From 996774dbf06b037d9f843e57a2cfac9bcc111a51 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 24 May 2019 08:14:55 +0200 Subject: update Demo-OA to illustrate SAML2 SubjectNameId --- .../egovernment/moa/id/demoOA/Configuration.java | 16 +++++++- .../moa/id/demoOA/servlet/pvp2/Authenticate.java | 44 +++++++++++++--------- .../id/demoOA/servlet/pvp2/DemoApplication.java | 23 ++++++++--- .../moa/id/demoOA/utils/ApplicationBean.java | 9 +++++ id/oa/src/main/webapp/demoapp.jsp | 6 ++- id/oa/src/main/webapp/index.jsp | 2 + 6 files changed, 76 insertions(+), 24 deletions(-) diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java index 09069ac7f..8ada01cb6 100644 --- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java +++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java @@ -182,6 +182,21 @@ public class Configuration { return Boolean.parseBoolean(props.getProperty("general.login.pvp2.binding.resp.redirect", "false")); } + + public boolean setAuthnContextClassRef() { + return Boolean.parseBoolean(props.getProperty("general.login.pvp2.req.set.authncontextclassref", "true")); + } + + public String getScopeRequesterId() { + return props.getProperty("general.login.pvp2.sp.requesterId"); + } + + public boolean setNameIdPolicy() { + return Boolean.parseBoolean(props.getProperty("general.login.pvp2.req.set.nameIDPolicy", "true")); + } + + + public void initializePVP2Login() throws ConfigurationException { if (!pvp2logininitialzied) initalPVP2Login(); @@ -276,6 +291,5 @@ public class Configuration { throw new ConfigurationException("PVP2 authentification can not be initialized.", e); } } - } diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java index 4c909ff80..0671b8c14 100644 --- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java +++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java @@ -35,6 +35,7 @@ import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import org.apache.commons.lang3.RandomUtils; +import org.apache.commons.lang3.StringUtils; import org.apache.velocity.app.VelocityEngine; import org.apache.velocity.runtime.RuntimeConstants; import org.joda.time.DateTime; @@ -52,6 +53,8 @@ import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.NameIDPolicy; import org.opensaml.saml2.core.NameIDType; import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml2.core.RequesterID; +import org.opensaml.saml2.core.Scoping; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; @@ -136,11 +139,12 @@ public class Authenticate extends HttpServlet { issuer.setFormat(NameIDType.ENTITY); authReq.setIssuer(issuer); - NameIDPolicy policy = SAML2Utils - .createSAMLObject(NameIDPolicy.class); - policy.setAllowCreate(true); - policy.setFormat(NameID.PERSISTENT); - authReq.setNameIDPolicy(policy); + if (config.setNameIdPolicy()) { + NameIDPolicy policy = SAML2Utils.createSAMLObject(NameIDPolicy.class); + policy.setAllowCreate(true); + policy.setFormat(NameID.PERSISTENT); + authReq.setNameIDPolicy(policy); + } String entityname = config.getPVP2IDPMetadataEntityName(); if (MiscUtil.isEmpty(entityname)) { @@ -183,20 +187,26 @@ public class Authenticate extends HttpServlet { //authReq.setDestination("http://test.test.test"); + if (config.setAuthnContextClassRef()) { + RequestedAuthnContext reqAuthContext = + SAML2Utils.createSAMLObject(RequestedAuthnContext.class); + AuthnContextClassRef authnClassRef = + SAML2Utils.createSAMLObject(AuthnContextClassRef.class); + authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4"); + reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM); + reqAuthContext.getAuthnContextClassRefs().add(authnClassRef); + authReq.setRequestedAuthnContext(reqAuthContext); + } - RequestedAuthnContext reqAuthContext = - SAML2Utils.createSAMLObject(RequestedAuthnContext.class); - - AuthnContextClassRef authnClassRef = - SAML2Utils.createSAMLObject(AuthnContextClassRef.class); - - authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4"); - - reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM); - - reqAuthContext.getAuthnContextClassRefs().add(authnClassRef); + if (StringUtils.isNotEmpty(config.getScopeRequesterId())) { + Scoping scope = SAML2Utils.createSAMLObject(Scoping.class); + RequesterID requesterId = SAML2Utils.createSAMLObject(RequesterID.class); + requesterId.setRequesterID(config.getScopeRequesterId()); + scope.getRequesterIDs().add(requesterId ); + authReq.setScoping(scope ); + + } - authReq.setRequestedAuthnContext(reqAuthContext); //sign authentication request KeyStore keyStore = config.getPVP2KeyStore(); diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java index aeb4d8eac..e36a880ba 100644 --- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java +++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java @@ -198,11 +198,7 @@ public class DemoApplication extends HttpServlet { } - //set assertion - org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse); - String assertion = DOMUtils.serializeNode(doc); - bean.setAssertion(assertion); - + if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { List saml2assertions = new ArrayList(); @@ -245,12 +241,28 @@ public class DemoApplication extends HttpServlet { } + samlResponse.getAssertions().clear(); + samlResponse.getAssertions().addAll(saml2assertions); + + //set assertion + org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse); + String assertion = DOMUtils.serializeNode(doc); + bean.setAssertion(assertion); + + String principleId = null; String givenName = null; String familyName = null; String birthday = null; for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { + try { + principleId = saml2assertion.getSubject().getNameID().getValue(); + + } catch (Exception e) { + log.warn("Can not read SubjectNameId", e); + } + //loop through the nodes to get what we want List attributeStatements = saml2assertion.getAttributeStatements(); for (int i = 0; i < attributeStatements.size(); i++) @@ -277,6 +289,7 @@ public class DemoApplication extends HttpServlet { } + bean.setPrincipleId(principleId); bean.setDateOfBirth(birthday); bean.setFamilyName(familyName); bean.setGivenName(givenName); diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/utils/ApplicationBean.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/utils/ApplicationBean.java index 05c253b6e..59090cbcc 100644 --- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/utils/ApplicationBean.java +++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/utils/ApplicationBean.java @@ -32,6 +32,7 @@ public class ApplicationBean implements Serializable { private String givenName; private String dateOfBirth; private String assertion; + private String principleId; private boolean isLogin = false; @@ -122,6 +123,14 @@ public class ApplicationBean implements Serializable { public void setSuccessMessage(String successMessage) { this.successMessage = successMessage; } + + public String getPrincipleId() { + return principleId; + } + public void setPrincipleId(String principleId) { + this.principleId = principleId; + } + diff --git a/id/oa/src/main/webapp/demoapp.jsp b/id/oa/src/main/webapp/demoapp.jsp index c6b005deb..7d511a5ce 100644 --- a/id/oa/src/main/webapp/demoapp.jsp +++ b/id/oa/src/main/webapp/demoapp.jsp @@ -31,7 +31,11 @@
- + + + + + diff --git a/id/oa/src/main/webapp/index.jsp b/id/oa/src/main/webapp/index.jsp index 49f3e3e3a..628d3e7a3 100644 --- a/id/oa/src/main/webapp/index.jsp +++ b/id/oa/src/main/webapp/index.jsp @@ -21,6 +21,8 @@ -- cgit v1.2.3
Benutzerdaten:PrincipleId: <%= bean.getPrincipleId()%>
Benutzerdaten: <%= bean.getGivenName()%>  <%= bean.getFamilyName()%>  <%= bean.getDateOfBirth()%>