From 83c2f5367b684daa9a66fc44396f95cb281cae01 Mon Sep 17 00:00:00 2001 From: "harald.bratko" Date: Wed, 22 Feb 2006 16:00:46 +0000 Subject: =?UTF-8?q?Alle=20Xpath-Ausdr=C3=BCcke=20entfernt;=20Check,=20ob?= =?UTF-8?q?=20Name=20und=20Geburtsdatum=20mit=20den=20entprechenden=20Wert?= =?UTF-8?q?en=20aus=20der=20Personenbindung=20=C3=BCbereinstimmen,=20einge?= =?UTF-8?q?baut?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@629 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../CreateXMLSignatureResponseValidator.java | 82 ++++++++++++---------- 1 file changed, 44 insertions(+), 38 deletions(-) diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 2eafaa297..7693c3170 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -1,12 +1,13 @@ package at.gv.egovernment.moa.id.auth.validator; import org.w3c.dom.Element; +import org.w3c.dom.NodeList; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.data.SAMLAttribute; import at.gv.egovernment.moa.util.Constants; -import at.gv.egovernment.moa.util.XPathUtils; /** * @@ -17,24 +18,6 @@ import at.gv.egovernment.moa.util.XPathUtils; * @version $Id$ */ public class CreateXMLSignatureResponseValidator { - - /** Xpath prefix for reaching SAML Namespaces */ - private static final String SAML = Constants.SAML_PREFIX + ":"; - /** Xpath prefix for reaching XML-DSIG Namespaces */ - private static final String DSIG = Constants.DSIG_PREFIX + ":"; - /** Xpath expression to the SAML:Assertion element */ - private static final String ROOT = SAML + "Assertion"; - /** Xpath expression to the SAML:NameIdentifier element */ - private static final String SAML_SUBJECT_NAME_IDENTIFIER_XPATH = - SAML + "AttributeStatement/" + SAML + "Subject/" + - SAML + "NameIdentifier"; - /** Xpath expression to the SAML:Attribute element */ - private static final String SAML_ATTRIBUTE_XPATH = - ROOT + "/" + SAML + "AttributeStatement/" + SAML + "Attribute"; - /** Xpath expression to the SAML:AttributeValue element */ - private static final String SAML_ATTRIBUTE_VALUE_XPATH = - SAML + "AttributeValue"; - /** Singleton instance. null, if none has been created. */ private static CreateXMLSignatureResponseValidator instance; @@ -69,52 +52,75 @@ public class CreateXMLSignatureResponseValidator { String oaURL = session.getPublicOAURLPrefix(); boolean businessService = session.getBusinessService(); -// XPathUtils.selectNodeList(createXMLSignatureResponse.getSamlAssertion(),SAML_SUBJECT_NAME_IDENTIFIER_XPATH); + IdentityLink identityLink = session.getIdentityLink(); + + String issuer = createXMLSignatureResponse.getSamlAssertion().getAttribute("Issuer"); + if (issuer == null) { + // should not happen, because parser would dedect this + throw new ValidateException("validator.32", null); + } + String name = identityLink.getName(); + if (!issuer.equals(name)) { + throw new ValidateException("validator.33", new Object[] {issuer, name}); + } + - SAMLAttribute[] samlattributes = createXMLSignatureResponse.getSamlAttributes(); + SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes(); boolean foundOA = false; boolean foundGB = false; boolean foundWBPK = false; - for (int i = 0; i < samlattributes.length; i++) { - if (samlattributes[i].getName().equals("Geschaeftsbereich")) { + for (int i = 0; i < samlAttributes.length; i++) { + SAMLAttribute samlAttribute = samlAttributes[i]; + if (samlAttribute.getName().equals("Geschaeftsbereich")) { if (businessService) { throw new ValidateException("validator.26", null); } - if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { foundGB = true; - if (!gbTarget.equals((String)samlattributes[i].getValue())) { + if (!gbTarget.equals((String)samlAttribute.getValue())) { throw new ValidateException("validator.13", null); } } else { throw new ValidateException("validator.12", null); } } - if (samlattributes[i].getName().equals("OA")) { - if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + if (samlAttribute.getName().equals("OA")) { + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { foundOA = true; - if (!oaURL.equals((String)samlattributes[i].getValue())) { // CHECKS für die AttributeVALUES fehlen noch - throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlattributes[i].getValue()}); + if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch + throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); } } else { throw new ValidateException("validator.15", null); } } - if (samlattributes[i].getName().equals("wbPK")) { + if (samlAttribute.getName().equals("Geburtsdatum")) { + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String samlDateOfBirth = (String)samlAttribute.getValue(); + String dateOfBirth = identityLink.getDateOfBirth(); + if (!samlDateOfBirth.equals(dateOfBirth)) { + throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth}); + } + } else { + throw new ValidateException("validator.35", null); + } + } + if (samlAttribute.getName().equals("wbPK")) { if (!businessService) { throw new ValidateException("validator.27", null); } - if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { foundWBPK = true; try { - Element attrValue = (Element)samlattributes[i].getValue(); + Element attrValue = (Element)samlAttribute.getValue(); String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); - if (!value.equals(session.getIdentityLink().getIdentificationValue())) { + if (!value.equals(identityLink.getIdentificationValue())) { throw new ValidateException("validator.28", null); } - if (!type.equals(session.getIdentityLink().getIdentificationType())) { + if (!type.equals(identityLink.getIdentificationType())) { throw new ValidateException("validator.28", null); } } catch (Exception ex) { @@ -134,9 +140,9 @@ public class CreateXMLSignatureResponseValidator { } //Check if dsig:Signature exists - Element dsigSignature = (Element) XPathUtils.selectSingleNode(createXMLSignatureResponse.getSamlAssertion(),DSIG + "Signature"); - if (dsigSignature==null) throw new ValidateException("validator.05", null); - - + NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature"); + if (nl.getLength() != 1) { + throw new ValidateException("validator.05", null); + } } } -- cgit v1.2.3