From 0436de6184c1a95d463da52929e3bf60923d6e04 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 13 Dec 2021 09:23:09 +0100 Subject: update third-party libs and resolve API issues --- .../auth/pvp2/servlets/SLOBasicServlet.java | 433 +++++++++++---------- 1 file changed, 221 insertions(+), 212 deletions(-) (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java index c70d34d7e..a880e800b 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java @@ -62,217 +62,226 @@ import at.gv.egovernment.moa.util.MiscUtil; * */ public class SLOBasicServlet extends HttpServlet { - private static final long serialVersionUID = -4547240664871845098L; - private static final Logger log = LoggerFactory - .getLogger(SLOBasicServlet.class); - - private ConfigurationProvider config; - - public SLOBasicServlet() throws ConfigurationException { - config = ConfigurationProvider.getInstance(); - config.initializePVP2Login(); - } - - protected LogoutRequest createLogOutRequest(String nameID, String nameIDFormat, HttpServletRequest request) throws SLOException { - try { - LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class); - SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); - sloReq.setID(gen.generateIdentifier()); - sloReq.setIssueInstant(new DateTime()); - NameID name = SAML2Utils.createSAMLObject(NameID.class); - Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - - String serviceURL = config.getPublicUrlPreFix(request); - if (!serviceURL.endsWith("/")) - serviceURL = serviceURL + "/"; - name.setValue(serviceURL); - issuer.setValue(serviceURL); - issuer.setFormat(NameIDType.ENTITY); - sloReq.setIssuer(issuer); - - NameID userNameID = SAML2Utils.createSAMLObject(NameID.class); - sloReq.setNameID(userNameID); - userNameID.setFormat(nameIDFormat); - userNameID.setValue(nameID); - - return sloReq; - - } catch (NoSuchAlgorithmException e) { - log.warn("Single LogOut request createn FAILED. ", e); - throw new SLOException(); - - } - - } - - protected LogoutResponse processLogOutRequest(LogoutRequest sloReq, HttpServletRequest request) throws NoSuchAlgorithmException { - //check response destination - String serviceURL = config.getPublicUrlPreFix(request); - if (!serviceURL.endsWith("/")) - serviceURL = serviceURL + "/"; - - String responseDestination = sloReq.getDestination(); - if (MiscUtil.isEmpty(responseDestination) || - !responseDestination.startsWith(serviceURL)) { - log.warn("PVPResponse destination does not match requested destination"); - return createSLOResponse(sloReq, StatusCode.REQUESTER_URI, request); - } - - AuthenticationManager authManager = AuthenticationManager.getInstance(); - if (authManager.isActiveUser(sloReq.getNameID().getValue())) { - AuthenticatedUser authUser = authManager.getActiveUser(sloReq.getNameID().getValue()); - log.info("User " + authUser.getGivenName() + " " + authUser.getFamilyName() + " with nameID:" - + authUser.getNameID() + " get logged out by Single LogOut request."); - authManager.removeActiveUser(authUser); - HttpSession session = request.getSession(false); - if (session != null) - session.invalidate(); - return createSLOResponse(sloReq, StatusCode.SUCCESS_URI, request); - - } else { - log.debug("Single LogOut not possible! User with nameID:" + sloReq.getNameID().getValue() + " is not found."); - return createSLOResponse(sloReq, StatusCode.SUCCESS_URI, request); - - } - - } - - protected LogoutResponse createSLOResponse(LogoutRequest sloReq, String statusCodeURI, HttpServletRequest request) throws NoSuchAlgorithmException { - LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class); - SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); - sloResp.setID(gen.generateIdentifier()); - sloResp.setInResponseTo(sloReq.getID()); - sloResp.setIssueInstant(new DateTime()); - NameID name = SAML2Utils.createSAMLObject(NameID.class); - Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - - String serviceURL = config.getPublicUrlPreFix(request); - if (!serviceURL.endsWith("/")) - serviceURL = serviceURL + "/"; - name.setValue(serviceURL); - issuer.setValue(serviceURL); - issuer.setFormat(NameIDType.ENTITY); - sloResp.setIssuer(issuer); - - Status status = SAML2Utils.createSAMLObject(Status.class); - sloResp.setStatus(status); - StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); - statusCode.setValue(statusCodeURI); - status.setStatusCode(statusCode ); - - return sloResp; - } - - protected void validateLogOutResponse(LogoutResponse sloResp, String reqID, HttpServletRequest request, HttpServletResponse response) throws PVP2Exception { - //ckeck InResponseTo matchs requestID - if (MiscUtil.isEmpty(reqID)) { - log.info("NO Sigle LogOut request ID"); - throw new PVP2Exception("NO Sigle LogOut request ID"); - } - - if (!reqID.equals(sloResp.getInResponseTo())) { - log.warn("SLORequestID does not match SLO Response ID!"); - throw new PVP2Exception("SLORequestID does not match SLO Response ID!"); - - } - - //check response destination - String serviceURL = config.getPublicUrlPreFix(request); - if (!serviceURL.endsWith("/")) - serviceURL = serviceURL + "/"; - - String responseDestination = sloResp.getDestination(); - if (MiscUtil.isEmpty(responseDestination) || - !responseDestination.startsWith(serviceURL)) { - log.warn("PVPResponse destination does not match requested destination"); - throw new PVP2Exception("SLO response destination does not match requested destination"); - } - - request.getSession().invalidate(); - - if (sloResp.getStatus().getStatusCode().getValue().equals(StatusCode.PARTIAL_LOGOUT_URI)) { - log.warn("Single LogOut process is not completed."); - request.getSession().setAttribute(Constants.SESSION_SLOERROR, - LanguageHelper.getErrorString("webpages.slo.error", request)); - - - } else if (sloResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { - - if (sloResp.getStatus().getStatusCode().getStatusCode() != null && - !sloResp.getStatus().getStatusCode().getStatusCode().equals(StatusCode.PARTIAL_LOGOUT_URI)) { - log.info("Single LogOut process complete."); - request.getSession().setAttribute(Constants.SESSION_SLOSUCCESS, - LanguageHelper.getErrorString("webpages.slo.success", request)); - - } else { - log.warn("Single LogOut process is not completed."); - request.getSession().setAttribute(Constants.SESSION_SLOERROR, - LanguageHelper.getErrorString("webpages.slo.error", request)); - - } - - } else { - log.warn("Single LogOut response sends an unsupported statustype " + sloResp.getStatus().getStatusCode().getValue()); - request.getSession().setAttribute(Constants.SESSION_SLOERROR, - LanguageHelper.getErrorString("webpages.slo.error", request)); - - } - String redirectURL = serviceURL + Constants.SERVLET_LOGOUT; - redirectURL = response.encodeRedirectURL(redirectURL); - response.setContentType("text/html"); - response.setStatus(302); - response.addHeader("Location", redirectURL); - - } - - protected SingleLogoutService findIDPFrontChannelSLOService() throws - ConfigurationException, SLOException { - - String entityname = config.getPVP2IDPMetadataEntityName(); - if (MiscUtil.isEmpty(entityname)) { - log.info("No IDP EntityName configurated"); - throw new ConfigurationException("No IDP EntityName configurated"); - } - - //get IDP metadata from metadataprovider - HTTPMetadataProvider idpmetadata = config.getMetaDataProvier(); - try { - EntityDescriptor idpEntity = idpmetadata.getEntityDescriptor(entityname); - if (idpEntity == null) { - log.info("IDP EntityName is not found in IDP Metadata"); - throw new ConfigurationException("IDP EntityName is not found in IDP Metadata"); - - } - - //select authentication-service url from metadata - SingleLogoutService redirectEndpoint = null; - for (SingleLogoutService sss : - idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleLogoutServices()) { - - //Get the service address for the binding you wish to use - if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) - redirectEndpoint = sss; - - else if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI) && - redirectEndpoint == null) - redirectEndpoint = sss; - } - - if (redirectEndpoint == null) { - log.warn("Single LogOut FAILED: IDP implements no frontchannel SLO service."); - throw new SLOException("Single LogOut FAILED: IDP implements no frontchannel SLO service."); - } - - return redirectEndpoint; - } catch (MetadataProviderException e) { - log.info("IDP EntityName is not found in IDP Metadata", e); - throw new ConfigurationException("IDP EntityName is not found in IDP Metadata"); - - } - } - - protected ConfigurationProvider getConfig() { - return config; - } + private static final long serialVersionUID = -4547240664871845098L; + private static final Logger log = LoggerFactory + .getLogger(SLOBasicServlet.class); + + private final ConfigurationProvider config; + + public SLOBasicServlet() throws ConfigurationException { + config = ConfigurationProvider.getInstance(); + config.initializePVP2Login(); + } + + protected LogoutRequest createLogOutRequest(String nameID, String nameIDFormat, HttpServletRequest request) + throws SLOException { + try { + final LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class); + final SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); + sloReq.setID(gen.generateIdentifier()); + sloReq.setIssueInstant(new DateTime()); + final NameID name = SAML2Utils.createSAMLObject(NameID.class); + final Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); + + String serviceURL = config.getPublicUrlPreFix(request); + if (!serviceURL.endsWith("/")) { + serviceURL = serviceURL + "/"; + } + name.setValue(serviceURL); + issuer.setValue(serviceURL); + issuer.setFormat(NameIDType.ENTITY); + sloReq.setIssuer(issuer); + + final NameID userNameID = SAML2Utils.createSAMLObject(NameID.class); + sloReq.setNameID(userNameID); + userNameID.setFormat(nameIDFormat); + userNameID.setValue(nameID); + + return sloReq; + + } catch (final NoSuchAlgorithmException e) { + log.warn("Single LogOut request createn FAILED. ", e); + throw new SLOException(); + + } + + } + + protected LogoutResponse processLogOutRequest(LogoutRequest sloReq, HttpServletRequest request) + throws NoSuchAlgorithmException { + // check response destination + String serviceURL = config.getPublicUrlPreFix(request); + if (!serviceURL.endsWith("/")) { + serviceURL = serviceURL + "/"; + } + + final String responseDestination = sloReq.getDestination(); + if (MiscUtil.isEmpty(responseDestination) || + !responseDestination.startsWith(serviceURL)) { + log.warn("PVPResponse destination does not match requested destination"); + return createSLOResponse(sloReq, StatusCode.REQUESTER_URI, request); + } + + final AuthenticationManager authManager = AuthenticationManager.getInstance(); + if (authManager.isActiveUser(sloReq.getNameID().getValue())) { + final AuthenticatedUser authUser = authManager.getActiveUser(sloReq.getNameID().getValue()); + log.info("User " + authUser.getGivenName() + " " + authUser.getFamilyName() + " with nameID:" + + authUser.getNameID() + " get logged out by Single LogOut request."); + authManager.removeActiveUser(authUser); + final HttpSession session = request.getSession(false); + if (session != null) { + session.invalidate(); + } + return createSLOResponse(sloReq, StatusCode.SUCCESS_URI, request); + + } else { + log.debug("Single LogOut not possible! User with nameID:" + sloReq.getNameID().getValue() + + " is not found."); + return createSLOResponse(sloReq, StatusCode.SUCCESS_URI, request); + + } + + } + + protected LogoutResponse createSLOResponse(LogoutRequest sloReq, String statusCodeURI, + HttpServletRequest request) throws NoSuchAlgorithmException { + final LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class); + final SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); + sloResp.setID(gen.generateIdentifier()); + sloResp.setInResponseTo(sloReq.getID()); + sloResp.setIssueInstant(new DateTime()); + final NameID name = SAML2Utils.createSAMLObject(NameID.class); + final Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); + + String serviceURL = config.getPublicUrlPreFix(request); + if (!serviceURL.endsWith("/")) { + serviceURL = serviceURL + "/"; + } + name.setValue(serviceURL); + issuer.setValue(serviceURL); + issuer.setFormat(NameIDType.ENTITY); + sloResp.setIssuer(issuer); + + final Status status = SAML2Utils.createSAMLObject(Status.class); + sloResp.setStatus(status); + final StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); + statusCode.setValue(statusCodeURI); + status.setStatusCode(statusCode); + + return sloResp; + } + + protected void validateLogOutResponse(LogoutResponse sloResp, String reqID, HttpServletRequest request, + HttpServletResponse response) throws PVP2Exception { + // ckeck InResponseTo matchs requestID + if (MiscUtil.isEmpty(reqID)) { + log.info("NO Sigle LogOut request ID"); + throw new PVP2Exception("NO Sigle LogOut request ID"); + } + + if (!reqID.equals(sloResp.getInResponseTo())) { + log.warn("SLORequestID does not match SLO Response ID!"); + throw new PVP2Exception("SLORequestID does not match SLO Response ID!"); + + } + + // check response destination + String serviceURL = config.getPublicUrlPreFix(request); + if (!serviceURL.endsWith("/")) { + serviceURL = serviceURL + "/"; + } + + final String responseDestination = sloResp.getDestination(); + if (MiscUtil.isEmpty(responseDestination) || + !responseDestination.startsWith(serviceURL)) { + log.warn("PVPResponse destination does not match requested destination"); + throw new PVP2Exception("SLO response destination does not match requested destination"); + } + + request.getSession().invalidate(); + + if (sloResp.getStatus().getStatusCode().getValue().equals(StatusCode.PARTIAL_LOGOUT_URI)) { + log.warn("Single LogOut process is not completed."); + request.getSession().setAttribute(Constants.SESSION_SLOERROR, + LanguageHelper.getErrorString("webpages.slo.error", request)); + + } else if (sloResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { + + if (sloResp.getStatus().getStatusCode().getStatusCode() != null && + !sloResp.getStatus().getStatusCode().getStatusCode().equals(StatusCode.PARTIAL_LOGOUT_URI)) { + log.info("Single LogOut process complete."); + request.getSession().setAttribute(Constants.SESSION_SLOSUCCESS, + LanguageHelper.getErrorString("webpages.slo.success", request)); + + } else { + log.warn("Single LogOut process is not completed."); + request.getSession().setAttribute(Constants.SESSION_SLOERROR, + LanguageHelper.getErrorString("webpages.slo.error", request)); + + } + + } else { + log.warn("Single LogOut response sends an unsupported statustype " + sloResp.getStatus().getStatusCode() + .getValue()); + request.getSession().setAttribute(Constants.SESSION_SLOERROR, + LanguageHelper.getErrorString("webpages.slo.error", request)); + + } + String redirectURL = serviceURL + Constants.SERVLET_LOGOUT; + redirectURL = response.encodeRedirectURL(redirectURL); + response.setContentType("text/html"); + response.setStatus(302); + response.addHeader("Location", redirectURL); + + } + + protected SingleLogoutService findIDPFrontChannelSLOService() throws ConfigurationException, SLOException { + + final String entityname = config.getPVP2IDPMetadataEntityName(); + if (MiscUtil.isEmpty(entityname)) { + log.info("No IDP EntityName configurated"); + throw new ConfigurationException("No IDP EntityName configurated"); + } + + // get IDP metadata from metadataprovider + final HTTPMetadataProvider idpmetadata = config.getMetaDataProvier(); + try { + final EntityDescriptor idpEntity = idpmetadata.getEntityDescriptor(entityname); + if (idpEntity == null) { + log.info("IDP EntityName is not found in IDP Metadata"); + throw new ConfigurationException("IDP EntityName is not found in IDP Metadata"); + + } + + // select authentication-service url from metadata + SingleLogoutService redirectEndpoint = null; + for (final SingleLogoutService sss : idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS) + .getSingleLogoutServices()) { + + // Get the service address for the binding you wish to use + if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { + redirectEndpoint = sss; + } else if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI) && + redirectEndpoint == null) { + redirectEndpoint = sss; + } + } + + if (redirectEndpoint == null) { + log.warn("Single LogOut FAILED: IDP implements no frontchannel SLO service."); + throw new SLOException("Single LogOut FAILED: IDP implements no frontchannel SLO service."); + } + + return redirectEndpoint; + } catch (final MetadataProviderException e) { + log.info("IDP EntityName is not found in IDP Metadata", e); + throw new ConfigurationException("IDP EntityName is not found in IDP Metadata"); + + } + } + + protected ConfigurationProvider getConfig() { + return config; + } } -- cgit v1.2.3