From c1f3b45adb46f2a7a2c93df278d2b8189eb2fc91 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Fri, 6 Jun 2014 13:47:48 +0200
Subject: solve some SLO bugs

---
 .../moa/id/configuration/auth/pvp2/PVP2Utils.java | 36 +++++++++++++---------
 .../auth/pvp2/servlets/BuildMetadata.java | 8 ++---
 .../auth/pvp2/servlets/SLOBasicServlet.java | 1 -
 .../auth/pvp2/servlets/SLOFrontChannelServlet.java | 8 +++--
 4 files changed, 31 insertions(+), 22 deletions(-)

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java
index 5032222d0..3d66a4b19 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java
@@ -63,6 +63,7 @@ import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
 import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
 import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
 import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
+import org.opensaml.xml.security.trust.TrustedCredentialTrustEngine;
 import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
 import org.opensaml.xml.security.x509.X509Credential;
 import org.opensaml.xml.signature.AbstractSignableXMLObject;
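Review bot: The added import of org.opensaml.xml.security.trust.TrustedCredentialTrustEngine is not referenced by anything else in this patch; the new getTrustEngine method later in the same file declares its return type as ExplicitKeySignatureTrustEngine, so unless some part of PVP2Utils outside the hunks uses the interface, the import is unused and should be dropped. If the intent was to expose the engine through the interface, the return type of getTrustEngine is where it would be used.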
@@ -164,29 +165,34 @@ public class PVP2Utils {
 }
 }
+ public static ExplicitKeySignatureTrustEngine getTrustEngine(ConfigurationProvider configuration) {
+ //Verify Signature
+ List keyInfoProvider = new ArrayList();
+ keyInfoProvider.add(new DSAKeyValueProvider());
+ keyInfoProvider.add(new RSAKeyValueProvider());
+ keyInfoProvider.add(new InlineX509DataProvider());
+
+ KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+ keyInfoProvider);
+
+ MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();
+ MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(configuration.getMetaDataProvier());
+
+ return new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
+
+ }
+
 public static void validateSignature(SignableXMLObject msg, ConfigurationProvider configuration) throws SecurityException, ValidationException {
 //Validate Signature
 SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
 profileValidator.validate(msg.getSignature());
-
- //Verify Signature
- List keyInfoProvider = new ArrayList();
- keyInfoProvider.add(new DSAKeyValueProvider());
- keyInfoProvider.add(new RSAKeyValueProvider());
- keyInfoProvider.add(new InlineX509DataProvider());
-
- KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
- keyInfoProvider);
-
- MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();
- MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(configuration.getMetaDataProvier());
-
+
 CriteriaSet criteriaSet = new CriteriaSet();
 criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
 criteriaSet.add(new EntityIDCriteria(configuration.getPVP2IDPMetadataEntityName()));
 criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
-
- ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
+
+ ExplicitKeySignatureTrustEngine trustEngine = getTrustEngine(configuration);
 trustEngine.validate(msg.getSignature(), criteriaSet);
 }
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/BuildMetadata.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/BuildMetadata.java
index 5265aed86..f121babc6 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/BuildMetadata.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/BuildMetadata.java
@@ -242,10 +242,10 @@ public class BuildMetadata extends HttpServlet {
 redirectBindingService.setLocation(serviceURL + Constants.SERVLET_SLO_FRONT);
 spSSODescriptor.getSingleLogoutServices().add(redirectBindingService);
- SingleLogoutService soapBindingService = SAML2Utils.createSAMLObject(SingleLogoutService.class);
- soapBindingService.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
- soapBindingService.setLocation(serviceURL + Constants.SERVLET_SLO_BACK);
- spSSODescriptor.getSingleLogoutServices().add(soapBindingService);
+// SingleLogoutService soapBindingService = SAML2Utils.createSAMLObject(SingleLogoutService.class);
+// soapBindingService.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
+// soapBindingService.setLocation(serviceURL + Constants.SERVLET_SLO_BACK);
+// spSSODescriptor.getSingleLogoutServices().add(soapBindingService);
 spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
index 69adcc661..38c858918 100644
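Review bot: getTrustEngine keeps the raw `List keyInfoProvider = new ArrayList();` from the old validateSignature body; KeyInfoProvider is already imported, so `List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();` lets the compiler check what is handed to BasicProviderKeyInfoCredentialResolver. The new public method has no Javadoc; it should say that credentials are resolved from configuration.getMetaDataProvier() and that the returned engine checks a signature against whichever entity the caller's CriteriaSet names, so callers must supply the expected IdP entity ID, role and usage the way validateSignature does below. The blank-line churn inside validateSignature (the paired `-` and `+` empty lines) is unrelated to the fix and could be left out of the hunk.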
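Review bot: The SOAP SingleLogoutService block is commented out instead of deleted; commented-out code should be removed (the history keeps it) or, if the back-channel binding is meant to return, placed behind a configuration switch. Note also that dropping the endpoint from the published SP metadata does not disable it: if the servlet behind Constants.SERVLET_SLO_BACK is still mapped, peers working from cached metadata can keep sending SOAP LogoutRequests to it, so the same change should either unmap that servlet or make it refuse requests. The enclosing method of BuildMetadata starts and ends outside the hunk.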
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java
@@ -78,7 +78,6 @@ public class SLOBasicServlet extends HttpServlet {
 LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class);
 SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
 sloReq.setID(gen.generateIdentifier());
- request.getSession().setAttribute(Constants.SESSION_PVP2REQUESTID, sloReq.getID());
 sloReq.setIssueInstant(new DateTime());
 NameID name = SAML2Utils.createSAMLObject(NameID.class);
 Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java
index eb5752982..67921c689 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java
@@ -120,6 +120,8 @@ public class SLOFrontChannelServlet extends SLOBasicServlet {
 //build SLO request to IDP
 LogoutRequest sloReq = createLogOutRequest(nameID, nameIDFormat, request);
+ request.getSession().setAttribute(Constants.SESSION_PVP2REQUESTID, sloReq.getID());
+
 //send message
 sendMessage(request, response, sloReq, null);
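Review bot: The request ID stored under Constants.SESSION_PVP2REQUESTID is written here but nothing in this patch reads it; the LogoutResponse handling (processMessage, outside the hunk) should compare the response's InResponseTo with this attribute and remove the attribute once it has been used, otherwise a stale or unsolicited LogoutResponse can still complete the logout. Moving the setAttribute call out of SLOBasicServlet.createLogOutRequest also means any other subclass that calls createLogOutRequest no longer records the ID; if such a caller exists, it needs the same line. The enclosing method continues outside the hunk.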
@@ -132,7 +134,7 @@ public class SLOFrontChannelServlet extends SLOBasicServlet {
 messageContext.setMetadataProvider(getConfig().getMetaDataProvier());
 SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
- TrustEngineFactory.getSignatureKnownKeysTrustEngine());
+ PVP2Utils.getTrustEngine(getConfig()));
 SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
 BasicSecurityPolicy policy = new BasicSecurityPolicy();
 policy.getPolicyRules().add(signatureRule);
@@ -141,9 +143,11 @@ public class SLOFrontChannelServlet extends SLOBasicServlet {
 policy);
 messageContext.setSecurityPolicyResolver(resolver);
 messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
+
+ decode.decode(messageContext);
 signatureRule.evaluate(messageContext);
- decode.decode(messageContext);
+
 processMessage(request, response, messageContext.getInboundMessage(), messageContext.getRelayState());
--
cgit v1.2.3
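Review bot: With PVP2Utils.getTrustEngine(getConfig()) the signature rule resolves signing keys from the metadata provider for whatever entity the decoded message names as its Issuer (the rule derives its entity-ID criterion from the inbound message issuer, with the role fixed to IDPSSODescriptor in the hunk below), so the engine alone does not pin the message to the configured IdP. Unless processMessage (outside the hunk) already checks the issuer, the servlet should verify after decoding that `getConfig().getPVP2IDPMetadataEntityName().equals(messageContext.getInboundMessageIssuer())` and otherwise reject the message, mirroring the EntityIDCriteria that PVP2Utils.validateSignature applies; that matters as soon as the metadata provider holds more than the one IdP. The enclosing method starts outside the hunk.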
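Review bot: decode.decode(messageContext) now runs before signatureRule.evaluate, which is the right order, but a passing evaluate does not by itself prove the message was signed: in OpenSAML 2 the redirect-binding signature rule skips silently when the request carries no Signature parameter, and SAML2AuthnRequestsSignedRule from the hunk above applies to AuthnRequests, not to logout messages. Before processMessage the servlet should check `if (!messageContext.isInboundSAMLMessageAuthenticated()) { /* reject: inbound message not authenticated by the IdP's signing key */ }` and take the error path, so an unsigned LogoutResponse cannot complete the logout. Since the security policy resolver is set on the context before decoding, the decoder presumably evaluates the same policy during decode already, which makes the explicit evaluate call redundant; harmless, but worth a one-line comment. The enclosing method continues outside the hunk.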