From 26822fcf41e37e0fedca87489b60304496c9d0f0 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 7 May 2014 16:28:22 +0200 Subject: check SAML2 metadata URL against publicService flag --- .../configuration/data/oa/OAMOAIDPInterfederationConfig.java | 12 +----------- .../struts/action/InterfederationIDPAction.java | 12 ++++++++++++ .../configuration/validation/oa/OAPVP2ConfigValidation.java | 12 ++++++++++-- .../src/main/resources/applicationResources_de.properties | 3 ++- .../src/main/resources/applicationResources_en.properties | 3 ++- 5 files changed, 27 insertions(+), 15 deletions(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAMOAIDPInterfederationConfig.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAMOAIDPInterfederationConfig.java index 7dad12477..5db9029bd 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAMOAIDPInterfederationConfig.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAMOAIDPInterfederationConfig.java @@ -114,17 +114,7 @@ public class OAMOAIDPInterfederationConfig implements IOnlineApplicationData { log.info("AttributeQuery URL is not valid"); errors.add(LanguageHelper.getErrorString("validation.interfederation.moaidp.queryurl.valid", request)); - } - - boolean publicServiceAllowed = ValidationHelper.isPublicServiceAllowed(queryURL); - if (!publicServiceAllowed && !general.isBusinessService()) { - log.info("AttributQuery Service URL " + queryURL + " does not allow PublicService."); - errors.add(LanguageHelper.getErrorString("validation.interfederation.moaidp.queryurl.publicservice", - new Object[] {queryURL}, request )); - general.setBusinessService(true); - - } - + } } if (inboundSSO && MiscUtil.isEmpty(queryURL)) { 
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/InterfederationIDPAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/InterfederationIDPAction.java index 4c0830ae9..7a05d6497 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/InterfederationIDPAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/InterfederationIDPAction.java @@ -34,6 +34,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin; import at.gv.egovernment.moa.id.commons.db.dao.config.MOAIDConfiguration; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; +import at.gv.egovernment.moa.id.commons.validation.ValidationHelper; import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.data.FormularCustomization; import at.gv.egovernment.moa.id.configuration.data.OAListElement; @@ -219,6 +220,17 @@ public class InterfederationIDPAction extends BasicOAAction { for (IOnlineApplicationData form : formList.values()) errors.addAll(form.validate(getGeneralOA(), authUser, request)); + + boolean publicServiceAllowed = ValidationHelper.isPublicServiceAllowed(getPvp2OA().getMetaDataURL()); + if (!publicServiceAllowed && !getGeneralOA().isBusinessService()) { + log.info("Metadata URL " + getPvp2OA().getMetaDataURL() + " does not allow PublicService."); + errors.add(LanguageHelper.getErrorString("validation.interfederation.moaidp.metadataurl.publicservice", + new Object[] {getPvp2OA().getMetaDataURL()}, request )); + getGeneralOA().setBusinessService(true); + + } + + if (errors.size() > 0) { log.info("IDP-Configuration with ID " + getGeneralOA().getIdentifier() + " has some errors."); for (String el : errors) 
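Review bot: The new publicService check in InterfederationIDPAction passes `getPvp2OA().getMetaDataURL()` to `ValidationHelper.isPublicServiceAllowed` without first checking that the URL is present, whereas the check it replaces in OAMOAIDPInterfederationConfig sat inside a block that had already validated the URL, so an empty or malformed metadata URL now reaches the domain check and, depending on how `isPublicServiceAllowed` treats it, may add a second misleading error next to the format error `form.validate` already reported. Hoist the value once and guard it: `String metadataURL = getPvp2OA().getMetaDataURL();` followed by `if (!MiscUtil.isEmpty(metadataURL) && !ValidationHelper.isPublicServiceAllowed(metadataURL) && !getGeneralOA().isBusinessService()) {`, which also removes the three repeated `getPvp2OA().getMetaDataURL()` calls. The `getGeneralOA().setBusinessService(true)` line silently flips a configuration flag inside what is otherwise an error-reporting path; a short comment such as `// forces the application into business-service mode so the stored config stays consistent with the allowed domain` would make that intent visible. The enclosing method starts outside the hunk.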
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java index 98d500526..62fc83ab9 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java @@ -30,6 +30,7 @@ import java.util.ArrayList; import java.util.List; import java.util.Timer; +import javax.net.ssl.SSLHandshakeException; import javax.servlet.http.HttpServletRequest; import org.apache.commons.httpclient.MOAHttpClient; @@ -142,8 +143,15 @@ public class OAPVP2ConfigValidation { errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read", request)); } catch (MetadataProviderException e) { - log.info("MetaDate verification failed"); - errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify", request)); + + if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { + log.info("SSL Server certificate not trusted.", e); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request)); + + } else { + log.info("MetaDate verification failed", e); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify", request)); + } } finally { if (httpProvider != null) diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties index 8e58f4f1d..acadde847 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties 
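Review bot: The SSL branch in the new `catch (MetadataProviderException e)` only matches when the `SSLHandshakeException` sits exactly two levels down (`e.getCause().getCause()`); a handshake failure wrapped one level deeper or shallower falls through to the generic "verification failed" message, and the operator then gets the wrong hint about an untrusted server certificate. Walking the whole cause chain is more robust and costs a few lines; the rest of both branches (log call and `errors.add`) stays as in the hunk. The enclosing try block starts outside the hunk.
```java
} catch (MetadataProviderException e) {
    // the handshake failure may be wrapped at any depth, so walk the full cause chain
    boolean sslFailure = false;
    for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
        if (t instanceof SSLHandshakeException) {
            sslFailure = true;
            break;
        }
    }
    if (sslFailure) {
        // … unchanged: "validation.pvp2.metadata.ssl" log and error …
    } else {
        // … unchanged: "validation.pvp2.metadata.verify" log and error …
    }
```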
@@ -458,13 +458,14 @@ validation.pvp2.metadataurl.read=Unter der angegebenen Metadaten URL konnten kei validation.pvp2.metadata.verify=Die Metadaten konnten nicht mit dem angegebenen Zertifikat verifziert werden. validation.pvp2.certificate.format=Das angegebene PVP2 Zertifikat wei\u00DFt kein g\u00FCltiges Format auf. validation.pvp2.certificate.notfound=Kein PVP2 Zertifikat eingef\u00FCgt. +validation.pvp2.metadata.ssl=Das SSL Serverzertifikat des Metadaten Service ist nicht vertrauensw\u00FCrdig. validation.sso.logouturl.empty=Eine URL zum Single Log-Out Service ist erforderlich. validation.sso.logouturl.valid=Die URL zum Single Log-Out Service wei\u00DFt kein g\u00FCltiges Format auf. validation.interfederation.moaidp.queryurl.valid=Die URL zum zum AttributQuery Service wei\u00DFt kein g\u00FCltiges Format auf. validation.interfederation.moaidp.queryurl.empty=Die URL zum zum AttributQuery Service muss f\u00FCr eingehende Single Sign-On Interfederation konfiguriert werden. -validation.interfederation.moaidp.queryurl.publicservice=Die Domain des AttributQuery Services f\u00FCr diesen IDP erlaubt nur Applikationen aus dem privatwirtschaftlichen Bereich. +validation.interfederation.moaidp.metadataurl.publicservice=Die Domain des Metadaten Services f\u00FCr diesen IDP erlaubt nur Applikationen aus dem privatwirtschaftlichen Bereich. validation.saml1.providestammzahl=ProvideStammZahl kann nicht mit Applikationen aus dem privatwirtschaftlichen Bereich kombiniert werden. diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties index e15f44d87..2871c24e4 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties 
@@ -456,13 +456,14 @@ validation.pvp2.metadataurl.read=No information could be found under provided UR validation.pvp2.metadata.verify=The metadata could not be verified with the provided certificate. validation.pvp2.certificate.format=The provided PVP2 certificate has invalid format. validation.pvp2.certificate.notfound=There is no PVP2 inserted. +validation.pvp2.metadata.ssl=The SSL server certificate is not trusted. validation.sso.logouturl.empty=URL for Single Log-Out Service is necessary. validation.sso.logouturl.valid=URL for Single Log-Out Service has incorrect format. validation.interfederation.moaidp.queryurl.valid=URL for AttributQuery Service has incorrect format. validation.interfederation.moaidp.queryurl.empty=URL for AttributQuery Service is necessary for inbound Single Sign-On interfederation. -validation.interfederation.moaidp.queryurl.publicservice=The domain of AttributQuery service for that IDP permits private sector only. +validation.interfederation.moaidp.metadataurl.publicservice=The domain of Metadata service for that IDP permits private sector only. validation.saml1.providestammzahl=ProvideSourcePIN cannot be combined with applications from private sector. -- cgit v1.2.3