From 0436de6184c1a95d463da52929e3bf60923d6e04 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 13 Dec 2021 09:23:09 +0100 Subject: update third-party libs and resolve API issues --- .../auth/pvp2/servlets/SLOFrontChannelServlet.java | 443 +++++++++++---------- 1 file changed, 226 insertions(+), 217 deletions(-) (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java index 274aa21bf..ac9d65cbf 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOFrontChannelServlet.java @@ -77,221 +77,230 @@ import at.gv.egovernment.moa.util.MiscUtil; */ public class SLOFrontChannelServlet extends SLOBasicServlet { - private static final long serialVersionUID = -6280199681356977759L; - private static final Logger log = LoggerFactory - .getLogger(SLOFrontChannelServlet.class); - - /** - * @throws ConfigurationException - */ - public SLOFrontChannelServlet() throws ConfigurationException { - super(); - } - - /** - * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse - * response) - */ - protected void doGet(HttpServletRequest request, - HttpServletResponse response) throws ServletException, IOException { - try { - if (MiscUtil.isNotEmpty(request.getParameter(Constants.REQUEST_USERSLO))) { - //process user initiated single logout process - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); - - if (authUserObj == null) { - log.warn("No user information found. Single Log-Out not possible"); - buildErrorMessage(request, response); - - } - - AuthenticatedUser authUser = (AuthenticatedUser) authUserObj; - - String nameIDFormat = authUser.getNameIDFormat(); - String nameID = authUser.getNameID(); - - //remove user - AuthenticationManager authManager = AuthenticationManager.getInstance(); - authManager.removeActiveUser(authUser); - - if (MiscUtil.isEmpty(nameID) || MiscUtil.isEmpty(nameIDFormat)) { - log.warn("No user information found. Single Log-Out not possible"); - buildErrorMessage(request, response); - - } else - log.info("Fount user information for user nameID: " + nameID - + " , nameIDFormat: " + nameIDFormat - + ". Build Single Log-Out request ..."); - - //build SLO request to IDP - LogoutRequest sloReq = createLogOutRequest(nameID, nameIDFormat, request); - - request.getSession().setAttribute(Constants.SESSION_PVP2REQUESTID, sloReq.getID()); - - //send message - sendMessage(request, response, sloReq, null); - - } else { - //process PVP 2.1 single logout process - HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( - new BasicParserPool()); - BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); - messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request)); - messageContext.setMetadataProvider(getConfig().getMetaDataProvier()); - - SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( - PVP2Utils.getTrustEngine(getConfig())); - SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule(); - BasicSecurityPolicy policy = new BasicSecurityPolicy(); - policy.getPolicyRules().add(signatureRule); - policy.getPolicyRules().add(signedRole); - SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( - policy); - messageContext.setSecurityPolicyResolver(resolver); - messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - - decode.decode(messageContext); - - signatureRule.evaluate(messageContext); - - - processMessage(request, response, - messageContext.getInboundMessage(), messageContext.getRelayState()); - - } - - } catch (SLOException e) { - log.error("Single LogOut processing error.", e); - buildErrorMessage(request, response); - - } catch (ConfigurationException e) { - log.error("Single LogOut processing error.", e); - buildErrorMessage(request, response); - - } catch (PVP2Exception e) { - log.error("Single LogOut processing error.", e); - buildErrorMessage(request, response); - - } catch (SecurityPolicyException e) { - log.error("Single LogOut processing error.", e); - buildErrorMessage(request, response); - - } catch (MessageDecodingException e) { - log.error("Single LogOut processing error.", e); - buildErrorMessage(request, response); - - } catch (SecurityException e) { - log.error("Single LogOut processing error.", e); - buildErrorMessage(request, response); - - } catch (NoSuchAlgorithmException e) { - log.error("Single LogOut processing error.", e); - buildErrorMessage(request, response); - - } - } - - /** - * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse - * response) - */ - protected void doPost(HttpServletRequest request, - HttpServletResponse response) throws ServletException, IOException { - try { - HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); - BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); - messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request)); - decode.decode(messageContext); - - PVP2Utils.validateSignature((SignableXMLObject) messageContext.getInboundMessage(), getConfig()); - - processMessage(request, response, - messageContext.getInboundMessage(), messageContext.getRelayState()); - - - } catch (MessageDecodingException e) { - log.error("Single LogOut processing error.", e); - buildErrorMessage(request, response); - - } catch (SecurityException e) { - log.error("Single LogOut processing error.", e); - buildErrorMessage(request, response); - - } catch (ValidationException e) { - log.error("Single LogOut processing error.", e); - buildErrorMessage(request, response); - - } catch (ConfigurationException e) { - log.error("Single LogOut processing error.", e); - buildErrorMessage(request, response); - - } catch (PVP2Exception e) { - log.error("Single LogOut processing error.", e); - buildErrorMessage(request, response); - - } catch (NoSuchAlgorithmException e) { - log.error("Single LogOut processing error.", e); - buildErrorMessage(request, response); - - } - } - - private void buildErrorMessage(HttpServletRequest request, HttpServletResponse response) { - - request.getSession().setAttribute(Constants.SESSION_SLOERROR, - LanguageHelper.getErrorString("webpages.slo.error", request)); - - //check response destination - String serviceURL = getConfig().getPublicUrlPreFix(request); - if (!serviceURL.endsWith("/")) - serviceURL = serviceURL + "/"; - - String redirectURL = serviceURL + Constants.SERVLET_LOGOUT; - redirectURL = response.encodeRedirectURL(redirectURL); - response.setContentType("text/html"); - response.setStatus(302); - response.addHeader("Location", redirectURL); - } - - private void processMessage(HttpServletRequest request, HttpServletResponse response, - XMLObject xmlObject, String relayState) throws ConfigurationException, PVP2Exception, NoSuchAlgorithmException { - if (xmlObject instanceof LogoutRequest) { - LogoutResponse sloResp = - processLogOutRequest((LogoutRequest) xmlObject, request); - sendMessage(request, response, sloResp, relayState); - - } else if (xmlObject instanceof LogoutResponse) { - LogoutResponse sloResp = (LogoutResponse) xmlObject; - - String reqID = (String) request.getSession().getAttribute(Constants.SESSION_PVP2REQUESTID); - request.getSession().setAttribute(Constants.SESSION_PVP2REQUESTID, null); - validateLogOutResponse(sloResp, reqID, request, response); - - } - } - - private void sendMessage(HttpServletRequest request, HttpServletResponse response, - RequestAbstractType sloReq, String relayState) throws ConfigurationException, PVP2Exception { - SingleLogoutService sloService = findIDPFrontChannelSLOService(); - sloReq.setDestination(sloService.getLocation()); - sendMessage(request, response, sloReq, sloService, relayState); - } - - private void sendMessage(HttpServletRequest request, HttpServletResponse response, - StatusResponseType sloReq, String relayState) throws ConfigurationException, PVP2Exception { - SingleLogoutService sloService = findIDPFrontChannelSLOService(); - sloReq.setDestination(sloService.getLocation()); - sendMessage(request, response, sloReq, sloService, relayState); - } - - private void sendMessage(HttpServletRequest request, HttpServletResponse response, - SignableSAMLObject sloReq, SingleLogoutService sloService, String relayState) throws ConfigurationException, PVP2Exception { - X509Credential authcredential = PVP2Utils.signMessage((AbstractSignableXMLObject) sloReq, getConfig()); - if (sloService.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) - PVP2Utils.postBindingEncoder(request, response, sloReq, authcredential, sloService.getLocation(), relayState); - - else if (sloService.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) - PVP2Utils.redirectBindingEncoder(request, response, sloReq, authcredential, sloService.getLocation(), relayState); - } - + private static final long serialVersionUID = -6280199681356977759L; + private static final Logger log = LoggerFactory + .getLogger(SLOFrontChannelServlet.class); + + /** + * @throws ConfigurationException + */ + public SLOFrontChannelServlet() throws ConfigurationException { + super(); + } + + /** + * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse + * response) + */ + @Override + protected void doGet(HttpServletRequest request, + HttpServletResponse response) throws ServletException, IOException { + try { + if (MiscUtil.isNotEmpty(request.getParameter(Constants.REQUEST_USERSLO))) { + // process user initiated single logout process + final Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj == null) { + log.warn("No user information found. Single Log-Out not possible"); + buildErrorMessage(request, response); + + } + + final AuthenticatedUser authUser = (AuthenticatedUser) authUserObj; + + final String nameIDFormat = authUser.getNameIDFormat(); + final String nameID = authUser.getNameID(); + + // remove user + final AuthenticationManager authManager = AuthenticationManager.getInstance(); + authManager.removeActiveUser(authUser); + + if (MiscUtil.isEmpty(nameID) || MiscUtil.isEmpty(nameIDFormat)) { + log.warn("No user information found. Single Log-Out not possible"); + buildErrorMessage(request, response); + + } else { + log.info("Fount user information for user nameID: " + nameID + + " , nameIDFormat: " + nameIDFormat + + ". Build Single Log-Out request ..."); + } + + // build SLO request to IDP + final LogoutRequest sloReq = createLogOutRequest(nameID, nameIDFormat, request); + + request.getSession().setAttribute(Constants.SESSION_PVP2REQUESTID, sloReq.getID()); + + // send message + sendMessage(request, response, sloReq, null); + + } else { + // process PVP 2.1 single logout process + final HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( + new BasicParserPool()); + final BasicSAMLMessageContext messageContext = + new BasicSAMLMessageContext<>(); + messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request)); + messageContext.setMetadataProvider(getConfig().getMetaDataProvier()); + + final SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( + PVP2Utils.getTrustEngine(getConfig())); + final SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule(); + final BasicSecurityPolicy policy = new BasicSecurityPolicy(); + policy.getPolicyRules().add(signatureRule); + policy.getPolicyRules().add(signedRole); + final SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( + policy); + messageContext.setSecurityPolicyResolver(resolver); + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + + decode.decode(messageContext); + + signatureRule.evaluate(messageContext); + + processMessage(request, response, + messageContext.getInboundMessage(), messageContext.getRelayState()); + + } + + } catch (final SLOException e) { + log.error("Single LogOut processing error.", e); + buildErrorMessage(request, response); + + } catch (final ConfigurationException e) { + log.error("Single LogOut processing error.", e); + buildErrorMessage(request, response); + + } catch (final PVP2Exception e) { + log.error("Single LogOut processing error.", e); + buildErrorMessage(request, response); + + } catch (final SecurityPolicyException e) { + log.error("Single LogOut processing error.", e); + buildErrorMessage(request, response); + + } catch (final MessageDecodingException e) { + log.error("Single LogOut processing error.", e); + buildErrorMessage(request, response); + + } catch (final SecurityException e) { + log.error("Single LogOut processing error.", e); + buildErrorMessage(request, response); + + } catch (final NoSuchAlgorithmException e) { + log.error("Single LogOut processing error.", e); + buildErrorMessage(request, response); + + } + } + + /** + * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse + * response) + */ + @Override + protected void doPost(HttpServletRequest request, + HttpServletResponse response) throws ServletException, IOException { + try { + final HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); + final BasicSAMLMessageContext messageContext = + new BasicSAMLMessageContext<>(); + messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request)); + decode.decode(messageContext); + + PVP2Utils.validateSignature((SignableXMLObject) messageContext.getInboundMessage(), getConfig()); + + processMessage(request, response, + messageContext.getInboundMessage(), messageContext.getRelayState()); + + } catch (final MessageDecodingException e) { + log.error("Single LogOut processing error.", e); + buildErrorMessage(request, response); + + } catch (final SecurityException e) { + log.error("Single LogOut processing error.", e); + buildErrorMessage(request, response); + + } catch (final ValidationException e) { + log.error("Single LogOut processing error.", e); + buildErrorMessage(request, response); + + } catch (final ConfigurationException e) { + log.error("Single LogOut processing error.", e); + buildErrorMessage(request, response); + + } catch (final PVP2Exception e) { + log.error("Single LogOut processing error.", e); + buildErrorMessage(request, response); + + } catch (final NoSuchAlgorithmException e) { + log.error("Single LogOut processing error.", e); + buildErrorMessage(request, response); + + } + } + + private void buildErrorMessage(HttpServletRequest request, HttpServletResponse response) { + + request.getSession().setAttribute(Constants.SESSION_SLOERROR, + LanguageHelper.getErrorString("webpages.slo.error", request)); + + // check response destination + String serviceURL = getConfig().getPublicUrlPreFix(request); + if (!serviceURL.endsWith("/")) { + serviceURL = serviceURL + "/"; + } + + String redirectURL = serviceURL + Constants.SERVLET_LOGOUT; + redirectURL = response.encodeRedirectURL(redirectURL); + response.setContentType("text/html"); + response.setStatus(302); + response.addHeader("Location", redirectURL); + } + + private void processMessage(HttpServletRequest request, HttpServletResponse response, + XMLObject xmlObject, String relayState) throws ConfigurationException, PVP2Exception, + NoSuchAlgorithmException { + if (xmlObject instanceof LogoutRequest) { + final LogoutResponse sloResp = + processLogOutRequest((LogoutRequest) xmlObject, request); + sendMessage(request, response, sloResp, relayState); + + } else if (xmlObject instanceof LogoutResponse) { + final LogoutResponse sloResp = (LogoutResponse) xmlObject; + + final String reqID = (String) request.getSession().getAttribute(Constants.SESSION_PVP2REQUESTID); + request.getSession().setAttribute(Constants.SESSION_PVP2REQUESTID, null); + validateLogOutResponse(sloResp, reqID, request, response); + + } + } + + private void sendMessage(HttpServletRequest request, HttpServletResponse response, + RequestAbstractType sloReq, String relayState) throws ConfigurationException, PVP2Exception { + final SingleLogoutService sloService = findIDPFrontChannelSLOService(); + sloReq.setDestination(sloService.getLocation()); + sendMessage(request, response, sloReq, sloService, relayState); + } + + private void sendMessage(HttpServletRequest request, HttpServletResponse response, + StatusResponseType sloReq, String relayState) throws ConfigurationException, PVP2Exception { + final SingleLogoutService sloService = findIDPFrontChannelSLOService(); + sloReq.setDestination(sloService.getLocation()); + sendMessage(request, response, sloReq, sloService, relayState); + } + + private void sendMessage(HttpServletRequest request, HttpServletResponse response, + SignableSAMLObject sloReq, SingleLogoutService sloService, String relayState) + throws ConfigurationException, PVP2Exception { + final X509Credential authcredential = PVP2Utils.signMessage((AbstractSignableXMLObject) sloReq, + getConfig()); + if (sloService.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { + PVP2Utils.postBindingEncoder(request, response, sloReq, authcredential, sloService.getLocation(), + relayState); + } else if (sloService.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { + PVP2Utils.redirectBindingEncoder(request, response, sloReq, authcredential, sloService.getLocation(), + relayState); + } + } + } -- cgit v1.2.3