From 8cdac4252e1ea43aada04b71ee95d2509c4a75f3 Mon Sep 17 00:00:00 2001
From: Florian Reimair <florian.reimair@iaik.tugraz.at>
Date: Tue, 21 Jan 2014 16:02:14 +0100
Subject: respect global mandatory state of attributes

---
 .../moa/id/auth/AuthenticationServer.java          | 354 ++++++++++-----------
 .../moa/id/config/stork/STORKConfig.java           | 126 ++++----
 2 files changed, 239 insertions(+), 241 deletions(-)

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 3857cd15c..0fbcc97b2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -106,6 +106,7 @@ import at.gv.egovernment.moa.id.client.SZRGWClient;
 import at.gv.egovernment.moa.id.client.SZRGWClientException;
 import at.gv.egovernment.moa.id.commons.db.dao.config.IdentificationNumber;
 import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute;
+import at.gv.egovernment.moa.id.commons.db.dao.config.StorkAttribute;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.ConnectionParameter;
@@ -118,7 +119,6 @@ import at.gv.egovernment.moa.id.storage.AssertionStorage;
 import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl;
 import at.gv.egovernment.moa.id.util.HTTPUtils;
-import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
 import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.id.util.SSLUtils;
 import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
@@ -138,23 +138,14 @@ import eu.stork.peps.auth.commons.PEPSUtil;
 import eu.stork.peps.auth.commons.PersonalAttribute;
 import eu.stork.peps.auth.commons.PersonalAttributeList;
 import eu.stork.peps.auth.commons.STORKAuthnRequest;
-import eu.stork.peps.auth.engine.SAMLEngine;
 import eu.stork.peps.auth.engine.STORKSAMLEngine;
-import eu.stork.peps.auth.engine.core.QAAAttribute;
-import eu.stork.peps.auth.engine.core.RequestedAttribute;
-import eu.stork.peps.auth.engine.core.RequestedAttributes;
-import eu.stork.peps.auth.engine.core.impl.QAAAttributeBuilder;
-import eu.stork.peps.auth.engine.core.impl.RequestedAttributeBuilder;
-import eu.stork.peps.auth.engine.core.impl.RequestedAttributesBuilder;
-import eu.stork.peps.exceptions.SAMLEngineException;
 import eu.stork.peps.exceptions.STORKSAMLEngineException;
-import eu.stork.vidp.messages.builder.STORKMessagesBuilder;
 import eu.stork.vidp.messages.util.XMLUtil;
 
 /**
  * API for MOA ID Authentication Service.<br> {@link AuthenticationSession} is
  * stored in a session store and retrieved by giving the session ID.
- * 
+ *
  * @author Paul Ivancsics
  * @version $Id: AuthenticationServer.java 1273 2012-02-27 14:50:18Z kstranacher
  *          $
@@ -177,7 +168,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 
 	/**
 	 * Returns the single instance of <code>AuthenticationServer</code>.
-	 * 
+	 *
 	 * @return the single instance of <code>AuthenticationServer</code>
 	 */
 	public static AuthenticationServer getInstance() {
@@ -208,7 +199,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 * response to</li>
 	 * </ul>
 	 * </ul>
-	 * 
+	 *
 	 * @param authURL
 	 *            URL of the servlet to be used as data URL
 	 * @param target
@@ -243,13 +234,13 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		if (session == null) {
 			throw new AuthenticationException("auth.18", new Object[] { });
 		}
-		
+
 		//load OnlineApplication configuration
 	    OAAuthParameter oaParam =
 		          AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 		        if (oaParam == null)
 		          throw new AuthenticationException("auth.00", new Object[] { session.getPublicOAURLPrefix() });
-		
+
 		//load Template
 		String template = null;
 		if (session.getTemplateURL() != null) {
@@ -262,7 +253,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		}
 
 		String infoboxReadRequest = "";
-		
+
 		if (session.isSsoRequested()) {
 			//load identityLink with SSO Target
 			boolean isbuisness = false;
@@ -272,50 +263,50 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 				isbuisness = true;
 				domainIdentifier = ssobusiness.getValue();
 			}
-		
+
 			//build ReadInfobox request
 			infoboxReadRequest = new InfoboxReadRequestBuilder().build(
 					isbuisness, domainIdentifier);
-			
+
 		} else {
 			//build ReadInfobox request
 			infoboxReadRequest = new InfoboxReadRequestBuilder().build(
 					oaParam.getBusinessService(), oaParam
 						.getIdentityLinkDomainIdentifier());
 		}
-		
+
 
 		String dataURL = new DataURLBuilder().buildDataURL(
 				session.getAuthURL(), REQ_VERIFY_IDENTITY_LINK, session
 						.getSessionID());
-		
+
 		//removed in MOAID 2.0
 		String pushInfobox = "";
-		
+
 //		VerifyInfoboxParameters verifyInfoboxParameters = oaParam
 //				.getVerifyInfoboxParameters();
 //		if (verifyInfoboxParameters != null) {
 //			pushInfobox = verifyInfoboxParameters.getPushInfobox();
 //			session.setPushInfobox(pushInfobox);
 //		}
-		
+
 		//build CertInfo request
 		String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder()
 				.build();
 		String certInfoDataURL = new DataURLBuilder()
 				.buildDataURL(session.getAuthURL(), REQ_START_AUTHENTICATION,
 						session.getSessionID());
-		
+
 		//get Applet Parameters
     	String appletwidth = req.getParameter(PARAM_APPLET_WIDTH);
     	String appletheigth = req.getParameter(PARAM_APPLET_HEIGTH);
     	appletheigth = StringEscapeUtils.escapeHtml(appletheigth);
     	appletwidth = StringEscapeUtils.escapeHtml(appletwidth);
-		
+
 		String htmlForm = new GetIdentityLinkFormBuilder().build(template,
 				session.getBkuURL(), infoboxReadRequest, dataURL, certInfoRequest,
 				certInfoDataURL, pushInfobox, oaParam, appletheigth, appletwidth);
-		
+
 		return htmlForm;
 	}
 
@@ -335,7 +326,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 * containg the authentication block, meant to be returned to the security
 	 * layer implementation</li>
 	 * </ul>
-	 * 
+	 *
 	 * @param sessionID
 	 *            ID of associated authentication session data
 	 * @param infoboxReadResponseParameters
@@ -343,7 +334,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 *            including the <code>&lt;InfoboxReadResponse&gt;</code>
 	 * @return String representation of the
 	 *         <code>&lt;CreateXMLSignatureRequest&gt;</code>
-	 * @throws BKUException 
+	 * @throws BKUException
 	 */
 	public String verifyIdentityLink(AuthenticationSession session,
 			Map<String, String> infoboxReadResponseParameters) throws AuthenticationException,
@@ -360,7 +351,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		if (isEmpty(xmlInfoboxReadResponse))
 			throw new AuthenticationException("auth.10", new Object[] {
 					REQ_VERIFY_IDENTITY_LINK, PARAM_XMLRESPONSE });
-		
+
 		AuthConfigurationProvider authConf = AuthConfigurationProvider
 				.getInstance();
 
@@ -420,7 +411,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 
 		session.setIdentityLink(identityLink);
 		// now validate the extended infoboxes
-		
+
 		//Removed in MOA-ID 2.0
 		//verifyInfoboxes(session, infoboxReadResponseParameters, false);
 
@@ -443,7 +434,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 * containg the authentication block, meant to be returned to the security
 	 * layer implementation</li>
 	 * </ul>
-	 * 
+	 *
 	 * @param sessionID
 	 *            ID of associated authentication session data
 	 * @param infoboxReadResponseParameters
@@ -468,14 +459,14 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 				if (certificate.getExtension(OWid) != null) {
 					session.setOW(true);
 				}
-			
+
 			}
-			
+
 		} catch (X509ExtensionInitException e) {
 			Logger.warn("Certificate extension is not readable.");
 			session.setOW(false);
 		}
-				
+
 		AuthConfigurationProvider authConf = AuthConfigurationProvider
 				.getInstance();
 
@@ -484,10 +475,10 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 
 		String returnvalue = getCreateXMLSignatureRequestAuthBlockOrRedirect(session,
 				authConf, oaParam);
-			
+
 		return returnvalue;
 	}
-	
+
 	/**
 	 * Processes an <code>Mandate</code> sent by the MIS.<br>
 	 * <ul>
@@ -498,7 +489,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 * containg the authentication block, meant to be returned to the security
 	 * layer implementation</li>
 	 * </ul>
-	 * 
+	 *
 	 * @param sessionID
 	 *            ID of associated authentication session data
 	 * @param infoboxReadResponseParameters
@@ -522,10 +513,10 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 			// sets the extended SAML attributes for OID (Organwalter)
 			setExtendedSAMLAttributeForMandatesOID(session, mandate, oaParam
 					.getBusinessService());
-			
+
 			validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService());
-			
-			
+
+
 		} catch (SAXException e) {
 			throw new AuthenticationException("auth.16",
 					new Object[] { GET_MIS_SESSIONID }, e);
@@ -539,11 +530,11 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 			throw new AuthenticationException("auth.16",
 					new Object[] { GET_MIS_SESSIONID }, e);
 		}
-		
+
 	}
 
 	/**
-	 * 
+	 *
 	 * @param session
 	 * @param authConf
 	 * @param oaParam
@@ -588,7 +579,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 * <ul>
 	 * <li>Creates an CreateXMLSignatureRequest to be signed by the user</li>
 	 * </ul>
-	 * 
+	 *
 	 * @param sessionID
 	 *            ID of associated authentication session data
 	 * @param cert
@@ -610,7 +601,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 
 		OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
 				.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
-		
+
 		return getCreateXMLSignatureRequestForeigID(session, authConf, oaParam,
 				cert);
 	}
@@ -648,13 +639,13 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 * <li>Verifies signature by calling the MOA SP component</li>
 	 * <li>Returns the signer certificate</li>
 	 * </ul>
-	 * 
+	 *
 	 * @param sessionID
 	 *            ID of associated authentication session data
 	 * @param createXMLSignatureResponseParameters
 	 *            The parameters from the response returned from the BKU
 	 *            including the <code>&lt;CreateXMLSignatureResponse&gt;</code>
-	 * @throws BKUException 
+	 * @throws BKUException
 	 */
 	public X509Certificate verifyXMLSignature(String sessionID,
 			Map<String, String> createXMLSignatureResponseParameters)
@@ -708,13 +699,13 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 * <li>Verifies signature by calling the MOA SP component</li>
 	 * <li>Returns the signer certificate</li>
 	 * </ul>
-	 * 
+	 *
 	 * @param sessionID
 	 *            ID of associated authentication session data
 	 * @param readInfoboxResponseParameters
 	 *            The parameters from the response returned from the BKU
 	 *            including the <code>&lt;ReadInfoboxResponse&gt;</code>
-	 * @throws BKUException 
+	 * @throws BKUException
 	 */
 	public X509Certificate getCertificate(String sessionID,
 			Map<String, String> readInfoboxResponseParameters) throws AuthenticationException,
@@ -744,80 +735,80 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	/**
 	 * Builds an authentication block <code>&lt;saml:Assertion&gt;</code> from
 	 * given session data.
-	 * 
+	 *
 	 * @param session
 	 *            authentication session
-	 * 
+	 *
 	 * @return <code>&lt;saml:Assertion&gt;</code> as a String
-	 * 
+	 *
 	 * @throws BuildException
 	 *             If an error occurs on serializing an extended SAML attribute
 	 *             to be appended to the AUTH-Block.
 	 */
 	private String buildAuthenticationBlock(AuthenticationSession session,
 			OAAuthParameter oaParam) throws BuildException {
-		
+
 		IdentityLink identityLink = session.getIdentityLink();
 		String issuer = identityLink.getName();
 		String gebDat = identityLink.getDateOfBirth();
 
 		String identificationValue = null;
 		String identificationType = null;
-		
+
 		//set empty AuthBlock BPK in case of OW or SSO or bpk is not requested
 		if (session.isOW() || session.isSsoRequested() || oaParam.isRemovePBKFromAuthBlock()) {
 			identificationType = "";
 			identificationValue = "";
-			
+
 		} else if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
 
 			if (oaParam.getBusinessService()) {
-			
+
 				String bpkBase64 = new BPKBuilder().buildWBPK(identityLink
 							.getIdentificationValue(), oaParam.getIdentityLinkDomainIdentifier());
 				identificationValue = bpkBase64;
-				
+
 			    if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK + "+" ))
 			    	identificationType = oaParam.getIdentityLinkDomainIdentifier();
 			    else
 			    	identificationType = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier();
-				
+
 			} else {
 				String bpkBase64 = new BPKBuilder().buildBPK(identityLink
 							.getIdentificationValue(), session.getTarget());
 				identificationValue = bpkBase64;
 				identificationType = Constants.URN_PREFIX_CDID + "+" + session.getTarget();
 			}
-			
+
 
 		} else {
 			identificationValue = identityLink.getIdentificationValue();
 			identificationType = identityLink.getIdentificationType();
-			
+
 		}
-				
+
 		String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar
 				.getInstance());
 		session.setIssueInstant(issueInstant);
 		String authURL = session.getAuthURL();
 		String target = session.getTarget();
 		String targetFriendlyName = session.getTargetFriendlyName();
-		
+
 		// Bug #485
 		// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
 		// String oaURL = session.getPublicOAURLPrefix();
-		
+
 		List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
-		
-		
+
+
 		if (session.isSsoRequested()) {
 			String oaURL =new String();
 			try {
 				oaURL = AuthConfigurationProvider.getInstance().getSSOPublicUrl();
-				
+
 				if (MiscUtil.isNotEmpty(oaURL))
 					oaURL = oaURL.replaceAll("&", "&amp;");
-				
+
 			} catch (ConfigurationException e) {
 			}
 			String authBlock = new AuthenticationBlockAssertionBuilder()
@@ -826,7 +817,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 						identificationType, oaURL, gebDat,
 						extendedSAMLAttributes, session, oaParam);
 			return authBlock;
-			
+
 		} else {
 			String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&amp;");
 			String authBlock = new AuthenticationBlockAssertionBuilder()
@@ -835,20 +826,20 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 						identificationType, oaURL, gebDat,
 						extendedSAMLAttributes, session, oaParam);
 			return authBlock;
-		}		
+		}
 	}
-	
+
 
 
 	/**
 	 * Verifies the infoboxes (except of the identity link infobox) returned by
 	 * the BKU by calling appropriate validator classes.
-	 * 
+	 *
 	 * @param session
 	 *            The actual authentication session.
 	 * @param mandate
 	 *            The Mandate from the MIS
-	 * 
+	 *
 	 * @throws AuthenticationException
 	 * @throws ConfigurationException
 	 * @throws TransformerException
@@ -871,19 +862,19 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 
 			verifySAMLAttribute(samlAttribute, i, "MISService",
 					"MISService");
-			
+
 		}
 	}
 
 	/**
 	 * Verifies the infoboxes (except of the identity link infobox) returned by
 	 * the BKU by calling appropriate validator classes.
-	 * 
+	 *
 	 * @param session
 	 *            The actual authentication session.
 	 * @param mandate
 	 *            The Mandate from the MIS
-	 * 
+	 *
 	 * @throws AuthenticationException
 	 * @throws ConfigurationException
 	 * @throws TransformerException
@@ -908,7 +899,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 * Adds given SAML Attributes to the current session. They will be appended
 	 * to the final SAML Assertion or the AUTH block. If the attributes are
 	 * already in the list, they will be replaced.
-	 * 
+	 *
 	 * @param session
 	 *            The current session
 	 * @param extendedSAMLAttributes
@@ -979,7 +970,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 * Adds the AUTH block related SAML attributes to the validation result.
 	 * This is needed always before the AUTH block is to be signed, because the
 	 * name of the mandator has to be set
-	 * 
+	 *
 	 * @throws ParserConfigurationException
 	 * @throws IOException
 	 * @throws SAXException
@@ -1046,7 +1037,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 * Adds the AUTH block related SAML attributes to the validation result.
 	 * This is needed always before the AUTH block is to be signed, because the
 	 * name of the mandator has to be set
-	 * 
+	 *
 	 * @throws ParserConfigurationException
 	 * @throws IOException
 	 * @throws SAXException
@@ -1091,7 +1082,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	}
 
 	/**
-	 * 
+	 *
 	 * @param mandate
 	 * @return
 	 * @throws ParserConfigurationException
@@ -1143,7 +1134,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 * <li>Deletes authentication session</li>
 	 * <li>Returns the SAML artifact, encoded BASE64</li>
 	 * </ul>
-	 * 
+	 *
 	 * @param sessionID
 	 *            session ID of the running authentication session
 	 * @param xmlCreateXMLSignatureReadResponse
@@ -1151,20 +1142,20 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 *            <code>&lt;CreateXMLSignatureResponse&gt;</code>
 	 * @return SAML artifact needed for retrieving authentication data, encoded
 	 *         BASE64
-	 * @throws BKUException 
+	 * @throws BKUException
 	 */
 	public String verifyAuthenticationBlock(AuthenticationSession session,
 			String xmlCreateXMLSignatureReadResponse)
 			throws AuthenticationException, BuildException, ParseException,
 			ConfigurationException, ServiceException, ValidateException, BKUException {
-		
+
 		if (session == null)
 			throw new AuthenticationException("auth.10", new Object[] {
 					REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID });
 		if (isEmpty(xmlCreateXMLSignatureReadResponse))
 			throw new AuthenticationException("auth.10", new Object[] {
 					REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE });
-				
+
 		AuthConfigurationProvider authConf = AuthConfigurationProvider
 				.getInstance();
 		// parses <CreateXMLSignatureResponse>
@@ -1187,7 +1178,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 			new CreateXMLSignatureResponseValidator().validateSSO(csresp, session);
 		else
 			new CreateXMLSignatureResponseValidator().validate(csresp, session);
-		
+
 		// builds a <VerifyXMLSignatureRequest> for a MOA-SPSS call
 		List<String> vtids = authConf.getMoaSpAuthBlockVerifyTransformsInfoIDs();
 		String tpid = authConf.getMoaSpAuthBlockTrustProfileID();
@@ -1226,7 +1217,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		// Compare AuthBlock Data with information stored in session, especially
 		// date and time
 		CreateXMLSignatureResponseValidator.getInstance().validateSigningDateTime(csresp);
-		
+
 		// compares the public keys from the identityLink with the AuthBlock
 		VerifyXMLSignatureResponseValidator.getInstance().validateCertificate(
 				vsresp, session.getIdentityLink());
@@ -1269,29 +1260,29 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 				}
 			}
 		}
-		
+
 		session.setXMLVerifySignatureResponse(vsresp);
 		session.setSignerCertificate(vsresp.getX509certificate());
 		vsresp.setX509certificate(null);
 		session.setForeigner(false);
-		
+
 		if (session.getUseMandate()) {
 			// mandate mode
 			return null;
-			
+
 		} else {
-			
+
 			session.setAuthenticatedUsed(false);
 			session.setAuthenticated(true);
-					
+
 			String oldsessionID = session.getSessionID();
-			
+
 			//Session is implicte stored in changeSessionID!!!
 			String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session);
-			
+
 			Logger.info("Changed MOASession " + oldsessionID + " to Session " + newMOASessionID);
 			Logger.info("Daten angelegt zu MOASession " + newMOASessionID);
-			
+
 			return newMOASessionID;
 		}
 	}
@@ -1313,7 +1304,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 * <li>Deletes authentication session</li>
 	 * <li>Returns the SAML artifact, encoded BASE64</li>
 	 * </ul>
-	 * 
+	 *
 	 * @param sessionID
 	 *            session ID of the running authentication session
 	 * @param xmlCreateXMLSignatureReadResponse
@@ -1374,7 +1365,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 * <li>Deletes authentication session</li>
 	 * <li>Returns the SAML artifact, encoded BASE64</li>
 	 * </ul>
-	 * 
+	 *
 	 * @param sessionID
 	 *            session ID of the running authentication session
 	 * @return SAML artifact needed for retrieving authentication data, encoded
@@ -1383,11 +1374,11 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	public String getForeignAuthenticationData(AuthenticationSession session)
 			throws AuthenticationException, BuildException, ParseException,
 			ConfigurationException, ServiceException, ValidateException {
-		
+
 		if (session == null)
 			throw new AuthenticationException("auth.10", new Object[] {
 					REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID });
-		
+
 		// post processing of the infoboxes
 		Iterator iter = session.getInfoboxValidatorIterator();
 		boolean formpending = false;
@@ -1430,10 +1421,10 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponse();
 		X509Certificate cert = session.getSignerCertificate();
 		vsresp.setX509certificate(cert);
-		
+
 		session.setAuthenticatedUsed(false);
 		session.setAuthenticated(true);
-		
+
 
 		session.setXMLVerifySignatureResponse(vsresp);
 		session.setSignerCertificate(vsresp.getX509certificate());
@@ -1447,7 +1438,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	/**
 	 * Builds the AuthenticationData object together with the corresponding
 	 * <code>&lt;saml:Assertion&gt;</code>
-	 * 
+	 *
 	 * @param session
 	 *            authentication session
 	 * @param verifyXMLSigResp
@@ -1467,23 +1458,23 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 
 		IdentityLink identityLink = session.getIdentityLink();
 		AuthenticationData authData = new AuthenticationData();
-	
+
 		VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse();
-		
+
 		boolean businessService = oaParam.getBusinessService();
-		
+
 		authData.setMajorVersion(1);
 		authData.setMinorVersion(0);
 		authData.setAssertionID(Random.nextRandom());
 		authData.setIssuer(session.getAuthURL());
-		
+
 		authData.setIssueInstant(DateTimeUtils.buildDateTimeUTC(Calendar
 				.getInstance()));
-		
+
 		//baseID or wbpk in case of BusinessService without SSO or BusinessService SSO
 		authData.setIdentificationValue(identityLink.getIdentificationValue());
 		authData.setIdentificationType(identityLink.getIdentificationType());
-		
+
 		authData.setGivenName(identityLink.getGivenName());
 		authData.setFamilyName(identityLink.getFamilyName());
 		authData.setDateOfBirth(identityLink.getDateOfBirth());
@@ -1493,25 +1484,25 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		authData.setPublicAuthorityCode(verifyXMLSigResp
 				.getPublicAuthorityCode());
 		authData.setBkuURL(session.getBkuURL());
-		
+
 		try {
-			
+
 			if (session.getUseMandate() && session.isOW()) {
 				MISMandate mandate = session.getMISMandate();
 				authData.setBPK(mandate.getOWbPK());
 				authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW");
 				authData.setIdentityLink(identityLink);
-				
+
 				Logger.trace("Authenticated User is OW: " + mandate.getOWbPK());
-				
+
 			} else {
-			
+
 				if (businessService) {
 					//since we have foreigner, wbPK is not calculated in BKU
 					if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
-							
+
 					 	String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
-						 
+
 						if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) {
 							// If domainIdentifier starts with prefix
 							// "urn:publicid:gv.at:wbpk+"; remove this prefix
@@ -1519,47 +1510,47 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 									.substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length());
 							Logger.debug("Register and ordernumber prefix stripped off; resulting register string: "
 									+ registerAndOrdNr);
-						} 
-							    
+						}
+
 						String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr);
 						authData.setBPK(wbpkBase64);
 						authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr);
-						
+
 					} else {
 						authData.setBPK(identityLink.getIdentificationValue());
 						authData.setBPKType(identityLink.getIdentificationType());
-						
+
 					}
-					
+
 					Logger.trace("Authenticate user with wbPK " + authData.getBPK());
-					
+
 					Element idlassertion = session.getIdentityLink().getSamlAssertion();
 					//set bpk/wpbk;
 					Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
 					prIdentification.getFirstChild().setNodeValue(authData.getBPK());
-					//set bkp/wpbk type 
+					//set bkp/wpbk type
 					Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH);
 					prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType());
-					
+
 					IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion);
 					IdentityLink idl = idlparser.parseIdentityLink();
 					authData.setIdentityLink(idl);
-					
+
 				} else {
-									
-					if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { 
+
+					if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) {
 						// only compute bPK if online application is a public service and we have the Stammzahl
 						String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target);
 						authData.setBPK(bpkBase64);
 						authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
 					}
-					
+
 					Logger.trace("Authenticate user with bPK " + authData.getBPK());
-					
+
 					authData.setIdentityLink(identityLink);
 				}
 			}
-				
+
 			return authData;
 
 		} catch (Throwable ex) {
@@ -1570,7 +1561,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 
 	/**
 	 * Retrieves a session from the session store.
-	 * 
+	 *
 	 * @param id
 	 *            session ID
 	 * @return <code>AuthenticationSession</code> stored with given session ID,
@@ -1578,7 +1569,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 */
 	public static AuthenticationSession getSession(String id)
 			throws AuthenticationException {
-		
+
 		AuthenticationSession session;
 		try {
 			session = AuthenticationSessionStoreage.getSession(id);
@@ -1586,10 +1577,10 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 			if (session == null)
 				throw new AuthenticationException("auth.02", new Object[] { id });
 			return session;
-			
+
 		} catch (MOADatabaseException e) {
 			throw new AuthenticationException("parser.04", new Object[] { id });
-		} 
+		}
 	}
 
 	/**
@@ -1597,38 +1588,38 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 */
 	public void cleanup() {
 		long now = new Date().getTime();
-		
-		//clean AuthenticationSessionStore		
-			
+
+		//clean AuthenticationSessionStore
+
 		AuthenticationSessionStoreage.clean(now, sessionTimeOutCreated, sessionTimeOutUpdated);
-			
+
 		//clean AssertionStore
 		AssertionStorage assertionstore = AssertionStorage.getInstance();
 		assertionstore.clean(now, authDataTimeOut);
-		
-		//clean ExeptionStore 
+
+		//clean ExeptionStore
 		DBExceptionStoreImpl exstore = DBExceptionStoreImpl.getStore();
 		exstore.clean(now, authDataTimeOut);
-		
+
 	}
 
 	/**
 	 * Sets the sessionTimeOut.
-	 * 
+	 *
 	 * @param seconds
 	 *            Time out of the session in seconds
 	 */
 	public void setSecondsSessionTimeOutCreated(long seconds) {
 		sessionTimeOutCreated = seconds * 1000;
 	}
-	
+
 	public void setSecondsSessionTimeOutUpdated(long seconds) {
 		sessionTimeOutUpdated = seconds * 1000;
 	}
 
 	/**
 	 * Sets the authDataTimeOut.
-	 * 
+	 *
 	 * @param seconds
 	 *            Time out for signing AuthData in seconds
 	 */
@@ -1638,7 +1629,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 
 	/**
 	 * Checks a parameter.
-	 * 
+	 *
 	 * @param param
 	 *            parameter
 	 * @return true if the parameter is null or empty
@@ -1649,7 +1640,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 
 	/**
 	 * Checks the correctness of SAML attributes and returns its value.
-	 * 
+	 *
 	 * @param param
 	 *            samlAttribute
 	 * @param i
@@ -1698,7 +1689,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 
 		return value;
 	}
-	
+
 	/**
 	   * Does the request to the SZR-GW
 	   * @param signature XMLDSIG signature
@@ -1779,13 +1770,13 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		    return null;
 		
 	  }
-	
+
 	/**
 	 * Starts a MOA-ID authentication process using STORK
 	 * @param req HttpServletRequest
 	 * @param resp HttpServletResponse
 	 * @param ccc Citizen country code
-	 * @param oaURL URL of the online application 
+	 * @param oaURL URL of the online application
 	 * @param target Target parameter
 	 * @param targetFriendlyName Friendly Name of Target
 	 * @param authURL Authentication URL
@@ -1797,36 +1788,34 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 */
 	public static void startSTORKAuthentication(
 			HttpServletRequest req,
-			HttpServletResponse resp, 
+			HttpServletResponse resp,
 			AuthenticationSession moasession) throws MOAIDException, AuthenticationException, WrongParametersException, ConfigurationException {
-		
+
 		if (moasession == null) {
 			throw new AuthenticationException("auth.18", new Object[] { });
 		}
-		
+
 		//read configuration paramters of OA
 		OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moasession.getPublicOAURLPrefix());
 		if (oaParam == null)
 				throw new AuthenticationException("auth.00", new Object[] { moasession.getPublicOAURLPrefix() });
-		
-		//Start of STORK Processing		
+
+		//Start of STORK Processing
 		STORKConfig storkConfig = AuthConfigurationProvider.getInstance().getStorkConfig();
-		
+
 		CPEPS cpeps = storkConfig.getCPEPS(moasession.getCcc());
-    	
-		Logger.debug("Preparing to assemble STORK AuthnRequest witht the following values:");		
-    	String destination = cpeps.getPepsURL().toExternalForm();    	
+
+		Logger.debug("Preparing to assemble STORK AuthnRequest witt the following values:");
+    	String destination = cpeps.getPepsURL().toExternalForm();
     	Logger.debug("C-PEPS URL: " + destination);
-    	
+
     	String acsURL = HTTPUtils.getBaseURL(req) + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN;
     	Logger.debug("MOA Assertion Consumer URL (PEPSConnctor): " + acsURL);
-    	
+
     	String providerName= oaParam.getFriendlyName();
     	String issuerValue = HTTPUtils.getBaseURL(req);
     	Logger.debug("Issuer value: " + issuerValue);
 
-
-
     	// prepare collection of required attributes
     	// - attributes for online application
     	List<OAStorkAttribute> attributesFromConfig = oaParam.getRequestedAttributes();
@@ -1838,7 +1827,15 @@ public class AuthenticationServer implements MOAIDAuthConstants {
     	for(OAStorkAttribute current : attributesFromConfig) {
 	    	PersonalAttribute newAttribute = new PersonalAttribute();
 	    	newAttribute.setName(current.getName());
-	    	newAttribute.setIsRequired(current.isMandatory());
+
+	    	boolean globallyMandatory = false;
+	    	for(StorkAttribute currentGlobalAttribute : storkConfig.getStorkAttributes())
+	    		if(current.getName().equals(currentGlobalAttribute.getName())) {
+	    			globallyMandatory = currentGlobalAttribute.isMandatory();
+	    			break;
+	    		}
+
+	    	newAttribute.setIsRequired(current.isMandatory() || globallyMandatory);
 	    	attributeList.add(newAttribute);
     	}
 
@@ -1867,32 +1864,23 @@ public class AuthenticationServer implements MOAIDAuthConstants {
     	authnRequest.setSpSector(spSector);
     	authnRequest.setPersonalAttributeList(attributeList);
 
-//    			STORKAuthnRequestProcessor.generateSTORKAuthnRequest(
-//    			destination,
-//    			acsURL,
-//    			providerName,
-//    			issuerValue,
-//    			qaaLevel,
-//    			spInstitution,
-//    			spApplication,
-//    			spCountry,
-//    			spSector,
-//    			requestedAttributes,
-
-//    			textToBeSigned,
-//    			"application/xhtml+xml");
+    	authnRequest.setEIDCrossBorderShare(true);
+    	authnRequest.setEIDCrossSectorShare(true);
+    	authnRequest.setEIDSectorShare(true);
+
+    	authnRequest.setCitizenCountryCode("LOCAL");
+
 
     	Logger.debug("STORK AuthnRequest succesfully assembled.");
 
     	STORKSAMLEngine samlEngine = STORKSAMLEngine.getInstance("CONF0");
     	try {
     		authnRequest = samlEngine.generateSTORKAuthnRequest(authnRequest);
-//			authnRequest = STORKAuthnRequestProcessor.signSTORKAuthnRequest(authnRequest, keyStorePath, keyStorePassword, keyName, keyPassword);
     	} catch (STORKSAMLEngineException e) {
 			Logger.error("Could not sign STORK SAML AuthnRequest.", e);
 			throw new MOAIDException("stork.00", null);
 		}
-    	
+
 		Logger.info("STORK AuthnRequest successfully signed!");
 		
     	//validate AuthnRequest
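Review bot: The three `setEIDCrossBorderShare(true)`, `setEIDCrossSectorShare(true)`, `setEIDSectorShare(true)` calls and `setCitizenCountryCode("LOCAL")` hard-code request-wide values that look like they belong to the online application's configuration rather than to every request: as written, each relying party unconditionally declares that the eID may be shared across sectors and borders, and the citizen country code ignores `moasession.getCcc()` that was used to select the C-PEPS a few lines earlier. If the literal values are deliberate (for instance required by the PEPS for a first integration), a comment such as `// TODO: sharing flags and citizen country code are fixed for now; make them configurable per OA` would record that, otherwise they should be read from `oaParam` or the session. The unconditional `true` is the one that deserves review from a data-protection point of view, since it widens what the request authorises. `startSTORKAuthentication` starts and ends outside this hunk.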
@@ -1936,7 +1924,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 
 		Logger.info("STORK AuthnRequest successfully successfully prepared for client with target location: " + authnRequest.getDestination());
 	}
-	
+
 	/**
 	 * Extracts an X509 Certificate out of an XML signagture element
 	 * @param signedXML XML signature element
@@ -1944,27 +1932,27 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	 * @throws CertificateException
 	 */
 	public static X509Certificate getCertificateFromXML(Element signedXML) throws CertificateException {
-		
+
 		NodeList nList = signedXML.getElementsByTagNameNS(Constants.DSIG_NS_URI, "X509Certificate");
-		
+
 		String base64CertString = XMLUtil.getFirstTextValueFromNodeList(nList);
-		
-		if (StringUtils.isEmpty(base64CertString)) {					
+
+		if (StringUtils.isEmpty(base64CertString)) {
 			String msg = "XML does not contain a X509Certificate element.";
 			Logger.error(msg);
 			throw new CertificateException(msg);
 		}
-		
+
 		InputStream is = new ByteArrayInputStream(Base64.decode(base64CertString));
-		
+
 		X509Certificate cert;
 		try {
 			cert = new X509Certificate(is);
 			return cert;
-			
+
 		} catch (Throwable e) {
 			throw new CertificateException(e);
 		}
 	}
-	
+
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
index 25f12af62..e388b39e7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java
@@ -1,5 +1,5 @@
 /**
- * 
+ *
  */
 package at.gv.egovernment.moa.id.config.stork;
 
@@ -25,119 +25,129 @@ import eu.stork.vidp.messages.util.XMLUtil;
 import at.gv.egovernment.moa.id.commons.db.dao.config.SAMLSigningParameter;
 import at.gv.egovernment.moa.id.commons.db.dao.config.STORK;
 import at.gv.egovernment.moa.id.commons.db.dao.config.SignatureVerificationParameterType;
+import at.gv.egovernment.moa.id.commons.db.dao.config.StorkAttribute;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.StringUtils;
 
 /**
  * Encapsulates several STORK configuration parameters according MOA configuration
- * 
+ *
  * @author bzwattendorfer
  *
  */
 public class STORKConfig {
-	
+
 	/** STORK SAML signature creation parameters */
 	private Properties props = null;
 	private Map<String, CPEPS> cpepsMap  = null;
 	private String basedirectory = null;
 	private SignatureVerificationParameter sigverifyparam = null;
-	
-	
+	private List<StorkAttribute> attr = null;
+
+
 	public STORKConfig(STORK stork, Properties props, String basedirectory) {
 		this.basedirectory = basedirectory;
 		this.props = props;
-		
+
 		//create CPEPS map
 		List<at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS> cpeps = stork.getCPEPS();
 		
 		cpepsMap = new HashMap<String, CPEPS>();
-		
+
 		for(at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS cpep : cpeps) {
-			
+
 			try {
 				CPEPS moacpep = new CPEPS(cpep.getCountryCode(), new URL(cpep.getURL()));
-				
-				List<String> attr = cpep.getAttributeValue();
-				
-				ArrayList<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>();
-				
-				for (String e1 : attr) {
-					Element element = XMLUtil.stringToDOM(e1);
-					RequestedAttribute requestedAttribute = (RequestedAttribute) SAMLUtil.unmarshallMessage(element);
-					requestedAttributes.add(requestedAttribute);
-				}
-				moacpep.setCountrySpecificRequestedAttributes(requestedAttributes);
-				
+
+
+
+//				List<String> attr = cpep.getAttributeValue();
+//
+//				ArrayList<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>();
+//
+//				for (String e1 : attr) {
+//					Element element = XMLUtil.stringToDOM(e1);
+//					RequestedAttribute requestedAttribute = (RequestedAttribute) SAMLUtil.unmarshallMessage(element);
+//					requestedAttributes.add(requestedAttribute);
+//				}
+//				moacpep.setCountrySpecificRequestedAttributes(requestedAttributes);
+
 				cpepsMap.put(cpep.getCountryCode(), moacpep);
-				
+
 			} catch (MalformedURLException e) {
-				Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " 
+				Logger.warn("Error in MOA-ID Configuration. CPEP entry for country "
 						+ cpep.getCountryCode() + " has an invalid URL and is ignored.");
-			} catch (ParserConfigurationException e) {
-				Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " 
-						+ cpep.getCountryCode() + " has an invalid Attribute and is ignored.");
-			} catch (SAXException e) {
-				Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " 
-						+ cpep.getCountryCode() + " has an invalid Attribute and is ignored.");
-			} catch (IOException e) {
-				Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " 
-						+ cpep.getCountryCode() + " has an invalid Attribute and is ignored.");
-			} catch (MessageEncodingException e) {
-				Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " 
-						+ cpep.getCountryCode() + " has an invalid Attribute and is ignored.");
+//			} catch (ParserConfigurationException e) {
+//				Logger.warn("Error in MOA-ID Configuration. CPEP entry for country "
+//						+ cpep.getCountryCode() + " has an invalid Attribute and is ignored.");
+//			} catch (SAXException e) {
+//				Logger.warn("Error in MOA-ID Configuration. CPEP entry for country "
+//						+ cpep.getCountryCode() + " has an invalid Attribute and is ignored.");
+//			} catch (IOException e) {
+//				Logger.warn("Error in MOA-ID Configuration. CPEP entry for country "
+//						+ cpep.getCountryCode() + " has an invalid Attribute and is ignored.");
+//			} catch (MessageEncodingException e) {
+//				Logger.warn("Error in MOA-ID Configuration. CPEP entry for country "
+//						+ cpep.getCountryCode() + " has an invalid Attribute and is ignored.");
 			}
-		}
-		
-		SAMLSigningParameter samlsign = stork.getSAMLSigningParameter();
 		
-		if (samlsign == null) {
-			Logger.warn("Error in MOA-ID Configuration. No STORK->SAMLSigningParameter configuration found.");
 
-		} else {
-			SignatureVerificationParameterType sigverify = samlsign.getSignatureVerificationParameter();
-		
-			if (sigverify == null) {
-				Logger.warn("Error in MOA-ID Configuration. No STORK->SignatureVerificationParameter configuration found.");
-				
-			} else {
-				sigverifyparam = new SignatureVerificationParameter(sigverify.getTrustProfileID());
-			}
+//		SAMLSigningParameter samlsign = stork.getSAMLSigningParameter();   // TODO Fix nullpointerexception when nothing is configured
+//
+//		if (samlsign == null) {
+//			Logger.warn("Error in MOA-ID Configuration. No STORK->SAMLSigningParameter configuration found.");
+//
+//		} else {
+//			SignatureVerificationParameterType sigverify = samlsign.getSignatureVerificationParameter();
+//
+//			if (sigverify == null) {
+//				Logger.warn("Error in MOA-ID Configuration. No STORK->SignatureVerificationParameter configuration found.");
+//
+//			} else {
+//				sigverifyparam = new SignatureVerificationParameter(sigverify.getTrustProfileID());
+//			}
+//		}
+		attr = new ArrayList<StorkAttribute>();
+		for(StorkAttribute current : stork.getAttributes()) {
+			attr.add(current);
 		}
-		
+
 	}
 
 	public SignatureCreationParameter getSignatureCreationParameter() {
-		
+
 		return new SignatureCreationParameter(props, basedirectory);
 	}
 
 	public SignatureVerificationParameter getSignatureVerificationParameter() {
-	
-		return sigverifyparam; 	
+
+		return sigverifyparam;
 	}
 
 	public Map<String, CPEPS> getCpepsMap() {
 		return cpepsMap;
 	}
-	
+
 	public boolean isSTORKAuthentication(String ccc) {
-		  
+
 		  if (StringUtils.isEmpty(ccc) || this.cpepsMap.isEmpty())
 			  return false;
-		   		 
+
 		  if (this.cpepsMap.containsKey(ccc.toUpperCase()))
 			  return true;
 		  else
 			  return false;
-			  
+
 	}
-	
+
 	public CPEPS getCPEPS(String ccc) {
 		if (isSTORKAuthentication(ccc))
 			return this.cpepsMap.get(ccc);
 		else
 			return null;
 	}
-	
 
+	public List<StorkAttribute> getStorkAttributes() {
+		return attr;
+	}
 }
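Review bot: Commenting out the `SAMLSigningParameter` / `SignatureVerificationParameterType` block in the constructor leaves `sigverifyparam` permanently `null`, so `getSignatureVerificationParameter()` now always returns `null` and any caller that relied on the configured trust profile for verifying C-PEPS responses silently loses that configuration; the `// TODO Fix nullpointerexception when nothing is configured` comment suggests the original problem was a missing configuration element, which is better handled by a null guard on `stork.getSAMLSigningParameter()` (the old code already guarded the result itself) than by disabling the whole branch. The same applies to the commented-out country-specific requested-attribute parsing and its `catch` clauses: dead code should be deleted, and the now-unused imports (`ParserConfigurationException`, `SAXException`, `IOException`, `MessageEncodingException`, `XMLUtil`, `SAMLUtil`, `RequestedAttribute`, `Element`) removed with it, or the change explained in the constructor. The element-by-element copy can be `attr = new ArrayList<StorkAttribute>(stork.getAttributes());`, and `getStorkAttributes()` hands out the internal list, so `return Collections.unmodifiableList(attr);` keeps callers from altering the global mandatory state that the other file of this commit now depends on. A short Javadoc on the new field, e.g. `/** Attributes from the global STORK configuration, including their mandatory flag. */`, would help since `attr` says nothing about its contents.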
-- 
cgit v1.2.3