From a9b2e962d2853b74d314cb9f614cab446a7134c0 Mon Sep 17 00:00:00 2001 
From: kstranacher Date: Thu, 26 Jan 2012 21:59:33 +0000 Subject: =?UTF-8?q?*=20optionalen=20useUTC=20Parameter=20in=20Konfig=20ein?= =?UTF-8?q?gef=C3=BCgt=20(damit=20IssueInstant=20in=20SAML=20Assertion=20a?= =?UTF-8?q?uf=20UTC=20einstellbar)=20*=20optionalen=20sourceID=20Parameter?= =?UTF-8?q?=20bei=20MOA-ID=20Aufruf=20eingef=C3=BCgt=20(wird=201:1=20in=20?= =?UTF-8?q?SAML=20Assertion=20=C3=BCbernommen)=20*=20Update=20Doku=20(useU?= =?UTF-8?q?TC,=20sourceID,=20Vollmachten-Profile)=20*=20Ablauf=C3=A4nderun?= =?UTF-8?q?g=20bei=20Vollmachten-Modus=20(Signatur=20Zertifikat=20wird=20a?= =?UTF-8?q?us=20Signatur=20entnommen=20und=20nicht=20mittels=20eigenem=20I?= =?UTF-8?q?nfobox-Request)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1233 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../at/gv/egovernment/moa/util/DateTimeUtils.java | 83 +++++++++------ .../schemas/MOA-ID-Configuration-1.5.1.xsd | 9 +- .../gv/egovernment/moa/util/DateTimeUtilsTest.java | 2 +- id/readme_1.5.1.txt | 2 + .../conf/moa-id/SampleMOAIDConfiguration.xml | 3 +- .../conf/moa-id/SampleMOAIDConfigurationProxy.xml | 3 +- .../SampleMOAIDConfiguration_withTestBKs.xml | 3 +- .../SampleMOAIDConfiguration_withTestBKsProxy.xml | 3 +- id/server/doc/MOA-ID-Configuration-1.5.1.xsd | 9 +- id/server/doc/MOA_ID_1.5_Anhang.pdf | Bin 70517 -> 296723 bytes id/server/doc/moa_id/faqs.htm | 3 +- id/server/doc/moa_id/id-admin.htm | 2 +- id/server/doc/moa_id/id-admin_1.htm | 2 +- id/server/doc/moa_id/id-admin_2.htm | 10 +- id/server/doc/moa_id/id-admin_3.htm | 2 +- id/server/doc/moa_id/id-anwendung.htm | 2 +- id/server/doc/moa_id/id-anwendung_1.htm | 8 +- id/server/doc/moa_id/id-anwendung_2.htm | 3 +- id/server/doc/moa_id/links.htm | 3 +- id/server/doc/moa_id/moa.htm | 2 +- .../moa/id/auth/AuthenticationServer.java | 59 +++++++---- .../moa/id/auth/MOAIDAuthConstants.java | 2 + 
.../builder/AuthenticationAssertionBuilder.java | 26 +++++ .../AuthenticationDataAssertionBuilder.java | 15 ++- .../moa/id/auth/data/AuthenticationSession.java | 28 +++++- .../auth/servlet/GetAuthenticationDataService.java | 9 +- .../auth/servlet/StartAuthenticationServlet.java | 13 ++- .../servlet/VerifyAuthenticationBlockServlet.java | 112 +++++++++++++++++++-- .../id/auth/servlet/VerifyCertificateServlet.java | 62 +----------- .../id/auth/servlet/VerifyIdentityLinkServlet.java | 2 +- .../moa/id/config/ConfigurationBuilder.java | 1 + .../moa/id/config/auth/OAAuthParameter.java | 21 ++++ .../moa/id/data/AuthenticationData.java | 15 +++ .../moa/id/proxy/builder/SAMLRequestBuilder.java | 2 +- .../moa/id/util/ParamValidatorUtils.java | 30 ++++++ .../id/util/client/mis/simple/MISSimpleClient.java | 19 +++- .../test/abnahme/A/Test100StartAuthentication.java | 16 +-- .../test/abnahme/A/Test300VerifyAuthBlock.java | 4 +- .../A/Test600GetAuthenticationDataService.java | 2 +- .../test/java/test/abnahme/AbnahmeTestCase.java | 2 +- .../moa/id/auth/AuthenticationServerTest.java | 2 +- 41 files changed, 421 insertions(+), 175 deletions(-) diff --git a/common/src/main/java/at/gv/egovernment/moa/util/DateTimeUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/DateTimeUtils.java index 92e845967..d70073db8 100644 --- a/common/src/main/java/at/gv/egovernment/moa/util/DateTimeUtils.java +++ b/common/src/main/java/at/gv/egovernment/moa/util/DateTimeUtils.java @@ -26,6 +26,7 @@ package at.gv.egovernment.moa.util; import java.io.StringWriter; import java.text.ParseException; +import java.text.SimpleDateFormat; import java.util.Calendar; import java.util.Date; import java.util.GregorianCalendar; 
@@ -48,38 +49,56 @@ public class DateTimeUtils { * @param cal the Calendar value * @return the dateTime value */ - public static String buildDateTime(Calendar cal) { - StringWriter out = new StringWriter(); - out.write("" + cal.get(Calendar.YEAR)); - out.write("-"); - out.write(to2DigitString(cal.get(Calendar.MONTH) + 1)); - out.write("-"); - out.write(to2DigitString(cal.get(Calendar.DAY_OF_MONTH))); - out.write("T"); - out.write(to2DigitString(cal.get(Calendar.HOUR_OF_DAY))); - out.write(":"); - out.write(to2DigitString(cal.get(Calendar.MINUTE))); - out.write(":"); - out.write(to2DigitString(cal.get(Calendar.SECOND))); - int tzOffsetMilliseconds = - cal.get(Calendar.ZONE_OFFSET) + cal.get(Calendar.DST_OFFSET); - if (tzOffsetMilliseconds != 0) { - int tzOffsetMinutes = tzOffsetMilliseconds / (1000 * 60); - int tzOffsetHours = tzOffsetMinutes / 60; - tzOffsetMinutes -= tzOffsetHours * 60; - if (tzOffsetMilliseconds > 0) { - out.write("+"); - out.write(to2DigitString(tzOffsetHours)); - out.write(":"); - out.write(to2DigitString(tzOffsetMinutes)); - } else { - out.write("-"); - out.write(to2DigitString(-tzOffsetHours)); - out.write(":"); - out.write(to2DigitString(-tzOffsetMinutes)); - } - } - return out.toString(); + public static String buildDateTime(Calendar cal, boolean useUTC) { + + if (useUTC) + return buildDateTimeUTC(cal); + else { + StringWriter out = new StringWriter(); + out.write("" + cal.get(Calendar.YEAR)); + out.write("-"); + out.write(to2DigitString(cal.get(Calendar.MONTH) + 1)); + out.write("-"); + out.write(to2DigitString(cal.get(Calendar.DAY_OF_MONTH))); + out.write("T"); + out.write(to2DigitString(cal.get(Calendar.HOUR_OF_DAY))); + out.write(":"); + out.write(to2DigitString(cal.get(Calendar.MINUTE))); + out.write(":"); + out.write(to2DigitString(cal.get(Calendar.SECOND))); + int tzOffsetMilliseconds = + cal.get(Calendar.ZONE_OFFSET) + cal.get(Calendar.DST_OFFSET); + if (tzOffsetMilliseconds != 0) { + int tzOffsetMinutes = tzOffsetMilliseconds / 
(1000 * 60); + int tzOffsetHours = tzOffsetMinutes / 60; + tzOffsetMinutes -= tzOffsetHours * 60; + if (tzOffsetMilliseconds > 0) { + out.write("+"); + out.write(to2DigitString(tzOffsetHours)); + out.write(":"); + out.write(to2DigitString(tzOffsetMinutes)); + } else { + out.write("-"); + out.write(to2DigitString(-tzOffsetHours)); + out.write(":"); + out.write(to2DigitString(-tzOffsetMinutes)); + } + } + return out.toString(); + } + } + + /** + * Builds a dateTime value in UTC from a Calendar value. + * @param cal the Calendar value + * @return the dateTime value + */ + public static String buildDateTimeUTC(Calendar cal) { + + SimpleDateFormat f = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'"); + f.setTimeZone(TimeZone.getTimeZone("UTC")); + + return f.format(cal.getTime()); } /** diff --git a/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.5.1.xsd b/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.5.1.xsd index cc562187a..d16953eab 100644 --- a/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.5.1.xsd +++ b/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.5.1.xsd @@ -89,10 +89,16 @@ - + enthält Parameter der Authentisierungs-Komponente + + + + + + @@ -467,6 +473,7 @@ + diff --git a/common/src/test/java/test/at/gv/egovernment/moa/util/DateTimeUtilsTest.java b/common/src/test/java/test/at/gv/egovernment/moa/util/DateTimeUtilsTest.java index 8fdd389a2..3364e9888 100644 --- a/common/src/test/java/test/at/gv/egovernment/moa/util/DateTimeUtilsTest.java +++ b/common/src/test/java/test/at/gv/egovernment/moa/util/DateTimeUtilsTest.java 
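Review bot: The Javadoc above the new `buildDateTime(Calendar, boolean)` signature still documents only `cal`, so the switch that decides the IssueInstant format is undocumented; add `* @param useUTC if true the value is rendered in UTC with a trailing 'Z' via buildDateTimeUTC, otherwise in the calendar's own zone with a numeric offset`. In `buildDateTimeUTC` the `SimpleDateFormat` is built with the JVM default locale; on a default locale whose calendar is not Gregorian (Thai, Japanese imperial) the `yyyy` field is rendered in that calendar and the assertion timestamp is wrong, so fix the locale: `SimpleDateFormat f = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'", Locale.ROOT);` (a `java.util.Locale` import is not visible in this diff). Whether `java.util.TimeZone` is already imported cannot be seen either, since the import hunk adds only `SimpleDateFormat`.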
@@ -121,7 +121,7 @@ public class DateTimeUtilsTest extends TestCase { Calendar cal = new GregorianCalendar(TimeZone.getTimeZone(timeZone)); cal.set(year,month, day, hour, min, sec); cal.set(Calendar.MILLISECOND, 0); - String dateTimeBuilt = DateTimeUtils.buildDateTime(cal); + String dateTimeBuilt = DateTimeUtils.buildDateTime(cal, false); assertEquals(dateTimeShould, dateTimeBuilt); } diff --git a/id/readme_1.5.1.txt b/id/readme_1.5.1.txt index 8cf5e7361..e742212df 100644 --- a/id/readme_1.5.1.txt +++ b/id/readme_1.5.1.txt @@ -17,6 +17,8 @@ gleichen Verzeichnis): - Änderung der Konfiguration - für Online-Vollmachten - Fixer Target-Parameter für Online-Applikation konfigurierbar + - Optionaler Parameter zur Angabe der IssueInstant im UTC Format in der SAML-Assertion +- Weiterer optionaler Parameter sourceID beim MOA-ID Aufruf - IAIK Libraries aktualisiert: iaik-moa: Version 1.31 diff --git a/id/server/data/deploy/conf/moa-id/SampleMOAIDConfiguration.xml b/id/server/data/deploy/conf/moa-id/SampleMOAIDConfiguration.xml index 697cadec4..6525642f1 100644 --- a/id/server/data/deploy/conf/moa-id/SampleMOAIDConfiguration.xml +++ b/id/server/data/deploy/conf/moa-id/SampleMOAIDConfiguration.xml @@ -65,7 +65,8 @@ - + + diff --git a/id/server/data/deploy/conf/moa-id/SampleMOAIDConfigurationProxy.xml b/id/server/data/deploy/conf/moa-id/SampleMOAIDConfigurationProxy.xml index 41103cf3c..27bf6681c 100644 --- a/id/server/data/deploy/conf/moa-id/SampleMOAIDConfigurationProxy.xml +++ b/id/server/data/deploy/conf/moa-id/SampleMOAIDConfigurationProxy.xml @@ -76,7 +76,8 @@ - + + diff --git a/id/server/data/deploy/conf/moa-id/SampleMOAIDConfiguration_withTestBKs.xml b/id/server/data/deploy/conf/moa-id/SampleMOAIDConfiguration_withTestBKs.xml index 05c6387e1..eefc7cf6a 100644 --- a/id/server/data/deploy/conf/moa-id/SampleMOAIDConfiguration_withTestBKs.xml +++ b/id/server/data/deploy/conf/moa-id/SampleMOAIDConfiguration_withTestBKs.xml @@ -67,7 +67,8 @@ - + + 
diff --git a/id/server/data/deploy/conf/moa-id/SampleMOAIDConfiguration_withTestBKsProxy.xml b/id/server/data/deploy/conf/moa-id/SampleMOAIDConfiguration_withTestBKsProxy.xml index 1d8b50537..f9e296c62 100644 --- a/id/server/data/deploy/conf/moa-id/SampleMOAIDConfiguration_withTestBKsProxy.xml +++ b/id/server/data/deploy/conf/moa-id/SampleMOAIDConfiguration_withTestBKsProxy.xml @@ -77,7 +77,8 @@ - + + diff --git a/id/server/doc/MOA-ID-Configuration-1.5.1.xsd b/id/server/doc/MOA-ID-Configuration-1.5.1.xsd index cc562187a..d16953eab 100644 --- a/id/server/doc/MOA-ID-Configuration-1.5.1.xsd +++ b/id/server/doc/MOA-ID-Configuration-1.5.1.xsd @@ -89,10 +89,16 @@ - + enthält Parameter der Authentisierungs-Komponente + + + + + + @@ -467,6 +473,7 @@ + diff --git a/id/server/doc/MOA_ID_1.5_Anhang.pdf b/id/server/doc/MOA_ID_1.5_Anhang.pdf index 454ff933a..f2e5057c7 100644 Binary files a/id/server/doc/MOA_ID_1.5_Anhang.pdf and b/id/server/doc/MOA_ID_1.5_Anhang.pdf differ diff --git a/id/server/doc/moa_id/faqs.htm b/id/server/doc/moa_id/faqs.htm index 0b9ef0415..814d0c9f7 100644 --- a/id/server/doc/moa_id/faqs.htm +++ b/id/server/doc/moa_id/faqs.htm @@ -207,8 +207,7 @@ MOA ist eine Entwicklung des Bundesrechenzentrums BRZ in Zusammenarbeit mit A-Tr
-
© 2003
- +
© 2012

diff --git a/id/server/doc/moa_id/id-admin.htm b/id/server/doc/moa_id/id-admin.htm index 7192f02e2..7d014299e 100644 --- a/id/server/doc/moa_id/id-admin.htm +++ b/id/server/doc/moa_id/id-admin.htm @@ -311,7 +311,7 @@ Die Versionsangaben beziehen sich auf die Versionen, mit denen die MOA ID Webapp

-
© 2004
+
© 2012

diff --git a/id/server/doc/moa_id/id-admin_1.htm b/id/server/doc/moa_id/id-admin_1.htm index 9b18fcdbe..08a1acc73 100644 --- a/id/server/doc/moa_id/id-admin_1.htm +++ b/id/server/doc/moa_id/id-admin_1.htm @@ -539,7 +539,7 @@ Wenn nun versucht wird, eine Transaktion mit einer ungültigen SessionID fort

-
© 2010
+
© 2012

diff --git a/id/server/doc/moa_id/id-admin_2.htm b/id/server/doc/moa_id/id-admin_2.htm index ea4874edd..8a217bfcc 100644 --- a/id/server/doc/moa_id/id-admin_2.htm +++ b/id/server/doc/moa_id/id-admin_2.htm @@ -613,8 +613,9 @@ Hinweis: Um den Online-Vollmachten Modus für eine Online Applikation zu akt Anmeldedaten aufzunehmen. Alle Attribute sind optional und haben den Default-Wert false.
- Das Attribut provideFullMandatorData bestimmt ob bei einer Vollmachten-Anmeldung die vollständigen Vollmacht in der SAML Assertion mitgegeben wird oder nur die Basisdaten wie Name, Geburtsdatum und bPK des Vertreters (bzw. Organwalter/PV) sowie Name, Geburtsdatum und bPK (bzw. Name und Stammzahl bei juristischen Personen) des Vertretenen in der Assertion übermittelt. Bei provideFullMandatorData=false werden nur die Basisdaten übermittelt (Defaulteinstellung). Bei provideFullMandatorData=true wird zusätzlich die gesamte Vollmacht übergeben.

-

Anmerkung: Das Attribut provideStammzahl steht in keinem + Das Attribut provideFullMandatorData bestimmt ob bei einer Vollmachten-Anmeldung die vollständigen Vollmacht in der SAML Assertion mitgegeben wird oder nur die Basisdaten wie Name, Geburtsdatum und bPK des Vertreters (bzw. Organwalter/PV) sowie Name, Geburtsdatum und bPK (bzw. Name und Stammzahl bei juristischen Personen) des Vertretenen in der Assertion übermittelt. Bei provideFullMandatorData=false werden nur die Basisdaten übermittelt (Defaulteinstellung). Bei provideFullMandatorData=true wird zusätzlich die gesamte Vollmacht übergeben.
+ Das Attribut useUTC bestimmt ob IssueInstant in der SAML Assertion als UTC (2012-01-26T18:38:35Z, useUTC=true) oder dem Default-Format (z.B.: 2012-01-26T19:38:35+01:00, useUTC=false) angegeben wird.

+

Anmerkung: Das Attribut provideStammzahl steht in keinem Zusammenhang zum gleichnamigen Attribut VerifyInfoboxes/@provideStammzahl, das angibt ob die Stammzahl an eine Prüfapplikation weitergegeben @@ -921,7 +922,8 @@ Hinweis: Um den Online-Vollmachten Modus für eine Online Applikation zu akt
Mit Hilfe dieses Elements werden die Online-Vollmachten für die Online-Applikation aktiviert. Als Kindelement muss Profiles angegeben werden. Dieses Element beinhaltet eine (Komma-separierte) - Liste von Vollmachten-Identifikatoren, die festlegen mit welchen Vollmachtstypen man sich bei der Online-Applikation anmelden kann.
+ Liste von Vollmachten-Profilen, die festlegen mit welchen Vollmachtstypen man sich bei der Online-Applikation anmelden kann. + Unter https://vollmachten.stammzahlenregister.gv.at/mis/ finden Sie eine Liste der unterstützen Vollmachten-Profile.
Hinweis: Hierzu muss auch die Verbindung zum Online-Vollmachten Service konfiguriert werden - siehe hier

@@ -1453,7 +1455,7 @@ Im Falle einer fehlerhaften neuen Konfiguration wird die ursprüngliche Konf

-
© 2010
+
© 2012

diff --git a/id/server/doc/moa_id/id-admin_3.htm b/id/server/doc/moa_id/id-admin_3.htm index 8b1c74e7c..5b95feca8 100644 --- a/id/server/doc/moa_id/id-admin_3.htm +++ b/id/server/doc/moa_id/id-admin_3.htm @@ -194,7 +194,7 @@ Um das Logging in die Datenbank Log4j bekannt zu machen, muss die Log4j-Konfigur

-
© 2004
+
© 2012

diff --git a/id/server/doc/moa_id/id-anwendung.htm b/id/server/doc/moa_id/id-anwendung.htm index d5057f854..c4cab64e1 100644 --- a/id/server/doc/moa_id/id-anwendung.htm +++ b/id/server/doc/moa_id/id-anwendung.htm @@ -94,7 +94,7 @@ Dies kann unter Mithilfe der Webapplikation MOA-ID-PROXY geschehen, die für

-
© 2003
+
© 2012

diff --git a/id/server/doc/moa_id/id-anwendung_1.htm b/id/server/doc/moa_id/id-anwendung_1.htm index 28f7a5979..ad45ff7e1 100644 --- a/id/server/doc/moa_id/id-anwendung_1.htm +++ b/id/server/doc/moa_id/id-anwendung_1.htm @@ -73,7 +73,7 @@ Projekt moa  Der Aufruf erfolgt durch einen Verweis der Form:
<a href="https://<moa-id-server-und-pfad>/
 StartAuthentication?Target=<geschäftsbereich>
-&OA=<oa-url>&Template=<template-url>&useMandate=false">
+&OA=<oa-url>&Template=<template-url>&useMandate=false&sourceID=<sourceID>"> @@ -92,6 +92,10 @@ StartAuthentication?Target=<geschäftsbereich> + + + +
<moa-id-server-und-pfad>Server und Pfad, wo MOA-ID-AUTH installiert istuseMandate=<true/false> optional; Gibt an ob eine Anmeldung im Online-Vollmachten-Modus durchgeführt werden soll (=true) oder nicht (=false);
sourceID=<sourceID>optional; Gibt eine sourceID an, die (wenn sie gesetzt ist) in der SAML-Assertion aufscheint


@@ -204,7 +208,7 @@ Im folgenden Beispiel wird in den Java Truststore "truststore.jks" mit

-
© 2004
+
© 2012

diff --git a/id/server/doc/moa_id/id-anwendung_2.htm b/id/server/doc/moa_id/id-anwendung_2.htm index df8b10aad..4e2e89d74 100644 --- a/id/server/doc/moa_id/id-anwendung_2.htm +++ b/id/server/doc/moa_id/id-anwendung_2.htm @@ -237,8 +237,7 @@ Falls nötig, kann eine ma

-
© 2003
- +
© 2012

diff --git a/id/server/doc/moa_id/links.htm b/id/server/doc/moa_id/links.htm index ef6c09083..2956c6263 100644 --- a/id/server/doc/moa_id/links.htm +++ b/id/server/doc/moa_id/links.htm @@ -134,8 +134,7 @@ MOA ist eine Entwicklung des Bundesrechenzentrums BRZ in Zusammenarbeit mit A-Tr

-
© 2010 -
+
© 2012

diff --git a/id/server/doc/moa_id/moa.htm b/id/server/doc/moa_id/moa.htm index 94f4a35ea..09fb1c5b6 100644 --- a/id/server/doc/moa_id/moa.htm +++ b/id/server/doc/moa_id/moa.htm @@ -247,7 +247,7 @@ an den Benutzer weitergeleitet und die Anfragen des Benutzers an die OA weiterge

-
© 2010
+
© 2012

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 68e6b950a..a68dca65a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -24,11 +24,15 @@ package at.gv.egovernment.moa.id.auth; +import iaik.ixsil.exceptions.UtilsException; +import iaik.ixsil.util.Utils; import iaik.pki.PKIException; import iaik.x509.X509Certificate; import java.io.ByteArrayInputStream; import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; import java.io.IOException; import java.security.GeneralSecurityException; import java.security.Principal; @@ -49,7 +53,6 @@ import org.apache.xpath.XPathAPI; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; -import org.w3c.dom.NodeList; import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.AuthenticationException; @@ -114,7 +117,6 @@ import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.DateTimeUtils; import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.StringUtils; -import at.gv.egovernment.moa.util.XPathUtils; /** @@ -305,7 +307,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { * @param useMandate Indicates if mandate is used or not * @param templateURL URL providing an HTML template for the HTML form generated * @param templateMandteURL URL providing an HTML template for the HTML form generated (for signing in mandates mode) - * @param scheme determines the protocol used + * @param scheme determines the protocol used + * @param sourceID * @return HTML form * @throws AuthenticationException * @see GetIdentityLinkFormBuilder 
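Review bot: The Javadoc line `* @param sourceID` added in the hunk at line 305 has no description although it is the one new parameter of the method; write `* @param sourceID optional source identifier from the request; stored in the session and copied into the SAML assertion, may be null`. The imports added in the hunk at line 24 (`iaik.ixsil.util.Utils`, `UtilsException`, `FileInputStream`, `FileNotFoundException`) are, as far as the visible hunks show, referenced only by the commented-out local-file test block touched in the hunk at line 510; if nothing else uses them they are dead imports and should be dropped together with that block rather than maintained. The documented method's signature continues in the next hunk.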
@@ -320,7 +323,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { String bkuURL, String useMandate, String sessionID, - String scheme) + String scheme, + String sourceID) throws WrongParametersException, AuthenticationException, ConfigurationException, BuildException { String useMandateString = null; @@ -381,7 +385,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.setPublicOAURLPrefix(oaParam.getPublicURLPrefix()); session.setAuthURL(authURL); session.setTemplateURL(templateURL); - session.setBusinessService(oaParam.getBusinessService()); + session.setBusinessService(oaParam.getBusinessService()); + if (sourceID != null) + session.setSourceID(sourceID); } // BKU URL has not been set yet, even if session already exists if (bkuURL == null) { @@ -510,17 +516,16 @@ public class AuthenticationServer implements MOAIDAuthConstants { } // for testing new identity link certificate - // https://localhost:8443/moa-id-auth/StartAuthentication?Target=AR&OA=https://localhost:8443/TestMOAID_OA/LoginServletExample // xmlInfoboxReadResponse = null; // try { -// File file = new File("c:/temp/xxxMuster-new-cert_infobox.xml"); +// File file = new File("c:/temp/XXXMuster.xml"); // FileInputStream fis; // // fis = new FileInputStream(file); // byte[] array = Utils.readFromInputStream(fis); // // xmlInfoboxReadResponse = new String(array); -// //System.out.println(xmlInfoboxReadResponse); +// System.out.println(xmlInfoboxReadResponse); // // } catch (FileNotFoundException e) { // // TODO Auto-generated catch block @@ -529,7 +534,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { // // TODO Auto-generated catch block // e.printStackTrace(); // } -// + // parses the 
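Review bot: `if (sourceID != null) session.setSourceID(sourceID);` in the hunk at line 381 stores a request-supplied value with no validation visible at this point, and the value is later emitted into the assertion unchanged; the diffstat lists a ParamValidatorUtils change, but it is outside this chunk and not called from this hunk, so the guarantee should be stated where the value is stored: `// sourceID is checked by the servlet before it reaches this point — TODO confirm against StartAuthenticationServlet`. The assignment also appears to sit inside the branch that initializes a new session (the block closes just before the "BKU URL has not been set yet" comment), so a sourceID passed on a repeat call for an existing session would be silently ignored; if that is intended, say so in the Javadoc.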
@@ -687,7 +692,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { // builds the AUTH-block - String authBlock = buildAuthenticationBlock(session); + String authBlock = buildAuthenticationBlock(session, oaParam); // session.setAuthBlock(authBlock); // builds the @@ -871,14 +876,14 @@ public class AuthenticationServer implements MOAIDAuthConstants { * @throws BuildException If an error occurs on serializing an extended SAML attribute * to be appended to the AUTH-Block. */ - private String buildAuthenticationBlock(AuthenticationSession session) throws BuildException { + private String buildAuthenticationBlock(AuthenticationSession session, OAAuthParameter oaParam) throws BuildException { IdentityLink identityLink = session.getIdentityLink(); String issuer = identityLink.getName(); String gebDat = identityLink.getDateOfBirth(); String identificationValue = identityLink.getIdentificationValue(); String identificationType = identityLink.getIdentificationType(); - String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance()); + String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance(), oaParam.getUseUTC()); session.setIssueInstant(issueInstant); String authURL = session.getAuthURL(); String target = session.getTarget(); @@ -1418,6 +1423,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { // parses CreateXMLSignatureResponse csresp = new CreateXMLSignatureResponseParser(xmlCreateXMLSignatureReadResponse).parseResponse(); + try { String serializedAssertion = DOMUtils.serializeNode(csresp.getSamlAssertion()); session.setAuthBlock(serializedAssertion); 
@@ -1502,12 +1508,21 @@ public class AuthenticationServer implements MOAIDAuthConstants { } } + OAAuthParameter oaParam = + AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( + session.getPublicOAURLPrefix()); + boolean useUTC = oaParam.getUseUTC(); // builds authentication data and stores it together with a SAML artifact - AuthenticationData authData = buildAuthenticationData(session, vsresp); + AuthenticationData authData = buildAuthenticationData(session, vsresp, useUTC); if (session.getUseMandate()) { // mandate mode + //session.setAssertionAuthBlock(assertionAuthBlock) + + // set signer certificate + session.setSignerCertificate(vsresp.getX509certificate()); + return null; } else { @@ -1521,6 +1536,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.getBkuURL(), session.getAssertionSignerCertificateBase64(), session.getAssertionBusinessService(), + session.getSourceID(), session.getExtendedSAMLAttributesOA()); authData.setSamlAssertion(samlAssertion); @@ -1677,6 +1693,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.getBkuURL(), session.getAssertionSignerCertificateBase64(), session.getAssertionBusinessService(), + session.getSourceID(), session.getExtendedSAMLAttributesOA()); authData.setSamlAssertion(samlAssertion); @@ -1772,9 +1789,14 @@ public class AuthenticationServer implements MOAIDAuthConstants { } VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponse(); - X509Certificate cert = session.getForeignSignerCertificate(); + X509Certificate cert = session.getSignerCertificate(); vsresp.setX509certificate(cert); - AuthenticationData authData = buildAuthenticationData(session, vsresp); + + OAAuthParameter oaParam = + AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( + session.getPublicOAURLPrefix()); + boolean useUTC = oaParam.getUseUTC(); + AuthenticationData authData = buildAuthenticationData(session, vsresp, useUTC); String samlAssertion = 
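Review bot: The new `useUTC` pass-through in the hunk at line 1502 (and again at line 1772) is redundant: both call sites look up `oaParam` only to read `oaParam.getUseUTC()`, while `buildAuthenticationData` appears to have its own `oaParam` and, in the hunk at line 1845, reads `oaParam.getUseUTC()` directly for `authData.setUseUTC`. Using the parameter for IssueInstant but a separate lookup for the flag lets the two disagree; either drop the parameter and use the method's own `oaParam` for both, or at least make line 1845 `authData.setUseUTC(useUTC);`. If `getOnlineApplicationParameter` can return null for an unknown prefix (not visible here), the new `oaParam.getUseUTC()` call fails with a NullPointerException instead of a configuration error. The added `//session.setAssertionAuthBlock(assertionAuthBlock)` line is dead text and should go.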
@@ -1786,6 +1808,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.getBkuURL(), session.getAssertionSignerCertificateBase64(), session.getAssertionBusinessService(), + session.getSourceID(), session.getExtendedSAMLAttributesOA()); authData.setSamlAssertion(samlAssertion); @@ -1823,7 +1846,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { */ private AuthenticationData buildAuthenticationData( AuthenticationSession session, - VerifyXMLSignatureResponse verifyXMLSigResp) + VerifyXMLSignatureResponse verifyXMLSigResp, + boolean useUTC) throws ConfigurationException, BuildException { IdentityLink identityLink = session.getIdentityLink(); @@ -1836,7 +1860,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { authData.setMinorVersion(0); authData.setAssertionID(Random.nextRandom()); authData.setIssuer(session.getAuthURL()); - authData.setIssueInstant(DateTimeUtils.buildDateTime(Calendar.getInstance())); + authData.setIssueInstant(DateTimeUtils.buildDateTime(Calendar.getInstance(), useUTC)); authData.setIdentificationType(identityLink.getIdentificationType()); authData.setGivenName(identityLink.getGivenName()); authData.setFamilyName(identityLink.getFamilyName()); @@ -1845,6 +1869,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); authData.setPublicAuthorityCode(verifyXMLSigResp.getPublicAuthorityCode()); authData.setBkuURL(session.getBkuURL()); + authData.setUseUTC(oaParam.getUseUTC()); boolean provideStammzahl = oaParam.getProvideStammzahl(); if (provideStammzahl) { authData.setIdentificationValue(identityLink.getIdentificationValue()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index 260b3fd01..f3be98ef0 100644 
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -43,6 +43,8 @@ public interface MOAIDAuthConstants { public static final String PARAM_OA = "OA"; /** servlet parameter "bkuURI" */ public static final String PARAM_BKU = "bkuURI"; + /** servlet parameter "sourceID" */ + public static final String PARAM_SOURCEID = "sourceID"; /** servlet parameter "BKUSelectionTemplate" */ public static final String PARAM_BKUTEMPLATE = "BKUSelectionTemplate"; /** servlet parameter "BKUSelectionTemplate" */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java index 8af4e3af5..410d045f0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java @@ -57,6 +57,11 @@ public class AuthenticationAssertionBuilder { " " + NL + " {2}" + NL + " "+ NL; + + protected static String SAML_ATTRIBUTE_NO_NAMESPACE = + " " + NL + + " {1}" + NL + + " "+ NL; /** * Empty constructor 
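Review bot: `protected static String SAML_ATTRIBUTE_NO_NAMESPACE` in the hunk at line 57 is a template constant but is not declared `final`, so any subclass can reassign it; write `protected static final String SAML_ATTRIBUTE_NO_NAMESPACE =`. The element markup of the template is not legible in this copy of the diff, so the `{0}`/`{1}` placeholder layout could not be checked against the arguments passed later.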
@@ -108,5 +113,26 @@ public class AuthenticationAssertionBuilder { } return sb.toString(); } + + /** + * Builds the SAML attributes to be appended to the AUTHBlock or to the SAML assertion + * delivered to the online application. + * The method traverses through the list of given SAML attribute objects and builds an + * XML structure (String representation) for each of the attributes. + * + * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock or + * to the SAML assertion delivered to the online application. + * @return A string representation including the XML structures of + * the SAML attributes. + * + * @throws ParseException If an error occurs on serializing an SAML attribute. + */ + protected String buildSourceIDSAMLAttributes(String sourceID) throws ParseException { + StringBuffer sb = new StringBuffer(); + if (sourceID!=null) + sb.append(MessageFormat.format( SAML_ATTRIBUTE_NO_NAMESPACE, new Object[] {"SourceID", sourceID})); + + return sb.toString(); + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java index 367116c73..7032e09eb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java @@ -69,9 +69,10 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB " " + NL + " {9}" + NL + " " + NL + - "{10}" + - "{11}" + + "{10}" + + "{11}" + "{12}" + + "{13}" + " " + NL + ""; @@ -103,9 +104,10 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB " " + NL + " {10}" + NL + " " + NL + - "{11}" + - "{12}" + + "{11}" + + "{12}" + "{13}" + + "{14}" + " " + NL + ""; /** 
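Review bot: The Javadoc on `buildSourceIDSAMLAttributes` in the hunk at line 108 is copied from `buildExtendedSAMLAttributes` and does not describe this method: it talks about traversing a list, documents `@param extendedSAMLAttributes` instead of `sourceID`, and declares `@throws ParseException` although nothing in the body throws it (`MessageFormat.format` does not), so the `throws ParseException` clause is spurious as well and forces a handler on every caller. Replace it with a two-line summary saying that it renders a single SourceID attribute, or the empty string when `sourceID` is null, with `@param sourceID` and `@return`. The value is inserted into the XML template verbatim although it originates from a request parameter; escape it for XML before formatting (or enforce a restricted identifier pattern upstream), which applies equally to the two `buildSourceIDSAMLAttributes(sourceID)` call sites in AuthenticationDataAssertionBuilder (hunks at lines 206 and 295).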
@@ -156,6 +158,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB String bkuURL, String signerCertificateBase64, boolean businessService, + String sourceID, List extendedSAMLAttributes) throws BuildException { @@ -195,6 +198,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB String assertion; try { + assertion = MessageFormat.format(AUTH_DATA, new Object[] { authData.getAssertionID(), authData.getIssuer(), @@ -206,6 +210,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB StringUtils.removeXMLDeclaration(xmlPersonData), isQualifiedCertificate, bkuURL, + buildSourceIDSAMLAttributes(sourceID), publicAuthorityAttribute, signerCertificateAttribute, buildExtendedSAMLAttributes(extendedSAMLAttributes)}); @@ -244,6 +249,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB String bkuURL, String signerCertificateBase64, boolean businessService, + String sourceID, List extendedSAMLAttributes) throws BuildException { @@ -295,6 +301,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB StringUtils.removeXMLDeclaration(xmlMandateData), isQualifiedCertificate, bkuURL, + buildSourceIDSAMLAttributes(sourceID), publicAuthorityAttribute, signerCertificateAttribute, buildExtendedSAMLAttributes(extendedSAMLAttributes)}); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 3ab8ff819..5a18b720b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java 
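Review bot: Both `build` overloads (hunks at lines 156 and 244) gain a `String sourceID` parameter, but neither hunk touches the methods' Javadoc, so unless it sits outside the hunks the parameter is undocumented; add `* @param sourceID optional SourceID attribute value, or null to omit the attribute`. The argument arrays at lines 206 and 295 are matched positionally against `{n}` placeholders and now carry one more entry each; the template markup is not legible in this copy, so I could not verify which slot SourceID occupies in AUTH_DATA versus the mandate template — a one-line comment above each array naming the placeholder order would make the mapping checkable.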
@@ -62,6 +62,11 @@ public class AuthenticationSession { * Friendly name for the target, if target is configured via MOA-ID configuration */ private String targetFriendlyName; + + /** + * SourceID + */ + private String sourceID; /** * Indicates if target from configuration is used or not */ @@ -155,7 +160,7 @@ public class AuthenticationSession { private boolean businessService; /** - * Signer certificate of the foreign citizen + * Signer certificate of the foreign citizen or for mandate mode */ private X509Certificate signerCertificate; /** @@ -212,11 +217,11 @@ public class AuthenticationSession { infoboxValidators = new ArrayList(); } - public X509Certificate getForeignSignerCertificate() { + public X509Certificate getSignerCertificate() { return signerCertificate; } - public void setForeignSignerCertificate(X509Certificate signerCertificate) { + public void setSignerCertificate(X509Certificate signerCertificate) { this.signerCertificate = signerCertificate; } @@ -284,6 +289,14 @@ public class AuthenticationSession { return target; } + /** + * Returns the sourceID. + * @return String + */ + public String getSourceID() { + return sourceID; + } + /** * Returns the target friendly name. * @return String @@ -332,6 +345,15 @@ public class AuthenticationSession { this.target = target; } } + + /** + * Sets the sourceID + * @param sourceID The sourceID to set + */ + public void setSourceID(String sourceID) { + this.sourceID = sourceID; + } + /** * Sets the target. If the target includes the target prefix, the prefix will be stripped off. * @param target The target to set diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetAuthenticationDataService.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetAuthenticationDataService.java index da5ad6ab9..b5c72ef9f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetAuthenticationDataService.java 
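Review bot: The new field's Javadoc `/** SourceID */` only repeats the name; since the value is a caller-supplied request parameter that is copied unchanged into the SAML assertion, say so: `/** Optional SourceID supplied as a StartAuthentication parameter; copied verbatim into the SAML assertion, null when not given. */`. The rename of `getForeignSignerCertificate` to `getSignerCertificate` widens the field's meaning to mandate mode, so the getter and setter Javadoc should state who stores it in each mode; that is not visible in this hunk.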
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetAuthenticationDataService.java @@ -87,6 +87,7 @@ public class GetAuthenticationDataService implements Constants { String statusMessageCode = null; String statusMessage = null; String samlAssertion = ""; + boolean useUTC = false; if (requests.length > 1) { // more than 1 request given as parameter statusCode = "samlp:Requester"; @@ -113,8 +114,11 @@ public class GetAuthenticationDataService implements Constants { requestID = request.getAttribute("RequestID"); String samlArtifact = DOMUtils.getText(samlArtifactElem); try { + AuthenticationData authData = AuthenticationServer.getInstance(). getAuthenticationData(samlArtifact); + + useUTC = authData.getUseUTC(); // success samlAssertion = authData.getSamlAssertion(); statusCode = "samlp:Success"; @@ -135,12 +139,13 @@ public class GetAuthenticationDataService implements Constants { } } try { - String responseID = Random.nextRandom(); - String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance()); + String responseID = Random.nextRandom(); + String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance(), useUTC); if (statusMessage == null) statusMessage = MOAIDMessageProvider.getInstance().getMessage(statusMessageCode, null); responses[0] = new SAMLResponseBuilder().build( responseID, requestID, issueInstant, statusCode, subStatusCode, statusMessage, samlAssertion); + } catch (MOAIDException e) { AxisFault fault = AxisFault.makeFault(e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java index ca3883dad..431af3c31 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java 
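Review bot: `useUTC` is only assigned after a successful `getAuthenticationData`, so every error response (`samlp:Requester` and the failed-lookup branch) still gets a local-time `IssueInstant` regardless of the online application's setting, while success responses honour it. If that asymmetry is intended, a comment on `boolean useUTC = false;` such as `// error responses carry no OA context, so they always use local time` would stop the next reader from treating it as a bug. If `getAuthenticationData` can return null rather than throw, `authData.getUseUTC()` would NPE before the existing error handling runs; I cannot see its contract from here.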
@@ -79,21 +79,22 @@ public class StartAuthenticationServlet extends AuthServlet { authURL = authURL.concat(req.getContextPath() + "/"); String target = req.getParameter(PARAM_TARGET); + String sourceID = req.getParameter(PARAM_SOURCEID); String oaURL = req.getParameter(PARAM_OA); String bkuURL = req.getParameter(PARAM_BKU); String templateURL = req.getParameter(PARAM_TEMPLATE); String sessionID = req.getParameter(PARAM_SESSIONID); String useMandate = req.getParameter(PARAM_USEMANDATE); - // escape parameter strings target = StringEscapeUtils.escapeHtml(target); + sourceID = StringEscapeUtils.escapeHtml(sourceID); oaURL = StringEscapeUtils.escapeHtml(oaURL); bkuURL = StringEscapeUtils.escapeHtml(bkuURL); templateURL = StringEscapeUtils.escapeHtml(templateURL); sessionID = StringEscapeUtils.escapeHtml(sessionID); useMandate = StringEscapeUtils.escapeHtml(useMandate); - + resp.setHeader(HEADER_EXPIRES,HEADER_VALUE_EXPIRES); resp.setHeader(HEADER_PRAGMA,HEADER_VALUE_PRAGMA); resp.setHeader(HEADER_CACHE_CONTROL,HEADER_VALUE_CACHE_CONTROL); @@ -111,7 +112,9 @@ public class StartAuthenticationServlet extends AuthServlet { if (!ParamValidatorUtils.isValidSessionID(sessionID)) throw new WrongParametersException("StartAuthentication", PARAM_SESSIONID, "auth.12"); if (!ParamValidatorUtils.isValidUseMandate(useMandate)) - throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12"); + throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12"); + if (!ParamValidatorUtils.isValidSourceID(sourceID)) + throw new WrongParametersException("StartAuthentication", PARAM_SOURCEID, "auth.12"); OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oaURL); 
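Review bot: `sourceID` is HTML-escaped before it is validated, and the validator (`[\w-_]{1,50}`) rejects every character that `escapeHtml` would rewrite, so for this parameter the escape is effectively dead and the regex is the real guard — worth a comment, because the value ends up in XML, not HTML, and HTML escaping would be the wrong tool if the regex were ever relaxed: `// sourceID is later embedded in the SAML assertion; isValidSourceID is the effective guard`. The validation order is otherwise fine: the check runs before the OA lookup and before the value is handed to `startAuthentication`. The enclosing `doGet` continues beyond the hunk.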
@@ -130,11 +133,11 @@ public class StartAuthenticationServlet extends AuthServlet { if (!ParamValidatorUtils.isValidTarget(target)) throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); - getIdentityLinkForm = AuthenticationServer.getInstance().startAuthentication(authURL, target, null, oaURL, templateURL, bkuURL, useMandate, sessionID, req.getScheme()); + getIdentityLinkForm = AuthenticationServer.getInstance().startAuthentication(authURL, target, null, oaURL, templateURL, bkuURL, useMandate, sessionID, req.getScheme(), sourceID); } else { // use target from config - getIdentityLinkForm = AuthenticationServer.getInstance().startAuthentication(authURL, targetConfig, targetFriendlyNameConfig, oaURL, templateURL, bkuURL, useMandate, sessionID, req.getScheme()); + getIdentityLinkForm = AuthenticationServer.getInstance().startAuthentication(authURL, targetConfig, targetFriendlyNameConfig, oaURL, templateURL, bkuURL, useMandate, sessionID, req.getScheme(), sourceID); } resp.setContentType("text/html;charset=UTF-8"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java index f7f9d8fed..17cbe7a3d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java 
@@ -24,26 +24,40 @@ package at.gv.egovernment.moa.id.auth.servlet; +import iaik.pki.PKIException; +import iaik.x509.X509Certificate; + import java.io.IOException; +import java.security.GeneralSecurityException; import java.util.Map; +import javax.net.ssl.SSLSocketFactory; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.xml.transform.TransformerException; import org.apache.commons.fileupload.FileUploadException; import org.apache.commons.lang.StringEscapeUtils; +import org.w3c.dom.Element; +import at.gv.egovernment.moa.id.AuthenticationException; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.WrongParametersException; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; -import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilderCertificate; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.config.ConnectionParameter; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; -import at.gv.egovernment.moa.id.util.ServletUtils; +import at.gv.egovernment.moa.id.util.SSLUtils; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISSessionId; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClientException; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.URLEncoder; /** 
@@ -143,27 +157,31 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { String samlArtifactBase64 = AuthenticationServer.getInstance().verifyAuthenticationBlock(sessionID, createXMLSignatureResponse); + if (samlArtifactBase64 == null) { //mandate Mode + + callMISService(session, req, resp); - Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate."); + //Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate."); - String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true); + //String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true); // build dataurl - String dataurl = - new DataURLBuilder().buildDataURL( - session.getAuthURL(), - REQ_VERIFY_CERTIFICATE, - session.getSessionID()); +// String dataurl = +// new DataURLBuilder().buildDataURL( +// session.getAuthURL(), +// REQ_VERIFY_CERTIFICATE, +// session.getSessionID()); //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)"); //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); - Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)"); - ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); + //Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)"); + //ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); } + if (!samlArtifactBase64.equals("Redirect to Input Processor")) { redirectURL = session.getOAURLRequested(); if (!session.getBusinessService()) { 
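Review bot: After `callMISService(session, req, resp)` the method falls through to `samlArtifactBase64.equals("Redirect to Input Processor")` with `samlArtifactBase64` still null, so in mandate mode the 302 prepared by `callMISService` is followed by a NullPointerException unless something in the part of the method outside this hunk prevents it; add `return;` directly after the call. The block of commented-out InfoboxReadRequest code should be deleted rather than kept, the commit message already records the change of approach. The enclosing method starts and ends outside the hunk.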
@@ -187,6 +205,78 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { } } + + /** + * Calls the MIS Service + * @param session + * @throws IOException + */ + private void callMISService(AuthenticationSession session, HttpServletRequest req, HttpServletResponse resp) throws IOException { + + try { + AuthConfigurationProvider authConf= AuthConfigurationProvider.getInstance(); + ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter(); + SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters); + + // get identitity link as byte[] + Element elem = session.getIdentityLink().getSamlAssertion(); + String s = DOMUtils.serializeNode(elem); + + System.out.println("IDL: " + s); + + byte[] idl = s.getBytes(); + + // redirect url + // build redirect(to the GetMISSessionIdSerlvet) + String redirectURL = + new DataURLBuilder().buildDataURL( + session.getAuthURL(), + GET_MIS_SESSIONID, + session.getSessionID()); + + String oaURL = session.getOAURLRequested(); + OAAuthParameter oaParam = authConf.getOnlineApplicationParameter(oaURL); + String profiles = oaParam.getMandateProfiles(); + + if (profiles == null) { + Logger.error("No Mandate/Profile for OA configured."); + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}); + } + + String profilesArray[] = profiles.split(","); + for(int i = 0; i < profilesArray.length; i++) { + profilesArray[i] = profilesArray[i].trim(); + } + + String oaFriendlyName = oaParam.getFriendlyName(); + String mandateReferenceValue = session.getMandateReferenceValue(); + X509Certificate cert = session.getSignerCertificate(); + MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), oaFriendlyName, redirectURL, mandateReferenceValue, profilesArray, sslFactory); + String redirectMISGUI = misSessionID.getRedirectURL(); + + if (misSessionID == null) { + 
Logger.error("Fehler bei Anfrage an Vollmachten Service. MIS Session ID ist null."); + throw new MISSimpleClientException("Fehler bei Anfrage an Vollmachten Service."); + } + + session.setMISSessionID(misSessionID.getSessiondId()); + + resp.setStatus(302); + resp.addHeader("Location", redirectMISGUI); + Logger.debug("REDIRECT TO: " + redirectURL); + } + catch (MOAIDException ex) { + handleError(null, ex, req, resp); + } catch (GeneralSecurityException ex) { + handleError(null, ex, req, resp); + } catch (PKIException e) { + handleError(null, e, req, resp); + } catch (MISSimpleClientException e) { + handleError(null, e, req, resp); + } catch (TransformerException e) { + handleError(null, e, req, resp); + } + } /** * Adds a parameter to a URL. * @param url the URL diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java index acf8b0b64..27f956c40 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java 
@@ -146,56 +146,8 @@ public class VerifyCertificateServlet extends AuthServlet { if (useMandate) { - // Mandate Modus - // make request to MIS - - AuthConfigurationProvider authConf= AuthConfigurationProvider.getInstance(); - ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter(); - SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters); - - // get identitity link as byte[] - Element elem = session.getIdentityLink().getSamlAssertion(); - String s = DOMUtils.serializeNode(elem); - byte[] idl = s.getBytes(); - - // redirect url - // build redirect(to the GetMISSessionIdSerlvet) - String redirectURL = - new DataURLBuilder().buildDataURL( - session.getAuthURL(), - GET_MIS_SESSIONID, - session.getSessionID()); - - String oaURL = session.getOAURLRequested(); - OAAuthParameter oaParam = authConf.getOnlineApplicationParameter(oaURL); - String profiles = oaParam.getMandateProfiles(); - - if (profiles == null) { - Logger.error("No Mandate/Profile for OA configured."); - throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}); - } - - String profilesArray[] = profiles.split(","); - for(int i = 0; i < profilesArray.length; i++) { - profilesArray[i] = profilesArray[i].trim(); - } - - String oaFriendlyName = oaParam.getFriendlyName(); - String mandateReferenceValue = session.getMandateReferenceValue(); - MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), oaFriendlyName, redirectURL, mandateReferenceValue, profilesArray, sslFactory); - String redirectMISGUI = misSessionID.getRedirectURL(); - - if (misSessionID == null) { - Logger.error("Fehler bei Anfrage an Vollmachten Service. 
MIS Session ID ist null."); - throw new MISSimpleClientException("Fehler bei Anfrage an Vollmachten Service."); - } - - session.setMISSessionID(misSessionID.getSessiondId()); - - resp.setStatus(302); - resp.addHeader("Location", redirectMISGUI); - Logger.debug("REDIRECT TO: " + redirectURL); - + Logger.error("Online-Mandate Mode for foreign citizencs not supported."); + throw new AuthenticationException("auth.13", null); } else { // Foreign Identities Modus @@ -218,15 +170,7 @@ public class VerifyCertificateServlet extends AuthServlet { } catch (MOAIDException ex) { handleError(null, ex, req, resp); - } catch (GeneralSecurityException ex) { - handleError(null, ex, req, resp); - } catch (PKIException e) { - handleError(null, e, req, resp); - } catch (MISSimpleClientException e) { - handleError(null, e, req, resp); - } catch (TransformerException e) { - handleError(null, e, req, resp); - } + } } /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java index 6d4a21674..fc5d82936 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java @@ -150,7 +150,7 @@ public class VerifyIdentityLinkServlet extends AuthServlet { // create the InfoboxReadRequest to get the certificate String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true); - // build dataurl (to the GetForeignIDSerlvet) + // build dataurl (to the VerifyCertificateSerlvet) String dataurl = new DataURLBuilder().buildDataURL( session.getAuthURL(), 
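Review bot: The new error log reads `Online-Mandate Mode for foreign citizencs not supported.`; fix the typo (`citizens`) before it lands in production logs that operators grep. With the MIS call removed from this servlet, the imports for `SSLSocketFactory`, `ConnectionParameter`, `MISSimpleClient`, `MISSessionId`, `PKIException`, `TransformerException` and `GeneralSecurityException` are presumably now unused here, but the import block is outside the hunk, so confirm before removing. A one-line comment stating why foreign citizens cannot use online mandates (`// mandate lookup requires an Austrian identity link`) would make the rejection self-explanatory, if that is indeed the reason.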
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java index 7fe85cfae..8cc51bf93 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java @@ -579,6 +579,7 @@ public class ConfigurationBuilder { oap.setProvideIdentityLink(BoolUtils.valueOf(authComponent.getAttribute("provideIdentityLink"))); oap.setProvideCertificate(BoolUtils.valueOf(authComponent.getAttribute("provideCertificate"))); oap.setProvideFullMandatorData(BoolUtils.valueOf(authComponent.getAttribute("provideFullMandatorData"))); + oap.setUseUTC(BoolUtils.valueOf(authComponent.getAttribute("useUTC"))); oap.setBkuSelectionTemplateURL(buildTemplateURL(authComponent, OA_AUTH_COMPONENT_BKUSELECT_TEMPLATE_XPATH, bkuSelectionTemplateURL)); oap.setTemplateURL(buildTemplateURL(authComponent, OA_AUTH_COMPONENT_TEMPLATE_XPATH, templateURL)); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index f85666acf..65e21cbce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -84,6 +84,9 @@ public class OAAuthParameter extends OAParameter { * determines whether the full mandator data (i.e. the mandate) is to be included in the authentication data */ private boolean provideFullMandatorData; + + /** determines wheter the IssueInstant of the SAML assertion is in UTC or not*/ + private boolean useUTC; /** * url to a template for web page "Auswahl der Bürgerkartenumgebung" */ 
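Review bot: `useUTC` is an optional attribute, and `authComponent.getAttribute("useUTC")` returns an empty string when it is absent; whether that maps to `false` depends on `BoolUtils.valueOf`, which is not visible here, so the default should be stated next to the call: `// optional; absent attribute is treated as false (local time) — confirm BoolUtils.valueOf("")`. The enclosing configuration method starts and ends outside the hunk.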
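Review bot: The field comment `determines wheter the IssueInstant of the SAML assertion is in UTC or not` has a typo and does not say what the alternative is; use `/** Whether the IssueInstant of the SAML assertion is rendered in UTC (true) or in the server's local time zone (false). */`. The remaining fields in this class follow the same one-line Javadoc style, so keep it to that form.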
@@ -191,6 +194,14 @@ public class OAAuthParameter extends OAParameter { return provideFullMandatorData; } + /** + * Returns true if the IssueInstant should be given in UTC, otherwise false. + * @return true if the IssueInstant should be given in UTC, otherwise false. + */ + public boolean getUseUTC() { + return useUTC; + } + /** * Returns the key box identifier. @@ -305,6 +316,16 @@ public class OAAuthParameter extends OAParameter { public void setProvideFullMandatorData(boolean provideFullMandatorData) { this.provideFullMandatorData = provideFullMandatorData; } + + /** + * Sets the useUTC variable. + * @param useUTC The useUTC value to set + */ + public void setUseUTC(boolean useUTC) { + this.useUTC = useUTC; + } + + /** * Sets the key box identifier. diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index 44eb98dad..79f3b4e30 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -107,6 +107,9 @@ public class AuthenticationData { * the corresponding lt;saml:Assertion> */ private String samlAssertion; + + /** useUTC */ + private boolean useUTC; /** * creation timestamp */ @@ -166,6 +169,14 @@ public class AuthenticationData { public String getWBPK() { return wbPK; } + + /** + * Returns useUTC + * @return useUTC + */ + public boolean getUseUTC() { + return useUTC; + } /** * Sets the minorVersion. @@ -215,6 +226,10 @@ public class AuthenticationData { this.wbPK = wbPK; } + public void setUseUTC(boolean useUTC) { + this.useUTC = useUTC; + } + /** * Returns the assertionID. * @return String 
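Review bot: `AuthenticationData.setUseUTC` is the only new accessor in this hunk without Javadoc, while `getUseUTC` next to it has one; add `/** Sets whether the IssueInstant of responses for this authentication is rendered in UTC. @param useUTC true for UTC, false for local time */`. The value is read by `GetAuthenticationDataService` when building the SAML response, which is worth mentioning so the flag is not mistaken for a per-assertion setting only.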
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/builder/SAMLRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/builder/SAMLRequestBuilder.java index 5ce952662..2493f42b8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/builder/SAMLRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/builder/SAMLRequestBuilder.java @@ -63,7 +63,7 @@ public class SAMLRequestBuilder implements Constants { */ public Element build(String requestID, String samlArtifactBase64) throws BuildException { try { - String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance()); + String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance(), true); String request = MessageFormat.format(REQUEST, new Object[] {requestID, issueInstant, samlArtifactBase64}); Element requestElem = DOMUtils.parseDocument(request, false, ALL_SCHEMA_LOCATIONS, null).getDocumentElement(); return requestElem; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index 8c3bccab3..fa220d13d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java 
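Review bot: The proxy's SAML request now calls `DateTimeUtils.buildDateTime(Calendar.getInstance(), true)` with a hard-coded `true`, whereas the authentication side takes the flag from the per-OA `useUTC` setting; this silently switches every proxy deployment to UTC `IssueInstant`s and is not mentioned in the commit message. If the proxy has no OA context to consult, say so on the line: `// proxy requests have no OA configuration; always use UTC`. Otherwise the flag should come from configuration like the other call sites.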
@@ -75,6 +75,36 @@ public class ParamValidatorUtils { return false; } + } + + /** + * Checks if the given target is valid + * @param sourceID HTTP parameter from request + * @return + */ + public static boolean isValidSourceID(String sourceID) { + + Logger.debug("Überprüfe Parameter sourceID"); + + // if non parameter is given return true + if (sourceID == null) { + Logger.debug("Parameter Target ist null"); + return true; + } + + + Pattern pattern = Pattern.compile("[\\w-_]{1,50}"); + Matcher matcher = pattern.matcher(sourceID); + boolean b = matcher.matches(); + if (b) { + Logger.debug("Parameter sourceID erfolgreich überprüft"); + return true; + } + else { + Logger.error("Fehler Überprüfung Parameter sourceID. SourceID entspricht nicht den Kriterien (nur Zeichen a-z, A-Z, - und _, sowie 1-50 Zeichen lang)"); + return false; + } + } /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java index 1181253f1..620919c61 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java @@ -149,7 +149,8 @@ public class MISSimpleClient { Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument(); Element mirElement = doc.createElementNS(MIS_NS, "MandateIssueRequest"); Element idlElement = doc.createElementNS(MIS_NS, "IdentityLink"); - + + idlElement.appendChild(doc.createTextNode(new String(Base64.encodeBase64(idl)))); mirElement.appendChild(idlElement); 
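Review bot: `isValidSourceID` carries copy-paste text from the target validator: the Javadoc says `Checks if the given target is valid` and the null branch logs `Parameter Target ist null`; change them to `Checks if the given sourceID is valid` and `Parameter sourceID ist null`. The character class `[\\w-_]` works in `java.util.regex` only because the engine treats the `-` after a shorthand as a literal, which other engines do not, and the error message claims `nur Zeichen a-z, A-Z, - und _` while `\w` also admits digits; write it unambiguously as `private static final Pattern SOURCE_ID_PATTERN = Pattern.compile("[A-Za-z0-9_-]{1,50}");` at class level and mention digits in the message. Compiling the pattern on every request is also avoidable with that constant.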
@@ -237,7 +238,18 @@ public class MISSimpleClient { } } - private static Element sendSOAPRequest(String webServiceURL, Element request) throws MISSimpleClientException { + private static Element sendSOAPRequest(String webServiceURL, Element request) throws MISSimpleClientException { + +// try { +// System.out.println("REQUEST-MIS: \n" + DOMUtils.serializeNode(request)); +// } catch (TransformerException e1) { +// // TODO Auto-generated catch block +// e1.printStackTrace(); +// } catch (IOException e1) { +// // TODO Auto-generated catch block +// e1.printStackTrace(); +// } + if (webServiceURL == null) { throw new NullPointerException("Argument webServiceURL must not be null."); } @@ -249,7 +261,8 @@ public class MISSimpleClient { PostMethod post = new PostMethod(webServiceURL); StringRequestEntity re = new StringRequestEntity(DOMUtils.serializeNode(packIntoSOAP(request)),"text/xml", "UTF-8"); post.setRequestEntity(re); - int responseCode = httpclient.executeMethod(post); + int responseCode = httpclient.executeMethod(post); + if (responseCode != 200) { throw new MISSimpleClientException("Invalid HTTP response code " + responseCode); } diff --git a/id/server/idserverlib/src/test/java/test/abnahme/A/Test100StartAuthentication.java b/id/server/idserverlib/src/test/java/test/abnahme/A/Test100StartAuthentication.java index fcf7477c5..818773794 100644 --- a/id/server/idserverlib/src/test/java/test/abnahme/A/Test100StartAuthentication.java +++ b/id/server/idserverlib/src/test/java/test/abnahme/A/Test100StartAuthentication.java @@ -47,7 +47,7 @@ public class Test100StartAuthentication extends AbnahmeTestCase { "http://localhost:9080/", //oaURL "file:" + findXmldata("AuthTemplate.html"), "http://localhost:3495/http-security-layer-request", - null, null, null); + null, null, null, null); htmlForm = killExclusive(htmlForm, "MOASessionID=","\"","DELETED"); //writeXmldata("htmlForm_out.html",htmlForm.getBytes("UTF-8")); assertEquals(readXmldata("htmlForm.html"),htmlForm); 
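Review bot: The commented-out block at the top of `sendSOAPRequest` would, if re-enabled, print the full `MandateIssueRequest` — including the Base64 identity link — to stdout with `System.out.println`, and its `e1.printStackTrace()` handlers are IDE boilerplate; delete the block rather than keep it as a latent debugging aid. If request tracing is needed, route it through `Logger.debug` behind a level check so personal data never reaches the console by default. The remaining changes in this file are whitespace only.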
@@ -66,7 +66,7 @@ public class Test100StartAuthentication extends AbnahmeTestCase { null, "http://localhost:9080/", //oaURL null, - "http://localhost:3495/http-security-layer-request", null, null, null); + "http://localhost:3495/http-security-layer-request", null, null, null, null); htmlForm = killExclusive(htmlForm, "MOASessionID=","\"","DELETED"); //writeXmldata("htmlForm_out.html",htmlForm.getBytes("UTF-8")); assertEquals(readXmldata("htmlForm.html"),htmlForm); @@ -87,7 +87,7 @@ public class Test100StartAuthentication extends AbnahmeTestCase { "file:" + findXmldata("AuthTemplate.html"), null, null, - null, null); + null, null, null); htmlForm = killExclusive(htmlForm, "MOASessionID=","\"","DELETED"); //writeXmldata("htmlForm_out.html",htmlForm.getBytes("UTF-8")); assertEquals(readXmldata("htmlForm.html"),htmlForm); @@ -106,7 +106,7 @@ public class Test100StartAuthentication extends AbnahmeTestCase { "gb", //target null, "http://localhost:9080/", //oaURL - null, null, null, null, null); + null, null, null, null, null, null); //assertEquals("",htmlForm); System.err.println(this.getName() + " hat KEINE FEHLER geworfen"); fail(this.getName() + " hat KEINE FEHLER geworfen"); @@ -126,7 +126,7 @@ public class Test100StartAuthentication extends AbnahmeTestCase { try { server.startAuthentication("http://localhost:8080/auth", //authURL "gb", null, "http://localhost:9080/", //oaURL - null, null, null, null, null); + null, null, null, null, null, null); System.err.println(this.getName() + " hat KEINE FEHLER geworfen"); fail(this.getName() + " hat KEINE FEHLER geworfen"); } @@ -144,7 +144,7 @@ public class Test100StartAuthentication extends AbnahmeTestCase { try { server.startAuthentication("https://localhost:8443/auth", //authURL "gb", null, "http://host_not_in_config/", //oaURL - null, null, null, null, null); + null, null, null, null, null, null); System.err.println(this.getName() + " hat KEINE FEHLER geworfen"); fail(this.getName() + " hat KEINE FEHLER geworfen"); } 
@@ -163,7 +163,7 @@ public class Test100StartAuthentication extends AbnahmeTestCase { try { server.startAuthentication("https://localhost:8443/auth", //authURL "gb", null, null, //oaURL - null, null, null, null, null); + null, null, null, null, null, null); System.err.println(this.getName() + " hat KEINE FEHLER geworfen"); fail(this.getName() + " hat KEINE FEHLER geworfen"); } @@ -182,7 +182,7 @@ public class Test100StartAuthentication extends AbnahmeTestCase { try { server.startAuthentication("https://localhost:8443/auth", //authURL null, null, "http://localhost:9080/", //oaURL - null, null, null, null, null); + null, null, null, null, null, null); System.err.println(this.getName() + " hat KEINE FEHLER geworfen"); fail(this.getName() + " hat KEINE FEHLER geworfen"); } diff --git a/id/server/idserverlib/src/test/java/test/abnahme/A/Test300VerifyAuthBlock.java b/id/server/idserverlib/src/test/java/test/abnahme/A/Test300VerifyAuthBlock.java index 6ebb3cf3e..d9cd13259 100644 --- a/id/server/idserverlib/src/test/java/test/abnahme/A/Test300VerifyAuthBlock.java +++ b/id/server/idserverlib/src/test/java/test/abnahme/A/Test300VerifyAuthBlock.java @@ -598,7 +598,7 @@ public class Test300VerifyAuthBlock extends AbnahmeTestCase { authData.setMinorVersion(0); authData.setAssertionID(Random.nextRandom()); authData.setIssuer(session.getAuthURL()); - authData.setIssueInstant(DateTimeUtils.buildDateTime(Calendar.getInstance())); + authData.setIssueInstant(DateTimeUtils.buildDateTime(Calendar.getInstance(), false)); String vpkBase64 = new BPKBuilder().buildBPK( identityLink.getIdentificationValue(), session.getTarget()); authData.setBPK(vpkBase64); 
@@ -619,7 +619,7 @@ public class Test300VerifyAuthBlock extends AbnahmeTestCase {
 oaParam.getProvideIdentityLink() ? DOMUtils.serializeNode(identityLink.getSamlAssertion()) : "";
 String authBlock = oaParam.getProvideAuthBlock() ? session.getAuthBlock() : "";
 String samlAssertion = new AuthenticationDataAssertionBuilder().build(
-authData, prPerson, authBlock, ilAssertion, session.getBkuURL(), "", false, null);
+authData, prPerson, authBlock, ilAssertion, session.getBkuURL(), "", false, null, null);
 authData.setSamlAssertion(samlAssertion);
 return authData;
 }
diff --git a/id/server/idserverlib/src/test/java/test/abnahme/A/Test600GetAuthenticationDataService.java b/id/server/idserverlib/src/test/java/test/abnahme/A/Test600GetAuthenticationDataService.java
index a66e6072c..fab258e09 100644
--- a/id/server/idserverlib/src/test/java/test/abnahme/A/Test600GetAuthenticationDataService.java
+++ b/id/server/idserverlib/src/test/java/test/abnahme/A/Test600GetAuthenticationDataService.java
@@ -228,7 +228,7 @@ public class Test600GetAuthenticationDataService extends AbnahmeTestCase {
String request = "" + + DateTimeUtils.buildDateTime(Calendar.getInstance(), false)+"\">" + ""; Element samlPRequest = DOMUtils.parseDocument(request, false, ALL_SCHEMA_LOCATIONS, null).getDocumentElement();
diff --git a/id/server/idserverlib/src/test/java/test/abnahme/AbnahmeTestCase.java b/id/server/idserverlib/src/test/java/test/abnahme/AbnahmeTestCase.java
index 69f33f82c..8e38c7673 100644
--- a/id/server/idserverlib/src/test/java/test/abnahme/AbnahmeTestCase.java
+++ b/id/server/idserverlib/src/test/java/test/abnahme/AbnahmeTestCase.java
@@ -142,7 +142,7 @@ public class AbnahmeTestCase extends MOAIDTestCase {
 null,
 null,
 null,
-null);
+null, null);
 String sessionID = parseSessionIDFromForm(htmlForm);
 return sessionID;
 }
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/AuthenticationServerTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/AuthenticationServerTest.java
index 052c1fed4..187f577a3 100644
--- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/AuthenticationServerTest.java
+++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/AuthenticationServerTest.java
@@ -54,7 +54,7 @@ public class AuthenticationServerTest extends UnitTestCase {
 public void doTest(String testdataDirectory, String authURL, String target, String oaURL, String bkuURL, String templateURL) throws Exception {
 String testdataRoot = TESTDATA_ROOT + "xmldata/" + testdataDirectory + "/";
 AuthenticationServer server = AuthenticationServer.getInstance();
-String htmlForm = server.startAuthentication(authURL, target, null, oaURL, templateURL, bkuURL, null, null, null);
+String htmlForm = server.startAuthentication(authURL, target, null, oaURL, templateURL, bkuURL, null, null, null, null);
 String sessionID = parseSessionIDFromForm(htmlForm);
 String infoboxReadResponse = readFile(TESTDATA_ROOT + "xmldata/testperson1/" + "InfoboxReadResponse.xml");
 HashMap parameters = new HashMap(1);
-- cgit v1.2.3
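Review bot: `doTest(...)` keeps its six-parameter signature while the `startAuthentication` call it wraps gains a tenth argument that is fixed to `null`, so no test routed through this helper can exercise the parameter the commit adds. An overload such as `public void doTest(String testdataDirectory, String authURL, String target, String oaURL, String bkuURL, String templateURL, String sourceID) throws Exception`, with the existing signature delegating `null`, keeps current callers working and lets a test assert on the value's appearance in the produced form or assertion; the name `sourceID` follows the commit message and should match whatever the production signature actually uses. A short comment on the call naming the `null` arguments would also help, since positional `null`s give a reader no hint which optional inputs are being left empty. `doTest` continues past the hunk.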
