From 3546cafb4942247edf298996186fcdfa32eb9954 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 17 Dec 2013 08:33:18 +0100 Subject: First version for testing -> Exthex OAuth implementation --- .../moa/id/configuration/Constants.java | 1 + .../id/configuration/data/oa/OAOAuth20Config.java | 82 ++++ .../configuration/struts/action/EditOAAction.java | 500 ++++++++++----------- .../validation/oa/OAOAUTH20ConfigValidation.java | 33 ++ 4 files changed, 363 insertions(+), 253 deletions(-) create mode 100644 id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAOAuth20Config.java create mode 100644 id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAOAUTH20ConfigValidation.java (limited to 'id/ConfigWebTool/src/main/java/at') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java index 9dc49bba8..536cc0522 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java @@ -23,6 +23,7 @@ public class Constants { public static final String SESSION_PVP2REQUESTID = "pvp2requestid"; public static final String SESSION_RETURNAREA = "returnarea"; public static final String SESSION_BKUFORMPREVIEW = "bkuformpreview"; + public static final String SESSION_OAUTH20SECRET = "oauth20secret"; public static enum STRUTS_RETURNAREA_VALUES {adminRequestsInit, main, usermanagementInit}; diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAOAuth20Config.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAOAuth20Config.java new file mode 100644 index 000000000..b153e02a8 --- /dev/null +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAOAuth20Config.java 
@@ -0,0 +1,82 @@
+package at.gv.egovernment.moa.id.configuration.data.oa;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.UUID;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.log4j.Logger;
+
+import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA;
+import at.gv.egovernment.moa.id.commons.db.dao.config.OAOAUTH20;
+import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
+import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util;
+
+public class OAOAuth20Config {
+
+ private final Logger log = Logger.getLogger(OAOAuth20Config.class);
+
+ private String clientId = null;
+ private String clientSecret = null;
+ private String redirectUri = null;
+
+ public OAOAuth20Config() {
+ }
+
+ public List parse(OnlineApplication dbOAConfig) {
+ List errors = new ArrayList();
+
+ AuthComponentOA authdata = dbOAConfig.getAuthComponentOA();
+ if (authdata != null) {
+ OAOAUTH20 config = authdata.getOAOAUTH20();
+ // set client id to public url prefix
+ this.clientId = dbOAConfig.getPublicURLPrefix();
+
+ // validate secret
+ if (StringUtils.isNotEmpty(config.getOAuthClientSecret())) {
+ this.clientSecret = config.getOAuthClientSecret();
+ } else {
+ this.generateClientSecret();
+ }
+
+ // validate redirectUri
+ if (StringUtils.isNotEmpty(config.getOAuthRedirectUri()) && OAuth20Util.isUrl(config.getOAuthRedirectUri())) {
+ this.redirectUri = config.getOAuthRedirectUri();
+ } else {
+ errors.add(LanguageHelper.getErrorString("error.oa.oauth.redirecturi"));
+ }
+ }
+
+ return errors;
+ }
+
+ public String getClientId() {
+ return clientId;
+ }
+
+ public void setClientId(String clientId) {
+ this.clientId = clientId;
+ }
+
+ public String getClientSecret() {
+ return clientSecret;
+ }
+
+ public void setClientSecret(String clientSecret) {
+ this.clientSecret = clientSecret;
+ }
+
+ public String getRedirectUri() {
+ return redirectUri;
+ }
+ + public void setRedirectUri(String redirectUri) { + this.redirectUri = redirectUri; + } + + public void generateClientSecret() { + this.clientSecret = UUID.randomUUID().toString(); + } + +} diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java index 04b4da19a..fc66eede4 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java @@ -19,7 +19,6 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; -import org.apache.commons.lang.StringUtils; import org.apache.log4j.Logger; import org.apache.struts2.interceptor.ServletRequestAware; import org.apache.struts2.interceptor.ServletResponseAware; @@ -35,6 +34,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.IdentificationNumber; import at.gv.egovernment.moa.id.commons.db.dao.config.MOAIDConfiguration; import at.gv.egovernment.moa.id.commons.db.dao.config.MOAKeyBoxSelector; import at.gv.egovernment.moa.id.commons.db.dao.config.Mandates; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAOAUTH20; import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1; import at.gv.egovernment.moa.id.commons.db.dao.config.OASSO; 
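Review bot: In the new OAOAuth20Config.parse(), `config` is dereferenced without a null check: `authdata.getOAOAUTH20()` feeds straight into `config.getOAuthClientSecret()`, so an application whose AuthComponentOA carries no OAuth entry (for instance one saved before this change, if the getter can return null) would throw a NullPointerException when it is opened in the editor. A guard such as `if (config == null) { generateClientSecret(); return errors; }` right after the lookup avoids that. Separately, generateClientSecret() builds the client credential from `UUID.randomUUID().toString()`; a secret drawn from `java.security.SecureRandom` (for example 32 random bytes, hex- or base64url-encoded) is the better fit for a value that authenticates a client, since UUIDs are designed as identifiers, not secrets. The same generator is what the newOA() hunk in EditOAAction calls, so the change would cover both places.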
@@ -46,12 +46,12 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.TemplatesType; import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType; import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; import at.gv.egovernment.moa.id.configuration.data.FormularCustomization; import at.gv.egovernment.moa.id.configuration.data.oa.OAGeneralConfig; +import at.gv.egovernment.moa.id.configuration.data.oa.OAOAuth20Config; import at.gv.egovernment.moa.id.configuration.data.oa.OAPVP2Config; import at.gv.egovernment.moa.id.configuration.data.oa.OASAML1Config; import at.gv.egovernment.moa.id.configuration.data.oa.OASSOConfig; 
@@ -63,28 +63,27 @@ import at.gv.egovernment.moa.id.configuration.validation.FormularCustomizationVa import at.gv.egovernment.moa.id.configuration.validation.TargetValidator; import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper; import at.gv.egovernment.moa.id.configuration.validation.oa.OAGeneralConfigValidation; +import at.gv.egovernment.moa.id.configuration.validation.oa.OAOAUTH20ConfigValidation; import at.gv.egovernment.moa.id.configuration.validation.oa.OAPVP2ConfigValidation; import at.gv.egovernment.moa.id.configuration.validation.oa.OASAML1ConfigValidation; import at.gv.egovernment.moa.id.configuration.validation.oa.OASSOConfigValidation; import at.gv.egovernment.moa.id.configuration.validation.oa.OASTORKConfigValidation; import at.gv.egovernment.moa.id.util.FormBuildUtils; -import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.util.MiscUtil; import com.opensymphony.xwork2.ActionSupport; -public class EditOAAction extends ActionSupport implements ServletRequestAware, -ServletResponseAware { - +public class EditOAAction extends ActionSupport implements ServletRequestAware, ServletResponseAware { + private final Logger log = Logger.getLogger(EditOAAction.class); private static final long serialVersionUID = 1L; - + private HttpServletRequest request; private HttpServletResponse response; - private AuthenticatedUser authUser; + private AuthenticatedUser authUser; private String oaidobj; private boolean newOA; 
@@ -96,17 +95,18 @@ ServletResponseAware { private boolean isMetaDataRefreshRequired = false; private String nextPage; - + private OAGeneralConfig generalOA = new OAGeneralConfig(); private OAPVP2Config pvp2OA = new OAPVP2Config(); private OASAML1Config saml1OA = new OASAML1Config(); private OASSOConfig ssoOA = new OASSOConfig(); + private OAOAuth20Config oauth20OA = new OAOAuth20Config(); private OASTORKConfig storkOA; private FormularCustomization formOA = new FormularCustomization(); private InputStream stream; - //STRUTS actions + // STRUTS actions public String inital() { HttpSession session = request.getSession(); if (session == null) { 
@@ -127,40 +127,39 @@ ServletResponseAware { oaid = Long.valueOf(oaidobj); UserDatabase userdb = null; - OnlineApplication onlineapplication = null;; + OnlineApplication onlineapplication = null; if (authUser.isAdmin()) onlineapplication = ConfigurationDBRead.getOnlineApplication(oaid); else { userdb = ConfigurationDBRead.getUserWithID(authUser.getUserID()); - - if (!authUser.isAdmin() && userdb.isIsMailAddressVerified() != null - && !userdb.isIsMailAddressVerified()) { + + if (!authUser.isAdmin() && userdb.isIsMailAddressVerified() != null && !userdb.isIsMailAddressVerified()) { log.info("Online-Applikation managemant disabled. Mail address is not verified."); addActionError(LanguageHelper.getErrorString("error.editoa.mailverification")); return Constants.STRUTS_SUCCESS; } - - //TODO: change to direct Database operation + // TODO: change to direct Database operation List oas = userdb.getOnlineApplication(); for (OnlineApplication oa : oas) { if (oa.getHjid() == oaid) { onlineapplication = oa; break; } - } + } if (onlineapplication == null) { addActionError(LanguageHelper.getErrorString("errors.edit.oa.oaid", request)); return Constants.STRUTS_ERROR; } } - + generalOA.parse(onlineapplication); ssoOA.parse(onlineapplication); saml1OA.parse(onlineapplication); - + oauth20OA.parse(onlineapplication); + session.setAttribute(Constants.SESSION_OAUTH20SECRET, this.oauth20OA.getClientSecret()); Map map = new HashMap(); map.putAll(FormBuildUtils.getDefaultMap()); 
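Review bot: The list returned by `oauth20OA.parse(onlineapplication)` is discarded here, so the `error.oa.oauth.redirecturi` message that parse() produces for a missing or malformed stored redirect URI never reaches `addActionError`. Either keep the result (`List oauthErrors = oauth20OA.parse(onlineapplication);`) and report it with the other parse errors, or add a comment such as `// OAuth parse errors are intentionally not shown on load` so the omission is visibly deliberate. Note also that parse() can generate a fresh secret when none is stored; that value then exists only in the session under `Constants.SESSION_OAUTH20SECRET` until a save persists it, and whether the save path reads the session copy cannot be confirmed from this hunk. inital() starts and ends outside the hunk.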
@@ -172,14 +171,13 @@ ServletResponseAware { if (errors.size() > 0) { for (String el : errors) - addActionError(el); + addActionError(el); } subTargetSet = MiscUtil.isNotEmpty(generalOA.getTarget_subsector()); - //set UserSpezific OA Parameters - if (!authUser.isAdmin()) - generateUserSpecificConfigurationOptions(userdb); + // set UserSpezific OA Parameters + if (!authUser.isAdmin()) generateUserSpecificConfigurationOptions(userdb); ConfigurationDBUtils.closeSession(); session.setAttribute(Constants.SESSION_OAID, oaid); @@ -194,24 +192,23 @@ ServletResponseAware { public String newOA() { log.debug("insert new Online-Application"); - + HttpSession session = request.getSession(); if (session == null) { log.info("No http Session found."); return Constants.STRUTS_ERROR; } - + session.setAttribute(Constants.SESSION_OAID, null); nextPage = Constants.STRUTS_RETURNAREA_VALUES.main.name(); Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; - + UserDatabase userdb = ConfigurationDBRead.getUserWithID(authUser.getUserID()); - if (!authUser.isAdmin() && userdb.isIsMailAddressVerified() != null - && !userdb.isIsMailAddressVerified()) { + if (!authUser.isAdmin() && userdb.isIsMailAddressVerified() != null && !userdb.isIsMailAddressVerified()) { log.info("Online-Applikation managemant disabled. Mail address is not verified."); addActionError(LanguageHelper.getErrorString("error.editoa.mailverification")); return Constants.STRUTS_SUCCESS; @@ -227,10 +224,8 @@ ServletResponseAware { } } - //set UserSpezific OA Parameters - if (!authUser.isAdmin()) - generateUserSpecificConfigurationOptions(userdb); - + // set UserSpezific OA Parameters + if (!authUser.isAdmin()) generateUserSpecificConfigurationOptions(userdb); ConfigurationDBUtils.closeSession(); 
@@ -240,6 +235,9 @@ ServletResponseAware { session.setAttribute(Constants.SESSION_BKUFORMPREVIEW, null); + this.oauth20OA.generateClientSecret(); + session.setAttribute(Constants.SESSION_OAUTH20SECRET, this.oauth20OA.getClientSecret()); + return Constants.STRUTS_OA_EDIT; } @@ -252,25 +250,24 @@ ServletResponseAware { Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; - + Object formidobj = session.getAttribute(Constants.SESSION_FORMID); if (formidobj != null && formidobj instanceof String) { String formid = (String) formidobj; if (!formid.equals(formID)) { - log.warn("FormIDs does not match. Some suspect Form is received from user " - + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + log.warn("FormIDs does not match. Some suspect Form is received from user " + authUser.getFamilyName() + + authUser.getGivenName() + authUser.getUserID()); return Constants.STRUTS_ERROR; - } + } } else { - log.warn("FormIDs does not match. Some suspect Form is received from user " - + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + log.warn("FormIDs does not match. Some suspect Form is received from user " + authUser.getFamilyName() + + authUser.getGivenName() + authUser.getUserID()); return Constants.STRUTS_ERROR; } session.setAttribute(Constants.SESSION_FORMID, null); UserDatabase userdb = ConfigurationDBRead.getUserWithID(authUser.getUserID()); - if (!authUser.isAdmin() && - userdb.isIsMailAddressVerified() != null && !userdb.isIsMailAddressVerified()) { + if (!authUser.isAdmin() && userdb.isIsMailAddressVerified() != null && !userdb.isIsMailAddressVerified()) { log.info("Online-Applikation managemant disabled. Mail address is not verified."); addActionError(LanguageHelper.getErrorString("error.editoa.mailverification")); return Constants.STRUTS_SUCCESS; 
@@ -282,21 +279,22 @@ ServletResponseAware { Object oadbid = request.getSession().getAttribute(Constants.SESSION_OAID); Long oaid = (long) -1; - if (oadbid != null ) { + if (oadbid != null) { try { - oaid = (Long) oadbid; + oaid = (Long) oadbid; if (oaid < 0 || oaid > Long.MAX_VALUE) { addActionError(LanguageHelper.getErrorString("errors.edit.oa.oaid", request)); - return Constants.STRUTS_ERROR; + return Constants.STRUTS_ERROR; } - } catch (Throwable t) { + } + catch (Throwable t) { addActionError(LanguageHelper.getErrorString("errors.edit.oa.oaid", request)); - return Constants.STRUTS_ERROR; + return Constants.STRUTS_ERROR; } } - //valid DBID and check entry + // valid DBID and check entry String oaidentifier = generalOA.getIdentifier(); if (MiscUtil.isEmpty(oaidentifier)) { log.info("Empty OA identifier"); @@ -306,14 +304,14 @@ ServletResponseAware { if (!ValidationHelper.validateURL(oaidentifier)) { log.warn("OnlineapplikationIdentifier is not a valid URL: " + oaidentifier); - errors.add(LanguageHelper.getErrorString("validation.general.oaidentifier.valid", - new Object[] {ValidationHelper.getNotValidOAIdentifierCharacters()} )); + errors.add(LanguageHelper.getErrorString("validation.general.oaidentifier.valid", + new Object[] { ValidationHelper.getNotValidOAIdentifierCharacters() })); } else { - + if (oaid == -1) { onlineapplication = ConfigurationDBRead.getOnlineApplication(oaidentifier); newOA = true; - if (onlineapplication != null) { + if (onlineapplication != null) { log.info("The OAIdentifier is not unique"); errors.add(LanguageHelper.getErrorString("validation.general.oaidentifier.notunique")); } 
@@ -322,7 +320,7 @@ ServletResponseAware { onlineapplication = ConfigurationDBRead.getOnlineApplication(oaid); if (!oaidentifier.equals(onlineapplication.getPublicURLPrefix())) { - if (ConfigurationDBRead.getOnlineApplication(oaidentifier) != null) { + if (ConfigurationDBRead.getOnlineApplication(oaidentifier) != null) { log.info("The OAIdentifier is not unique"); errors.add(LanguageHelper.getErrorString("validation.general.oaidentifier.notunique")); } 
@@ -331,113 +329,104 @@ ServletResponseAware { } } - //set UserSpezific OA Parameters - if (!authUser.isAdmin()) - generateUserSpecificConfigurationOptions(userdb); + // set UserSpezific OA Parameters + if (!authUser.isAdmin()) generateUserSpecificConfigurationOptions(userdb); - //check form + // check form OAGeneralConfigValidation validatior_general = new OAGeneralConfigValidation(); OAPVP2ConfigValidation validatior_pvp2 = new OAPVP2ConfigValidation(); OASAML1ConfigValidation validatior_saml1 = new OASAML1ConfigValidation(); OASSOConfigValidation validatior_sso = new OASSOConfigValidation(); OASTORKConfigValidation validator_stork = new OASTORKConfigValidation(); FormularCustomizationValitator validator_form = new FormularCustomizationValitator(); + OAOAUTH20ConfigValidation validatior_oauth20 = new OAOAUTH20ConfigValidation(); - errors.addAll(validatior_general.validate(generalOA, authUser.isAdmin())); + errors.addAll(validatior_general.validate(generalOA, authUser.isAdmin())); errors.addAll(validatior_pvp2.validate(pvp2OA)); errors.addAll(validatior_saml1.validate(saml1OA, generalOA)); errors.addAll(validatior_sso.validate(ssoOA, authUser.isAdmin())); - errors.addAll(validator_stork.validate(storkOA)); + errors.addAll(validator_stork.validate(storkOA)); errors.addAll(validator_form.validate(formOA)); + errors.addAll(validatior_oauth20.validate(oauth20OA)); - //Do not allow SSO in combination with special BKUSelection features - if (ssoOA.isUseSSO() && - ( formOA.isOnlyMandateAllowed() || !formOA.isShowMandateLoginButton()) ) { + // Do not allow SSO in combination with special BKUSelection features + if (ssoOA.isUseSSO() && (formOA.isOnlyMandateAllowed() || !formOA.isShowMandateLoginButton())) { log.warn("Special BKUSelection features can not be used in combination with SSO"); - errors.add(LanguageHelper.getErrorString("validation.general.bkuselection.specialfeatures.valid")); + 
errors.add(LanguageHelper.getErrorString("validation.general.bkuselection.specialfeatures.valid")); } if (errors.size() > 0) { log.info("OAConfiguration with ID " + generalOA.getIdentifier() + " has some errors."); for (String el : errors) - addActionError(el); + addActionError(el); formID = Random.nextRandom(); session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } else { - + boolean newentry = false; if (onlineapplication == null) { onlineapplication = new OnlineApplication(); newentry = true; onlineapplication.setIsActive(false); - + if (!authUser.isAdmin()) { onlineapplication.setIsAdminRequired(true); } else isMetaDataRefreshRequired = true; - } else { - if (!authUser.isAdmin() && - !onlineapplication.getPublicURLPrefix(). - equals(generalOA.getIdentifier())) { + if (!authUser.isAdmin() && !onlineapplication.getPublicURLPrefix().equals(generalOA.getIdentifier())) { onlineapplication.setIsAdminRequired(true); onlineapplication.setIsActive(false); - log.info("User with ID " + authUser.getUserID() - + " change OA-PublicURLPrefix. Reaktivation is required."); + log.info("User with ID " + authUser.getUserID() + " change OA-PublicURLPrefix. 
Reaktivation is required."); } } - if ( (onlineapplication.isIsAdminRequired() == null) || - (authUser.isAdmin() && generalOA.isActive() - && onlineapplication.isIsAdminRequired()) ) { + if ((onlineapplication.isIsAdminRequired() == null) + || (authUser.isAdmin() && generalOA.isActive() && onlineapplication.isIsAdminRequired())) { onlineapplication.setIsAdminRequired(false); isMetaDataRefreshRequired = true; - if (onlineapplication.getHjid() != null) - userdb = ConfigurationDBRead.getUsersWithOADBID(onlineapplication.getHjid()); + if (onlineapplication.getHjid() != null) userdb = ConfigurationDBRead.getUsersWithOADBID(onlineapplication.getHjid()); - if (userdb != null && !userdb.isIsAdmin() ) { + if (userdb != null && !userdb.isIsAdmin()) { try { - MailHelper.sendUserOnlineApplicationActivationMail( - userdb.getGivenname(), - userdb.getFamilyname(), - userdb.getInstitut(), - onlineapplication.getPublicURLPrefix(), - userdb.getMail()); - } catch (ConfigurationException e) { + MailHelper.sendUserOnlineApplicationActivationMail(userdb.getGivenname(), userdb.getFamilyname(), + userdb.getInstitut(), onlineapplication.getPublicURLPrefix(), userdb.getMail()); + } + catch (ConfigurationException e) { log.warn("Sending Mail to User " + userdb.getMail() + " failed", e); } - } + } } if (pvp2OA.getMetaDataURL() != null) { try { - if (isMetaDataRefreshRequired || !pvp2OA.getMetaDataURL(). 
- equals(onlineapplication.getAuthComponentOA().getOAPVP2().getMetadataURL())) { - + if (isMetaDataRefreshRequired + || !pvp2OA.getMetaDataURL().equals(onlineapplication.getAuthComponentOA().getOAPVP2().getMetadataURL())) { + log.debug("Set PVP2 Metadata refresh flag."); MOAIDConfiguration moaconfig = ConfigurationDBRead.getMOAIDConfiguration(); moaconfig.setPvp2RefreshItem(new Date()); ConfigurationDBUtils.saveOrUpdate(moaconfig); - + } - } catch (Throwable e) { + } + catch (Throwable e) { log.info("Found no MetadataURL in OA-Databaseconfig!", e); } } - String error = saveOAConfigToDatabase(onlineapplication, newentry); if (MiscUtil.isNotEmpty(error)) { log.warn("OA configuration can not be stored!"); @@ -449,7 +438,7 @@ ServletResponseAware { } } - Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA); + Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA); if (nextPageAttr != null && nextPageAttr instanceof String) { nextPage = (String) nextPageAttr; session.setAttribute(Constants.SESSION_RETURNAREA, null); 
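Review bot: `validatior_oauth20.validate(oauth20OA)` checks the form-bound bean, but nothing in this hunk compares its client secret with the value the server placed under `Constants.SESSION_OAUTH20SECRET` when the edit page was opened. OAOAuth20Config has public `setClientId` and `setClientSecret`, so if the action exposes the bean to request-parameter binding (the accessor is not visible here) a submitted form could presumably supply its own credential. Overwriting the bean from the session before validating, `oauth20OA.setClientSecret((String) session.getAttribute(Constants.SESSION_OAUTH20SECRET));`, keeps the server-issued secret authoritative, and the session attribute should be cleared once the save completes. The enclosing save method starts and ends outside the hunk.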
@@ -458,33 +447,29 @@ ServletResponseAware { nextPage = Constants.STRUTS_RETURNAREA_VALUES.main.name(); } - if (onlineapplication.isIsAdminRequired()) { int numoas = 0; int numusers = 0; List openOAs = ConfigurationDBRead.getAllNewOnlineApplications(); - if (openOAs != null) - numoas = openOAs.size(); + if (openOAs != null) numoas = openOAs.size(); List openUsers = ConfigurationDBRead.getAllNewUsers(); - if (openUsers != null) - numusers = openUsers.size(); + if (openUsers != null) numusers = openUsers.size(); try { addActionMessage(LanguageHelper.getGUIString("webpages.oaconfig.success.admin", generalOA.getIdentifier(), request)); - if (numusers > 0 || numoas > 0) - MailHelper.sendAdminMail(numoas, numusers); + if (numusers > 0 || numoas > 0) MailHelper.sendAdminMail(numoas, numusers); - } catch (ConfigurationException e) { + } + catch (ConfigurationException e) { log.warn("Sending Mail to Admin failed.", e); } } else - addActionMessage(LanguageHelper.getGUIString("webpages.oaconfig.success", generalOA.getIdentifier(), request)); + addActionMessage(LanguageHelper.getGUIString("webpages.oaconfig.success", generalOA.getIdentifier(), request)); - request.getSession().setAttribute(Constants.SESSION_OAID, null); ConfigurationDBUtils.closeSession(); @@ -498,8 +483,8 @@ ServletResponseAware { log.info("No http Session found."); return Constants.STRUTS_ERROR; } - - Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA); + + Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA); if (nextPageAttr != null && nextPageAttr instanceof String) { nextPage = (String) nextPageAttr; session.setAttribute(Constants.SESSION_RETURNAREA, null); 
@@ -531,28 +516,27 @@ ServletResponseAware { if (formidobj != null && formidobj instanceof String) { String formid = (String) formidobj; if (!formid.equals(formID)) { - log.warn("FormIDs does not match. Some suspect Form is received from user " - + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + log.warn("FormIDs does not match. Some suspect Form is received from user " + authUser.getFamilyName() + + authUser.getGivenName() + authUser.getUserID()); return Constants.STRUTS_ERROR; - } + } } else { - log.warn("FormIDs does not match. Some suspect Form is received from user " - + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + log.warn("FormIDs does not match. Some suspect Form is received from user " + authUser.getFamilyName() + + authUser.getGivenName() + authUser.getUserID()); return Constants.STRUTS_ERROR; } session.setAttribute(Constants.SESSION_FORMID, null); - Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA); + Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA); if (nextPageAttr != null && nextPageAttr instanceof String) { nextPage = (String) nextPageAttr; } else { nextPage = Constants.STRUTS_RETURNAREA_VALUES.main.name(); } - + UserDatabase userdb = ConfigurationDBRead.getUserWithID(authUser.getUserID()); - if (!authUser.isAdmin() && userdb.isIsMailAddressVerified() != null && - !userdb.isIsMailAddressVerified()) { + if (!authUser.isAdmin() && userdb.isIsMailAddressVerified() != null && !userdb.isIsMailAddressVerified()) { log.info("Online-Applikation managemant disabled. Mail address is not verified."); addActionError(LanguageHelper.getErrorString("error.editoa.mailverification")); return Constants.STRUTS_SUCCESS; 
@@ -570,32 +554,31 @@ ServletResponseAware { } else { if (ValidationHelper.isValidOAIdentifier(oaidentifier)) { log.warn("IdentificationNumber contains potentail XSS characters: " + oaidentifier); - addActionError(LanguageHelper.getErrorString("validation.general.oaidentifier.valid", - new Object[] {ValidationHelper.getNotValidOAIdentifierCharacters()} )); + addActionError(LanguageHelper.getErrorString("validation.general.oaidentifier.valid", + new Object[] { ValidationHelper.getNotValidOAIdentifierCharacters() })); formID = Random.nextRandom(); session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } } - + OnlineApplication onlineapplication = ConfigurationDBRead.getOnlineApplication(oaidentifier); request.getSession().setAttribute(Constants.SESSION_OAID, null); - try { if (MiscUtil.isNotEmpty(onlineapplication.getAuthComponentOA().getOAPVP2().getMetadataURL())) { - + MOAIDConfiguration moaconfig = ConfigurationDBRead.getMOAIDConfiguration(); moaconfig.setPvp2RefreshItem(new Date()); ConfigurationDBUtils.saveOrUpdate(moaconfig); - + } - } catch (Throwable e) { + } + catch (Throwable e) { log.info("Found no MetadataURL in OA-Databaseconfig!", e); } - if (ConfigurationDBUtils.delete(onlineapplication)) { if (!authUser.isAdmin()) { @@ -611,7 +594,8 @@ ServletResponseAware { try { ConfigurationDBUtils.saveOrUpdate(user); - } catch (MOADatabaseException e) { + } + catch (MOADatabaseException e) { log.warn("User information can not be updated in database", e); addActionError(LanguageHelper.getGUIString("error.db.oa.store", request)); return Constants.STRUTS_ERROR; 
@@ -627,15 +611,13 @@ ServletResponseAware { } else { ConfigurationDBUtils.closeSession(); addActionError(LanguageHelper.getGUIString("webpages.oaconfig.delete.error", generalOA.getIdentifier(), request)); - return Constants.STRUTS_SUCCESS; + return Constants.STRUTS_SUCCESS; } - - } public String bkuFramePreview() { - + String preview = null; HttpSession session = request.getSession(); @@ -651,12 +633,11 @@ ServletResponseAware { if (mapobj != null && mapobj instanceof Map) { ConfigurationProvider config = ConfigurationProvider.getInstance(); - String templateURL = config.getConfigRootDir() + - ConfigurationProvider.HTMLTEMPLATE_DIR + - ConfigurationProvider.HTMLTEMPLATE_FILE; + String templateURL = config.getConfigRootDir() + ConfigurationProvider.HTMLTEMPLATE_DIR + + ConfigurationProvider.HTMLTEMPLATE_FILE; File file = new File(templateURL); - input = new FileInputStream(file); + input = new FileInputStream(file); String contextpath = config.getMOAIDInstanceURL(); if (MiscUtil.isEmpty(contextpath)) { @@ -667,7 +648,6 @@ ServletResponseAware { preview = LoginFormBuilder.getTemplate(input); preview = preview.replace(LoginFormBuilder.CONTEXTPATH, contextpath); - Map map = (Map) mapobj; request.setCharacterEncoding("UTF-8"); 
@@ -679,22 +659,20 @@ ServletResponseAware { String[] query = URLDecoder.decode(request.getQueryString()).split("&"); value = query[1].substring("value=".length()); } - + synchronized (map) { - + if (MiscUtil.isNotEmpty(module)) { - if (map.containsKey("#"+module+"#")) { + if (map.containsKey("#" + module + "#")) { if (MiscUtil.isNotEmpty(value)) { - if (FormBuildUtils.FONTFAMILY.contains(module) || - FormBuildUtils.HEADER_TEXT.contains(module) || - value.startsWith("#")) - map.put("#"+module+"#", value); + if (FormBuildUtils.FONTFAMILY.contains(module) || FormBuildUtils.HEADER_TEXT.contains(module) + || value.startsWith("#")) + map.put("#" + module + "#", value); else - map.put("#"+module+"#", "#"+value); - + map.put("#" + module + "#", "#" + value); + } else { - map.put("#"+module+"#", - FormBuildUtils.getDefaultMap().get("#"+module+"#")); + map.put("#" + module + "#", FormBuildUtils.getDefaultMap().get("#" + module + "#")); } } } @@ -705,12 +683,13 @@ ServletResponseAware { preview = LanguageHelper.getErrorString("error.bkuformpreview.notpossible"); } - - } catch (Exception e) { + + } + catch (Exception e) { log.warn("BKUSelection Preview can not be generated.", e); preview = LanguageHelper.getErrorString("error.bkuformpreview.notpossible"); - } + } } stream = new ByteArrayInputStream(preview.getBytes()); @@ -719,15 +698,14 @@ ServletResponseAware { } private String saveOAConfigToDatabase(OnlineApplication dboa, boolean newentry) { - + AuthComponentOA authoa = dboa.getAuthComponentOA(); - if (authoa == null) { + if (authoa == null) { authoa = new AuthComponentOA(); dboa.setAuthComponentOA(authoa); } - - if (authUser.isAdmin()) - dboa.setIsActive(generalOA.isActive()); + + if (authUser.isAdmin()) dboa.setIsActive(generalOA.isActive()); dboa.setFriendlyName(generalOA.getFriendlyName()); dboa.setCalculateHPI(generalOA.isCalculateHPI()); 
@@ -736,8 +714,7 @@ ServletResponseAware { if (authUser.isAdmin()) dboa.setKeyBoxIdentifier(MOAKeyBoxSelector.fromValue(generalOA.getKeyBoxIdentifier())); else { - if (newentry) - dboa.setKeyBoxIdentifier(MOAKeyBoxSelector.SECURE_SIGNATURE_KEYPAIR); + if (newentry) dboa.setKeyBoxIdentifier(MOAKeyBoxSelector.SECURE_SIGNATURE_KEYPAIR); } dboa.setPublicURLPrefix(generalOA.getIdentifier()); 
@@ -752,46 +729,37 @@ ServletResponseAware { num = at.gv.egovernment.moa.util.StringUtils.deleteLeadingZeros(num); - //num = StringUtils.leftPad(num, 7, '0'); + // num = StringUtils.leftPad(num, 7, '0'); } - if (num.startsWith(Constants.IDENIFICATIONTYPE_ZVR)) - num = num.substring(Constants.IDENIFICATIONTYPE_ZVR.length()); + if (num.startsWith(Constants.IDENIFICATIONTYPE_ZVR)) num = num.substring(Constants.IDENIFICATIONTYPE_ZVR.length()); - if (num.startsWith(Constants.IDENIFICATIONTYPE_ERSB)) - num = num.substring(Constants.IDENIFICATIONTYPE_ERSB.length()); + if (num.startsWith(Constants.IDENIFICATIONTYPE_ERSB)) num = num.substring(Constants.IDENIFICATIONTYPE_ERSB.length()); IdentificationNumber idnumber = new IdentificationNumber(); - idnumber.setValue( - Constants.PREFIX_WPBK + - generalOA.getIdentificationType() + - "+" + - num); + idnumber.setValue(Constants.PREFIX_WPBK + generalOA.getIdentificationType() + "+" + num); authoa.setIdentificationNumber(idnumber); - } - else { + } else { dboa.setType(null); if (authUser.isAdmin()) { - if (MiscUtil.isNotEmpty(generalOA.getTarget_admin()) && - generalOA.isAdminTarget() ) { + if (MiscUtil.isNotEmpty(generalOA.getTarget_admin()) && generalOA.isAdminTarget()) { dboa.setTarget(generalOA.getTarget_admin()); dboa.setTargetFriendlyName(generalOA.getTargetFriendlyName()); } else { String target = generalOA.getTarget(); - + if (MiscUtil.isNotEmpty(generalOA.getTarget_subsector()) && subTargetSet) dboa.setTarget(target + "-" + generalOA.getTarget_subsector()); else dboa.setTarget(target); String targetname = TargetValidator.getTargetFriendlyName(target); - if (MiscUtil.isNotEmpty(targetname)) - dboa.setTargetFriendlyName(targetname); + if (MiscUtil.isNotEmpty(targetname)) dboa.setTargetFriendlyName(targetname); } 
@@ -800,7 +768,7 @@ ServletResponseAware { if (MiscUtil.isNotEmpty(generalOA.getTarget())) { String target = generalOA.getTarget(); - + if (MiscUtil.isNotEmpty(generalOA.getTarget_subsector()) && subTargetSet) dboa.setTarget(target + "-" + generalOA.getTarget_subsector()); @@ -808,11 +776,10 @@ ServletResponseAware { dboa.setTarget(target); String targetname = TargetValidator.getTargetFriendlyName(target); - if (MiscUtil.isNotEmpty(targetname)) - dboa.setTargetFriendlyName(targetname); + if (MiscUtil.isNotEmpty(targetname)) dboa.setTargetFriendlyName(targetname); } - } + } } BKUURLS bkuruls = new BKUURLS(); @@ -822,7 +789,7 @@ ServletResponseAware { bkuruls.setLocalBKU(generalOA.getBkuLocalURL()); bkuruls.setOnlineBKU(generalOA.getBkuOnlineURL()); } - + TemplatesType templates = authoa.getTemplates(); if (templates == null) { templates = new TemplatesType(); @@ -849,15 +816,15 @@ ServletResponseAware { if (authUser.isAdmin()) { templates.setAditionalAuthBlockText(generalOA.getAditionalAuthBlockText()); - + List template = templates.getTemplate(); if (generalOA.isLegacy()) { - + if (template == null) template = new ArrayList(); else template.clear(); - + if (MiscUtil.isNotEmpty(generalOA.getSLTemplateURL1())) { TemplateType el = new TemplateType(); el.setURL(generalOA.getSLTemplateURL1()); @@ -875,10 +842,9 @@ ServletResponseAware { } } else { - if (template != null && template.size() > 0) - template.clear(); + if (template != null && template.size() > 0) template.clear(); } - + bkuselectioncustom.setBackGroundColor(parseColor(formOA.getBackGroundColor())); bkuselectioncustom.setFrontColor(parseColor(formOA.getFrontColor())); 
@@ -889,19 +855,19 @@ ServletResponseAware { bkuselectioncustom.setButtonBackGroundColor(parseColor(formOA.getButton_BackGroundColor())); bkuselectioncustom.setButtonBackGroundColorFocus(parseColor(formOA.getButton_BackGroundColorFocus())); bkuselectioncustom.setButtonFontColor(parseColor(formOA.getButton_FrontColor())); - + if (MiscUtil.isNotEmpty(formOA.getAppletRedirectTarget())) bkuselectioncustom.setAppletRedirectTarget(formOA.getAppletRedirectTarget()); - bkuselectioncustom.setFontType(formOA.getFontType()); - + bkuselectioncustom.setFontType(formOA.getFontType()); + } - - //set default transformation if it is empty + + // set default transformation if it is empty List transformsInfo = authoa.getTransformsInfo(); if (transformsInfo == null) { - //TODO: set OA specific transformation if it is required - + // TODO: set OA specific transformation if it is required + } OAPVP2 pvp2 = authoa.getOAPVP2(); @@ -913,17 +879,18 @@ ServletResponseAware { pvp2.setMetadataURL(pvp2OA.getMetaDataURL()); try { - if (pvp2OA.getFileUpload() != null) - pvp2.setCertificate(pvp2OA.getCertificate()); + if (pvp2OA.getFileUpload() != null) pvp2.setCertificate(pvp2OA.getCertificate()); - } catch (CertificateException e) { + } + catch (CertificateException e) { log.info("Uploaded Certificate can not be found", e); return LanguageHelper.getErrorString("validation.pvp2.certificate.notfound"); - } catch (IOException e) { + } + catch (IOException e) { log.info("Uploaded Certificate can not be parsed", e); return LanguageHelper.getErrorString("validation.pvp2.certificate.format"); } - + OASAML1 saml1 = authoa.getOASAML1(); if (saml1 == null) { saml1 = new OASAML1(); @@ -934,7 +901,7 @@ ServletResponseAware { if (authUser.isAdmin()) { saml1.setIsActive(saml1OA.isActive()); } - + if (saml1.isIsActive() != null && saml1.isIsActive()) { saml1.setProvideAUTHBlock(saml1OA.isProvideAuthBlock()); saml1.setProvideCertificate(saml1OA.isProvideCertificate()); 
@@ -943,8 +910,8 @@ ServletResponseAware { saml1.setProvideStammzahl(saml1OA.isProvideStammZahl()); saml1.setUseCondition(saml1OA.isUseCondition()); saml1.setConditionLength(BigInteger.valueOf(saml1OA.getConditionLength())); - //TODO: set sourceID - //saml1.setSourceID(""); + // TODO: set sourceID + // saml1.setSourceID(""); } OASSO sso = authoa.getOASSO(); 
@@ -955,42 +922,60 @@ ServletResponseAware { } sso.setUseSSO(ssoOA.isUseSSO()); - if (authUser.isAdmin()) - sso.setAuthDataFrame(ssoOA.isShowAuthDataFrame()); + if (authUser.isAdmin()) sso.setAuthDataFrame(ssoOA.isShowAuthDataFrame()); sso.setSingleLogOutURL(ssoOA.getSingleLogOutURL()); - STORK stork = authoa.getSTORK(); if (stork == null) { - //TODO: make stork configurable + // TODO: make stork configurable } - + + if (oauth20OA != null) { + log.debug("Saving OAuth 2.0 configuration:"); + OAOAUTH20 oaOAuth20 = authoa.getOAOAUTH20(); + if (oaOAuth20 == null) { + oaOAuth20 = new OAOAUTH20(); + authoa.setOAOAUTH20(oaOAuth20); + } + + oaOAuth20.setOAuthClientId(generalOA.getIdentifier()); + // oaOAuth20.setOAuthClientSecret(oauth20OA.getClientSecret()); + oaOAuth20.setOAuthRedirectUri(oauth20OA.getRedirectUri()); + log.debug("client id: " + oauth20OA.getClientId()); + log.debug("client secret: " + oauth20OA.getClientSecret()); + log.debug("redirect uri:" + oauth20OA.getRedirectUri()); + + oaOAuth20.setOAuthClientSecret((String) request.getSession().getAttribute(Constants.SESSION_OAUTH20SECRET)); + request.getSession().setAttribute(Constants.SESSION_OAUTH20SECRET, null); + + } + try { if (newentry) { ConfigurationDBUtils.save(dboa); - + if (!authUser.isAdmin()) { UserDatabase user = ConfigurationDBRead.getUserWithID(authUser.getUserID()); - + List useroas = user.getOnlineApplication(); - if (useroas == null) - useroas = new ArrayList(); + if (useroas == null) useroas = new ArrayList(); useroas.add(dboa); - ConfigurationDBUtils.saveOrUpdate(user); + ConfigurationDBUtils.saveOrUpdate(user); } } else ConfigurationDBUtils.saveOrUpdate(dboa); - } catch (MOADatabaseException e) { + } + catch (MOADatabaseException e) { log.warn("Online-Application can not be stored.", e); return LanguageHelper.getErrorString("error.db.oa.store"); } - + return null; } 
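Review bot: `log.debug("client secret: " + oauth20OA.getClientSecret());` writes the OAuth 2.0 client secret to the log in clear text, where it outlives the session and is readable by anyone with log access; remove the line or log only presence, `log.debug("client secret set: " + (oauth20OA.getClientSecret() != null));`. The secret that is persisted comes from `request.getSession().getAttribute(Constants.SESSION_OAUTH20SECRET)` with no null check, so a save that arrives without that attribute stores `null` over whatever secret the application already had; read it into a local and call `setOAuthClientSecret` only when it is non-empty. Clearing the attribute reads better as `request.getSession().removeAttribute(Constants.SESSION_OAUTH20SECRET);`. The client id is stored from `generalOA.getIdentifier()` while the debug line prints `oauth20OA.getClientId()`, so the log may not show the value that was saved. The enclosing method begins outside this hunk.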
@@ -1009,9 +994,8 @@ ServletResponseAware { private void generateUserSpecificConfigurationOptions(UserDatabase userdb) { if (userdb.isIsMandateUser() != null && userdb.isIsMandateUser()) { - String bpk = userdb.getBpk(); - if (bpk.startsWith(Constants.IDENIFICATIONTYPE_BASEID_FN) || - bpk.startsWith(Constants.IDENIFICATIONTYPE_BASEID_ZVR)) { + String bpk = userdb.getBpk(); + if (bpk.startsWith(Constants.IDENIFICATIONTYPE_BASEID_FN) || bpk.startsWith(Constants.IDENIFICATIONTYPE_BASEID_ZVR)) { onlyBusinessService = true; generalOA.setBusinessService(true); @@ -1023,15 +1007,12 @@ ServletResponseAware { generalOA.setIdentificationType(split[1].substring(1)); if (bpk.startsWith(Constants.IDENIFICATIONTYPE_BASEID_FN)) - generalOA.setIdentificationNumber( - at.gv.egovernment.moa.util.StringUtils.deleteLeadingZeros(split[2])); + generalOA.setIdentificationNumber(at.gv.egovernment.moa.util.StringUtils.deleteLeadingZeros(split[2])); else generalOA.setIdentificationNumber(split[2]); } - - } public String setGeneralOAConfig() { 
@@ -1059,179 +1040,185 @@ ServletResponseAware { return Constants.STRUTS_SUCCESS; } - - //Getter and Setter + // Getter and Setter public void setServletResponse(HttpServletResponse arg0) { this.response = arg0; } - + public void setServletRequest(HttpServletRequest arg0) { this.request = arg0; } - + public HttpServletRequest getRequest() { return request; } - + public void setRequest(HttpServletRequest request) { this.request = request; } - + public HttpServletResponse getResponse() { return response; } - + public void setResponse(HttpServletResponse response) { this.response = response; } - + public OAGeneralConfig getGeneralOA() { return generalOA; } - + public void setGeneralOA(OAGeneralConfig generalOA) { this.generalOA = generalOA; } - + public OAPVP2Config getPvp2OA() { return pvp2OA; } - + public void setPvp2OA(OAPVP2Config pvp2oa) { pvp2OA = pvp2oa; } - + public OASAML1Config getSaml1OA() { return saml1OA; } - + public void setSaml1OA(OASAML1Config saml1oa) { saml1OA = saml1oa; } - + public OASSOConfig getSsoOA() { return ssoOA; } - + public void setSsoOA(OASSOConfig ssoOA) { this.ssoOA = ssoOA; } - + public OASTORKConfig getStorkOA() { return storkOA; } - + public void setStorkOA(OASTORKConfig storkOA) { this.storkOA = storkOA; } - + /** - * @param oaidobj the oaidobj to set + * @param oaidobj + * the oaidobj to set */ public void setOaidobj(String oaidobj) { this.oaidobj = oaidobj; } - + /** * @return the authUser */ public AuthenticatedUser getAuthUser() { return authUser; } - + /** * @return the newOA */ public boolean isNewOA() { return newOA; } - + /** - * @param newOA the newOA to set + * @param newOA + * the newOA to set */ public void setNewOA(boolean newOA) { this.newOA = newOA; } - + /** * @return the nextPage */ public String getNextPage() { return nextPage; } - + /** * @return the formID */ public String getFormID() { return formID; } - + /** - * @param formID the formID to set + * @param formID + * the formID to set */ public void 
setFormID(String formID) { this.formID = formID; } - + /** * @return the onlyBusinessService */ public boolean isOnlyBusinessService() { return onlyBusinessService; } - + /** - * @param onlyBusinessService the onlyBusinessService to set + * @param onlyBusinessService + * the onlyBusinessService to set */ public void setOnlyBusinessService(boolean onlyBusinessService) { this.onlyBusinessService = onlyBusinessService; } - + /** * @return the subTargetSet */ public boolean isSubTargetSet() { return subTargetSet; } - + /** - * @param subTargetSet the subTargetSet to set + * @param subTargetSet + * the subTargetSet to set */ public void setSubTargetSet(boolean subTargetSet) { this.subTargetSet = subTargetSet; } - + /** * @return the deaktivededBusinessService */ public boolean isDeaktivededBusinessService() { return deaktivededBusinessService; } - + /** - * @param deaktivededBusinessService the deaktivededBusinessService to set + * @param deaktivededBusinessService + * the deaktivededBusinessService to set */ public void setDeaktivededBusinessService(boolean deaktivededBusinessService) { this.deaktivededBusinessService = deaktivededBusinessService; } - + /** * @return the formOA */ public FormularCustomization getFormOA() { return formOA; } - + /** - * @param formOA the formOA to set + * @param formOA + * the formOA to set */ public void setFormOA(FormularCustomization formOA) { this.formOA = formOA; } - + /** * @return the stream */ @@ -1239,5 +1226,12 @@ ServletResponseAware { return stream; } + public OAOAuth20Config getOauth20OA() { + return oauth20OA; + } + + public void setOauth20OA(OAOAuth20Config oauth20OA) { + this.oauth20OA = oauth20OA; + } } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAOAUTH20ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAOAUTH20ConfigValidation.java new file mode 100644 index 000000000..867abafc3 --- /dev/null 
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAOAUTH20ConfigValidation.java @@ -0,0 +1,33 @@ +package at.gv.egovernment.moa.id.configuration.validation.oa; + +import java.util.ArrayList; +import java.util.List; + +import org.apache.commons.lang.StringUtils; +import org.apache.log4j.Logger; + +import at.gv.egovernment.moa.id.configuration.data.oa.OAOAuth20Config; +import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util; + +public class OAOAUTH20ConfigValidation { + + private static final Logger log = Logger.getLogger(OAOAUTH20ConfigValidation.class); + + public List validate(OAOAuth20Config form) { + + List errors = new ArrayList(); + + // validate secret +// if (StringUtils.isEmpty(form.getClientSecret())) { +// errors.add(LanguageHelper.getErrorString("error.oa.oauth.clientSecret")); +// } + + // validate redirectUri + if (StringUtils.isNotEmpty(form.getRedirectUri()) && !OAuth20Util.isUrl(form.getRedirectUri())) { + errors.add(LanguageHelper.getErrorString("error.oa.oauth.redirecturi")); + } + + return errors; + } +} -- cgit v1.2.3 From ddd803e73a4519132ce2257c621b54d004f2235f Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 19 Dec 2013 07:41:42 +0100 Subject: BugFix: NullPointerException --- .../gv/egovernment/moa/id/configuration/data/oa/OAOAuth20Config.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'id/ConfigWebTool/src/main/java/at') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAOAuth20Config.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAOAuth20Config.java index b153e02a8..3d2e35ec5 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAOAuth20Config.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAOAuth20Config.java 
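Review bot: `validate` in the new OAOAUTH20ConfigValidation accepts an empty redirect URI, because the check is `StringUtils.isNotEmpty(form.getRedirectUri()) && !OAuth20Util.isUrl(...)`, while the EditOAAction save hunk of this commit stores `oauth20OA.getRedirectUri()` whenever `oauth20OA` is non-null. If an OAuth 2.0 client must always have a registered redirect URI, reject the empty case as well: `if (StringUtils.isEmpty(form.getRedirectUri()) || !OAuth20Util.isUrl(form.getRedirectUri())) {`; if an empty value is meant to signal that OAuth is not configured for the application, a comment should say so. What `OAuth20Util.isUrl` accepts is not visible here, so it is worth confirming that it enforces the scheme the deployment expects (for example https only). The commented-out secret check and the unused `log` field can be removed.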
@@ -34,14 +34,14 @@ public class OAOAuth20Config { this.clientId = dbOAConfig.getPublicURLPrefix(); // validate secret - if (StringUtils.isNotEmpty(config.getOAuthClientSecret())) { + if (config != null && StringUtils.isNotEmpty(config.getOAuthClientSecret())) { this.clientSecret = config.getOAuthClientSecret(); } else { this.generateClientSecret(); } // validate redirectUri - if (StringUtils.isNotEmpty(config.getOAuthRedirectUri()) && OAuth20Util.isUrl(config.getOAuthRedirectUri())) { + if (config != null && StringUtils.isNotEmpty(config.getOAuthRedirectUri()) && OAuth20Util.isUrl(config.getOAuthRedirectUri())) { this.redirectUri = config.getOAuthRedirectUri(); } else { errors.add(LanguageHelper.getErrorString("error.oa.oauth.redirecturi")); -- cgit v1.2.3 From 8b4b3a97cdbdfc4158781982f6e9fc2900871198 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 17 Jan 2014 11:56:10 +0100 Subject: Exthex Version 0.2 --- .../moa/id/configuration/Constants.java | 3 --- .../id/configuration/data/oa/OAOAuth20Config.java | 27 +++++++++++++--------- .../configuration/struts/action/EditOAAction.java | 21 ++++------------- 3 files changed, 20 insertions(+), 31 deletions(-) (limited to 'id/ConfigWebTool/src/main/java/at') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java index 7f3a2129a..536cc0522 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java 
@@ -48,11 +48,8 @@ public class Constants { public static final String PUBLICSERVICE_URL_POSTFIX = ".gv.at"; public static final String IDENIFICATIONTYPE_FN = "FN"; - public static final String IDENIFICATIONTYPE_FN_TYPE = "Firmenbuchnummer"; public static final String IDENIFICATIONTYPE_ERSB = "ERSB"; - public static final String IDENIFICATIONTYPE_ERSB_TYPE = "ERJPZahl"; public static final String IDENIFICATIONTYPE_ZVR = "ZVR"; - public static final String IDENIFICATIONTYPE_ZVR_TYPE = "Vereinsnummer"; public static final String IDENIFICATIONTYPE_BASEID = "urn:publicid:gv.at:baseid+"; public static final String IDENIFICATIONTYPE_BASEID_FN = IDENIFICATIONTYPE_BASEID + "X" + IDENIFICATIONTYPE_FN; diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAOAuth20Config.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAOAuth20Config.java index 3d2e35ec5..63aa1a1cb 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAOAuth20Config.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAOAuth20Config.java 
@@ -29,22 +29,27 @@ public class OAOAuth20Config { AuthComponentOA authdata = dbOAConfig.getAuthComponentOA(); if (authdata != null) { - OAOAUTH20 config = authdata.getOAOAUTH20(); // set client id to public url prefix this.clientId = dbOAConfig.getPublicURLPrefix(); - // validate secret - if (config != null && StringUtils.isNotEmpty(config.getOAuthClientSecret())) { - this.clientSecret = config.getOAuthClientSecret(); - } else { - this.generateClientSecret(); - } + OAOAUTH20 config = authdata.getOAOAUTH20(); - // validate redirectUri - if (config != null && StringUtils.isNotEmpty(config.getOAuthRedirectUri()) && OAuth20Util.isUrl(config.getOAuthRedirectUri())) { - this.redirectUri = config.getOAuthRedirectUri(); + if (config != null) { + // validate secret + if (StringUtils.isNotEmpty(config.getOAuthClientSecret())) { + this.clientSecret = config.getOAuthClientSecret(); + } else { + this.generateClientSecret(); + } + + // validate redirectUri + if (StringUtils.isNotEmpty(config.getOAuthRedirectUri()) && OAuth20Util.isUrl(config.getOAuthRedirectUri())) { + this.redirectUri = config.getOAuthRedirectUri(); + } else { + errors.add(LanguageHelper.getErrorString("error.oa.oauth.redirecturi")); + } } else { - errors.add(LanguageHelper.getErrorString("error.oa.oauth.redirecturi")); + this.generateClientSecret(); } } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java index f6f742c5c..fc66eede4 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java 
@@ -724,34 +724,21 @@ public class EditOAAction extends ActionSupport implements ServletRequestAware, dboa.setType(Constants.MOA_CONFIG_BUSINESSSERVICE); String num = generalOA.getIdentificationNumber().replaceAll(" ", ""); - String type = null; if (num.startsWith(Constants.IDENIFICATIONTYPE_FN)) { num = num.substring(Constants.IDENIFICATIONTYPE_FN.length()); num = at.gv.egovernment.moa.util.StringUtils.deleteLeadingZeros(num); // num = StringUtils.leftPad(num, 7, '0'); - type = Constants.IDENIFICATIONTYPE_FN_TYPE; } - if (num.startsWith(Constants.IDENIFICATIONTYPE_ZVR)) { - num = num.substring(Constants.IDENIFICATIONTYPE_ZVR.length()); - type = Constants.IDENIFICATIONTYPE_ZVR_TYPE; - } + if (num.startsWith(Constants.IDENIFICATIONTYPE_ZVR)) num = num.substring(Constants.IDENIFICATIONTYPE_ZVR.length()); - if (num.startsWith(Constants.IDENIFICATIONTYPE_ERSB)) { - num = num.substring(Constants.IDENIFICATIONTYPE_ERSB.length()); - type = Constants.IDENIFICATIONTYPE_ERSB_TYPE; - } + if (num.startsWith(Constants.IDENIFICATIONTYPE_ERSB)) num = num.substring(Constants.IDENIFICATIONTYPE_ERSB.length()); IdentificationNumber idnumber = new IdentificationNumber(); - idnumber.setType(type); - idnumber.setValue( - Constants.PREFIX_WPBK + - generalOA.getIdentificationType() + - "+" + - num); - + idnumber.setValue(Constants.PREFIX_WPBK + generalOA.getIdentificationType() + "+" + num); + authoa.setIdentificationNumber(idnumber); } else { -- cgit v1.2.3 From 51c45b375485399d36e33f1ab4cf76e9273222e3 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 21 Jan 2014 13:00:34 +0100 Subject: implement SAML2 assertion encryption --- .../id/configuration/auth/pvp2/Authenticate.java | 2 +- .../id/configuration/auth/pvp2/BuildMetadata.java | 29 +++++++++--- .../config/ConfigurationProvider.java | 8 ++++ .../configuration/struts/action/IndexAction.java | 53 +++++++++++++++++++++- 4 files changed, 83 insertions(+), 9 deletions(-) (limited to 'id/ConfigWebTool/src/main/java/at') 
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java index 8684b8cc1..7e00b8084 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java @@ -150,7 +150,7 @@ public class Authenticate extends HttpServlet { redirectEndpoint = sss; } } - + authReq.setDestination(redirectEndpoint.getLocation()); RequestedAuthnContext reqAuthContext = diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java index fa02443dc..cdb28922c 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java 
@@ -142,21 +142,38 @@ public class BuildMetadata extends HttpServlet { entitiesSignKeyDescriptor.setUse(UsageType.SIGNING); entitiesSignKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(signingcredential)); Signature entitiesSignature = getSignature(signingcredential); - + spEntitiesDescriptor.setSignature(entitiesSignature); + + //Set AuthRequest Signing certificate X509Credential authcredential = new KeyStoreX509CredentialAdapter( keyStore, config.getPVP2KeystoreAuthRequestKeyAlias(), - config.getPVP2KeystoreAuthRequestKeyPassword().toCharArray()); - - - //Set AuthRequest Signing certificate + config.getPVP2KeystoreAuthRequestKeyPassword().toCharArray()); KeyDescriptor signKeyDescriptor = SAML2Utils .createSAMLObject(KeyDescriptor.class); signKeyDescriptor.setUse(UsageType.SIGNING); signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential)); - spEntitiesDescriptor.setSignature(entitiesSignature); spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); + + //set AuthRequest encryption certificate + if (MiscUtil.isNotEmpty(config.getPVP2KeystoreAuthRequestEncryptionKeyAlias())) { + X509Credential authEncCredential = new KeyStoreX509CredentialAdapter( + keyStore, + config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(), + config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray()); + KeyDescriptor encryKeyDescriptor = SAML2Utils + .createSAMLObject(KeyDescriptor.class); + encryKeyDescriptor.setUse(UsageType.ENCRYPTION); + encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential)); + spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor); + + } else { + log.warn("No Assertion Encryption-Key defined. This setting is not recommended!"); + + } + + NameIDFormat persistentnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); persistentnameIDFormat.setFormat(NameIDType.PERSISTENT); 
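Review bot: In the added encryption-key block only the alias is checked; `config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray()` throws a NullPointerException when the alias property is set but the password property is missing, since the new getters in ConfigurationProvider return `props.getProperty(...)` without a default. Read both values into locals and require both, e.g. `if (MiscUtil.isNotEmpty(encAlias) && encPassword != null) {`, and log which property is missing otherwise. The decryption block added to IndexAction in the same commit makes the same call without checking the alias at all, so an encrypted assertion arriving at an installation with no encryption key configured fails there with the same exception. The enclosing method starts and ends outside this hunk.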
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java index fb468967c..6b30c0cfa 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java @@ -258,6 +258,14 @@ public class ConfigurationProvider { return props.getProperty("general.login.pvp2.keystore.authrequest.key.password"); } + public String getPVP2KeystoreAuthRequestEncryptionKeyAlias() { + return props.getProperty("general.login.pvp2.keystore.authrequest.encryption.key.alias"); + } + + public String getPVP2KeystoreAuthRequestEncryptionKeyPassword() { + return props.getProperty("general.login.pvp2.keystore.authrequest.encryption.key.password"); + } + public String getPVP2IDPMetadataURL() { return props.getProperty("general.login.pvp2.idp.metadata.url"); } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java index c82746dbc..b5896aecf 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java @@ -1,5 +1,6 @@ package at.gv.egovernment.moa.id.configuration.struts.action; +import java.security.KeyStore; import java.util.ArrayList; import java.util.Date; import java.util.Enumeration; 
@@ -23,18 +24,24 @@ import org.opensaml.saml2.binding.decoding.HTTPPostDecoder; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.Conditions; +import org.opensaml.saml2.core.EncryptedAssertion; import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.Subject; import org.opensaml.saml2.core.SubjectConfirmation; import org.opensaml.saml2.core.SubjectConfirmationData; +import org.opensaml.saml2.encryption.Decrypter; +import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.security.MetadataCredentialResolver; import org.opensaml.security.MetadataCredentialResolverFactory; import org.opensaml.security.MetadataCriteria; import org.opensaml.security.SAMLSignatureProfileValidator; import org.opensaml.ws.transport.http.HttpServletRequestAdapter; +import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; +import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; +import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.CriteriaSet; import org.opensaml.xml.security.credential.UsageType; 
@@ -43,9 +50,12 @@ import org.opensaml.xml.security.criteria.UsageCriteria; import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver; import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; import org.opensaml.xml.security.keyinfo.KeyInfoProvider; +import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider; import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider; import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider; +import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; +import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.Signature; import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine; 
@@ -261,8 +271,47 @@ public class IndexAction extends ActionSupport implements ServletRequestAware, if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { - List saml2assertions = samlResponse.getAssertions(); - + List saml2assertions = new ArrayList(); + + //check encrypted Assertion + List encryAssertionList = samlResponse.getEncryptedAssertions(); + if (encryAssertionList != null && encryAssertionList.size() > 0) { + //decrypt assertions + + log.debug("Found encryped assertion. Start decryption ..."); + + KeyStore keyStore = config.getPVP2KeyStore(); + + X509Credential authDecCredential = new KeyStoreX509CredentialAdapter( + keyStore, + config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(), + config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray()); + + + StaticKeyInfoCredentialResolver skicr = + new StaticKeyInfoCredentialResolver(authDecCredential); + + ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); + encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); + encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); + encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); + + Decrypter samlDecrypter = + new Decrypter(null, skicr, encryptedKeyResolver); + + for (EncryptedAssertion encAssertion : encryAssertionList) { + saml2assertions.add(samlDecrypter.decrypt(encAssertion)); + + } + + log.debug("Assertion decryption finished. "); + + } else { + saml2assertions = samlResponse.getAssertions(); + + } + + if (MiscUtil.isEmpty(authID)) { log.info("NO AuthRequestID"); return Constants.STRUTS_ERROR; -- cgit v1.2.3 From dd4a77caa66368ca257fcf5a1f87d0dab90477f5 Mon Sep 17 00:00:00 2001 
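Review bot: The `else` branch falls back to `samlResponse.getAssertions()` whenever the response carries no `EncryptedAssertion`, so configuring an encryption key does not make encryption mandatory, and plain assertions sent next to encrypted ones are silently dropped. If encrypted assertions are expected once `getPVP2KeystoreAuthRequestEncryptionKeyAlias()` is set, reject the plaintext case there, for instance `else if (MiscUtil.isNotEmpty(config.getPVP2KeystoreAuthRequestEncryptionKeyAlias())) return Constants.STRUTS_ERROR;` together with a log entry; otherwise a comment stating that plaintext is accepted on purpose would do. The signature checks are outside this hunk: if they validate assertion signatures rather than the response signature, they have to run on the decrypted assertions. How a failure of `samlDecrypter.decrypt(...)` is handled is also not visible here, since the enclosing method starts and ends outside the hunk.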
From: Thomas Lenz Date: Tue, 21 Jan 2014 18:00:41 +0100 Subject: BUGFIX: RedirectBinding validate signatures which exists, but signature is not required changes for WKO: Allow Metadata with no AttributeConsumerService Allow AuthnRequest with no RequestedAuthnContext Allow AuthnRequest with no AssertionConsumerServiceIndex Use Metadata->AssertionConsumerService->isDefaut flag --- .../at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java | 3 ++- .../gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) (limited to 'id/ConfigWebTool/src/main/java/at') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java index 7e00b8084..e298bcdb3 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java @@ -146,7 +146,8 @@ public class Authenticate extends HttpServlet { for (SingleSignOnService sss : idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) { - if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { //Get the service address for the binding you wish to use + //Get the service address for the binding you wish to use + if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { redirectEndpoint = sss; } } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java index cdb28922c..9c6f39b30 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java 
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java @@ -204,6 +204,7 @@ public class BuildMetadata extends HttpServlet { spSSODescriptor.setWantAssertionsSigned(true); spSSODescriptor.setAuthnRequestsSigned(true); + AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class); -- cgit v1.2.3 From 1f46df486fbab558fb3e935dfed160f26e698ac0 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 24 Jan 2014 08:04:12 +0100 Subject: -- Solve merge problems (AuthnRequestHandler.java & mandateReferenceValueAttributeBuilder) -- Change sessionmanagement betweem AuthAction and TokenAction to AssertionStorage class -- add class definieten to HTML config element --- .../moa/id/configuration/config/ConfigurationProvider.java | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'id/ConfigWebTool/src/main/java/at') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java index 6b30c0cfa..e50515326 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java @@ -206,11 +206,8 @@ public class ConfigurationProvider { } public boolean isPVP2LoginActive() { - if (!pvp2logininitialzied) - return false; - - String result = props.getProperty("general.login.pvp2.isactive", "false"); - return Boolean.parseBoolean(result); + + return Boolean.parseBoolean(props.getProperty("general.login.pvp2.isactive", "false")); } public boolean isPVP2LoginBusinessService() { -- cgit v1.2.3 From cea2f395ec773b386ec628d60120752cf320f6b6 Mon Sep 17 00:00:00 2001 
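Review bot: Dropping the `if (!pvp2logininitialzied) return false;` guard makes `isPVP2LoginActive()` report the property value alone, so callers may offer PVP2 login even when PVP2 initialisation did not complete (where the flag is set is not visible in this hunk). If the flag is still maintained, keep it in the expression: `return pvp2logininitialzied && Boolean.parseBoolean(props.getProperty("general.login.pvp2.isactive", "false"));`. If it was removed on purpose, a short comment naming what now stops the login path from running against an uninitialised PVP2 setup would help the next reader.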
From: Thomas Lenz Date: Mon, 27 Jan 2014 16:27:02 +0100 Subject: add PVP2 Demo Application change SZRGWClient to JAXWs --- .../egovernment/moa/id/configuration/config/ConfigurationProvider.java | 2 ++ 1 file changed, 2 insertions(+) (limited to 'id/ConfigWebTool/src/main/java/at') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java index e50515326..e43a46496 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java @@ -91,6 +91,8 @@ public class ConfigurationProvider { fis = new FileInputStream(propertiesFile); props.load(fis); + fis.close(); + // initialize hibernate synchronized (ConfigurationProvider.class) { -- cgit v1.2.3
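Review bot: The added `fis.close();` runs only when `props.load(fis)` returns normally; if loading throws, the stream stays open. Close it on every path, e.g. `try { props.load(fis); } finally { fis.close(); }`, or use try-with-resources if the project builds on Java 7 or later. The enclosing method and its exception handling lie outside the hunk, so an existing `finally` there that already closes the stream would make this unnecessary.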