From ef59662475c60c027c698caacd2423b34b3524d3 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 22 Feb 2016 12:57:46 +0100 Subject: update SSO session-transfer to MOA-ID 3.1.x architecture --- id/server/modules/moa-id-module-ssoTransfer/pom.xml | 18 ++++++++++++++++++ .../ssotransfer/servlet/SSOTransferGUIServlet.java | 20 ++++++++++++-------- .../ssotransfer/task/RestoreSSOSessionTask.java | 6 +----- .../ssotransfer/utils/SSOContainerUtils.java | 21 ++++++++++----------- 4 files changed, 41 insertions(+), 24 deletions(-) diff --git a/id/server/modules/moa-id-module-ssoTransfer/pom.xml b/id/server/modules/moa-id-module-ssoTransfer/pom.xml index 61af328d3..a6399391a 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/pom.xml +++ b/id/server/modules/moa-id-module-ssoTransfer/pom.xml @@ -15,6 +15,24 @@ qrgen 1.4 + + + + com.googlecode.jsontoken + jsontoken + 1.1 + + + javax.servlet + servlet-api + + + google-collections + com.google.collections + + + + \ No newline at end of file diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java index fa7d59beb..fae1b6f4d 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java @@ -31,10 +31,6 @@ import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import net.glxn.qrgen.QRCode; -import net.glxn.qrgen.image.ImageType; - -import org.apache.commons.codec.binary.Base64OutputStream; import org.apache.velocity.VelocityContext; import com.google.gson.JsonObject; @@ -46,17 +42,17 @@ import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; -import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; +import net.glxn.qrgen.QRCode; +import net.glxn.qrgen.image.ImageType; @@ -93,13 +89,21 @@ public class SSOTransferGUIServlet extends AuthServlet { } else { //create first step of SSO Transfer GUI + String authURL = HTTPUtils.extractAuthURLFromRequest(req); + if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(). + contains(authURL)) { + Logger.warn("Requested URL is not allowed.");; + resp.sendError(500, "Requested URL is not allowed."); + + } + String moaSessionID = AuthenticationSessionStoreage.getMOASessionSSOID(ssoid); if (MiscUtil.isNotEmpty(moaSessionID)) { AuthenticationSession authSession = AuthenticationSessionStoreage .getSession(moaSessionID); if(authSession != null) { Date now = new Date(); - String encodedSSOContainer = SSOContainerUtils.generateSignedAndEncryptedSSOContainer(authSession, now); + String encodedSSOContainer = SSOContainerUtils.generateSignedAndEncryptedSSOContainer(authURL, authSession, now); String token = Random.nextRandom(); AssertionStorage.getInstance().put(token, encodedSSOContainer); diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java index 884633a1e..270264099 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java @@ -26,8 +26,6 @@ import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_SESSIONID; import java.io.BufferedReader; import java.io.IOException; -import java.util.Enumeration; -import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -35,7 +33,6 @@ import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang3.BooleanUtils; import org.apache.velocity.VelocityContext; import org.joda.time.DateTime; -import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Response; import com.google.gson.JsonObject; @@ -52,7 +49,6 @@ import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.RequestStorage; import at.gv.egovernment.moa.id.process.api.ExecutionContext; @@ -127,7 +123,7 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { if (PVPConfiguration.getInstance().getIDPPublicPath().equals(entityID)) { // stored SSO session data is from this IDP - start local session reconstruction Response ssoInformation = SSOContainerUtils.validateReceivedSSOContainer(sessionBlob); - SSOContainerUtils.parseSSOContainerToMOASessionDataObject(moasession, ssoInformation); + SSOContainerUtils.parseSSOContainerToMOASessionDataObject(pendingReq, moasession, ssoInformation); // store MOASession into database try { diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java index 8980d3ea7..861dcbf58 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java @@ -22,8 +22,6 @@ */ package at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils; -import iaik.x509.X509Certificate; - import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.StringWriter; @@ -87,7 +85,6 @@ import org.w3c.dom.NodeList; import com.google.gson.JsonObject; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ParseException; @@ -100,10 +97,10 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.MISMandate; +import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException; @@ -116,6 +113,7 @@ import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; +import iaik.x509.X509Certificate; /** * @author tlenz @@ -142,10 +140,10 @@ public class SSOContainerUtils { REQUIRED_ATTRIBUTES = Collections.unmodifiableList(tmp); } - public static void parseSSOContainerToMOASessionDataObject(AuthenticationSession moasession, Response ssoInformation) throws AssertionAttributeExtractorExeption, ConfigurationException { + public static void parseSSOContainerToMOASessionDataObject(IRequest pendingReq, AuthenticationSession moasession, Response ssoInformation) throws AssertionAttributeExtractorExeption, ConfigurationException { AssertionAttributeExtractor attributeExtractor = new AssertionAttributeExtractor(ssoInformation); - String authServiceURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); + String authServiceURL = pendingReq.getAuthURL(); if (authServiceURL.endsWith("/")) moasession.setAuthURL(authServiceURL); else @@ -313,10 +311,10 @@ public class SSOContainerUtils { } - public static String generateSignedAndEncryptedSSOContainer( + public static String generateSignedAndEncryptedSSOContainer(String authURL, AuthenticationSession authSession, Date date) { try { - String entityID = PVPConfiguration.getInstance().getIDPPublicPath(); + String entityID = authURL; AuthnContextClassRef authnContextClassRef = SAML2Utils .createSAMLObject(AuthnContextClassRef.class); authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel()); @@ -347,6 +345,7 @@ public class SSOContainerUtils { IAuthData authData = new SSOTransferAuthenticationData(authSession); Assertion assertion = PVP2AssertionBuilder.buildGenericAssertion( + authURL, entityID, new DateTime(date.getTime()), authnContextClassRef, @@ -356,7 +355,7 @@ public class SSOContainerUtils { sessionIndex, subjectConfirmationData.getNotOnOrAfter()); - String ssoDataBlob = buildSSOContainerObject(assertion, new DateTime(date.getTime())); + String ssoDataBlob = buildSSOContainerObject(authURL, assertion, new DateTime(date.getTime())); JsonObject container = new JsonObject(); container.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_TYPE, "SSO"); @@ -377,13 +376,13 @@ public class SSOContainerUtils { return null; } - private static String buildSSOContainerObject(Assertion assertion, DateTime date) throws ConfigurationException, EncryptionException, CredentialsNotAvailableException, SecurityException, ParserConfigurationException, MarshallingException, SignatureException, TransformerFactoryConfigurationError, TransformerException, IOException { + private static String buildSSOContainerObject(String authURL, Assertion assertion, DateTime date) throws ConfigurationException, EncryptionException, CredentialsNotAvailableException, SecurityException, ParserConfigurationException, MarshallingException, SignatureException, TransformerFactoryConfigurationError, TransformerException, IOException { Response authResponse = SAML2Utils.createSAMLObject(Response.class); Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); //change to entity value from entity name to IDP EntityID (URL) - nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + nissuer.setValue(authURL); nissuer.setFormat(NameID.ENTITY); authResponse.setIssuer(nissuer); -- cgit v1.2.3