From 71da4a9bc7e2ff79b2fb4cf8903d15fd75372859 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 19 Jul 2013 11:50:19 +0200 Subject: SSO and Configuration updated TODO: --PVP2 from configuration --UseIFrame for OAs --SSO with mandates --Resign IdentityLink --Encrypted MOASession in Database --- id/server/auth/src/main/webapp/css/index.css | 6 +- .../moa/id/auth/AuthenticationServer.java | 265 ++++++++++----------- .../moa/id/auth/MOAIDAuthConstants.java | 1 + .../AuthenticationBlockAssertionBuilder.java | 125 ++++++++-- .../moa/id/auth/builder/BPKBuilder.java | 7 +- .../builder/InfoboxValidatorParamsBuilder.java | 94 ++++---- .../moa/id/auth/builder/LoginFormBuilder.java | 8 +- .../moa/id/auth/data/AuthenticationSession.java | 33 +-- .../auth/parser/IdentityLinkAssertionParser.java | 2 +- .../StartAuthentificationParameterParser.java | 31 ++- .../moa/id/auth/servlet/RedirectServlet.java | 21 +- .../servlet/VerifyAuthenticationBlockServlet.java | 14 +- .../id/auth/servlet/VerifyIdentityLinkServlet.java | 3 +- .../CreateXMLSignatureResponseValidator.java | 221 ++++++++++++++++- .../moa/id/config/ConnectionParameter.java | 55 +++++ .../id/config/auth/AuthConfigurationProvider.java | 91 +++++++ .../id/config/legacy/BuildFromLegacyConfig.java | 2 +- .../moa/id/data/AuthenticationData.java | 31 ++- .../moa/id/entrypoints/DispatcherServlet.java | 19 +- .../moa/id/moduls/AuthenticationManager.java | 17 +- .../gv/egovernment/moa/id/moduls/SSOManager.java | 17 +- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 3 + .../id/protocols/pvp2x/binding/PostBinding.java | 6 + .../pvp2x/builder/CitizenTokenBuilder.java | 106 ++++----- .../moa/id/protocols/saml1/GetArtifactAction.java | 62 ++--- .../moa/id/protocols/saml1/GetArtifactServlet.java | 140 ----------- .../protocols/saml1/SAML1AuthenticationServer.java | 57 ++--- .../moa/id/protocols/saml1/SAML1Protocol.java | 1 + .../id/storage/AuthenticationSessionStoreage.java | 17 +- .../moa/id/util/ParamValidatorUtils.java | 12 +- .../java/at/gv/egovernment/moa/id/util/Random.java | 38 ++- .../moa/id/util/VelocityLogAdapter.java | 77 ++++++ .../resources/properties/id_messages_de.properties | 5 +- .../resources/resources/templates/loginForm.html | 64 ++++- .../moa/id/commons/db/ConfigurationDBRead.java | 2 +- .../moa/id/commons/db/ConfigurationDBUtils.java | 14 +- .../src/main/resources/config/moaid_config_2.0.xsd | 36 +-- 37 files changed, 1117 insertions(+), 586 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConnectionParameter.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/VelocityLogAdapter.java diff --git a/id/server/auth/src/main/webapp/css/index.css b/id/server/auth/src/main/webapp/css/index.css index 41f5bb2aa..ba6938f9a 100644 --- a/id/server/auth/src/main/webapp/css/index.css +++ b/id/server/auth/src/main/webapp/css/index.css @@ -76,14 +76,14 @@ p#skiplinks a:active { #main { clear:both; position:relative; - margin-left: 50%; + margin-left: 45%; } /* left */ #leftcontent { float:left; - width:220px; + width:250px; margin-bottom: 25px; } @@ -103,7 +103,7 @@ h2#tabheader, h2#contentheader { #bkulogin { overflow:hidden; - width:220px; + width:250px; } #bkukarte { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 214a1df7d..a127dc6b5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -57,6 +57,7 @@ import org.opensaml.xml.util.Base64; import org.opensaml.xml.util.XMLHelper; import org.w3c.dom.Document; import org.w3c.dom.Element; +import org.w3c.dom.Node; import org.w3c.dom.NodeList; import org.xml.sax.SAXException; @@ -87,6 +88,7 @@ import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; import at.gv.egovernment.moa.id.auth.parser.CreateXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.parser.ExtendedInfoboxReadResponseParser; +import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser; import at.gv.egovernment.moa.id.auth.parser.SAMLArtifactParser; import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; @@ -104,6 +106,7 @@ import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentity import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClient; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants; +import at.gv.egovernment.moa.id.commons.db.dao.config.IdentificationNumber; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConfigurationProvider; @@ -131,7 +134,9 @@ import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.DateTimeUtils; import at.gv.egovernment.moa.util.FileUtils; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; +import at.gv.egovernment.moa.util.XPathUtils; import eu.stork.mw.messages.saml.STORKAuthnRequest; import eu.stork.vidp.messages.builder.STORKMessagesBuilder; import eu.stork.vidp.messages.common.STORKConstants; @@ -419,10 +424,29 @@ public class AuthenticationServer implements MOAIDAuthConstants { } } - //build ReadInfobox request - String infoboxReadRequest = new InfoboxReadRequestBuilder().build( - oaParam.isSlVersion12(), oaParam.getBusinessService(), oaParam + String infoboxReadRequest = ""; + + if (session.isSsoRequested()) { + //load identityLink with SSO Target + boolean isbuisness = false; + String domainIdentifier = ""; + IdentificationNumber ssobusiness = AuthConfigurationProvider.getInstance().getSSOBusinessService(); + if (ssobusiness != null) { + isbuisness = true; + domainIdentifier = ssobusiness.getValue(); + } + + //build ReadInfobox request + infoboxReadRequest = new InfoboxReadRequestBuilder().build( + oaParam.isSlVersion12(), isbuisness, domainIdentifier); + + } else { + //build ReadInfobox request + infoboxReadRequest = new InfoboxReadRequestBuilder().build( + oaParam.isSlVersion12(), oaParam.getBusinessService(), oaParam .getIdentityLinkDomainIdentifier()); + } + String dataURL = new DataURLBuilder().buildDataURL( session.getAuthURL(), REQ_VERIFY_IDENTITY_LINK, session @@ -798,12 +822,14 @@ public class AuthenticationServer implements MOAIDAuthConstants { identityLink.setIdentificationType(null); } else { - String bpkBase64 = new BPKBuilder().buildBPK(identityLink - .getIdentificationValue(), session.getTarget()); - identityLink.setIdentificationValue(bpkBase64); - - //TODO: insert correct Type!!!! - identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget()); + + //TODO: check correctness!!! bpk calcultion is done during Assertion generation +// String bpkBase64 = new BPKBuilder().buildBPK(identityLink +// .getIdentificationValue(), session.getTarget()); +// identityLink.setIdentificationValue(bpkBase64); +// +// //TODO: insert correct Type!!!! +// identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget()); } } // ..BZ @@ -1022,11 +1048,18 @@ public class AuthenticationServer implements MOAIDAuthConstants { Constants.URN_PREFIX_BASEID)) { // only compute bPK if online application is a public service and we // have the Stammzahl - String bpkBase64 = new BPKBuilder().buildBPK(identityLink - .getIdentificationValue(), session.getTarget()); - identificationValue = bpkBase64; - identificationType = Constants.URN_PREFIX_CDID + "+" + session.getTarget(); + + if (session.isSsoRequested()) { + identificationType = ""; + identificationValue = ""; + + } else { + String bpkBase64 = new BPKBuilder().buildBPK(identityLink + .getIdentificationValue(), session.getTarget()); + identificationValue = bpkBase64; + identificationType = Constants.URN_PREFIX_CDID + "+" + session.getTarget(); + } // identityLink.setIdentificationValue(bpkBase64); // identityLink.setIdentificationType(Constants.URN_PREFIX_CDID + "+" + session.getTarget()); @@ -1045,17 +1078,41 @@ public class AuthenticationServer implements MOAIDAuthConstants { // Bug #485 // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105) // String oaURL = session.getPublicOAURLPrefix(); - String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&"); + List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); - String authBlock = new AuthenticationBlockAssertionBuilder() + + + if (session.isSsoRequested()) { + String oaURL =new String(); + try { + oaURL = AuthConfigurationProvider.getInstance().getSSOPublicUrl(); + + if (MiscUtil.isNotEmpty(oaURL)) + oaURL = oaURL.replaceAll("&", "&"); + + } catch (ConfigurationException e) { + } + String authBlock = new AuthenticationBlockAssertionBuilder() + .buildAuthBlockSSO(issuer, issueInstant, authURL, target, + targetFriendlyName, identificationValue, + identificationType, oaURL, gebDat, + extendedSAMLAttributes, session, oaParam); + return authBlock; + + } else { + String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&"); + String authBlock = new AuthenticationBlockAssertionBuilder() .buildAuthBlock(issuer, issueInstant, authURL, target, targetFriendlyName, identificationValue, identificationType, oaURL, gebDat, - extendedSAMLAttributes, session); + extendedSAMLAttributes, session, oaParam); + return authBlock; + } + - return authBlock; + } /** @@ -1107,7 +1164,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { .buildAuthBlock(issuer, issueInstant, authURL, target, targetFriendlyName, identificationValue, identificationType, oaURL, gebDat, - extendedSAMLAttributes, session); + extendedSAMLAttributes, session, oaParam); return authBlock; } @@ -1807,7 +1864,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE }); } // validates - new CreateXMLSignatureResponseValidator().validate(csresp, session); + if (session.isSsoRequested()) + new CreateXMLSignatureResponseValidator().validateSSO(csresp, session); + else + new CreateXMLSignatureResponseValidator().validate(csresp, session); + // builds a for a MOA-SPSS call List vtids = authConf.getMoaSpAuthBlockVerifyTransformsInfoIDs(); String tpid = authConf.getMoaSpAuthBlockTrustProfileID(); @@ -2191,13 +2252,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { IdentityLink identityLink = session.getIdentityLink(); AuthenticationData authData = new AuthenticationData(); - -// OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() -// .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - + VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse(); - boolean useUTC = oaParam.getUseUTC(); - boolean isForeigner = session.isForeigner(); + boolean useUTC = oaParam.getUseUTC(); boolean businessService = oaParam.getBusinessService(); authData.setMajorVersion(1); @@ -2206,7 +2263,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { authData.setIssuer(session.getAuthURL()); authData.setIssueInstant(DateTimeUtils.buildDateTime(Calendar .getInstance(), useUTC)); + + //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO + authData.setIdentificationValue(identityLink.getIdentificationValue()); authData.setIdentificationType(identityLink.getIdentificationType()); + authData.setGivenName(identityLink.getGivenName()); authData.setFamilyName(identityLink.getFamilyName()); authData.setDateOfBirth(identityLink.getDateOfBirth()); @@ -2218,105 +2279,58 @@ public class AuthenticationServer implements MOAIDAuthConstants { authData.setBkuURL(session.getBkuURL()); authData.setUseUTC(oaParam.getUseUTC()); - //TODO: check correctness -// boolean provideStammzahl = oaParam.getProvideStammzahl(); -// if (provideStammzahl) { -// authData.setIdentificationValue(identityLink -// .getIdentificationValue()); -// } - -// String prPerson = new PersonDataBuilder().build(identityLink, -// provideStammzahl); - try { -// String signerCertificateBase64 = ""; -// if (oaParam.getProvideCertifcate()) { -// X509Certificate signerCertificate = verifyXMLSigResp -// .getX509certificate(); -// if (signerCertificate != null) { -// signerCertificateBase64 = Base64Utils -// .encode(signerCertificate.getEncoded()); -// } else { -// Logger -// .info("\"provideCertificate\" is \"true\", but no signer certificate available"); -// } -// } -// authData.setSignerCertificate(signerCertificateBase64); - if(!isForeigner) { - //we have Austrian citizen - if (businessService) { - authData.setBPK(identityLink.getIdentificationValue()); - authData.setBPKType(identityLink.getIdentificationType()); - - } else { - - // OLD! BZ.., calculation of bPK already before sending AUTHBlock - //TL: identitylLink holds the BASEID, bPK is only calculated for AUTHBlock - //authData.setBPK(identityLink.getIdentificationValue()); - - // only compute bPK if online application is a public service and we have the Stammzahl - if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - String bpkBase64 = new BPKBuilder().buildBPK( - identityLink.getIdentificationValue(), target); - authData.setBPK(bpkBase64); - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); - } - } - } else { - //we have foreigner, thus we have to calculate bPK and wbPK now (after receiving identity link from SZR-GW - if (businessService) { - //since we have foreigner, wbPK is not calculated in BKU - if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + //TODO: resign the IdentityLink!!! + + if (businessService) { + //since we have foreigner, wbPK is not calculated in BKU + if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); - - if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) { - // If domainIdentifier starts with prefix - // "urn:publicid:gv.at:wbpk+"; remove this prefix - registerAndOrdNr = registerAndOrdNr - .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); - Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " - + registerAndOrdNr); - } + String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); + + if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) { + // If domainIdentifier starts with prefix + // "urn:publicid:gv.at:wbpk+"; remove this prefix + registerAndOrdNr = registerAndOrdNr + .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); + Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " + + registerAndOrdNr); + } - String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr); - authData.setBPK(wbpkBase64); - authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr); - } + String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr); + authData.setBPK(wbpkBase64); + authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr); } else { + authData.setBPK(identityLink.getIdentificationValue()); + authData.setBPKType(identityLink.getIdentificationType()); + } + + Element idlassertion = session.getIdentityLink().getSamlAssertion(); + //set bpk/wpbk; + Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); + prIdentification.getFirstChild().setNodeValue(authData.getBPK()); + //set bkp/wpbk type + Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); + prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); + + IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); + IdentityLink idl = idlparser.parseIdentityLink(); + authData.setIdentityLink(idl); + + } else { - if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - // only compute bPK if online application is a public service and we have the Stammzahl - String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target); - authData.setBPK(bpkBase64); - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); - } - - + if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + // only compute bPK if online application is a public service and we have the Stammzahl + String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target); + authData.setBPK(bpkBase64); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); } + authData.setIdentityLink(identityLink); } -// String ilAssertion = oaParam.getProvideIdentityLink() ? identityLink -// .getSerializedSamlAssertion() -// : ""; -// if (!oaParam.getProvideStammzahl()) { -// ilAssertion = StringUtils.replaceAll(ilAssertion, identityLink -// .getIdentificationValue(), ""); -// } -// String authBlock = oaParam.getProvideAuthBlock() ? session -// .getAuthBlock() : ""; - - - //TODO: check, if this elements are in use!!!! -// session.setAssertionAuthBlock(authBlock); -// session.setAssertionAuthData(authData); -// session.setAssertionBusinessService(businessService); -// session.setAssertionIlAssertion(ilAssertion); -// session.setAssertionPrPerson(prPerson); -// session.setAssertionSignerCertificateBase64(signerCertificateBase64); - + return authData; } catch (Throwable ex) { @@ -2325,27 +2339,6 @@ public class AuthenticationServer implements MOAIDAuthConstants { } } - /** - * Creates a new session and puts it into the session store. - * - * @param id - * Session ID - * @return AuthenticationSession created - * @exception AuthenticationException - * thrown when an AuthenticationSession is - * running already for the given session ID - */ - private static AuthenticationSession newSession() - throws AuthenticationException { - - try { - return AuthenticationSessionStoreage.createSession(); - - } catch (MOADatabaseException e) { - throw new AuthenticationException("", null); - } - } - /** * Retrieves a session from the session store. * @@ -2633,6 +2626,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { } } + + //TODO: check Target in case of SSO!! String spSector = StringUtils.isEmpty(moasession.getTarget()) ? "Business" : moasession.getTarget(); String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName(); String spApplication = spInstitution; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index 47bf61db4..e1552a5a6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -48,6 +48,7 @@ public interface MOAIDAuthConstants { public static final String PARAM_BKU = "bkuURI"; public static final String PARAM_MODUL = "MODUL"; public static final String PARAM_ACTION = "ACTION"; + public static final String PARAM_SSO = "SSO"; /** servlet parameter "sourceID" */ public static final String PARAM_SOURCEID = "sourceID"; /** servlet parameter "BKUSelectionTemplate" */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index fb45e517d..abb33203c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -59,6 +59,7 @@ import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; /** @@ -120,6 +121,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion * The number of SAML attributes included in this AUTH-Block (without the extended SAML attributes). */ public static final int NUM_OF_SAML_ATTRIBUTES = 4; + public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 3; /** * Constructor for AuthenticationBlockAssertionBuilder. @@ -168,23 +170,14 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion String oaURL, String gebDat, List extendedSAMLAttributes, - AuthenticationSession session) + AuthenticationSession session, + OAAuthParameter oaParam) throws BuildException { session.setSAMLAttributeGebeORwbpk(true); String gebeORwbpk = ""; String wbpkNSDeclaration = ""; - - //reading OA parameters - OAAuthParameter oaParam; - try { - oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( - session.getPublicOAURLPrefix()); - } catch (ConfigurationException e) { - Logger.error("Error on building AUTH-Block: " + e.getMessage()); - throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); - } - + if (target == null) { // OA is a business application if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) { @@ -216,7 +209,6 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion //no business service, adding bPK - System.out.println("identityLinkValue: " + identityLinkValue); if (identityLinkValue != null) { Element bpkSamlValueElement; try { @@ -264,9 +256,15 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion extendedSAMLAttributes.add(oaFriendlyNameAttribute); - //TODO: load special text from OAconfig - //String text = "Hiermit bestätige ich, #NAME#, die Ãœbernahme sämtlicher eingelangter Zustellstücke zum #DATE# um #TIME#."; String text = ""; + try { + OAAuthParameter oaparam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix()); + if (MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText())) + Logger.info("Use addional AuthBlock Text from OA=" + oaparam.getPublicURLPrefix()); + } catch (ConfigurationException e) { + Logger.warn("Addional AuthBlock Text can not loaded from OA!", e); + } + String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, @@ -406,9 +404,14 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion extendedSAMLAttributes.add(oaFriendlyNameAttribute); //..BZ - //TODO: load special text from OAconfig - //String text = "Hiermit bestätige ich, #NAME#, die Ãœbernahme sämtlicher eingelangter Zustellstücke zum #DATE# um #TIME#."; String text = ""; + try { + OAAuthParameter oaparam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix()); + if (MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText())) + Logger.info("Use addional AuthBlock Text from OA=" + oaparam.getPublicURLPrefix()); + } catch (ConfigurationException e) { + Logger.warn("Addional AuthBlock Text can not loaded from OA!", e); + } String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, new Object[] { generateSpecialText(text, issuer, issueInstant) }); @@ -464,4 +467,92 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion return null; } + public String buildAuthBlockSSO( + String issuer, + String issueInstant, + String authURL, + String target, + String targetFriendlyName, + String identityLinkValue, + String identityLinkType, + String oaURL, + String gebDat, + List extendedSAMLAttributes, + AuthenticationSession session, + OAAuthParameter oaParam) + throws BuildException + { + session.setSAMLAttributeGebeORwbpk(true); + String gebeORwbpk = ""; + String wbpkNSDeclaration = ""; + + if (target != null) { + + boolean useMandate = session.getUseMandate(); + if (useMandate) { + String mandateReferenceValue = Random.nextRandom(); + // remove leading "-" + if (mandateReferenceValue.startsWith("-")) + mandateReferenceValue = mandateReferenceValue.substring(1); + + session.setMandateReferenceValue(mandateReferenceValue); + + ExtendedSAMLAttribute mandateReferenceValueAttribute = + new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); + + extendedSAMLAttributes.add(mandateReferenceValueAttribute); + } + } + + //adding friendly name of OA + String friendlyname; + try { + friendlyname = AuthConfigurationProvider.getInstance().getSSOFriendlyName(); + + ExtendedSAMLAttribute oaFriendlyNameAttribute = + new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + + extendedSAMLAttributes.add(oaFriendlyNameAttribute); + + + String text = AuthConfigurationProvider.getInstance().getSSOSpecialText(); + + if (MiscUtil.isEmpty(text)) + text=""; + String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, + new Object[] { generateSpecialText(text, issuer, issueInstant) }); + + + + + String assertion; + + assertion = MessageFormat.format( + AUTH_BLOCK, new Object[] { + wbpkNSDeclaration, + issuer, + issueInstant, + authURL, + gebeORwbpk, + oaURL, + gebDat, + specialText, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + + return assertion; + + } catch (ParseException e) { + Logger.error("Error on building AUTH-Block: " + e.getMessage()); + throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); + + } catch (ConfigurationException e) { + Logger.error("Error on building AUTH-Block: " + e.getMessage()); + throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); + } + + + + } + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index 6a9a5b765..023b36d83 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -92,7 +92,12 @@ public class BPKBuilder { identificationValue + ",Register+Registernummer=" + registerAndOrdNr}); } - String basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; + String basisbegriff; + if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+" )) + basisbegriff = identificationValue + "+" + registerAndOrdNr; + else + basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; + try { MessageDigest md = MessageDigest.getInstance("SHA-1"); byte[] hash = md.digest(basisbegriff.getBytes("ISO-8859-1")); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java index 913b12d49..0a526ebbe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java @@ -59,52 +59,52 @@ public class InfoboxValidatorParamsBuilder { * * @return Parameters for validating an infobox token. */ - public static InfoboxValidatorParams buildInfoboxValidatorParams( - AuthenticationSession session, - VerifyInfoboxParameter verifyInfoboxParameter, - List infoboxTokenList, - OAAuthParameter oaParam) - { - InfoboxValidatorParamsImpl infoboxValidatorParams = new InfoboxValidatorParamsImpl(); - IdentityLink identityLink = session.getIdentityLink(); - - // the infobox token to validate - infoboxValidatorParams.setInfoboxTokenList(infoboxTokenList); - // configuration parameters - infoboxValidatorParams.setTrustProfileID(verifyInfoboxParameter.getTrustProfileID()); - infoboxValidatorParams.setSchemaLocations(verifyInfoboxParameter.getSchemaLocations()); - infoboxValidatorParams.setApplicationSpecificParams(verifyInfoboxParameter.getApplicationSpecificParams()); - // authentication session parameters - infoboxValidatorParams.setBkuURL(session.getBkuURL()); - infoboxValidatorParams.setTarget(session.getTarget()); - infoboxValidatorParams.setDomainIdentifier(oaParam.getIdentityLinkDomainIdentifier()); - infoboxValidatorParams.setBusinessApplication(session.getBusinessService()); - // parameters from the identity link - infoboxValidatorParams.setFamilyName(identityLink.getFamilyName()); - infoboxValidatorParams.setGivenName(identityLink.getGivenName()); - infoboxValidatorParams.setDateOfBirth(identityLink.getDateOfBirth()); - if (verifyInfoboxParameter.getProvideStammzahl()) { - infoboxValidatorParams.setIdentificationValue(identityLink.getIdentificationValue()); - } - infoboxValidatorParams.setIdentificationType(identityLink.getIdentificationType()); - infoboxValidatorParams.setPublicKeys(identityLink.getPublicKey()); - if (verifyInfoboxParameter.getProvideIdentityLink()) { - Element identityLinkElem = (Element)identityLink.getSamlAssertion().cloneNode(true); - if (!verifyInfoboxParameter.getProvideStammzahl()) { - Element identificationValueElem = - (Element)XPathUtils.selectSingleNode(identityLinkElem, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); - if (identificationValueElem != null) { - identificationValueElem.getFirstChild().setNodeValue(""); - } - } - infoboxValidatorParams.setIdentityLink(identityLinkElem); - } - - //TODO: check if this is Protocol specific - //infoboxValidatorParams.setHideStammzahl(!oaParam.getProvideStammzahl()); - infoboxValidatorParams.setHideStammzahl(true); - - return infoboxValidatorParams; - } +// public static InfoboxValidatorParams buildInfoboxValidatorParams( +// AuthenticationSession session, +// VerifyInfoboxParameter verifyInfoboxParameter, +// List infoboxTokenList, +// OAAuthParameter oaParam) +// { +// InfoboxValidatorParamsImpl infoboxValidatorParams = new InfoboxValidatorParamsImpl(); +// IdentityLink identityLink = session.getIdentityLink(); +// +// // the infobox token to validate +// infoboxValidatorParams.setInfoboxTokenList(infoboxTokenList); +// // configuration parameters +// infoboxValidatorParams.setTrustProfileID(verifyInfoboxParameter.getTrustProfileID()); +// infoboxValidatorParams.setSchemaLocations(verifyInfoboxParameter.getSchemaLocations()); +// infoboxValidatorParams.setApplicationSpecificParams(verifyInfoboxParameter.getApplicationSpecificParams()); +// // authentication session parameters +// infoboxValidatorParams.setBkuURL(session.getBkuURL()); +// infoboxValidatorParams.setTarget(session.getTarget()); +// infoboxValidatorParams.setDomainIdentifier(oaParam.getIdentityLinkDomainIdentifier()); +// infoboxValidatorParams.setBusinessApplication(session.getBusinessService()); +// // parameters from the identity link +// infoboxValidatorParams.setFamilyName(identityLink.getFamilyName()); +// infoboxValidatorParams.setGivenName(identityLink.getGivenName()); +// infoboxValidatorParams.setDateOfBirth(identityLink.getDateOfBirth()); +// if (verifyInfoboxParameter.getProvideStammzahl()) { +// infoboxValidatorParams.setIdentificationValue(identityLink.getIdentificationValue()); +// } +// infoboxValidatorParams.setIdentificationType(identityLink.getIdentificationType()); +// infoboxValidatorParams.setPublicKeys(identityLink.getPublicKey()); +// if (verifyInfoboxParameter.getProvideIdentityLink()) { +// Element identityLinkElem = (Element)identityLink.getSamlAssertion().cloneNode(true); +// if (!verifyInfoboxParameter.getProvideStammzahl()) { +// Element identificationValueElem = +// (Element)XPathUtils.selectSingleNode(identityLinkElem, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); +// if (identificationValueElem != null) { +// identificationValueElem.getFirstChild().setNodeValue(""); +// } +// } +// infoboxValidatorParams.setIdentityLink(identityLinkElem); +// } +// +// //TODO: check if this is Protocol specific +// //infoboxValidatorParams.setHideStammzahl(!oaParam.getProvideStammzahl()); +// infoboxValidatorParams.setHideStammzahl(true); +// +// return infoboxValidatorParams; +// } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java index ed55d660c..5f100d5fe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java @@ -12,8 +12,6 @@ import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol; import at.gv.egovernment.moa.logging.Logger; public class LoginFormBuilder { - - private static String SERVLET = "./GenerateIframeTemplate"; private static String AUTH_URL = "#AUTH_URL#"; private static String MODUL = "#MODUL#"; @@ -22,6 +20,9 @@ public class LoginFormBuilder { private static String BKU_ONLINE = "#ONLINE#"; private static String BKU_HANDY = "#HANDY#"; private static String BKU_LOCAL = "#LOCAL#"; + private static String CONTEXTPATH = "#CONTEXTPATH#"; + + private static String SERVLET = CONTEXTPATH+"/GenerateIframeTemplate"; private static String template; @@ -48,7 +49,7 @@ public class LoginFormBuilder { return template; } - public static String buildLoginForm(String modul, String action, String oaname) { + public static String buildLoginForm(String modul, String action, String oaname, String contextpath) { String value = getTemplate(); if(value != null) { @@ -61,6 +62,7 @@ public class LoginFormBuilder { value = value.replace(MODUL, modul); value = value.replace(ACTION, action); value = value.replace(OANAME, oaname); + value = value.replace(CONTEXTPATH, contextpath); } return value; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index ffe938d89..94a41a21f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -145,8 +145,6 @@ public class AuthenticationSession implements Serializable { */ private String misSessionID; - private String mandateData; - //store Identitylink /** * identity link read from smartcard @@ -231,6 +229,7 @@ public class AuthenticationSession implements Serializable { private boolean authenticated; private boolean authenticatedUsed = false; + private boolean ssoRequested = false; // /** // * Indicates if target from configuration is used or not @@ -294,15 +293,6 @@ public class AuthenticationSession implements Serializable { public void setAction(String action) { this.action = action; } - - public String getMandateData() { - return mandateData; - } - - public void setMandateData(String mandateData) { - this.mandateData = mandateData; - } - // public AuthenticationData getAuthData() { // return authData; @@ -1106,8 +1096,23 @@ public class AuthenticationSession implements Serializable { }catch (Throwable e) { Logger.warn("Mandate content could not be generated from MISMandate."); return null; - } - - + } } + + /** + * @return the ssoRequested + */ + + //TODO: SSO only allowed without mandates, actually + public boolean isSsoRequested() { + return ssoRequested && !useMandate; + } + + /** + * @param ssoRequested the ssoRequested to set + */ + public void setSsoRequested(boolean ssoRequested) { + this.ssoRequested = ssoRequested; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java index cb3ed5ad9..a468caf73 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java @@ -122,7 +122,7 @@ public class IdentityLinkAssertionParser { + "Value"; /** Xpath expression to the Identification Value element */ - private static final String PERSON_IDENT_TYPE_XPATH = + public static final String PERSON_IDENT_TYPE_XPATH = PERSON_XPATH + "/" + PDATA diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index b0a4f2f8a..3f82c2a4c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -36,6 +36,8 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ String targetFriendlyName = null; + String sso = req.getParameter(PARAM_SSO); + // escape parameter strings //TODO: use URLEncoder.encode!! target = StringEscapeUtils.escapeHtml(target); @@ -44,7 +46,8 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ templateURL = StringEscapeUtils.escapeHtml(templateURL); useMandate = StringEscapeUtils.escapeHtml(useMandate); ccc = StringEscapeUtils.escapeHtml(ccc); - + sso = StringEscapeUtils.escapeHtml(sso); + // check parameter if (!ParamValidatorUtils.isValidOA(oaURL)) throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); @@ -52,7 +55,9 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12"); if (!ParamValidatorUtils.isValidCCC(ccc)) throw new WrongParametersException("StartAuthentication", PARAM_CCC, "auth.12"); - + if (!ParamValidatorUtils.isValidUseMandate(sso)) + throw new WrongParametersException("StartAuthentication", PARAM_SSO, "auth.12"); + //check UseMandate flag String useMandateString = null; boolean useMandateBoolean = false; @@ -68,7 +73,23 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ useMandateBoolean = false; moasession.setUseMandate(useMandateString); - + + + //check useSSO flag + String useSSOString = null; + boolean useSSOBoolean = false; + if ((sso != null) && (sso.compareTo("") != 0)) { + useSSOString = sso; + } else { + useSSOString = "false"; + } + + if (useSSOString.compareToIgnoreCase("true") == 0) + useSSOBoolean = true; + else + useSSOBoolean = false; + moasession.setSsoRequested(useSSOBoolean); + //load OnlineApplication configuration OAAuthParameter oaParam; if (moasession.getPublicOAURLPrefix() != null) { @@ -126,9 +147,11 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ } moasession.setPublicOAURLPrefix(oaParam.getPublicURLPrefix()); + + //TODO: check for SSO moasession.setTarget(target); - moasession.setTargetFriendlyName(targetFriendlyName); moasession.setBusinessService(oaParam.getBusinessService()); + moasession.setTargetFriendlyName(targetFriendlyName); moasession.setDomainIdentifier(oaParam.getIdentityLinkDomainIdentifier()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java index 310f3509c..5a0bd33bf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java @@ -9,6 +9,8 @@ import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.auth.builder.RedirectFormBuilder; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.egovernment.moa.util.URLEncoder; @@ -16,16 +18,31 @@ public class RedirectServlet extends AuthServlet{ private static final long serialVersionUID = 1L; - public static final String REDIRCT_GETPARAM = "redirecturl"; + public static final String REDIRCT_PARAM_URL = "redirecturl"; + protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { Logger.info("Receive " + RedirectServlet.class + " Request"); - String url = req.getParameter(REDIRCT_GETPARAM); + String url = req.getParameter(REDIRCT_PARAM_URL); + String target = req.getParameter(PARAM_TARGET); + String artifact = req.getParameter(PARAM_SAMLARTIFACT); Logger.info("Redirect to " + url); + if (MiscUtil.isNotEmpty(target)) { +// redirectURL = addURLParameter(redirectURL, PARAM_TARGET, +// URLEncoder.encode(session.getTarget(), "UTF-8")); + url = addURLParameter(url, PARAM_TARGET, + URLEncoder.encode(target, "UTF-8")); + + + } + url = addURLParameter(url, PARAM_SAMLARTIFACT, + URLEncoder.encode(artifact, "UTF-8")); + url = resp.encodeRedirectURL(url); + String redirect_form = RedirectFormBuilder.buildLoginForm(url); resp.setContentType("text/html;charset=UTF-8"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java index f8a828f6f..adef74370 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java @@ -207,13 +207,17 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { String mandateReferenceValue = session.getMandateReferenceValue(); byte[] cert = session.getEncodedSignerCertificate(); - String targetType = null; - - if(session.getBusinessService()) { - targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+session.getDomainIdentifier(); + //TODO: check in case of SSO!!! + String targetType = null; + if(oaParam.getBusinessService()) { + String id = oaParam.getIdentityLinkDomainIdentifier(); + if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) + targetType = id; + else + targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+session.getDomainIdentifier(); } else { - targetType = AuthenticationSession.TARGET_PREFIX_ + session.getTarget(); + targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java index 8eaa8341c..2f12c7ae6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java @@ -229,7 +229,8 @@ public class VerifyIdentityLinkServlet extends AuthServlet { AuthenticationSessionStoreage.storeSession(session); } catch (MOADatabaseException e) { - throw new AuthenticationException("", null); + Logger.info("No valid MOA session found. Authentification process is abourted."); + throw new AuthenticationException("auth.20", null); } } catch (ParseException ex) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index ba7893412..d0fb1f87f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -35,9 +35,13 @@ import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.data.SAMLAttribute; +import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; import at.gv.egovernment.moa.util.XPathUtils; @@ -243,9 +247,15 @@ public class CreateXMLSignatureResponseValidator { if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { String samlSpecialText = (String)samlAttribute.getValue(); - //TODO:load Text from OA config - //String text = "Hiermit bestätige ich, #NAME#, die Ãœbernahme sämtlicher eingelangter Zustellstücke zum #DATE# um #TIME#."; - String text = ""; + String text = ""; + try { + OAAuthParameter oaparam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix()); + if (MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText())) + Logger.info("Use addional AuthBlock Text from OA=" + oaparam.getPublicURLPrefix()); + } catch (ConfigurationException e) { + Logger.warn("Addional AuthBlock Text can not loaded from OA!", e); + } + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, issueInstant); if (!samlSpecialText.equals(specialText)) { @@ -333,6 +343,211 @@ public class CreateXMLSignatureResponseValidator { } } + /** + * The Method validate is used for validating an explicit {@link CreateXMLSignatureResponse} + * @param createXMLSignatureResponse + * @param session + * @throws ValidateException + */ + public void validateSSO(CreateXMLSignatureResponse createXMLSignatureResponse, AuthenticationSession session) + throws ValidateException { + + // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier + + String oaURL; + try { + oaURL = AuthConfigurationProvider.getInstance().getSSOPublicUrl(); + } catch (ConfigurationException e1) { + oaURL = new String(); + } + + IdentityLink identityLink = session.getIdentityLink(); + + Element samlAssertion = createXMLSignatureResponse.getSamlAssertion(); + String issuer = samlAssertion.getAttribute("Issuer"); + if (issuer == null) { + // should not happen, because parser would dedect this + throw new ValidateException("validator.32", null); + } + // replace ' in name with ' + issuer = issuer.replaceAll("'", "'"); + + String issueInstant = samlAssertion.getAttribute("IssueInstant"); + if (!issueInstant.equals(session.getIssueInstant())) { + throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()}); + } + + String name = identityLink.getName(); + + if (!issuer.equals(name)) { + throw new ValidateException("validator.33", new Object[] {issuer, name}); + } + + SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes(); + + boolean foundOA = false; + boolean foundGB = false; + boolean foundWBPK = false; + int offset = 0; + + // check number of SAML aatributes + List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); + int extendedSAMLAttributesNum = 0; + if (extendedSAMLAttributes != null) { + extendedSAMLAttributesNum = extendedSAMLAttributes.size(); + } + int expectedSAMLAttributeNumber = + AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + extendedSAMLAttributesNum; + if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--; + int actualSAMLAttributeNumber = samlAttributes.length; + if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) { + Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + + expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber); + throw new ValidateException( + "validator.36", + new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)}); + } + + SAMLAttribute samlAttribute; + if (!session.getSAMLAttributeGebeORwbpk()) { + offset--; + } + + // check the first attribute (must be "OA") + samlAttribute = samlAttributes[0 + offset]; + if (!samlAttribute.getName().equals("OA")) { + throw new ValidateException( + "validator.37", + new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)}); + } + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundOA = true; + if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch + throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); + } + } else { + throw new ValidateException("validator.15", null); + } + + // check the third attribute (must be "Geburtsdatum") + samlAttribute = samlAttributes[1 + offset]; + if (!samlAttribute.getName().equals("Geburtsdatum")) { + throw new ValidateException( + "validator.37", + new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)}); + } + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String samlDateOfBirth = (String)samlAttribute.getValue(); + String dateOfBirth = identityLink.getDateOfBirth(); + if (!samlDateOfBirth.equals(dateOfBirth)) { + throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth}); + } + } else { + throw new ValidateException("validator.35", null); + } + + // check four attribute could be a special text + samlAttribute = samlAttributes[2 + offset]; + if (!samlAttribute.getName().equals("SpecialText")) { + throw new ValidateException( + "validator.37", + new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)}); + } + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String samlSpecialText = (String)samlAttribute.getValue(); + + String text = ""; + try { + if (MiscUtil.isNotEmpty(text = AuthConfigurationProvider.getInstance().getSSOSpecialText())) + Logger.info("Use addional AuthBlock Text from SSO=" +text); + else + text = new String(); + } catch (ConfigurationException e) { + Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e); + } + + + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, issueInstant); + if (!samlSpecialText.equals(specialText)) { + throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); + } + } else { + throw new ValidateException("validator.35", null); + } + + // now check the extended SAML attributes + int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset; + if (extendedSAMLAttributes != null) { + Iterator it = extendedSAMLAttributes.iterator(); + while (it.hasNext()) { + ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next(); + samlAttribute = samlAttributes[i]; + String actualName = samlAttribute.getName(); + String expectedName = extendedSAMLAttribute.getName(); + if (!actualName.equals(expectedName)) { + throw new ValidateException( + "validator.38", + new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName }); + } + String actualNamespace = samlAttribute.getNamespace(); + String expectedNamespace = extendedSAMLAttribute.getNameSpace(); + if (!actualNamespace.equals(expectedNamespace)) { + throw new ValidateException( + "validator.38", + new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, }); + } + Object expectedValue = extendedSAMLAttribute.getValue(); + Object actualValue = samlAttribute.getValue(); + try { + if (expectedValue instanceof String) { + // replace \r\n because text might be base64-encoded + String expValue = StringUtils.replaceAll((String)expectedValue,"\r",""); + expValue = StringUtils.replaceAll(expValue,"\n",""); + String actValue = StringUtils.replaceAll((String)actualValue,"\r",""); + actValue = StringUtils.replaceAll(actValue,"\n",""); + if (!expValue.equals(actValue)) { + throw new ValidateException( + "validator.38", + new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue }); + } + } else if (expectedValue instanceof Element) { + // only check the name of the element + String actualElementName = ((Element)actualValue).getNodeName(); + String expectedElementName = ((Element)expectedValue).getNodeName(); + if (!(expectedElementName.equals(actualElementName))){ + throw new ValidateException( + "validator.38", + new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName}); + } + } else { + // should not happen + throw new ValidateException( + "validator.38", + new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()}); + } + } catch (ClassCastException e) { + throw new ValidateException( + "validator.38", + new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()}); + } + i++; + } + } + + + if (!foundOA) throw new ValidateException("validator.14", null); + + //Check if dsig:Signature exists +// NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature"); +// if (nl.getLength() != 1) { +// throw new ValidateException("validator.05", null); +// } + Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH); + if (dsigSignature == null) { + throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; + } + } + public void validateSigningDateTime( CreateXMLSignatureResponse csresp) throws ValidateException { //TODO: insert Time validation!!!! diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConnectionParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConnectionParameter.java new file mode 100644 index 000000000..b358a31c9 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConnectionParameter.java @@ -0,0 +1,55 @@ +package at.gv.egovernment.moa.id.config; + +import java.util.Properties; + +import at.gv.egovernment.moa.id.commons.db.dao.config.ConnectionParameterClientAuthType; + +public abstract class ConnectionParameter { + + protected static final String PROP_IDENTIFIER_KEYSTORE = "clientKeyStore"; + protected static final String PROP_IDENTIFIER_KEYSTOREPASSWORD = "clientKeyStorePassword"; + protected static final String PROP_IDENTIFIER_ACCEPEDSERVERCERTS = "acceptedServerCertificates"; + + protected ConnectionParameterClientAuthType database; + protected Properties prop; + protected String basedirectory; + + public ConnectionParameter(ConnectionParameterClientAuthType database, Properties prop, String basedirectory) { + this.database = database; + this.prop = prop; + this.basedirectory = basedirectory; + } + + /** + * Returns the acceptedServerCertificates. + * @return String + */ + public abstract String getAcceptedServerCertificates(); + + /** + * Returns the clientKeyStore. + * @return String + */ + public abstract String getClientKeyStore(); + + /** + * Returns the clientKeyStorePassword. + * @return String + */ + public abstract String getClientKeyStorePassword(); + + + public boolean isHTTPSURL() { + if (database==null) + return false; + else + return database.getURL().indexOf("https") == 0; + } + + public String getUrl() { + if (database == null) + return null; + else + return database.getURL(); + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 922d86fc0..713fd538e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -49,6 +49,7 @@ import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentGeneral; import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModes; import at.gv.egovernment.moa.id.commons.db.dao.config.ForeignIdentities; +import at.gv.egovernment.moa.id.commons.db.dao.config.IdentificationNumber; import at.gv.egovernment.moa.id.commons.db.dao.config.IdentityLinkSigners; import at.gv.egovernment.moa.id.commons.db.dao.config.LegacyAllowed; import at.gv.egovernment.moa.id.commons.db.dao.config.MOAIDConfiguration; @@ -57,6 +58,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineMandates; import at.gv.egovernment.moa.id.commons.db.dao.config.Protocols; import at.gv.egovernment.moa.id.commons.db.dao.config.SLRequestTemplates; +import at.gv.egovernment.moa.id.commons.db.dao.config.SSO; import at.gv.egovernment.moa.id.commons.db.dao.config.SecurityLayer; import at.gv.egovernment.moa.id.commons.db.dao.config.TimeOuts; import at.gv.egovernment.moa.id.commons.db.dao.config.TrustAnchor; @@ -617,6 +619,95 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return null; } + public boolean isSSOBusinessService() throws ConfigurationException { + AuthComponentGeneral auth = getAuthComponentGeneral(); + + SSO sso = auth.getSSO(); + + if (sso!= null) { + if (sso.getIdentificationNumber() != null) + return true; + } + return false; + } + + public IdentificationNumber getSSOBusinessService() throws ConfigurationException { + AuthComponentGeneral auth = getAuthComponentGeneral(); + + SSO sso = auth.getSSO(); + + if (sso!= null) + return sso.getIdentificationNumber(); + + return null; + } + + public String getSSOTarget() throws ConfigurationException { + AuthComponentGeneral auth = getAuthComponentGeneral(); + + SSO sso = auth.getSSO(); + + if (sso!= null) + return sso.getTarget(); + + return null; + } + + public String getSSOFriendlyName() { + AuthComponentGeneral auth; + try { + auth = getAuthComponentGeneral(); + + SSO sso = auth.getSSO(); + + if (sso!= null) + return sso.getFriendlyName(); + + } catch (ConfigurationException e) { + Logger.warn("No SSO FriendlyName found. Use default Name!!!"); + } + return "Default MOA-ID friendly name for SSO"; + } + + public String getSSOSpecialText() { + try { + AuthComponentGeneral auth = getAuthComponentGeneral(); + + SSO sso = auth.getSSO(); + + if (sso!= null) { + String text = sso.getSpecialText(); + if (MiscUtil.isEmpty(text)) + text = new String(); + return text; + } + + + } catch (ConfigurationException e) { + } + return new String(); + } + + public String getSSOPublicUrl() { + try { + AuthComponentGeneral auth = getAuthComponentGeneral(); + + SSO sso = auth.getSSO(); + + if (sso!= null) { + String url = sso.getPublicURL(); + + if (MiscUtil.isEmpty(url)) + url = new String(); + + return url; + } + + } catch (ConfigurationException e) { + } + return new String(); + } + /** * Retruns the STORK Configuration * @return STORK Configuration diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java index 1536b907b..4ee9986ff 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java @@ -189,7 +189,7 @@ public class BuildFromLegacyConfig { generalAuth.setSSO(auth_sso); auth_sso.setTarget("BF"); auth_sso.setFriendlyName("EGIZ MOAID 2.0 Beta"); - + //set SecurityLayer Transformations String[] transformsInfoFileNames = builder.buildTransformsInfoFileNames(builder.getConfigElem(), ConfigurationBuilder.AUTH_SECLAYER_TRANSFORMS_INFO_FILENAME_XPATH); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index efb300a1c..4bbd221a5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -27,6 +27,8 @@ package at.gv.egovernment.moa.id.data; import java.io.Serializable; import java.util.Date; +import at.gv.egovernment.moa.id.auth.data.IdentityLink; + /** * Encapsulates authentication data contained in a <saml:Assertion>. * @@ -67,7 +69,13 @@ public class AuthenticationData implements Serializable { /** * user identification type */ - private String identificationType; + private String identificationType; + + /** + * user identityLink specialized to OAParamter + */ + private IdentityLink identityLink; + /** * application specific user identifier (bPK/wbPK) */ @@ -78,11 +86,6 @@ public class AuthenticationData implements Serializable { */ private String bPKType; - -// /** -// * private sector-specific personal identifier (wbPK) -// */ -// private String wbPK; /** * given name of the user */ @@ -450,5 +453,21 @@ public void setBPKType(String bPKType) { this.bPKType = bPKType; } +/** + * @return the identityLink + */ +public IdentityLink getIdentityLink() { + return identityLink; +} + +/** + * @param identityLink the identityLink to set + */ +public void setIdentityLink(IdentityLink identityLink) { + this.identityLink = identityLink; +} + + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index a453010da..22f4a00ad 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -17,6 +17,7 @@ import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; import at.gv.egovernment.moa.id.auth.WrongParametersException; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.AuthenticationManager; @@ -273,11 +274,17 @@ public class DispatcherServlet extends AuthServlet{ RequestStorage.removePendingRequest(httpSession); - if (useSSOOA || isValidSSOSession) { + String moasessionID = HTTPSessionUtils.getHTTPSessionString(req.getSession(), + AuthenticationManager.MOA_SESSION, null); + + AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(moasessionID); + + if ((useSSOOA || isValidSSOSession) + && moasession.isSsoRequested() + && !moasession.getUseMandate()) //TODO: SSO with mandates requires an OVS extension + { + //save SSO session usage in Database - String moasessionID = HTTPSessionUtils.getHTTPSessionString(req.getSession(), - AuthenticationManager.MOA_SESSION, null); - String newSSOSessionId = ssomanager.storeSSOSessionInformations(moasessionID, protocolRequest.getOAURL()); if (newSSOSessionId != null) { @@ -290,7 +297,9 @@ public class DispatcherServlet extends AuthServlet{ } else { authmanager.logout(req, resp); } - + + ConfigurationDBUtils.closeSession(); + //authmanager.logout(req, resp); } catch (Throwable e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 7c2a9d533..4ec734c41 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -212,18 +212,9 @@ public class AuthenticationManager extends AuthServlet { moasession = getORCreateMOASession(request); //parse request parameter into MOASession - try{ - StartAuthentificationParameterParser.parse(request, response, moasession); - - } - catch (WrongParametersException ex) { - handleWrongParameters(ex, request, response); - } - - catch (MOAIDException ex) { - handleError(null, ex, request, response); - } - + + StartAuthentificationParameterParser.parse(request, response, moasession); + Logger.info("Start Authentication Module: " + moasession.getModul() + " Action: " + moasession.getAction()); @@ -274,7 +265,7 @@ public class AuthenticationManager extends AuthServlet { //Build authentication form String loginForm = LoginFormBuilder.buildLoginForm(target.requestedModule(), - target.requestedAction(), oaParam.getFriendlyName()); + target.requestedAction(), oaParam.getFriendlyName(), request.getContextPath()); //store MOASession try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index 1e863ec81..84817ba7a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -1,5 +1,7 @@ package at.gv.egovernment.moa.id.moduls; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; import java.util.List; import javax.servlet.http.Cookie; @@ -13,6 +15,8 @@ import at.gv.egovernment.moa.id.AuthenticationException; import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.HTTPSessionUtils; import at.gv.egovernment.moa.id.util.Random; @@ -34,7 +38,14 @@ public class SSOManager { instance = new SSOManager(); //TODO: move to config based timeout! - sso_timeout = DEFAULTSSOTIMEOUT; + try { + sso_timeout = (int) AuthConfigurationProvider.getInstance().getTimeOuts().getMOASessionUpdated().longValue(); + + } catch (ConfigurationException e) { + Logger.info("SSO Timeout can not be loaded from MOA-ID configuration. Use default Timeout with " + DEFAULTSSOTIMEOUT); + sso_timeout = DEFAULTSSOTIMEOUT; + } + } return instance; @@ -100,10 +111,8 @@ public class SSOManager { public String storeSSOSessionInformations(String moaSessionID, String OAUrl) { - //TODO: use secure random number generation!!!!! String newSSOId = Random.nextRandom(); - - + System.out.println("generate new SSO Tokken (" + newSSOId + ")"); if (MiscUtil.isEmpty(moaSessionID) || MiscUtil.isEmpty(OAUrl)) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 3bbb3bd2a..790c42348 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -48,6 +48,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.id.util.VelocityLogAdapter; public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { @@ -79,6 +80,8 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { actions.put(METADATA, new MetadataAction()); instance = new PVP2XProtocol(); + + new VelocityLogAdapter(); } private static PVP2XProtocol instance = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 6e826005d..97c5e8d20 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -25,6 +25,7 @@ import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; +import at.gv.egovernment.moa.id.auth.stork.VelocityProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; @@ -47,6 +48,7 @@ public class PostBinding implements IDecoder, IEncoder { Credential credentials = CredentialProvider .getIDPSigningCredential(); +// VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine(); VelocityEngine engine = new VelocityEngine(); engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8"); engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8"); @@ -54,6 +56,7 @@ public class PostBinding implements IDecoder, IEncoder { engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath"); engine.setProperty("classpath.resource.loader.class", "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader"); + engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, "org.apache.velocity.runtime.log.SimpleLog4JLogSystem"); engine.init(); HTTPPostEncoder encoder = new HTTPPostEncoder(engine, @@ -75,6 +78,9 @@ public class PostBinding implements IDecoder, IEncoder { } catch (CredentialsNotAvailableException e) { e.printStackTrace(); throw new SecurityException(e); + } catch (Exception e) { + e.printStackTrace(); + throw new SecurityException(e); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java index e464536de..ab880bb9e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java @@ -102,57 +102,57 @@ public class CitizenTokenBuilder { } - public static AttributeStatement buildCitizenToken(MOARequest obj, - AuthenticationSession authSession) { - AttributeStatement statement = - SAML2Utils.createSAMLObject(AttributeStatement.class); - - //TL: AuthData generation is moved out from VerifyAuthBlockServlet - try { - - //TODO: LOAD oaParam from request and not from MOASession in case of SSO - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter(authSession.getPublicOAURLPrefix()); - - AuthenticationData authData = AuthenticationServer.buildAuthenticationData(authSession, - oaParam, - authSession.getTarget()); - - Attribute pvpVersion = buildPVPVersion("2.1"); - Attribute secClass = buildSecClass(3); - Attribute principalName = buildPrincipalName(authData.getFamilyName()); - Attribute givenName = buildGivenName(authData.getGivenName()); - Attribute birthdate = buildBirthday(authData.getDateOfBirth()); - - //TL: getIdentificationValue holds the baseID --> change to pBK - Attribute bpk = buildBPK(authData.getBPK()); - - Attribute eid_citizen_qaa = buildEID_CITIZEN_QAALEVEL(3); - Attribute eid_issuing_nation = buildEID_ISSUING_NATION("AT"); - Attribute eid_sector_for_id = buildEID_SECTOR_FOR_IDENTIFIER(authData.getIdentificationType()); - - statement.getAttributes().add(pvpVersion); - statement.getAttributes().add(secClass); - statement.getAttributes().add(principalName); - statement.getAttributes().add(givenName); - statement.getAttributes().add(birthdate); - statement.getAttributes().add(bpk); - statement.getAttributes().add(eid_citizen_qaa); - statement.getAttributes().add(eid_issuing_nation); - statement.getAttributes().add(eid_sector_for_id); - - return statement; - - } catch (ConfigurationException e) { - - // TODO: check Exception Handling - return null; - } catch (BuildException e) { - - // TODO: check Exception Handling - return null; - } - - - } +// public static AttributeStatement buildCitizenToken(MOARequest obj, +// AuthenticationSession authSession) { +// AttributeStatement statement = +// SAML2Utils.createSAMLObject(AttributeStatement.class); +// +// //TL: AuthData generation is moved out from VerifyAuthBlockServlet +// try { +// +// //TODO: LOAD oaParam from request and not from MOASession in case of SSO +// OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() +// .getOnlineApplicationParameter(authSession.getPublicOAURLPrefix()); +// +// AuthenticationData authData = AuthenticationServer.buildAuthenticationData(authSession, +// oaParam, +// authSession.getTarget()); +// +// Attribute pvpVersion = buildPVPVersion("2.1"); +// Attribute secClass = buildSecClass(3); +// Attribute principalName = buildPrincipalName(authData.getFamilyName()); +// Attribute givenName = buildGivenName(authData.getGivenName()); +// Attribute birthdate = buildBirthday(authData.getDateOfBirth()); +// +// //TL: getIdentificationValue holds the baseID --> change to pBK +// Attribute bpk = buildBPK(authData.getBPK()); +// +// Attribute eid_citizen_qaa = buildEID_CITIZEN_QAALEVEL(3); +// Attribute eid_issuing_nation = buildEID_ISSUING_NATION("AT"); +// Attribute eid_sector_for_id = buildEID_SECTOR_FOR_IDENTIFIER(authData.getIdentificationType()); +// +// statement.getAttributes().add(pvpVersion); +// statement.getAttributes().add(secClass); +// statement.getAttributes().add(principalName); +// statement.getAttributes().add(givenName); +// statement.getAttributes().add(birthdate); +// statement.getAttributes().add(bpk); +// statement.getAttributes().add(eid_citizen_qaa); +// statement.getAttributes().add(eid_issuing_nation); +// statement.getAttributes().add(eid_sector_for_id); +// +// return statement; +// +// } catch (ConfigurationException e) { +// +// // TODO: check Exception Handling +// return null; +// } catch (BuildException e) { +// +// // TODO: check Exception Handling +// return null; +// } +// +// +// } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index f3df7a4df..47887ddc2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -79,31 +79,39 @@ public class GetArtifactAction implements IAction { target); String samlArtifactBase64 = saml1server.BuildSAMLArtifact(session, oaParam, authData); - - String redirectURL = oaURL; - session.getOAURLRequested(); - if (!session.getBusinessService()) { - redirectURL = addURLParameter(redirectURL, PARAM_TARGET, - URLEncoder.encode(session.getTarget(), "UTF-8")); - - } - redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, - URLEncoder.encode(samlArtifactBase64, "UTF-8")); - redirectURL = httpResp.encodeRedirectURL(redirectURL); - - httpResp.setContentType("text/html"); - httpResp.setStatus(302); -// if (AuthenticationSessionStoreage.isSSOSession(session.getSessionID())) { -// String url = "RedirectServlet?"+RedirectServlet.REDIRCT_GETPARAM+"="+redirectURL; -// httpResp.addHeader("Location", url); -// -// } else { + if (AuthenticationSessionStoreage.isSSOSession(session.getSessionID())) { + String url = "RedirectServlet"; + url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8")); + url = addURLParameter(url, PARAM_TARGET, URLEncoder.encode(oaParam.getTarget(), "UTF-8")); + url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); + url = httpResp.encodeRedirectURL(url); + + httpResp.setContentType("text/html"); + httpResp.setStatus(302); + httpResp.addHeader("Location", url); + + } else { + String redirectURL = oaURL; + + //session.getOAURLRequested(); + + if (!oaParam.getBusinessService()) { +// redirectURL = addURLParameter(redirectURL, PARAM_TARGET, +// URLEncoder.encode(session.getTarget(), "UTF-8")); + redirectURL = addURLParameter(redirectURL, PARAM_TARGET, + URLEncoder.encode(oaParam.getTarget(), "UTF-8")); + + + } + redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, + URLEncoder.encode(samlArtifactBase64, "UTF-8")); + redirectURL = httpResp.encodeRedirectURL(redirectURL); + httpResp.setContentType("text/html"); + httpResp.setStatus(302); httpResp.addHeader("Location", redirectURL); -// } - - Logger.debug("REDIRECT TO: " + redirectURL); - + Logger.debug("REDIRECT TO: " + redirectURL); + } // CONFIRMATION FOR SSO! /* * OAAuthParameter oaParam = @@ -146,10 +154,10 @@ public class GetArtifactAction implements IAction { } catch (IOException e) { // TODO Auto-generated catch block e.printStackTrace(); - } //catch (MOADatabaseException e) { -// // TODO Auto-generated catch block -// e.printStackTrace(); -// } + } catch (MOADatabaseException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } } protected static String addURLParameter(String url, String paramname, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java deleted file mode 100644 index 3a2f4ee9f..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java +++ /dev/null @@ -1,140 +0,0 @@ -package at.gv.egovernment.moa.id.protocols.saml1; - -import iaik.util.logging.Log; - -import java.io.IOException; - -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; - -import org.apache.commons.lang.StringEscapeUtils; - -import at.gv.egovernment.moa.id.AuthenticationException; -import at.gv.egovernment.moa.id.BuildException; -import at.gv.egovernment.moa.id.auth.WrongParametersException; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.moduls.AuthenticationManager; -import at.gv.egovernment.moa.id.util.ParamValidatorUtils; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.URLEncoder; - -public class GetArtifactServlet extends AuthServlet { - - /** - * - */ - private static final long serialVersionUID = 3593264832041467899L; - - /** - * Constructor for GetArtifactServlet. - */ - public GetArtifactServlet() { - super(); - } - - @Override - protected void doGet(HttpServletRequest req, HttpServletResponse resp) - throws ServletException, IOException { - - Log.err("Sollte nicht mehr verwendet werden!!!!"); - throw new ServletException("The Servlet Class + " + GetArtifactServlet.class - + " is out of date!!!"); - -// HttpSession httpSession = req.getSession(); -// -// AuthenticationManager authmanager = AuthenticationManager.getInstance(); -// AuthenticationSession session = authmanager.getAuthenticationSession(httpSession); -// -// String oaURL = (String) req.getAttribute(PARAM_OA); -// oaURL = StringEscapeUtils.escapeHtml(oaURL); -// -// String target = (String) req.getAttribute(PARAM_TARGET); -// target = StringEscapeUtils.escapeHtml(target); -// -// try { -// -// // check parameter -// if (!ParamValidatorUtils.isValidOA(oaURL)) -// throw new WrongParametersException("StartAuthentication", -// PARAM_OA, "auth.12"); -// -// if (oaURL == null) { -// oaURL = session.getOAURLRequested(); -// } -// -// if (oaURL == null) { -// throw new WrongParametersException("StartAuthentication", -// PARAM_OA, "auth.12"); -// } -// -// String samlArtifactBase64 = SAML1AuthenticationServer -// .BuildSAMLArtifact(session); -// -// String redirectURL = oaURL; -// session.getOAURLRequested(); -// if (!session.getBusinessService()) { -// redirectURL = addURLParameter(redirectURL, PARAM_TARGET, -// URLEncoder.encode(session.getTarget(), "UTF-8")); -// -// } -// redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, -// URLEncoder.encode(samlArtifactBase64, "UTF-8")); -// redirectURL = resp.encodeRedirectURL(redirectURL); -// -// resp.setContentType("text/html"); -// resp.setStatus(302); -// -// resp.addHeader("Location", redirectURL); -// Logger.debug("REDIRECT TO: " + redirectURL); -// -// // CONFIRMATION FOR SSO! -// /* -// * OAAuthParameter oaParam = -// * AuthConfigurationProvider.getInstance(). -// * getOnlineApplicationParameter(oaURL); -// * -// * String friendlyName = oaParam.getFriendlyName(); if(friendlyName -// * == null) { friendlyName = oaURL; } -// * -// * -// * LoginConfirmationBuilder builder = new -// * LoginConfirmationBuilder(); -// * builder.addParameter(PARAM_SAMLARTIFACT, samlArtifactBase64); -// * String form = builder.finish(oaURL, session.getIdentityLink() -// * .getName(), friendlyName); -// */ -// -// /* -// resp.setContentType("text/html"); -// -// OutputStream out = resp.getOutputStream(); -// out.write(form.getBytes("UTF-8")); -// out.flush(); -// out.close();*/ -// -// } catch (WrongParametersException ex) { -// handleWrongParameters(ex, req, resp); -// } catch (ConfigurationException e) { -// // TODO Auto-generated catch block -// e.printStackTrace(); -// } catch (BuildException e) { -// // TODO Auto-generated catch block -// e.printStackTrace(); -// } catch (AuthenticationException e) { -// // TODO Auto-generated catch block -// e.printStackTrace(); -// } - - } - - @Override - protected void doPost(HttpServletRequest req, HttpServletResponse resp) - throws ServletException, IOException { - doGet(req, resp); - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 1b516fe19..2a7147bcb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -128,17 +128,6 @@ public class SAML1AuthenticationServer extends AuthenticationServer { AuthenticationData authData) throws ConfigurationException, BuildException, AuthenticationException { - //TODO: check, if this is correct!!!! -// String samlAssertion = new AuthenticationDataAssertionBuilder().build( -// authData, session.getAssertionPrPerson(), -// session.getAssertionAuthBlock(), -// session.getAssertionIlAssertion(), session.getBkuURL(), -// session.getAssertionSignerCertificateBase64(), -// session.getAssertionBusinessService(), -// session.getExtendedSAMLAttributesOA(), useCondition, -// conditionLength); - - //Load SAML1 Parameter from OA config OASAML1 saml1parameter = oaParam.getSAML1Parameter(); @@ -162,7 +151,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { //set prPersion boolean provideStammzahl = saml1parameter.isProvideStammzahl(); - String prPerson = new PersonDataBuilder().build(session.getIdentityLink(), + String prPerson = new PersonDataBuilder().build(authData.getIdentityLink(), provideStammzahl); //set Authblock @@ -170,18 +159,18 @@ public class SAML1AuthenticationServer extends AuthenticationServer { .getAuthBlock() : ""; //set IdentityLink for assortion - String ilAssertion = saml1parameter.isProvideIdentityLink() ? session.getIdentityLink() + String ilAssertion = saml1parameter.isProvideIdentityLink() ? authData.getIdentityLink() .getSerializedSamlAssertion() : ""; if (!saml1parameter.isProvideStammzahl()) { - ilAssertion = StringUtils.replaceAll(ilAssertion, session.getIdentityLink() + ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() .getIdentificationValue(), ""); } String samlAssertion; if (session.getUseMandate()) { - List oaAttributes = session.getExtendedSAMLAttributesOA();; + List oaAttributes = session.getExtendedSAMLAttributesOA(); if (saml1parameter.isProvideFullMandatorData()) { @@ -250,7 +239,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { } } - String mandateDate = generateMandateDate(session, oaParam); + String mandateDate = generateMandateDate(session, oaParam, authData); samlAssertion = new AuthenticationDataAssertionBuilder().buildMandate( authData, @@ -280,22 +269,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { } authData.setSamlAssertion(samlAssertion); - - //is removed from MOA-ID 2.0 config -// String assertionFile = AuthConfigurationProvider.getInstance() -// .getGenericConfigurationParameter( -// "AuthenticationServer.WriteAssertionToFile"); -// if (!ParepUtils.isEmpty(assertionFile)) -// try { -// ParepUtils.saveStringToFile(samlAssertion, new File( -// assertionFile)); -// } catch (IOException e) { -// throw new BuildException("builder.00", new Object[] { -// "AuthenticationData", e.toString() }, e); -// } - - - //TODO: get sourceID from oaConfig!!! + String samlArtifact = new SAMLArtifactBuilder().build( session.getAuthURL(), session.getSessionID(), saml1parameter.getSourceID()); @@ -314,7 +288,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { } private String generateMandateDate(AuthenticationSession session, - OAAuthParameter oaParam + OAAuthParameter oaParam, AuthenticationData authData ) throws AuthenticationException, BuildException, ParseException, ConfigurationException, ServiceException, ValidateException { @@ -364,10 +338,19 @@ public class SAML1AuthenticationServer extends AuthenticationServer { .equals(identificationType)) { // now we calculate the wbPK and do so if we got it from the // BKU - identificationType = Constants.URN_PREFIX_WBPK + "+" - + session.getDomainIdentifier(); + + + //load IdentityLinkDomainType from OAParam + String type = oaParam.getIdentityLinkDomainIdentifier(); + if (type.startsWith(Constants.URN_PREFIX_WBPK + "+")) + identificationType = type; + else + identificationType = Constants.URN_PREFIX_WBPK + "+" + + type; + + identificationValue = new BPKBuilder().buildWBPK( - identificationValue, session.getDomainIdentifier()); + identificationValue, identificationType); ParepUtils .HideStammZahlen(prPerson, true, null, null, true); } @@ -379,7 +362,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { tempIdentityLink.setIdentificationValue(identificationValue); tempIdentityLink.setPrPerson(prPerson); try { - tempIdentityLink.setSamlAssertion(session.getIdentityLink() + tempIdentityLink.setSamlAssertion(authData.getIdentityLink() .getSamlAssertion()); } catch (Exception e) { throw new ValidateException("validator.64", null); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index d6cf84d86..fad25bc20 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -95,6 +95,7 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { config.setTarget(oaParam.getTarget()); + //TODO: set reauthenticate if OA.useSSO=false request.getSession().setAttribute(PARAM_OA, oaURL); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 90c938e7f..73308e607 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -117,22 +117,7 @@ public class AuthenticationSessionStoreage { } AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0); - -// //delete old SSO Session Ids -// List oldssosessionids = dbsession.getOldssosessionids(); -// -// for (OldSSOSessionIDStore oldsssid : oldssosessionids) { -// session.delete(oldsssid); -// } -// -// //delete active OA -// List activeOAs = dbsession.getActiveOAsessions(); -// -// for (OASessionStore activeOA : activeOAs) { -// session.delete(activeOA); -// -// } - + //delete MOA Session session.delete(dbsession); session.getTransaction().commit(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index be8e475f2..d6bef8d53 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java @@ -308,18 +308,18 @@ public class ParamValidatorUtils implements MOAIDAuthConstants{ Logger.debug("Parameter MOASessionId ist null"); return true; } - - - Pattern pattern = Pattern.compile("[0-9-]*"); + + Pattern pattern = Pattern.compile("[0-9-]*"); Matcher matcher = pattern.matcher(sessionID); boolean b = matcher.matches(); if (b) { Logger.debug("Parameter MOASessionId erfolgreich ueberprueft"); return true; } - else { - Logger.error("Fehler Ueberpruefung Parameter MOASessionId. MOASessionId entspricht nicht den Kriterien (nur Zeichen 0-9 und -)"); - return false; + else { + Logger.error("Fehler Ueberpruefung Parameter MOASessionId. MOASessionId entspricht nicht den Kriterien (nur Zeichen 0-9 und -)"); + return false; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java index d006dcdfc..f1d0ecd45 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java @@ -24,9 +24,16 @@ package at.gv.egovernment.moa.id.util; + +import iaik.security.random.SeedGenerator; + +import java.io.IOException; import java.nio.ByteBuffer; import java.security.SecureRandom; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; + /** * Random number generator used to generate ID's * @author Paul Ivancsics @@ -35,21 +42,36 @@ import java.security.SecureRandom; public class Random { /** random number generator used */ - private static SecureRandom random = new SecureRandom(); + //private static SecureRandom random = new SecureRandom(); + private static SecureRandom random; + private static SeedGenerator seedgenerator; + + static { + random = iaik.security.random.SHA256FIPS186Random.getDefault(); + seedgenerator = iaik.security.random.AutoSeedGenerator.getDefault(); + + + } /** * Creates a new random number, to be used as an ID. * * @return random long as a String */ public static String nextRandom() { - - byte[] b = new byte[16]; // 16 bytes = 128 bits - random.nextBytes(b); - - ByteBuffer bb = ByteBuffer.wrap(b); - long l = bb.getLong(); + byte[] b = new byte[32]; // 32 bytes = 256 bits + random.nextBytes(b); + + ByteBuffer bb = ByteBuffer.wrap(b); + long l = bb.getLong(); + return "" + l; + + + } + + public static void seedRandom() { - return "" + l; + if (seedgenerator.seedAvailable()) + random.setSeed(seedgenerator.getSeed()); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/VelocityLogAdapter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/VelocityLogAdapter.java new file mode 100644 index 000000000..caa8f1769 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/VelocityLogAdapter.java @@ -0,0 +1,77 @@ +package at.gv.egovernment.moa.id.util; + +import org.apache.velocity.app.Velocity; +import org.apache.velocity.runtime.RuntimeServices; +import org.apache.velocity.runtime.log.LogChute; + +import at.gv.egovernment.moa.logging.Logger; + +public class VelocityLogAdapter implements LogChute { + + public VelocityLogAdapter() { + try + { + /* + * register this class as a logger with the Velocity singleton + * (NOTE: this would not work for the non-singleton method.) + */ + Velocity.setProperty(Velocity.RUNTIME_LOG_LOGSYSTEM, this ); + Velocity.init(); + } + catch (Exception e) + { + Logger.error("Failed to register Velocity logger"); + } + } + + public void init(RuntimeServices arg0) throws Exception { + } + + public boolean isLevelEnabled(int arg0) { + switch(arg0) { + case LogChute.DEBUG_ID: + return Logger.isDebugEnabled(); + case LogChute.TRACE_ID: + return Logger.isTraceEnabled(); + default: + return true; + } + } + + public void log(int arg0, String arg1) { + switch(arg0) { + case LogChute.DEBUG_ID: + Logger.debug(arg1); + break; + case LogChute.TRACE_ID: + Logger.trace(arg1); + break; + case LogChute.INFO_ID: + Logger.info(arg1); + break; + case LogChute.WARN_ID: + Logger.warn(arg1); + break; + case LogChute.ERROR_ID: + default: + Logger.error(arg1); + break; + } + } + + public void log(int arg0, String arg1, Throwable arg2) { + switch(arg0) { + case LogChute.DEBUG_ID: + case LogChute.TRACE_ID: + case LogChute.INFO_ID: + case LogChute.WARN_ID: + Logger.warn(arg1, arg2); + break; + case LogChute.ERROR_ID: + default: + Logger.error(arg1, arg2); + break; + } + } + +} diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 25f1fef9d..f5745873f 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -34,9 +34,10 @@ auth.13=Vollmachtenmodus f�r ausl�ndische B�rger wird nicht unterst�tzt. auth.14=Zertifikat konnte nicht ausgelesen werden. auth.15=Fehler bei Anfrage an Vollmachten Service. auth.16=Fehler bei Abarbeitung der Vollmacht in "{0}" -auth.17=Vollmachtenmodus für nicht-öffentlichen Bereich wird nicht unterstützt. +auth.17=Vollmachtenmodus f�r nicht-�ffentlichen Bereich wird nicht unterst�tzt. auth.18=Keine MOASessionID vorhanden -auth.19=Die Authentifizierung kann nicht passiv durchgeführt werden. +auth.19=Die Authentifizierung kann nicht passiv durchgef�hrt werden. +auth.20=No valid MOA session found. Authentification process is abourted. init.00=MOA ID Authentisierung wurde erfolgreich gestartet init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m?glicherweise nicht verf?gbar diff --git a/id/server/idserverlib/src/main/resources/resources/templates/loginForm.html b/id/server/idserverlib/src/main/resources/resources/templates/loginForm.html index fe17a6d37..38ef53475 100644 --- a/id/server/idserverlib/src/main/resources/resources/templates/loginForm.html +++ b/id/server/idserverlib/src/main/resources/resources/templates/loginForm.html @@ -2,10 +2,10 @@ - - - - + + + + @@ -140,7 +180,7 @@ --> - +