From 56ce62018a9f29f54991d7ea26c74da86305ee0a Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 7 Mar 2014 15:25:00 +0100 Subject: first test for authentication which requires no browser session (req.getSession()) --- .../moa/id/auth/AuthenticationServer.java | 10 +- .../moa/id/auth/servlet/LogOutServlet.java | 3 +- .../moa/id/auth/servlet/PEPSConnectorServlet.java | 9 +- .../id/auth/servlet/VerifyIdentityLinkServlet.java | 3 +- .../moa/id/entrypoints/DispatcherServlet.java | 118 +++++---------------- .../moa/id/moduls/AuthenticationManager.java | 2 +- .../egovernment/moa/id/moduls/RequestStorage.java | 81 ++++++-------- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 2 +- .../moa/id/protocols/saml1/SAML1Protocol.java | 4 +- 9 files changed, 82 insertions(+), 150 deletions(-) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 9ac9986c8..fd47c5f53 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -1886,7 +1886,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { String providerName= oaParam.getFriendlyName(); Logger.debug("Issuer value: " + issuerValue); - String acsURL = issuerValue + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; +// String acsURL = issuerValue + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN + String acsURL = new DataURLBuilder().buildDataURL(issuerValue, + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN, moasession.getSessionID()); Logger.debug("MOA Assertion Consumer URL (PEPSConnctor): " + acsURL); // prepare collection of required attributes @@ -1979,8 +1981,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { //send moasession.setStorkAuthnRequest(authnRequest); - HttpSession httpSession = req.getSession(); - httpSession.setAttribute("MOA-Session-ID", moasession.getSessionID()); +// HttpSession httpSession = req.getSession(); +// httpSession.setAttribute("MOA-Session-ID", moasession.getSessionID()); Logger.info("Preparing to send STORK AuthnRequest."); @@ -2002,7 +2004,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { resp.getOutputStream().write(writer.toString().getBytes()); } catch (Exception e) { Logger.error("Error sending STORK SAML AuthnRequest.", e); - httpSession.invalidate(); + //httpSession.invalidate(); throw new MOAIDException("stork.02", new Object[] { destination }); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java index f3495966a..12cf54e16 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java @@ -88,8 +88,7 @@ public class LogOutServlet extends AuthServlet { AuthenticationManager authmanager = AuthenticationManager.getInstance(); String moasessionid = AuthenticationSessionStoreage.getMOASessionID(ssoid); - RequestStorage.removePendingRequest(RequestStorage.getPendingRequest(req.getSession()), - AuthenticationSessionStoreage.getPendingRequestID(moasessionid)); + RequestStorage.removePendingRequest(AuthenticationSessionStoreage.getPendingRequestID(moasessionid)); authmanager.logout(req, resp, moasessionid); Logger.info("User with SSO Id " + ssoid + " is logged out and get redirect to "+ redirectUrl); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index c6cd5cd86..7c96c2194 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -40,6 +40,7 @@ import javax.xml.bind.JAXBElement; import javax.xml.transform.stream.StreamSource; import org.apache.commons.io.IOUtils; +import org.apache.commons.lang.StringEscapeUtils; import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; @@ -112,8 +113,10 @@ public class PEPSConnectorServlet extends AuthServlet { super.checkIfHTTPisAllowed(request.getRequestURL().toString()); Logger.debug("Trying to find MOA Session-ID"); - HttpSession httpSession = request.getSession(); - String moaSessionID = (String) httpSession.getAttribute("MOA-Session-ID"); + String moaSessionID = request.getParameter(PARAM_SESSIONID); + + // escape parameter strings + moaSessionID= StringEscapeUtils.escapeHtml(moaSessionID); if (StringUtils.isEmpty(moaSessionID)) { //No authentication session has been started before @@ -308,7 +311,7 @@ public class PEPSConnectorServlet extends AuthServlet { response.getOutputStream().write(writer.toString().getBytes()); } catch (Exception e1) { Logger.error("Error sending gender retrival form.", e1); - httpSession.invalidate(); +// httpSession.invalidate(); throw new MOAIDException("stork.10", null); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java index 7c2a032a1..72b479112 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java @@ -147,8 +147,7 @@ public class VerifyIdentityLinkServlet extends AuthServlet { throw new IOException(e.getMessage()); } String sessionID = req.getParameter(PARAM_SESSIONID); - - + // escape parameter strings sessionID = StringEscapeUtils.escapeHtml(sessionID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 31c6f43c5..487e86b34 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -109,41 +109,24 @@ public class DispatcherServlet extends AuthServlet{ Object idObject = req.getParameter(PARAM_TARGET_PENDINGREQUESTID); - Map errorRequests = RequestStorage.getPendingRequest(req.getSession()); + //Map errorRequests = RequestStorage.getPendingRequest(req.getSession()); String pendingRequestID = null; if (idObject != null && (idObject instanceof String)) { - if (errorRequests.containsKey((String)idObject)) - pendingRequestID = (String) idObject; + pendingRequestID = (String) idObject; } if (throwable != null) { - if (errorRequests != null) { - - synchronized (errorRequests) { IRequest errorRequest = null; if (pendingRequestID != null) { - errorRequest = errorRequests.get(pendingRequestID); + errorRequest = RequestStorage.getPendingRequest(pendingRequestID); - //remove the - RequestStorage.removePendingRequest(errorRequests, pendingRequestID); - } - else { - if (errorRequests.size() > 1) { - handleErrorNoRedirect(throwable.getMessage(), throwable, - req, resp); - - } else { - Set keys = errorRequests.keySet(); - errorRequest = errorRequests.get(keys.toArray()[0]); - RequestStorage.removeAllPendingRequests(req.getSession()); - } - } if (errorRequest != null) { - + RequestStorage.removePendingRequest(pendingRequestID); + try { IModulInfo handlingModule = ModulStorage .getModuleByPath(errorRequest @@ -177,16 +160,9 @@ public class DispatcherServlet extends AuthServlet{ } handleErrorNoRedirect(throwable.getMessage(), throwable, req, resp); - - } else { - // TODO: use better string - handleErrorNoRedirect("UNKOWN ERROR DETECTED!", null, req, - resp); - } return; } - } Object moduleObject = req.getParameter(PARAM_TARGET_MODULE); String module = null; @@ -247,32 +223,24 @@ public class DispatcherServlet extends AuthServlet{ } } - HttpSession httpSession = req.getSession(); - Map protocolRequests = null; + //HttpSession httpSession = req.getSession(); + //Map protocolRequests = null; IRequest protocolRequest = null; try { - protocolRequests = RequestStorage.getPendingRequest(httpSession); - Object idObject = req.getParameter(PARAM_TARGET_PENDINGREQUESTID); - if (protocolRequests != null && - idObject != null && (idObject instanceof String)) { + if (idObject != null && (idObject instanceof String)) { protocolRequestID = (String) idObject; - + protocolRequest = RequestStorage.getPendingRequest(protocolRequestID); + //get IRequest if it exits - if (protocolRequests.containsKey(protocolRequestID)) { - protocolRequest = protocolRequests.get(protocolRequestID); + if (protocolRequest != null) { Logger.debug(DispatcherServlet.class.getName()+": Found PendingRequest with ID " + protocolRequestID); } else { - Logger.error("No PendingRequest with ID " + protocolRequestID + " found.!"); - - Set mapkeys = protocolRequests.keySet(); - for (String el : mapkeys) - Logger.debug("PendingRequest| ID=" + el + " OAIdentifier=" + protocolRequests.get(el)); - + Logger.error("No PendingRequest with ID " + protocolRequestID + " found.!"); handleErrorNoRedirect("Während des Anmeldevorgangs ist ein Fehler aufgetreten. Bitte versuchen Sie es noch einmal.", null, req, resp); return; @@ -282,43 +250,25 @@ public class DispatcherServlet extends AuthServlet{ protocolRequest = info.preProcess(req, resp, action); if (protocolRequest != null) { + + //Start new Authentication + protocolRequest.setAction(action); + protocolRequest.setModule(module); + protocolRequestID = Random.nextRandom(); + protocolRequest.setRequestID(protocolRequestID); - if(protocolRequests != null) { + RequestStorage.setPendingRequest(protocolRequest); - Set mapkeys = protocolRequests.keySet(); - for (String el : mapkeys) { - IRequest value = protocolRequests.get(el); - - if (value.getOAURL().equals(protocolRequest.getOAURL())) { - - if(!AuthenticationSessionStoreage.deleteSessionWithPendingRequestID(el)) { - Logger.warn(DispatcherServlet.class.getName()+": NO MOASession with PendingRequestID " + el + " found. Delete all user sessions!"); - RequestStorage.removeAllPendingRequests(req.getSession()); - - } else { - RequestStorage.removePendingRequest(protocolRequests, el); - } - } - } - - } else { - protocolRequests = new ConcurrentHashMap(); - } + Logger.debug(DispatcherServlet.class.getName()+": Create PendingRequest with ID " + protocolRequestID + "."); + + } else { + Logger.error("Failed to generate a valid protocol request!"); + resp.setContentType("text/html;charset=UTF-8"); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!"); + return; - synchronized (protocolRequest) { - synchronized (protocolRequests) { - - //Start new Authentication - protocolRequest.setAction(action); - protocolRequest.setModule(module); - protocolRequestID = Random.nextRandom(); - protocolRequest.setRequestID(protocolRequestID); - protocolRequests.put(protocolRequestID, protocolRequest); - Logger.debug(DispatcherServlet.class.getName()+": Create PendingRequest with ID " + protocolRequestID + "."); - } - } } - + } catch (ProtocolNotActiveException e) { resp.getWriter().write(e.getMessage()); resp.setContentType("text/html;charset=UTF-8"); @@ -338,18 +288,8 @@ public class DispatcherServlet extends AuthServlet{ return; } - - if (protocolRequest == null) { - Logger.error("Failed to generate a valid protocol request!"); - resp.setContentType("text/html;charset=UTF-8"); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!"); - return; - - } } - - RequestStorage.setPendingRequest(httpSession, protocolRequests); - + AuthenticationManager authmanager = AuthenticationManager.getInstance(); SSOManager ssomanager = SSOManager.getInstance(); @@ -470,7 +410,7 @@ public class DispatcherServlet extends AuthServlet{ String assertionID = moduleAction.processRequest(protocolRequest, req, resp, moasession); - RequestStorage.removePendingRequest(protocolRequests, protocolRequestID); + RequestStorage.removePendingRequest(protocolRequestID); if (needAuthentication) { boolean isSSOSession = MiscUtil.isNotEmpty(newSSOSessionId); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 666224b3a..03a61d08f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -252,7 +252,7 @@ public class AuthenticationManager extends AuthServlet { } //set MOAIDSession - request.getSession().setAttribute(MOA_SESSION, moasession.getSessionID()); + //request.getSession().setAttribute(MOA_SESSION, moasession.getSessionID()); response.setContentType("text/html;charset=UTF-8"); PrintWriter out = new PrintWriter(response.getOutputStream()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java index bfe1151c4..21b4e2b65 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java @@ -22,64 +22,53 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.moduls; -import java.util.Map; - -import javax.servlet.http.HttpSession; - +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.logging.Logger; public class RequestStorage { - private static final String PENDING_REQUEST = "PENDING_REQUEST"; - - public static Map getPendingRequest(HttpSession session) { + public static IRequest getPendingRequest(String pendingReqID) { - - Object obj = session.getAttribute(PENDING_REQUEST); - if (obj != null) { - synchronized (obj) { - if (obj instanceof Map) { - if (((Map) obj).size() > 0) { - if ( ((Map) obj).keySet().toArray()[0] instanceof String) { - if (((Map) obj).get(((Map) obj).keySet().toArray()[0]) - instanceof IRequest) { - return (Map) obj; - - - - } - } - } - } - } - session.setAttribute(PENDING_REQUEST, null); - } + try { + AssertionStorage storage = AssertionStorage.getInstance(); + IRequest pendingRequest = storage.get(pendingReqID, IRequest.class); + return pendingRequest; + + } catch (MOADatabaseException e) { + Logger.info("No PendingRequst found with pendingRequestID " + pendingReqID); return null; + + } } - public static void setPendingRequest(HttpSession session, Map request) { - session.setAttribute(PENDING_REQUEST, request); - } - - public static void removeAllPendingRequests(HttpSession session) { - - Logger.debug(RequestStorage.class.getName()+": Remove all PendingRequests"); + public static void setPendingRequest(Object pendingRequest) throws MOAIDException { + try { + AssertionStorage storage = AssertionStorage.getInstance(); + + if (pendingRequest instanceof IRequest) { + storage.put(((IRequest)pendingRequest).getRequestID(), pendingRequest); + + } else { + throw new MOAIDException("auth.20", null); + + } + + } catch (MOADatabaseException e) { + Logger.warn("Pending Request with ID=" + ((IRequest)pendingRequest).getRequestID() + + " can not stored.", e); + throw new MOAIDException("auth.20", null); + } - session.setAttribute(PENDING_REQUEST, null); } - public static void removePendingRequest(Map requestmap, String requestID) { - - if (requestmap != null && requestID != null) { + public static void removePendingRequest(String requestID) { - synchronized (requestmap) { - - if (requestmap.containsKey(requestID)) { - requestmap.remove(requestID); - Logger.debug(RequestStorage.class.getName()+": Remove PendingRequest with ID " + requestID); - - } - } + if (requestID != null) { + AssertionStorage storage = AssertionStorage.getInstance(); + storage.remove(requestID); + } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 1d85f29bf..db83233fe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -245,7 +245,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { } } - request.getSession().setAttribute(PARAM_OA, oaURL); + //request.getSession().setAttribute(PARAM_OA, oaURL); return config; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index e587ef0e1..d82bd1496 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -125,8 +125,8 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { config.setTarget(oaParam.getTarget()); - request.getSession().setAttribute(PARAM_OA, oaURL); - request.getSession().setAttribute(PARAM_TARGET, oaParam.getTarget()); +// request.getSession().setAttribute(PARAM_OA, oaURL); +// request.getSession().setAttribute(PARAM_TARGET, oaParam.getTarget()); return config; } -- cgit v1.2.3 From 333ed628cc5be8dfbece822d9caff0a8fe49438a Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 10 Mar 2014 08:42:26 +0100 Subject: Improvement for cluster operations - only use http GET parameter for session management and no information from browser sessions. --- .../moa/id/auth/servlet/PEPSConnectorServlet.java | 18 +++++-- .../moa/id/protocols/pvp2x/binding/MOARequest.java | 62 ++++++++++++++++++---- .../id/protocols/pvp2x/binding/PostBinding.java | 2 +- .../protocols/pvp2x/binding/RedirectBinding.java | 2 +- .../pvp2x/requestHandler/AuthnRequestHandler.java | 3 +- 5 files changed, 67 insertions(+), 20 deletions(-) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 7c96c2194..83d0ced20 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -52,6 +52,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.stork.STORKException; import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor; import at.gv.egovernment.moa.id.auth.stork.VelocityProvider; @@ -62,6 +63,7 @@ import at.gv.egovernment.moa.id.moduls.ModulUtils; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.HTTPUtils; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.StringUtils; import at.gv.util.xsd.xmldsig.SignatureType; @@ -123,9 +125,18 @@ public class PEPSConnectorServlet extends AuthServlet { Logger.error("MOA-SessionID was not found, no previous AuthnRequest had been started"); throw new AuthenticationException("auth.02", new Object[] { moaSessionID }); } - + + if (!ParamValidatorUtils.isValidSessionID(moaSessionID)) + throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12"); + pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moaSessionID); + //load MOASession from database + AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID); + + //change MOASessionID + moaSessionID = AuthenticationSessionStoreage.changeSessionID(moaSession); + Logger.info("Found MOA sessionID: " + moaSessionID); Logger.debug("Beginning to extract SAMLResponse out of HTTP Request"); @@ -166,10 +177,7 @@ public class PEPSConnectorServlet extends AuthServlet { } Logger.info("Got SAML response with authentication success message."); - - //check if authentication request was created before - AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID); - + Logger.debug("MOA session is still valid"); STORKAuthnRequest storkAuthnRequest = moaSession.getStorkAuthnRequest(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java index d28c5eeec..c1104f9f5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java @@ -24,27 +24,51 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding; import java.io.Serializable; +import org.opensaml.Configuration; import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.saml2.core.impl.RequestAbstractTypeMarshaller; +import org.opensaml.saml2.core.impl.RequestAbstractTypeUnmarshaller; import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.io.Unmarshaller; +import org.opensaml.xml.io.UnmarshallerFactory; +import org.opensaml.xml.io.UnmarshallingException; +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; +import at.gv.egovernment.moa.logging.Logger; public class MOARequest implements Serializable{ private static final long serialVersionUID = 2395131650841669663L; - private RequestAbstractType samlRequest; - private EntityDescriptor entityMetadata; + private Element samlRequest; private boolean verified = false; - + private String entityID = null; + public MOARequest(RequestAbstractType request) { - samlRequest = request; + samlRequest = request.getDOM(); } public RequestAbstractType getSamlRequest() { - return samlRequest; + UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); + Unmarshaller unmashaller = unmarshallerFactory.getUnmarshaller(samlRequest); + + try { + return (RequestAbstractType) unmashaller.unmarshall(samlRequest); + + } catch (UnmarshallingException e) { + Logger.warn("AuthnRequest Unmarshaller error", e); + return null; + } + } public void setSamlRequest(RequestAbstractType request) { - this.samlRequest = request; + this.samlRequest = request.getDOM(); } public boolean isVerified() { @@ -55,13 +79,29 @@ public class MOARequest implements Serializable{ this.verified = verified; } - public EntityDescriptor getEntityMetadata() { - return entityMetadata; + public EntityDescriptor getEntityMetadata() throws NoMetadataInformationException { + + try { + return MOAMetadataProvider.getInstance().getEntityDescriptor(this.entityID); + + } catch (MetadataProviderException e) { + Logger.warn("No Metadata for EntitiyID " + entityID); + throw new NoMetadataInformationException(); + } } - public void setEntityMetadata(EntityDescriptor entityMetadata) { - this.entityMetadata = entityMetadata; + /** + * @return the entitiyID + */ + public String getEntityID() { + return entityID; + } + + /** + * @param entitiyID the entitiyID to set + */ + public void setEntityID(String entitiyID) { + this.entityID = entitiyID; } - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index af29054e1..d00b1cc16 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -128,7 +128,7 @@ public class PostBinding implements IDecoder, IEncoder { MOARequest request = new MOARequest(inboundMessage); request.setVerified(false); - request.setEntityMetadata(messageContext.getPeerEntityMetadata()); + request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); return request; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 7c9cc6259..f09178f55 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -131,7 +131,7 @@ public class RedirectBinding implements IDecoder, IEncoder { .getInboundMessage(); MOARequest request = new MOARequest(inboundMessage); request.setVerified(true); - request.setEntityMetadata(messageContext.getPeerEntityMetadata()); + request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); return request; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index 4d143058b..b6ab357b8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -154,8 +154,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { } - //TODO: insert!!!!!! - if (encryptionCredentials != null && false) { + if (encryptionCredentials != null) { //encrypt SAML2 assertion try { -- cgit v1.2.3 From 5b31c460806ae2e1900a3df323e7fecfdb798e32 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 10 Mar 2014 08:42:49 +0100 Subject: update ConfigTool and Handbook --- .../src/main/resources/applicationResources.properties | 2 +- id/server/doc/handbook/config/config.html | 13 +++++++++---- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/id/ConfigWebTool/src/main/resources/applicationResources.properties b/id/ConfigWebTool/src/main/resources/applicationResources.properties index 914c4cd62..830a638a1 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources.properties @@ -107,7 +107,7 @@ webpages.moaconfig.certificates.trustmanagerrev=TrustManagerRevocationChecking webpages.moaconfig.certificates.trustCACerts=TrustedCACertificates webpages.moaconfig.certificates.chainingmode=ChainingMode webpages.moaconfig.timeout.header=Session TimeOuts -webpages.moaconfig.timeout.assertion=Assertion [sec] +webpages.moaconfig.timeout.assertion=Anmeldedaten [sec] webpages.moaconfig.timeout.MOASessionCreated=SSO Session authentifiziert [sec] webpages.moaconfig.timeout.MOASessionUpdated=SSO Session letzter Zugriff [sec] webpages.moaconfig.moasp.header=MOA-SP Konfiguration diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html index b41389798..4d8976776 100644 --- a/id/server/doc/handbook/config/config.html +++ b/id/server/doc/handbook/config/config.html @@ -960,9 +960,14 @@ Checking Beschreibung - Assertion + Anmeldedaten 300 - Gibt die Zeitspanne in Sekunden an, für die die Anmeldedaten in der Authentisierungskomponente (MOA-ID-Auth) zum Abholen durch die eine nachfolgende Applikation bereitstehen. Nach Ablauf dieser Zeitspanne werden die Anmeldedaten gelöscht. +

Gibt die Zeitspanne in Sekunden an, für die Anmeldedaten, temporäre Sessiondaten oder Assertions in der Authentisierungskomponente (MOA-ID-Auth) vorrätig gehalten werden. Nach Ablauf dieser Zeitspanne werden diese Daten gelöscht oder der Anmeldevorgang abgebrochen. Dieser Parameter hat Einfluss auf folgende Funktionen:

+
    +
  • maximale Zeitspanne eines Anmeldevorgangs vom Authentification Request bis zur Authentification Response gerechnet.
  • +
  • maximale Zeitspanne welche einer Online-Applikation zum Abholen der Anmeldedaten zur Verfügung steht. (SAML mit Artifact Binding und OpenID Connect)
  • +
  • maximale Zeitspanne zum Abholen zusätzlicher STORK2 Attribute (Zeitdauer je Attribut)
  • +
SSO Session authentifiziert @@ -1418,11 +1423,11 @@ Soll die Bürgerkartenauswahl weiterhin, wie in MOA-ID 1.5.1 im Kontext der     X - Definiert ob eine Online-Applikation ausschließlich Anmeldungen mittels Online-Vollmachten unterstützt. Wenn ja, wird in während der BKU-Auswahl die Option in Vertretung für eine Anmeldung in Vertretung standardmäßig aktiviert und diese Einstellung kann durch die BenutzerIn oder den Benutzer nicht geändert werden.. + Definiert ob eine Online-Applikation ausschließlich Anmeldungen mittels Online-Vollmachten unterstützt. Wenn ja, wird in während der BKU-Auswahl die Option in Vertretung für eine Anmeldung in Vertretung standardmäßig aktiviert und diese Einstellung kann durch die BenutzerIn oder den Benutzer nicht geändert werden.

 

-

Hinweis: Werden für die Online-Applikation eigene Templates für die Bürgerkartenauswahl oder die zusätzliche Anmeldeabfrage im SSO Fall (siehe Abschnitt 3.2.2) verwendet, stehen alle Konfigurationsparameter die Einfluss auf die BKU-Auswahl haben nicht zur Verfügung.

+

Hinweis: Werden für die Online-Applikation eigene Templates für die Bürgerkartenauswahl oder die zusätzliche Anmeldeabfrage im SSO Fall (siehe Abschnitt 3.2.2) verwendet, stehen alle Konfigurationsparameter die Einfluss auf die BKU-Auswahl haben nicht zur Verfügung. Die Funktionalität der entsprechenden Parameter hat jedoch weiterhin Einfluss auf den Anmeldevorgang.

3.2.4 Single Sign-On (SSO)

Dieser Abschnitt behandelt online-applikationsspezifische Einstellungen zu Single Sign-On

-- cgit v1.2.3