From ad40ae9233c5f2a32c983962d655e686af546677 Mon Sep 17 00:00:00 2001
From: Thomas Knall
Date: Thu, 22 Jan 2015 12:13:07 +0100
Subject: Add mandate process support (MOAID-60).
- Refactor moa-id auth web.xml
-- Group the servlets with their corresponding mappings.
-- Replace servlets for mappings "/GetMISSessionID", "/VerifyAuthBlock", "/VerifyCertificate" and "/VerifyIdentityLink".
-- Remove disabled declarations.
- Replace link http://jigsaw.w3.org/css-validator/images/vcss-blue with https://... within the internal templates (loginFormFull.html, sendAssertionFormFull.html, ...).
- Set classes deprecated: GetMISSessionIDServlet, VerifyCertificateServlet
- ProcessEngineSignalServlet: make GET delegate to PUT
- Replace some "implements MOAIDAuthConstants" with "import static MOAIDAuthConstants.*".
- Add detailed Javadoc to *Task.java.
- Update DefaultAuthentication.process.xml for mandate
- Add GetMISSessionIDTask and VerifyCertificateTask.
- Add adapter class for iaik.IAIKRuntimeException in order to satisfy some library's bogus dependencies.
---
id/server/auth/src/main/webapp/WEB-INF/web.xml | 272 +++++-------------
.../htmlTemplates/loginFormFull.html | 2 +-
.../htmlTemplates/sendAssertionFormFull.html | 2 +-
.../conf/moa-id/htmlTemplates/loginFormFull.html | 2 +-
.../htmlTemplates/sendAssertionFormFull.html | 2 +-
.../conf/moa-id/htmlTemplates/slo_template.html | 2 +-
id/server/doc/htmlTemplates/BKU-selection.html | 2 +-
id/server/doc/htmlTemplates/sendAssertion.html | 2 +-
.../id/auth/servlet/GetMISSessionIDServlet.java | 7 +-
.../auth/servlet/ProcessEngineSignalServlet.java | 39 ++-
.../id/auth/servlet/VerifyCertificateServlet.java | 9 +-
.../moa/id/auth/tasks/AbstractAuthServletTask.java | 68 ++---
.../id/auth/tasks/CreateIdentityLinkFormTask.java | 36 +++
.../moa/id/auth/tasks/GetMISSessionIDTask.java | 182 ++++++++++++
.../auth/tasks/VerifyAuthenticationBlockTask.java | 56 ++--
.../moa/id/auth/tasks/VerifyCertificateTask.java | 166 +++++++++++
.../moa/id/auth/tasks/VerifyIdentityLinkTask.java | 319 +++++++++++----------
.../protocols/pvp2x/exceptions/loginFormFull.html | 2 +-
.../src/main/java/iaik/IAIKRuntimeException.java | 18 ++
.../processes/DefaultAuthentication.process.xml | 23 +-
.../resources/templates/loginFormFull.html | 2 +-
.../resources/templates/sendAssertionFormFull.html | 2 +-
.../resources/templates/slo_template.html | 2 +-
23 files changed, 769 insertions(+), 448 deletions(-)
create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/GetMISSessionIDTask.java
create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyCertificateTask.java
create mode 100644 id/server/idserverlib/src/main/java/iaik/IAIKRuntimeException.java
diff --git a/id/server/auth/src/main/webapp/WEB-INF/web.xml b/id/server/auth/src/main/webapp/WEB-INF/web.xml
index 477cce57b..1dd3b7a40 100644
--- a/id/server/auth/src/main/webapp/WEB-INF/web.xml
+++ b/id/server/auth/src/main/webapp/WEB-INF/web.xml
@@ -36,41 +36,67 @@
requestContextFilter
/*
+
+
+ UrlRewriteFilter
+ org.tuckey.web.filters.urlrewrite.UrlRewriteFilter
+
+
+ UrlRewriteFilter
+ /*
+
-
-
Generate BKU Request template
GenerateIframeTemplate
GenerateIframeTemplate
at.gv.egovernment.moa.id.auth.servlet.GenerateIFrameTemplateServlet
+
+ GenerateIframeTemplate
+ /GenerateIframeTemplate
+
+
RedirectServlet
RedirectServlet
at.gv.egovernment.moa.id.auth.servlet.RedirectServlet
+
+ RedirectServlet
+ /RedirectServlet
+
+
MonitoringServlet
MonitoringServlet
at.gv.egovernment.moa.id.auth.servlet.MonitoringServlet
+
+ MonitoringServlet
+ /MonitoringServlet
+
+
SSOSendAssertionServlet
SSOSendAssertionServlet
at.gv.egovernment.moa.id.auth.servlet.SSOSendAssertionServlet
-
+
+
+ SSOSendAssertionServlet
+ /SSOSendAssertionServlet
+
+
SSO LogOut
LogOut
LogOut
at.gv.egovernment.moa.id.auth.servlet.LogOutServlet
+
+ LogOut
+ /LogOut
+
IDP Single LogOut Service
@@ -78,25 +104,10 @@
IDPSLO
at.gv.egovernment.moa.id.auth.servlet.IDPSingleLogOutServlet
-
-
- Verify identity link coming from security layer
- VerifyIdentityLink
- VerifyIdentityLink
- at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet
-
-
- Verify the certificate coming from security layer
- VerifyCertificate
- VerifyCertificate
- at.gv.egovernment.moa.id.auth.servlet.VerifyCertificateServlet
-
-
- Get the MIS session ID coming from security layer
- GetMISSessionID
- GetMISSessionID
- at.gv.egovernment.moa.id.auth.servlet.GetMISSessionIDServlet
-
+
+ IDPSLO
+ /idpSingleLogout
+
Gets the foreign eID from security layer
@@ -104,223 +115,84 @@
GetForeignID
at.gv.egovernment.moa.id.auth.servlet.GetForeignIDServlet
-
-
- Verify AUTH block coming from security layer
- VerifyAuthBlock
- VerifyAuthBlock
- at.gv.egovernment.moa.id.auth.servlet.VerifyAuthenticationBlockServlet
-
-
+
+ GetForeignID
+ /GetForeignID
+
+
Apache-Axis Servlet
AxisServlet
org.apache.axis.transport.http.AxisServlet
+
+ AxisServlet
+ /services/*
+
-
-
- Servlet receiving STORK SAML Response Messages from
- different C-PEPS
+ Servlet receiving STORK SAML Response Messages from different C-PEPS
PEPSConnectorServlet
PEPSConnectorServlet
-
- at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet
+ at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet
+
+ PEPSConnectorServlet
+ /PEPSConnector
+
+
- Servlet receiving STORK SAML Response Messages from
- different C-PEPS
+ Servlet receiving STORK SAML Response Messages from different C-PEPS
PEPSConnectorWithLocalSigningServlet
PEPSConnectorWithLocalSigningServlet
-
- at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet
+ at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet
-
-
+
+ PEPSConnectorWithLocalSigningServlet
+ /PEPSConnectorWithLocalSigning
+
+
Dispatcher Servlet
DispatcherServlet
at.gv.egovernment.moa.id.entrypoints.DispatcherServlet
1
-
-
-
- at.gv.egovernment.moa.id.protocols.saml1.GetArtifactServlet
- at.gv.egovernment.moa.id.protocols.saml1.GetArtifactServlet
-
+
+ DispatcherServlet
+ /dispatcher
+
- Resumes a suspended process engine task.
+ Resumes a suspended process task.
ProcessEngineSignal
ProcessEngineSignal
at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet
-
-
-
-
- DispatcherServlet
- /dispatcher
-
-
-
-
-
-
-
-
-
-
- GenerateIframeTemplate
- /GenerateIframeTemplate
-
-
- RedirectServlet
- /RedirectServlet
-
-
- MonitoringServlet
- /MonitoringServlet
-
- SSOSendAssertionServlet
- /SSOSendAssertionServlet
-
-
- LogOut
- /LogOut
-
-
- IDPSLO
- /idpSingleLogout
-
-
-
ProcessEngineSignal
- /VerifyIdentityLink
-
-
- VerifyCertificate
- /VerifyCertificate
-
-
- GetMISSessionID
/GetMISSessionID
-
-
- GetForeignID
- /GetForeignID
-
-
-
-
-
-
- ProcessEngineSignal
/VerifyAuthBlock
+ /VerifyCertificate
+ /VerifyIdentityLink
-
-
- AxisServlet
- /services/*
-
-
- PEPSConnectorServlet
- /PEPSConnector
-
-
- PEPSConnectorWithLocalSigningServlet
- /PEPSConnectorWithLocalSigning
-
-
-
-
-
- UrlRewriteFilter
- org.tuckey.web.filters.urlrewrite.UrlRewriteFilter
-
-
-
- UrlRewriteFilter
- /*
-
-
5
+
500
/errorpage.jsp
-
+
BASIC
UserDatabase
-
- The role that is required to log in to the moa Application
-
+ The role that is required to log in to the moa Application
moa-admin
+
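Review bot: The four legacy paths `/GetMISSessionID`, `/VerifyAuthBlock`, `/VerifyCertificate` and `/VerifyIdentityLink` now all map to the single `ProcessEngineSignal` servlet (the mapping near the end of the hunk), so the request path no longer selects which verification step runs; whichever task is suspended in the process instance is resumed. That is acceptable only if every task re-validates what it receives rather than trusting the URL it was posted to, and it deserves a comment next to the mapping, e.g. `<!-- legacy BKU DataURLs: all resume the suspended process task; the task, not the path, decides what is verified -->`. This rendering has lost the XML tags, so the element nesting is inferred from indentation and line order.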
diff --git a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html
index ef070b8eb..d0af6401b 100644
--- a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html
+++ b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html
@@ -837,7 +837,7 @@
src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
diff --git a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/sendAssertionFormFull.html b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/sendAssertionFormFull.html
index b80d654cc..1a3e683de 100644
--- a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/sendAssertionFormFull.html
+++ b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/sendAssertionFormFull.html
@@ -608,7 +608,7 @@
diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html
index f19cc5320..5b534fca3 100644
--- a/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html
+++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html
@@ -837,7 +837,7 @@
src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/sendAssertionFormFull.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/sendAssertionFormFull.html
index b80d654cc..1a3e683de 100644
--- a/id/server/data/deploy/conf/moa-id/htmlTemplates/sendAssertionFormFull.html
+++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/sendAssertionFormFull.html
@@ -608,7 +608,7 @@
diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html
index 6cefe4054..9a621998c 100644
--- a/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html
+++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html
@@ -450,7 +450,7 @@
src="$contextpath/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
diff --git a/id/server/doc/htmlTemplates/BKU-selection.html b/id/server/doc/htmlTemplates/BKU-selection.html
index ef070b8eb..d0af6401b 100644
--- a/id/server/doc/htmlTemplates/BKU-selection.html
+++ b/id/server/doc/htmlTemplates/BKU-selection.html
@@ -837,7 +837,7 @@
src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
diff --git a/id/server/doc/htmlTemplates/sendAssertion.html b/id/server/doc/htmlTemplates/sendAssertion.html
index b80d654cc..1a3e683de 100644
--- a/id/server/doc/htmlTemplates/sendAssertion.html
+++ b/id/server/doc/htmlTemplates/sendAssertion.html
@@ -608,7 +608,7 @@
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
index 20c32a3ec..dd5253e77 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
@@ -67,6 +67,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.auth.tasks.GetMISSessionIDTask;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
import at.gv.egovernment.moa.id.config.ConnectionParameter;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
@@ -83,7 +84,7 @@ import at.gv.egovernment.moa.util.DOMUtils;
/**
* Servlet requested for getting the foreign eID provided by the security layer
* implementation. Utilizes the {@link AuthenticationServer}.
- *
+ * @deprecated Use {@link GetMISSessionIDTask} instead.
*/
public class GetMISSessionIDServlet extends AuthServlet {
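Review bot: The class gets a Javadoc `@deprecated` tag but no `@Deprecated` annotation on `public class GetMISSessionIDServlet extends AuthServlet {`, so javac will not warn at use sites and tools that key on the annotation will not see it; add `@Deprecated` on the line before the class declaration. The same applies to `VerifyCertificateServlet` later in this commit.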
@@ -136,6 +137,10 @@ public class GetMISSessionIDServlet extends AuthServlet {
Logger.debug("POST GetMISSessionIDServlet");
+ if (System.currentTimeMillis() > 0) {
+ throw new IllegalStateException(getClass().getName() + " should not be called any more.");
+ }
+
resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,
MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,
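Review bot: `if (System.currentTimeMillis() > 0)` is an always-true guard, presumably there so the rest of doPost is not rejected as unreachable code; a reader will take it for a real time check, so say so: `// always true; keeps javac from flagging the remaining body as unreachable`. Because the throw follows `Logger.debug("POST GetMISSessionIDServlet");`, every hit logs a normal POST and then surfaces as a container 500 carrying the class name; `resp.sendError(HttpServletResponse.SC_GONE, "...")` would tell a client the endpoint is withdrawn without a stack trace, although with the servlet declaration removed from web.xml in this commit the code is presumably unreachable anyway. The same guard is added to `VerifyCertificateServlet.doPost`, where the debug log line comes after the throw and is therefore dead.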
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessEngineSignalServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessEngineSignalServlet.java
index 1ea8631c6..849ccf5db 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessEngineSignalServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessEngineSignalServlet.java
@@ -17,19 +17,46 @@ import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import com.datentechnik.process_engine.ProcessInstance;
+/**
+ * Servlet that resumes a suspended process (in case of asynchronous tasks).
+ *
+ * @author tknall
+ *
+ */
public class ProcessEngineSignalServlet extends AuthServlet {
private static final long serialVersionUID = 1L;
+ /**
+ * Sets response headers that prevent caching (code taken from {@link AuthServlet}).
+ *
+ * @param resp
+ * The HttpServletResponse.
+ */
+ private void setNoCachingHeaders(HttpServletResponse resp) {
+ resp.setHeader(HEADER_EXPIRES, HEADER_VALUE_EXPIRES);
+ resp.setHeader(HEADER_PRAGMA, HEADER_VALUE_PRAGMA);
+ resp.setHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL);
+ resp.addHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL_IE);
+ }
+
+ /**
+ * Processes a GET request, delegating the call to {@link #doPost(HttpServletRequest, HttpServletResponse)}.
+ */
+ @Override
+ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+ this.doPost(req, resp);
+ }
+
+ /**
+ * Resumes the current process instance that has been suspended due to an asynchronous task. The process instance is
+ * retrieved from the MOA session referred to by the request parameter {@link MOAIDAuthConstants#PARAM_SESSIONID}.
+ */
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID));
- resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES, MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
- resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA, MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
- resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL, MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
- resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL, MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
-
+ setNoCachingHeaders(resp);
try {
// check parameter
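Review bot: `doGet` now delegates to `doPost`, which signals the process engine and so changes server state; GET is meant to be safe, and a session id carried in the query string ends up in access logs and Referer headers, so if GET is required by a redirect-based step of the BKU flow, state that in the Javadoc instead of the generic `Processes a GET request, delegating the call to ...` (the commit message says GET delegates to PUT, the code delegates to POST). The new private `setNoCachingHeaders` is documented as code taken from `AuthServlet`, which this class extends; if that base class exposes, or could expose, the same helper as `protected`, the copy can go. The rest of doPost continues outside the hunk.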
@@ -44,7 +71,7 @@ public class ProcessEngineSignalServlet extends AuthServlet {
if (session.getProcessInstanceId() == null) {
throw new IllegalStateException("MOA session does not provide process instance id.");
}
-
+
// wake up next task
ProcessInstance pi = getProcessEngine().getProcessInstance(session.getProcessInstanceId());
getProcessEngine().signal(pi);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
index a3397f561..36e219a97 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
@@ -65,6 +65,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.auth.tasks.VerifyCertificateTask;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
@@ -77,6 +78,7 @@ import at.gv.egovernment.moa.spss.util.CertificateUtils;
* Servlet requested for getting the foreign eID
* provided by the security layer implementation.
* Utilizes the {@link AuthenticationServer}.
+ * @deprecated Use {@link VerifyCertificateTask} instead.
*
*/
public class VerifyCertificateServlet extends AuthServlet {
@@ -124,6 +126,9 @@ public class VerifyCertificateServlet extends AuthServlet {
protected void doPost(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
+ if (System.currentTimeMillis() > 0) {
+ throw new IllegalStateException(getClass().getName() + " should not be called any more.");
+ }
Logger.debug("POST VerifyCertificateServlet");
resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
@@ -180,7 +185,8 @@ public class VerifyCertificateServlet extends AuthServlet {
throw new MOAIDException("session store error", null);
}
- ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyCertificate");
+ ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyCertificate");
+
}
else {
@@ -210,7 +216,6 @@ public class VerifyCertificateServlet extends AuthServlet {
ServletUtils.writeCreateXMLSignatureRequest(resp, session, createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "GetForeignID", dataurl);
-
Logger.debug("Send CreateXMLSignatureRequest to BKU");
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/AbstractAuthServletTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/AbstractAuthServletTask.java
index d43e8cf68..d5b869777 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/AbstractAuthServletTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/AbstractAuthServletTask.java
@@ -1,5 +1,7 @@
package at.gv.egovernment.moa.id.auth.tasks;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
@@ -9,7 +11,6 @@ import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
-import java.util.Set;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
@@ -25,10 +26,10 @@ import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.apache.commons.lang3.ArrayUtils;
import at.gv.egovernment.moa.id.advancedlogging.StatisticLogger;
-import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.entrypoints.DispatcherServlet;
import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl;
@@ -36,11 +37,17 @@ import at.gv.egovernment.moa.id.storage.IExceptionStore;
import at.gv.egovernment.moa.id.util.ServletUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
-import at.gv.egovernment.moa.util.URLDecoder;
import com.datentechnik.process_engine.springweb.AbstractSpringWebSupportedTask;
-public abstract class AbstractAuthServletTask extends AbstractSpringWebSupportedTask implements MOAIDAuthConstants {
+/**
+ * Task based counterpart to {@link AuthServlet}, providing the same utility methods (error handling, parameter parsing
+ * etc.).
The code has been taken from {@link AuthServlet}.
+ *
+ * @author tknall
+ *
+ */
+public abstract class AbstractAuthServletTask extends AbstractSpringWebSupportedTask {
protected static final String ERROR_CODE_PARAM = "errorid";
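Review bot: Dropping `implements MOAIDAuthConstants` from `AbstractAuthServletTask` changes the supertypes of an abstract base class, so any subclass that referred to the constants unqualified through inheritance must now add the static import itself; the commit does this for the tasks it touches, but subclasses outside the diff should be checked. The Javadoc line `The code has been taken from {@link AuthServlet}.` shows without its leading `*` here, which may be a rendering artifact; it is worth confirming the comment is well-formed in the source.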
@@ -75,14 +82,10 @@ public abstract class AbstractAuthServletTask extends AbstractSpringWebSupported
.getRequestDispatcher("/errorpage-auth.jsp");
try {
- resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,
- MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
- resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,
- MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
- resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,
- MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
- resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,
- MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+ resp.setHeader(HEADER_EXPIRES, HEADER_VALUE_EXPIRES);
+ resp.setHeader(HEADER_PRAGMA, HEADER_VALUE_PRAGMA);
+ resp.setHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL);
+ resp.addHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL_IE);
dispatcher.forward(req, resp);
} catch (ServletException e) {
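Review bot: This error handler still sets the four headers inline starting at `resp.setHeader(HEADER_EXPIRES, HEADER_VALUE_EXPIRES);`, while the second handler in this commit calls `setNoCachingHeaders(resp);` for the same thing; replace the four lines with `setNoCachingHeaders(resp);` so both error paths stay in sync. The enclosing method starts and ends outside the hunk.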
@@ -179,15 +182,7 @@ public abstract class AbstractAuthServletTask extends AbstractSpringWebSupported
RequestDispatcher dispatcher = context
.getRequestDispatcher("/errorpage-auth.jsp");
try {
- resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,
- MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
- resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,
- MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
- resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,
- MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
- resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,
- MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
-
+ setNoCachingHeaders(resp);
dispatcher.forward(req, resp);
} catch (ServletException e) {
Logger.error(e);
@@ -324,32 +319,17 @@ public abstract class AbstractAuthServletTask extends AbstractSpringWebSupported
return bout.toString();
}
-
-
-// public void contextDestroyed(ServletContextEvent arg0) {
-// Security.removeProvider((new IAIK()).getName());
-// Security.removeProvider((new ECCProvider()).getName());
-// }
-
/**
- * Set response headers to avoid caching
+ * Sets response headers that prevent caching (code taken from {@link AuthServlet}).
*
- * @param request
- * HttpServletRequest
- * @param response
- * HttpServletResponse
+ * @param resp
+ * The HttpServletResponse.
*/
- protected void setNoCachingHeadersInHttpRespone(HttpServletRequest request,
- HttpServletResponse response) {
- response.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,
- MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
- response.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,
- MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
- response.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,
- MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
- response.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,
- MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
-
+ private void setNoCachingHeaders(HttpServletResponse resp) {
+ resp.setHeader(HEADER_EXPIRES, HEADER_VALUE_EXPIRES);
+ resp.setHeader(HEADER_PRAGMA, HEADER_VALUE_PRAGMA);
+ resp.setHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL);
+ resp.addHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL_IE);
}
/**
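Review bot: `setNoCachingHeadersInHttpRespone` was `protected` and is replaced by a `private` `setNoCachingHeaders(HttpServletResponse)`, which removes the helper from the subclass API of an abstract base class; any task outside this commit that called or overrode the old method no longer compiles, and new tasks such as GetMISSessionIDTask cannot reuse it for their redirect responses. Declaring it `protected void setNoCachingHeaders(HttpServletResponse resp)` keeps the cleanup while leaving it available to subclasses. Removing the commented-out contextDestroyed block is fine.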
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/CreateIdentityLinkFormTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/CreateIdentityLinkFormTask.java
index 4c87bb689..70afd477d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/CreateIdentityLinkFormTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/CreateIdentityLinkFormTask.java
@@ -1,5 +1,7 @@
package at.gv.egovernment.moa.id.auth.tasks;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+
import java.io.PrintWriter;
import javax.servlet.http.HttpServletRequest;
@@ -8,6 +10,7 @@ import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang3.ObjectUtils;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.builder.StartAuthenticationBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
@@ -22,6 +25,39 @@ import at.gv.egovernment.moa.util.StringUtils;
import com.datentechnik.process_engine.api.ExecutionContext;
+/**
+ * Creates a http form including an embedded {@code InfoBoxReadRequest} for reading the identity link.
+ * In detail:
+ *
+ * - Renames the moa session id.
+ * - Removes ExecutionContext property {@link MOAIDAuthConstants#PARAM_SESSIONID}.
+ * - Creates the http form mentioned above.
+ * - Returns the http form via HttpServletResponse.
+ *
+ * Expects:
+ *
+ * - HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_SESSIONID} or
+ * - ExecutionContext property {@link MOAIDAuthConstants#PARAM_SESSIONID} (in case of legacy authentication without CCE selection, where the moa session is not provided by request parameter).
+ *
+ * Result:
+ *
+ * - The identity link form via HttpServletResponse.
+ *
+ * Possible branches:
+ *
+ * - In case of STORK authentication
+ *
+ * - Creates STORK auth SAML request.
+ * - Creates and returns a form for submitting the SAML request to the CPEPS (post binding).
+ * - Returns the form via HttpServletResponse.
+ *
+ *
+ *
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.GenerateIFrameTemplateServlet}.
+ * @author tknall
+ * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
+ *
+ */
public class CreateIdentityLinkFormTask extends AbstractAuthServletTask {
@Override
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/GetMISSessionIDTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/GetMISSessionIDTask.java
new file mode 100644
index 000000000..40e33ae43
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/GetMISSessionIDTask.java
@@ -0,0 +1,182 @@
+package at.gv.egovernment.moa.id.auth.tasks;
+
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+import iaik.pki.PKIException;
+
+import java.security.GeneralSecurityException;
+import java.util.List;
+
+import javax.net.ssl.SSLSocketFactory;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.commons.lang.StringEscapeUtils;
+import org.xml.sax.SAXException;
+
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.config.ConnectionParameter;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.moduls.ModulUtils;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.id.util.SSLUtils;
+import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
+import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.DOMUtils;
+
+import com.datentechnik.process_engine.api.ExecutionContext;
+
+/**
+ * Retrieves a mandate from the online mandate issuing service.
+ * In detail:
+ *
+ * - Renames the moa session id.
+ * - Retrieves the mandate referenced within the moa session from the online (external) mandate issuing service.
+ * - Verifies the mandate.
+ * - Puts mandate into moa session.
+ * - Redirects back to {@code /dispatcher} in order to finalize the authentication.
+ *
+ * Expects:
+ *
+ * - HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_SESSIONID}
+ *
+ * Result:
+ *
+ * - Mandate put into moa session.
+ * - Redirect to {@code /dispatcher}.
+ *
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.GetMISSessionIDServlet}.
+ * @author tknall
+ * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
+ *
+ */
+public class GetMISSessionIDTask extends AbstractAuthServletTask {
+
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
+ throws Exception {
+
+ Logger.debug("POST GetMISSessionIDServlet");
+
+ String sessionID = req.getParameter(PARAM_SESSIONID);
+
+ // escape parameter strings
+ sessionID = StringEscapeUtils.escapeHtml(sessionID);
+
+ AuthenticationSession session = null;
+ String pendingRequestID = null;
+ try {
+ // check parameter
+ if (!ParamValidatorUtils.isValidSessionID(sessionID))
+ throw new WrongParametersException("VerifyCertificate",
+ PARAM_SESSIONID, "auth.12");
+
+ pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
+
+ session = AuthenticationServer.getSession(sessionID);
+
+ //change MOASessionID
+ sessionID = AuthenticationSessionStoreage.changeSessionID(session);
+
+ String misSessionID = session.getMISSessionID();
+
+ AuthConfigurationProvider authConf = AuthConfigurationProvider
+ .getInstance();
+ ConnectionParameter connectionParameters = authConf
+ .getOnlineMandatesConnectionParameter();
+ SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(
+ AuthConfigurationProvider.getInstance(),
+ connectionParameters);
+
+ List list = MISSimpleClient.sendGetMandatesRequest(
+ connectionParameters.getUrl(), misSessionID, sslFactory);
+
+ if (list == null || list.size() == 0) {
+ Logger.error("Keine Vollmacht gefunden.");
+ throw new AuthenticationException("auth.15", null);
+ }
+
+ // for now: list contains only one element
+ MISMandate mandate = (MISMandate) list.get(0);
+
+ // TODO[tlenz]: UTF-8 ?
+ String sMandate = new String(mandate.getMandate());
+ if (sMandate == null || sMandate.compareToIgnoreCase("") == 0) {
+ Logger.error("Mandate is empty.");
+ throw new AuthenticationException("auth.15",
+ new Object[] { GET_MIS_SESSIONID });
+ }
+
+ //check if it is a parsable XML
+ byte[] byteMandate = mandate.getMandate();
+ // TODO[tlenz]: UTF-8 ?
+ String stringMandate = new String(byteMandate);
+ DOMUtils.parseDocument(stringMandate, false,
+ null, null).getDocumentElement();
+
+ // extract RepresentationType
+ AuthenticationServer.getInstance().verifyMandate(session, mandate);
+
+ session.setMISMandate(mandate);
+ session.setAuthenticatedUsed(false);
+ session.setAuthenticated(true);
+
+ //set QAA Level four in case of card authentifcation
+ session.setQAALevel(PVPConstants.STORK_QAA_1_4);
+
+ String oldsessionID = session.getSessionID();
+
+ //Session is implicite stored in changeSessionID!!!
+ String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session);
+
+ Logger.info("Changed MOASession " + oldsessionID + " to Session " + newMOASessionID);
+ Logger.info("Daten angelegt zu MOASession " + newMOASessionID);
+
+ String redirectURL = new DataURLBuilder().buildDataURL(
+ session.getAuthURL(),
+ ModulUtils.buildAuthURL(session.getModul(),
+ session.getAction(), pendingRequestID), newMOASessionID);
+ redirectURL = resp.encodeRedirectURL(redirectURL);
+
+ // TODO[branch]: Final step back to /dispatcher
+
+ resp.setContentType("text/html");
+ resp.setStatus(302);
+ resp.addHeader("Location", redirectURL);
+ Logger.debug("REDIRECT TO: " + redirectURL);
+
+ } catch (MOAIDException ex) {
+ handleError(null, ex, req, resp, pendingRequestID);
+
+ } catch (GeneralSecurityException ex) {
+ handleError(null, ex, req, resp, pendingRequestID);
+
+ } catch (PKIException e) {
+ handleError(null, e, req, resp, pendingRequestID);
+
+ } catch (SAXException e) {
+ handleError(null, e, req, resp, pendingRequestID);
+
+ } catch (ParserConfigurationException e) {
+ handleError(null, e, req, resp, pendingRequestID);
+
+ } catch (Exception e) {
+ Logger.error("MISMandateValidation has an interal Error.", e);
+
+ }
+ finally {
+ ConfigurationDBUtils.closeSession();
+ }
+
+ }
+
+}
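Review bot: The final `catch (Exception e)` only logs and neither sends an error response nor rethrows, so on an unexpected failure the browser gets an empty 200 and the process stays suspended; since execute already declares `throws Exception`, either drop that catch or treat it like the others with `handleError(null, e, req, resp, pendingRequestID);`. The parameter check throws `new WrongParametersException("VerifyCertificate", PARAM_SESSIONID, "auth.12")`, which appears to be a copy-paste leftover that labels the error with the wrong step; it should name this task. `new String(mandate.getMandate())` never returns null, so the `sMandate == null` test is dead, and it decodes with the platform charset as the TODO already notes; `new String(bytes, StandardCharsets.UTF_8)` if the MIS payload is UTF-8. Unlike the servlet it replaces, the task sets no no-cache headers before the 302 redirect; if that is deliberate, a one-line comment would save the next reader the comparison.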
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyAuthenticationBlockTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyAuthenticationBlockTask.java
index ff1bc8cd1..24fea05c9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyAuthenticationBlockTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyAuthenticationBlockTask.java
@@ -38,30 +38,44 @@ import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.DOMUtils;
import com.datentechnik.process_engine.api.ExecutionContext;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+/**
+ * Verifies the signed authentication block (provided as {@code CreateXMLSignatureResponse}).
+ * In detail:
+ *
+ * - Renames the moa session id.
+ * - Takes the {@code CreateXMLSignatureResponse} from POST parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE}.
+ * - Verifies the {@code CreateXMLSignatureResponse}.
+ * - Updates moa session.
+ * - Redirects back to {@code /dispatcher} in order to finalize the authentication.
+ *
+ * Expects:
+ *
+ * - HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_SESSIONID}
+ * - HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE} containing a {@code CreateXMLSignatureResponse}.
+ *
+ * Result:
+ *
+ * - Authentication data put into moa session.
+ * - Redirect to {@code /dispatcher}.
+ *
+ * Possible branches:
+ *
+ * - In case of mandate mode
+ *
+ * - Creates a mandate session at the external mandate issuing service.
+ * - Redirects the user's browser to the online mandate issuing service GUI.
+ *
+ *
+ *
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.VerifyAuthenticationBlockServlet}.
+ * @author tknall
+ * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
+ *
+ */
public class VerifyAuthenticationBlockTask extends AbstractAuthServletTask {
- /**
- * Verifies the signed authentication block and redirects the browser
- * to the online application requested, adding a parameter needed for
- * retrieving the authentication data.
- *
- * Request parameters:
- *
- * - MOASessionID: ID of associated authentication session
- * - XMLResponse:
<CreateXMLSignatureResponse>
- *
- * Response:
- *
- * - Status:
302
- * - Header
"Location"
: URL of the online application requested, with
- * parameters "Target"
(only if the online application is
- * a public service) and "SAMLArtifact"
added
- * - Error status:
500
- *
- * @see AuthenticationServer#verifyAuthenticationBlock
- * @see javax.servlet.http.HttpServlet#doPost(HttpServletRequest, HttpServletResponse)
- */
@Override
public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
throws Exception {
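Review bot: The new class Javadoc refers to `{@link MOAIDAuthConstants#PARAM_XMLRESPONSE}` and `{@link MOAIDAuthConstants#PARAM_SESSIONID}` by simple name, but the hunk only adds `import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;`, which imports the members, not the type; unless a plain import of the class survives above line 38 (outside the hunk), javadoc will report these links as unresolved. Either add `import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;` or write the links with the fully qualified class name, as the "Code taken from" link already does. The removed Javadoc also recorded the response contract (302 with a `Location` header, error status 500) while the replacement only says "Redirects back to /dispatcher"; if that contract still holds, a one-line "Result" bullet naming the status and error behaviour is worth carrying over. The body of `execute` lies outside this hunk.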
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyCertificateTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyCertificateTask.java
new file mode 100644
index 000000000..979e64888
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyCertificateTask.java
@@ -0,0 +1,166 @@
+package at.gv.egovernment.moa.id.auth.tasks;
+
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+import iaik.x509.X509Certificate;
+
+import java.io.IOException;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.fileupload.FileUploadException;
+import org.apache.commons.lang.StringEscapeUtils;
+
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.id.util.ServletUtils;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.util.CertificateUtils;
+
+import com.datentechnik.process_engine.api.ExecutionContext;
+
+/**
+ * Parses the certificate from {@code InfoBoxReadResponse} (via POST parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE}), creates the auth block to be signed and returns a {@code CreateXMLSignatureRequest} for auth block signature.
+ * In detail:
+ *
+ * - Renames the moa session id.
+ * - Retrieves the certificate via {@code InfoBoxReadResponse} from POST parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE}.
+ * - Verifies the certificate.
+ * - Creates the auth block to be signed using information from the certificate (Organwalter, foreign citizen.
+ * - Puts it in a {@code CreateXMLSignatureRequest}.
+ * - Updates moa session.
+ * - Responds with {@code CreateXMLSignatureRequest}.
+ *
+ * Expects:
+ *
+ * - HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_SESSIONID}
+ * - HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE} containing a {@code InfoBoxReadResponse}.
+ *
+ * Result:
+ *
+ * - {@code CreateXMLSignatureRequest} send as HttpServletResponse (for CCE).
+ *
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.VerifyCertificateServlet}.
+ * @author tknall
+ * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
+ *
+ */
+public class VerifyCertificateTask extends AbstractAuthServletTask {
+
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
+ throws Exception {
+
+ // note: code taken from at.gv.egovernment.moa.id.auth.servlet.VerifyCertificateServlet
+
+ Logger.debug("POST VerifyCertificateServlet");
+
+ String pendingRequestID = null;
+
+ Map parameters;
+ try
+ {
+ parameters = getParameters(req);
+ } catch (FileUploadException e)
+ {
+ Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage());
+ throw new IOException(e.getMessage());
+ }
+ String sessionID = req.getParameter(PARAM_SESSIONID);
+
+ // escape parameter strings
+ sessionID = StringEscapeUtils.escapeHtml(sessionID);
+
+ pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
+
+ AuthenticationSession session = null;
+ try {
+ // check parameter
+ if (!ParamValidatorUtils.isValidSessionID(sessionID))
+ throw new WrongParametersException("VerifyCertificate", PARAM_SESSIONID, "auth.12");
+
+ session = AuthenticationServer.getSession(sessionID);
+
+ //change MOASessionID
+ sessionID = AuthenticationSessionStoreage.changeSessionID(session);
+
+ X509Certificate cert = AuthenticationServer.getInstance().getCertificate(sessionID, parameters);
+ if (cert == null) {
+ Logger.error("Certificate could not be read.");
+ throw new AuthenticationException("auth.14", null);
+ }
+
+ boolean useMandate = session.getUseMandate();
+
+
+ if (useMandate) {
+
+ // verify certificate for OrganWalter
+ String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyCertificate(session, cert);
+
+ try {
+ AuthenticationSessionStoreage.storeSession(session);
+ } catch (MOADatabaseException e) {
+ throw new MOAIDException("session store error", null);
+ }
+
+ // TODO[branch]: Mandate; respond with CXSR for authblock signature, dataURL "/VerifyAuthBlock"
+ ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyCertificate");
+
+ }
+ else {
+
+
+ String countrycode = CertificateUtils.getIssuerCountry(cert);
+ if (countrycode != null) {
+ if (countrycode.compareToIgnoreCase("AT") == 0) {
+ Logger.error("Certificate issuer country code is \"AT\". Login not support in foreign identities mode.");
+ throw new AuthenticationException("auth.22", null);
+ }
+ }
+
+ // Foreign Identities Modus
+ String createXMLSignatureRequest = AuthenticationServer.getInstance().createXMLSignatureRequestForeignID(session, cert);
+ // build dataurl (to the GetForeignIDSerlvet)
+ String dataurl =
+ new DataURLBuilder().buildDataURL(
+ session.getAuthURL(),
+ REQ_GET_FOREIGN_ID,
+ session.getSessionID());
+
+ try {
+ AuthenticationSessionStoreage.storeSession(session);
+ } catch (MOADatabaseException e) {
+ throw new MOAIDException("session store error", null);
+ }
+
+ // TODO[branch]: Foreign citizen; respond with CXSR for authblock signature, dataURL "/GetForeignID"
+ ServletUtils.writeCreateXMLSignatureRequest(resp, session, createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "GetForeignID", dataurl);
+
+ Logger.debug("Send CreateXMLSignatureRequest to BKU");
+ }
+ }
+ catch (MOAIDException ex) {
+ handleError(null, ex, req, resp, pendingRequestID);
+
+ } catch (Exception e) {
+ Logger.error("CertificateValidation has an interal Error.", e);
+ }
+
+
+ finally {
+ ConfigurationDBUtils.closeSession();
+ }
+
+ }
+
+}
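Review bot: The trailing `catch (Exception e)` in `execute` only logs the failure, so after the `finally` block the task returns normally without having written any response to the browser and without signalling the failure to the process engine; the same pattern appears in the outer `catch (Exception e)` of the VerifyIdentityLinkTask hunk below and at the tail of the GetMISSessionIDTask hunk above. Since `execute` already declares `throws Exception`, either route the error through the existing handler, `handleError(null, e, req, resp, pendingRequestID);`, or rethrow after logging. Two smaller points in the same method: `AuthenticationSessionStoreage.getPendingRequestID(sessionID)` is called with the request-supplied session id before `ParamValidatorUtils.isValidSessionID(sessionID)` runs, so the validation should move ahead of that lookup; and `throw new IOException(e.getMessage());` discards the original exception, `throw new IOException(e.getMessage(), e);` keeps the cause for the log.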
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java
index ec12643ec..c24e42b3a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java
@@ -1,5 +1,7 @@
package at.gv.egovernment.moa.id.auth.tasks;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+
import java.io.IOException;
import java.util.Map;
@@ -28,176 +30,179 @@ import at.gv.egovernment.moa.logging.Logger;
import com.datentechnik.process_engine.api.ExecutionContext;
+/**
+ * Verifies the identity link and prepares auth block signature if identity link provided, or triggers reading the subject's certificate if not provided.
+ * In detail:
+ *
+ * - Renames the moa session id.
+ * - Parses the identity link retrieves as {@code InfoBoxReadResponse} from POST parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE}.
+ * - Verifies the identity link.
+ * - Creates the auth block to be signed.
+ * - Updates moa session.
+ * - Creates and returns a {@code CreateXMLSignatureRequest} via HttpServletResponse.
+ *
+ * Expects:
+ *
+ * - HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_SESSIONID}
+ * - HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE} containing a {@code InfoBoxReadResponse}.
+ *
+ * Result:
+ *
+ * - Identity link put into moa session.
+ * - Returns {@code CreateXMLSignatureRequest} via HttpServletResponse (for CCE).
+ *
+ * Possible branches:
+ *
+ * - In case of foreign citizen or in case of mandate
+ *
+ * - Create {@code InfoBoxReadRequest} for reading the subjects certificate.
+ * - Set DataURL {@code /VerifyCertificate}.
+ * - Respond with {@code InfoBoxReadRequest}.
+ *
+ *
+ *
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet}.
+ * @author tknall
+ * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
+ *
+ */
public class VerifyIdentityLinkTask extends AbstractAuthServletTask {
- /**
- * Verifies the identity link and responds with a new
- * CreateXMLSignatureRequest
or a new
- * InfoboxReadRequest
(in case of a foreign eID card).
- *
- * Request parameters:
- *
- * - MOASessionID: ID of associated authentication session
- * - XMLResponse:
<InfoboxReadResponse>
- *
- * Response:
- *
- * - Content type:
"text/xml"
- * - Content: see return value of {@link AuthenticationServer#verifyIdentityLink}
- * - Error status:
500
- *
- * @see javax.servlet.http.HttpServlet#doPost(HttpServletRequest, HttpServletResponse)
- */
@Override
public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
throws Exception {
-
+
// note: code taken from at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet
- Logger.debug("POST VerifyIdentityLink");
-
- Map parameters;
- String pendingRequestID = null;
-
- try
- {
- parameters = getParameters(req);
-
- } catch (Exception e)
- {
- Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage());
- throw new IOException(e.getMessage());
- }
- String sessionID = req.getParameter(PARAM_SESSIONID);
-
- // escape parameter strings
+ Logger.debug("POST VerifyIdentityLink");
+
+ Map parameters;
+ String pendingRequestID = null;
+
+ try {
+ parameters = getParameters(req);
+ } catch (Exception e) {
+ Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage());
+ throw new IOException(e.getMessage());
+ }
+ String sessionID = req.getParameter(PARAM_SESSIONID);
+
+ // escape parameter strings
sessionID = StringEscapeUtils.escapeHtml(sessionID);
-
+
pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
-
- resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
- resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
- resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
- resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
-
-
- try {
- // check parameter
- if (!ParamValidatorUtils.isValidSessionID(sessionID))
- throw new WrongParametersException("VerifyIdentityLink", PARAM_SESSIONID, "auth.12");
-
-
- AuthenticationSession session = AuthenticationServer.getSession(sessionID);
-
- //change MOASessionID
- sessionID = AuthenticationSessionStoreage.changeSessionID(session);
-
- String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyIdentityLink(session, parameters);
-
- Logger.debug(createXMLSignatureRequestOrRedirect);
-
-
- if (createXMLSignatureRequestOrRedirect == null) {
- // no identity link found
-
- boolean useMandate = session.getUseMandate();
- if (useMandate) {
- Logger.error("Online-Mandate Mode for foreign citizencs not supported.");
- throw new AuthenticationException("auth.13", null);
- }
- // TODO[branch]: Foreign citizen; respond with IRR for certificates, dataURL = "/VerifyCertificate"
-
- try {
-
- Logger.info("Send InfoboxReadRequest to BKU to get signer certificate.");
-
- // create the InfoboxReadRequest to get the certificate
- String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
-
- // build dataurl (to the VerifyCertificateSerlvet)
- String dataurl =
- new DataURLBuilder().buildDataURL(
- session.getAuthURL(),
- REQ_VERIFY_CERTIFICATE,
- session.getSessionID());
-
- ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
-
-
- }
- catch(Exception e) {
- handleError(null, e, req, resp, pendingRequestID);
- }
-
- }
- else {
- boolean useMandate = session.getUseMandate();
-
- if (useMandate) { // Mandate modus
-
- // TODO[branch]: Mandate; respond with IRR for certificates, dataURL = "/VerifyCertificate"
-
- // read certificate and set dataurl to
- Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
-
-
- String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
-
- // build dataurl (to the GetForeignIDSerlvet)
- String dataurl =
- new DataURLBuilder().buildDataURL(
- session.getAuthURL(),
- REQ_VERIFY_CERTIFICATE,
- session.getSessionID());
-
- //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)");
- //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
-
- Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)");
- ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
-
- }
- else {
- Logger.info("Normal");
-
- // TODO[branch]: Default behaviour; respond with CXSR for authblock signature, dataURL "/VerifyAuthBlock"
-
- OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
- .getOnlineApplicationParameter(session.getPublicOAURLPrefix());
- AuthConfigurationProvider authConf = AuthConfigurationProvider
- .getInstance();
-
- createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance()
- .getCreateXMLSignatureRequestAuthBlockOrRedirect(session,
- authConf, oaParam);
-
- ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink");
- }
- }
-
+
+ resp.setHeader(HEADER_EXPIRES, HEADER_VALUE_EXPIRES);
+ resp.setHeader(HEADER_PRAGMA, HEADER_VALUE_PRAGMA);
+ resp.setHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL);
+ resp.addHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL_IE);
+
+ try {
+ // check parameter
+ if (!ParamValidatorUtils.isValidSessionID(sessionID))
+ throw new WrongParametersException("VerifyIdentityLink", PARAM_SESSIONID, "auth.12");
+
+ AuthenticationSession session = AuthenticationServer.getSession(sessionID);
+
+ // change MOASessionID
+ sessionID = AuthenticationSessionStoreage.changeSessionID(session);
+
+ String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyIdentityLink(session,
+ parameters);
+
+ Logger.debug(createXMLSignatureRequestOrRedirect);
+
+ if (createXMLSignatureRequestOrRedirect == null) {
+ // no identity link found
+
+ boolean useMandate = session.getUseMandate();
+ if (useMandate) {
+ Logger.error("Online-Mandate Mode for foreign citizencs not supported.");
+ throw new AuthenticationException("auth.13", null);
+ }
+ // TODO[branch]: Foreign citizen; respond with IRR for certificates, dataURL = "/VerifyCertificate"
+
+ try {
+
+ Logger.info("Send InfoboxReadRequest to BKU to get signer certificate.");
+
+ // create the InfoboxReadRequest to get the certificate
+ String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
+
+ // build dataurl (to the VerifyCertificateSerlvet)
+ String dataurl = new DataURLBuilder().buildDataURL(session.getAuthURL(), REQ_VERIFY_CERTIFICATE,
+ session.getSessionID());
+
+ ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest,
+ AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+
+ } catch (Exception e) {
+ handleError(null, e, req, resp, pendingRequestID);
+ }
+
+ } else {
+ boolean useMandate = session.getUseMandate();
+
+ if (useMandate) { // Mandate modus
+
+ // TODO[branch]: Mandate; respond with IRR for certificates, dataURL = "/VerifyCertificate"
+
+ // read certificate and set dataurl to
+ Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
+
+ String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
+
+ // build dataurl (to the GetForeignIDSerlvet)
+ String dataurl = new DataURLBuilder().buildDataURL(session.getAuthURL(), REQ_VERIFY_CERTIFICATE,
+ session.getSessionID());
+
+ // Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)");
+ // ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest,
+ // AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+
+ Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)");
+ ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest,
+ AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+
+ } else {
+ Logger.info("Normal");
+
+ // TODO[branch]: Default behaviour; respond with CXSR for authblock signature, dataURL
+ // "/VerifyAuthBlock"
+
+ OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
+ session.getPublicOAURLPrefix());
+ AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
+
+ createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance()
+ .getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam);
+
+ ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session,
+ createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT,
+ "VerifyIdentityLink");
+ }
+ }
+
try {
AuthenticationSessionStoreage.storeSession(session);
-
+
} catch (MOADatabaseException e) {
Logger.info("No valid MOA session found. Authentification process is abourted.");
throw new AuthenticationException("auth.20", null);
}
- }
- catch (ParseException ex) {
- handleError(null, ex, req, resp, pendingRequestID);
-
- } catch (MOAIDException ex) {
- handleError(null, ex, req, resp, pendingRequestID);
-
- } catch (Exception e) {
- Logger.error("IdentityLinkValidation has an interal Error.", e);
- }
-
- finally {
- ConfigurationDBUtils.closeSession();
- }
- }
-
-
-
+ } catch (ParseException ex) {
+ handleError(null, ex, req, resp, pendingRequestID);
+
+ } catch (MOAIDException ex) {
+ handleError(null, ex, req, resp, pendingRequestID);
+
+ } catch (Exception e) {
+ Logger.error("IdentityLinkValidation has an interal Error.", e);
+ }
+
+ finally {
+ ConfigurationDBUtils.closeSession();
+ }
+ }
+
}
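Review bot: In the foreign-citizen branch the inner `catch (Exception e)` calls `handleError(...)` and then falls through, so after an error response has already been written the method continues to `AuthenticationSessionStoreage.storeSession(session)` and completes as if the step had succeeded. Adding `return;` directly after `handleError(null, e, req, resp, pendingRequestID);` in that inner catch ends the task there while still running the `finally`. Separately, `Logger.debug(createXMLSignatureRequestOrRedirect);` writes the whole generated `CreateXMLSignatureRequest` to the log; if, as the class Javadoc suggests, it carries the auth block built from the identity link, that is personal data landing in log files, and logging only its presence or length would be safer.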
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/loginFormFull.html b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/loginFormFull.html
index 3eff06daf..5ae76ed96 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/loginFormFull.html
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/loginFormFull.html
@@ -842,7 +842,7 @@ input {
src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
diff --git a/id/server/idserverlib/src/main/java/iaik/IAIKRuntimeException.java b/id/server/idserverlib/src/main/java/iaik/IAIKRuntimeException.java
new file mode 100644
index 000000000..968d3491d
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/iaik/IAIKRuntimeException.java
@@ -0,0 +1,18 @@
+package iaik;
+
+/**
+ * Adapter class providing {@code iaik.RuntimeException} for libraries that have not been updated in order to consider
+ * the fact that the class {@code IAIKRuntimeException} has been moved.
+ *
+ * @author tknall
+ *
+ */
+public class IAIKRuntimeException extends iaik.server.modules.IAIKRuntimeException {
+
+ private static final long serialVersionUID = 1L;
+
+ public IAIKRuntimeException(String reason, Throwable wrapped, String uniqueIdentifier) {
+ super(reason, wrapped, uniqueIdentifier);
+ }
+
+}
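Review bot: The Javadoc names the wrong class: it says the adapter provides `{@code iaik.RuntimeException}`, but the class being provided is `iaik.IAIKRuntimeException`, so the first sentence should read `Adapter class providing {@code iaik.IAIKRuntimeException} for libraries that have not been updated ...`. Because this type lives in the third-party `iaik` package but ships from the project's own source tree, it will collide with the library's copy should a later iaik release reintroduce `iaik.IAIKRuntimeException`, and which definition wins then depends on classpath order; a comment naming the dependency and version that still needs this shim (`// needed by <LIBRARY/VERSION> - remove once it is updated`, with the real values filled in) would make it safe to retire later.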
diff --git a/id/server/idserverlib/src/main/resources/resources/processes/DefaultAuthentication.process.xml b/id/server/idserverlib/src/main/resources/resources/processes/DefaultAuthentication.process.xml
index dd27d8a01..8ac58bd4b 100644
--- a/id/server/idserverlib/src/main/resources/resources/processes/DefaultAuthentication.process.xml
+++ b/id/server/idserverlib/src/main/resources/resources/processes/DefaultAuthentication.process.xml
@@ -5,16 +5,27 @@
- National authentication with Austrian Citizen Card and mobile signature.
- Legacy authentication for foreign citizens using MOCCA supported signature cards.
-->
+
+
+
+
+
-
-
+
+
-
-
-
-
+
+
+
+
+
+
+
+
+
+
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html b/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html
index 7e2ddc491..e293d8456 100644
--- a/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html
+++ b/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html
@@ -837,7 +837,7 @@
src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html b/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html
index e75bef70c..033a574b9 100644
--- a/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html
+++ b/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html
@@ -545,7 +545,7 @@ button:hover,button:focus,button:active,.sendButton:hover,.sendButton:focus,.sen
src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html b/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html
index b241e85cf..8976b2bd6 100644
--- a/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html
+++ b/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html
@@ -436,7 +436,7 @@
src="$contextpath/img/valid-html5-blue.png" alt="HTML5 ist valide!" />