aboutsummaryrefslogtreecommitdiff
path: root/id
diff options
context:
space:
mode:
Diffstat (limited to 'id')
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java53
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java10
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java4
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java2
-rw-r--r--id/ConfigWebTool/src/main/resources/applicationResources_de.properties7
-rw-r--r--id/ConfigWebTool/src/main/resources/applicationResources_en.properties8
-rw-r--r--id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp12
-rw-r--r--id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/pvp2.jsp11
-rw-r--r--id/history.txt7
-rw-r--r--id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java2
-rw-r--r--id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java37
-rw-r--r--id/moa-spss-container/pom.xml22
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java8
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java1
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java119
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java11
-rw-r--r--id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java230
-rw-r--r--id/readme_3.2.3.txt732
-rw-r--r--id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html (renamed from id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html)8
-rw-r--r--id/server/data/deploy/conf/moa-id/log4j.properties7
-rw-r--r--id/server/doc/handbook/config/config.html44
-rw-r--r--id/server/doc/handbook/install/install.html9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java45
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java14
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java22
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java24
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java19
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java114
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java53
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java9
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java4
-rw-r--r--id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html193
-rw-r--r--id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html235
-rw-r--r--id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html16
-rw-r--r--id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm36
-rw-r--r--id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html46
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java2
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java1
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java7
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java3
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java34
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java27
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java9
-rw-r--r--id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd31
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java (renamed from id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java)13
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java45
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java1
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java82
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java110
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java39
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java1
-rw-r--r--id/server/modules/moa-id-module-eIDAS/pom.xml10
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java2
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java4
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java8
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java4
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java33
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd31
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java15
75 files changed, 1967 insertions, 836 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java
index 80800543b..5ee2ee6a7 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java
@@ -97,6 +97,9 @@ public class FormularCustomization implements IOnlineApplicationData {
private String aditionalAuthBlockText = null;
private boolean isHideBPKAuthBlock = false;
+ private String saml2PostBindingTemplate = null;
+ private String mandateServiceSelectionTemplate = null;
+
public FormularCustomization() {
new FormularCustomization(null);
}
@@ -128,6 +131,9 @@ public class FormularCustomization implements IOnlineApplicationData {
public List<String> parse(OnlineApplication dbOA, AuthenticatedUser authUser, HttpServletRequest request) {
AuthComponentOA auth = dbOA.getAuthComponentOA();
+ mandateServiceSelectionTemplate = dbOA.getMandateServiceSelectionTemplateURL();
+ saml2PostBindingTemplate = dbOA.getSaml2PostBindingTemplateURL();
+
if (dbOA.getAuthComponentOA() != null)
isHideBPKAuthBlock = dbOA.isRemoveBPKFromAuthBlock();
@@ -243,6 +249,9 @@ public class FormularCustomization implements IOnlineApplicationData {
dbOA.setRemoveBPKFromAuthBlock(isHideBPKAuthBlock());
+ dbOA.setMandateServiceSelectionTemplateURL(mandateServiceSelectionTemplate);
+ dbOA.setSaml2PostBindingTemplateURL(saml2PostBindingTemplate);
+
TemplatesType templates = authoa.getTemplates();
if (templates == null) {
templates = new TemplatesType();
@@ -382,6 +391,21 @@ public class FormularCustomization implements IOnlineApplicationData {
}
+ check = getSaml2PostBindingTemplate();
+ if (MiscUtil.isNotEmpty(check) && ValidationHelper.isNotValidIdentityLinkSigner(check) ) {
+ log.info("URL to SAML2 POST-Binding template is not valid");
+ errors.add(LanguageHelper.getErrorString("validation.general.templates.saml2.postbinding.valid", request));
+
+ }
+
+ check = getMandateServiceSelectionTemplate();
+ if (MiscUtil.isNotEmpty(check) && ValidationHelper.isNotValidIdentityLinkSigner(check) ) {
+ log.info("URL to mandate-service selection-template is not valid");
+ errors.add(LanguageHelper.getErrorString("validation.general.templates.mandateserviceselection.valid", request));
+
+ }
+
+
//validate BKUFormCustomization
errors.addAll(new FormularCustomizationValitator().validate(this, request));
@@ -813,7 +837,36 @@ public class FormularCustomization implements IOnlineApplicationData {
*/
public Map<String, String> getFormMap() {
return map;
+ }
+
+ /**
+ * @return the saml2PostBindingTemplate
+ */
+ public String getSaml2PostBindingTemplate() {
+ return saml2PostBindingTemplate;
+ }
+
+ /**
+ * @param saml2PostBindingTemplate the saml2PostBindingTemplate to set
+ */
+ public void setSaml2PostBindingTemplate(String saml2PostBindingTemplate) {
+ this.saml2PostBindingTemplate = saml2PostBindingTemplate;
+ }
+
+ /**
+ * @return the mandateServiceSelectionTemplate
+ */
+ public String getMandateServiceSelectionTemplate() {
+ return mandateServiceSelectionTemplate;
+ }
+
+ /**
+ * @param mandateServiceSelectionTemplate the mandateServiceSelectionTemplate to set
+ */
+ public void setMandateServiceSelectionTemplate(String mandateServiceSelectionTemplate) {
+ this.mandateServiceSelectionTemplate = mandateServiceSelectionTemplate;
}
+
}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
index 67fef3b1d..c69998fa2 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
@@ -28,9 +28,6 @@ import java.util.Date;
import java.util.StringTokenizer;
import java.util.regex.Pattern;
-import org.apache.commons.lang.StringUtils;
-import org.apache.log4j.Logger;
-
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
@@ -42,6 +39,9 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
+import org.apache.commons.lang.StringUtils;
+import org.apache.log4j.Logger;
+
import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException;
import at.gv.egovernment.moa.id.configuration.Constants;
import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
@@ -205,7 +205,9 @@ public class AuthenticationFilter implements Filter{
filterchain.doFilter(req, resp);
} catch (Exception e) {
-
+
+ log.error("Servlet filter catchs an unhandled exception! Msg: " + e.getMessage(), e);
+
//String redirectURL = "./index.action";
//HttpServletResponse httpResp = (HttpServletResponse) resp;
//redirectURL = httpResp.encodeRedirectURL(redirectURL);
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java
index 5022be915..539deac9e 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java
@@ -44,7 +44,7 @@ import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import at.gv.egiz.components.configuration.meta.api.ConfigurationStorageException;
-import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.AbstractServiceProviderSpecificGUIFormBuilderConfiguration;
import at.gv.egovernment.moa.id.auth.frontend.utils.FormBuildUtils;
import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;
import at.gv.egovernment.moa.id.commons.config.ConfigurationMigrationUtils;
@@ -610,7 +610,7 @@ public class BasicOAAction extends BasicAction {
//set parameters
Map<String, Object> params = (Map<String, Object>) mapobj;
params.put(
- ServiceProviderSpecificGUIFormBuilderConfiguration.PARAM_AUTHCONTEXT,
+ AbstractServiceProviderSpecificGUIFormBuilderConfiguration.PARAM_AUTHCONTEXT,
contextpath);
request.setCharacterEncoding("UTF-8");
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java
index 8e8020d75..fbd2f3bb3 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java
@@ -43,7 +43,7 @@ public class StorkConfigValidator {
errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.cc",
new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request ));
}
- if(!check.toLowerCase().matches("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z]*)")) {
+ if(!check.toLowerCase().matches("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z,0-9]*)")) {
log.warn("CPEPS config countrycode does not comply to ISO 3166-2 : " + check);
errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.cc",
new Object[] {check}, request ));
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
index d75403575..728ce989a 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
@@ -218,6 +218,11 @@ webpages.oaconfig.general.bku.bkuselection.upload=Neues Template hochladen
webpages.oaconfig.general.bku.sendassertion.header=Send-Assertion Template
webpages.oaconfig.general.bku.sendassertion.filename=Dateiname
webpages.oaconfig.general.bku.sendassertion.upload=Neues Template hochladen
+webpages.oaconfig.general.templates.elgamandates.header=Template zur Vollmachtenserviceauswahl
+webpages.oaconfig.general.templates.elgamandates.url=Template URL
+webpages.oaconfig.general.templates.saml2.postbinding.header=SAML2 POST Binding Formular
+webpages.oaconfig.general.templates.saml2.postbinding.url=Template URL
+
webpages.oaconfig.bPKEncDec.header=Fremd-bPK Konfiguration
webpages.oaconfig.bPKEncDec.keystore.header=KeyStore Konfiguration
@@ -493,6 +498,8 @@ validation.general.sendassertion.filename.valid=Der Dateiname des Send-Assertion
validation.general.sendassertion.file.valid=Das Send-Assertion Templates konnte nicht geladen werden.
validation.general.sendassertion.file.selected=Es kann nur EIN Send-Assertion Template angegeben werden.
validation.general.testcredentials.oid.valid=Die Testdaten OID {0} ist ung\u00FCltig.
+validation.general.templates.saml2.postbinding.valid=URL zum Template f\u00FCr das SAML2 POST-Binding Formular ist nicht g\u00FCltig.
+validation.general.templates.mandateserviceselection.valid=URL zum Template z\u00FCr Auswahl des Vollmachtenservices ist nicht g\u00FCltig.
validation.bPKDec.keyStorePassword.empty=Das Password f\u00FCr den KeyStore ist leer.
validation.bPKDec.keyStorePassword.valid=Das Password f\u00FCr den KeyStore enth\u00E4lt nicht erlaubte Zeichen. Folgende Zeichen sind nicht erlaubt\: {0}
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
index 708cc605e..a8f4be796 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
@@ -224,6 +224,12 @@ webpages.oaconfig.general.bku.sendassertion.header=Send-Assertion Template
webpages.oaconfig.general.bku.sendassertion.filename=Filename
webpages.oaconfig.general.bku.sendassertion.upload=Upload new template
+webpages.oaconfig.general.templates.elgamandates.header=Template to select a specific mandate service
+webpages.oaconfig.general.templates.elgamandates.url=Template URL
+webpages.oaconfig.general.templates.saml2.postbinding.header=SAML2 POST-Binding Formular
+webpages.oaconfig.general.templates.saml2.postbinding.url=Template URL
+
+
webpages.oaconfig.bPKEncDec.header=Foreign-bPK Configuration
webpages.oaconfig.bPKEncDec.keystore.header=Keystore configuration
webpages.oaconfig.bPKEncDec.filename=Filename
@@ -491,6 +497,8 @@ validation.general.sendassertion.filename.valid=The file name of Send-Assertion
validation.general.sendassertion.file.valid=Send-Assertion Templates could not be loaded.
validation.general.sendassertion.file.selected=Only one Send-Assertion Template can be provided.
validation.general.testcredentials.oid.valid=The OID {0} for test credentials is not a valid.
+validation.general.templates.saml2.postbinding.valid=URL to SAML2 POST-Binding template is not valid
+validation.general.templates.mandateserviceselection.valid=URL to mandate-service selection-template is not valid
validation.bPKDec.keyStorePassword.empty=KeyStore password is blank.
validation.bPKDec.keyStorePassword.valid=The keyStore password contains forbidden characters. The following characters are not allowed\: {0}
diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp
index 008a8b521..6dbed0047 100644
--- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp
+++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp
@@ -160,7 +160,7 @@
</div>
- <div class="oa_protocol_area">
+ <div class="oa_protocol_area">
<h4><%=LanguageHelper.getGUIString("webpages.oaconfig.general.bku.bkuselection.header", request) %></h4>
<s:iterator value="%{formOA.bkuSelectionFileUploadFileName}" var="fileNameBKU">
<div class="floatClass">
@@ -202,6 +202,16 @@
</s:if>
</div>
+ <div class="oa_protocol_area">
+ <h4><%=LanguageHelper.getGUIString("webpages.oaconfig.general.templates.elgamandates.header", request) %></h4>
+ <s:textfield name="formOA.mandateServiceSelectionTemplate"
+ value="%{formOA.mandateServiceSelectionTemplate}"
+ labelposition="left"
+ key="webpages.oaconfig.general.templates.elgamandates.url"
+ cssClass="textfield_long">
+ </s:textfield>
+ </div>
+
</s:if>
</div>
diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/pvp2.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/pvp2.jsp
index 7e40fc60b..693ef8073 100644
--- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/pvp2.jsp
+++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/pvp2.jsp
@@ -23,6 +23,17 @@
<div id="pvp2_certificate_upload">
<s:file name="pvp2OA.fileUpload" key="webpages.oaconfig.pvp2.certifcate" cssClass="textfield_long"></s:file>
</div>
+
+ <div class="oa_protocol_area">
+ <h4><%=LanguageHelper.getGUIString("webpages.oaconfig.general.templates.saml2.postbinding.header", request) %></h4>
+ <s:textfield name="formOA.saml2PostBindingTemplate"
+ value="%{formOA.saml2PostBindingTemplate}"
+ labelposition="left"
+ key="webpages.oaconfig.general.templates.saml2.postbinding.url"
+ cssClass="textfield_long">
+ </s:textfield>
+ </div>
+
</div>
</html> \ No newline at end of file
diff --git a/id/history.txt b/id/history.txt
index befe0ffbc..1734d69e9 100644
--- a/id/history.txt
+++ b/id/history.txt
@@ -1,5 +1,12 @@
Dieses Dokument zeigt die Veränderungen und Erweiterungen von MOA-ID auf.
+Version MOA-ID Release 3.2.3: Änderungen seit Version MOA-ID 3.2.2
+- Änderungen
+ - Bug-Fix - Possible problem in combination with IAIK_JCE and JAVA JDK >= 8u141
+ - Bug-Fix - Possible thread looking during certificate validation
+ - Bug-Fix - Wrong logging entries
+ - Stability improvements
+
Version MOA-ID Release 3.2.2: Änderungen seit Version MOA-ID 3.2.1
- Änderungen
- Security-Fix - Struts2 (CVE-2017-5638)
diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java
index fb675ad43..df67ca2f1 100644
--- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java
+++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java
@@ -125,7 +125,7 @@ public static final List<String> KEYWHITELIST;
LanguageHelper.getErrorString("validation.stork.cpeps.cc",
new Object[] {ValidationHelper.getPotentialCSSCharacter(false)})));
}
- if(!cc.toLowerCase().matches("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z]*)")) {
+ if(!cc.toLowerCase().matches("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z,0-9]*)")) {
log.warn("CPEPS config countrycode does not comply to ISO 3166-2 : " + cc);
errors.add(new ValidationObjectIdentifier(
MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST
diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java
index ca1109aa1..f8ce21c99 100644
--- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java
+++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java
@@ -41,7 +41,6 @@ import at.gv.egovernment.moa.id.config.webgui.helper.GUIDataParser;
import at.gv.egovernment.moa.id.config.webgui.helper.LanguageHelper;
import at.gv.egovernment.moa.id.config.webgui.validation.task.AbstractTaskValidator;
import at.gv.egovernment.moa.id.config.webgui.validation.task.ITaskValidator;
-import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.MiscUtil;
/**
@@ -82,18 +81,27 @@ public class ServicesBKUSelectionTask extends AbstractTaskValidator implements I
Map<String, String> newConfigValues = new HashMap<String, String>();
+ //delete configuration key if the configuration value is empty or null
+ if (MiscUtil.isEmpty(input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL)))
+ keysToDelete.add(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL);
+
+ //delete configuration key if the configuration value is empty or null
+ if (MiscUtil.isEmpty(input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL)))
+ keysToDelete.add(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL);
+
+
String bkuSelectTemplateUploadedFileName = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_BKUSELECTION_FILENAME);
if (MiscUtil.isNotEmpty(bkuSelectTemplateUploadedFileName)) {
newConfigValues.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_BKUSELECTION_PREVIEW, bkuSelectTemplateUploadedFileName);
}
-
+
String sendAssertionTemplateUploadedFileName = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SENDASSERTION_FILENAME);
if (MiscUtil.isNotEmpty(sendAssertionTemplateUploadedFileName)) {
newConfigValues.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_BKUSELECTION_PREVIEW, sendAssertionTemplateUploadedFileName);
}
-
+
String bkuSelectionFileUpload = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_BKUSELECTION_DATA);
String bkuSelectionFile = GUIDataParser.getBase64ContentFromGUIUpload(bkuSelectionFileUpload);
if (bkuSelectionFile != null)
@@ -253,6 +261,29 @@ public class ServicesBKUSelectionTask extends AbstractTaskValidator implements I
}
+
+ //validate template URLs
+ check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL);
+ if (MiscUtil.isNotEmpty(check) && ValidationHelper.isNotValidIdentityLinkSigner(check) ) {
+ log.info("URL to SAML2 POST-Binding template is not valid");
+ errors.add(new ValidationObjectIdentifier(
+ MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL,
+ "Templates - SAML2 Post-Binding",
+ LanguageHelper.getErrorString("validation.general.templates.saml2.postbinding.valid")));
+
+ }
+ check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL);
+ if (MiscUtil.isNotEmpty(check) && ValidationHelper.isNotValidIdentityLinkSigner(check) ) {
+ log.info("URL to mandate-service selection-template is not valid");
+ errors.add(new ValidationObjectIdentifier(
+ MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL,
+ "Templates - Mandate-Service selection",
+ LanguageHelper.getErrorString("validation.general.templates.mandateserviceselection.valid")));
+
+ }
+
+
+ //check Template customization parameters
check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_BACKGROUNDCOLOR);
if (MiscUtil.isNotEmpty(check)) {
if (!check.startsWith("#"))
diff --git a/id/moa-spss-container/pom.xml b/id/moa-spss-container/pom.xml
index fe6ea0c47..085c731fd 100644
--- a/id/moa-spss-container/pom.xml
+++ b/id/moa-spss-container/pom.xml
@@ -47,7 +47,7 @@
<dependency>
<groupId>MOA.spss.server</groupId>
<artifactId>moa-sig-lib</artifactId>
- <version>3.1.0</version>
+ <version>3.1.1</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
@@ -65,7 +65,7 @@
<dependency>
<groupId>MOA.spss</groupId>
<artifactId>common</artifactId>
- <version>3.1.0</version>
+ <version>3.1.1</version>
</dependency>
<dependency>
<groupId>MOA.spss</groupId>
@@ -90,17 +90,19 @@
<dependency>
<groupId>iaik.prod</groupId>
<artifactId>iaik_eccelerate</artifactId>
- <version>3.1_eval</version>
+ <version>4.02_eval</version>
</dependency>
- <dependency>
+
+ <dependency>
<groupId>iaik.prod</groupId>
<artifactId>iaik_eccelerate_addon</artifactId>
- <version>3.01_eval</version>
- </dependency>
+ <version>4.02</version>
+ </dependency>
+
<dependency>
<groupId>iaik.prod</groupId>
<artifactId>iaik_eccelerate_cms</artifactId>
- <version>3.01</version>
+ <version>4.02</version>
</dependency>
<dependency>
<groupId>iaik.prod</groupId>
@@ -115,12 +117,12 @@
<dependency>
<groupId>iaik.prod</groupId>
<artifactId>iaik_moa</artifactId>
- <version>2.04</version>
+ <version>2.05</version>
</dependency>
- <dependency>
+ <dependency>
<groupId>iaik.prod</groupId>
<artifactId>iaik_pki_module</artifactId>
- <version>1.02_moa</version>
+ <version>1.04_moa</version>
</dependency>
<dependency>
<groupId>iaik.prod</groupId>
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java
index 95347c265..09069ac7f 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java
@@ -174,6 +174,14 @@ public class Configuration {
}
+ public boolean useRedirectBindingRequest() {
+ return Boolean.parseBoolean(props.getProperty("general.login.pvp2.binding.req.redirect", "true"));
+ }
+
+ public boolean useRedirectBindingResponse() {
+ return Boolean.parseBoolean(props.getProperty("general.login.pvp2.binding.resp.redirect", "false"));
+ }
+
public void initializePVP2Login() throws ConfigurationException {
if (!pvp2logininitialzied)
initalPVP2Login();
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java
index d6d2b32da..00e7c3619 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java
@@ -34,4 +34,5 @@ public class Constants {
public static final String SESSION_NAMEID = "pvp2nameID";
public static final String SESSION_NAMEIDFORMAT = "pvp2nameIDFormat";
+
}
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java
index 2641797ed..4c909ff80 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java
@@ -34,11 +34,15 @@ import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
+import org.apache.commons.lang3.RandomUtils;
+import org.apache.velocity.app.VelocityEngine;
+import org.apache.velocity.runtime.RuntimeConstants;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
@@ -107,8 +111,13 @@ public class Authenticate extends HttpServlet {
SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
authReq.setID(gen.generateIdentifier());
+ String relayState = String.valueOf(RandomUtils.nextLong());
- authReq.setAssertionConsumerServiceIndex(0);
+ if (config.useRedirectBindingResponse())
+ authReq.setAssertionConsumerServiceIndex(1);
+ else
+ authReq.setAssertionConsumerServiceIndex(0);
+
authReq.setAttributeConsumingServiceIndex(0);
authReq.setIssueInstant(new DateTime());
@@ -152,17 +161,24 @@ public class Authenticate extends HttpServlet {
for (SingleSignOnService sss :
idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) {
-// //Get the service address for the binding you wish to use
-// if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
-// redirectEndpoint = sss;
-// }
+ //Get the service address for the binding you wish to use
+ if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI) && !config.useRedirectBindingRequest()) {
+ redirectEndpoint = sss;
+ }
//Get the service address for the binding you wish to use
- if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
+ if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) && config.useRedirectBindingRequest()) {
redirectEndpoint = sss;
}
}
+
+ if (redirectEndpoint == null) {
+ log.warn("Can not find valid EndPoint for SAML2 response");
+ throw new ConfigurationException("Can not find valid EndPoint for SAML2 response");
+
+ }
+
authReq.setDestination(redirectEndpoint.getLocation());
//authReq.setDestination("http://test.test.test");
@@ -195,49 +211,54 @@ public class Authenticate extends HttpServlet {
signer.setSigningCredential(authcredential);
authReq.setSignature(signer);
- //generate Http-POST Binding message
-// VelocityEngine engine = new VelocityEngine();
-// engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
-// engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
-// engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
-// engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
-// engine.setProperty("classpath.resource.loader.class",
-// "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
-// engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS,
-// "org.apache.velocity.runtime.log.SimpleLog4JLogSystem");
-// engine.init();
-//
-// HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
-// "templates/pvp_postbinding_template.html");
-// HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
-// response, true);
-// BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
-// SingleSignOnService service = new SingleSignOnServiceBuilder()
-// .buildObject();
-// service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
-// service.setLocation(redirectEndpoint.getLocation());;
-//
-// context.setOutboundSAMLMessageSigningCredential(authcredential);
-// context.setPeerEntityEndpoint(service);
-// context.setOutboundSAMLMessage(authReq);
-// context.setOutboundMessageTransport(responseAdapter);
-
- //generate Redirect Binding message
- HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
- HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
- response, true);
- BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
- SingleSignOnService service = new SingleSignOnServiceBuilder()
- .buildObject();
- service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
- service.setLocation(redirectEndpoint.getLocation());
- context.setOutboundSAMLMessageSigningCredential(authcredential);
- context.setPeerEntityEndpoint(service);
- context.setOutboundSAMLMessage(authReq);
- context.setOutboundMessageTransport(responseAdapter);
- //context.setRelayState(relayState);
-
- encoder.encode(context);
+
+ if (!config.useRedirectBindingRequest()) {
+ //generate Http-POST Binding message
+ VelocityEngine engine = new VelocityEngine();
+ engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+ engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
+ engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+ engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
+ engine.setProperty("classpath.resource.loader.class",
+ "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
+ engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS,
+ "org.apache.velocity.runtime.log.SimpleLog4JLogSystem");
+ engine.init();
+
+ HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
+ "templates/pvp_postbinding_template.html");
+ HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+ response, true);
+ BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+ SingleSignOnService service = new SingleSignOnServiceBuilder()
+ .buildObject();
+ service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+ service.setLocation(redirectEndpoint.getLocation());;
+ context.setOutboundSAMLMessageSigningCredential(authcredential);
+ context.setPeerEntityEndpoint(service);
+ context.setOutboundSAMLMessage(authReq);
+ context.setOutboundMessageTransport(responseAdapter);
+ context.setRelayState(relayState);
+ encoder.encode(context);
+
+ } else {
+ //generate Redirect Binding message
+ HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
+ HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+ response, true);
+ BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+ SingleSignOnService service = new SingleSignOnServiceBuilder()
+ .buildObject();
+ service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+ service.setLocation(redirectEndpoint.getLocation());
+ context.setOutboundSAMLMessageSigningCredential(authcredential);
+ context.setPeerEntityEndpoint(service);
+ context.setOutboundSAMLMessage(authReq);
+ context.setOutboundMessageTransport(responseAdapter);
+ context.setRelayState(relayState);
+ encoder.encode(context);
+
+ }
} catch (Exception e) {
log.warn("Authentication Request can not be generated", e);
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
index 75b54cfc4..d28f94fd6 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java
@@ -234,13 +234,20 @@ public class BuildMetadata extends HttpServlet {
//set HTTP-POST Binding assertion consumer service
AssertionConsumerService postassertionConsumerService =
- SAML2Utils.createSAMLObject(AssertionConsumerService.class);
-
+ SAML2Utils.createSAMLObject(AssertionConsumerService.class);
postassertionConsumerService.setIndex(0);
postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
postassertionConsumerService.setLocation(serviceURL + Constants.SERVLET_PVP2ASSERTION);
spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService);
+ //set HTTP-Redirect Binding assertion consumer service
+ AssertionConsumerService redirectassertionConsumerService =
+ SAML2Utils.createSAMLObject(AssertionConsumerService.class);
+ redirectassertionConsumerService.setIndex(1);
+ redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+ redirectassertionConsumerService.setLocation(serviceURL + Constants.SERVLET_PVP2ASSERTION);
+ spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService);
+
//set Single Log-Out service
SingleLogoutService sloService = SAML2Utils.createSAMLObject(SingleLogoutService.class);
sloService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
index cfc170011..93622f828 100644
--- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
+++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java
@@ -38,6 +38,9 @@ import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
+import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
+import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
+import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.EncryptedAssertion;
@@ -46,10 +49,14 @@ import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCredentialResolverFactory;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.ws.security.SecurityPolicyResolver;
+import org.opensaml.ws.security.provider.BasicSecurityPolicy;
+import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
@@ -91,6 +98,7 @@ public class DemoApplication extends HttpServlet {
ApplicationBean bean = new ApplicationBean();
+ log.debug("Receive request on secure-area endpoint ...");
String method = request.getMethod();
HttpSession session = request.getSession();
@@ -101,11 +109,44 @@ public class DemoApplication extends HttpServlet {
return;
}
- if (method.equals("POST")) {
-
- try {
- Configuration config = Configuration.getInstance();
+ try {
+ Configuration config = Configuration.getInstance();
+ Response samlResponse = null;
+
+ if (method.equals("GET")) {
+ log.debug("Find possible SAML2 Redirect-Binding response ...");
+ HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(new BasicParserPool());
+ BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
+
+ messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
+ messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
+
+ messageContext.setMetadataProvider(config.getMetaDataProvier());
+
+ MetadataCredentialResolver resolver = new MetadataCredentialResolver(config.getMetaDataProvier());
+ List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
+ keyInfoProvider.add(new DSAKeyValueProvider());
+ keyInfoProvider.add(new RSAKeyValueProvider());
+ keyInfoProvider.add(new InlineX509DataProvider());
+ KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+ keyInfoProvider);
+ ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
+ resolver, keyInfoResolver);
+
+ SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(engine);
+ SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
+ BasicSecurityPolicy policy = new BasicSecurityPolicy();
+ policy.getPolicyRules().add(signatureRule);
+ policy.getPolicyRules().add(signedRole);
+ SecurityPolicyResolver resolver1 = new StaticSecurityPolicyResolver(policy);
+ messageContext.setSecurityPolicyResolver(resolver1);
+ decode.decode(messageContext);
+
+ log.info("PVP2 Assertion with Redirect-Binding is valid");
+
+ } else if (method.equals("POST")) {
+ log.debug("Find possible SAML2 Post-Binding response ...");
//Decode with HttpPost Binding
HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
@@ -114,7 +155,7 @@ public class DemoApplication extends HttpServlet {
request));
decode.decode(messageContext);
- Response samlResponse = (Response) messageContext.getInboundMessage();
+ samlResponse = (Response) messageContext.getInboundMessage();
Signature sign = samlResponse.getSignature();
if (sign == null) {
@@ -148,116 +189,117 @@ public class DemoApplication extends HttpServlet {
ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
trustEngine.validate(sign, criteriaSet);
- log.info("PVP2 Assertion is valid");
+ log.info("PVP2 Assertion with POST-Binding is valid");
- //set assertion
- org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse);
- String assertion = DOMUtils.serializeNode(doc);
- bean.setAssertion(assertion);
+ } else {
+ bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding.");
+ setAnser(request, response, bean);
+ return;
- if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+ }
- List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
-
- //check encrypted Assertion
- List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
- if (encryAssertionList != null && encryAssertionList.size() > 0) {
- //decrypt assertions
-
- log.debug("Found encryped assertion. Start decryption ...");
-
- KeyStore keyStore = config.getPVP2KeyStore();
-
- X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
- keyStore,
- config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(),
- config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
-
-
- StaticKeyInfoCredentialResolver skicr =
- new StaticKeyInfoCredentialResolver(authDecCredential);
-
- ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
- encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
- encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
- encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
-
- Decrypter samlDecrypter =
- new Decrypter(null, skicr, encryptedKeyResolver);
-
- for (EncryptedAssertion encAssertion : encryAssertionList) {
- saml2assertions.add(samlDecrypter.decrypt(encAssertion));
-
- }
-
- log.debug("Assertion decryption finished. ");
-
- } else {
- saml2assertions = samlResponse.getAssertions();
+ //set assertion
+ org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse);
+ String assertion = DOMUtils.serializeNode(doc);
+ bean.setAssertion(assertion);
+
+ if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+
+ List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
- }
+ //check encrypted Assertion
+ List<EncryptedAssertion> encryAssertionList = samlResponse.getEncryptedAssertions();
+ if (encryAssertionList != null && encryAssertionList.size() > 0) {
+ //decrypt assertions
- String givenName = null;
- String familyName = null;
- String birthday = null;
+ log.debug("Found encryped assertion. Start decryption ...");
- for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
-
- //loop through the nodes to get what we want
- List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements();
- for (int i = 0; i < attributeStatements.size(); i++)
- {
- List<Attribute> attributes = attributeStatements.get(i).getAttributes();
- for (int x = 0; x < attributes.size(); x++)
- {
- String strAttributeName = attributes.get(x).getDOM().getAttribute("Name");
+ KeyStore keyStore = config.getPVP2KeyStore();
+
+ X509Credential authDecCredential = new KeyStoreX509CredentialAdapter(
+ keyStore,
+ config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(),
+ config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray());
+
+
+ StaticKeyInfoCredentialResolver skicr =
+ new StaticKeyInfoCredentialResolver(authDecCredential);
+
+ ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+ encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
+ encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
+ encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
+
+ Decrypter samlDecrypter =
+ new Decrypter(null, skicr, encryptedKeyResolver);
+
+ for (EncryptedAssertion encAssertion : encryAssertionList) {
+ saml2assertions.add(samlDecrypter.decrypt(encAssertion));
- if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME))
- familyName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
- if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME))
- givenName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
-
- if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) {
- birthday = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
- }
- }
- }
- request.getSession().setAttribute(Constants.SESSION_NAMEIDFORMAT,
- saml2assertion.getSubject().getNameID().getFormat());
- request.getSession().setAttribute(Constants.SESSION_NAMEID,
- saml2assertion.getSubject().getNameID().getValue());
-
}
-
- bean.setDateOfBirth(birthday);
- bean.setFamilyName(familyName);
- bean.setGivenName(givenName);
- bean.setLogin(true);
-
- setAnser(request, response, bean);
- return;
+ log.debug("Assertion decryption finished. ");
} else {
- bean.setErrorMessage("Der Anmeldevorgang wurde abgebrochen.<br>Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion.");
- setAnser(request, response, bean);
- return;
+ saml2assertions = samlResponse.getAssertions();
+
+ }
+
+ String givenName = null;
+ String familyName = null;
+ String birthday = null;
+
+ for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
+
+ //loop through the nodes to get what we want
+ List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements();
+ for (int i = 0; i < attributeStatements.size(); i++)
+ {
+ List<Attribute> attributes = attributeStatements.get(i).getAttributes();
+ for (int x = 0; x < attributes.size(); x++)
+ {
+ String strAttributeName = attributes.get(x).getDOM().getAttribute("Name");
+
+ if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME))
+ familyName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+ if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME))
+ givenName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+
+ if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) {
+ birthday = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
+ }
+ }
+ }
+ request.getSession().setAttribute(Constants.SESSION_NAMEIDFORMAT,
+ saml2assertion.getSubject().getNameID().getFormat());
+ request.getSession().setAttribute(Constants.SESSION_NAMEID,
+ saml2assertion.getSubject().getNameID().getValue());
}
+
+ bean.setDateOfBirth(birthday);
+ bean.setFamilyName(familyName);
+ bean.setGivenName(givenName);
+ bean.setLogin(true);
+
+ setAnser(request, response, bean);
+ return;
+
- } catch (Exception e) {
- log.warn(e);
- bean.setErrorMessage("Internal Error: " + e.getMessage());
+ } else {
+ bean.setErrorMessage("Der Anmeldevorgang wurde abgebrochen.<br>Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion.");
setAnser(request, response, bean);
return;
+
}
- } else {
- bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding.");
+ } catch (Exception e) {
+ log.warn(e);
+ bean.setErrorMessage("Internal Error: " + e.getMessage());
setAnser(request, response, bean);
return;
-
}
+
}
private void setAnser(HttpServletRequest request, HttpServletResponse response, ApplicationBean answersBean) throws ServletException, IOException {
diff --git a/id/readme_3.2.3.txt b/id/readme_3.2.3.txt
new file mode 100644
index 000000000..edb75f6de
--- /dev/null
+++ b/id/readme_3.2.3.txt
@@ -0,0 +1,732 @@
+===============================================================================
+MOA ID Version Release 3.2.3 - Wichtige Informationen zur Installation
+===============================================================================
+
+-------------------------------------------------------------------------------
+A. Neuerungen/Änderungen
+-------------------------------------------------------------------------------
+
+Mit MOA ID Version 3.2.3 wurden folgende Neuerungen und Änderungen eingeführt,
+die jetzt erstmals in der Veröffentlichung enthalten sind (siehe auch
+history.txt im gleichen Verzeichnis).
+
+- Änderungen
+ - Behebung eines möglichen Problems mit JAVA JDK 8u141
+ - Behebung eines möglichen Thread Look Problems während Zertifikatsprüfung
+ - Bug-Fixes
+ - Stabilitätsverbesserungen
+
+-------------------------------------------------------------------------------
+B. Durchführung eines Updates
+-------------------------------------------------------------------------------
+
+Es wird generell eine Neuinstallation lt. Handbuch empfohlen! Dennoch ist auch
+eine Aktualisierung bestehender Installationen möglich. Je nachdem von welcher
+MOA-ID Version ausgegangen wird ergibt sich eine Kombination der nachfolgend
+angebebenen Updateschritte.
+
+Hinweis: Wenn Sie die bestehende Konfiguration von MOA-ID 2.x.x in MOA-ID 3.2.x
+reimportieren möchten, so muss diese vor dem Update mit Hilfe der import/export
+Funktion der grafischen Konfigurationsoberfläche in eine Datei exportiert werden.
+Diese Datei dient dann als Basis für den Import in MOA-ID 3.2.x.
+
+...............................................................................
+A.1 Durchführung eines Updates von Version 3.2.x auf Version 3.2.3
+...............................................................................
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.2.3.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
+ bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
+ für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war
+ als auch das komplette Verzeichnis moa-id-auth.
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+ CATALINA_HOME_ID/webapps.
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+ CATALINA_HOME_ID/webapps.
+
+6. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis
+ JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach.
+
+7. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das
+ Verzeichnis JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr
+ unterstuetzt).
+
+8. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+ Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.1 Durchführung eines Updates von Version 3.1.x auf Version 3.2.3
+...............................................................................
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.2.3.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
+ bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
+ für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war
+ als auch das komplette Verzeichnis moa-id-auth.
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+ CATALINA_HOME_ID/webapps.
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+ CATALINA_HOME_ID/webapps.
+
+6. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis
+ JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach.
+
+7. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das
+ Verzeichnis JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr
+ unterstuetzt).
+
+8. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth
+ Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties
+ a.) moasession.jpaVendorAdapter.generateDdl=true
+ moasession.dbcp.connectionProperties=
+ moasession.dbcp.initialSize=5
+ moasession.dbcp.maxActive=100
+ moasession.dbcp.maxIdle=8
+ moasession.dbcp.minIdle=5
+ moasession.dbcp.maxWaitMillis=-1
+ moasession.dbcp.testOnBorrow=true
+ moasession.dbcp.testOnReturn=false
+ moasession.dbcp.testWhileIdle=false
+ moasession.dbcp.validationQuery=select 1
+ b.) advancedlogging.jpaVendorAdapter.generateDdl=true
+ advancedlogging.dbcp.initialSize=0
+ advancedlogging.dbcp.maxActive=50
+ advancedlogging.dbcp.maxIdle=8
+ advancedlogging.dbcp.minIdle=0
+ advancedlogging.dbcp.maxWaitMillis=-1
+ advancedlogging.dbcp.testOnBorrow=true
+ advancedlogging.dbcp.testOnReturn=false
+ advancedlogging.dbcp.testWhileIdle=false
+ advancedlogging.dbcp.validationQuery=SELECT 1
+ c.) *.hibernate.connection.url=... um den GET Parameter '&serverTimezone=UTC' erweitern
+ d.) configuration.ssl.validation.revocation.method.order=crl,ocsp
+ e.) Zusätzliche neu, aber optionale Parameter finden Sie in der Beispielkonfiguration
+
+9. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+ Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.1 Durchführung eines Updates von Version 3.0.x auf Version 3.2.3
+...............................................................................
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.2.2.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
+ bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
+ für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war
+ als auch das komplette Verzeichnis moa-id-auth.
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+ CATALINA_HOME_ID/webapps.
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+ CATALINA_HOME_ID/webapps.
+
+6. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis
+ JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach.
+
+7. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das
+ Verzeichnis JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr
+ unterstuetzt).
+
+8. Update der TrustStores für WebService Zugriffe.
+ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\certs\ca-certs
+ in das Verzeichnis CATALINA_HOME\conf\moa-id\certs\ca-certs.
+ b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\certs\certstore\toBeAdded
+ in das Verzeichnis CATALINA_HOME\conf\moa-id\certs\certstore\toBeAdded.
+
+9. Hinzufügen der zusätzlichen Konfigurationsparameter in der
+ MOA-ID-Configuration Konfigurationsdatei
+ CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties
+ a.) dbcp.validationQuery=..... (SQL Query zum Validieren der
+ Datenbankverbindung
+ z.B: "SELECT 1" für mySQL
+ "select 1 from dual" für OracleDB)
+
+10. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth
+ Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties
+ a.) configuration.dbcp.validationQuery=..... (SQL Query zum
+ Validieren der Datenbankverbindung
+ z.B: "SELECT 1" für mySQL
+ "select 1 from dual" für OracleDB)
+ b.) moasession.jpaVendorAdapter.generateDdl=true
+ moasession.dbcp.connectionProperties=
+ moasession.dbcp.initialSize=5
+ moasession.dbcp.maxActive=100
+ moasession.dbcp.maxIdle=8
+ moasession.dbcp.minIdle=5
+ moasession.dbcp.maxWaitMillis=-1
+ moasession.dbcp.testOnBorrow=true
+ moasession.dbcp.testOnReturn=false
+ moasession.dbcp.testWhileIdle=false
+ moasession.dbcp.validationQuery=select 1
+ c.) advancedlogging.jpaVendorAdapter.generateDdl=true
+ advancedlogging.dbcp.initialSize=0
+ advancedlogging.dbcp.maxActive=50
+ advancedlogging.dbcp.maxIdle=8
+ advancedlogging.dbcp.minIdle=0
+ advancedlogging.dbcp.maxWaitMillis=-1
+ advancedlogging.dbcp.testOnBorrow=true
+ advancedlogging.dbcp.testOnReturn=false
+ advancedlogging.dbcp.testWhileIdle=false
+ advancedlogging.dbcp.validationQuery=SELECT 1
+ d.) *.hibernate.connection.url=... um den GET Parameter '&serverTimezone=UTC' erweitern
+ e.) configuration.ssl.validation.revocation.method.order=crl,ocsp
+ f.) Zusätzliche neu, aber optionale Parameter finden Sie in der Beispielkonfigration
+
+11. Update der Default html-Templates für die Bürgerkartenauswahl.
+ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates
+ in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates.
+ b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates
+ in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates.
+
+12. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+ Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.3 Durchführung eines Updates von Version 2.2.1 auf Version 3.2.3
+...............................................................................
+
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.2.2.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
+ bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
+ für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und
+ moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth
+ und das komplette Verzeichnis moa-id-configuration.
+
+4. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis
+ CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach.
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+ CATALINA_HOME_ID/webapps.
+
+6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+ CATALINA_HOME_ID/webapps.
+
+7. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis
+ JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach.
+
+8. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das
+ Verzeichnis JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr
+ unterstuetzt).
+
+9. Update des Cert-Stores.
+ Kopieren Sie den Inhalt des Verzeichnisses
+ MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis
+ CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie
+ vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann
+ bejahen sie das.
+
+10. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen
+ wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile
+ beibehalten wollen, dann gehen Sie vor, wie in Punkt b).
+
+ a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen:
+
+ 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles.
+ 2) Kopieren Sie das Verzeichnis
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis
+ CATALINA_HOME\conf\moa-spss.
+
+ b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie
+ folgt vor, um die Profile auf den aktuellen Stand zu bringen:
+
+ 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den
+ entsprechenden Profilen im Verzeichnis
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren
+ Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt
+ der einzelnen Profile aus der Distribution
+ (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden
+ Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles)
+ kopieren und dabei die vorhandenen gleichnamigen Zertifikate
+ überschreiben), also z.B: Kopieren des Inhalts von
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\
+ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach
+ CATALINA_HOME\conf\moa-spss\trustProfiles\
+ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw.
+
+11. Update der Default html-Templates für die Bürgerkartenauswahl.
+
+ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates
+ in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates.
+ b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates
+ in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates.
+
+12. Update der STORK Konfiguration
+ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork
+ in das Verzeichnis CATALINA_HOME\conf\moa-id\stork.
+ b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration ->
+ 2.4 Konfiguration des SamlEngines an.
+
+13. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei
+ CATALINA_HOME\conf\moa-id\moa-id.properties
+
+14. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Configration Konfigurationsdatei
+ CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties
+
+15. Hinzufügen der zusätzlichen Konfigurationsdatei in der MOA-ID-Configuration
+ CATALINA_HOME\conf\moa-id-configuration\userdatabase.properties
+
+16. Update der Tomcat Start-Skripts:
+ - Die Konfigurationsdateien für MOA-ID-Auth und MOA-ID-Configuration müssen
+ nur als URI (file:/...) übergeben werden.
+
+17. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+ Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.4 Durchführung eines Updates von Version 2.2.0 auf Version 2.2.1
+...............................................................................
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.2.1.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
+ bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
+ für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und
+ moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth
+ und das komplette Verzeichnis moa-id-configuration.
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+ CATALINA_HOME_ID/webapps.
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+ CATALINA_HOME_ID/webapps.
+
+6. Update des Cert-Stores.
+ Kopieren Sie den Inhalt des Verzeichnisses
+ MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis
+ CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie
+ vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann
+ bejahen sie das.
+
+7. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen
+ wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile
+ beibehalten wollen, dann gehen Sie vor, wie in Punkt b).
+
+ a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen:
+
+ 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles.
+ 2) Kopieren Sie das Verzeichnis
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis
+ CATALINA_HOME\conf\moa-spss.
+
+ b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie
+ folgt vor, um die Profile auf den aktuellen Stand zu bringen:
+
+ 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den
+ entsprechenden Profilen im Verzeichnis
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren
+ Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt
+ der einzelnen Profile aus der Distribution
+ (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden
+ Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles)
+ kopieren und dabei die vorhandenen gleichnamigen Zertifikate
+ überschreiben), also z.B: Kopieren des Inhalts von
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\
+ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach
+ CATALINA_HOME\conf\moa-spss\trustProfiles\
+ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw.
+
+8. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+ Logging von MOA ID beim Einlesen der Konfiguration.
+
+...............................................................................
+B.1 Durchführung eines Updates von Version 2.1.2 auf Version 2.2.0
+...............................................................................
+ 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.2.0.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
+ bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
+ für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und
+ moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth
+ und das komplette Verzeichnis moa-id-configuration.
+
+4. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis
+ CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach.
+
+6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+ CATALINA_HOME_ID/webapps.
+
+7. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+ CATALINA_HOME_ID/webapps.
+
+8. Kopieren der folgenden Dateien:
+ Sollte die Datei bereits vorhanden sein erstellen Sie ein Backup der
+ Datei bevor Sie diese durch die neue Version ersetzen.
+ a.) MOA_ID_AUTH_INST/conf/moa-id/stork/StorkSamlEngine_VIDP.xml ->
+ CATALINA_HOME/conf/moa-id/stork/StorkSamlEngine_VIDP.xml
+ b.) MOA_ID_AUTH_INST/conf/moa-id/stork/StorkSamlEngine_outgoing.xml ->
+ CATALINA_HOME/conf/moa-id/stork/StorkSamlEngine_outgoing.xml
+
+9. Dem STORK KeyStores unter MOA_ID_AUTH_INST/conf/moa-id/keys/storkDemoKeys.jks
+ (Passwort=local-demo) wurden neue vertrauenswürdige Zertifikate hinzugefügt.
+ Gleichen Sie bei Bedarf die Zertifikate dieses KeyStores mit Ihrem aktuell
+ verwendeten KeyStore ab.
+
+10. Update des Cert-Stores.
+ Kopieren Sie den Inhalt des Verzeichnisses
+ MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis
+ CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie
+ vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann
+ bejahen sie das.
+
+11. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen
+ wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile
+ beibehalten wollen, dann gehen Sie vor, wie in Punkt b).
+
+ a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen:
+
+ 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles.
+ 2) Kopieren Sie das Verzeichnis
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis
+ CATALINA_HOME\conf\moa-spss.
+
+ b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie
+ folgt vor, um die Profile auf den aktuellen Stand zu bringen:
+
+ 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den
+ entsprechenden Profilen im Verzeichnis
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren
+ Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt
+ der einzelnen Profile aus der Distribution
+ (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden
+ Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles)
+ kopieren und dabei die vorhandenen gleichnamigen Zertifikate
+ überschreiben), also z.B: Kopieren des Inhalts von
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\
+ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach
+ CATALINA_HOME\conf\moa-spss\trustProfiles\
+ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw.
+
+
+12. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+ Logging von MOA ID beim Einlesen der Konfiguration.
+
+...............................................................................
+B.2 Durchführung eines Updates von Version 2.1.1 auf Version 2.1.2
+...............................................................................
+ 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.2.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
+ bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
+ für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und
+ moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth
+ und das komplette Verzeichnis moa-id-configuration.
+
+4. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis
+ CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach.
+
+5. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\endorsed in das
+ Verzeichnis CATALINA_HOME_ID\endorsed
+
+6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+ CATALINA_HOME_ID/webapps.
+
+7. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+ CATALINA_HOME_ID/webapps.
+
+8. Kopieren der folgenden Dateien
+ a.) MOA_ID_AUTH_INST/conf/moa-id/stork/StorkSamlEngine_VIDP.xml ->
+ CATALINA_HOME/conf/moa-id/stork/StorkSamlEngine_VIDP.xml
+ Sollte die Datei bereits vorhanden sein erstellen Sie ein Backup der
+ Datei slo_template.html bevor Sie diese durch die neue Version ersetzen.
+
+9. Dem STORK KeyStores unter MOA_ID_AUTH_INST/conf/moa-id/keys/storkDemoKeys.jks
+ (Passwort=local-demo) wurden neue vertrauenswürdige Zertifikate hinzugefügt.
+ Gleichen Sie bei Bedarf die Zertifikate dieses KeyStores mit Ihrem aktuell
+ verwendeten KeyStore ab.
+
+10. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+ Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.3 Durchführung eines Updates von Version 2.1.0 auf Version 2.1.1
+...............................................................................
+ 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.0.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
+ bezeichnet.
+
+3. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis
+ JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach.
+
+4. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das
+ Verzeichnis JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr
+ unterstuetzt).
+
+5. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
+ für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als
+ auch das komplette Verzeichnis moa-id-auth.
+
+6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+ CATALINA_HOME_ID/webapps.
+
+7. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+ CATALINA_HOME_ID/webapps.
+
+8. Hinzufügen der zusätzlichen Konfigurationsparameter in der
+ MOA-ID-Configuration Konfigurationsdatei
+ CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties
+ a.) general.moaconfig.key=..... (Passwort zum Ver- und
+ Entschlüsseln von Konfigurationsparametern in der Datenbank)
+
+9. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth
+ Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties
+ a.) configuration.moaconfig.key=..... (Passwort zum Ver- und
+ Entschlüsseln von Konfigurationsparametern in der Datenbank)
+
+10. Kopieren der folgenden Dateien
+ a.) MOA_ID_AUTH_INST/conf/moa-id/htmlTemplates/slo_template.html ->
+ CATALINA_HOME/conf/moa-id/htmlTemplates/slo_template.html
+ Sollte die Datei bereits vorhanden sein erstellen Sie ein Backup der
+ Datei slo_template.html bevor Sie diese durch die neue Version ersetzen.
+
+11. Update des Cert-Stores.
+ Kopieren Sie den Inhalt des Verzeichnisses
+ MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis
+ CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie
+ vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann
+ bejahen sie das.
+
+12. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen
+ wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile
+ beibehalten wollen, dann gehen Sie vor, wie in Punkt b).
+
+ a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen:
+
+ 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles.
+ 2) Kopieren Sie das Verzeichnis
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis
+ CATALINA_HOME\conf\moa-spss.
+
+ b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie
+ folgt vor, um die Profile auf den aktuellen Stand zu bringen:
+
+ 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den
+ entsprechenden Profilen im Verzeichnis
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren
+ Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt
+ der einzelnen Profile aus der Distribution
+ (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden
+ Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles)
+ kopieren und dabei die vorhandenen gleichnamigen Zertifikate
+ überschreiben), also z.B: Kopieren des Inhalts von
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\
+ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach
+ CATALINA_HOME\conf\moa-spss\trustProfiles\
+ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw.
+
+13. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+ Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.4 Durchführung eines Updates von Version 2.0.1 auf Version 2.1.0
+...............................................................................
+ 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.0.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
+ bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
+ für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als
+ auch das komplette Verzeichnis moa-id-auth.
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+ CATALINA_HOME_ID/webapps.
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+ CATALINA_HOME_ID/webapps.
+
+6. Update der STORK Konfiguration
+ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork
+ in das Verzeichnis CATALINA_HOME\conf\moa-id\stork.
+ b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration ->
+ 2.4 Konfiguration des SamlEngines an.
+
+7. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Configuration Konfigurationsdatei
+ CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties
+ a.) general.ssl.certstore=certs/certstore
+ b.) general.ssl.truststore=certs/truststore
+
+8. Kopieren des folgenden zusätzlichen Ordners MOA_ID_AUTH_INST/conf/moa-id-configuration/certs
+ nach CATALINA_HOME\conf\moa-id-configuration\
+
+9. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei
+ CATALINA_HOME\conf\moa-id\moa-id.properties und Anpassung an das zu verwendeten Schlüsselpaar.
+ a.) protocols.pvp2.idp.ks.assertion.encryption.alias=pvp_assertion
+ protocols.pvp2.idp.ks.assertion.encryption.keypassword=password
+
+10. Kopieren der folgenden zusätzlichen Ordner aus MOA_ID_AUTH_INST/conf/moa-id/
+ nach CATALINA_HOME\conf\moa-id\
+ a.) MOA_ID_AUTH_INST/conf/moa-id/SLTemplates -> CATALINA_HOME\conf\moa-id\
+ b.) MOA_ID_AUTH_INST/conf/moa-id/htmlTemplates/slo_template.html ->
+ CATALINA_HOME/conf/moa-id/htmlTemplates/slo_template.html
+
+11. Neuinitialisieren des Datenbank Schema für die MOA-Session. Hierfür stehen
+ zwei Varianten zur Verfügung.
+ a.) Ändern Sie in der Konfigurationsdatei für das Modul MOA-ID-Auth
+ CATALINA_HOME\conf\moa-id\moa-id.properties die Zeile
+ moasession.hibernate.hbm2ddl.auto=update
+ zu
+ moasession.hibernate.hbm2ddl.auto=create
+ Danach werden die Tabellen beim nächsten Startvorgang neu generiert.
+
+ b.) Löschen Sie alle Tabellen aus dem Datenbank Schema für die MOA-Sessixson
+ Informationen per Hand. Alle Tabellen werden beim nächsten Start autmatisch neu generiert.
+
+12 . Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+ Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.5 Durchführung eines Updates von Version 2.0-RC1 auf Version 2.0.1
+...............................................................................
+
+1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird.
+ Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an.
+
+2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.0.1.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST
+ bezeichnet.
+ Für MOA ID Proxy:
+ Entpacken Sie die Distribution von MOA-ID-Proxy (moa-id-proxy-2.0.1.zip) in
+ ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_PROXY_INST
+ bezeichnet.
+
+3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth
+ beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps,
+ wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation
+ für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als
+ auch das komplette Verzeichnis moa-id-auth.
+
+4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach
+ CATALINA_HOME_ID/webapps.
+
+5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach
+ CATALINA_HOME_ID/webapps.
+
+6. Update des Cert-Stores.
+ Kopieren Sie den Inhalt des Verzeichnisses
+ MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis
+ CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie
+ vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann
+ bejahen sie das.
+
+7. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen
+ wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile
+ beibehalten wollen, dann gehen Sie vor, wie in Punkt b).
+
+ a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen:
+
+ 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles.
+ 2) Kopieren Sie das Verzeichnis
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis
+ CATALINA_HOME\conf\moa-spss.
+
+ b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie
+ folgt vor, um die Profile auf den aktuellen Stand zu bringen:
+
+ 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den
+ entsprechenden Profilen im Verzeichnis
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren
+ Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt
+ der einzelnen Profile aus der Distribution
+ (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden
+ Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles)
+ kopieren und dabei die vorhandenen gleichnamigen Zertifikate
+ überschreiben), also z.B: Kopieren des Inhalts von
+ MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\
+ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach
+ CATALINA_HOME\conf\moa-spss\trustProfiles\
+ MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw.
+
+8. Update der Default html-Templates für die Bürgerkartenauswahl.
+
+ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates
+ in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates.
+ b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates
+ in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates.
+
+9. Update der STORK Konfiguration
+ a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork
+ in das Verzeichnis CATALINA_HOME\conf\moa-id\stork.
+ b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration ->
+ 2.4 Konfiguration des SamlEngines an.
+
+10. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei
+ CATALINA_HOME\conf\moa-id\moa-id.properties
+
+ a.) configuration.validation.certificate.QC.ignore=false
+ b.) protocols.pvp2.assertion.encryption.active=false
+
+11. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im
+ Logging von MOA ID beim Einlesen der Konfiguration.
+
+
+...............................................................................
+B.6 Durchführung eines Updates von Version <= 1.5.1
+...............................................................................
+
+Bitte führen Sie eine Neuinstallation von MOA ID laut Handbuch durch und passen
+Sie die mitgelieferte Musterkonfiguration entsprechend Ihren Bedürfnissen unter
+Zuhilfenahme Ihrer bisherigen Konfiguration an.
+
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html
index 64e88a688..4ea9a4873 100644
--- a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html
+++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html
@@ -31,11 +31,9 @@
<form action="${action}" method="post" target="_parent">
<div>
- #if($RelayState)<input type="hidden" name="RelayState"
- value="${RelayState}" />#end #if($SAMLRequest)<input type="hidden"
- name="SAMLRequest" value="${SAMLRequest}" />#end #if($SAMLResponse)<input
- type="hidden" name="SAMLResponse" value="${SAMLResponse}" />#end
-
+ #if($RelayState) <input type="hidden" name="RelayState" value="${RelayState}"/> #end
+ #if($SAMLRequest) <input type="hidden" name="SAMLRequest" value="${SAMLRequest}" /> #end
+ #if($SAMLResponse) <inputtype="hidden" name="SAMLResponse" value="${SAMLResponse}" /> #end
</div>
<noscript>
<div>
diff --git a/id/server/data/deploy/conf/moa-id/log4j.properties b/id/server/data/deploy/conf/moa-id/log4j.properties
index d83e8e550..f37100a5b 100644
--- a/id/server/data/deploy/conf/moa-id/log4j.properties
+++ b/id/server/data/deploy/conf/moa-id/log4j.properties
@@ -19,8 +19,7 @@ log4j.logger.at.gv.egovernment.moa.id.configuration=info,CONFIGTOOL
# configure the stdout appender
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
-#log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %20c | %10t | %m%n
-log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} |%20.20c | %10t | %m%n
+log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} |%20.20c | %10t | %m%n
# configure the rolling file appender (R)
log4j.appender.R=org.apache.log4j.RollingFileAppender
@@ -28,7 +27,7 @@ log4j.appender.R.File=${catalina.base}/logs/moa-id.log
log4j.appender.R.MaxFileSize=10000KB
log4j.appender.R.MaxBackupIndex=1
log4j.appender.R.layout=org.apache.log4j.PatternLayout
-log4j.appender.R.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %t | %m%n
+log4j.appender.R.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} | %t | %m%n
# configure the rolling file appender (R)
log4j.appender.CONFIGTOOL=org.apache.log4j.RollingFileAppender
@@ -36,4 +35,4 @@ log4j.appender.CONFIGTOOL.File=${catalina.base}/logs/moa-id-webgui.log
log4j.appender.CONFIGTOOL.MaxFileSize=10000KB
log4j.appender.CONFIGTOOL.MaxBackupIndex=1
log4j.appender.CONFIGTOOL.layout=org.apache.log4j.PatternLayout
-log4j.appender.CONFIGTOOL.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %t | %m%n \ No newline at end of file
+log4j.appender.CONFIGTOOL.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} | %t | %m%n \ No newline at end of file
diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html
index 0361442ac..84590aaee 100644
--- a/id/server/doc/handbook/config/config.html
+++ b/id/server/doc/handbook/config/config.html
@@ -1724,20 +1724,6 @@ Soll die B&uuml;rgerkartenauswahl weiterhin, wie in MOA-ID 1.5.1 im Kontext der
<td align="center">X</td>
<td>&Uuml;ber diese Funktion k&ouml;nnen drei zus&auml;tzliche SecurtityLayer-Request Templates f&uuml;r diese Online-Applikation definiert werden. Diese hier definierten Templates dienen als zus&auml;tzliche WhiteList f&uuml;r Templates welche im &bdquo;StartAuthentication&ldquo; Request mit dem Parameter &bdquo;template&ldquo; &uuml;bergeben werden. Sollte im &bdquo;StartAuthentication&ldquo; Request der Parameter &bdquo;template&ldquo; fehlen, es wurde jedoch eine &bdquo;bkuURL&ldquo; &uuml;bergeben, dann wird f&uuml;r den Authentifizierungsvorgang das erste Template in dieser Liste verwendet. Detailinformationen zum <a href="./../protocol/protocol.html#allgemeines_legacy">Legacy Request</a> finden Sie im Kapitel Protokolle.</td>
</tr>
- <tr>
- <td>BKU-Selection Template</td>
- <td>&nbsp;</td>
- <td align="center">X</td>
- <td align="center">X</td>
- <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates f&uuml;r die B&uuml;rgerkartenauswahl. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_bku">Kapitel 4.1</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle f&uuml;r Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen. </td>
- </tr>
- <tr>
- <td>Send-Assertion Template</td>
- <td>&nbsp;</td>
- <td align="center">X</td>
- <td align="center">X</td>
- <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates f&uuml;r die zus&auml;tzliche Anmeldeabfrage im Falle einer Single Sign-On Anmeldung. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_sso">Kapitel 4.2</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle f&uuml;r Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen.</td>
- </tr>
</table>
<h4><a name="konfigurationsparameter_oa_testcredentials" id="uebersicht_zentraledatei_aktualisierung10"></a> 3.2.3 Test Identit&auml;ten</h4>
<p>In diesem Abschnitt k&ouml;nnen f&uuml;r diese Online-Applikation Testidentit&auml;ten erlaubt werden. Diese Testidentit&auml;ten k&ouml;nnen auch bei produktiven Instanzen freigeschalten werden, da die Unterschiedung zwischen Produkt- und Testidentit&auml;t anhand einer speziellen OID im Signaturzertifikat der Testidentit&auml;t getroffen wird. Folgende Konfigurationsparameter stehen hierf&uuml;r zur Verf&uuml;gung.</p>
@@ -2007,6 +1993,13 @@ Soll die B&uuml;rgerkartenauswahl weiterhin, wie in MOA-ID 1.5.1 im Kontext der
<td align="center">&nbsp;</td>
<td>Zertifikat mit dem die Metadaten der Online-Applikation signiert sind. Dieses wird ben&ouml;tigt um die Metadaten zu verifizieren.</td>
</tr>
+ <tr>
+ <td>SAML2 Post-Binding Template</td>
+ <td>&nbsp;</td>
+ <td align="center">X</td>
+ <td align="center">X</td>
+ <td>Pfad zum online-applikationsspezifischen Template f&uuml;r SAML2 (PVP2 S-Profil) http POST-Binding. Relative Pfadangaben werden dabei relativ zum Verzeichnis, in dem sich die MOA-ID-Auth Basiskonfigurationsdatei befindet, interpretiert. Das Template kann ausschlie&szlig;lich aus dem Dateisystem geladen werden.</td>
+ </tr>
</table>
<h5><a name="konfigurationsparameter_oa_protocol_openIDConnect" id="uebersicht_zentraledatei_aktualisierung27"></a>3.2.8.3 OpenID Connect</h5>
<p>In diesem Bereich erfolgt die applikationsspezifische Konfiguration f&uuml;r OpenID Connect (OAuth 2.0). </p>
@@ -2074,7 +2067,30 @@ wenn die individuelle Security-Layer Transformation den Formvorschriften der Sp
<td align="center">X</td>
<td>Wird diese Option gew&auml;hlt wird im AuthBlock, welcher im Anmeldevorgang signiert wird, keine bPK oder wbPK dargestellt.</td>
</tr>
+ <tr>
+ <td>BKU-Selection Template</td>
+ <td>&nbsp;</td>
+ <td align="center">X</td>
+ <td align="center">X</td>
+ <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates f&uuml;r die B&uuml;rgerkartenauswahl. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_bku">Kapitel 4.1</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle f&uuml;r Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen. </td>
+ </tr>
+ <tr>
+ <td>Send-Assertion Template</td>
+ <td>&nbsp;</td>
+ <td align="center">X</td>
+ <td align="center">X</td>
+ <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates f&uuml;r die zus&auml;tzliche Anmeldeabfrage im Falle einer Single Sign-On Anmeldung. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_sso">Kapitel 4.2</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle f&uuml;r Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen.</td>
+ </tr>
+ <tr>
+ <td>Vollmachtenservice Auswahlseite Template</td>
+ <td>&nbsp;</td>
+ <td align="center">X</td>
+ <td align="center">X</td>
+ <td>Pfad zum online-applikationsspezifischen Template zur Auswahl des gew&uuml;nschten Vollmachtenservices. Relative Pfadangaben werden dabei relativ zum Verzeichnis, in dem sich die MOA-ID-Auth Basiskonfigurationsdatei befindet, interpretiert. Das Template kann ausschlie&szlig;lich aus dem Dateisystem geladen werden.</td>
+ </tr>
</table>
+<h5>&nbsp;</h5>
+<h5>&nbsp;</h5>
<h5><a name="konfigurationsparameter_oa_additional_formular" id="uebersicht_zentraledatei_aktualisierung29"></a>3.2.9.1 Login-Fenster Konfiguration</h5>
<p>Diese Konfigurationsparameter bieten zus&auml;tzliche Einstellungen f&uuml;r eine Anpassung der B&uuml;rgerkartenauswahl welche von MOA-ID-Auth generiert wird.
Zur besseren Handhabung werden die angegebenen Parameter direkt in einer Vorschau dargestellt.
diff --git a/id/server/doc/handbook/install/install.html b/id/server/doc/handbook/install/install.html
index aa4114539..db96cda3c 100644
--- a/id/server/doc/handbook/install/install.html
+++ b/id/server/doc/handbook/install/install.html
@@ -235,8 +235,8 @@ https://&lt;host&gt;:&lt;port&gt;/egiz-configuration-webapp/</pre>
<h5><a name="webservice_basisinstallation_logging_format" id="webservice_basisinstallation_logging_format"></a>2.1.3.1 Format der Log-Meldungen</h5>
<p> Anhand einer konkreten Log-Meldung wird das Format der MOA SP/SS Log-Meldungen erl&auml;utert: </p>
<pre>
-INFO | 01 21:25:26,540 | Thread-3 | TID=1049225059594-100 NID=node1
- MSG=Starte neue Transaktion: TID=1049225059594-100, Service=SignatureVerification
+ INFO | 2017-09-18 10:29:22,904 | SID-7947921060553739539 | TID-4708232418268334030 | https://sso.demosp.at/handysignatur
+ | ajp-nio-28109-exec-7 | No SSO Session cookie found
</pre>
<p> Der Wert <code>INFO</code> besagt, dass die Log-Meldung im Log-Level <code>INFO</code> entstanden ist. Folgende Log-Levels existieren:</p>
<ul>
@@ -257,7 +257,10 @@ INFO | 01 21:25:26,540 | Thread-3 | TID=1049225059594-100 NID=node1
</li>
</ul>
<p>Der n&auml;chste Wert <code>01 21:25:26,540</code> gibt den Zeitpunkt an, zu dem die Log-Meldung generiert wurde (in diesem Fall den 1. Tag im aktuellen Monat, sowie die genaue Uhrzeit). </p>
- <p> Der Wert <code>Thread-3</code> bezeichnet den Thread, von dem die Anfrage bearbeitet wird.</p>
+ <p>Der Wert <code>SID-7947921060553739539</code> bezeichnet die SessionID, welche diesem Request zugeordnet wurde. Eine SessionID ist innerhalb einer SSO auch &uuml;ber mehrere Authentifizierungsrequests eindeutig. Das Loggen der SessionID kann mittels <code>%X{sessionId}</code> in der log4j Konfiguration gesetzt werden</p>
+ <p>Der Wert <code>TID-4708232418268334030</code> bezeichnet die TransactionsID, welche diesem Request zugeordnet wurde. Eine TransactionsID ist innerhalb eines Authentifizierungsrequests eindeutig. Das Loggen der TransactionsID kann mittels <code>%X{transactionId}</code> in der log4j Konfiguration gesetzt werden</p>
+ <p>Der Wert <code>https://sso.demosp.at/handysignatur</code> bezeichnet die Online Applikation (eindeutiger Identifier dieses Service Providers) f&uuml;r welchen dieser Authentifizierungsrequest durchgef&uuml;hrt wird. Das Loggen des OA Identifiers kann mittels <code>%X{oaId}</code> in der log4j Konfiguration gesetzt werden</p>
+ <p>Der Wert <code>ajp-nio-28109-exec-7</code> bezeichnet den Thread, von dem die Anfrage bearbeitet wird.</p>
<p> Der Rest der Zeile einer Log-Meldung ist der eigentliche Text, mit dem das System bestimmte Informationen anzeigt. Im Fehlerfall ist h&auml;ufig ein Java Stack-Trace angef&uuml;gt, der eine genauere Ursachen-Forschung erm&ouml;glicht.</p>
<h5> <a name="webservice_basisinstallation_logging_messages" id="webservice_basisinstallation_logging_messages"></a>2.1.3.2 Wichtige Log-Meldungen</h5>
<p> Neben den im Abschnitt <a href="#webservice_basisinstallation_installation_tomcatstartstop_verify">2.1.2.4.3</a> beschriebenen Log-Meldungen, die anzeigen, ob das Service ordnungsgem&auml;&szlig; gestartet wurde, geben nachfolgenden Log-Meldungen Aufschluss &uuml;ber die Abarbeitung von Anfragen. </p>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
index b57e6ed69..55b1a7c9a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java
@@ -69,6 +69,7 @@ public class StatisticLogger implements IStatisticLogger{
private static final String GENERIC_LOCALBKU = ":3496/https-security-layer-request";
private static final String GENERIC_HANDYBKU = "https://www.handy-signatur.at/";
+ private static final String GENERIC_ONLINE_BKU = "bkuonline";
private static final String MANTATORTYPE_JUR = "jur";
private static final String MANTATORTYPE_NAT = "nat";
@@ -422,8 +423,13 @@ public class StatisticLogger implements IStatisticLogger{
return IOAAuthParameters.HANDYBKU;
}
- Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU);
- return IOAAuthParameters.ONLINEBKU;
+ if (bkuURL.contains(GENERIC_ONLINE_BKU)) {
+ Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU);
+ return IOAAuthParameters.ONLINEBKU;
+ }
+
+ Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.AUTHTYPE_OTHERS);
+ return IOAAuthParameters.AUTHTYPE_OTHERS;
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java
index 6d53fd510..0b066f3b9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java
@@ -23,10 +23,8 @@
package at.gv.egovernment.moa.id.advancedlogging;
-import java.util.Date;
-
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
-import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
/**
* @author tlenz
@@ -34,6 +32,43 @@ import at.gv.egovernment.moa.util.MiscUtil;
*/
public class TransactionIDUtils {
+ /**
+ * Set all MDC variables from pending request to this threat context<br>
+ * These includes SessionID, TransactionID, and unique service-provider identifier
+ *
+ * @param pendingRequest
+ */
+ public static void setAllLoggingVariables(IRequest pendingRequest) {
+ setTransactionId(pendingRequest.getUniqueTransactionIdentifier());
+ setSessionId(pendingRequest.getUniqueSessionIdentifier());
+ setServiceProviderId(pendingRequest.getOnlineApplicationConfiguration().getPublicURLPrefix());
+
+ }
+
+ /**
+ * Remove all MDC variables from this threat context
+ *
+ */
+ public static void removeAllLoggingVariables() {
+ removeSessionId();
+ removeTransactionId();
+ removeServiceProviderId();
+
+ }
+
+
+ public static void setServiceProviderId(String oaUniqueId) {
+ org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID, oaUniqueId);
+ org.slf4j.MDC.put(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID, oaUniqueId);
+
+ }
+
+ public static void removeServiceProviderId() {
+ org.apache.log4j.MDC.remove(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID);
+ org.slf4j.MDC.remove(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID);
+
+ }
+
public static void setTransactionId(String pendingRequestID) {
org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_TRANSACTION_ID,
"TID-" + pendingRequestID);
@@ -50,9 +85,9 @@ public class TransactionIDUtils {
public static void setSessionId(String uniqueSessionId) {
org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_SESSION_ID,
- "TID-" + uniqueSessionId);
+ "SID-" + uniqueSessionId);
org.slf4j.MDC.put(MOAIDAuthConstants.MDC_SESSION_ID,
- "TID-" + uniqueSessionId);
+ "SID-" + uniqueSessionId);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java
index bbb322a4f..34d0d4be1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java
@@ -74,20 +74,26 @@ public class AuthenticationSessionCleaner implements Runnable {
ExceptionContainer exContainer = (ExceptionContainer) entry;
if (exContainer.getExceptionThrown() != null) {
- //add session and transaction ID to log if exists
+ //add session, transaction, and service-provider IDs into logging context if exists
if (MiscUtil.isNotEmpty(exContainer.getUniqueTransactionID()))
TransactionIDUtils.setTransactionId(exContainer.getUniqueTransactionID());
if (MiscUtil.isNotEmpty(exContainer.getUniqueSessionID()))
TransactionIDUtils.setSessionId(exContainer.getUniqueSessionID());
+ if (MiscUtil.isNotEmpty(exContainer.getUniqueServiceProviderId()))
+ TransactionIDUtils.setServiceProviderId(exContainer.getUniqueServiceProviderId());
+
//log exception to technical log
logExceptionToTechnicalLog(exContainer.getExceptionThrown());
//remove session and transaction ID from thread
- TransactionIDUtils.removeSessionId();
- TransactionIDUtils.removeTransactionId();
- }
+ TransactionIDUtils.removeAllLoggingVariables();
+
+ } else {
+ Logger.warn("Receive an ExceptionContainer that includes no 'Exception' object. Somethinge is suspect!!!!!");
+
+ }
}
} catch (Exception e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java
index c582050ad..710008714 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java
@@ -32,7 +32,7 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
-import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad;
import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -68,10 +68,10 @@ public class GenerateBKUSelectionFrameTask extends AbstractAuthServletTask {
throw new AuthenticationException("auth.00", new Object[] { pendingReq.getOAURL() });
}
-
- IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+
+ IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
pendingReq,
- ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_BKUSELECTION,
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_BKUSELECTION,
GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION);
guiBuilder.build(response, config, "BKU-Selection form");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java
index ca99e9ba3..475009cf2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java
@@ -31,7 +31,7 @@ import org.springframework.stereotype.Component;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
-import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad;
import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -67,10 +67,10 @@ public class GenerateSSOConsentEvaluatorFrameTask extends AbstractAuthServletTas
//store pending request
requestStoreage.storePendingRequest(pendingReq);
- //build consents evaluator form
- IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+ //build consents evaluator form
+ IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
pendingReq,
- ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_SENDASSERTION,
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_SENDASSERTION,
GeneralProcessEngineSignalController.ENDPOINT_SENDASSERTION_EVALUATION);
guiBuilder.build(response, config, "SendAssertion-Evaluation");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index 1431911a3..353261085 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -33,6 +33,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.ExceptionHandler;
import com.google.common.net.MediaType;
+
import at.gv.egovernment.moa.id.advancedlogging.IStatisticLogger;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
@@ -139,13 +140,11 @@ public abstract class AbstractController extends MOAIDAuthConstants {
if (pendingReq != null) {
revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR);
transactionStorage.put(key,
- new ExceptionContainer(pendingReq.getUniqueSessionIdentifier(),
- pendingReq.getUniqueTransactionIdentifier(), loggedException),-1);
+ new ExceptionContainer(pendingReq, loggedException),-1);
} else {
transactionStorage.put(key,
- new ExceptionContainer(null,
- null, loggedException),-1);
+ new ExceptionContainer(null, loggedException),-1);
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
index 0ce7b0050..32f103ca7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
@@ -45,11 +45,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont
//change pending-request ID
requestStorage.changePendingRequestID(pendingReq);
pendingRequestID = pendingReq.getRequestID();
-
- //add transactionID and unique sessionID to Logger
- TransactionIDUtils.setSessionId(pendingReq.getUniqueSessionIdentifier());
- TransactionIDUtils.setTransactionId(pendingReq.getUniqueTransactionIdentifier());
-
+
// process instance is mandatory
if (pendingReq.getProcessInstanceId() == null) {
throw new MOAIllegalStateException("process.03", new Object[]{"MOA session does not provide process instance id."});
@@ -64,8 +60,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont
} finally {
//MOASessionDBUtils.closeSession();
- TransactionIDUtils.removeTransactionId();
- TransactionIDUtils.removeSessionId();
+ TransactionIDUtils.removeAllLoggingVariables();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
index 9b658d81b..416e787a7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java
@@ -34,7 +34,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
-import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IRequest;
@@ -71,17 +71,17 @@ public class GUILayoutBuilderServlet extends AbstractController {
IRequest pendingReq = extractPendingRequest(req);
//initialize GUI builder configuration
- ServiceProviderSpecificGUIFormBuilderConfiguration config = null;
+ SPSpecificGUIBuilderConfigurationWithDBLoad config = null;
if (pendingReq != null)
- config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+ config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
pendingReq,
- ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_CSS,
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_CSS,
null);
else
- config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+ config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
HTTPUtils.extractAuthURLFromRequest(req),
- ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_CSS,
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_CSS,
null);
//build GUI component
@@ -100,17 +100,17 @@ public class GUILayoutBuilderServlet extends AbstractController {
IRequest pendingReq = extractPendingRequest(req);
//initialize GUI builder configuration
- ServiceProviderSpecificGUIFormBuilderConfiguration config = null;
+ SPSpecificGUIBuilderConfigurationWithDBLoad config = null;
if (pendingReq != null)
- config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+ config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
pendingReq,
- ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_JS,
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_JS,
GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION);
else
- config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+ config = new SPSpecificGUIBuilderConfigurationWithDBLoad(
HTTPUtils.extractAuthURLFromRequest(req),
- ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_JS,
+ SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_JS,
GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION);
//build GUI component
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java
index bedc67513..466364adb 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java
@@ -57,8 +57,8 @@ public class UniqueSessionIdentifierInterceptor implements HandlerInterceptor {
String uniqueSessionIdentifier = ssomanager.getUniqueSessionIdentifier(ssoId);
if (MiscUtil.isEmpty(uniqueSessionIdentifier))
uniqueSessionIdentifier = Random.nextRandom();
- TransactionIDUtils.setSessionId(uniqueSessionIdentifier);
+ TransactionIDUtils.setSessionId(uniqueSessionIdentifier);
request.setAttribute(MOAIDConstants.UNIQUESESSIONIDENTIFIER, uniqueSessionIdentifier);
return true;
@@ -79,8 +79,8 @@ public class UniqueSessionIdentifierInterceptor implements HandlerInterceptor {
@Override
public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
throws Exception {
- // TODO Auto-generated method stub
-
+ TransactionIDUtils.removeAllLoggingVariables();
+
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java
index 1c6fdcb65..4820b6fdc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java
@@ -24,6 +24,8 @@ package at.gv.egovernment.moa.id.data;
import java.io.Serializable;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+
/**
* @author tlenz
*
@@ -34,13 +36,21 @@ public class ExceptionContainer implements Serializable {
private Throwable exceptionThrown = null;
private String uniqueSessionID = null;
private String uniqueTransactionID = null;
+ private String uniqueServiceProviderId = null;
/**
*
*/
- public ExceptionContainer(String uniqueSessionID, String uniqueTransactionID, Throwable exception) {
- this.uniqueSessionID = uniqueSessionID;
- this.uniqueTransactionID = uniqueTransactionID;
+ public ExceptionContainer(IRequest pendingReq, Throwable exception) {
+ if (pendingReq != null) {
+ this.uniqueSessionID = pendingReq.getUniqueSessionIdentifier();
+ this.uniqueTransactionID = pendingReq.getUniqueTransactionIdentifier();
+
+ if (pendingReq.getOnlineApplicationConfiguration() != null)
+ this.uniqueServiceProviderId = pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix();
+
+ }
+
this.exceptionThrown = exception;
}
@@ -62,6 +72,14 @@ public class ExceptionContainer implements Serializable {
public String getUniqueTransactionID() {
return uniqueTransactionID;
}
+
+ /**
+ * @return the uniqueServiceProviderId
+ */
+ public String getUniqueServiceProviderId() {
+ return uniqueServiceProviderId;
+ }
+
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index ab0a1ec40..7c581d470 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -47,6 +47,7 @@ import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
+import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
@@ -202,6 +203,14 @@ public class AuthenticationManager extends MOAIDAuthConstants {
public AuthenticationSession doAuthentication(HttpServletRequest httpReq,
HttpServletResponse httpResp, RequestImpl pendingReq) throws MOADatabaseException, ServletException, IOException, MOAIDException {
+ //load OA configuration from pending request
+ IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
+
+ //set logging context and log unique OA identifier to revision log
+ TransactionIDUtils.setServiceProviderId(pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix());
+ revisionsLogger.logEvent(oaParam,
+ pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL());
+
//generic authentication request validation
if (pendingReq.isPassiv()
&& pendingReq.forceAuth()) {
@@ -236,12 +245,8 @@ public class AuthenticationManager extends MOAIDAuthConstants {
boolean isValidSSOSession = ssoManager.isValidSSOSession(ssoId, pendingReq);
// check if Service-Provider allows SSO sessions
- IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
boolean useSSOOA = oaParam.useSSO() || oaParam.isInderfederationIDP();
-
- revisionsLogger.logEvent(oaParam,
- pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL());
-
+
//if a legacy request is used SSO should not be allowed in case of mandate authentication
boolean isUseMandateRequested = LegacyHelper.isUseMandateRequested(httpReq);
@@ -615,7 +620,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
//send SLO response to SLO request issuer
SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq);
LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs());
- sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
+ sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq);
} else {
//print SLO information directly
@@ -651,7 +656,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
if (pvpReq != null) {
SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq);
LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
- sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
+ sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq);
revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java
index eec48e0f3..90ccb3c27 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java
@@ -52,9 +52,8 @@ public class RequestStorage implements IRequestStorage{
}
//set transactionID and sessionID to Logger
- TransactionIDUtils.setTransactionId(pendingRequest.getUniqueTransactionIdentifier());
- TransactionIDUtils.setSessionId(pendingRequest.getUniqueSessionIdentifier());
-
+ TransactionIDUtils.setAllLoggingVariables(pendingRequest);
+
return pendingRequest;
} catch (MOADatabaseException | NullPointerException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java
new file mode 100644
index 000000000..b05e60e94
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java
@@ -0,0 +1,114 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.opemsaml;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStreamWriter;
+import java.io.Writer;
+
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.app.VelocityEngine;
+import org.opensaml.common.binding.SAMLMessageContext;
+import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.ws.transport.http.HTTPOutTransport;
+import org.opensaml.ws.transport.http.HTTPTransportUtils;
+
+import at.gv.egovernment.moa.id.auth.frontend.builder.GUIFormBuilderImpl;
+import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAIDHTTPPostEncoder extends HTTPPostEncoder {
+
+ private VelocityEngine velocityEngine;
+ private IGUIBuilderConfiguration guiConfig;
+ private GUIFormBuilderImpl guiBuilder;
+
+ /**
+ * @param engine
+ * @param templateId
+ */
+ public MOAIDHTTPPostEncoder(IGUIBuilderConfiguration guiConfig, GUIFormBuilderImpl guiBuilder, VelocityEngine engine) {
+ super(engine, null);
+ this.velocityEngine = engine;
+ this.guiConfig = guiConfig;
+ this.guiBuilder = guiBuilder;
+
+ }
+
+ /**
+ * Base64 and POST encodes the outbound message and writes it to the outbound transport.
+ *
+ * @param messageContext current message context
+ * @param endpointURL endpoint URL to which to encode message
+ *
+ * @throws MessageEncodingException thrown if there is a problem encoding the message
+ */
+ protected void postEncode(SAMLMessageContext messageContext, String endpointURL) throws MessageEncodingException {
+ Logger.debug("Invoking Velocity template to create POST body");
+ InputStream is = null;
+ try {
+ //build Velocity Context from GUI input paramters
+ VelocityContext context = guiBuilder.generateVelocityContextFromConfiguration(guiConfig);
+
+ //load template
+ is = guiBuilder.getTemplateInputStream(guiConfig);
+
+ //populate velocity context with SAML2 parameters
+ populateVelocityContext(context, messageContext, endpointURL);
+
+ //populate transport parameter
+ HTTPOutTransport outTransport = (HTTPOutTransport) messageContext.getOutboundMessageTransport();
+ HTTPTransportUtils.addNoCacheHeaders(outTransport);
+ HTTPTransportUtils.setUTF8Encoding(outTransport);
+ HTTPTransportUtils.setContentType(outTransport, "text/html");
+
+ //evaluate template and write content to response
+ Writer out = new OutputStreamWriter(outTransport.getOutgoingStream(), "UTF-8");
+ velocityEngine.evaluate(context, out, "SAML2_POST_BINDING", new BufferedReader(new InputStreamReader(is)));
+ out.flush();
+
+ } catch (Exception e) {
+ Logger.error("Error invoking Velocity template", e);
+ throw new MessageEncodingException("Error creating output document", e);
+
+ } finally {
+ if (is != null) {
+ try {
+ is.close();
+
+ } catch (IOException e) {
+ Logger.error("Can NOT close GUI-Template InputStream.", e);
+ }
+ }
+
+ }
+ }
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index 365a31fe1..643e30ac9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -39,6 +39,7 @@ import org.opensaml.saml2.core.Response;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
@@ -79,6 +80,7 @@ public class AttributQueryAction implements IAction {
@Autowired private IDPCredentialProvider pvpCredentials;
@Autowired private AuthConfiguration authConfig;
@Autowired(required=true) private MOAMetadataProvider metadataProvider;
+ @Autowired(required=true) ApplicationContext springContext;
private final static List<String> DEFAULTSTORKATTRIBUTES = Arrays.asList(
new String[]{PVPConstants.EID_STORK_TOKEN_NAME});
@@ -141,9 +143,9 @@ public class AttributQueryAction implements IAction {
metadataProvider, issuerEntityID, attrQuery, date,
assertion, authConfig.isPVP2AssertionEncryptionActive());
- SoapBinding decoder = new SoapBinding();
+ SoapBinding decoder = springContext.getBean("PVPSOAPBinding", SoapBinding.class);
decoder.encodeRespone(httpReq, httpResp, authResponse, null, null,
- pvpCredentials.getIDPAssertionSigningCredential());
+ pvpCredentials.getIDPAssertionSigningCredential(), pendingReq);
return null;
} catch (MessageEncodingException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
index aac49844e..9d60ae4b2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
@@ -35,6 +35,7 @@ import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
@@ -62,6 +63,7 @@ public class AuthenticationAction implements IAction {
@Autowired IDPCredentialProvider pvpCredentials;
@Autowired AuthConfiguration authConfig;
@Autowired(required=true) private MOAMetadataProvider metadataProvider;
+ @Autowired(required=true) ApplicationContext springContext;
public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq,
HttpServletResponse httpResp, IAuthData authData) throws MOAIDException {
@@ -102,11 +104,11 @@ public class AuthenticationAction implements IAction {
if (consumerService.getBinding().equals(
SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
- binding = new RedirectBinding();
+ binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class);
} else if (consumerService.getBinding().equals(
SAMLConstants.SAML2_POST_BINDING_URI)) {
- binding = new PostBinding();
+ binding = springContext.getBean("PVPPOSTBinding", PostBinding.class);
}
@@ -117,7 +119,7 @@ public class AuthenticationAction implements IAction {
try {
binding.encodeRespone(httpReq, httpResp, authResponse,
consumerService.getLocation(), moaRequest.getRelayState(),
- pvpCredentials.getIDPAssertionSigningCredential());
+ pvpCredentials.getIDPAssertionSigningCredential(), req);
//set protocol type
sloInformation.setProtocolType(req.requestedModule());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index a7a249eed..216d7a8b1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -444,13 +444,13 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
IEncoder encoder = null;
if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
- encoder = new RedirectBinding();
+ encoder = applicationContext.getBean("PVPRedirectBinding", RedirectBinding.class);
} else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
- encoder = new PostBinding();
+ encoder = applicationContext.getBean("PVPPOSTBinding", PostBinding.class);
} else if (pvpRequest.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) {
- encoder = new SoapBinding();
+ encoder = applicationContext.getBean("PVPSOAPBinding", SoapBinding.class);
}
if(encoder == null) {
@@ -465,7 +465,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
X509Credential signCred = pvpCredentials.getIDPAssertionSigningCredential();
encoder.encodeRespone(request, response, samlResponse, pvpRequest.getConsumerURL(),
- relayState, signCred);
+ relayState, signCred, protocolRequest);
return true;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
index ff703d585..f709da213 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java
@@ -111,7 +111,7 @@ public class SingleLogOutAction implements IAction {
//LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, null);
Logger.info("Sending SLO success message to requester ...");
- sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
+ sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState(), pvpReq);
return null;
} else {
@@ -127,7 +127,7 @@ public class SingleLogOutAction implements IAction {
//LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, null);
Logger.info("Sending SLO success message to requester ...");
- sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState());
+ sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState(), pvpReq);
return null;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
index 3b2fb3687..ccbef6e6c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
@@ -31,6 +31,7 @@ import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
public interface IEncoder {
@@ -43,12 +44,13 @@ public interface IEncoder {
* @param targetLocation URL, where the request should be transmit
* @param relayState token for session handling
* @param credentials Credential to sign the request object
+ * @param pendingReq Internal MOA-ID request object that contains session-state informations but never null
* @throws MessageEncodingException
* @throws SecurityException
* @throws PVP2Exception
*/
public void encodeRequest(HttpServletRequest req,
- HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState, Credential credentials)
+ HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
throws MessageEncodingException, SecurityException, PVP2Exception;
/**
@@ -59,10 +61,11 @@ public interface IEncoder {
* @param targetLocation URL, where the request should be transmit
* @param relayState token for session handling
* @param credentials Credential to sign the response object
+ * @param pendingReq Internal MOA-ID request object that contains session-state informations but never null
* @throws MessageEncodingException
* @throws SecurityException
*/
public void encodeRespone(HttpServletRequest req,
- HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState, Credential credentials)
+ HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
throws MessageEncodingException, SecurityException, PVP2Exception;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 9977e607b..c7688c14b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -25,13 +25,11 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.apache.velocity.app.VelocityEngine;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.binding.decoding.URIComparator;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
-import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
@@ -49,8 +47,17 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+import at.gv.egovernment.moa.id.auth.frontend.builder.GUIFormBuilderImpl;
+import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithFileSystemLoad;
import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.id.opemsaml.MOAIDHTTPPostEncoder;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
@@ -62,10 +69,14 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
+@Service("PVPPOSTBinding")
public class PostBinding implements IDecoder, IEncoder {
+
+ @Autowired(required=true) AuthConfiguration authConfig;
+ @Autowired(required=true) GUIFormBuilderImpl guiBuilder;
public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
- RequestAbstractType request, String targetLocation, String relayState, Credential credentials)
+ RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
throws MessageEncodingException, SecurityException {
try {
@@ -75,9 +86,18 @@ public class PostBinding implements IDecoder, IEncoder {
//load default PVP security configurations
MOADefaultBootstrap.initializeDefaultPVPConfiguration();
- VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine();
- HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
- "resources/templates/pvp_postbinding_template.html");
+ //initialize POST binding encoder with template decoration
+ IGUIBuilderConfiguration guiConfig =
+ new SPSpecificGUIBuilderConfigurationWithFileSystemLoad(
+ pendingReq,
+ "pvp_postbinding_template.html",
+ MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL,
+ null,
+ authConfig.getRootConfigFileDir());
+ MOAIDHTTPPostEncoder encoder = new MOAIDHTTPPostEncoder(guiConfig, guiBuilder,
+ VelocityProvider.getClassPathVelocityEngine());
+
+ //set OpenSAML2 process parameter into binding context dao
HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
resp, true);
BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
@@ -103,22 +123,27 @@ public class PostBinding implements IDecoder, IEncoder {
}
public void encodeRespone(HttpServletRequest req, HttpServletResponse resp,
- StatusResponseType response, String targetLocation, String relayState, Credential credentials)
+ StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
throws MessageEncodingException, SecurityException {
try {
-// X509Credential credentials = credentialProvider
-// .getIDPAssertionSigningCredential();
-
//load default PVP security configurations
MOADefaultBootstrap.initializeDefaultPVPConfiguration();
Logger.debug("create SAML POSTBinding response");
- VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine();
-
- HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
- "resources/templates/pvp_postbinding_template.html");
+ //initialize POST binding encoder with template decoration
+ IGUIBuilderConfiguration guiConfig =
+ new SPSpecificGUIBuilderConfigurationWithFileSystemLoad(
+ pendingReq,
+ "pvp_postbinding_template.html",
+ MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL,
+ null,
+ authConfig.getRootConfigFileDir());
+ MOAIDHTTPPostEncoder encoder = new MOAIDHTTPPostEncoder(guiConfig, guiBuilder,
+ VelocityProvider.getClassPathVelocityEngine());
+
+ //set OpenSAML2 process parameter into binding context dao
HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
resp, true);
BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 279038967..4f44a6202 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -50,7 +50,9 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
+import org.springframework.stereotype.Service;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
@@ -62,10 +64,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
+@Service("PVPRedirectBinding")
public class RedirectBinding implements IDecoder, IEncoder {
public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
- RequestAbstractType request, String targetLocation, String relayState, Credential credentials)
+ RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
throws MessageEncodingException, SecurityException {
// try {
@@ -100,7 +103,7 @@ public class RedirectBinding implements IDecoder, IEncoder {
public void encodeRespone(HttpServletRequest req, HttpServletResponse resp,
StatusResponseType response, String targetLocation, String relayState,
- Credential credentials) throws MessageEncodingException, SecurityException {
+ Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException {
// try {
// X509Credential credentials = credentialProvider
// .getIDPAssertionSigningCredential();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index 94d91694a..552b64ac6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -48,7 +48,9 @@ import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.SignableXMLObject;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
@@ -60,6 +62,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
+@Service("PVPSOAPBinding")
public class SoapBinding implements IDecoder, IEncoder {
@Autowired(required=true) private MOAMetadataProvider metadataProvider;
@@ -136,13 +139,13 @@ public class SoapBinding implements IDecoder, IEncoder {
}
public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
- RequestAbstractType request, String targetLocation, String relayState, Credential credentials)
+ RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
throws MessageEncodingException, SecurityException, PVP2Exception {
}
public void encodeRespone(HttpServletRequest req, HttpServletResponse resp,
- StatusResponseType response, String targetLocation, String relayState, Credential credentials)
+ StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq)
throws MessageEncodingException, SecurityException, PVP2Exception {
// try {
// Credential credentials = credentialProvider
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
index 01ef4a43d..f29418853 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java
@@ -44,6 +44,8 @@ import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.commons.api.IRequest;
@@ -64,6 +66,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
@Service("PVPAuthnRequestBuilder")
public class PVPAuthnRequestBuilder {
+ @Autowired(required=true) ApplicationContext springContext;
/**
* Build a PVP2.x specific authentication request
@@ -202,17 +205,17 @@ public class PVPAuthnRequestBuilder {
IEncoder binding = null;
if (endpoint.getBinding().equals(
SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
- binding = new RedirectBinding();
+ binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class);
} else if (endpoint.getBinding().equals(
SAMLConstants.SAML2_POST_BINDING_URI)) {
- binding = new PostBinding();
+ binding = springContext.getBean("PVPPOSTBinding", PostBinding.class);
}
//encode message
binding.encodeRequest(null, httpResp, authReq,
- endpoint.getLocation(), pendingReq.getRequestID(), config.getAuthnRequestSigningCredential());
+ endpoint.getLocation(), pendingReq.getRequestID(), config.getAuthnRequestSigningCredential(), pendingReq);
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index de59e6055..4fef52aec 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -59,6 +59,7 @@ import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.Signer;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Service;
import org.w3c.dom.Document;
@@ -95,7 +96,9 @@ import at.gv.egovernment.moa.logging.Logger;
public class SingleLogOutBuilder {
@Autowired(required=true) private MOAMetadataProvider metadataProvider;
+ @Autowired(required=true) ApplicationContext springContext;
@Autowired private IDPCredentialProvider credentialProvider;
+
public void checkStatusCode(ISLOInformationContainer sloContainer, LogoutResponse logOutResp) {
Status status = logOutResp.getStatus();
@@ -185,15 +188,15 @@ public class SingleLogOutBuilder {
public void sendFrontChannelSLOMessage(SingleLogoutService consumerService,
LogoutResponse sloResp, HttpServletRequest req, HttpServletResponse resp,
- String relayState) throws MOAIDException {
+ String relayState, PVPTargetConfiguration pvpReq) throws MOAIDException {
IEncoder binding = null;
if (consumerService.getBinding().equals(
SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
- binding = new RedirectBinding();
+ binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class);
} else if (consumerService.getBinding().equals(
SAMLConstants.SAML2_POST_BINDING_URI)) {
- binding = new PostBinding();
+ binding = springContext.getBean("PVPPOSTBinding", PostBinding.class);
}
@@ -204,7 +207,7 @@ public class SingleLogOutBuilder {
try {
binding.encodeRespone(req, resp, sloResp,
consumerService.getLocation(), relayState,
- credentialProvider.getIDPAssertionSigningCredential());
+ credentialProvider.getIDPAssertionSigningCredential(), pvpReq);
} catch (MessageEncodingException e) {
Logger.error("Message Encoding exception", e);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
index 2ded32bac..d05d180e1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
@@ -55,6 +55,12 @@ public class EntityVerifier {
try {
IOAAuthParameters oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID);
+ if (oa == null) {
+ Logger.debug("No OnlineApplication with EntityID: " + entityID);
+ return null;
+
+ }
+
String certBase64 = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
if (MiscUtil.isNotEmpty(certBase64)) {
return Base64Utils.decode(certBase64, false);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
index f37ae0b0b..d30ce4924 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
@@ -44,9 +44,9 @@ import iaik.security.ec.common.ECParameterSpec;
import iaik.security.ec.common.ECPublicKey;
import iaik.security.ec.common.ECStandardizedParameterFactory;
import iaik.security.ec.common.EllipticCurve;
+import iaik.security.ec.math.field.AbstractPrimeField;
import iaik.security.ec.math.field.Field;
import iaik.security.ec.math.field.FieldElement;
-import iaik.security.ec.math.field.PrimeField;
public class ECDSAKeyValueConverter
{
@@ -221,7 +221,7 @@ public class ECDSAKeyValueConverter
// Value xValue = FieldFactory.getInstance().getPrimeFieldValue(new BigInteger(publicKeyXStr, 10));
// publicKeyPointX = field.newElement(xValue);
- PrimeField pf = (PrimeField) field;
+ AbstractPrimeField pf = (AbstractPrimeField) field;
publicKeyPointX = pf.newElement(new BigInteger(publicKeyXStr, 10));
// Value yValue = FieldFactory.getInstance().getPrimeFieldValue(new BigInteger(publicKeyYStr, 10));
// publicKeyPointY = field.newElement(yValue);
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html b/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html
deleted file mode 100644
index f5bca7f1f..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html
+++ /dev/null
@@ -1,193 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
-<html>
-<head>
-<BASE href="<BASE_href>">
- <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
- <title>Berufsm&auml;&szlig;ige Parteieinvertretung</title>
-</head>
-<body>
- Berufsm&auml;&szlig;ige Parteienvertretung einer
- nat&uuml;rlichen/juristischen Person
- <form name="ProcessInputForm" method="post" accept-charset="UTF-8"
- enctype="application/x-www-form-urlencoded" action="<BKU>">
- <table width="80%" border="0">
- <tr />
- <tr />
- <tr>
- <td colspan="3"><em>Vertreter:</em></td>
- </tr>
- <tr>
- <td align="right" width="20%">Vorname&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpgivenname_" type="text" disabled="true"
- id="rpgivenname" value="<rpgivenname>" size="50" readonly="true" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Name&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpfamilyname_" type="text" disabled="true"
- id="rpfamilyname" value="<rpfamilyname>" size="50" readonly="true" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Geburtsdatum&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpdobyear_" type="text" disabled="true"
- id="rpdobyear" value="<rpdobyear>" size="4" maxlength="4"
- readonly="true" /> - <input name="rpdobmonth_" type="text"
- disabled="true" id="rpdobmonth" value="<rpdobmonth>" size="2"
- maxlength="2" readonly="true" /> - <input name="rpdobday_"
- type="text" disabled="true" id="rpdobday" value="<rpdobday>"
- size="2" maxlength="2" readonly="true" /></td>
- <td></td>
- </tr>
- <tr>
- <td colspan="2"><br /> <em>Ich bin berufsm&auml;&szlig;ig
- berechtigt f&uuml;r die nachfolgend genannte Person in deren Namen
- mit der B&uuml;rgerkarte einzuschreiten.</em></td>
- <td>&nbsp;</td>
- </tr>
- <tr>
- <td colspan="3"><br /> <em>Vertretene Person:</em></td>
- </tr>
- <tr>
- <td colspan="3"><input name="physical_" type="radio"
- physdisabled="" value="true" physselected="" />&nbsp;nat&uuml;rliche
- Person:&nbsp;</td>
- </tr>
- <tr>
- <td align="right">Vorname&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="givenname_" type="text" id="givenname"
- value="<givenname>" physdisabled="" size="50" />&nbsp;<img
- src="img/info.gif" title="Vorname laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Name&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="familyname_" type="text" id="familyname"
- value="<familyname>" physdisabled="" size="50" />&nbsp;<img
- src="img/info.gif" title="Familienname laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Geburtsdatum&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="dobyear_" type="text" id="dobyear" size="4"
- maxlength="4" value="<dobyear>" physdisabled="" /> - <input
- name="dobmonth_" type="text" id="dobmonth" size="2" maxlength="2"
- value="<dobmonth>" physdisabled="" /> - <input name="dobday_"
- type="text" id="dobday" size="2" maxlength="2" value="<dobday>"
- physdisabled="" />&nbsp;<img src="img/info.gif"
- title="Format: JJJJ-MM-TT" alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="center"><em>optional:</em></td>
- <td colspan="2" />
- </tr>
- <tr>
- <td align="right">Stra&szlig;e&nbsp;</td>
- <td><input name="streetname_" type="text" id="streetname"
- value="<streetname>" physdisabled="" size="50" />&nbsp;<img
- src="img/info.gif" title="Stra&szlig;e laut ZMR Schreibweise"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Hausnummer&nbsp;</td>
- <td><input name="buildingnumber_" type="text"
- id="buildingnumber" value="<buildingnumber>" physdisabled=""
- size="50" />&nbsp;<img src="img/info.gif"
- title="Hausnummer laut ZMR Schreibweise" alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Einh. Nr.&nbsp;</td>
- <td><input name="unit_" type="text" id="unit" value="<unit>"
- size="50" physdisabled="" />&nbsp;<img src="img/info.gif"
- title="Nutzungseinheitsnummer laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Postleitzahl&nbsp;</td>
- <td><input name="postalcode_" type="text" id="postalcode"
- value="<postalcode>" size="50" physdisabled="" />&nbsp;<img
- src="img/info.gif" title="Postleitzahl laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Gemeinde&nbsp;</td>
- <td><input name="municipality_" type="text" id="municipality"
- value="<municipality>" size="50" physdisabled="" />&nbsp;<img
- src="img/info.gif" title="Gemeinde laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td colspan="3">&nbsp;</td>
- </tr>
- <tr>
- <td colspan="3"><input name="physical_" type="radio"
- cbdisabled="" value="false" cbselected=""/ >&nbsp;juristische
- Person:&nbsp;</td>
- </tr>
- <tr>
- <td align="right">Name&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" src="img/stern.gif"
- alt="Stern" width="10" height="16" /></td>
- <td><input name="fullname_" type="text" cbdisabled=""
- id="fullname" value="<fullname>" size="50" />&nbsp;<img
- src="img/info.gif"
- title="Name der Organisation laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right" nowrap="nowrap"><select
- name="cbidentificationtype_" size="1" cbseldisabled="">
- <option value="urn:publicid:gv.at:baseid+XFN" fnselected="">Firmenbuchnummer</option>
- <option value="urn:publicid:gv.at:baseid+XZVR" vrselected="">Vereinsnummer</option>
- <option value="urn:publicid:gv.at:baseid+XERSB" ersbselected="">Ord.Nr.im
- Erg&auml;nzungsreg.</option>
- </select>&nbsp;<img title=" Dieses Feld muss ausgef&uuml;llt sein!"
- src="img/stern.gif" alt="Stern" width="10" height="16" /></td>
- <td><input name="cbidentificationvalue_" type="text"
- cbdisabled="" id="cbidentificationvalue"
- value="<cbidentificationvalue>" size="50" />&nbsp;<img
- src="img/info.gif" title="Ordnungsbegriff laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- </table>
- <br />
- <errortext>
- <p>
- <em>Bitte halten Sie Ihre B&uuml;rgerkartenumgebung bereit.</em>
- </p>
- <p>
- <input name="XMLRequest" type="hidden"
- value="&lt;?xml version='1.0' encoding='UTF-8'?>&lt;NullOperationRequest xmlns='http://www.buergerkarte.at/namespaces/securitylayer/1.2#'/>" />
- <input name="DataURL" type="hidden" value="<DataURL>" /> <input
- type="submit" name="Submit" value=" Weiter " /> <input
- name="Clear" type="reset" id="Clear"
- value="Formular zur&uuml;cksetzen" />
- </p>
- <br />
- </form>
-</body>
-</html>
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html b/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html
deleted file mode 100644
index cffc46981..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html
+++ /dev/null
@@ -1,235 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
-
-<html>
-<head>
-<BASE href="<BASE_href>">
- <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
- <title>Berufsm&auml;&szlig;ige Parteieinvertretung</title>
- <link href="css/styles.css" type="text/css" rel="stylesheet">
- <link href="css/styles_opera.css" type="text/css" rel="stylesheet">
- <link href="css/mandates.css" type="text/css" rel="stylesheet">
-
- <script src="formallg.js" type="text/javascript"></script>
- <script src="fa.js" type="text/javascript"></script>
-</head>
-<body>
-
-
- <div class="hleft">
- <!--Stammzahlenregisterbehörde<br/>-->
- &nbsp;
- <!--Ballhausplatz 2<br/>-->
- <!--1014 Wien-->
- </div>
- <div class="hright" align="right">
- <img src="img/egov_schrift.gif" alt="E-Gov Logo" />
- </div>
- <div class="htitle" align="left">
- <h1>Berufsm&auml;&szlig;ige Parteienvertretung</h1>
- </div>
- <div class="leiste1" align="center">Bitte beachten Sie</div>
- <div class="leiste2" align="center"></div>
- <div class="leiste3">
- <img title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" />&nbsp; Feld muss
- ausgef&uuml;llt sein
- </div>
- <div class="leiste3">
- <img title=" Hilfe zum Ausfüllen " alt="Info" src="img/info.gif"
- width="10" height="16" />&nbsp; Ausf&uuml;llhilfe
- </div>
- <div class="leiste3">
- <img title=" Angabe bitte ergänzen oder richtig stellen! "
- alt="Rufezeichen" src="img/rufezeichen.gif" width="10" height="16" />&nbsp;
- Fehlerhinweis
- </div>
- <div style="clear: both">&nbsp;</div>
-
- <h2>Berufsm&auml;&szlig;ige Parteienvertretung einer
- nat&uuml;rlichen/juristischen Person</h2>
- <div class="boundingbox">
- <form name="ProcessInputForm" method="post" accept-charset="UTF-8"
- enctype="application/x-www-form-urlencoded" action="<BKU>">
- <table width="80%" border="0">
- <tr />
- <tr />
- <tr>
- <td colspan="3"><em>Vertreter:</em></td>
- </tr>
- <tr>
- <td align="right" width="20%">Vorname&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpgivenname_" type="text" disabled="true"
- id="rpgivenname" value="<rpgivenname>" size="50" readonly="true" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Name&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpfamilyname_" type="text" disabled="true"
- id="rpfamilyname" value="<rpfamilyname>" size="50" readonly="true" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Geburtsdatum&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpdobyear_" type="text" disabled="true"
- id="rpdobyear" value="<rpdobyear>" size="4" maxlength="4"
- readonly="true" /> - <input name="rpdobmonth_" type="text"
- disabled="true" id="rpdobmonth" value="<rpdobmonth>" size="2"
- maxlength="2" readonly="true" /> - <input name="rpdobday_"
- type="text" disabled="true" id="rpdobday" value="<rpdobday>"
- size="2" maxlength="2" readonly="true" /></td>
- <td></td>
- </tr>
- <tr>
- <td colspan="2"><br /> <em>Ich bin berufsm&auml;&szlig;ig
- berechtigt f&uuml;r die nachfolgend genannte Person in deren
- Namen mit der B&uuml;rgerkarte einzuschreiten.</em></td>
- <td>&nbsp;</td>
- </tr>
- <tr>
- <td colspan="3"><br /> <em>Vertretene Person:</em></td>
- </tr>
- <tr>
- <td colspan="3"><input name="physical_" type="radio"
- physdisabled="" value="true" physselected="" />&nbsp;nat&uuml;rliche
- Person:&nbsp;</td>
- </tr>
- <tr>
- <td align="right">Vorname&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="givenname_" type="text" id="givenname"
- value="<givenname>" physdisabled="" size="50" />&nbsp;<img
- src="img/info.gif" title="Vorname laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Name&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="familyname_" type="text" id="familyname"
- value="<familyname>" physdisabled="" size="50" />&nbsp;<img
- src="img/info.gif" title="Familienname laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Geburtsdatum&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="dobyear_" type="text" id="dobyear" size="4"
- maxlength="4" value="<dobyear>" physdisabled="" /> - <input
- name="dobmonth_" type="text" id="dobmonth" size="2" maxlength="2"
- value="<dobmonth>" physdisabled="" /> - <input name="dobday_"
- type="text" id="dobday" size="2" maxlength="2" value="<dobday>"
- physdisabled="" />&nbsp;<img src="img/info.gif"
- title="Format: JJJJ-MM-TT" alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="center"><em>optional:</em></td>
- <td colspan="2" />
- </tr>
- <tr>
- <td align="right">Stra&szlig;e&nbsp;</td>
- <td><input name="streetname_" type="text" id="streetname"
- value="<streetname>" physdisabled="" size="50" />&nbsp;<img
- src="img/info.gif" title="Stra&szlig;e laut ZMR Schreibweise"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Hausnummer&nbsp;</td>
- <td><input name="buildingnumber_" type="text"
- id="buildingnumber" value="<buildingnumber>" physdisabled=""
- size="50" />&nbsp;<img src="img/info.gif"
- title="Hausnummer laut ZMR Schreibweise" alt="Info" border="0" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Einh. Nr.&nbsp;</td>
- <td><input name="unit_" type="text" id="unit" value="<unit>"
- size="50" physdisabled="" />&nbsp;<img src="img/info.gif"
- title="Nutzungseinheitsnummer laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Postleitzahl&nbsp;</td>
- <td><input name="postalcode_" type="text" id="postalcode"
- value="<postalcode>" size="50" physdisabled="" />&nbsp;<img
- src="img/info.gif" title="Postleitzahl laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Gemeinde&nbsp;</td>
- <td><input name="municipality_" type="text" id="municipality"
- value="<municipality>" size="50" physdisabled="" />&nbsp;<img
- src="img/info.gif" title="Gemeinde laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td colspan="3">&nbsp;</td>
- </tr>
- <tr>
- <td colspan="3"><input name="physical_" type="radio"
- cbdisabled="" value="false" cbselected=""/ >&nbsp;juristische
- Person:&nbsp;</td>
- </tr>
- <tr>
- <td align="right">Name&nbsp;<img
- title=" Dieses Feld muss ausgef&uuml;llt sein!"
- src="img/stern.gif" alt="Stern" width="10" height="16" /></td>
- <td><input name="fullname_" type="text" cbdisabled=""
- id="fullname" value="<fullname>" size="50" />&nbsp;<img
- src="img/info.gif"
- title="Name der Organisation laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right" nowrap="nowrap"><select
- name="cbidentificationtype_" size="1" cbseldisabled="">
- <option value="urn:publicid:gv.at:baseid+XFN" fnselected="">Firmenbuchnummer</option>
- <option value="urn:publicid:gv.at:baseid+XZVR" vrselected="">Vereinsnummer</option>
- <option value="urn:publicid:gv.at:baseid+XERSB" ersbselected="">Ord.Nr.im
- Erg&auml;nzungsreg.</option>
- </select>&nbsp;<img title=" Dieses Feld muss ausgef&uuml;llt sein!"
- src="img/stern.gif" alt="Stern" width="10" height="16" /></td>
- <td><input name="cbidentificationvalue_" type="text"
- cbdisabled="" id="cbidentificationvalue"
- value="<cbidentificationvalue>" size="50" />&nbsp;<img
- src="img/info.gif" title="Ordnungsbegriff laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- </table>
- <br />
- <errortext>
- <p>
- <em>Bitte halten Sie Ihre B&uuml;rgerkartenumgebung bereit.</em>
- </p>
- <p>
- <input name="XMLRequest" type="hidden"
- value="&lt;?xml version='1.0' encoding='UTF-8'?>&lt;NullOperationRequest xmlns='http://www.buergerkarte.at/namespaces/securitylayer/1.2#'/>" />
- <input name="DataURL" type="hidden" value="<DataURL>" /> <input
- type="submit" name="Submit" value=" Weiter " /> <input
- name="Clear" type="reset" id="Clear"
- value="Formular zur&uuml;cksetzen" />
- </p>
- <br />
- </form>
- </div>
-</body>
-</html>
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html b/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html
deleted file mode 100644
index f47ee53ff..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html
+++ /dev/null
@@ -1,16 +0,0 @@
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-
- <body>
- <form action="${action}" method="post" target="_parent">
- <div>
- <input type="hidden" name="SAMLResponse" value="${SAMLResponse}"/>
- </div>
- <p>Please indicate the gender of the represented.</p>
- <div>
- <input type="submit" name="gender" value="M"/>
- <input type="submit" name="gender" value="F"/>
- </div>
- </form>
-
- </body>
-</html> \ No newline at end of file
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm b/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm
deleted file mode 100644
index 7fcc1bb36..000000000
--- a/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm
+++ /dev/null
@@ -1,36 +0,0 @@
-##
-## Velocity Template for OASIS WEBFORM BINDING
-##
-## Velocity context may contain the following properties
-## action - String - the action URL for the form
-## signresponse - String - the Base64 encoded SAML Request
-## verifyresponse - String - the Base64 encoded SAML Response
-## clienturl - String - URL where the USer gets redirected after the signature process
-
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
-
- <body onload="document.forms[0].submit()">
- <noscript>
- <p>
- <strong>Note:</strong> Since your browser does not support JavaScript,
- you must press the Continue button once to proceed.
- </p>
- </noscript>
-
- <form action="${action}" method="post">
- <div>
- #if($signrequest)<input type="hidden" name="signrequest" value="${signrequest}"/>#end
-
- #if($verifyrequest)<input type="hidden" name="verifyrequest" value="${verifyrequest}"/>#end
- #if($clienturl)<input type="hidden" name="clienturl" value="${clienturl}"/>#end
-
- </div>
- <noscript>
- <div>
- <input type="submit" value="Continue"/>
- </div>
- </noscript>
- </form>
-
- </body>
-</html> \ No newline at end of file
diff --git a/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html b/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html
new file mode 100644
index 000000000..45c183215
--- /dev/null
+++ b/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html
@@ -0,0 +1,46 @@
+## ## Velocity Template for SAML 2 HTTP-POST binding ## ## Velocity
+##context may contain the following properties ## action - String - the
+##action URL for the form ## RelayState - String - the relay state for the
+##message ## SAMLRequest - String - the Base64 encoded SAML Request ##
+##SAMLResponse - String - the Base64 encoded SAML Response
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+
+<body onload="document.forms[0].submit()">
+ <noscript>
+ <p>
+ <strong>Note:</strong> Since your browser does not support
+ JavaScript, you must press the Continue button once to proceed.
+ </p>
+ </noscript>
+
+
+ <div id="alert">Your login is being processed. Thank you for
+ waiting.</div>
+
+ <style type="text/css">
+<!--
+#alert {
+ margin: 100px 250px;
+ font-family: Verdana, Arial, Helvetica, sans-serif;
+ font-size: 14px;
+ font-weight: normal;
+}
+-->
+</style>
+
+ <form action="${action}" method="post" target="_parent">
+ <div>
+ #if($RelayState) <input type="hidden" name="RelayState" value="${RelayState}"/> #end
+ #if($SAMLRequest) <input type="hidden" name="SAMLRequest" value="${SAMLRequest}" /> #end
+ #if($SAMLResponse) <input type="hidden" name="SAMLResponse" value="${SAMLResponse}" /> #end
+ </div>
+ <noscript>
+ <div>
+ <input type="submit" value="Continue" />
+ </div>
+ </noscript>
+ </form>
+
+</body>
+</html> \ No newline at end of file
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
index b16941f51..d8d3dbeee 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java
@@ -171,8 +171,10 @@ public class MOAIDAuthConstants extends MOAIDConstants{
public static final String REGEX_PATTERN_TARGET = "^[A-Za-z]{2}(-.*)?$";
+ //MDC variables for logging
public static final String MDC_TRANSACTION_ID = "transactionId";
public static final String MDC_SESSION_ID = "sessionId";
+ public static final String MDC_SERVICEPROVIDER_ID = "oaId";
//AuthnRequest IssueInstant validation
public static final int TIME_JITTER = 5; //all 5 minutes time jitter
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
index 971e401ca..bba6d0541 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java
@@ -43,6 +43,7 @@ public interface IOAAuthParameters {
public static final String LOCALBKU = "local";
public static final String INDERFEDERATEDIDP = "interfederated";
public static final String EIDAS = "eIDAS";
+ public static final String AUTHTYPE_OTHERS = "others";
/**
* Get the full key/value configuration for this online application
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
index b8284c8f9..5091195d8 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java
@@ -143,7 +143,9 @@ public class ConfigurationMigrationUtils {
if (MiscUtil.isNotEmpty(oa.getEventCodes())) {
result.put(MOAIDConfigurationConstants.SERVICE_REVERSION_LOGS_EVENTCODES, oa.getEventCodes());
}
-
+
+ result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL, oa.getMandateServiceSelectionTemplateURL());
+ result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, oa.getSaml2PostBindingTemplateURL());
//convert target
String target_full = oa.getTarget();
@@ -769,6 +771,9 @@ public class ConfigurationMigrationUtils {
}
dbOA.setSelectedSZRGWServiceURL(oa.get(MOAIDConfigurationConstants.SERVICE_EXTERNAL_SZRGW_SERVICE_URL));
+
+ dbOA.setMandateServiceSelectionTemplateURL(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL));
+ dbOA.setSaml2PostBindingTemplateURL(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL));
if (Boolean.valueOf(oa.get(MOAIDConfigurationConstants.SERVICE_BUSINESSSERVICE))) {
dbOA.setType(MOA_CONFIG_BUSINESSSERVICE);
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
index 9fe90daa4..b72034002 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java
@@ -105,6 +105,9 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants {
public static final String SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETHEIGHT = SERVICE_AUTH_TEMPLATES_CUSTOMIZATION + ".applet.hight";
public static final String SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETWIDTH = SERVICE_AUTH_TEMPLATES_CUSTOMIZATION + ".applet.width";
+ public static final String SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL = SERVICE_AUTH_TEMPLATES + ".saml2.postbinding.url";
+ public static final String SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL = SERVICE_AUTH_TEMPLATES + ".elga.mandateserviceselection.url";
+
private static final String SERVICE_AUTH_TESTCREDENTIALS = AUTH + "." + TESTCREDENTIALS;
public static final String SERVICE_AUTH_TESTCREDENTIALS_ENABLED = SERVICE_AUTH_TESTCREDENTIALS + ".enabled";
public static final String SERVICE_AUTH_TESTCREDENTIALS_OIDs = SERVICE_AUTH_TESTCREDENTIALS + ".oids";
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java
index 4aee10bc1..196923ce6 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java
@@ -109,10 +109,44 @@ public class OnlineApplication
@XmlTransient
protected String selectedSZRGWServiceURL = null;
+ @XmlTransient
+ protected String saml2PostBindingTemplateURL = null;
+
+ @XmlTransient
+ protected String mandateServiceSelectionTemplateURL = null;
+
/**
+ * @return the saml2PostBindingTemplateURL
+ */
+ public String getSaml2PostBindingTemplateURL() {
+ return saml2PostBindingTemplateURL;
+ }
+
+ /**
+ * @param saml2PostBindingTemplateURL the saml2PostBindingTemplateURL to set
+ */
+ public void setSaml2PostBindingTemplateURL(String saml2PostBindingTemplateURL) {
+ this.saml2PostBindingTemplateURL = saml2PostBindingTemplateURL;
+ }
+
+ /**
+ * @return the mandateServiceSelectionTemplateURL
+ */
+ public String getMandateServiceSelectionTemplateURL() {
+ return mandateServiceSelectionTemplateURL;
+ }
+
+ /**
+ * @param mandateServiceSelectionTemplateURL the mandateServiceSelectionTemplateURL to set
+ */
+ public void setMandateServiceSelectionTemplateURL(String mandateServiceSelectionTemplateURL) {
+ this.mandateServiceSelectionTemplateURL = mandateServiceSelectionTemplateURL;
+ }
+
+ /**
* @return the selectedSZRGWServiceURL
*/
public String getSelectedSZRGWServiceURL() {
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
index 109390132..abf2d211c 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java
@@ -49,7 +49,6 @@ package at.gv.egovernment.moa.id.commons.utils.ssl;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
-import java.security.Security;
import java.util.HashMap;
import java.util.Map;
@@ -66,8 +65,6 @@ import at.gv.egovernment.moaspss.logging.LoggingContextManager;
import iaik.pki.DefaultPKIConfiguration;
import iaik.pki.PKIException;
import iaik.pki.PKIFactory;
-//import iaik.pki.jsse.IAIKX509TrustManager;
-import iaik.security.provider.IAIK;
/**
@@ -83,18 +80,18 @@ public class SSLUtils {
/** SSLSocketFactory store, mapping URL->SSLSocketFactory **/
private static Map<String, SSLSocketFactory> sslSocketFactories = new HashMap<String, SSLSocketFactory>();
- /**
- * Initializes the SSLSocketFactory store.
- */
- public static void initialize() {
- sslSocketFactories = new HashMap<String, SSLSocketFactory>();
- // JSSE Abhängigkeit
- //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
- Security.addProvider(new IAIK());
- //System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
-
-
- }
+// /**
+// * Initializes the SSLSocketFactory store.
+// */
+// public static void initialize() {
+// sslSocketFactories = new HashMap<String, SSLSocketFactory>();
+// // JSSE Abhängigkeit
+// //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
+// Security.addProvider(new IAIK());
+// //System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
+//
+//
+// }
/**
* IAIK PKI module and MOA-SIG uses a ThreadLocal variable for logging
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
index 129478270..2a4e3b362 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java
@@ -394,6 +394,12 @@ public interface Constants {
public static final String SAML2_METADATA_SCHEMA_LOCATION =
SCHEMA_ROOT + "saml-schema-metadata-2.0.xsd";
+
+ /* Prefix and Schema definition for eIDAS specific SAML2 extensions*/
+ public static final String SAML2_eIDAS_EXTENSIONS_PREFIX = "eidas";
+ public static final String SAML2_eIDAS_EXTENSIONS = "http://eidas.europa.eu/saml-extensions";
+ public static final String SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION = SCHEMA_ROOT + "eIDAS_saml_extensions.xsd";
+
/**
* Contains all namespaces and local schema locations for XML schema
* definitions relevant for MOA. For use in validating XML parsers.
@@ -427,7 +433,8 @@ public interface Constants {
+ (STORK_NS_URI + " " + STORK_SCHEMA_LOCATION + " ")
+ (STORKP_NS_URI + " " + STORKP_SCHEMA_LOCATION + " ")
+ (SAML2_METADATA_URI + " " + SAML2_METADATA_SCHEMA_LOCATION + " ")
- + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION);
+ + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION)
+ + (SAML2_eIDAS_EXTENSIONS + " " + SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION);
/** URN prefix for bPK and wbPK. */
public static final String URN_PREFIX = "urn:publicid:gv.at";
diff --git a/id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd b/id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd
new file mode 100644
index 000000000..76b82a267
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:eidas="http://eidas.europa.eu/saml-extensions" targetNamespace="http://eidas.europa.eu/saml-extensions" elementFormDefault="qualified" attributeFormDefault="unqualified">
+
+ <xsd:element name="SPType" type="eidas:SPTypeType"/>
+ <xsd:simpleType name="SPTypeType">
+ <xsd:restriction base="xsd:string">
+ <xsd:enumeration value="public"/>
+ <xsd:enumeration value="private"/>
+ </xsd:restriction>
+ </xsd:simpleType>
+
+ <xsd:element name="RequestedAttributes" type="eidas:RequestedAttributesType"/>
+ <xsd:complexType name="RequestedAttributesType">
+ <xsd:sequence>
+ <xsd:element minOccurs="0" maxOccurs="unbounded" ref="eidas:RequestedAttribute"/>
+ </xsd:sequence>
+ </xsd:complexType>
+
+ <xsd:element name="RequestedAttribute" type="eidas:RequestedAttributeType"/>
+ <xsd:complexType name="RequestedAttributeType">
+ <xsd:sequence>
+ <xsd:element name="AttributeValue" minOccurs="0" maxOccurs="unbounded" type="xsd:anyType"/>
+ </xsd:sequence>
+ <xsd:attribute name="Name" type="xsd:string" use="required"/>
+ <xsd:attribute name="NameFormat" type="xsd:anyURI" use="required" />
+ <xsd:attribute name="isRequired" type="xsd:boolean" use="required"/>
+ <xsd:attribute name="FriendlyName" type="xsd:string" use="optional"/>
+ <xsd:anyAttribute namespace="##other" processContents="lax" />
+ </xsd:complexType>
+
+</xsd:schema>
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
index 63df81b3c..4bb4b0e27 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
@@ -39,7 +39,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
* @author tlenz
*
*/
-public class ServiceProviderSpecificGUIFormBuilderConfiguration extends AbstractGUIFormBuilderConfiguration {
+public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration extends AbstractGUIFormBuilderConfiguration {
public static final String VIEW_BKUSELECTION = "loginFormFull.html";
public static final String VIEW_SENDASSERTION = "sendAssertionFormFull.html";
@@ -53,7 +53,7 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract
public static final String PARAM_OANAME = "OAName";
public static final String PARAM_COUNTRYLIST = "countryList";
- private IRequest pendingReq = null;
+ protected IRequest pendingReq = null;
/**
* @param authURL PublicURLPrefix of the IDP but never null
@@ -61,7 +61,7 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract
* @param formSubmitEndpoint EndPoint on which the form should be submitted,
* or null if the form must not submitted
*/
- public ServiceProviderSpecificGUIFormBuilderConfiguration(String authURL, String viewName,
+ public AbstractServiceProviderSpecificGUIFormBuilderConfiguration(String authURL, String viewName,
String formSubmitEndpoint) {
super(authURL, viewName, formSubmitEndpoint);
@@ -73,7 +73,7 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract
* @param formSubmitEndpoint EndPoint on which the form should be submitted,
* or null if the form must not submitted
*/
- public ServiceProviderSpecificGUIFormBuilderConfiguration(IRequest pendingReq, String viewName,
+ public AbstractServiceProviderSpecificGUIFormBuilderConfiguration(IRequest pendingReq, String viewName,
String formSubmitEndpoint) {
super(pendingReq.getAuthURL(), viewName, formSubmitEndpoint);
this.pendingReq = pendingReq;
@@ -97,10 +97,11 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract
IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
if (oaParam != null) {
params.put(PARAM_OANAME, oaParam.getFriendlyName());
-
-
+
if (oaParam.isShowStorkLogin())
addCountrySelection(params, oaParam);
+ else
+ params.put(PARAM_COUNTRYLIST, "");
FormBuildUtils.customiceLayoutBKUSelection(params, oaParam);
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java
index e8cd60afb..285c90163 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java
@@ -78,24 +78,16 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder {
build(httpResp, config, getInternalContentType(config), loggerName);
}
-
-
+
@Override
public void build(HttpServletResponse httpResp, IGUIBuilderConfiguration config,
String contentType, String loggerName) throws GUIBuildException {
InputStream is = null;
try {
- String viewName = config.getViewName();
+ String viewName = config.getViewName();
+ is = getTemplateInputStream(config);
- //load Tempate
- is = getInternalTemplate(config);
- if (is == null) {
- Logger.warn("No GUI with viewName:" + viewName + " FOUND.");
- throw new GUIBuildException("No GUI with viewName:" + viewName + " FOUND.");
-
- }
-
//build Velocity Context from input paramters
VelocityContext context = buildContextFromViewParams(config.getViewParameters());
@@ -137,6 +129,35 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder {
}
+ /**
+ * Generate a new {@link VelocityContext} and populate it with MOA-ID GUI parameters
+ *
+ * @param config
+ * @return
+ */
+ public VelocityContext generateVelocityContextFromConfiguration(IGUIBuilderConfiguration config) {
+ return buildContextFromViewParams(config.getViewParameters());
+
+ }
+
+ /**
+ * Load the template from different resources
+ *
+ * @param config
+ * @return An {@link InputStream} but never null. The {@link InputStream} had to be closed be the invoking method
+ * @throws GUIBuildException
+ */
+ public InputStream getTemplateInputStream(IGUIBuilderConfiguration config) throws GUIBuildException {
+ InputStream is = getInternalTemplate(config);
+ if (is == null) {
+ Logger.warn("No GUI with viewName:" + config.getViewName() + " FOUND.");
+ throw new GUIBuildException("No GUI with viewName:" + config.getViewName() + " FOUND.");
+
+ }
+ return is;
+
+ }
+
private String getInternalContentType(IGUIBuilderConfiguration config) {
if (MiscUtil.isEmpty(config.getDefaultContentType()))
return DEFAULT_CONTENT_TYPE;
@@ -167,7 +188,7 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder {
} catch (Exception e) {
//load template from classpath as backup
- Logger.info("GUI template:" + viewName + " is not found in configuration directory. "
+ Logger.debug("GUI template:" + viewName + " is not found in configuration directory. "
+ " Load template from project library ... ");
try {
pathLocation = getInternalClasspathTemplateDir(config) + viewName;
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java
index 198220e97..8e8a63094 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java
@@ -64,4 +64,5 @@ public interface IGUIFormBuilder {
*/
void build(HttpServletResponse httpResp, IGUIBuilderConfiguration config, String contentType,
String loggerName) throws GUIBuildException;
+
}
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
new file mode 100644
index 000000000..13d8d3bb7
--- /dev/null
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.frontend.builder;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SPSpecificGUIBuilderConfigurationWithDBLoad extends AbstractServiceProviderSpecificGUIFormBuilderConfiguration {
+
+ /**
+ * @param authURL PublicURLPrefix of the IDP but never null
+ * @param viewName Name of the template (with suffix) but never null
+ * @param formSubmitEndpoint EndPoint on which the form should be submitted,
+ * or null if the form must not submitted
+ */
+ public SPSpecificGUIBuilderConfigurationWithDBLoad(String authURL, String viewName,
+ String formSubmitEndpoint) {
+ super(authURL, viewName, formSubmitEndpoint);
+
+ }
+
+ /**
+ * @param Current processed pending-request DAO but never null
+ * @param viewName Name of the template (with suffix) but never null
+ * @param formSubmitEndpoint EndPoint on which the form should be submitted,
+ * or null if the form must not submitted
+ */
+ public SPSpecificGUIBuilderConfigurationWithDBLoad(IRequest pendingReq, String viewName,
+ String formSubmitEndpoint) {
+ super(pendingReq, viewName, formSubmitEndpoint);
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String)
+ */
+ @Override
+ public InputStream getTemplate(String viewName) {
+ if (pendingReq != null && pendingReq.getOnlineApplicationConfiguration() != null) {
+
+ byte[] oatemplate = null;
+ if (VIEW_BKUSELECTION.equals(viewName))
+ oatemplate = pendingReq.getOnlineApplicationConfiguration().getBKUSelectionTemplate();
+
+ else if (VIEW_SENDASSERTION.equals(viewName))
+ oatemplate = pendingReq.getOnlineApplicationConfiguration().getSendAssertionTemplate();
+
+ // OA specific template requires a size of 8 bits minimum
+ if (oatemplate != null && oatemplate.length > 7)
+ return new ByteArrayInputStream(oatemplate);
+ }
+
+ return null;
+ }
+
+}
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java
new file mode 100644
index 000000000..b5c50004b
--- /dev/null
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java
@@ -0,0 +1,110 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.frontend.builder;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.FileUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SPSpecificGUIBuilderConfigurationWithFileSystemLoad extends AbstractServiceProviderSpecificGUIFormBuilderConfiguration {
+
+ private String configKeyIdentifier = null;
+ private String configRootContextDir = null;
+
+ /**
+ * @param authURL PublicURLPrefix of the IDP but never null
+ * @param viewName Name of the template (with suffix) but never null
+ * @param configKeyIdentifier Identifier of the configuration key in OA configuration that holds the filesystem URI to template
+ * @param formSubmitEndpoint EndPoint on which the form should be submitted
+ * @param configRootContextDir Path to MOA-ID-Auth configuration root directory
+ * or null if the form must not submitted
+ */
+ public SPSpecificGUIBuilderConfigurationWithFileSystemLoad(String authURL, String viewName,
+ String configKeyIdentifier, String formSubmitEndpoint, String configRootContextDir) {
+ super(authURL, viewName, formSubmitEndpoint);
+ this.configKeyIdentifier = configKeyIdentifier;
+ this.configRootContextDir = configRootContextDir;
+
+ }
+
+ /**
+ * @param Current processed pending-request DAO but never null
+ * @param viewName Name of the template (with suffix) but never null
+ * @param configKeyIdentifier Identifier of the configuration key in OA configuration that holds the filesystem URI to template
+ * @param formSubmitEndpoint EndPoint on which the form should be submitted
+ * @param configRootContextDir Path to MOA-ID-Auth configuration root directory
+ */
+ public SPSpecificGUIBuilderConfigurationWithFileSystemLoad(IRequest pendingReq, String viewName,
+ String configKeyIdentifier, String formSubmitEndpoint, String configRootContextDir) {
+ super(pendingReq, viewName, formSubmitEndpoint);
+ this.configKeyIdentifier = configKeyIdentifier;
+ this.configRootContextDir = configRootContextDir;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String)
+ */
+ @Override
+ public InputStream getTemplate(String viewName) {
+ if (pendingReq != null && pendingReq.getOnlineApplicationConfiguration() != null &&
+ configKeyIdentifier != null) {
+ try {
+ String templateURL = pendingReq.getOnlineApplicationConfiguration().getConfigurationValue(configKeyIdentifier);
+ if (MiscUtil.isNotEmpty(templateURL)) {
+ String absURL = FileUtils.makeAbsoluteURL(templateURL, configRootContextDir);
+ if (!absURL.startsWith("file:")) {
+ Logger.warn("GUI template are only loadable from filesystem! "
+ + "(templateURL: " + absURL + ")");
+ return null;
+ }
+
+ Logger.debug("Load template URL for view: " + viewName + " from: " + absURL);
+ URI uri = new URL(absURL).toURI();
+ return new FileInputStream(new File(uri));
+
+ }
+ } catch (FileNotFoundException | URISyntaxException | MalformedURLException e) {
+ Logger.warn("Template for view: " + viewName + " is NOT loadable! -> Switch to default template", e);
+
+ }
+ }
+ Logger.trace("NO ServiceProvider specific template for view: " + viewName + " available");
+ return null;
+ }
+
+}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java
index a09f0a2a8..602914229 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java
@@ -46,10 +46,16 @@
package at.gv.egovernment.moa.id.auth.parser;
+import java.io.IOException;
+
+import javax.xml.transform.TransformerException;
+
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import at.gv.egovernment.moa.id.auth.exception.ParseException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.util.DOMUtils;
/**
* Parses an <code>&lt;ErrorResponse&gt;</code>.
@@ -84,15 +90,30 @@ public class ErrorResponseParser {
*/
public ErrorResponseParser(Element errorElement) throws ParseException {
if (errorElement != null) {
- String namespace = errorElement.getNamespaceURI();
- NodeList nl = errorElement.getElementsByTagNameNS(namespace, "ErrorCode");
- if (nl.getLength() == 1) {
- errorCode_ = ((Element)nl.item(0)).getFirstChild().getNodeValue();
- }
- nl = errorElement.getElementsByTagNameNS(namespace, "Info");
- if (nl.getLength() == 1) {
- errorInfo_ = ((Element)nl.item(0)).getFirstChild().getNodeValue();
- }
+ try {
+ String namespace = errorElement.getNamespaceURI();
+ NodeList nl = errorElement.getElementsByTagNameNS(namespace, "ErrorCode");
+ if (nl.getLength() == 1) {
+ errorCode_ = ((Element)nl.item(0)).getFirstChild().getNodeValue();
+ }
+ nl = errorElement.getElementsByTagNameNS(namespace, "Info");
+ if (nl.getLength() == 1 && ((Element)nl.item(0)).getFirstChild() != null) {
+ errorInfo_ = ((Element)nl.item(0)).getFirstChild().getNodeValue();
+
+ }
+ } catch ( Exception e) {
+ try {
+ if (Logger.isDebugEnabled())
+ Logger.warn("Can not extract error code from BKU response. Full-response: " + DOMUtils.serializeNode(errorElement), e) ;
+ else
+ Logger.warn("Can not extract error code from BKU response. Exception: " + e.getMessage()) ;
+
+ } catch (TransformerException | IOException e1) {
+ Logger.warn("Can not extract error code from BKU response.", e);
+ Logger.warn("Can not serialize error response.", e1);
+
+ }
+ }
}
}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java
index 275a85129..154092b03 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java
@@ -150,6 +150,7 @@ public class InfoboxReadResponseParser {
if ("InfoboxReadResponse".equals(responseElem.getLocalName())) {
infoBoxElem_ = responseElem;
+
} else {
ErrorResponseParser erp = new ErrorResponseParser(responseElem);
throw new BKUException("auth.08",
diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml
index 5bdead8b2..f3d8eeb36 100644
--- a/id/server/modules/moa-id-module-eIDAS/pom.xml
+++ b/id/server/modules/moa-id-module-eIDAS/pom.xml
@@ -12,11 +12,11 @@
<properties>
<repositoryPath>${basedir}/../../../../repository</repositoryPath>
- <eidas-commons.version>1.3.0</eidas-commons.version>
- <eidas-light-commons.version>1.3.0</eidas-light-commons.version>
- <eidas-saml-engine.version>1.3.0</eidas-saml-engine.version>
- <eidas-encryption.version>1.3.0</eidas-encryption.version>
- <eidas-configmodule.version>1.3.0</eidas-configmodule.version>
+ <eidas-commons.version>1.4.0-SNAPSHOT</eidas-commons.version>
+ <eidas-light-commons.version>1.4.0-SNAPSHOT</eidas-light-commons.version>
+ <eidas-saml-engine.version>1.4.0-SNAPSHOT</eidas-saml-engine.version>
+ <eidas-encryption.version>1.4.0-SNAPSHOT</eidas-encryption.version>
+ <eidas-configmodule.version>1.4.0-SNAPSHOT</eidas-configmodule.version>
</properties>
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index c0101b553..d975b6e0a 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -69,6 +69,8 @@ public class Constants {
public static final String CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".metadata.url";
+ public static final String CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".bpk.target.";
+
//timeouts and clock skews
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index 6f1d75bfe..c55b5a749 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -31,7 +31,6 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.BooleanUtils;
-import org.apache.commons.lang3.StringUtils;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
@@ -41,6 +40,7 @@ import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
import com.google.common.net.MediaType;
@@ -306,7 +306,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
context.put("RelayState", pendingReq.getRequestID());
- Logger.debug("Using assertion consumer url as action: " + authnReqEndpoint.getLocation());
+ Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation());
context.put("action", authnReqEndpoint.getLocation());
Logger.debug("Starting template merge");
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java
index d0c003b31..bb52d2ffe 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java
@@ -168,12 +168,12 @@ public class NewMoaEidasMetadata {
}
private void generateDigest(Extensions eidasExtensions) throws EIDASSAMLEngineException {
- if (!(StringUtils.isEmpty(this.params.getDigestMethods()))) {
- Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods());
+ if (!(StringUtils.isEmpty(this.params.getSigningMethods()))) {
+ Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getSigningMethods());
Set<String> digestMethods = new HashSet();
for (String signatureMethod : signatureMethods) {
digestMethods.add(CertificateUtil.validateDigestAlgorithm(signatureMethod));
- }
+ }
for (String digestMethod : digestMethods) {
DigestMethod dm = (DigestMethod) BuilderFactoryUtil.buildXmlObject(DigestMethod.DEF_ELEMENT_NAME);
if (dm != null) {
@@ -203,7 +203,7 @@ public class NewMoaEidasMetadata {
generateDigest(eidasExtensions);
if (!(StringUtils.isEmpty(this.params.getSigningMethods()))) {
- Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods());
+ Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getSigningMethods());
for (String signMethod : signMethods) {
SigningMethod sm = (SigningMethod) BuilderFactoryUtil
.buildXmlObject(SigningMethod.DEF_ELEMENT_NAME);
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
index d469ca28c..02a5df098 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
@@ -28,6 +28,7 @@ import java.net.URL;
import java.util.HashMap;
import java.util.Map;
+import org.opensaml.common.xml.SAMLSchemaBuilder;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLConfigurator;
@@ -107,6 +108,9 @@ public class SAMLEngineUtils {
//overwrite eIDAS response validator suite because Condition-Valitator has not time jitter
initOpenSAMLConfig("own-saml-eidasnode-config.xml");
+ //add eIDAS specific SAML2 extensions to eIDAS Schema validatior
+ SAMLSchemaBuilder.addExtensionSchema(
+ at.gv.egovernment.moa.util.Constants.SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION);
eIDASEngine = engine;
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 940b91b44..4b67370d6 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -56,6 +56,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
import at.gv.egovernment.moa.logging.Logger;
@@ -283,14 +284,22 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
} else {
String[] splittedTarget = eIDASTarget.split("\\+");
if (!splittedTarget[2].equalsIgnoreCase(reqCC)) {
- Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer()
+ Logger.debug("Configuration for eIDAS-node:" + samlReq.getIssuer()
+ " Destination Country from request (" + reqCC
- + ") does not match to configuration:" + eIDASTarget);
- throw new MOAIDException("eIDAS.01",
- new Object[]{"Destination Country from request does not match to configuration"});
+ + ") does not match to configuration:" + eIDASTarget
+ + " --> Perform additional organisation check ...");
+
+ //check if eIDAS domain for bPK calculation is a valid target
+ if (!iseIDASTargetAValidOrganisation(reqCC, splittedTarget[2])) {
+ throw new MOAIDException("eIDAS.01",
+ new Object[]{"Destination Country from request does not match to configuration"});
+
+ }
+
}
- Logger.debug("CountryCode from request matches eIDAS-node configuration target");
+ Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget);
+
}
@@ -439,6 +448,20 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) {
return false;
}
+
+ private boolean iseIDASTargetAValidOrganisation(String reqCC, String bPKTargetArea) {
+ if (MiscUtil.isNotEmpty(reqCC)) {
+ List<String> allowedOrganisations = KeyValueUtils.getListOfCSVValues(
+ authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + reqCC.toLowerCase()));
+ if (allowedOrganisations.contains(bPKTargetArea)) {
+ Logger.debug(bPKTargetArea + " is a valid OrganisationIdentifier for request-country: "+ reqCC);
+ return true;
+ }
+ }
+
+ Logger.info("OrganisationIdentifier: " + bPKTargetArea + " is not allowed for country: " + reqCC);
+ return false;
+ }
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd b/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd
new file mode 100644
index 000000000..76b82a267
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:eidas="http://eidas.europa.eu/saml-extensions" targetNamespace="http://eidas.europa.eu/saml-extensions" elementFormDefault="qualified" attributeFormDefault="unqualified">
+
+ <xsd:element name="SPType" type="eidas:SPTypeType"/>
+ <xsd:simpleType name="SPTypeType">
+ <xsd:restriction base="xsd:string">
+ <xsd:enumeration value="public"/>
+ <xsd:enumeration value="private"/>
+ </xsd:restriction>
+ </xsd:simpleType>
+
+ <xsd:element name="RequestedAttributes" type="eidas:RequestedAttributesType"/>
+ <xsd:complexType name="RequestedAttributesType">
+ <xsd:sequence>
+ <xsd:element minOccurs="0" maxOccurs="unbounded" ref="eidas:RequestedAttribute"/>
+ </xsd:sequence>
+ </xsd:complexType>
+
+ <xsd:element name="RequestedAttribute" type="eidas:RequestedAttributeType"/>
+ <xsd:complexType name="RequestedAttributeType">
+ <xsd:sequence>
+ <xsd:element name="AttributeValue" minOccurs="0" maxOccurs="unbounded" type="xsd:anyType"/>
+ </xsd:sequence>
+ <xsd:attribute name="Name" type="xsd:string" use="required"/>
+ <xsd:attribute name="NameFormat" type="xsd:anyURI" use="required" />
+ <xsd:attribute name="isRequired" type="xsd:boolean" use="required"/>
+ <xsd:attribute name="FriendlyName" type="xsd:string" use="optional"/>
+ <xsd:anyAttribute namespace="##other" processContents="lax" />
+ </xsd:complexType>
+
+</xsd:schema>
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java
index 98f8d13c7..52970e240 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java
@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
-import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithFileSystemLoad;
import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConsta
import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateUtils;
import at.gv.egovernment.moa.id.auth.servlet.GeneralProcessEngineSignalController;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.logging.Logger;
@@ -60,11 +61,13 @@ public class SelectMandateServiceTask extends AbstractAuthServletTask {
//check if Service-Provider allows ELGA-mandates
if (ELGAMandateUtils.checkServiceProviderAgainstELGAModulConfigration(authConfig, pendingReq)) {
Logger.trace("Build GUI for mandate-service selection ...");
-
- IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
- pendingReq,
- ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION,
- GeneralProcessEngineSignalController.ENDPOINT_GENERIC);
+
+ IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithFileSystemLoad(
+ pendingReq,
+ ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION,
+ MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL,
+ GeneralProcessEngineSignalController.ENDPOINT_GENERIC,
+ authConfig.getRootConfigFileDir());
guiBuilder.build(response, config, "Mandate-Service selection");