">http://www.stork.gov.eu/1.0/residenceAddress</entry> - <entry key="eMail">http://www.stork.gov.eu/1.0/eMail</entry> - <entry key="academicTitle">http://www.stork.gov.eu/1.0/academicTitle</entry> - <entry key="pseudonym">http://www.stork.gov.eu/1.0/pseudonym</entry> - <entry key="age">http://www.stork.gov.eu/1.0/age</entry> - <entry key="isAgeOver">http://www.stork.gov.eu/1.0/isAgeOver</entry> - - <entry key="textResidenceAddress">http://www.stork.gov.eu/1.0/textResidenceAddress</entry> - <entry key="canonicalResidenceAddress">http://www.stork.gov.eu/1.0/canonicalResidenceAddress</entry> - - <entry key="title">http://www.stork.gov.eu/1.0/title</entry> - <entry key="residencePermit">http://www.stork.gov.eu/1.0/residencePermit</entry> - - <entry key="signedDoc">http://www.stork.gov.eu/1.0/signedDoc</entry> - <entry key="citizen509Certificate">http://www.stork.gov.eu/1.0/citizen509Certificate</entry> - - <entry key="newAttribute1">http://www.stork.gov.eu/1.0/newAttribute1</entry> - <entry key="newAttribute2">http://www.stork.gov.eu/1.0/newAttribute2</entry> - <entry key="hasDegree">http://www.stork.gov.eu/1.0/hasDegree</entry> - - - <entry 
key="diplomaSupplement">http://www.stork.gov.eu/1.0/diplomaSupplement</entry> - <entry key="currentStudiesSupplement">http://www.stork.gov.eu/1.0/currentStudiesSupplement</entry> - <entry key="isStudent">http://www.stork.gov.eu/1.0/isStudent</entry> - <entry key="isAcademicStaff">http://www.stork.gov.eu/1.0/isAcademicStaff</entry> - <entry key="isTeacherOf">http://www.stork.gov.eu/1.0/isTeacherOf</entry> - <entry key="isCourseCoordinator">http://www.stork.gov.eu/1.0/isCourseCoordinator</entry> - <entry key="isAdminStaff">http://www.stork.gov.eu/1.0/isAdminStaff</entry> - <entry key="habilitation">http://www.stork.gov.eu/1.0/habilitation</entry> - <entry key="Title">http://www.stork.gov.eu/1.0/Title</entry> - <entry key="hasDegree">http://www.stork.gov.eu/1.0/hasDegree</entry> - <entry key="hasAccountInBank">http://www.stork.gov.eu/1.0/hasAccountInBank</entry> - <entry key="isHealthCareProfessional">http://www.stork.gov.eu/1.0/isHealthCareProfessional</entry> - - <entry key="eLPIdentifier">http://www.stork.gov.eu/1.0/eLPIdentifier</entry> - <entry key="legalName">http://www.stork.gov.eu/1.0/legalName</entry> - <entry key="alternativeName">http://www.stork.gov.eu/1.0/alternativeName</entry> - <entry key="type">http://www.stork.gov.eu/1.0/type</entry> - <entry key="translatableType">http://www.stork.gov.eu/1.0/translatableType</entry> - <entry key="status">http://www.stork.gov.eu/1.0/status</entry> - <entry key="activity">http://www.stork.gov.eu/1.0/activity</entry> - <entry key="registeredAddress">http://www.stork.gov.eu/1.0/registeredAddress</entry> - <entry key="registeredCanonicalAddress">http://www.stork.gov.eu/1.0/registeredCanonicalAddress</entry> - <entry key="contactInformation">http://www.stork.gov.eu/1.0/contactInformation</entry> - <entry key="LPFiscalNumber">http://www.stork.gov.eu/1.0/LPFiscalNumber</entry> - <entry key="mandate">http://www.stork.gov.eu/1.0/mandate</entry> - <entry key="docRequest">http://www.stork.gov.eu/1.0/docRequest</entry> - - 
<entry key="mandateContent">http://www.stork.gov.eu/1.0/mandateContent</entry> - <entry key="representative">http://www.stork.gov.eu/1.0/representative</entry> - <entry key="represented">http://www.stork.gov.eu/1.0/represented</entry> - - <!-- ISA 1.18 attributes--> - <entry key="ECApplicationRole">http://www.stork.gov.eu/1.1/ECApplicationRole</entry> - <entry key="MSOrganization">http://www.stork.gov.eu/1.1/MSOrganization</entry> - - <entry key="citizenQAALevel">http://www.stork.gov.eu/1.0/citizenQAALevel</entry> - - -</properties> diff --git a/id/server/data/deploy/conf/moa-id/stork/StorkSamlEngine_incoming.xml b/id/server/data/deploy/conf/moa-id/stork/StorkSamlEngine_incoming.xml deleted file mode 100644 index a817e29c0..000000000 --- a/id/server/data/deploy/conf/moa-id/stork/StorkSamlEngine_incoming.xml +++ /dev/null 
@@ -1,100 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd"> - -<properties> - <comment>SAML constants for AuthnRequests and Responses.</comment> - - <!-- - Types of consent obtained from the user for this authentication and - data transfer. - Allow values: 'unspecified'. - --> - <entry key="consentAuthnRequest">unspecified</entry> - - <!-- - Allow values: 'obtained', 'prior', 'current-implicit', 'current-explicit', 'unspecified'. - --> - <entry key="consentAuthnResponse">obtained</entry> - - <!--URI representing the classification of the identifier - Allow values: 'entity'. - --> - <entry key="formatEntity">entity</entry> - - <!--Only HTTP-POST binding is only supported for inter PEPS--> - <!--The SOAP binding is only supported for direct communication between SP-MW and VIdP--> - <entry key="protocolBinding">HTTP-POST</entry> - - - - - <!--URI representing the classification of the identifier - Allow values: 'entity'. - <entry key="eIDSectorShare">true</entry> - <entry key="eIDCrossSectorShare">true</entry> - <entry key="eIDCrossBorderShare">true</entry> - --> - - - - <!-- A friendly name for the attribute that can be displayed to a user --> - <entry key="friendlyName">false</entry> - - <!-- A friendly name for the attribute that can be displayed to a user --> - <entry key="isRequired">true</entry> - - <!--PEPS in the Service Provider's country--> - <entry key="requester">http://S-PEPS.gov.xx</entry> - - <!--PEPS in the citizen's origin country--> - <entry key="responder">http://C-PEPS.gov.xx</entry> - - <!--Subject cannot be confirmed on or after this seconds time (positive number)--> - <entry key="timeNotOnOrAfter">300</entry> - - <!--Validation IP of the response--> - <entry key="ipAddrValidation">false</entry> - - - <!--Subject Attribute Definitions--> - <entry key="eIdentifier">http://www.stork.gov.eu/1.0/eIdentifier</entry> - <entry 
key="givenName">http://www.stork.gov.eu/1.0/givenName</entry> - <entry key="surname">http://www.stork.gov.eu/1.0/surname</entry> - <entry key="inheritedFamilyName">http://www.stork.gov.eu/1.0/inheritedFamilyName</entry> - <entry key="adoptedFamilyName">http://www.stork.gov.eu/1.0/adoptedFamilyName</entry> - <entry key="gender">http://www.stork.gov.eu/1.0/gender</entry> - <entry key="dateOfBirth">http://www.stork.gov.eu/1.0/dateOfBirth</entry> - <entry key="countryCodeOfBirth">http://www.stork.gov.eu/1.0/countryCodeOfBirth</entry> - <entry key="nationalityCode">http://www.stork.gov.eu/1.0/nationalityCode</entry> - <entry key="maritalStatus">http://www.stork.gov.eu/1.0/maritalStatus</entry> - <entry key="residenceAddress">http://www.stork.gov.eu/1.0/residenceAddress</entry> - <entry key="eMail">http://www.stork.gov.eu/1.0/eMail</entry> - <entry key="academicTitle">http://www.stork.gov.eu/1.0/academicTitle</entry> - <entry key="pseudonym">http://www.stork.gov.eu/1.0/pseudonym</entry> - <entry key="age">http://www.stork.gov.eu/1.0/age</entry> - <entry key="isAgeOver">http://www.stork.gov.eu/1.0/isAgeOver</entry> - <entry key="fiscalNumber">http://www.stork.gov.eu/1.0/fiscalNumber</entry> - - <entry key="textResidenceAddress">http://www.stork.gov.eu/1.0/textResidenceAddress</entry> - <entry key="canonicalResidenceAddress">http://www.stork.gov.eu/1.0/canonicalResidenceAddress</entry> - - <entry key="title">http://www.stork.gov.eu/1.0/title</entry> - <entry key="residencePermit">http://www.stork.gov.eu/1.0/residencePermit</entry> - - <entry key="signedDoc">http://www.stork.gov.eu/1.0/signedDoc</entry> - <entry key="citizen509Certificate">http://www.stork.gov.eu/1.0/citizen509Certificate</entry> - - <entry key="newAttribute1">http://www.stork.gov.eu/1.0/newAttribute1</entry> - <entry key="newAttribute2">http://www.stork.gov.eu/1.0/newAttribute2</entry> - <entry key="hasDegree">http://www.stork.gov.eu/1.0/hasDegree</entry> - <entry 
key="mandateContent">http://www.stork.gov.eu/1.0/mandateContent</entry> - <entry key="representative">http://www.stork.gov.eu/1.0/representative</entry> - <entry key="represented">http://www.stork.gov.eu/1.0/represented</entry> - - <!-- ISA 1.18 attributes--> - <entry key="ECApplicationRole">http://www.stork.gov.eu/1.1/ECApplicationRole</entry> - <entry key="MSOrganization">http://www.stork.gov.eu/1.1/MSOrganization</entry> - - <entry key="citizenQAALevel">http://www.stork.gov.eu/1.0/citizenQAALevel</entry> - -</properties> diff --git a/id/server/data/deploy/conf/moa-id/stork/StorkSamlEngine_incoming_attr.xml b/id/server/data/deploy/conf/moa-id/stork/StorkSamlEngine_incoming_attr.xml deleted file mode 100644 index 33437c110..000000000 --- a/id/server/data/deploy/conf/moa-id/stork/StorkSamlEngine_incoming_attr.xml +++ /dev/null 
@@ -1,98 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd"> - -<properties> - <comment>SAML constants for AuthnRequests and Responses.</comment> - - <!-- - Types of consent obtained from the user for this authentication and - data transfer. - Allow values: 'unspecified'. - --> - <entry key="consentAuthnRequest">unspecified</entry> - - <!-- - Allow values: 'obtained', 'prior', 'current-implicit', 'current-explicit', 'unspecified'. - --> - <entry key="consentAuthnResponse">obtained</entry> - - <!--URI representing the classification of the identifier - Allow values: 'entity'. - --> - <entry key="formatEntity">entity</entry> - - <!--Only HTTP-POST binding is only supported for inter PEPS--> - <!--The SOAP binding is only supported for direct communication between SP-MW and VIdP--> - <entry key="protocolBinding">HTTP-POST</entry> - - - - - <!--URI representing the classification of the identifier - Allow values: 'entity'. - <entry key="eIDSectorShare">true</entry> - <entry key="eIDCrossSectorShare">true</entry> - <entry key="eIDCrossBorderShare">true</entry> - --> - - - - <!-- A friendly name for the attribute that can be displayed to a user --> - <entry key="friendlyName">false</entry> - - <!-- A friendly name for the attribute that can be displayed to a user --> - <entry key="isRequired">true</entry> - - <!--PEPS in the Service Provider's country--> - <entry key="requester">http://S-PEPS.gov.xx</entry> - - <!--PEPS in the citizen's origin country--> - <entry key="responder">http://C-PEPS.gov.xx</entry> - - <!--Subject cannot be confirmed on or after this seconds time (positive number)--> - <entry key="timeNotOnOrAfter">300</entry> - - <!--Validation IP of the response--> - <entry key="ipAddrValidation">false</entry> - - - <!--Subject Attribute Definitions--> - <entry key="eIdentifier">http://www.stork.gov.eu/1.0/eIdentifier</entry> - <entry 
key="givenName">http://www.stork.gov.eu/1.0/givenName</entry> - <entry key="surname">http://www.stork.gov.eu/1.0/surname</entry> - <entry key="inheritedFamilyName">http://www.stork.gov.eu/1.0/inheritedFamilyName</entry> - <entry key="adoptedFamilyName">http://www.stork.gov.eu/1.0/adoptedFamilyName</entry> - <entry key="gender">http://www.stork.gov.eu/1.0/gender</entry> - <entry key="dateOfBirth">http://www.stork.gov.eu/1.0/dateOfBirth</entry> - <entry key="countryCodeOfBirth">http://www.stork.gov.eu/1.0/countryCodeOfBirth</entry> - <entry key="nationalityCode">http://www.stork.gov.eu/1.0/nationalityCode</entry> - <entry key="maritalStatus">http://www.stork.gov.eu/1.0/maritalStatus</entry> - <entry key="residenceAddress">http://www.stork.gov.eu/1.0/residenceAddress</entry> - <entry key="eMail">http://www.stork.gov.eu/1.0/eMail</entry> - <entry key="academicTitle">http://www.stork.gov.eu/1.0/academicTitle</entry> - <entry key="pseudonym">http://www.stork.gov.eu/1.0/pseudonym</entry> - <entry key="age">http://www.stork.gov.eu/1.0/age</entry> - <entry key="isAgeOver">http://www.stork.gov.eu/1.0/isAgeOver</entry> - <entry key="fiscalNumber">http://www.stork.gov.eu/1.0/fiscalNumber</entry> - - <entry key="textResidenceAddress">http://www.stork.gov.eu/1.0/textResidenceAddress</entry> - <entry key="canonicalResidenceAddress">http://www.stork.gov.eu/1.0/canonicalResidenceAddress</entry> - - <entry key="title">http://www.stork.gov.eu/1.0/title</entry> - <entry key="residencePermit">http://www.stork.gov.eu/1.0/residencePermit</entry> - - <entry key="signedDoc">http://www.stork.gov.eu/1.0/signedDoc</entry> - <entry key="citizen509Certificate">http://www.stork.gov.eu/1.0/citizen509Certificate</entry> - - <entry key="newAttribute1">http://www.stork.gov.eu/1.0/newAttribute1</entry> - <entry key="newAttribute2">http://www.stork.gov.eu/1.0/newAttribute2</entry> - <entry key="hasDegree">http://www.stork.gov.eu/1.0/hasDegree</entry> - <entry 
key="mandateContent">http://www.stork.gov.eu/1.0/mandateContent</entry> - <entry key="representative">http://www.stork.gov.eu/1.0/representative</entry> - <entry key="represented">http://www.stork.gov.eu/1.0/represented</entry> - - <!-- ISA 1.18 attributes--> - <entry key="ECApplicationRole">http://www.stork.gov.eu/1.1/ECApplicationRole</entry> - <entry key="MSOrganization">http://www.stork.gov.eu/1.1/MSOrganization</entry> - -</properties> diff --git a/id/server/data/deploy/conf/moa-id/stork/StorkSamlEngine_outgoing.xml b/id/server/data/deploy/conf/moa-id/stork/StorkSamlEngine_outgoing.xml deleted file mode 100644 index b840b4fe5..000000000 --- a/id/server/data/deploy/conf/moa-id/stork/StorkSamlEngine_outgoing.xml +++ /dev/null 
@@ -1,130 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd"> - -<properties> - <comment>SAML constants for AuthnRequests and Responses.</comment> - - <!-- - Types of consent obtained from the user for this authentication and - data transfer. - Allow values: 'unspecified'. - --> - <entry key="consentAuthnRequest">unspecified</entry> - - <!-- - Allow values: 'obtained', 'prior', 'current-implicit', 'current-explicit', 'unspecified'. - --> - <entry key="consentAuthnResponse">obtained</entry> - - <!--URI representing the classification of the identifier - Allow values: 'entity'. - --> - <entry key="formatEntity">entity</entry> - - <!--Only HTTP-POST binding is only supported for inter PEPS--> - <!--The SOAP binding is only supported for direct communication between SP-MW and VIdP--> - <entry key="protocolBinding">HTTP-POST</entry> - - - - - <!--URI representing the classification of the identifier - Allow values: 'entity'. - <entry key="eIDSectorShare">true</entry> - <entry key="eIDCrossSectorShare">true</entry> - <entry key="eIDCrossBorderShare">true</entry> - --> - - - - <!-- A friendly name for the attribute that can be displayed to a user --> - <entry key="friendlyName">false</entry> - - <!-- A friendly name for the attribute that can be displayed to a user --> - <entry key="isRequired">true</entry> - - <!--PEPS in the Service Provider's country--> - <entry key="requester">http://S-PEPS.gov.xx</entry> - - <!--PEPS in the citizen's origin country--> - <entry key="responder">http://C-PEPS.gov.xx</entry> - - <!--Subject cannot be confirmed on or after this seconds time (positive number)--> - <entry key="timeNotOnOrAfter">300</entry> - - <!--Validation IP of the response--> - <entry key="ipAddrValidation">false</entry> - - - <!--Subject Attribute Definitions--> - <entry key="eIdentifier">http://www.stork.gov.eu/1.0/eIdentifier</entry> - <entry 
key="givenName">http://www.stork.gov.eu/1.0/givenName</entry> - <entry key="surname">http://www.stork.gov.eu/1.0/surname</entry> - <entry key="inheritedFamilyName">http://www.stork.gov.eu/1.0/inheritedFamilyName</entry> - <entry key="adoptedFamilyName">http://www.stork.gov.eu/1.0/adoptedFamilyName</entry> - <entry key="gender">http://www.stork.gov.eu/1.0/gender</entry> - <entry key="dateOfBirth">http://www.stork.gov.eu/1.0/dateOfBirth</entry> - <entry key="countryCodeOfBirth">http://www.stork.gov.eu/1.0/countryCodeOfBirth</entry> - <entry key="nationalityCode">http://www.stork.gov.eu/1.0/nationalityCode</entry> - <entry key="maritalStatus">http://www.stork.gov.eu/1.0/maritalStatus</entry> - <entry key="residenceAddress">http://www.stork.gov.eu/1.0/residenceAddress</entry> - <entry key="eMail">http://www.stork.gov.eu/1.0/eMail</entry> - <entry key="academicTitle">http://www.stork.gov.eu/1.0/academicTitle</entry> - <entry key="pseudonym">http://www.stork.gov.eu/1.0/pseudonym</entry> - <entry key="age">http://www.stork.gov.eu/1.0/age</entry> - <entry key="isAgeOver">http://www.stork.gov.eu/1.0/isAgeOver</entry> - <entry key="fiscalNumber">http://www.stork.gov.eu/1.0/fiscalNumber</entry> - - <entry key="textResidenceAddress">http://www.stork.gov.eu/1.0/textResidenceAddress</entry> - <entry key="canonicalResidenceAddress">http://www.stork.gov.eu/1.0/canonicalResidenceAddress</entry> - - <entry key="title">http://www.stork.gov.eu/1.0/title</entry> - <entry key="residencePermit">http://www.stork.gov.eu/1.0/residencePermit</entry> - - <entry key="signedDoc">http://www.stork.gov.eu/1.0/signedDoc</entry> - <entry key="citizen509Certificate">http://www.stork.gov.eu/1.0/citizen509Certificate</entry> - - <entry key="newAttribute1">http://www.stork.gov.eu/1.0/newAttribute1</entry> - <entry key="newAttribute2">http://www.stork.gov.eu/1.0/newAttribute2</entry> - <entry key="hasDegree">http://www.stork.gov.eu/1.0/hasDegree</entry> - - - <entry 
key="diplomaSupplement">http://www.stork.gov.eu/1.0/diplomaSupplement</entry> - <entry key="currentStudiesSupplement">http://www.stork.gov.eu/1.0/currentStudiesSupplement</entry> - <entry key="isStudent">http://www.stork.gov.eu/1.0/isStudent</entry> - <entry key="isAcademicStaff">http://www.stork.gov.eu/1.0/isAcademicStaff</entry> - <entry key="isTeacherOf">http://www.stork.gov.eu/1.0/isTeacherOf</entry> - <entry key="isCourseCoordinator">http://www.stork.gov.eu/1.0/isCourseCoordinator</entry> - <entry key="isAdminStaff">http://www.stork.gov.eu/1.0/isAdminStaff</entry> - <entry key="habilitation">http://www.stork.gov.eu/1.0/habilitation</entry> - <entry key="Title">http://www.stork.gov.eu/1.0/Title</entry> - <entry key="hasDegree">http://www.stork.gov.eu/1.0/hasDegree</entry> - <entry key="hasAccountInBank">http://www.stork.gov.eu/1.0/hasAccountInBank</entry> - <entry key="isHealthCareProfessional">http://www.stork.gov.eu/1.0/isHealthCareProfessional</entry> - - <entry key="eLPIdentifier">http://www.stork.gov.eu/1.0/eLPIdentifier</entry> - <entry key="legalName">http://www.stork.gov.eu/1.0/legalName</entry> - <entry key="alternativeName">http://www.stork.gov.eu/1.0/alternativeName</entry> - <entry key="type">http://www.stork.gov.eu/1.0/type</entry> - <entry key="translatableType">http://www.stork.gov.eu/1.0/translatableType</entry> - <entry key="status">http://www.stork.gov.eu/1.0/status</entry> - <entry key="activity">http://www.stork.gov.eu/1.0/activity</entry> - <entry key="registeredAddress">http://www.stork.gov.eu/1.0/registeredAddress</entry> - <entry key="registeredCanonicalAddress">http://www.stork.gov.eu/1.0/registeredCanonicalAddress</entry> - <entry key="contactInformation">http://www.stork.gov.eu/1.0/contactInformation</entry> - <entry key="LPFiscalNumber">http://www.stork.gov.eu/1.0/LPFiscalNumber</entry> - <entry key="mandate">http://www.stork.gov.eu/1.0/mandate</entry> - <entry key="docRequest">http://www.stork.gov.eu/1.0/docRequest</entry> - - - 
<entry key="mandateContent">http://www.stork.gov.eu/1.0/mandateContent</entry> - <entry key="representative">http://www.stork.gov.eu/1.0/representative</entry> - <entry key="represented">http://www.stork.gov.eu/1.0/represented</entry> - - <!-- ISA 1.18 attributes--> - <entry key="ECApplicationRole">http://www.stork.gov.eu/1.1/ECApplicationRole</entry> - <entry key="MSOrganization">http://www.stork.gov.eu/1.1/MSOrganization</entry> - - <entry key="citizenQAALevel">http://www.stork.gov.eu/1.0/citizenQAALevel</entry> - -</properties> diff --git a/id/server/data/deploy/conf/moa-id/stork/storkDemoKeysPT.jks b/id/server/data/deploy/conf/moa-id/stork/storkDemoKeysPT.jks Binary files differdeleted file mode 100644 index f9baad202..000000000 --- a/id/server/data/deploy/conf/moa-id/stork/storkDemoKeysPT.jks +++ /dev/null diff --git a/id/server/data/deploy/conf/moa-id/stork/storkDemoKeys_minividp_old.jks b/id/server/data/deploy/conf/moa-id/stork/storkDemoKeys_minividp_old.jks Binary files differdeleted file mode 100644 index efaeac86c..000000000 --- a/id/server/data/deploy/conf/moa-id/stork/storkDemoKeys_minividp_old.jks +++ /dev/null diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html index e6b86204a..1972d2150 100644 --- a/id/server/doc/handbook/config/config.html +++ b/id/server/doc/handbook/config/config.html 
@@ -576,6 +576,11 @@ https://<host>:<port>/moa-id-auth/MonitoringServlet</pre>
 <td>password</td>
 <td>Passwort des Schlüssels mit dem PVP 2.1 Assertion für MOA-ID-Auth als Service Provider durch einen weiteren IDP Verschlüsselt werden sollen (siehe Kapitel <a href="./../interfederation/interfederation.html">Interfederation</a>)</td>
 </tr>
+ <tr>
+ <td>protocols.pvp2.metadata.entitycategories.active</td>
+ <td>true / <strong>false</strong></td>
+ <td>Funktion zum Mappen einer in den Metadaten enthaltenen PVP EntityCategory auf ein Set von PVP Attributen, welche von MOA-ID returniert werden sollen.</td>
+ </tr>
 </table>
 <p> </p>
 <h6><a name="basisconfig_moa_id_auth_param_protocol_openid" id="uebersicht_bekanntmachung11"></a>2.2.2.3.2 OpenID Connect</h6>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
index 332604257..d3e340a90 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
@@ -1311,7 +1311,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
 String value = properties.getProperty(key);
 if (MiscUtil.isNotEmpty(value))
- return Boolean.valueOf(value);
+ return Boolean.valueOf(value.trim());
 return defaultValue;
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 216d7a8b1..cdb85c563 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
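Review bot: `Boolean.valueOf(value.trim())` on the new line still maps every string other than a case-insensitive `true` to `false`, so a mistyped value such as `ture` or `yes` for a switch like `PROP_KEY_SSL_HOSTNAME_VALIDATION` silently yields `false` instead of `defaultValue`. Accept only the two literals and let anything else fall through to the existing `return defaultValue;`, ideally with a warning that names `key`: `String v = value.trim();` and `if ("true".equalsIgnoreCase(v) || "false".equalsIgnoreCase(v)) return Boolean.valueOf(v);`. The enclosing method starts outside the hunk, so its name and whether a logger is in scope there are not visible.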
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -259,6 +259,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
 throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()});
 } catch (MOAIDException e) {
+ String samlRequest = req.getParameter("SAMLRequest");
+ Logger.info("Receive INVALID protocol request: " + samlRequest);
 throw e;
 } catch (Throwable e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 45539da3f..196aa47af 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -373,7 +373,8 @@ public class PVP2AssertionBuilder implements PVPConstants {
 //get NameIDFormat from request
 AuthnRequest authnReq = (AuthnRequestImpl) authnRequest;
- if (authnReq.getNameIDPolicy() != null) {
+ if (authnReq.getNameIDPolicy() != null &&
+ MiscUtil.isNotEmpty(authnReq.getNameIDPolicy().getFormat())) {
 nameIDFormat = authnReq.getNameIDPolicy().getFormat();
 } else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 585aac805..7f6f9b88c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
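Review bot: The added `Logger.info` in the `MOAIDException` branch writes the raw `SAMLRequest` request parameter to the log at info level for every rejected request, with no length bound and no stripping of line breaks; the value is client-supplied, so a single client can inflate the log or, if the value carries CR/LF, make text appear as separate log records. Log it at debug and bound and sanitize it first, e.g. `String shown = samlRequest == null ? "null" : samlRequest.replaceAll("[\\r\\n]", " ");` followed by `Logger.debug("Receive INVALID protocol request: " + shown.substring(0, Math.min(shown.length(), 2048)));` (2048 is an illustrative cap, not a project value). The enclosing method starts and ends outside the hunk.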
@@ -51,6 +51,7 @@ import org.springframework.stereotype.Service;
 import at.gv.egovernment.moa.id.auth.IDestroyableObject;
 import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
@@ -491,7 +492,10 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
 private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException {
 PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate);
 filterChain.getFilters().add(new SchemaValidationFilter());
- filterChain.getFilters().add(new PVPEntityCategoryFilter());
+ filterChain.getFilters().add(
+ new PVPEntityCategoryFilter(authConfig.getBasicMOAIDConfigurationBoolean(
+ AuthConfiguration.PROP_KEY_PROTOCOL_PVP_METADATA_ENTITYCATEGORY_RESOLVER,
+ false)));
 if (oaParam.isInderfederationIDP()) {
 Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
index ab8fab5d1..4ae89466d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
@@ -28,6 +28,7 @@ import org.opensaml.saml2.core.NameIDPolicy;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;
+import at.gv.egovernment.moaspss.logging.Logger;
 /**
 * @author tlenz
@@ -41,17 +42,20 @@ public class AuthnRequestValidator {
 NameIDPolicy nameIDPolicy = req.getNameIDPolicy();
 if (nameIDPolicy != null) {
 String nameIDFormat = nameIDPolicy.getFormat();
-
- if ( !(nameIDFormat != null &&
- (NameID.TRANSIENT.equals(nameIDFormat) ||
- NameID.PERSISTENT.equals(nameIDFormat) ||
- NameID.UNSPECIFIED.equals(nameIDFormat))) ) {
-
- throw new NameIDFormatNotSupportedException(nameIDFormat);
+ if (nameIDFormat != null) {
+ if ( !(NameID.TRANSIENT.equals(nameIDFormat) ||
+ NameID.PERSISTENT.equals(nameIDFormat) ||
+ NameID.UNSPECIFIED.equals(nameIDFormat)) ) {
- }
- }
-
+ throw new NameIDFormatNotSupportedException(nameIDFormat);
+
+ }
+
+ } else
+ Logger.trace("Find NameIDPolicy, but NameIDFormat is 'null'");
+ } else
+ Logger.trace("AuthnRequest includes no 'NameIDPolicy'");
+
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
index 679bdd10f..589713c4b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
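Review bot: The two new `else` branches (`} else` followed by a bare `Logger.trace(...)`) are unbraced, which is easy to misread next to the braced `if` blocks above them; the same pattern appears in the `doFilter` and `resolveEntityCategoriesToAttributes` hunks of `PVPEntityCategoryFilter` further down. Wrap each in braces, e.g. `} else {` / `Logger.trace("AuthnRequest includes no 'NameIDPolicy'");` / `}`. The `Logger` imported here is `at.gv.egovernment.moaspss.logging.Logger`, while `MetadataSignatureFilter` in this commit logs through `at.gv.egovernment.moa.logging.Logger`; both appear in the diff, so presumably both are in use, but confirm that the MOA-SPSS logger is the intended destination for these trace lines. The validating method starts outside the hunk.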
@@ -22,8 +22,6 @@ *******************************************************************************/
 package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
-import iaik.x509.X509Certificate;
-
 import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.Iterator;
@@ -31,16 +29,15 @@ import java.util.List;
 import org.opensaml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.provider.FilterException;
 import org.opensaml.saml2.metadata.provider.MetadataFilter;
 import org.opensaml.xml.XMLObject;
 import org.opensaml.xml.security.x509.BasicX509Credential;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier;
 import at.gv.egovernment.moa.logging.Logger;
+import iaik.x509.X509Certificate;
 public class MetadataSignatureFilter implements MetadataFilter {
@@ -87,8 +84,9 @@ public class MetadataSignatureFilter implements MetadataFilter {
 //CHECK if Entity also match MetaData signature.
 /*This check is necessary to prepend declaration of counterfeit OA metadata!!*/
+ Logger.debug("Validate metadata for entityID: " + entityID + " ..... ");
 byte[] entityCert = EntityVerifier.fetchSavedCredential(entityID);
-
+
 if (entityCert != null) {
 X509Certificate cert;
@@ -99,8 +97,10 @@ public class MetadataSignatureFilter implements MetadataFilter {
 EntityVerifier.verify(desc, entityCrendential);
- //add entity to verified entity-list
+ //add entity to verified entity-list
 verifiedEntIT.add(entity);
+ Logger.debug("Metadata for entityID: " + entityID + " valid");
+
 } catch (Exception e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java
index 95d30db49..caabfea30 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java
@@ -54,6 +54,17 @@ import at.gv.egovernment.moaspss.logging.Logger;
 public class PVPEntityCategoryFilter implements MetadataFilter {
+ private boolean isUsed = false;
+
+ /**
+ * Filter to map PVP EntityCategories into a set of single PVP attributes
+ *
+ * @param isUsed if true PVP EntityCategories are mapped, otherwise they are ignored
+ *
+ */
+ public PVPEntityCategoryFilter(boolean isUsed) {
+ this.isUsed = isUsed;
+ }
 /* (non-Javadoc)
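Review bot: `isUsed` is assigned only in the new constructor, so `private boolean isUsed = false;` should be `private final boolean isUsed;` — the flag then cannot be reassigned later and the initializer becomes unnecessary. The Javadoc's first sentence ("Filter to map PVP EntityCategories into a set of single PVP attributes") describes the class rather than the constructor; keep the `@param` on the constructor and move that sentence to a class-level comment. Adding this constructor removes the implicit no-arg one, so any `new PVPEntityCategoryFilter()` caller other than the updated `MOAMetadataProvider` would stop compiling; the diff shows only that one call site, so presumably there are no others.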
@@ -61,31 +72,38 @@ public class PVPEntityCategoryFilter implements MetadataFilter {
 */
 @Override
 public void doFilter(XMLObject metadata) throws FilterException {
- String entityId = null;
- try {
- if (metadata instanceof EntitiesDescriptor) {
- Logger.trace("Find EnitiesDescriptor ... ");
- EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata;
- if (entitiesDesc.getEntityDescriptors() != null) {
- for (EntityDescriptor el : entitiesDesc.getEntityDescriptors())
- resolveEntityCategoriesToAttributes(el);
+
+ if (isUsed) {
+ Logger.trace("Map PVP EntityCategory to single PVP Attributes ... ");
+ String entityId = null;
+ try {
+ if (metadata instanceof EntitiesDescriptor) {
+ Logger.trace("Find EnitiesDescriptor ... ");
+ EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata;
+ if (entitiesDesc.getEntityDescriptors() != null) {
+ for (EntityDescriptor el : entitiesDesc.getEntityDescriptors())
+ resolveEntityCategoriesToAttributes(el);
+
+ }
+
+ } else if (metadata instanceof EntityDescriptor) {
+ Logger.trace("Find EntityDescriptor");
+ resolveEntityCategoriesToAttributes((EntityDescriptor)metadata);
- }
-
- } else if (metadata instanceof EntityDescriptor) {
- Logger.trace("Find EntityDescriptor");
- resolveEntityCategoriesToAttributes((EntityDescriptor)metadata);
+
+ } else
+ throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null);
- } else
- throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null);
-
-
-
- } catch (Exception e) {
- Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e);
+
+ } catch (Exception e) {
+ Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e);
+
+ }
- }
+ } else
+ Logger.trace("Filter to map PVP EntityCategory to single PVP Attributes is deactivated");
+
 }
 private void resolveEntityCategoriesToAttributes(EntityDescriptor metadata) {
@@ -94,6 +112,7 @@ public class PVPEntityCategoryFilter implements MetadataFilter {
 if (extensions != null) {
 List<XMLObject> listOfExt = extensions.getUnknownXMLObjects();
 if (listOfExt != null && !listOfExt.isEmpty()) {
+ Logger.trace("Find #" + listOfExt.size() + " 'Extension' elements ");
 for (XMLObject el : listOfExt) {
 Logger.trace("Find ExtensionElement: " + el.getElementQName().toString());
 if (el instanceof EntityAttributes) {
@@ -132,9 +151,13 @@ public class PVPEntityCategoryFilter implements MetadataFilter {
 Logger.info("Can NOT resolve EntityAttributes! Reason: Only EntityAttributes are supported!");
 }
- }
- }
- }
+ }
+
+ } else
+ Logger.trace("'Extension' element is 'null' or empty");
+
+ } else
+ Logger.trace("No 'Extension' element found");
 }
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
index 07b07d980..4dda4c736 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java
@@ -13,6 +13,7 @@ public interface AuthConfiguration extends ConfigurationProvider{
 public static final String PROP_KEY_SSL_HOSTNAME_VALIDATION = "configuration.ssl.validation.hostname";
 public static final String PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION = "service.onlinemandates.ssl.validation.hostname";
+ public static final String PROP_KEY_PROTOCOL_PVP_METADATA_ENTITYCATEGORY_RESOLVER = "protocols.pvp2.metadata.entitycategories.active";
 public static final String DEFAULT_X509_CHAININGMODE = "pkix"; |
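Review bot: In the rewritten `doFilter` body `entityId` is initialised to `null` and never assigned before the `catch`, so the warning always reads `... for metadata: null` and gives no hint which metadata failed. Either set it from the descriptor before resolving — e.g. `entityId = ((EntityDescriptor) metadata).getEntityID();` in the `EntityDescriptor` branch and `entityId = el.getEntityID();` inside the loop — or drop it from the message. The `catch (Exception e)` also keeps the `MOAIDException` thrown for an unexpected root element from ever leaving the filter; that is pre-existing, but a short comment such as `// best-effort: category mapping must not break metadata loading` would make the intent explicit. The `resolveEntityCategoriesToAttributes` method that begins at the end of this hunk continues outside it.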