From 7bba49753c8a44fade100d3676ab0a62372d44e1 Mon Sep 17 00:00:00 2001 From: "harald.bratko" Date: Wed, 10 Jan 2007 15:37:52 +0000 Subject: Adapted for MOA-ID 1.4 (validating additional infoboxes). git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@769 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../moa/id/auth/AuthenticationServer.java | 261 +++++++++++++++-- .../builder/AuthenticationAssertionBuilder.java | 88 ++++++ .../AuthenticationBlockAssertionBuilder.java | 107 ++++--- .../AuthenticationDataAssertionBuilder.java | 74 ++--- .../CertInfoVerifyXMLSignatureRequestBuilder.java | 2 +- .../auth/builder/GetIdentityLinkFormBuilder.java | 28 +- .../builder/InfoboxValidatorParamsBuilder.java | 78 +++++ .../moa/id/auth/builder/SelectBKUFormBuilder.java | 4 +- .../builder/VerifyXMLSignatureRequestBuilder.java | 8 +- .../moa/id/auth/data/AuthenticationSession.java | 81 ++++- .../moa/id/auth/data/ExtendedSAMLAttribute.java | 73 +++++ .../id/auth/data/ExtendedSAMLAttributeImpl.java | 137 +++++++++ .../egovernment/moa/id/auth/data/InfoboxToken.java | 65 ++++ .../moa/id/auth/data/InfoboxTokenImpl.java | 129 ++++++++ .../moa/id/auth/data/InfoboxValidatorParams.java | 159 ++++++++++ .../id/auth/data/InfoboxValidatorParamsImpl.java | 326 +++++++++++++++++++++ .../at/gv/egovernment/moa/id/auth/data/Schema.java | 26 ++ .../egovernment/moa/id/auth/data/SchemaImpl.java | 63 ++++ .../parser/CreateXMLSignatureResponseParser.java | 9 +- .../parser/ExtendedInfoboxReadResponseParser.java | 157 ++++++++++ .../auth/parser/IdentityLinkAssertionParser.java | 2 +- .../moa/id/auth/servlet/AuthServlet.java | 2 +- .../id/auth/servlet/VerifyIdentityLinkServlet.java | 40 +-- .../id/auth/validator/IdentityLinkValidator.java | 2 +- .../moa/id/auth/validator/InfoboxValidator.java | 71 +++++ 25 files changed, 1855 insertions(+), 137 deletions(-) create mode 100644 id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java create mode 100644 id.server/src/at/gv/egovernment/moa/id/auth/builder/InfoboxValidatorParamsBuilder.java create mode 100644 id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttribute.java create mode 100644 id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttributeImpl.java create mode 100644 id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxToken.java create mode 100644 id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxTokenImpl.java create mode 100644 id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java create mode 100644 id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java create mode 100644 id.server/src/at/gv/egovernment/moa/id/auth/data/Schema.java create mode 100644 id.server/src/at/gv/egovernment/moa/id/auth/data/SchemaImpl.java create mode 100644 id.server/src/at/gv/egovernment/moa/id/auth/parser/ExtendedInfoboxReadResponseParser.java create mode 100644 id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java (limited to 'id.server/src/at/gv/egovernment/moa/id/auth') diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 8359623b1..cd4b26df3 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -10,8 +10,10 @@ import java.util.Date; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; +import java.util.List; import java.util.Map; import java.util.Set; +import java.util.Vector; import javax.xml.transform.TransformerException; @@ -23,36 +25,42 @@ import at.gv.egovernment.moa.id.ParseException; import at.gv.egovernment.moa.id.ServiceException; import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder; +import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.builder.CertInfoVerifyXMLSignatureRequestBuilder; import at.gv.egovernment.moa.id.auth.builder.CreateXMLSignatureRequestBuilder; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; import at.gv.egovernment.moa.id.auth.builder.GetIdentityLinkFormBuilder; import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilder; +import at.gv.egovernment.moa.id.auth.builder.InfoboxValidatorParamsBuilder; import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder; import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder; import at.gv.egovernment.moa.id.auth.builder.SelectBKUFormBuilder; -import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; import at.gv.egovernment.moa.id.auth.parser.CreateXMLSignatureResponseParser; +import at.gv.egovernment.moa.id.auth.parser.ExtendedInfoboxReadResponseParser; import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser; import at.gv.egovernment.moa.id.auth.parser.SAMLArtifactParser; import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.auth.validator.CreateXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator; +import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; import at.gv.egovernment.moa.id.auth.validator.ValidateException; import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConfigurationProvider; import at.gv.egovernment.moa.id.config.ConnectionParameter; -import at.gv.egovernment.moa.id.config.OAParameter; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameter; +import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameters; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; @@ -65,7 +73,6 @@ import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.DateTimeUtils; import at.gv.egovernment.moa.util.FileUtils; -import at.gv.egovernment.moa.util.OutputXML2File; import at.gv.egovernment.moa.util.StringUtils; /** @@ -338,6 +345,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { ex); } } + String pushInfobox = ""; + VerifyInfoboxParameters verifyInfoboxParameters = oaParam.getVerifyInfoboxParameters(); + if (verifyInfoboxParameters != null) { + pushInfobox = verifyInfoboxParameters.getPushInfobox(); + } String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder().build(oaParam.getSlVersion12()); String certInfoDataURL = new DataURLBuilder().buildDataURL( @@ -351,7 +363,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { infoboxReadRequest, dataURL, certInfoRequest, - certInfoDataURL); + certInfoDataURL, + pushInfobox); return htmlForm; } /** @@ -363,6 +376,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { *
  • Verifies identity link by calling the MOA SP component
  • *
  • Checks certificate authority of identity link
  • *
  • Stores identity link in the session
  • + *
  • Verifies all additional infoboxes returned from the BKU
  • *
  • Creates an authentication block to be signed by the user
  • *
  • Creates and returns a <CreateXMLSignatureRequest> * containg the authentication block, meant to be returned to the @@ -370,13 +384,14 @@ public class AuthenticationServer implements MOAIDAuthConstants { * * * @param sessionID ID of associated authentication session data - * @param xmlInfoboxReadResponse String representation of the - * <InfoboxReadResponse> + * @param infoboxReadResponseParameters The parameters from the response returned from + * the BKU including the <InfoboxReadResponse> * @return String representation of the <CreateXMLSignatureRequest> */ - public String verifyIdentityLink(String sessionID, String xmlInfoboxReadResponse) + public String verifyIdentityLink(String sessionID, Map infoboxReadResponseParameters) throws AuthenticationException, + BuildException, ParseException, ConfigurationException, ValidateException, @@ -384,8 +399,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (isEmpty(sessionID)) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_IDENTITY_LINK, PARAM_SESSIONID}); + + String xmlInfoboxReadResponse = (String)infoboxReadResponseParameters.get(PARAM_XMLRESPONSE); if (isEmpty(xmlInfoboxReadResponse)) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_IDENTITY_LINK, PARAM_XMLRESPONSE}); + AuthenticationSession session = getSession(sessionID); if (session.getTimestampIdentityLink() != null) throw new AuthenticationException("auth.01", new Object[] { sessionID }); @@ -427,6 +445,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { ignoreManifestValidationResult); session.setIdentityLink(identityLink); + // now validate the extended infoboxes + verifyInfoboxes(session, infoboxReadResponseParameters); // builds the AUTH-block String authBlock = buildAuthenticationBlock(session); // session.setAuthBlock(authBlock); @@ -446,29 +466,222 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Builds an authentication block <saml:Assertion> from given session data. * @param session authentication session + * * @return <saml:Assertion> as a String + * + * @throws BuildException If an error occurs on serializing an extended SAML attribute + * to be appended to the AUTH-Block. */ - private String buildAuthenticationBlock(AuthenticationSession session) { + private String buildAuthenticationBlock(AuthenticationSession session) throws BuildException { IdentityLink identityLink = session.getIdentityLink(); String issuer = identityLink.getName(); String gebDat = identityLink.getDateOfBirth(); String identificationValue = identityLink.getIdentificationValue(); String identificationType = identityLink.getIdentificationType(); String issueInstant = DateTimeUtils.buildDateTime(Calendar.getInstance()); + session.setIssueInstant(issueInstant); String authURL = session.getAuthURL(); String target = session.getTarget(); String oaURL = session.getPublicOAURLPrefix(); - String authBlock = new AuthenticationBlockAssertionBuilder().buildAuthBlock(issuer, - issueInstant, - authURL, - target, - identificationValue, - identificationType, - oaURL, - gebDat); + List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); + String authBlock = new AuthenticationBlockAssertionBuilder().buildAuthBlock( + issuer, + issueInstant, + authURL, + target, + identificationValue, + identificationType, + oaURL, + gebDat, + extendedSAMLAttributes); return authBlock; } + + /** + * Verifies the infoboxes (except of the identity link infobox) returned by the BKU by + * calling appropriate validator classes. + * + * @param session The actual authentication session. + * @param infoboxReadResponseParams The parameters returned from the BKU as response + * to an infobox read request (including the infobox + * tokens to be verified). + * + * @throws AuthenticationException If the verification of at least one infobox fails. + * @throws ConfigurationException If the OAuthParameter cannot be extracted. + */ + private void verifyInfoboxes( + AuthenticationSession session, Map infoboxReadResponseParams) + throws ValidateException, ConfigurationException + { + + AuthConfigurationProvider authConfigurationProvider = AuthConfigurationProvider.getInstance(); + // get the default VerifyInfobox parameters + Map defaultInfoboxParameters = null; + VerifyInfoboxParameters defaultVerifyInfoboxParameters = + authConfigurationProvider.getDefaultVerifyInfoboxParameters(); + if (defaultVerifyInfoboxParameters != null) { + defaultInfoboxParameters = defaultVerifyInfoboxParameters.getInfoboxParameters(); + } + // get the OA specific VerifyInfobox parameters + Map infoboxParameters = null; + OAAuthParameter oaParam = + authConfigurationProvider.getOnlineApplicationParameter(session.getPublicOAURLPrefix()); + VerifyInfoboxParameters verifyInfoboxParameters = oaParam.getVerifyInfoboxParameters(); + if (verifyInfoboxParameters != null) { + Vector authAttributes = new Vector(); + Vector oaAttributes = new Vector(); + infoboxParameters = verifyInfoboxParameters.getInfoboxParameters(); + // get the list of infobox identifiers + List identifiers = verifyInfoboxParameters.getIdentifiers(); + if (identifiers != null) { + // step through the identifiers and verify the infoboxes + Iterator it = identifiers.iterator(); + while (it.hasNext()) { + String identifier = (String)it.next(); + // get the infobox read response from the map of parameters + String infoboxReadResponse = (String)infoboxReadResponseParams.get(identifier); + // get the configuration parameters + VerifyInfoboxParameter verifyInfoboxParameter = null; + Object object = infoboxParameters.get(identifier); + // if not present, use default + if ((object == null) && (defaultInfoboxParameters != null)) { + object = defaultInfoboxParameters.get(identifier); + } + if (object != null) { + verifyInfoboxParameter = (VerifyInfoboxParameter)object; + } + if (infoboxReadResponse != null) { + if (verifyInfoboxParameter == null) { + // should not happen because of the pushinfobox mechanism; check it anyway + Logger.error("No validator for verifying \"" + identifier + "\"-infobox configured."); + throw new ValidateException("validator.41", new Object[] {identifier}); + } else { + String friendlyName = verifyInfoboxParameter.getFriendlyName(); + // get the class for validating the infobox + InfoboxValidator infoboxValidator = null; + try { + Class validatorClass = Class.forName(verifyInfoboxParameter.getValidatorClassName()); + infoboxValidator = (InfoboxValidator) validatorClass.newInstance(); + } catch (Exception e) { + Logger.error("Could not load validator class \"" + verifyInfoboxParameter.getValidatorClassName() + + "\" for \"" + identifier + "\"-infobox: " + e.getMessage()); + throw new ValidateException("validator.42", new Object[] {friendlyName}); + } + Logger.debug("Successfully loaded validator class \"" + verifyInfoboxParameter.getValidatorClassName() + + "\" for \"" + identifier + "\"-infobox."); + // parse the infobox read reponse + List infoboxTokenList = null; + try { + infoboxTokenList = + ExtendedInfoboxReadResponseParser.parseInfoboxReadResponse(infoboxReadResponse, friendlyName); + } catch (ParseException e) { + Logger.error("InfoboxReadResponse for \"" + identifier + + "\"-infobox could not be parsed successfully: " + e.getMessage()); + throw new ValidateException("validator.43", new Object[] {friendlyName}); + } + // build the parameters for validating the infobox + InfoboxValidatorParams infoboxValidatorParams = + InfoboxValidatorParamsBuilder.buildInfoboxValidatorParams( + session, verifyInfoboxParameter, infoboxTokenList); + // now validate the infobox + boolean infoboxValid = false; + try { + infoboxValid = infoboxValidator.validate(infoboxValidatorParams); + } catch (ValidateException e) { + Logger.error("Error validating " + identifier + " infobox:" + e.getMessage()); + throw new ValidateException( + "validator.44", new Object[] {friendlyName}); + } + if (!infoboxValid) { + Logger.info("Validation of " + identifier + " infobox failed."); + throw new ValidateException( + "validator.40", new Object[] {friendlyName, infoboxValidator.getErrorMessage()}); + } + + Logger.info(identifier + " infobox successfully validated."); + + // get the SAML attributes to be appended to the AUTHBlock or to the final + // SAML Assertion + ExtendedSAMLAttribute[] extendedSAMLAttributes = infoboxValidator.getExtendedSamlAttributes(); + if (extendedSAMLAttributes != null) { + int length = extendedSAMLAttributes.length; + for (int i=0; i<CreateXMLSignatureResponse> sent by the * security layer implementation.
    @@ -630,13 +843,15 @@ public class AuthenticationServer implements MOAIDAuthConstants { } String authBlock = oaParam.getProvideAuthBlock() ? session.getAuthBlock() : ""; String samlAssertion = - new AuthenticationDataAssertionBuilder().build(authData, - prPerson, - authBlock, - ilAssertion, - session.getBkuURL(), - signerCertificateBase64, - businessService); + new AuthenticationDataAssertionBuilder().build( + authData, + prPerson, + authBlock, + ilAssertion, + session.getBkuURL(), + signerCertificateBase64, + businessService, + session.getExtendedSAMLAttributesOA()); authData.setSamlAssertion(samlAssertion); return authData; } catch (Throwable ex) { diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java new file mode 100644 index 000000000..241cf0afc --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationAssertionBuilder.java @@ -0,0 +1,88 @@ +package at.gv.egovernment.moa.id.auth.builder; + +import java.io.IOException; +import java.text.MessageFormat; +import java.util.Iterator; +import java.util.List; + +import javax.xml.transform.TransformerException; + +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.id.ParseException; +import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.StringUtils; + +/** + * Base class for building authentication the AUTHBlock and final OA data SAML assertions. + * Encapsulates methods used by the two specific builders + * {@link at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder AuthenticationBlockAssertionBuilder} + * and + * {@link at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder AuthenticationDataAssertionBuilder} + * + * @author Harald Bratko + */ +public class AuthenticationAssertionBuilder { + + /** the NewLine representation in Java*/ + protected static String NL = "\n"; + + protected static String SAML_ATTRIBUTE = + " " + NL + + " {2}" + NL + + " "+ NL; + + /** + * Empty constructor + */ + public AuthenticationAssertionBuilder() { + } + + /** + * Builds the SAML attributes to be appended to the AUTHBlock or to the SAML assertion + * delivered to the online application. + * The method traverses through the list of given SAML attribute objects and builds an + * XML structure (String representation) for each of the attributes. + * + * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock or + * to the SAML assertion delivered to the online application. + * @return A string representation including the XML structures of + * the SAML attributes. + * + * @throws ParseException If an error occurs on serializing an SAML attribute. + */ + protected String buildExtendedSAMLAttributes(List extendedSAMLAttributes) throws ParseException + { + StringBuffer sb = new StringBuffer(); + if (extendedSAMLAttributes!=null) { + Iterator it = extendedSAMLAttributes.iterator(); + while (it.hasNext()) { + ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next(); + Object value = extendedSAMLAttribute.getValue(); + String name = extendedSAMLAttribute.getName(); + String namespace = extendedSAMLAttribute.getNameSpace(); + if (value instanceof String) { + sb.append(MessageFormat.format( SAML_ATTRIBUTE, new Object[] {name, namespace, value})); + } else if (value instanceof Element) { + try { + String serializedValue = DOMUtils.serializeNode((Element)(value)); + serializedValue = StringUtils.removeXMLDeclaration(serializedValue); + sb.append(MessageFormat.format( SAML_ATTRIBUTE, new Object[] {name, namespace, serializedValue})); + } catch (TransformerException e) { + Logger.error("Error on serializing SAML attribute \"" + name + + " (namespace: \"" + namespace + "\"."); + throw new ParseException("parser.05", new Object[] { name, namespace}); + } catch (IOException e) { + Logger.error("Error on serializing SAML attribute \"" + name + + " (namespace: \"" + namespace + "\"."); + throw new ParseException("parser.05", new Object[] { name, namespace}); + } + } + } + } + return sb.toString(); + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index b1fe0a6df..ef50acb3f 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -1,7 +1,11 @@ package at.gv.egovernment.moa.id.auth.builder; import java.text.MessageFormat; +import java.util.List; +import at.gv.egovernment.moa.id.BuildException; +import at.gv.egovernment.moa.id.ParseException; +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; /** @@ -11,41 +15,46 @@ import at.gv.egovernment.moa.util.Constants; * @author Paul Ivancsics * @version $Id$ */ -public class AuthenticationBlockAssertionBuilder implements Constants { - /** the NewLine representation in Java*/ - private static String nl = "\n"; +public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertionBuilder implements Constants { + /** template for the Auth-Block */ private static String AUTH_BLOCK = - "" + nl + - " " + nl + - " " + nl + - " {3}" + nl + - " " + nl + + "" + NL + + " " + NL + + " " + NL + + " {3}" + NL + + " " + NL + "{4}" + - " " + nl + - " {5}" + nl + - " " + nl + - " " + nl + - " {6}" + nl + - " " + nl + - " " + nl + + " " + NL + + " {5}" + NL + + " " + NL + + " " + NL + + " {6}" + NL + + " " + NL + + "{7}" + + " " + NL + ""; private static String GESCHAEFTS_BEREICH_ATTRIBUTE = - " " + nl + - " {0}" + nl + - " " + nl; + " " + NL + + " {0}" + NL + + " " + NL; private static String WBPK_ATTRIBUTE = - " " + nl + - " " + nl + - " " + nl + - " {0}" + nl + - " {1}" + nl + - " " + nl + - " " + nl + - " " + nl; - + " " + NL + + " " + NL + + " " + NL + + " {0}" + NL + + " {1}" + NL + + " " + NL + + " " + NL + + " " + NL; + + /** + * The number of SAML attributes included in this AUTH-Block (without the extended SAML attributes). + */ + public static final int NUM_OF_SAML_ATTRIBUTES = 3; + /** * Constructor for AuthenticationBlockAssertionBuilder. */ @@ -73,17 +82,26 @@ public class AuthenticationBlockAssertionBuilder implements Constants { * application used as input for wbPK computation; * maybe null if the application is a public service * @param oaURL public URL of online application requested + * @param gebDat The date of birth from the identity link. + * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock. + * * @return String representation of authentication block * <saml:Assertion> built + * + * @throws BuildException If an error occurs on serializing an extended SAML attribute + * to be appended to the AUTH-Block. */ - public String buildAuthBlock(String issuer, - String issueInstant, - String authURL, - String target, - String identityLinkValue, - String identityLinkType, - String oaURL, - String GebDat) + public String buildAuthBlock( + String issuer, + String issueInstant, + String authURL, + String target, + String identityLinkValue, + String identityLinkType, + String oaURL, + String gebDat, + List extendedSAMLAttributes) + throws BuildException { String gebeORwbpk = ""; @@ -97,8 +115,23 @@ public class AuthenticationBlockAssertionBuilder implements Constants { GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); } - String assertion = MessageFormat.format( - AUTH_BLOCK, new Object[] { wbpkNSDeclaration, issuer, issueInstant, authURL, gebeORwbpk, oaURL, GebDat}); + String assertion; + try { + assertion = MessageFormat.format( + AUTH_BLOCK, new Object[] { + wbpkNSDeclaration, + issuer, + issueInstant, + authURL, + gebeORwbpk, + oaURL, + gebDat, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } catch (ParseException e) { + Logger.error("Error on building AUTH-Block: " + e.getMessage()); + throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); + } + return assertion; } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java index 7e866089d..53520c846 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java @@ -1,10 +1,14 @@ package at.gv.egovernment.moa.id.auth.builder; import java.text.MessageFormat; +import java.util.List; import at.gv.egovernment.moa.id.BuildException; +import at.gv.egovernment.moa.id.ParseException; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.StringUtils; /** * Builder for the authentication data <saml:Assertion> @@ -13,7 +17,7 @@ import at.gv.egovernment.moa.util.Constants; * @author Paul Ivancsics * @version $Id$ */ -public class AuthenticationDataAssertionBuilder implements Constants { +public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionBuilder implements Constants { /** private static String NL contains the NewLine representation in Java*/ private static final String NL = "\n"; /** @@ -38,11 +42,12 @@ public class AuthenticationDataAssertionBuilder implements Constants { " " + NL + " {8}" + NL + " " + NL + - " " + NL + - " {9}" + NL + - " " + NL + + " " + NL + + " {9}" + NL + + " " + NL + "{10}" + - "{11}" + + "{11}" + + "{12}" + " " + NL + ""; /** @@ -54,10 +59,10 @@ public class AuthenticationDataAssertionBuilder implements Constants { " {0}" + NL + " " + NL; - private static final String SIGNER_CERTIFICATE_ATT = - " " + NL + - " {0}" + NL + - " " + NL; + private static final String SIGNER_CERTIFICATE_ATT = + " " + NL + + " {0}" + NL + + " " + NL; /** * Constructor for AuthenticationDataAssertionBuilder. @@ -92,7 +97,10 @@ public class AuthenticationDataAssertionBuilder implements Constants { String xmlIdentityLink, String bkuURL, String signerCertificateBase64, - boolean businessService) throws BuildException { + boolean businessService, + List extendedSAMLAttributes) + throws BuildException + { String isQualifiedCertificate = authData.isQualifiedCertificate() ? "true" : "false"; String publicAuthorityAttribute = ""; @@ -122,33 +130,27 @@ public class AuthenticationDataAssertionBuilder implements Constants { pkValue = authData.getBPK(); } - String assertion = MessageFormat.format(AUTH_DATA, new Object[] { - authData.getAssertionID(), - authData.getIssuer(), - authData.getIssueInstant(), - pkType, - pkValue, - removeXMLDeclaration(xmlAuthBlock), - removeXMLDeclaration(xmlIdentityLink), - removeXMLDeclaration(xmlPersonData), - isQualifiedCertificate, - bkuURL, - publicAuthorityAttribute, - signerCertificateAttribute}); + String assertion; + try { + assertion = MessageFormat.format(AUTH_DATA, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstant(), + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } catch (ParseException e) { + Logger.error("Error on building Authentication Data Assertion: " + e.getMessage()); + throw new BuildException("builder.00", new Object[] { "Authentication Data Assertion", e.toString()}); + } return assertion; } - - /** - * Removes the XML declaration from an XML expression. - * @param xmlString XML expression as String - * @return XML expression, XML declaration removed - */ - private String removeXMLDeclaration(String xmlString) { - if (xmlString.startsWith(""; /** special tag in the HTML template to be substituted for the certificate info data URL */ private static final String CERTINFO_DATAURL_TAG = ""; + /** special tag in the HTML template to be substituted for the infoboxes to be pushed from the BKU */ + private static final String PUSHINFOBOX_TAG = ""; /** private static int all contains the representation to replace all tags*/ private static final int ALL = -1; @@ -46,6 +48,9 @@ public class GetIdentityLinkFormBuilder extends Builder { " " + nl + + " " + nl + " " + nl + "" + nl + "
    " + " " + " " - + " //dsig:Signature" + + " " + DSIG + "Signature" + " " + " " // True bei CreateXMLSig Überprüfung +" " + " " @@ -160,7 +162,7 @@ public class VerifyXMLSignatureRequestBuilder { + " " + " " + " " - + " //dsig:Signature" + + " " + DSIG + "Signature" + " " + " " + " "; diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 74e31e45e..50d15007e 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -1,6 +1,7 @@ package at.gv.egovernment.moa.id.auth.data; import java.util.Date; +import java.util.List; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -12,6 +13,9 @@ import at.gv.egovernment.moa.util.Constants; * @version $Id$ */ public class AuthenticationSession { + + private static String TARGET_PREFIX_ = Constants.URN_PREFIX_CDID + "+"; + /** * session ID */ @@ -63,7 +67,22 @@ public class AuthenticationSession { */ private boolean businessService; - private static String TARGET_PREFIX_ = Constants.URN_PREFIX_CDID + "+"; + /** + * SAML attributes from an extended infobox validation to be appended + * to the SAML assertion delivered to the final online application. + */ + private List extendedSAMLAttributesOA; + + /** + * SAML attributes from an extended infobox validation to be appended + * to the SAML assertion of the AUTHBlock. + */ + private List extendedSAMLAttributesAUTH; + + /** + * The issuing time of the AUTH-Block SAML assertion. + */ + private String issueInstant; /** * Constructor for AuthenticationSession. @@ -273,4 +292,64 @@ public class AuthenticationSession { templateURL = string; } + /** + * Returns the SAML Attributes to be appended to the AUTHBlock. Maybe null. + * + * @return The SAML Attributes to be appended to the AUTHBlock. Maybe null. + */ + public List getExtendedSAMLAttributesAUTH() { + return extendedSAMLAttributesAUTH; + } + + /** + * Sets the SAML Attributes to be appended to the AUTHBlock. + * + * @param extendedSAMLAttributesAUTH The SAML Attributes to be appended to the AUTHBlock. + */ + public void setExtendedSAMLAttributesAUTH( + List extendedSAMLAttributesAUTH) { + this.extendedSAMLAttributesAUTH = extendedSAMLAttributesAUTH; + } + + /** + * Returns the SAML Attributes to be appended to the SAML assertion + * delivered to the online application. Maybe null. + * + * @return The SAML Attributes to be appended to the SAML assertion + * delivered to the online application + */ + public List getExtendedSAMLAttributesOA() { + return extendedSAMLAttributesOA; + } + + /** + * Sets the SAML Attributes to be appended to the SAML assertion + * delivered to the online application. + * + * @param extendedSAMLAttributesOA The SAML Attributes to be appended to the SAML + * assertion delivered to the online application. + */ + public void setExtendedSAMLAttributesOA( + List extendedSAMLAttributesOA) { + this.extendedSAMLAttributesOA = extendedSAMLAttributesOA; + } + + /** + * Returns the issuing time of the AUTH-Block SAML assertion. + * + * @return The issuing time of the AUTH-Block SAML assertion. + */ + public String getIssueInstant() { + return issueInstant; + } + + /** + * Sets the issuing time of the AUTH-Block SAML assertion. + * + * @param issueInstant The issueInstant to set. + */ + public void setIssueInstant(String issueInstant) { + this.issueInstant = issueInstant; + } + } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttribute.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttribute.java new file mode 100644 index 000000000..795079227 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttribute.java @@ -0,0 +1,73 @@ +package at.gv.egovernment.moa.id.auth.data; + +/** + * A SAML-Attribute to be appended to the final SAML-Assertion + * that will be passed to the online application. + */ +public interface ExtendedSAMLAttribute { + /** + * Add this attribute only to the SAML-Assertion + * passed to the online application, but not to + * the AUTH-Block. + */ + public final static int NOT_ADD_TO_AUTHBLOCK = 0; + /** + * Add this attribute to both, the AUTH-Block and the + * final SAML-Assertion passed to the online application. + */ + public final static int ADD_TO_AUTHBLOCK = 1; + /** + * Add this attribute to only the AUTH-Block, but not + * to the final SAML-Assertion passed to the online application. + */ + public final static int ADD_TO_AUTHBLOCK_ONLY = 2; + + /** + * The value of the SAML-Attribute. This must be either a + * org.w3c.Element or a java.lang.String + * object. Each other type will be ignored.
    + * If, for example, the type of the actual SAML-Attribute is a + * <xsd:boolean> the value must be either the String + * "true" or "false". + * Or the <xsd:integer> number 273 + * has to be the String "273". + * + * @return The value of the SAML-Attribute. Must not be null. + */ + public Object getValue(); + + /** + * The name of the SAML-Attribute. + * + * @return The name of the SAML-Attribute. Must not be null. + */ + public String getName(); + + /** + * The namespace of the SAML-Attribute. + * An application will use the context specific namespace URI for the attribute it returns. + * However, if the application cannot explicitely assign a namespace URI, the + * {@link at.gv.egovernment.moa.util.Constants#MOA_NS_URI default} MOA namespace URI + * should be used. + * + * @return The namespace of the SAML-Attribute. Must not be null. + */ + public String getNameSpace(); + + /** + * Specifies if this SAML-Attribute should be added to the AUTH-Block. + *
    + * Depending on the returned value, this SAML-Attribute should be only added to the + * final SAML-Assertion passed to the online application (0), to both, the final + * assertion and the AUTH-Block (1) or to the AUTH-Block only (2). + * + * @return
      + *
    • 0 - add this SAML-Attribute to the final SAML-Assertion only
    • + *
    • 1 - add this SAML-Attribute to both, the final SAML-Assertion and the + * AUTH-Block
    • + *
    • 2 - add this SAML-Attribute to the AUTH-Block only + *
    + */ + public int getAddToAUTHBlock(); + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttributeImpl.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttributeImpl.java new file mode 100644 index 000000000..9aedd86e6 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/ExtendedSAMLAttributeImpl.java @@ -0,0 +1,137 @@ +package at.gv.egovernment.moa.id.auth.data; + +/** + * This class contains SAML attributes to be appended to the SAML assertion delivered to + * the Online application. + * + * @author Harald Bratko + */ +public class ExtendedSAMLAttributeImpl implements ExtendedSAMLAttribute { + + /** + * The value of this SAML attribute. Must be either of type java.lang.String + * or org.w3c.Element. + */ + private Object value_; + + /** + * The name of this SAML attribute. + */ + private String name_; + + /** + * The namespace URI of this SAML attribute. + */ + private String namespace_; + + /** + * Specifies whether this SAML attribute should be appended to AUTH Block. + */ + private int addToAUTHBlock_; + + /** + * Sets this ExtendedSAMLAttribute. + * @param name The name of this SAML Attribute. + * @param value The value of this SAML Attribute. Must be either of type + * java.lang.String or org.w3c.dom.Element. + * @param namespace The namespace of this SAML Attribute. + * @param addToAUTHBlock Specifies if this SAML Attribute should be added to the AUTHBlock. + * The following values are allowed: + *
      + *
    • + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK} + *
    • + *
    • + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#NOT_ADD_TO_AUTHBLOCK} + *
    • + *
    • + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK_ONLY} + *
    • + *
    + * + */ + public ExtendedSAMLAttributeImpl(String name, Object value, String namespace, int addToAUTHBlock) { + name_ = name; + value_ = value; + namespace_ = namespace; + addToAUTHBlock_ = addToAUTHBlock; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#getValue() + */ + public Object getValue() { + return value_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#getName() + */ + public String getName() { + return name_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#getNameSpace() + */ + public String getNameSpace() { + return namespace_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#getAddToAUTHBlock() + */ + public int getAddToAUTHBlock() { + return addToAUTHBlock_; + } + + /** + * Specifies if this SAML Attribute should be added to the AUTHBlock. + * + * @param addToAUTHBlock One of the following values: + *
      + *
    • + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK} + *
    • + *
    • + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#NOT_ADD_TO_AUTHBLOCK} + *
    • + *
    • + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK_ONLY} + *
    • + *
    + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute#ADD_TO_AUTHBLOCK) + */ + public void setAddToAUTHBlock(int addToAUTHBlock) { + addToAUTHBlock_ = addToAUTHBlock; + } + + /** + * Sets the name of this SAML attribute. + * + * @param name The name of this SAML attribute. + */ + public void setName(String name) { + name_ = name; + } + + /** + * Sets the namespace of this SAML attribute. + * + * @param namespace The namespace to set. + */ + public void setNamespace(String namespace) { + namespace_ = namespace; + } + + /** + * Sets the value of this SAML attribute. + * + * @param value The value of this SAML Attribute. Must be either of type + * java.lang.String or org.w3c.dom.Element. + */ + public void setValue(Object value) { + value_ = value; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxToken.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxToken.java new file mode 100644 index 000000000..6b1f24aba --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxToken.java @@ -0,0 +1,65 @@ +package at.gv.egovernment.moa.id.auth.data; + +import org.w3c.dom.Element; + +/** + * Contains an infobox token included in an InfoboxReadResponse. + * Depending on whether the token is extracted from an XMLContent or a + * Base64Content it is either returned as DOM element + * ({@link #getXMLToken()}) or base64 encoded string ({@link #getBase64Token()}). + * + * @author Harald Bratko + */ +public interface InfoboxToken { + + /** + * The key of the corresponding infobox. + * This is the value of Key attribute of the <Pair> child + * element in an <AssocArrayData> content of an InfoboxReadResponse. + * Maybe null if the InfoboxReadResponse conatains BinaryFileData. + * + * + * @return The key identifier of the corresponding infobox. + */ + public String getKey(); + + /** + * Specifies if this token is the first token (e.g in an array of tokens) included in an + * InfoboxReadResponse. If true this token is the token to be + * validated by a corresponding + * {@link at.gv.egovernment.moa.id.auth.validator.InfoboxValidator InfoboxValidator}. + * If false this token maybe needed to validate the primary token. + * + * @return True if this token is the first token. + */ + public boolean isPrimary(); + + /** + * Returns the infobox token. + * Maybe null if the token is returned by method {@link #getBase64Token()} + * as base64 encoded string. + *
    + * Note that this token is not validated against the + * application specific schema (e.g. Mandates schema in the mandates context). + * Thus the validating application has to validate the token + * against the appropriate schema. + * + * @return The infobox token. If null the token is returned by method + * {@link #getBase64Token()} as base64 encoded string. + */ + public Element getXMLToken(); + + /** + * Returns the infobox token. + * Maybe null if the token is returned by method {@link #getXMLToken()} + * as a DOM element. + *
    + * Note, that the base64 encoded string actually may include more than one infobox + * elements. + * + * @return The infobox token. If null the token is returned by method + * {@link #getBase64Token()} as base64 encoded string. + */ + public String getBase64Token(); + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxTokenImpl.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxTokenImpl.java new file mode 100644 index 000000000..f1ff30a8a --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxTokenImpl.java @@ -0,0 +1,129 @@ +package at.gv.egovernment.moa.id.auth.data; + +import org.w3c.dom.Element; + +/** + * This class contains an infobox token. + * + * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken + * + * @author Harald Bratko + */ +public class InfoboxTokenImpl implements InfoboxToken { + + /** + * The key of the infobox token. + */ + private String key_; + + /** + * Specifies whether this token is the primary (first in an array) token. + */ + private boolean primary_; + + /** + * The infobox token. + */ + private Element xmlToken_; + + /** + * The base64 encoded infobox token. + */ + private String base64Token_; + + /** + * Sets an XML infobox token. + * + * @param key The key of the infobox token. + * @param primary True this token is the primary (e.g .first in an array) + * token, otherwise false + * @param xmlToken The infobox token. + */ + public InfoboxTokenImpl(String key, boolean primary, Element xmlToken) { + key_ = key; + primary_ = primary; + xmlToken_ = xmlToken; + base64Token_ = null; + } + + /** + * Sets a base64 encoded infobox token. + * + * @param key The key of the infobox token. + * @param primary True this token is the primary (e.g .first in an array) + * token, otherwise false + * @param base64Token The base64 encoded infobox token. + */ + public InfoboxTokenImpl(String key, boolean primary, String base64Token) { + key_ = key; + primary_ = primary; + base64Token_ = base64Token; + xmlToken_ = null; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken#getKey() + */ + public String getKey() { + return key_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken#isPrimary() + */ + public boolean isPrimary() { + return primary_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken#getXMLToken() + */ + public Element getXMLToken() { + return xmlToken_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxToken#getBase64Token() + */ + public String getBase64Token() { + return base64Token_; + } + + /** + * Sets the key of the infobox token. + * + * @param key The key of the infobox token. + */ + public void setKey(String key) { + key_ = key; + } + + /** + * Specifies whether this token is the primary (e.g. first in an array) token. + * + * @param primary True this token is the primary (e.g .first in an array) + * token, otherwise false. + */ + public void setPrimary(boolean primary) { + primary_ = primary; + } + + /** + * Sets the base64 encoded token. + * + * @param base64Token The base64 encoded token. + */ + public void setBase64Token(String base64Token) { + base64Token_ = base64Token; + } + + /** + * Sets the infobox token. + * + * @param xmlToken The infobox token. + */ + public void setXmlToken(Element xmlToken) { + xmlToken_ = xmlToken; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java new file mode 100644 index 000000000..26070dc51 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParams.java @@ -0,0 +1,159 @@ + +package at.gv.egovernment.moa.id.auth.data; + +import java.security.PublicKey; +import java.util.List; + +import org.w3c.dom.Element; + +/** + * Parameters for validating an infobox. + * + * This interface is used by MOA-ID to provide parameters to an + * {link at.gv.egovernment.moa.id.auth.validator.InfoboxValidator + * InfoboxValidator}. + * + * @author Harald Bratko + */ +public interface InfoboxValidatorParams { + + /** + * Returns a list of {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken} + * objects. The first token in this list is the one to be validated. Each further token + * maybe needed to validate this first token. + * + * @return A list of {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken} + * objects. + */ + public List getInfoboxTokenList(); + + /** + * Returns the ID of the trust profile to be used for validating + * certificates. Maybe ignored by a validator, if no certificates + * has to be validated. + * + * @return The ID of a trust profile. + */ + public String getTrustProfileID(); + + /** + * Returns schema location URIs that may be needed by the + * validator to parse infobox tokens. + * Each entry in the list is a {@link Schema} specifying the location + * of an XML schema. + * + * @return A list of {@link Schema} objects each of them specifying the + * location of an XML schema. + */ + public List getSchemaLocations(); + + /** + * Returns the URL of the BKU. + * Maybe needed by a validator. + * + * @return The url of the BKU. + */ + public String getBkuURL(); + + /** + * Returns the target parameter. + * null in the case of a business service. + * + * @return The target parameter. + */ + public String getTarget(); + + /** + * Returns true if the application is a business + * service, otherwise false. This may be useful + * for the validating application. + * + * @return True if the application is a business + * service, otherwise false + */ + public boolean getBusinessApplication(); + + /** + * Returns the family name from the identity link. + * Maybe needed by a validator. + * + * @return The family name from the identity link. + */ + public String getFamilyName(); + + /** + * Returns the given name from the identity link. + * Maybe needed by a validator. + * + * @return The given name from the identity link. + */ + public String getGivenName(); + + /** + * The date of birth from the identity link. + * The method returns the value of the + * element from the identity link. + * Maybe needed by a validator. + * + * @return The date of birth from the identity link. + */ + public String getDateOfBirth(); + + /** + * Returns he identification value from the identity + * link. This may be the Stammzahl + * in the case of a public application or the + * wbPK in the case of a business + * application. This parameter is only returned + * if specified within the config file. + * + * @return The identification value from the identity link. + */ + public String getIdentificationValue(); + + /** + * Returns the type of the identification value + * from the identity link. This may be + * especially of interest for business + * applications. + * + * @return The type of the identification value + * from the identity link. + */ + public String getIdentificationType(); + + /** + * Returns the public keys from the identity link. + * Maybe needed by the application. + * + * @return PublicKey[] The public keys from the + * identity link. + */ + public PublicKey[] getPublicKeys(); + + /** + * Returns the identity link. + * A validator may need other data from the identity link, than + * family name, given name, date of birth and identification value. + * The identity link element is only returned if specified within the + * config file. + * + * @return The identity link. + */ + public Element getIdentityLink(); + + /** + * Returns application specific parameters. + * Each child element of this element contains + * a validating application specific parameter. The + * element is passed as specified within the config + * file and its up to the implementing class to + * parse and interprete its children. + * + * @return Application specific parameters. + */ + public Element getApplicationSpecificParams(); + +} + + diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java new file mode 100644 index 000000000..46a67d48b --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/InfoboxValidatorParamsImpl.java @@ -0,0 +1,326 @@ +package at.gv.egovernment.moa.id.auth.data; + +import java.security.PublicKey; +import java.util.List; + +import org.w3c.dom.Element; + +/** + * Parameters for validating an infobox. + * + * This interface is used by MOA-ID to provide parameters to an + * {link at.gv.egovernment.moa.id.auth.validator.InfoboxValidator + * InfoboxValidator}. + * + * @author Harald Bratko + */ +public class InfoboxValidatorParamsImpl implements InfoboxValidatorParams { + + /** + * A list of {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken} objects. + * The first token in this list is the one to be validated. Each further token + * maybe needed to validate this first token. + */ + private List infoboxTokenList_; + + /** + * The ID of the trust profile used for validating certificates. + */ + private String trustProfileID_; + + /** + * The locations of schemas that maybe needed for validating infobox tokens. + */ + private List schemaLocations_; + + /** + * The URL of the BKU. + */ + private String bkuURL_; + + /** + * Specifies whether the current online application is a business or a public application. + */ + private boolean businessApplication_; + + /** + * The target parameter. + */ + private String target_; + + /** + * The family name from the identity link. + */ + private String familyName_; + + /** + * The given name from the identity link. + */ + private String givenName_; + + /** + * The date of birth from the identity link. + */ + private String dateOfBirth_; + + /** + * The date of identification value. + */ + private String identificationValue_; + + /** + * The identification type. + */ + private String identificationType_; + + /** + * The public keys from the identity link. + */ + private PublicKey[] publicKeys_; + + /** + * The identity link. + */ + private Element identityLink_; + + /** + * Application specific parameters. + */ + private Element applicationSpecificParams_; + + /** + * Empty constructor. + */ + public InfoboxValidatorParamsImpl() { + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getInfoboxTokenList() + */ + public List getInfoboxTokenList() { + return infoboxTokenList_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getTrustProfileID() + */ + public String getTrustProfileID() { + return trustProfileID_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getSchemaLocations() + */ + public List getSchemaLocations() { + return schemaLocations_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getBkuURL() + */ + public String getBkuURL() { + return bkuURL_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getTarget() + */ + public String getTarget() { + return target_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getBusinessApplication() + */ + public boolean getBusinessApplication() { + return businessApplication_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getFamilyName() + */ + public String getFamilyName() { + return familyName_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getGivenName() + */ + public String getGivenName() { + return givenName_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getDateOfBirth() + */ + public String getDateOfBirth() { + return dateOfBirth_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getIdentificationValue() + */ + public String getIdentificationValue() { + return identificationValue_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getIdentificationType() + */ + public String getIdentificationType() { + return identificationType_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getPublicKeys() + */ + public PublicKey[] getPublicKeys() { + return publicKeys_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getIdentityLink() + */ + public Element getIdentityLink() { + return identityLink_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams#getApplicationSpecificParams() + */ + public Element getApplicationSpecificParams() { + return applicationSpecificParams_; + } + + /** + * Sets the application specific parameters. + * + * @param applicationSpecificParams The application specific parameters to set. + */ + public void setApplicationSpecificParams(Element applicationSpecificParams) { + applicationSpecificParams_ = applicationSpecificParams; + } + + /** + * Sets the bku URL. + * + * @param bkuURL The bku URL to set. + */ + public void setBkuURL(String bkuURL) { + bkuURL_ = bkuURL; + } + + /** + * Sets the business application parameter. + * + * @param businessApplication The business application parameter to set. + * (True if the application is a business + * application, otherwies false). + */ + public void setBusinessApplication(boolean businessApplication) { + businessApplication_ = businessApplication; + } + + /** + * Sets the date of birth. + * + * @param dateOfBirth The date of birth. + */ + public void setDateOfBirth(String dateOfBirth) { + dateOfBirth_ = dateOfBirth; + } + + /** + * Sets the family name. + * + * @param familyName The family name. + */ + public void setFamilyName(String familyName) { + familyName_ = familyName; + } + + /** + * Sets the given name. + * + * @param givenName The given name. + */ + public void setGivenName(String givenName) { + givenName_ = givenName; + } + + /** + * Sets the identification type. + * + * @param identificationType The identification type. + */ + public void setIdentificationType(String identificationType) { + identificationType_ = identificationType; + } + + /** + * Sets the identification value. + * + * @param identificationValue The identification value. + */ + public void setIdentificationValue(String identificationValue) { + identificationValue_ = identificationValue; + } + + /** + * Sets the identity link. + * + * @param identityLink The identity link. + */ + public void setIdentityLink(Element identityLink) { + identityLink_ = identityLink; + } + + /** + * Sets the infobox token to be validated. + * + * @param infoboxTokenList A list {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken} + * objects. + */ + public void setInfoboxTokenList(List infoboxTokenList) { + infoboxTokenList_ = infoboxTokenList; + } + + /** + * Sets the public Keys. + * + * @param publicKeys The public keys. + */ + public void setPublicKeys(PublicKey[] publicKeys) { + publicKeys_ = publicKeys; + } + + /** + * Sets the schema locations. + * + * @param schemaLocations The schema locations. A list of + * {@link Schema} objects. + */ + public void setSchemaLocations(List schemaLocations) { + schemaLocations_ = schemaLocations; + } + + /** + * Sets the target. + * + * @param target The target. + */ + public void setTarget(String target) { + target_ = target; + } + + + /** + * Sets the ID of the trust profile used for validating certificates. + * + * @param trustProfileID the ID of the trust profile used for validating certificates. + */ + public void setTrustProfileID(String trustProfileID) { + trustProfileID_ = trustProfileID; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/Schema.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/Schema.java new file mode 100644 index 000000000..c113f16b8 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/Schema.java @@ -0,0 +1,26 @@ +package at.gv.egovernment.moa.id.auth.data; + +/** + * Specifies the location of a schema. + * + * @author Harald Bratko + */ +public interface Schema { + + /** + * The namespace URI of this schema. + * + * @return The namespace of this schema. + */ + public String getNamespace(); + + /** + * The location URI of this schema. + * Relative paths have to be interpreted relative to the + * location of the MOA-ID config file. + * + * @return The location URI of this schema. + */ + public String getSchemaLocation(); + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/SchemaImpl.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/SchemaImpl.java new file mode 100644 index 000000000..e6755b58c --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/SchemaImpl.java @@ -0,0 +1,63 @@ +package at.gv.egovernment.moa.id.auth.data; + +/** + * This class specifies the location of a schema. + * + * @author Harald Bratko + */ +public class SchemaImpl implements Schema { + + /** + * The namespace of this schema. + */ + private String namespace_; + + /** + * The location (URI) of this schema; + */ + private String schemaLocation_; + + /** + * Sets the namespace and schema location URIS of this schema. + * + * @param namespace The namespace URI of this schema. + * @param schemaLocation The location URI of this schema. + */ + public SchemaImpl(String namespace, String schemaLocation) { + namespace_ = namespace; + schemaLocation_ = schemaLocation; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.Schema#getNamespace() + */ + public String getNamespace() { + return namespace_; + } + + /** + * @see at.gv.egovernment.moa.id.auth.data.Schema#getSchemaLocation() + */ + public String getSchemaLocation() { + return schemaLocation_; + } + + /** + * Sets the namespace. + * + * @param namespace The namespace to set. + */ + public void setNamespace(String namespace) { + namespace_ = namespace; + } + + /** + * Sets the location URI of this schema. + * + * @param schemaLocation The schemaLocation to set. + */ + public void setSchemaLocation(String schemaLocation) { + schemaLocation_ = schemaLocation; + } + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java index eb7d76fda..6287c99dd 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/CreateXMLSignatureResponseParser.java @@ -137,11 +137,10 @@ public class CreateXMLSignatureResponseParser { String attrName = XPathUtils.getAttributeValue(samlAttr, "@AttributeName", ""); String attrNamespace = XPathUtils.getAttributeValue(samlAttr, "@AttributeNamespace", ""); Object attrValue; - if ("wbPK".equals(attrName)) { - Element attrValueElem = (Element)XPathUtils.selectSingleNode(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH); - attrValue = DOMUtils.getElementFromNodeList(attrValueElem.getChildNodes()); - } else { - attrValue = XPathUtils.getElementValue(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH, ""); + Element attrValueElem = (Element)XPathUtils.selectSingleNode(samlAttr, SAML_ATTRIBUTE_VALUE_XPATH); + attrValue = DOMUtils.getElementFromNodeList(attrValueElem.getChildNodes()); + if (attrValue == null) { + attrValue = attrValueElem.getFirstChild().getNodeValue(); } samlAttributes.add(new SAMLAttribute(attrName, attrNamespace, attrValue)); } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/ExtendedInfoboxReadResponseParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/ExtendedInfoboxReadResponseParser.java new file mode 100644 index 000000000..e493f07fb --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/ExtendedInfoboxReadResponseParser.java @@ -0,0 +1,157 @@ +package at.gv.egovernment.moa.id.auth.parser; + +import java.util.Iterator; +import java.util.List; +import java.util.Vector; + +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.id.ParseException; +import at.gv.egovernment.moa.id.auth.data.InfoboxToken; +import at.gv.egovernment.moa.id.auth.data.InfoboxTokenImpl; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DOMUtils; + +/** + * Parses and unmarshales InfoboxReadResponse. + * This parser is especially used for parsing additional responses (additional to that + * one containing the IdentityLink retuned from the BKU as an answer of + * a <PushInfobox> request. + */ +public class ExtendedInfoboxReadResponseParser { + + /** + * Hide default constructor. + */ + private ExtendedInfoboxReadResponseParser() { + } + + /** + * Parses and unmarshales the given infoboxReadResponse to a list of + * {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken} objects. + * The method parses the given infoboxReadResponse + * + * @param infoboxReadResponse The infobox read response to be unmarshaled. + * @param infoboxName The name of the infobox the reponse corresponds to. + * + * @return A list of {@link at.gv.egovernment.moa.id.auth.data.InfoboxToken InfoboxToken} + * objects. Maybe empty. + * + * @throws ParseException If an error occurs on parsing and unmarshaling the response. + */ + public static List parseInfoboxReadResponse(String infoboxReadResponse, String infoboxName) + throws ParseException + { + Element infoboxReadResponseElem = null; + try { + Document doc = + DOMUtils.parseDocument(infoboxReadResponse, true, Constants.ALL_SCHEMA_LOCATIONS, null); + infoboxReadResponseElem = doc.getDocumentElement(); + } catch (Exception e) { + Logger.error("InfoboxReadResponse for \"" + infoboxName + + "\"-infobox could not be parsed successfully: " + e.getMessage()); + throw new ParseException("parser.01", new Object[] {infoboxName + "-InfoboxReadResponse"}); + } + + Vector infoboxTokenList = new Vector(); + + if (infoboxReadResponseElem != null) { + // avoid using namespace URI or prefix, because it might change within the response + // (e.g.: sl11-namespace, some child sl10-namespace + List infoboxReadResponseChildren = DOMUtils.getChildElements(infoboxReadResponseElem); + String key = null; + boolean primary = true; + Element infoboxReadResponseChild = (Element)infoboxReadResponseChildren.get(0); + String infoboxReadResponseChildName = infoboxReadResponseChild.getLocalName(); + if (infoboxReadResponseChildName.equals("AssocArrayData")) { + // get the child elements from the element + List assocArrayPairs = DOMUtils.getChildElements(infoboxReadResponseChild); + Iterator assocArrayPairIt = assocArrayPairs.iterator(); + int pairCount = 0; + // step through the elemnts + while (assocArrayPairIt.hasNext()) { + Element assocArrayPair = (Element)assocArrayPairIt.next(); + // check if the element actually a "Pair" element and not only a "key" + if (assocArrayPair.getLocalName().equals("Key")) { + // do not accept only a Key + throw new ParseException("parser.07", new Object[] {infoboxName}); + } + key = assocArrayPair.getAttribute("Key"); + if (pairCount > 0) { + primary = false; + } + pairCount++; + infoboxTokenList.addAll(getTokenFromXMLOrBase64Content(assocArrayPair, infoboxName, key, primary)); + } + + } else if (infoboxReadResponseChildName.equals("BinaryFileData")) { + infoboxTokenList.addAll(getTokenFromXMLOrBase64Content(infoboxReadResponseChild, infoboxName, null, true)); + } + } + return infoboxTokenList; + } + + /** + * Unmarshales the <XMLContent> or + * <Base64Content> child of the given element to a list of + * infobox token. + * + * @param contentParent The elment including the <XMLContent> or + * <Base64Content> child to unmarshal the + * infobox token from. + * @param infoboxName The name of the infobox. + * @param key The key of an AssocArrayData-Pair. + * Maybe null. + * @param primary Specifies whether this token is the first (e.g. in an + * AssocArrayData) token. + * + * @return A infobox token list. + * + * @throws ParseException If the contentParent has no <XMLContent> + * or <Base64Content> child or the + * <XMLContent> is empty. + */ + public static List getTokenFromXMLOrBase64Content( + Element contentParent, + String infoboxName, + String key, + boolean primary) + throws ParseException + { + Vector tokenList = new Vector(); + // get the or + List content = DOMUtils.getChildElements(contentParent); + if (content.size() == 1) { + Element contentElem = (Element)content.get(0); + if (contentElem.getLocalName().equals("XMLContent")) { + List xmlContentChildren = DOMUtils.getChildElements(contentElem); + if (xmlContentChildren.size() == 0) { + throw new ParseException("parser.06", new Object[] {infoboxName, "Inhalt", "XMLContent"}); + } + int xmlCount = 0; + Iterator contentIt = xmlContentChildren.iterator(); + while (contentIt.hasNext()) { + Element xmlToken = (Element)contentIt.next(); + if (xmlCount > 0) { + primary = false; + } + InfoboxToken infoboxToken = new InfoboxTokenImpl(key, primary, xmlToken); + tokenList.add(infoboxToken); + xmlCount++; + } + } else { + String base64Token = contentElem.getFirstChild().getNodeValue(); + InfoboxToken infoboxToken = new InfoboxTokenImpl(key, primary, base64Token); + tokenList.add(infoboxToken); + } + } else { + throw new ParseException("parser.06", + new Object[] {infoboxName, "XMLContent oder Base64Content", contentParent.getLocalName()}); + } + return tokenList; + } + + +} diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java b/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java index 092bc68c9..9d8cff6f5 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java @@ -89,7 +89,7 @@ public class IdentityLinkAssertionParser { + "Identification"; /** Xpath expression to the Identification Value element */ - private static final String PERSON_IDENT_VALUE_XPATH = + public static final String PERSON_IDENT_VALUE_XPATH = PERSON_XPATH + "/" + PDATA diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java index 70e53d83e..96e8e6dd6 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java @@ -131,7 +131,7 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants { { // request is encoded as mulitpart/form-data FileItemFactory factory = new DiskFileItemFactory(); - ServletFileUpload upload = null;; + ServletFileUpload upload = null; upload = new ServletFileUpload(factory); List items = null; items = upload.parseRequest(req); diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java index 9d5c4b191..2134c1444 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java @@ -2,11 +2,14 @@ package at.gv.egovernment.moa.id.auth.servlet; import java.io.IOException; import java.io.OutputStream; +import java.util.Enumeration; import java.util.Map; +import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import org.apache.commons.fileupload.FileUploadException; @@ -75,29 +78,30 @@ public class VerifyIdentityLinkServlet extends AuthServlet { throw new IOException(e.getMessage()); } String sessionID = req.getParameter(PARAM_SESSIONID); - String infoboxReadResponse = (String)parameters.get(PARAM_XMLRESPONSE); - try { - String createXMLSignatureRequest = - AuthenticationServer.getInstance().verifyIdentityLink(sessionID, infoboxReadResponse); - AuthenticationSession session = AuthenticationServer.getSession(sessionID); - resp.setStatus(307); - String dataURL = new DataURLBuilder().buildDataURL( - session.getAuthURL(), AuthenticationServer.REQ_VERIFY_AUTH_BLOCK, sessionID); - resp.addHeader("Location", dataURL); - - //TODO test impact of explicit setting charset with older versions of BKUs (HotSign) - resp.setContentType("text/xml;charset=UTF-8"); + + try { + AuthenticationSession session = AuthenticationServer.getSession(sessionID); + + String createXMLSignatureRequest = + AuthenticationServer.getInstance().verifyIdentityLink(sessionID, parameters); + resp.setStatus(307); + String dataURL = new DataURLBuilder().buildDataURL( + session.getAuthURL(), AuthenticationServer.REQ_VERIFY_AUTH_BLOCK, sessionID); + resp.addHeader("Location", dataURL); + + //TODO test impact of explicit setting charset with older versions of BKUs (HotSign) + resp.setContentType("text/xml;charset=UTF-8"); OutputStream out = resp.getOutputStream(); out.write(createXMLSignatureRequest.getBytes("UTF-8")); - out.flush(); + out.flush(); out.close(); - Logger.debug("Finished POST VerifyIdentityLink"); - } - catch (MOAIDException ex) { - handleError(null, ex, req, resp); - } + Logger.debug("Finished POST VerifyIdentityLink"); + } + catch (MOAIDException ex) { + handleError(null, ex, req, resp); + } } } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java index 0bd45e3e9..444f706e4 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/IdentityLinkValidator.java @@ -153,7 +153,7 @@ public class IdentityLinkValidator implements Constants { //Check if dsig:Signature exists Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion,ROOT + DSIG + "Signature"); - if (dsigSignature==null) throw new ValidateException("validator.05", null); + if (dsigSignature==null) throw new ValidateException("validator.05", new Object[] {"in der Personenbindung"}); } } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java new file mode 100644 index 000000000..e17e03a20 --- /dev/null +++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/InfoboxValidator.java @@ -0,0 +1,71 @@ +package at.gv.egovernment.moa.id.auth.validator; + +import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams; +import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; + +/** + * Validates an InfoboxReadResponse. + * An implementing class has to validate the content of the InfoboxReadResponse + * according to the type specific rules and guidelines of the underlying + * application. + * If validation succeeds, the class may provide an array of + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute + * ExtendedSAMLAttributes}. Each of these SAML-Attributes will be either appended to the + * final SAML-Assertion passed to the online application or to the AUTH-Block, + * or to both. + *
    + * If validation fails the implementing class has to provide a short error message. + */ +public interface InfoboxValidator { + + /** + * This method validates an InfoboxReadResponse. + * The method validates the content of the passed infoboxReadResponse + * according to the type specific rules and guidelines of the underlying + * application. + *
    + * The method returns true if validation succeeds. In that case + * method {@link #getExtendedSamlAttributes()} may provide an array of + * {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute + * ExtendedSAMLAttributes} that should be appended to the final SAML-Assertion or the + * AUTH-Block or to both. + *
    + * The method returns false if validation fails. In that case + * method {@link #getErrorMessage()} has to provide a short error description. + * + * @param params {@link at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams + * Parameters} needed by the validator. + * + * @return True if validation succeeds, + * otherwise false. + * + * @throws ValidateException If an error occurs on validating the + * InfoboxReadResponse. + */ + public boolean validate (InfoboxValidatorParams params) + throws ValidateException; + + /** + * Returns an array of {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute + * ExtendedSAMLAttributes} that should be added to the SAML-Assertion + * provided to the online application. + * The SAML-Attributes in that array will be added to the final + * SAML-Assertion, the AUTH-Block, or both, exactly in the order as they are arranged + * in the array this method returns. + * + * @return An array of {@link at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute + * ExtendedSAMLAttributes} that should be added to the SAML-Assertion + * provided to the online application, the AUTH-Block, or both. If no attributes should + * be added this array maybe null or empty. + */ + public ExtendedSAMLAttribute[] getExtendedSamlAttributes(); + + /** + * A short error description that should be displayed by MOA-ID if + * validation of the InfoBoxReadResponse fails. + * + * @return An short error message if validation fails. + */ + public String getErrorMessage(); + +} -- cgit v1.2.3