From 9aed84d1b240ccb6c8e460c04dbeeca66d979dc9 Mon Sep 17 00:00:00 2001 From: "peter.danner" Date: Wed, 29 Nov 2006 20:57:05 +0000 Subject: binding support enhanced git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@731 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../moa/id/proxy/servlet/ProxyServlet.java | 83 ++++++++++++++++++---- 1 file changed, 71 insertions(+), 12 deletions(-) (limited to 'id.server/src') diff --git a/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java b/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java index ff0f3a171..3d5220419 100644 --- a/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java +++ b/id.server/src/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java @@ -64,6 +64,8 @@ public class ProxyServlet extends HttpServlet { /** Name of the Parameter for the SAMLArtifact */ private static final String PARAM_SAMLARTIFACT = "SAMLArtifact"; + /** Name of the Attribute for marking the session as authenticated*/ + private static final String ATT_AUTHDATAFETCHED = "AuthDataFetched"; /** Name of the Attribute for the PublicURLPrefix */ private static final String ATT_PUBLIC_URLPREFIX = "PublicURLPrefix"; /** Name of the Attribute for the RealURLPrefix */ @@ -174,7 +176,8 @@ public class ProxyServlet extends HttpServlet { } catch (ProxyException ex) { throw new ProxyException("proxy.14", new Object[] {ex.getMessage()}, ex); } - + session.setAttribute(ATT_AUTHDATAFETCHED, "true"); + // read configuration data ProxyConfigurationProvider proxyConf = ProxyConfigurationProvider.getInstance(); OAProxyParameter oaParam = proxyConf.getOnlineApplicationParameter(urlRequested); @@ -351,6 +354,7 @@ public class ProxyServlet extends HttpServlet { private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map loginHeaders, Map loginParameters, String publicURLPrefix, String realURLPrefix, SSLSocketFactory ssf, String binding) throws IOException { + String originBinding = binding; String browserUserID = ""; String browserPassword = ""; //URL url = new URL(realURLPrefix); @@ -371,10 +375,12 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map String plaintextcredentials = new String(bplaintextcredentials); browserUserID = plaintextcredentials.substring(0,plaintextcredentials.indexOf(":")); browserPassword = plaintextcredentials.substring(plaintextcredentials.indexOf(":")+1); - //Logger.debug("Analyzing authorization-header from browser: " + headerKeyValue + "gives UN:PW=" + browserUserID + ":" + browserPassword ); + //deactivate following line for security + //if (INTERNAL_DEBUG) Logger.debug("Analyzing authorization-header from browser: " + headerKeyValue + "gives UN:PW=" + browserUserID + ":" + browserPassword ); } if (headerKeyValue.substring(0,9).equalsIgnoreCase("Negotiate")) { - //Logger.debug("Analyzing authorization-header from browser: Found NTLM Aut.: " + headerKeyValue + "gives UN:PW=" + browserUserID + ":" + browserPassword ); + //deactivate following line for security + //if (INTERNAL_DEBUG) Logger.debug("Analyzing authorization-header from browser: Found NTLM Aut.: " + headerKeyValue + "gives UN:PW=" + browserUserID + ":" + browserPassword ); } } else @@ -390,10 +396,46 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map } } + // collect login headers, possibly overwriting headers from request String authorizationvalue=""; if (req.getSession().getAttribute(ATT_OA_AUTHORIZATION_HEADER)==null) { + if (OAConfiguration.BINDUNG_NOMATCH.equals(binding)) { + int loginTry = getLoginTry(req); + Logger.debug("Binding: mode = " + OAConfiguration.BINDUNG_NOMATCH + "(try #" + Integer.toString(loginTry) + ")"); + if (loginTry==1) { + binding = OAConfiguration.BINDUNG_FULL; + } else { + binding = OAConfiguration.BINDUNG_USERNAME; + } + } + + /* Soll auch bei anderen bindings zuerst ein passwort probiert werden können: + //if we have the first Login-Try and we have Binding to Username and a predefined Password we try this one first + // full binding will be covered by next block + if (loginTry==1 && !OAConfiguration.BINDUNG_FULL.equals(binding)) { + //1st try: if we have a password, try this one first + for (Iterator iter = loginHeaders.keySet().iterator(); iter.hasNext();) { + String headerKey = (String) iter.next(); + String headerKeyValue = (String) loginHeaders.get(headerKey); + if (isBasicAuthenticationHeader(headerKey, headerKeyValue)) { + String credentials = headerKeyValue.substring(6); + byte [] bplaintextcredentials = Base64Utils.decode(credentials, true); + String plaintextcredentials = new String(bplaintextcredentials); + String password = plaintextcredentials.substring(plaintextcredentials.indexOf(":")+1); + if (password!=null && !password.equals("")) { + Logger.debug("Binding: found predefined password. Trying full binding first"); + binding = OAConfiguration.BINDUNG_FULL; + break; + } + } + } + } + */ + + + //we have a connection with not having logged on if (loginHeaders != null && (browserPassword.length()!=0 || browserUserID.length()!=0 || OAConfiguration.BINDUNG_FULL.equals(binding))) { for (Iterator iter = loginHeaders.keySet().iterator(); iter.hasNext();) { @@ -402,7 +444,7 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map //customize loginheaders if necessary if (isBasicAuthenticationHeader(headerKey, headerKeyValue)) { - if ( OAConfiguration.BINDUNG_FULL.equals(binding)) { + if (OAConfiguration.BINDUNG_FULL.equals(binding)) { authorizationvalue = headerKeyValue; Logger.debug("Binding: full binding to user established"); } else { @@ -480,7 +522,8 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map String uid = plaintextcredentials.substring(0,plaintextcredentials.indexOf(":")); String pwd = plaintextcredentials.substring(plaintextcredentials.indexOf(":")+1); //Sollte AuthorizationInfo vom HTTPClient benutzt werden: cb.addBasicAuthorization(publicURLPrefix, uid, pwd); - //if (Logger.isDebugEnabled()) LogStr = LogStr + " >UserID:Password< >" + uid + ":" + pwd + "<"; + //deactivate following line for security + //if (INTERNAL_DEBUG && Logger.isDebugEnabled()) LogStr = LogStr + " >UserID:Password< >" + uid + ":" + pwd + "<"; } conn.setRequestProperty(headerKey, headerValue); if (INTERNAL_DEBUG) Logger.debug(LogStr); @@ -528,13 +571,13 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map } // connect + if (INTERNAL_DEBUG) Logger.debug("Connect Request"); conn.connect(); + if (INTERNAL_DEBUG) Logger.debug("Connect Response"); // check login tries if (conn.getResponseCode()==HttpURLConnection.HTTP_UNAUTHORIZED) { - String oa_loginTry = (String) req.getSession().getAttribute(ATT_OA_LOGINTRY); - int loginTry = 1; - if (oa_loginTry!=null) loginTry = Integer.parseInt(oa_loginTry)+1; + int loginTry = getLoginTry(req); req.getSession().setAttribute(ATT_OA_LOGINTRY, Integer.toString(loginTry)); if (loginTry > MAX_OA_LOGINTRY) { Logger.debug("Found 401 UNAUTHORIZED, maximum tries exceeded; leaving..."); @@ -545,7 +588,7 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map - if (conn.getResponseCode()==HttpURLConnection.HTTP_UNAUTHORIZED && OAConfiguration.BINDUNG_FULL.equals(binding)) { + if (conn.getResponseCode()==HttpURLConnection.HTTP_UNAUTHORIZED && OAConfiguration.BINDUNG_FULL.equals(originBinding)) { Logger.debug("Found 401 UNAUTHORIZED, leaving..."); cb.disconnect(conn); return conn.getResponseCode(); @@ -578,8 +621,11 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map // Überschrift im Browser-Passworteingabedialog setzen (sonst ist der reale host eingetragen) if (headerKey.equalsIgnoreCase("WWW-Authenticate") && headerValue.startsWith("Basic realm=\"")) { headerValue = "Basic realm=\"" + publicURLPrefix + "\""; - if (OAConfiguration.BINDUNG_USERNAME.equals(binding)) headerValue = "Basic realm=\"Bitte Passwort eingeben\""; - if (OAConfiguration.BINDUNG_NONE.equals(binding)) headerValue = "Basic realm=\"Bitte Benutzername und Passwort eingeben\""; + if (OAConfiguration.BINDUNG_USERNAME.equals(originBinding) || OAConfiguration.BINDUNG_NOMATCH.equals(originBinding)) { + headerValue = "Basic realm=\"Bitte Passwort eingeben\""; + } else if (OAConfiguration.BINDUNG_NONE.equals(originBinding)) { + headerValue = "Basic realm=\"Bitte Benutzername und Passwort eingeben\""; + } } String respHeader[] = new String[2]; if ((conn.getResponseCode()==HttpURLConnection.HTTP_UNAUTHORIZED) && headerKey.equalsIgnoreCase("content-length")) { @@ -590,7 +636,7 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map respHeader[0]= headerKey; respHeader[1]= headerValue; - if (!(OAConfiguration.BINDUNG_FULL.equals(binding) && OAConfiguration.LOGINTYPE_STATELESS.equals(loginType) && headerKey.equalsIgnoreCase("WWW-Authenticate") && headerValue.startsWith("Basic realm=\""))) { + if (!(OAConfiguration.BINDUNG_FULL.equals(originBinding) && OAConfiguration.LOGINTYPE_STATELESS.equals(loginType) && headerKey.equalsIgnoreCase("WWW-Authenticate") && headerValue.startsWith("Basic realm=\""))) { respHeaders.add(respHeader); if (INTERNAL_DEBUG) Logger.debug("Resp header " + headerKey + ": " + headerValue); } else { @@ -680,6 +726,19 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map return conn.getResponseCode(); } + +/** + * Gets the current amount of the login try at the online application + * + * @param req the HttpServletRequest + * @return the number off the current login try + */ +private int getLoginTry(HttpServletRequest req) { + String oa_loginTry = (String) req.getSession().getAttribute(ATT_OA_LOGINTRY); + int loginTry = 1; + if (oa_loginTry!=null) loginTry = Integer.parseInt(oa_loginTry)+1; + return loginTry; +} /** * Determines whether a HTTP header is a basic authentication header of the kind "Authorization: Basic ..." * -- cgit v1.2.3