From 8f3f0922e06cc0fdd9f2d7562061a15570435e12 Mon Sep 17 00:00:00 2001 From: Klaus Stranacher Date: Wed, 25 Jun 2014 09:59:26 +0200 Subject: Retention interval in MOA-SPSS standard configuration (for MOA-ID deployment) set --- .../data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml b/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml index 14acd54f2..9759f1ac5 100644 --- a/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml +++ b/id/server/data/deploy/conf/moa-spss/SampleMOASPSSConfiguration.xml @@ -65,6 +65,18 @@ + + + + CN=a-sign-corporate-light-03,OU=a-sign-corporate-light-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT + 1825 + + + + CN=a-sign-corporate-light-02,OU=a-sign-corporate-light-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT + 1825 + + -- cgit v1.2.3 From f57b189815b6f26710071fe18bf858fdff4a63d1 Mon Sep 17 00:00:00 2001 From: Klaus Stranacher Date: Wed, 25 Jun 2014 15:29:40 +0200 Subject: Exclude iaik_pki_module (from TSL library) --- spss/server/serverlib/pom.xml | 2 +- spss/server/serverws/.project | 7 +++++++ spss/server/serverws/pom.xml | 8 +++++++- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/spss/server/serverlib/pom.xml b/spss/server/serverlib/pom.xml index 3c29cd88c..f762ecdf6 100644 --- a/spss/server/serverlib/pom.xml +++ b/spss/server/serverlib/pom.xml @@ -144,7 +144,7 @@ iaik - iaik_tsl + iaik_tsl iaik diff --git a/spss/server/serverws/.project b/spss/server/serverws/.project index 4faa086c3..8150d984e 100644 --- a/spss/server/serverws/.project +++ b/spss/server/serverws/.project @@ -5,6 +5,11 @@ + + org.eclipse.wst.jsdt.core.javascriptValidator + + + org.eclipse.jdt.core.javabuilder 
@@ -27,9 +32,11 @@ + org.eclipse.jem.workbench.JavaEMFNature org.eclipse.jdt.core.javanature org.eclipse.m2e.core.maven2Nature org.eclipse.wst.common.project.facet.core.nature org.eclipse.wst.common.modulecore.ModuleCoreNature + org.eclipse.wst.jsdt.core.jsNature diff --git a/spss/server/serverws/pom.xml b/spss/server/serverws/pom.xml index 56168a586..9159242ef 100644 --- a/spss/server/serverws/pom.xml +++ b/spss/server/serverws/pom.xml @@ -91,7 +91,7 @@ MOA.spss.server moa-spss-lib - + MOA @@ -104,6 +104,12 @@ iaik iaik_tsl + + + iaik_pki_module + iaik + + log4j -- cgit v1.2.3 From 7830437391cf5fe927605e82492d79fdb872059e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 30 Jun 2014 12:51:41 +0200 Subject: Log an error if authblock transformation is not found --- .../moa/id/config/legacy/BuildFromLegacyConfig.java | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java index e6e77911a..9554e3ca5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java @@ -29,7 +29,6 @@ import java.io.IOException; import java.io.InputStream; import java.math.BigInteger; import java.net.URI; -import java.net.URL; import java.nio.file.Path; import java.util.ArrayList; import java.util.Arrays; 
@@ -242,13 +241,19 @@ public class BuildFromLegacyConfig { for (int i=0; i Date: Mon, 30 Jun 2014 13:26:02 +0200 Subject: add checkbox to choose if all errors should be send back to online application --- .../id/configuration/data/oa/OASAML1Config.java | 21 +++++++++++++++++ .../resources/applicationResources_de.properties | 1 + .../resources/applicationResources_en.properties | 1 + .../src/main/webapp/jsp/snippets/OA/saml1.jsp | 8 +++++++ .../id/config/legacy/BuildFromLegacyConfig.java | 1 + .../moa/id/protocols/saml1/SAML1Protocol.java | 27 +++++++++++++--------- .../src/main/resources/config/moaid_config_2.0.xsd | 1 + 7 files changed, 49 insertions(+), 11 deletions(-) diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASAML1Config.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASAML1Config.java index 8d7d02048..7b5575a90 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASAML1Config.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASAML1Config.java @@ -42,6 +42,7 @@ public class OASAML1Config implements IOnlineApplicationData{ private Boolean provideCertificate = false; private Boolean provideFullMandateData = false; private Boolean useCondition = false; + private Boolean provideAllErrors = true; private int conditionLength = -1; @@ -71,6 +72,9 @@ public class OASAML1Config implements IOnlineApplicationData{ provideIdentityLink = saml1.isProvideIdentityLink(); provideStammZahl = saml1.isProvideStammzahl(); + if (saml1.isProvideAllErrors() != null) + provideAllErrors = saml1.isProvideAllErrors(); + if (saml1.isUseCondition() != null) useCondition = saml1.isUseCondition(); 
@@ -122,6 +126,7 @@ public class OASAML1Config implements IOnlineApplicationData{ saml1.setProvideIdentityLink(isProvideIdentityLink()); saml1.setProvideStammzahl(isProvideStammZahl()); saml1.setUseCondition(isUseCondition()); + saml1.setProvideAllErrors(provideAllErrors); saml1.setConditionLength(BigInteger.valueOf(getConditionLength())); // TODO: set sourceID // saml1.setSourceID(""); @@ -185,5 +190,21 @@ public class OASAML1Config implements IOnlineApplicationData{ */ public void setActive(boolean isActive) { this.isActive = isActive; + } + + /** + * @return the provideAllErrors + */ + public Boolean getProvideAllErrors() { + return provideAllErrors; + } + + /** + * @param provideAllErrors the provideAllErrors to set + */ + public void setProvideAllErrors(Boolean provideAllErrors) { + this.provideAllErrors = provideAllErrors; } + + } diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties index 5b7f2cc01..e4e7a0b63 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties @@ -295,6 +295,7 @@ webpages.oaconfig.saml1.provideCertificate=Zertifikat \u00FCbertragen webpages.oaconfig.saml1.provideFullMandateData=Vollst\u00E4ndige Vollmacht \u00FCbertragen webpages.oaconfig.saml1.useCondition=Usecondition webpages.oaconfig.saml1.conditionLength=ConditionLength +webpages.oaconfig.saml1.provideAllErrors=Fehlermeldungen an OA \u00FCbertragen webpages.oaconfig.protocols.pvp2.header=PVP2.x Konfiguration webpages.oaconfig.pvp2.reload=PVP2.x konfiguration neu laden diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties index cc6e98964..dcf36103b 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties 
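Review bot: The new field `private Boolean provideAllErrors = true;` means an online application with no stored value has error assertions forwarded to it unless the administrator unticks the new checkbox, while the legacy import in the BuildFromLegacyConfig hunk further down opts existing applications out with `oa_saml1.setProvideAllErrors(false);`; the two paths should agree on one default, and the safer one for an absent value is the opt-out. The generated Javadoc on the accessors says only "the provideAllErrors"; a one-liner such as `/** Whether error assertions, not only successful ones, are returned to this online application. */` would tell a maintainer what the flag controls. `setProvideAllErrors(Boolean)` also accepts null, which `saml1.setProvideAllErrors(provideAllErrors)` then writes straight into the configuration; normalising null to the chosen default in the setter keeps the stored value definite.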
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties @@ -293,6 +293,7 @@ webpages.oaconfig.saml1.provideCertificate=Transfer certificate webpages.oaconfig.saml1.provideFullMandateData=Transfer complete mandate data webpages.oaconfig.saml1.useCondition=Use condition webpages.oaconfig.saml1.conditionLength=Condition length +webpages.oaconfig.saml1.provideAllErrors=Transfer errors to application webpages.oaconfig.protocols.pvp2.header=PVP2.x configuration webpages.oaconfig.pvp2.reload=Load new PVP2.x configuration diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/saml1.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/saml1.jsp index 4fd02aa61..a004a03a3 100644 --- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/saml1.jsp +++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/saml1.jsp @@ -45,6 +45,14 @@ key="webpages.oaconfig.saml1.provideFullMandateData" cssClass="checkbox"> +
+ + + <%--


diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java index 9554e3ca5..864be253a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java @@ -453,6 +453,7 @@ public class BuildFromLegacyConfig { oa_saml1.setProvideStammzahl(oa.getProvideStammzahl()); oa_saml1.setUseCondition(oa.getUseCondition()); oa_saml1.setIsActive(true); + oa_saml1.setProvideAllErrors(false); //OA_PVP2 OAPVP2 oa_pvp2 = new OAPVP2(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 399e7fa22..9c8c52e87 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java 
@@ -166,21 +166,26 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { IRequest protocolRequest) throws Throwable{ - SAML1AuthenticationServer saml1authentication = SAML1AuthenticationServer.getInstace(); + OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(protocolRequest.getOAURL()); + if (!oa.getSAML1Parameter().isProvideAllErrors()) + return false; - String samlArtifactBase64 = saml1authentication.BuildErrorAssertion(e, protocolRequest); + else { + SAML1AuthenticationServer saml1authentication = SAML1AuthenticationServer.getInstace(); + String samlArtifactBase64 = saml1authentication.BuildErrorAssertion(e, protocolRequest); - String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet"; - url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(protocolRequest.getOAURL(), "UTF-8")); - url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); - url = response.encodeRedirectURL(url); + String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet"; + url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(protocolRequest.getOAURL(), "UTF-8")); + url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); + url = response.encodeRedirectURL(url); - response.setContentType("text/html"); - response.setStatus(302); - response.addHeader("Location", url); - Logger.debug("REDIRECT TO: " + url); + response.setContentType("text/html"); + response.setStatus(302); + response.addHeader("Location", url); + Logger.debug("REDIRECT TO: " + url); - return true; + return true; + } } public IAction getAction(String action) { diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd index 2d5542b98..8bc532236 100644 
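Review bot: `if (!oa.getSAML1Parameter().isProvideAllErrors()) return false;` unboxes the flag, and the null check `saml1.isProvideAllErrors() != null` in the OASAML1Config hunk suggests the accessor returns a Boolean, so an online application configured before this field existed would throw NullPointerException from inside the error handler itself; `oa` can presumably also be null when the OA URL is unknown. Guard both before unboxing, treating an absent value as "do not forward": `Boolean provideAll = oa == null ? null : oa.getSAML1Parameter().isProvideAllErrors();` followed by `if (provideAll == null || !provideAll) return false;`. The enclosing method begins outside the hunk, and the `else` after an unconditional `return` is redundant, so the remainder can stay at method level without the extra indentation.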
--- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd +++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd @@ -859,6 +859,7 @@ + -- cgit v1.2.3 From d8a98ad0bb51b55963b3672180ad092b5890bf7b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 2 Jul 2014 12:40:59 +0200 Subject: update readme_2.1.0-RC3.txt --- id/readme_2.1.0-RC3.txt | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/id/readme_2.1.0-RC3.txt b/id/readme_2.1.0-RC3.txt index 8f8a7b62d..19e0e9091 100644 --- a/id/readme_2.1.0-RC3.txt +++ b/id/readme_2.1.0-RC3.txt @@ -14,14 +14,15 @@ gleichen Verzeichnis): - IDP Interfederation für Single Sign-On - MOA-ID Truststore wird auch für Bezug PVP 2.1 metadaten über https verwendet. - Definition neuer Fehlercodes + - Single LogOut Unterstützung für PVP 2.1 (SAML2) als Feature mit Betastatus - Änderungen - Anpassung VIDP Code für STORK - - MOA-ID-Konfigurationstool mit überarbeiteter Online-Applikationskonfiguration - - Kleinere Bug-Fixes + - MOA-ID-Konfigurationstool mit überarbeiteter Online-Applikationskonfiguration - Anpassung der protokollspezifischen Fehlerrückgabe - - Anpassungen für die Verwendung von Oracle Datenbanksystemen - + - Anpassungen für die Verwendung von Oracle Datenbanksystemen + - Kleinere Bug-Fixes + ------------------------------------------------------------------------------- B. Durchführung eines Updates ------------------------------------------------------------------------------- -- cgit v1.2.3 From 7886beb95d7aeeb6439d81c09f297f0c4fceeb8c Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 2 Jul 2014 12:41:27 +0200 Subject: set correct target type element --- .../egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index a82a51d07..670ce8b3d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -303,17 +303,14 @@ public class PEPSConnectorServlet extends AuthServlet { // retrieve target //TODO: check in case of SSO!!! String targetType = null; - String targetValue = null; if(oaParam.getBusinessService()) { String id = oaParam.getIdentityLinkDomainIdentifier(); if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) - targetValue = id.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); + targetType = id; else - targetValue = moaSession.getDomainIdentifier(); - targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_; + targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_ + moaSession.getDomainIdentifier(); } else { - targetType = AuthenticationSession.TARGET_PREFIX_; - targetValue = oaParam.getTarget(); + targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); } Logger.debug("Starting connecting SZR Gateway"); @@ -322,7 +319,7 @@ public class PEPSConnectorServlet extends AuthServlet { try { identityLink = STORKResponseProcessor.connectToSZRGateway(authnResponse.getPersonalAttributeList(), oaParam.getFriendlyName(), - targetType, targetValue, + targetType, null, oaParam.getMandateProfiles()); } catch (STORKException e) { // this is really nasty but we work against the system here. We are supposed to get the gender attribute from -- cgit v1.2.3 From 37ffa16c121e5be8ad3c060b007ed200359007ea Mon Sep 17 00:00:00 2001 
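Review bot: `targetType, null,` passes a bare null where the removed `targetValue` used to be, and nothing in the hunk says why; a short comment such as `targetType, null, // identifier is now carried inside targetType (prefix + value)` would keep the call readable. The new `if`/`else` branches are unbraced single statements that assign the same variable; braces, or building the prefix once and appending, would make the two cases easier to compare. The `//TODO: check in case of SSO!!!` above the change still stands and is unaffected by it.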
From: Thomas Lenz Date: Wed, 2 Jul 2014 12:44:45 +0200 Subject: actually, STORK response processing does not verify the signature of signedDoc attribute --> check if signature verification response exists. --- .../moa/id/auth/builder/AuthenticationDataBuilder.java | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index c0e1dd3ca..9af2f5ee5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -478,11 +478,19 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authData.setGivenName(identityLink.getGivenName()); authData.setFamilyName(identityLink.getFamilyName()); authData.setDateOfBirth(identityLink.getDateOfBirth()); - authData.setQualifiedCertificate(verifyXMLSigResp - .isQualifiedCertificate()); - authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); - authData.setPublicAuthorityCode(verifyXMLSigResp - .getPublicAuthorityCode()); + + if (verifyXMLSigResp != null) { + authData.setQualifiedCertificate(verifyXMLSigResp + .isQualifiedCertificate()); + authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); + authData.setPublicAuthorityCode(verifyXMLSigResp + .getPublicAuthorityCode()); + + } else { + Logger.warn("No signature verfication response found!"); + + } + authData.setBkuURL(session.getBkuURL()); authData.setStorkAttributes(session.getStorkAttributes()); -- cgit v1.2.3 From b3814742f6a15524a7204246e8ccda666d06befd Mon Sep 17 00:00:00 2001 
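Review bot: In the new `else` branch a missing signature-verification response only produces a warning, and qualifiedCertificate, publicAuthority and publicAuthorityCode are left at whatever `authData` already held, so a consumer cannot tell "not verified" from "verified but not qualified". Setting them explicitly in that branch, `authData.setQualifiedCertificate(false);` and `authData.setPublicAuthority(false);`, would make the unverified state definite, assuming the setters take the same boolean values the verified path passes. The log message also has a typo: `Logger.warn("No signature verification response found!");`. The enclosing method continues outside the hunk.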
From: Thomas Lenz Date: Thu, 3 Jul 2014 12:52:57 +0200 Subject: solve bug with specialtext and ' in identitylink BKU remove ' encoding and response includes ' --- .../CreateXMLSignatureResponseValidator.java | 32 ++++++++++++---------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 762d9af2c..bc3b30334 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -288,15 +288,16 @@ public class CreateXMLSignatureResponseValidator { } if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { String samlSpecialText = (String)samlAttribute.getValue(); + samlSpecialText = samlSpecialText.replaceAll("'", "'"); - String text = ""; - try { + String text = ""; + try { OAAuthParameter oaparam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix()); if (MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText())) Logger.info("Use addional AuthBlock Text from OA=" + oaparam.getPublicURLPrefix()); - } catch (ConfigurationException e) { - Logger.warn("Addional AuthBlock Text can not loaded from OA!", e); - } + } catch (ConfigurationException e) { + Logger.warn("Addional AuthBlock Text can not loaded from OA!", e); + } String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); 
@@ -516,22 +517,23 @@ public class CreateXMLSignatureResponseValidator { } if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { String samlSpecialText = (String)samlAttribute.getValue(); + samlSpecialText = samlSpecialText.replaceAll("'", "'"); - String text = ""; - try { - if (MiscUtil.isNotEmpty(text = AuthConfigurationProvider.getInstance().getSSOSpecialText())) + String text = ""; + try { + if (MiscUtil.isNotEmpty(text = AuthConfigurationProvider.getInstance().getSSOSpecialText())) Logger.info("Use addional AuthBlock Text from SSO=" +text); else text = new String(); - } catch (ConfigurationException e) { - Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e); - } + } catch (ConfigurationException e) { + Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e); + } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); - if (!samlSpecialText.equals(specialText)) { - throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); - } + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, identityLink.getName(), identityLink.getDateOfBirth(), identityLink.getIssueInstant()); + if (!samlSpecialText.equals(specialText)) { + throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); + } } else { throw new ValidateException("validator.35", null); } -- cgit v1.2.3 From 667e2aa623bec0ccadf9c47d3c993e896ad5bc9a Mon Sep 17 00:00:00 2001 
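Review bot: As rendered here both arguments of `samlSpecialText = samlSpecialText.replaceAll("'", "'");` are the same character, which makes the line a no-op, and the same line is added in the first hunk at @@ -288; if the page lost an XML entity in the first argument, a literal replacement should use `replace` rather than the regex-based `replaceAll`, and a comment such as `// BKU may escape the apostrophe; normalise before comparing with the expected text` should say why the received text is rewritten before the `equals` check. This hunk also switches `generateSpecialText` from `issuer` and `issueInstant` to `identityLink.getName()` and `identityLink.getIssueInstant()`, a change the next commit in this series reverts in its CreateXMLSignatureResponseValidator hunk, so the two commits should be squashed or the reasoning recorded.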
From: Thomas Lenz Date: Thu, 3 Jul 2014 13:57:20 +0200 Subject: update handbook and change version to 2.1.0 --- id/server/auth/src/main/webapp/index.html | 2 +- id/server/doc/handbook/protocol/idp_metadata.xml | 137 +++++++++++++++------ id/server/doc/handbook/protocol/protocol.html | 30 ++++- .../CreateXMLSignatureResponseValidator.java | 2 +- pom.xml | 4 +- 5 files changed, 130 insertions(+), 45 deletions(-) diff --git a/id/server/auth/src/main/webapp/index.html b/id/server/auth/src/main/webapp/index.html index a411663b2..4d4529730 100644 --- a/id/server/auth/src/main/webapp/index.html +++ b/id/server/auth/src/main/webapp/index.html @@ -14,7 +14,7 @@
-

MOA-ID 2.1.0-RC3

+

MOA-ID 2.1.0


Inhalt

    diff --git a/id/server/doc/handbook/protocol/idp_metadata.xml b/id/server/doc/handbook/protocol/idp_metadata.xml index 2d2990917..e8915332e 100644 --- a/id/server/doc/handbook/protocol/idp_metadata.xml +++ b/id/server/doc/handbook/protocol/idp_metadata.xml @@ -1,18 +1,18 @@ - + - + - YPy6KJGNTbmKTzmLbQ3wsDhGgz8ktuUjud19b9xoHe0= + IjxuoZphYVmZdZ5HfoVDr35r2b1V840+SMeC89IO/SQ= - Zg4iaALZ/pNrthme8PaH5iiWZQ+ay30oC14RJab99im9atRDd6tb5RGmmuKY0KXpxetHUnBp5yA8I2Oh+tUuaq4Vbhewq1k9TytZmo83KMJbWBwtPWhbgET/i40CcngDiKPZLSt793WJ/LJpFtj/YidJaq2Z4k5Mj4RUr/SBMdH2HN+fZio/K9uyGy7hOLWKIU9zrSj1sOeMvqwyT6vD8h2s2qWV4TZai2PMxUSMgqqmJS3be2yoI68+5JHX3lgdQ9xRfhasxk//hK/rx39UiljIKxRRUpq1V2TGimK6YYNKrimzzVznCoB25h1+NMF8vQvwSRj085MAQkeQ14gedw== + JILQKKPvsK7onsMweJauAcGEniFGJ5bXEOvfYhxAYCB+dXL6pH87USD1v9UqycllBDqQE/Rp2tPtqo11CjdcKs0KkceQCZjzmDlVPqMZrgh0FerTSysF0fcPKoKeAtqqk+WSu7Xk9lU+PCxGArGA+vBLTRRbAOuZpE7ORrS7AF2m5uaO1YOKfO0GN+LoxTiygI2aeqKsKMlPkboh4ZuEjv1ht9xUHeQtAf/MHtaXZDvaRQPXALf0oCRnDWpiiqvKdARJq5NXrrbrdow/M1FpoddtE0Mu65AsorIdXoPSXJnLhw/zDfHv82PQo0pW7ujc0yJY+5VzfURMZOyKmrfCmg== MIIEFTCCAv2gAwIBAgIJAI/HXXgQpJtFMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNVBAYTAkFUMRMw @@ -37,7 +37,7 @@ cfmNJhb06H+6mmHz929Bk4HuHoQj8X8= - + 
@@ -64,55 +64,114 @@ cfmNJhb06H+6mmHz929Bk4HuHoQj8X8= + urn:oasis:names:tc:SAML:2.0:nameid-format:persistent urn:oasis:names:tc:SAML:2.0:nameid-format:transient urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - + - - - + + + + + - - - - - - + - + + + + - - - - - - - - + + + - - + + + + + + + + + MIIEFTCCAv2gAwIBAgIJAI/HXXgQpJtFMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNVBAYTAkFUMRMw +EQYDVQQIEwpTb21lLVN0YXRlMQ0wCwYDVQQHEwRHcmF6MQ0wCwYDVQQKEwRFR0laMSIwIAYDVQQD +ExlNT0EtSUQgSURQIChUZXN0LVZlcnNpb24pMB4XDTE0MDEyMTA4NDAxOFoXDTE1MDEyMTA4NDAx +OFowZDELMAkGA1UEBhMCQVQxEzARBgNVBAgTClNvbWUtU3RhdGUxDTALBgNVBAcTBEdyYXoxDTAL +BgNVBAoTBEVHSVoxIjAgBgNVBAMTGU1PQS1JRCBJRFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFETzd0nLV2P4pUGnlLKj3V+MZ4bUyYkNK5NnkzB0PO8hm +tsrdg+HSNsnPiU5KvD26tFpxq9lfibZcAp9JHFqjA/capOHcTDhYkTvJcSdaKJzttTPy4wivTbRu +y+ocK9jjz6g8BFvP9wQ5/k2AwFaqj0SeJt0jJTn4CZ8XMNozA2hwkQA2heuMtOl24Ie9PRC3/Af7 +utV2CNfV2MysGHIxazsZDIgFF+5/nybyR1yiIxKb0BYDh3gbNdyH5uLVBHOP4hvzQN5Z1xc/cdzq +lzKn/4v6HJraNn00xLzK6nrG6gB6HvDok2l8T1Cc7f8I+sNlO2aM8rY4hGSGCfhiL6IFAgMBAAGj +gckwgcYwHQYDVR0OBBYEFKG3LzuPtAGCXUPTw3fo9dtsS9wWMIGWBgNVHSMEgY4wgYuAFKG3LzuP +tAGCXUPTw3fo9dtsS9wWoWikZjBkMQswCQYDVQQGEwJBVDETMBEGA1UECBMKU29tZS1TdGF0ZTEN +MAsGA1UEBxMER3JhejENMAsGA1UEChMERUdJWjEiMCAGA1UEAxMZTU9BLUlEIElEUCAoVGVzdC1W +ZXJzaW9uKYIJAI/HXXgQpJtFMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAME3wzEi +UAcF2pCDtMMJzX4IDhSkWNuvWtSMMy8Vgtcc2t570teIKh+qNKQWZyX3QFVE6ovDABg3ZUhn780l +G4/t6aMOUEeGg4udl7l0QRBRbdd+9oc0Aw5dQqku02AQ6wQd695PLj+F0GeA7cdef90aLPu6Rwa5 +z5BiKpReJZoul3NpjQXz7A1IslZOlIhEDcFUlBSn/+QfLOeNDKurvPT0OzUGSGfrv0AoniNHc/fz +lfyRmgFbzAVHedU5cIxcE0yHtEKFjFSVwtGng9rTJpoOoY4pvGvAHlw6GEgO+HwFukPDtnvY8vi/ +cfmNJhb06H+6mmHz929Bk4HuHoQj8X8= + + + + + + + MIIEFTCCAv2gAwIBAgIJAI/HXXgQpJtFMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNVBAYTAkFUMRMw +EQYDVQQIEwpTb21lLVN0YXRlMQ0wCwYDVQQHEwRHcmF6MQ0wCwYDVQQKEwRFR0laMSIwIAYDVQQD 
+ExlNT0EtSUQgSURQIChUZXN0LVZlcnNpb24pMB4XDTE0MDEyMTA4NDAxOFoXDTE1MDEyMTA4NDAx +OFowZDELMAkGA1UEBhMCQVQxEzARBgNVBAgTClNvbWUtU3RhdGUxDTALBgNVBAcTBEdyYXoxDTAL +BgNVBAoTBEVHSVoxIjAgBgNVBAMTGU1PQS1JRCBJRFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFETzd0nLV2P4pUGnlLKj3V+MZ4bUyYkNK5NnkzB0PO8hm +tsrdg+HSNsnPiU5KvD26tFpxq9lfibZcAp9JHFqjA/capOHcTDhYkTvJcSdaKJzttTPy4wivTbRu +y+ocK9jjz6g8BFvP9wQ5/k2AwFaqj0SeJt0jJTn4CZ8XMNozA2hwkQA2heuMtOl24Ie9PRC3/Af7 +utV2CNfV2MysGHIxazsZDIgFF+5/nybyR1yiIxKb0BYDh3gbNdyH5uLVBHOP4hvzQN5Z1xc/cdzq +lzKn/4v6HJraNn00xLzK6nrG6gB6HvDok2l8T1Cc7f8I+sNlO2aM8rY4hGSGCfhiL6IFAgMBAAGj +gckwgcYwHQYDVR0OBBYEFKG3LzuPtAGCXUPTw3fo9dtsS9wWMIGWBgNVHSMEgY4wgYuAFKG3LzuP +tAGCXUPTw3fo9dtsS9wWoWikZjBkMQswCQYDVQQGEwJBVDETMBEGA1UECBMKU29tZS1TdGF0ZTEN +MAsGA1UEBxMER3JhejENMAsGA1UEChMERUdJWjEiMCAGA1UEAxMZTU9BLUlEIElEUCAoVGVzdC1W +ZXJzaW9uKYIJAI/HXXgQpJtFMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAME3wzEi +UAcF2pCDtMMJzX4IDhSkWNuvWtSMMy8Vgtcc2t570teIKh+qNKQWZyX3QFVE6ovDABg3ZUhn780l +G4/t6aMOUEeGg4udl7l0QRBRbdd+9oc0Aw5dQqku02AQ6wQd695PLj+F0GeA7cdef90aLPu6Rwa5 +z5BiKpReJZoul3NpjQXz7A1IslZOlIhEDcFUlBSn/+QfLOeNDKurvPT0OzUGSGfrv0AoniNHc/fz +lfyRmgFbzAVHedU5cIxcE0yHtEKFjFSVwtGng9rTJpoOoY4pvGvAHlw6GEgO+HwFukPDtnvY8vi/ +cfmNJhb06H+6mmHz929Bk4HuHoQj8X8= + + + + + urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + + + EGIZ E-Government Innovationszentrum diff --git a/id/server/doc/handbook/protocol/protocol.html b/id/server/doc/handbook/protocol/protocol.html index b98561d7e..e7658875c 100644 --- a/id/server/doc/handbook/protocol/protocol.html +++ b/id/server/doc/handbook/protocol/protocol.html @@ -32,7 +32,11 @@
  • Single Sign-On
  • -
  • SSO Logout
  • +
  • SSO Logout +
      +
    1. Single LogOut
    2. +
    +
  • Legacy Request (Bürgerkartenauswahl beim Service Provider)
  • @@ -109,6 +113,11 @@ Redirect Binding Attribut Query für IDP Interfederation https://<host>:<port>/moa-id-auth/pvp2/attributequery + + PVP 2.1 + Single LogOut + https://<host>:<port>/moa-id-auth/pvp2/redirect + OpenID Connect Authentifizierungsrequest
    @@ -132,11 +141,17 @@ Redirect Binding

    http://<host>:<port>/moa-id-auth/services/GetAuthenticationData

    - SSO Logout + SSO LogOut LogOut

    https://<host>:<port>/moa-id-auth/LogOut

    http://<host>:<port>/moa-id-auth/LogOut

    + + IDP Single LogOut + Single LogOut +

    https://<host>:<port>/moa-id-auth/idpSingleLogout

    +

    http://<host>:<port>/moa-id-auth/idpSingleLogout

    +

    1.2 Übersicht der möglichen Attribute

    Die nachfolgende Tabelle beinhaltet eine Liste aller Attribute die vom Modul MOA-ID-Auth an die Online-Applikation zurückgeliefert werden können, sofern diese nach der Authentifizierung zur Verfügung stehen. Alle Namen beziehen sich auf den Attributnamen im jeweiligen Protokoll. Detailinformationen zu den einzelnen Attributen finden Sie in der PVP 2.1 Spezifikation der der STORK Spezifikation.

    @@ -882,6 +897,17 @@ https://<host>:<port>/moa-id-auth/LogOut
    https://demo.egiz.gv.at/moa-id-auth/LogOut?redirect=https://demo.egiz.gv.at/demoportal-openID_demo
     

    Hinweis: Dieses Service bietet jedoch NICHT eine vollständige Single Log-Out Funktionalität wie sie im SAML 2 Protokoll vorgesehen ist, sondern beendet ausschließlich die SSO Session in der MOA-ID-Auth Instanz.

    +

    1.5.1 Single LogOut

    +

    Ab der Version 2.1 unterstützt das Modul MOA-ID-Auth Single LogOut (SLO) laut SAML2 Spezifikation. Die SLO Funktionaltität steht jedoch nur für Online-Applikationen zur Verfügung welche als Authentifizierungsprotokoll PVP 2.1 verwenden. Für alle anderen Authentifizierungsprotokolle steht aktuell kein SLO zur Verfügung.

    +

    Für Single LogOut stehen sowohl IDP initialisiertes SLO als auch Service Provider initialisiertes SLO zur Verfügung. Als Einsprungpunkt für IDP initialisiertes SLO stellt das Modul MOA-ID-Auth folgende Web Adressen zur Verfügung. Nach dem Aufruf dieses Services wird der Single LogOut Vorgang gestartet. Nach erfolgreicher Bearbeitung aller SLO Requests / Response erfolgt die Statusausgabe in den Browser.

    +
    https://<host>:<port>/moa-id-auth/idpSingleLogout
    +

    bzw.

    +
    http://<host>:<port>/moa-id-auth/idpSingleLogout
    +

     

    +

    Die Endpunkte für Service Provider initialisietes SLO finden Sie in den PVP 2.1 Metadaten.

    +

     

    +

    Hinweis: Wenn Single Sign-On mit Authentifizierungsprotokollen, welche kein SLO untersützen verwendet wurde, schlägt der Single LogOut Vorgang auf jeden Fall fehl, da der Benutzer an den jeweiligen Online-Applikationen nicht angemeldet werden kann. Die SSO Session am Identityprovider wird jedoch auf jeden Fall beendet

    +

     

    1.6 Legacy Request (Bürgerkartenauswahl beim Service Provider)

    Soll die Bürgerkartenauswahl jedoch weiterhin, wie aus MOA-ID 1.5.1 bekannt direkt in der Online-Applikation des Service Providers erfolgen muss für das jeweilige Protokoll der Legacy Modus aktiviert werden. Wird der Legacy Modus verwendet muss jedoch zusätzlich zu den protokollspezifischen Parametern mindestens der Parameter bkuURI, welcher die gewählte Bürgerkartenumgebung enthält, im Authentifizierungsrequest an MOA-ID-Auth übergeben werden (siehe Protokoll SAML 1). Die folgenden Parameter stehen bei Verwendung des Legacy Modus unabhängig vom verwendeten Protokoll zur Verfügung und bilden den gesamten Umfang der Bürgerkartenauswahl, wie aus MOA-ID 1.5.1 bekannt, ab.

    diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index bc3b30334..547a86bd9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -530,7 +530,7 @@ public class CreateXMLSignatureResponseValidator { } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, identityLink.getName(), identityLink.getDateOfBirth(), identityLink.getIssueInstant()); + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); if (!samlSpecialText.equals(specialText)) { throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); } diff --git a/pom.xml b/pom.xml index a7d01649d..2888425d1 100644 --- a/pom.xml +++ b/pom.xml @@ -12,10 +12,10 @@ UTF-82.0.0 - 2.1.0-RC3 + 2.1.02.0.02.0.1 - 1.1.0-RC3 + 1.1.02.0.2 -- cgit v1.2.3 From d4037454494f7aac6b4e60050104244a481930ca Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 4 Jul 2014 14:01:53 +0200 Subject: store OA businessservice identification type --- .../moa/id/configuration/data/oa/OATargetConfiguration.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java index 4036bc25f..e988cc292 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java 
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java @@ -181,7 +181,9 @@ public class OATargetConfiguration implements IOnlineApplicationData { num = num.substring(Constants.IDENIFICATIONTYPE_ERSB.length()); } - IdentificationNumber idnumber = new IdentificationNumber(); + IdentificationNumber idnumber = authoa.getIdentificationNumber(); + if (idnumber == null) + idnumber = new IdentificationNumber(); if (getIdentificationType().equals(Constants.IDENIFICATIONTYPE_STORK)) { idnumber.setValue(Constants.PREFIX_STORK + "AT" + "+" + num); -- cgit v1.2.3 From b6b155c4d55a31a13d189f50831fb7fa8c504b90 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 7 Jul 2014 10:52:29 +0200 Subject: update to MOA-SPSS 2.0.1 --- spss/server/history.txt | 9 +++++++++ spss/server/readme.update.txt | 8 ++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/spss/server/history.txt b/spss/server/history.txt index 651524419..2e549f37a 100644 --- a/spss/server/history.txt +++ b/spss/server/history.txt @@ -1,3 +1,12 @@ +############## +2.0.1 +############## + +- Sicherheitsupdates: + - Update axis-iaik.jar +- Sonstiges: + - kleinere Anpassungen + ############## 2.0.0 ############## diff --git a/spss/server/readme.update.txt b/spss/server/readme.update.txt index 07d100272..c7e6cd9d1 100644 --- a/spss/server/readme.update.txt +++ b/spss/server/readme.update.txt 
@@ -1,11 +1,11 @@ ====================================================================== - Update einer bestehenden MOA-SPSS-Installation auf Version 2.0.0 + Update einer bestehenden MOA-SPSS-Installation auf Version 2.0.1 ====================================================================== Es gibt zwei Moeglichkeiten (im Folgenden als "Update Variante A" und "Update Variante B" bezeichnet), das Update von MOA-SPSS auf Version -2.0.0 durchzufuehren. Update Variante A geht dabei den Weg ueber eine +2.0.1 durchzufuehren. Update Variante A geht dabei den Weg ueber eine vorangestellte Neuinstallation, waehrend Variante B direkt eine bestehende Installation aktualisiert. @@ -16,7 +16,7 @@ JAVA_HOME bezeichnet das Wurzelverzeichnis der JDK-Installation CATALINA_HOME bezeichnet das Wurzelverzeichnis der Tomcat-Installation MOA_SPSS_INST bezeichnet das Verzeichnis, in das Sie die Datei -moa-spss-2.0.0.zip entpackt haben. +moa-spss-2.0.1.zip entpackt haben. ================= Update Variante A @@ -53,7 +53,7 @@ Update Variante B 1.) Erstellen Sie eine Sicherungskopie des kompletten Tomcat-Verzeichnisses Ihrer MOA-SPSS-Installation. -2.) Entpacken Sie die Datei "moa-spss-2.0.0.zip" in das Verzeichnis MOA_SPSS_INST. +2.) Entpacken Sie die Datei "moa-spss-2.0.1.zip" in das Verzeichnis MOA_SPSS_INST. 3.) Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach. -- cgit v1.2.3