From c034f4156169801d44308e8e505bb9c7e0cc33fb Mon Sep 17 00:00:00 2001 From: "peter.danner" Date: Fri, 2 Feb 2007 00:48:51 +0000 Subject: HPI Identifikation als Alternative zu wbPK im businessService-Modus git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@805 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../moa/id/auth/AuthenticationServer.java | 3 +- .../AuthenticationBlockAssertionBuilder.java | 19 ++-- .../moa/id/auth/data/AuthenticationSession.java | 30 +++++- .../CreateXMLSignatureResponseValidator.java | 111 +++++++++++---------- .../moa/id/config/ConfigurationBuilder.java | 9 +- 5 files changed, 111 insertions(+), 61 deletions(-) (limited to 'id.server/src/at') diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index cd4b26df3..2baa172f1 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -493,7 +493,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { identificationType, oaURL, gebDat, - extendedSAMLAttributes); + extendedSAMLAttributes, + session); return authBlock; } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index ef50acb3f..4493333c2 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -5,6 +5,7 @@ import java.util.List; import at.gv.egovernment.moa.id.BuildException; import at.gv.egovernment.moa.id.ParseException; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -100,19 +101,25 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion String identityLinkType, String oaURL, String gebDat, - List extendedSAMLAttributes) + List extendedSAMLAttributes, + AuthenticationSession session) throws BuildException { - + session.setSAMLAttributeGebeORwbpk(true); String gebeORwbpk = ""; String wbpkNSDeclaration = ""; if (target == null) { // OA is a business application - gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; + if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) { + // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator + gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); + wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; + } else { + // We do not have a wbPK, therefore no SAML-Attribute is provided + session.setSAMLAttributeGebeORwbpk(false); + } } else { - gebeORwbpk = MessageFormat.format( - GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); + gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); } String assertion; diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 50d15007e..12d29ba82 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -66,13 +66,19 @@ public class AuthenticationSession { * service or not */ private boolean businessService; - + /** * SAML attributes from an extended infobox validation to be appended * to the SAML assertion delivered to the final online application. */ private List extendedSAMLAttributesOA; + /** + * The boolean value for either a target or a wbPK is provided as + * SAML Attribute in the SAML Assertion or not. + */ + private boolean samlAttributeGebeORwbpk; + /** * SAML attributes from an extended infobox validation to be appended * to the SAML assertion of the AUTHBlock. @@ -334,6 +340,28 @@ public class AuthenticationSession { this.extendedSAMLAttributesOA = extendedSAMLAttributesOA; } + /** + * Returns the boolean value for either a target or a wbPK is + * provided as SAML Attribute in the SAML Assertion or not. + * + * @return true either a target or a wbPK is provided as SAML Attribute + * in the SAML Assertion or false if not. + */ + public boolean getSAMLAttributeGebeORwbpk() { + return this.samlAttributeGebeORwbpk; + } + + /** + * Sets the boolean value for either a target or a wbPK is + * provided as SAML Attribute in the SAML Assertion or not. + * + * @param samlAttributeGebeORwbpk The boolean for value either a target or + * wbPK is provided as SAML Attribute in the SAML Assertion or not. + */ + public void setSAMLAttributeGebeORwbpk(boolean samlAttributeGebeORwbpk) { + this.samlAttributeGebeORwbpk = samlAttributeGebeORwbpk; + } + /** * Returns the issuing time of the AUTH-Block SAML assertion. * diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 78f62de50..efb33ea59 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -87,6 +87,7 @@ public class CreateXMLSignatureResponseValidator { boolean foundOA = false; boolean foundGB = false; boolean foundWBPK = false; + int offset = 0; // check number of SAML aatributes List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); @@ -96,6 +97,7 @@ public class CreateXMLSignatureResponseValidator { } int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum; + if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--; int actualSAMLAttributeNumber = samlAttributes.length; if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) { Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + @@ -105,58 +107,63 @@ public class CreateXMLSignatureResponseValidator { new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)}); } - // check the first attribute ("Geschaeftsbereich" or "wbPK") - SAMLAttribute samlAttribute = samlAttributes[0]; - if (businessService) { - if (!samlAttribute.getName().equals("wbPK")) { - if (samlAttribute.getName().equals("Geschaeftsbereich")) { - throw new ValidateException("validator.26", null); - } else { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)}); - } - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundWBPK = true; - try { - Element attrValue = (Element)samlAttribute.getValue(); - String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); - String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); - if (!value.equals(identityLink.getIdentificationValue())) { - throw new ValidateException("validator.28", null); - } - if (!type.equals(identityLink.getIdentificationType())) { - throw new ValidateException("validator.28", null); - } - } catch (Exception ex) { - throw new ValidateException("validator.29", null); - } - } else { - throw new ValidateException("validator.30", null); - } + SAMLAttribute samlAttribute; + if (session.getSAMLAttributeGebeORwbpk()) { + // check the first attribute ("Geschaeftsbereich" or "wbPK") + samlAttribute = samlAttributes[0]; + if (businessService) { + if (!samlAttribute.getName().equals("wbPK")) { + if (samlAttribute.getName().equals("Geschaeftsbereich")) { + throw new ValidateException("validator.26", null); + } else { + throw new ValidateException( + "validator.37", + new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)}); + } + } + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundWBPK = true; + try { + Element attrValue = (Element)samlAttribute.getValue(); + String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); + String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); + if (!value.equals(identityLink.getIdentificationValue())) { + throw new ValidateException("validator.28", null); + } + if (!type.equals(identityLink.getIdentificationType())) { + throw new ValidateException("validator.28", null); + } + } catch (Exception ex) { + throw new ValidateException("validator.29", null); + } + } else { + throw new ValidateException("validator.30", null); + } + } else { + if (!samlAttribute.getName().equals("Geschaeftsbereich")) { + if (samlAttribute.getName().equals("wbPK")) { + throw new ValidateException("validator.26", null); + } else { + throw new ValidateException( + "validator.37", + new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)}); + } + } + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundGB = true; + if (!gbTarget.equals((String)samlAttribute.getValue())) { + throw new ValidateException("validator.13", null); + } + } else { + throw new ValidateException("validator.12", null); + } + } } else { - if (!samlAttribute.getName().equals("Geschaeftsbereich")) { - if (samlAttribute.getName().equals("wbPK")) { - throw new ValidateException("validator.26", null); - } else { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)}); - } - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundGB = true; - if (!gbTarget.equals((String)samlAttribute.getValue())) { - throw new ValidateException("validator.13", null); - } - } else { - throw new ValidateException("validator.12", null); - } + offset--; } - + // check the second attribute (must be "OA") - samlAttribute = samlAttributes[1]; + samlAttribute = samlAttributes[1 + offset]; if (!samlAttribute.getName().equals("OA")) { throw new ValidateException( "validator.37", @@ -172,7 +179,7 @@ public class CreateXMLSignatureResponseValidator { } // check the third attribute (must be "Geburtsdatum") - samlAttribute = samlAttributes[2]; + samlAttribute = samlAttributes[2 + offset]; if (!samlAttribute.getName().equals("Geburtsdatum")) { throw new ValidateException( "validator.37", @@ -189,7 +196,7 @@ public class CreateXMLSignatureResponseValidator { } // now check the extended SAML attributes - int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES; + int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset; if (extendedSAMLAttributes != null) { Iterator it = extendedSAMLAttributes.iterator(); while (it.hasNext()) { @@ -250,7 +257,7 @@ public class CreateXMLSignatureResponseValidator { if (!foundOA) throw new ValidateException("validator.14", null); if (businessService) { - if (!foundWBPK) throw new ValidateException("validator.31", null); + if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) throw new ValidateException("validator.31", null); } else { if (!foundGB) throw new ValidateException("validator.11", null); } diff --git a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java index ebb29c26d..43c018e76 100644 --- a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java @@ -472,7 +472,14 @@ public class ConfigurationBuilder { Logger.error("Missing \"IdentificationNumber\" for OA of type \"businessService\""); throw new ConfigurationException("config.02", null); } - oap.setIdentityLinkDomainIdentifier(buildIdentityLinkDomainIdentifier(identificationNumberChild)); + if ("false".equalsIgnoreCase(oAElem.getAttribute("calculateHPI"))) { + oap.setIdentityLinkDomainIdentifier(buildIdentityLinkDomainIdentifier(identificationNumberChild)); + } else { + // If we have business service and want to dealt with GDA, the security layer can be advised to calulate + // the Health Professional Identifier HPI instead of the wbPK + Logger.info("OA uses HPI for Identification"); + oap.setIdentityLinkDomainIdentifier(Constants.URN_PREFIX_HPI); + } // if OA type is "businessSErvice" set slVersion to 1.2 and ignore parameter in config file Logger.info("OA type is \"businessService\"; setting Security Layer version to 1.2"); -- cgit v1.2.3