aboutsummaryrefslogtreecommitdiff
path: root/id
diff options
context:
space:
mode:
Diffstat (limited to 'id')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java213
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java18
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java38
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java9
9 files changed, 251 insertions, 38 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 03a61d08f..b76863602 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -24,12 +24,37 @@ package at.gv.egovernment.moa.id.moduls;
import java.io.IOException;
import java.io.PrintWriter;
+import java.security.NoSuchAlgorithmException;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.joda.time.DateTime;
+import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.core.NameIDPolicy;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.core.RequestedAuthnContext;
+import org.opensaml.saml2.core.Subject;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.SingleSignOnService;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.security.MetadataCredentialResolver;
+import org.opensaml.security.MetadataCredentialResolverFactory;
+import org.opensaml.security.MetadataCriteria;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.xml.security.CriteriaSet;
+import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.security.criteria.EntityIDCriteria;
+
import at.gv.egovernment.moa.id.auth.builder.LoginFormBuilder;
import at.gv.egovernment.moa.id.auth.builder.SendAssertionFormBuilder;
import at.gv.egovernment.moa.id.auth.builder.StartAuthenticationBuilder;
@@ -42,9 +67,17 @@ import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.ArtifactBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.StringUtils;
public class AuthenticationManager extends AuthServlet {
@@ -148,16 +181,158 @@ public class AuthenticationManager extends AuthServlet {
public void doAuthentication(HttpServletRequest request,
HttpServletResponse response, IRequest target)
throws ServletException, IOException, MOAIDException {
+
Logger.info("Starting authentication ...");
+
+ if (MiscUtil.isEmpty(target.getRequestedIDP())) {
+ perfomLocalAuthentication(request, response, target);
+
+ } else {
+ Logger.info("Use IDP " + target.getRequestedIDP() + " for authentication ...");
+ buildPVP21AuthenticationRequest(request, response, target);
+
+ }
+ }
+
+ public void sendTransmitAssertionQuestion(HttpServletRequest request,
+ HttpServletResponse response, IRequest target, OAAuthParameter oaParam)
+ throws ServletException, IOException, MOAIDException {
+
+ String form = SendAssertionFormBuilder.buildForm(target.requestedModule(),
+ target.requestedAction(), target.getRequestID(), oaParam, request.getContextPath());
+
+ response.setContentType("text/html;charset=UTF-8");
+ PrintWriter out = new PrintWriter(response.getOutputStream());
+ out.print(form);
+ out.flush();
+ }
+
+ private void buildPVP21AuthenticationRequest(HttpServletRequest request,
+ HttpServletResponse response, IRequest target)
+ throws ServletException, IOException, MOAIDException {
+
+ boolean requiredLocalAuthentication = true;
+
+ Logger.debug("Build PVP 2.1 authentication request");
+
+ //get IDP metadata
+ try {
+ EntityDescriptor idpEntity = MOAMetadataProvider.getInstance().
+ getEntityDescriptor(target.getRequestedIDP());
+
+ if (idpEntity != null ) {
+
+ //fetch endpoint from IDP metadata
+ SingleSignOnService redirectEndpoint = null;
+ for (SingleSignOnService sss :
+ idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) {
+
+ // use POST binding as default if it exists
+ if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
+ redirectEndpoint = sss;
+
+ } else if ( sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) &&
+ redirectEndpoint == null )
+ redirectEndpoint = sss;
+ }
+
+ if (redirectEndpoint != null) {
+
+ AuthnRequest authReq = SAML2Utils
+ .createSAMLObject(AuthnRequest.class);
+ SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
+ authReq.setID(gen.generateIdentifier());
+
+ //send passive AuthnRequest
+ authReq.setIsPassive(true);
-// if (!ParamValidatorUtils.isValidOA(target.getOAURL()))
-// throw new WrongParametersException("StartAuthentication", PARAM_OA,
-// "auth.12");
-//
-// if (target.getOAURL() == null) {
-// throw new WrongParametersException("StartAuthentication", PARAM_OA,
-// "auth.12");
-// }
+ authReq.setAssertionConsumerServiceIndex(0);
+ authReq.setIssueInstant(new DateTime());
+ Subject subject = SAML2Utils.createSAMLObject(Subject.class);
+ NameID name = SAML2Utils.createSAMLObject(NameID.class);
+ Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
+
+ String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath();
+ name.setValue(serviceURL);
+ issuer.setValue(serviceURL);
+
+ subject.setNameID(name);
+ authReq.setSubject(subject);
+ issuer.setFormat(NameIDType.ENTITY);
+ authReq.setIssuer(issuer);
+ NameIDPolicy policy = SAML2Utils
+ .createSAMLObject(NameIDPolicy.class);
+ policy.setAllowCreate(true);
+ policy.setFormat(NameID.TRANSIENT);
+ authReq.setNameIDPolicy(policy);
+
+ authReq.setDestination(redirectEndpoint.getLocation());
+
+ RequestedAuthnContext reqAuthContext =
+ SAML2Utils.createSAMLObject(RequestedAuthnContext.class);
+
+ AuthnContextClassRef authnClassRef =
+ SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
+ authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4");
+ reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
+ reqAuthContext.getAuthnContextClassRefs().add(authnClassRef);
+ authReq.setRequestedAuthnContext(reqAuthContext);
+
+
+ IEncoder binding = null;
+ if (redirectEndpoint.getBinding().equals(
+ SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
+ binding = new RedirectBinding();
+
+ } else if (redirectEndpoint.getBinding().equals(
+ SAMLConstants.SAML2_POST_BINDING_URI)) {
+ binding = new PostBinding();
+
+ }
+
+ binding.encodeRequest(request, response, authReq,
+ redirectEndpoint.getLocation(), target.getRequestID());
+
+ //build and send request without an error
+ requiredLocalAuthentication = false;
+
+ } else {
+ Logger.warn("Requested IDP " + target.getRequestedIDP()
+ + " does not support POST or Redirect Binding.");
+
+ }
+
+ } else {
+ Logger.warn("Requested IDP " + target.getRequestedIDP()
+ + " is not found in InterFederation configuration");
+
+ }
+
+ } catch (MetadataProviderException e) {
+ Logger.error("IDP metadata error." , e);
+
+ } catch (NoSuchAlgorithmException e) {
+ Logger.error("Build IDP authentication request FAILED.", e);
+
+ } catch (MessageEncodingException e) {
+ Logger.error("Build IDP authentication request FAILED.", e);
+
+ } catch (SecurityException e) {
+ Logger.error("Build IDP authentication request FAILED.", e);
+
+ }
+
+ if (requiredLocalAuthentication) {
+ Logger.info("Switch to local authentication on this IDP ... ");
+ perfomLocalAuthentication(request, response, target);
+ }
+ }
+
+
+ private void perfomLocalAuthentication(HttpServletRequest request,
+ HttpServletResponse response, IRequest target)
+ throws ServletException, IOException, MOAIDException {
+ Logger.debug("Starting authentication on this IDP ...");
setNoCachingHeadersInHttpRespone(request, response);
@@ -183,17 +358,12 @@ public class AuthenticationManager extends AuthServlet {
if (legacyallowed && legacyparamavail) {
- //parse request parameter into MOASession
-
+ //parse request parameter into MOASession
StartAuthentificationParameterParser.parse(request, response, moasession, target);
Logger.info("Start Authentication Module: " + moasession.getModul()
+ " Action: " + moasession.getAction());
-
- //start authentication process
-// session.getServletContext().getNamedDispatcher("StartAuthentication")
-// .forward(request, response);
-
+
StartAuthenticationBuilder startauth = StartAuthenticationBuilder.getInstance();
String getIdentityLinkForm = startauth.build(moasession, request, response);
@@ -260,17 +430,4 @@ public class AuthenticationManager extends AuthServlet {
out.flush();
}
}
-
- public void sendTransmitAssertionQuestion(HttpServletRequest request,
- HttpServletResponse response, IRequest target, OAAuthParameter oaParam)
- throws ServletException, IOException, MOAIDException {
-
- String form = SendAssertionFormBuilder.buildForm(target.requestedModule(),
- target.requestedAction(), target.getRequestID(), oaParam, request.getContextPath());
-
- response.setContentType("text/html;charset=UTF-8");
- PrintWriter out = new PrintWriter(response.getOutputStream());
- out.print(form);
- out.flush();
- }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
index 2ef24c084..a33d39ba7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
@@ -33,7 +33,8 @@ public interface IRequest {
public void setAction(String action);
public String getTarget();
public void setRequestID(String id);
- public String getRequestID();
+ public String getRequestID();
+ public String getRequestedIDP();
//public void setTarget();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
index b9b1742e4..d3ab640f1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
@@ -36,6 +36,7 @@ public class RequestImpl implements IRequest, Serializable{
private String action = null;
private String target = null;
private String requestID;
+ private String requestedIDP = null;
public void setOAURL(String value) {
@@ -102,4 +103,21 @@ public class RequestImpl implements IRequest, Serializable{
public String getRequestID() {
return requestID;
}
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.moduls.IRequest#getRequestedIDP()
+ */
+ @Override
+ public String getRequestedIDP() {
+ return requestedIDP;
+ }
+
+ /**
+ * @param requestedIDP the requestedIDP to set
+ */
+ public void setRequestedIDP(String requestedIDP) {
+ this.requestedIDP = requestedIDP;
+ }
+
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java
index 43a17af23..1a2a02037 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java
@@ -49,7 +49,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableEx
public class ArtifactBinding implements IDecoder, IEncoder {
public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
- RequestAbstractType request, String targetLocation)
+ RequestAbstractType request, String targetLocation, String relayState)
throws MessageEncodingException, SecurityException {
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
index f7dfd055c..de5548a44 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java
@@ -34,7 +34,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
public interface IEncoder {
public void encodeRequest(HttpServletRequest req,
- HttpServletResponse resp, RequestAbstractType request, String targetLocation)
+ HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState)
throws MessageEncodingException, SecurityException, PVP2Exception;
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 11e280d8f..b190ca24e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -47,6 +47,7 @@ import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
import org.opensaml.xml.security.x509.X509Credential;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
@@ -56,10 +57,38 @@ import at.gv.egovernment.moa.logging.Logger;
public class PostBinding implements IDecoder, IEncoder {
public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
- RequestAbstractType request, String targetLocation)
+ RequestAbstractType request, String targetLocation, String relayState)
throws MessageEncodingException, SecurityException {
- // TODO Auto-generated method stub
+
+ try {
+ X509Credential credentials = CredentialProvider
+ .getIDPAssertionSigningCredential();
+
+ VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine();
+ HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
+ "resources/templates/pvp_postbinding_template.html");
+ HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+ resp, true);
+ BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+ SingleSignOnService service = new SingleSignOnServiceBuilder().buildObject();
+ service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+ service.setLocation(targetLocation);;
+
+ context.setOutboundSAMLMessageSigningCredential(credentials);
+ context.setPeerEntityEndpoint(service);
+ context.setOutboundSAMLMessage(request);
+ context.setOutboundMessageTransport(responseAdapter);
+ context.setRelayState(relayState);
+ encoder.encode(context);
+
+ } catch (CredentialsNotAvailableException e) {
+ e.printStackTrace();
+ throw new SecurityException(e);
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new SecurityException(e);
+ }
}
public void encodeRespone(HttpServletRequest req, HttpServletResponse resp,
@@ -117,9 +146,7 @@ public class PostBinding implements IDecoder, IEncoder {
RequestAbstractType inboundMessage = (RequestAbstractType) messageContext
.getInboundMessage();
-
-
-
+
MOARequest request = new MOARequest(inboundMessage);
request.setVerified(false);
@@ -159,4 +186,5 @@ public class PostBinding implements IDecoder, IEncoder {
public boolean handleDecode(String action, HttpServletRequest req) {
return (req.getMethod().equals("POST"));
}
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index dc6a1f637..f8eb84c02 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -61,7 +61,7 @@ import at.gv.egovernment.moa.util.DOMUtils;
public class RedirectBinding implements IDecoder, IEncoder {
public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
- RequestAbstractType request, String targetLocation)
+ RequestAbstractType request, String targetLocation, String relayState)
throws MessageEncodingException, SecurityException {
// TODO: implement
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index 1d41654eb..d2a4d4f60 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -77,7 +77,7 @@ public class SoapBinding implements IDecoder, IEncoder {
}
public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
- RequestAbstractType request, String targetLocation)
+ RequestAbstractType request, String targetLocation, String relayState)
throws MessageEncodingException, SecurityException, PVP2Exception {
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java
index 9ea33c8ef..23b8b3f7a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java
@@ -210,4 +210,13 @@ public class MOASTORKRequest implements IRequest, Serializable {
else
return this.storkAuthnRequest.getAssertionConsumerServiceURL();
}
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.moduls.IRequest#getRequestedIDP()
+ */
+ @Override
+ public String getRequestedIDP() {
+ // TODO Auto-generated method stub
+ return null;
+ }
}