From 96407baacd66fef7f3581a5377180a152795bd78 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 14 Jul 2014 09:02:30 +0200 Subject: add additionl trustmanagerrevoationchecking default value --- .../gv/egovernment/moa/id/configuration/data/GeneralMOAIDConfig.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/GeneralMOAIDConfig.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/GeneralMOAIDConfig.java index 681641834..f29780f05 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/GeneralMOAIDConfig.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/GeneralMOAIDConfig.java @@ -159,7 +159,8 @@ public class GeneralMOAIDConfig { if (authgen != null) { alternativeSourceID = authgen.getAlternativeSourceID(); certStoreDirectory = authgen.getCertStoreDirectory(); - trustmanagerrevocationcheck = authgen.isTrustManagerRevocationChecking(); + if (authgen.isTrustManagerRevocationChecking() != null) + trustmanagerrevocationcheck = authgen.isTrustManagerRevocationChecking(); publicURLPrefix = authgen.getPublicURLPreFix(); -- cgit v1.2.3 From a25c112bc34957cdaaf7dbb950c229666da52499 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 15 Jul 2014 12:32:46 +0200 Subject: solve Sub-Target problems in MOA-ID-Configuration --- .../data/oa/OATargetConfiguration.java | 23 ++++++++++++++++++++-- .../webapp/jsp/snippets/OA/targetConfiguration.jsp | 4 ++-- pom.xml | 2 +- 3 files changed, 24 insertions(+), 5 deletions(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java index e988cc292..550844700 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java @@ -83,7 +83,6 @@ public class OATargetConfiguration implements IOnlineApplicationData { @Override public List parse(OnlineApplication dbOA, AuthenticatedUser authUser, HttpServletRequest request) { - subTargetSet = MiscUtil.isNotEmpty(getTarget_subsector()); String target_full = dbOA.getTarget(); if (MiscUtil.isNotEmpty(target_full)) { @@ -95,8 +94,10 @@ public class OATargetConfiguration implements IOnlineApplicationData { if (TargetValidator.isValidTarget(target_split[0])) { target = target_split[0]; - if (target_split.length > 1) + if (target_split.length > 1) { target_subsector = target_split[1]; + subTargetSet = true; + } } else { target = ""; @@ -367,4 +368,22 @@ public class OATargetConfiguration implements IOnlineApplicationData { public void setDeaktivededBusinessService(boolean deaktivededBusinessService) { this.deaktivededBusinessService = deaktivededBusinessService; } + + + /** + * @return the subTargetSet + */ + public boolean isSubTargetSet() { + return subTargetSet; + } + + + /** + * @param subTargetSet the subTargetSet to set + */ + public void setSubTargetSet(boolean subTargetSet) { + this.subTargetSet = subTargetSet; + } + + } diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/targetConfiguration.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/targetConfiguration.jsp index 261966a86..b8bd1dc02 100644 --- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/targetConfiguration.jsp +++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/targetConfiguration.jsp @@ -46,8 +46,8 @@ - 2.1.0 2.0.0 2.0.1 - 1.1.0 + 1.1.0.1 2.0.2 -- cgit v1.2.3 From a777e9ba26db80ca30ed97a4910e3003aaae8b46 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 4 Nov 2014 07:30:10 +0100 Subject: add metadata schema validation filters --- .../auth/pvp2/MetaDataVerificationFilter.java | 3 +-- .../validation/oa/OAPVP2ConfigValidation.java | 17 ++++++++++++++++- .../protocols/pvp2x/metadata/MOAMetadataProvider.java | 4 ++++ .../metadata/InterfederatedIDPPublicServiceFilter.java | 1 - 4 files changed, 21 insertions(+), 4 deletions(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java index 332adaa80..7bf2cf93f 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java @@ -46,7 +46,6 @@ public class MetaDataVerificationFilter implements MetadataFilter { public void doFilter(XMLObject metadata) throws FilterException { if (metadata instanceof EntitiesDescriptor) { EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; - if(entitiesDescriptor.getSignature() == null) { throw new FilterException("Root element of metadata file has to be signed", null); } @@ -57,7 +56,7 @@ public class MetaDataVerificationFilter implements MetadataFilter { throw new FilterException("Invalid Metadata file Root element is no EntitiesDescriptor", null); } - } if (metadata instanceof EntityDescriptor) { + } if (metadata instanceof EntityDescriptor) { try { EntityDescriptor entity = (EntityDescriptor) metadata; if (entity.getSignature() != null) diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java index 40e243d0b..a64a0eaf1 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java @@ -36,8 +36,10 @@ import javax.servlet.http.HttpServletRequest; import org.apache.commons.httpclient.MOAHttpClient; import org.apache.log4j.Logger; import org.opensaml.Configuration; +import org.opensaml.common.xml.SAMLSchemaBuilder; import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.saml2.metadata.provider.MetadataFilterChain; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.io.MarshallerFactory; @@ -58,6 +60,7 @@ import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; import at.gv.egovernment.moa.id.configuration.data.oa.OAPVP2Config; import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; import at.gv.egovernment.moa.util.MiscUtil; public class OAPVP2ConfigValidation { @@ -127,16 +130,28 @@ public class OAPVP2ConfigValidation { log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.", e); } + + List filterList = new ArrayList(); + filterList.add(new MetaDataVerificationFilter(credential)); + filterList.add(new SchemaValidationFilter()); + MetadataFilterChain filter = new MetadataFilterChain(); + filter.setFilters(filterList); httpProvider = new HTTPMetadataProvider(timer, httpClient, form.getMetaDataURL()); httpProvider.setParserPool(new BasicParserPool()); httpProvider.setRequireValidMetadata(true); - httpProvider.setMetadataFilter(new MetaDataVerificationFilter(credential)); + httpProvider.setMetadataFilter(filter); httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours + + httpProvider.setRequireValidMetadata(true); + httpProvider.initialize(); + + + if (httpProvider.getMetadata() == null) { log.info("Metadata could be received but validation FAILED."); errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.validation", request)); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index cba64e080..12afa14bc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -57,6 +57,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -324,6 +325,7 @@ public class MOAMetadataProvider implements MetadataProvider { private MetadataFilterChain buildMetadataFilterChain(OnlineApplication oa, String metadataURL, byte[] certificate) throws CertificateException { MetadataFilterChain filterChain = new MetadataFilterChain(metadataURL, certificate); + filterChain.getFilters().add(new SchemaValidationFilter()); if (oa.isIsInterfederationIDP() != null && oa.isIsInterfederationIDP()) { Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies"); @@ -374,6 +376,8 @@ public class MOAMetadataProvider implements MetadataProvider { httpProvider.setMetadataFilter(filter); httpProvider.initialize(); + httpProvider.setRequireValidMetadata(true); + return httpProvider; } catch (Throwable e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java index 3d608fd6d..4d9b97a52 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java @@ -26,7 +26,6 @@ import org.opensaml.saml2.metadata.provider.FilterException; import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.xml.XMLObject; -import at.gv.egovernment.moa.id.commons.db.dao.config.InterfederationIDPType; import at.gv.egovernment.moa.id.commons.validation.ValidationHelper; import at.gv.egovernment.moa.logging.Logger; -- cgit v1.2.3 From fe077762d22fca69bc39741616166755bee82c7d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 4 Nov 2014 09:26:42 +0100 Subject: do not list STORK-PVP gateways in OA lists --- .../at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java index 150483dd8..8ed1f3a88 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java @@ -63,7 +63,8 @@ public class FormDataHelper { if ( !((dboa.isIsInterfederationIDP() != null && dboa.isIsInterfederationIDP()) || (dboa.getAuthComponentOA().getOASTORK() != null && dboa.getAuthComponentOA().getOASTORK().isVidpEnabled() != null - && dboa.getAuthComponentOA().getOASTORK().isVidpEnabled()))) { + && dboa.getAuthComponentOA().getOASTORK().isVidpEnabled()) || + (dboa.isIsInterfederationGateway() != null && dboa.isIsInterfederationGateway() ))) { formOAs.add(addOAFormListElement(dboa, ServiceType.OA)); } } -- cgit v1.2.3 From 306b421d07f29ed6a0e6a009a38c2f558a7e310d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 24 Nov 2014 09:29:34 +0100 Subject: fix configTool list OA problem --- .../at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java index 150483dd8..b66bf878a 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java @@ -60,7 +60,8 @@ public class FormDataHelper { for (OnlineApplication dboa : dbOAs) { - if ( !((dboa.isIsInterfederationIDP() != null && dboa.isIsInterfederationIDP()) || + if ( !((dboa.isIsInterfederationIDP() != null && dboa.isIsInterfederationIDP()) || + (dboa.isIsInterfederationGateway() != null && dboa.isIsInterfederationGateway()) || (dboa.getAuthComponentOA().getOASTORK() != null && dboa.getAuthComponentOA().getOASTORK().isVidpEnabled() != null && dboa.getAuthComponentOA().getOASTORK().isVidpEnabled()))) { -- cgit v1.2.3 From 6e32481ed5ac19a82165f229e690184e824a3008 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 27 Nov 2014 07:04:29 +0100 Subject: fix wrong error message if SSL server certificate is not trusted --- .../moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java index 40e243d0b..964a10a1b 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java @@ -126,6 +126,9 @@ public class OAPVP2ConfigValidation { } catch (ConfigurationException e) { log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.", e); + } catch (CertificateException e) { + log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.", e); + } httpProvider = @@ -157,6 +160,8 @@ public class OAPVP2ConfigValidation { } catch (MetadataProviderException e) { + + //TODO: check exception handling if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { log.info("SSL Server certificate not trusted.", e); errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request)); -- cgit v1.2.3 From 309f381c1ef98a82a23da42cda99734032b73bf4 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 4 Dec 2014 09:56:03 +0100 Subject: change exception handling for TrustStore configuration --- .../moa/id/configuration/config/ConfigurationProvider.java | 8 ++++---- .../id/configuration/validation/oa/OAPVP2ConfigValidation.java | 5 +---- 2 files changed, 5 insertions(+), 8 deletions(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java index 957479b29..e6000319e 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java @@ -437,23 +437,23 @@ public class ConfigurationProvider { return parseVersionFromManifest(); } - public String getCertStoreDirectory() throws CertificateException { + public String getCertStoreDirectory() throws ConfigurationException { String dir = props.getProperty("general.ssl.certstore"); if (MiscUtil.isNotEmpty(dir)) return FileUtils.makeAbsoluteURL(dir, configRootDir); else - throw new CertificateException("No SSLCertStore configured use default JAVA TrustStore."); + throw new ConfigurationException("No SSLCertStore configured use default JAVA TrustStore."); } - public String getTrustStoreDirectory() throws CertificateException { + public String getTrustStoreDirectory() throws ConfigurationException { String dir = props.getProperty("general.ssl.truststore"); if (MiscUtil.isNotEmpty(dir)) return FileUtils.makeAbsoluteURL(dir, configRootDir); else - throw new CertificateException("No SSLTrustStore configured use default JAVA TrustStore."); + throw new ConfigurationException("No SSLTrustStore configured use default JAVA TrustStore."); } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java index 964a10a1b..d122b6bde 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java @@ -126,10 +126,7 @@ public class OAPVP2ConfigValidation { } catch (ConfigurationException e) { log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.", e); - } catch (CertificateException e) { - log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.", e); - - } + } httpProvider = new HTTPMetadataProvider(timer, httpClient, form.getMetaDataURL()); -- cgit v1.2.3 From 85984d9432521ea4e14039d37d434f863c492cf1 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 19 Dec 2014 10:31:04 +0100 Subject: fix TestOID configuration problem --- .../data/oa/OAAuthenticationData.java | 48 ++++++++++++++-------- .../oa/OAAuthenticationDataValidation.java | 6 ++- 2 files changed, 35 insertions(+), 19 deletions(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java index 0e65b7dca..a9c914f74 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java @@ -30,6 +30,7 @@ import java.util.Map; import javax.servlet.http.HttpServletRequest; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA; import at.gv.egovernment.moa.id.commons.db.dao.config.BKUURLS; import at.gv.egovernment.moa.id.commons.db.dao.config.DefaultBKUs; @@ -40,6 +41,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplatesType; import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials; +import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentialsCredentialOIDItem; import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType; import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; @@ -207,8 +209,9 @@ public class OAAuthenticationData implements IOnlineApplicationData { } if (oaauth.getTestCredentials() != null) { - enableTestCredentials = oaauth.getTestCredentials().isEnableTestCredentials(); - testCredentialOIDs = oaauth.getTestCredentials().getCredentialOID(); + enableTestCredentials = oaauth.getTestCredentials().isEnableTestCredentials(); + testCredentialOIDs = new ArrayList(); + testCredentialOIDs.addAll(oaauth.getTestCredentials().getCredentialOID()); } @@ -315,12 +318,20 @@ public class OAAuthenticationData implements IOnlineApplicationData { if (enableTestCredentials) { TestCredentials testing = authoa.getTestCredentials(); - if (testing == null) - testing = new TestCredentials(); - - testing.setEnableTestCredentials(enableTestCredentials); + if (testing != null) + ConfigurationDBUtils.delete(testing); + + testing = new TestCredentials(); + authoa.setTestCredentials(testing); + testing.setEnableTestCredentials(enableTestCredentials); testing.setCredentialOID(testCredentialOIDs); + } else { + TestCredentials testing = authoa.getTestCredentials(); + if (testing != null) { + testing.setEnableTestCredentials(false); + } + } return null; @@ -576,12 +587,14 @@ public class OAAuthenticationData implements IOnlineApplicationData { */ public String getTestCredentialOIDs() { String value = null; - for (String el : testCredentialOIDs) { - if (value == null) - value = el; - else - value += "," + el; + if (testCredentialOIDs != null) { + for (String el : testCredentialOIDs) { + if (value == null) + value = el; + else + value += "," + el; + } } return value; @@ -595,12 +608,13 @@ public class OAAuthenticationData implements IOnlineApplicationData { * @param testCredentialOIDs the testCredentialOIDs to set */ public void setTestCredentialOIDs(String testCredentialOIDs) { - String[] oidList = testCredentialOIDs.split(","); + if (MiscUtil.isNotEmpty(testCredentialOIDs)) { + String[] oidList = testCredentialOIDs.split(","); - this.testCredentialOIDs = new ArrayList(); - for (int i=0; i(); + for (int i=0; i Date: Fri, 19 Dec 2014 10:31:45 +0100 Subject: fix problem with empty database --- .../moa/id/configuration/struts/action/EditGeneralConfigAction.java | 3 +++ .../java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java index 31c29aef0..4236c0d13 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java @@ -241,6 +241,9 @@ public class EditGeneralConfigAction extends BasicAction { } MOAIDConfiguration dbconfig = ConfigurationDBRead.getMOAIDConfiguration(); + if (dbconfig == null) + dbconfig = new MOAIDConfiguration(); + AuthComponentGeneral dbauth = dbconfig.getAuthComponentGeneral(); if (dbauth == null) { diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java index a3f445fcf..6efdd6223 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java @@ -152,7 +152,7 @@ public class ConfigurationDBRead { if (result.size() == 0) { Logger.trace("No entries found. Create fresh instance."); - return new MOAIDConfiguration(); + return null; } return (MOAIDConfiguration) result.get(0); -- cgit v1.2.3 From 7a829a509f470bddc73ac55584db9c29a9312784 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 19 Dec 2014 10:32:09 +0100 Subject: fix errormessage --- .../egovernment/moa/id/configuration/struts/action/ListOAsAction.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java index 7f7f083c9..335dbc91e 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java @@ -133,7 +133,7 @@ public class ListOAsAction extends BasicAction { } else { if (ValidationHelper.containsPotentialCSSCharacter(friendlyname, false)) { log.warn("SearchOA textfield contains potential XSS characters"); - addActionError(LanguageHelper.getErrorString("validation.general.oafriendlyname", + addActionError(LanguageHelper.getErrorString("validation.general.oafriendlyname.valid", new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request)); return Constants.STRUTS_SUCCESS; } -- cgit v1.2.3 From 9e3e7423eb938082ce60af97ecb359b166715bd3 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 19 Dec 2014 10:32:34 +0100 Subject: fix OA PublicPrefix validation --- .../configuration/struts/action/BasicOAAction.java | 25 +++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java index 5a9787069..26d97484b 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java @@ -291,8 +291,17 @@ public class BasicOAAction extends BasicAction { } else { - if (oaid == -1) { - onlineapplication = ConfigurationDBRead.getOnlineApplication(oaidentifier); + if (oaid == -1) { + List oaList = ConfigurationDBRead.getAllOnlineApplications(); + for (OnlineApplication el : oaList) { + if (el.getPublicURLPrefix().startsWith(oaidentifier) ) + onlineapplication = el; + + } + if (onlineapplication == null) { + onlineapplication = ConfigurationDBRead.getOnlineApplication(oaidentifier); + + } setNewOA(true); if (onlineapplication != null) { log.info("The OAIdentifier is not unique"); @@ -306,7 +315,17 @@ public class BasicOAAction extends BasicAction { onlineapplication = ConfigurationDBRead.getOnlineApplication(oaid); if (!oaidentifier.equals(onlineapplication.getPublicURLPrefix())) { - if (ConfigurationDBRead.getOnlineApplication(oaidentifier) != null) { + OnlineApplication dbOA = null; + List oaList = ConfigurationDBRead.getAllOnlineApplications(); + for (OnlineApplication el : oaList) { + if (el.getPublicURLPrefix().startsWith(oaidentifier) ) + dbOA = el; + + } + if (dbOA == null) + dbOA = ConfigurationDBRead.getOnlineApplication(oaidentifier); + + if ( (dbOA != null && !dbOA.getHjid().equals(oaid))) { log.info("The OAIdentifier is not unique"); throw new BasicOAActionException( LanguageHelper.getErrorString("validation.general.oaidentifier.notunique", request), -- cgit v1.2.3 From 33a37cce841e6c48ab044cd153aa7ed7cfffc6cc Mon Sep 17 00:00:00 2001 From: Thomas Knall Date: Wed, 14 Jan 2015 12:41:54 +0100 Subject: Apply some minor fixes. - Add some FIXMEs. - Fix moa-id-auth web.xml and switch to Servlet 3.0. - Fix moa-id-auth logging (replace commons-logging with commons-logging-slf4j bridge, use log4j native binding). - Adjust logging of periodical tasks (no more logging at info level). --- .../auth/pvp2/servlets/Authenticate.java | 1 + id/server/auth/pom.xml | 21 +++++++++++++++++++++ .../moa/id/auth/MOAIDAuthInitializer.java | 2 +- .../moa/id/config/auth/AuthConfigLoader.java | 2 +- .../moa/id/commons/utils/ssl/SSLUtils.java | 1 + 5 files changed, 25 insertions(+), 2 deletions(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/Authenticate.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/Authenticate.java index 390b8c476..f7406c42e 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/Authenticate.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/Authenticate.java @@ -84,6 +84,7 @@ public class Authenticate extends HttpServlet { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setNamespaceAware(true); try { + // FIXME[tlenz]: Neither DocumentBuilderFactory nor DocumentBuilder is guaranteed to be thread-safe! builder = factory.newDocumentBuilder(); } catch (ParserConfigurationException e) { log.warn("PVP2 AuthenticationServlet can not be initialized.", e); diff --git a/id/server/auth/pom.xml b/id/server/auth/pom.xml index dd75ee6aa..7db6ce648 100644 --- a/id/server/auth/pom.xml +++ b/id/server/auth/pom.xml @@ -112,11 +112,25 @@ axis-wsdl4j axis + + commons-logging + commons-logging + MOA.id.server moa-id-lib + + + commons-logging + commons-logging + + + ch.qos.logback + logback-classic + + eu.stork @@ -173,6 +187,13 @@ provided + + + org.slf4j + jcl-over-slf4j + 1.7.10 + + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java index c3575470f..d4ce8670e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java @@ -148,7 +148,7 @@ public class MOAIDAuthInitializer { } } - // FIXME[@tlenz]: iaik.prod:iaik_X509TrustManager requires iaik.IAIKRuntimeException (should have been moved from iaik.server.modules (iaik.prod:iaik_moa:1.51)) + // FIXME[@tlenz]: iaik.prod:iaik_X509TrustManager requires iaik.IAIKRuntimeException which might have been moved to iaik.server.modules (iaik.prod:iaik_moa:1.51)) // Initializes IAIKX509TrustManager logging /* String log4jConfigURL = System.getProperty("log4j.configuration"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java index b02c0946c..593b72658 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java @@ -40,7 +40,7 @@ public class AuthConfigLoader implements Runnable { try { Thread.sleep(INTERVAL * 1000); - Logger.info("check for new config."); + Logger.trace("check for new config."); MOAIDConfiguration moaidconfig = ConfigurationDBRead.getMOAIDConfiguration(); if (moaidconfig != null) { diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index 68437a04d..dfd549b6a 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -177,6 +177,7 @@ public class SSLUtils { // This call fixes a bug occuring when PKIConfiguration is // initialized by the MOA-SP initialization code, in case // MOA-SP is called by API + // FIXME[tlenz]: Requires IAIKX509TrustManager (iaik.prod:iaik_X509TrustManager requires iaik.IAIKRuntimeException which might have been moved to iaik.server.modules (iaik.prod:iaik_moa:1.51))) MOAIDTrustManager.initializeLoggingContext(); IAIKX509TrustManager tm = new MOAIDTrustManager(acceptedServerCertURL); tm.init(cfg, profile); -- cgit v1.2.3 From 1679466b77e29ff8181b1b01a320c3548e28a349 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 19 Feb 2015 14:46:06 +0100 Subject: fix some possible problems --- .../auth/pvp2/servlets/Authenticate.java | 52 +++++++++++++--------- .../moa/id/auth/MOAIDAuthInitializer.java | 3 +- .../moa/id/commons/utils/ssl/SSLUtils.java | 1 - 3 files changed, 31 insertions(+), 25 deletions(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/Authenticate.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/Authenticate.java index f7406c42e..a511a3c88 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/Authenticate.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/Authenticate.java @@ -75,34 +75,42 @@ public class Authenticate extends HttpServlet { private static final long serialVersionUID = 1L; private static final Logger log = LoggerFactory - .getLogger(Authenticate.class); - /** - * @see HttpServlet#HttpServlet() - */ - public Authenticate() { - super(); - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + .getLogger(Authenticate.class); + + private static DocumentBuilderFactory factory = null; + + static { + initialDocumentBuilderFactory(); + } + + synchronized private static void initialDocumentBuilderFactory() { + factory = DocumentBuilderFactory.newInstance(); factory.setNamespaceAware(true); + + } + + public Document asDOMDocument(XMLObject object) throws IOException, + MarshallingException, TransformerException, ParserConfigurationException { try { - // FIXME[tlenz]: Neither DocumentBuilderFactory nor DocumentBuilder is guaranteed to be thread-safe! - builder = factory.newDocumentBuilder(); + DocumentBuilder builder = null; + synchronized (factory) { + builder = factory.newDocumentBuilder(); + + } + + Document document = builder.newDocument(); + Marshaller out = Configuration.getMarshallerFactory().getMarshaller( + object); + out.marshall(object, document); + return document; + } catch (ParserConfigurationException e) { log.warn("PVP2 AuthenticationServlet can not be initialized.", e); - + throw e; } + } - - DocumentBuilder builder; - - public Document asDOMDocument(XMLObject object) throws IOException, - MarshallingException, TransformerException { - Document document = builder.newDocument(); - Marshaller out = Configuration.getMarshallerFactory().getMarshaller( - object); - out.marshall(object, document); - return document; - } - + protected void process(HttpServletRequest request, HttpServletResponse response, Map legacyParameter) throws ServletException, IOException { try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java index d4ce8670e..025c4c652 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java @@ -147,8 +147,7 @@ public class MOAIDAuthInitializer { .toString() }, ex); } } - - // FIXME[@tlenz]: iaik.prod:iaik_X509TrustManager requires iaik.IAIKRuntimeException which might have been moved to iaik.server.modules (iaik.prod:iaik_moa:1.51)) + // Initializes IAIKX509TrustManager logging /* String log4jConfigURL = System.getProperty("log4j.configuration"); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index dfd549b6a..68437a04d 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -177,7 +177,6 @@ public class SSLUtils { // This call fixes a bug occuring when PKIConfiguration is // initialized by the MOA-SP initialization code, in case // MOA-SP is called by API - // FIXME[tlenz]: Requires IAIKX509TrustManager (iaik.prod:iaik_X509TrustManager requires iaik.IAIKRuntimeException which might have been moved to iaik.server.modules (iaik.prod:iaik_moa:1.51))) MOAIDTrustManager.initializeLoggingContext(); IAIKX509TrustManager tm = new MOAIDTrustManager(acceptedServerCertURL); tm.init(cfg, profile); -- cgit v1.2.3 From e1c2c42aabf3b1207547dd40b91dc93921303c4a Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 7 Apr 2015 10:19:21 +0200 Subject: add configuration property to deactivate PVP metadata schema validation --- .../moa/id/configuration/config/ConfigurationProvider.java | 5 +++++ .../configuration/validation/oa/OAPVP2ConfigValidation.java | 11 ++++++++++- .../conf/moa-id-configuration/moa-id-configtool.properties | 2 ++ 3 files changed, 17 insertions(+), 1 deletion(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java index e6000319e..8ac7b40d4 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java @@ -462,6 +462,11 @@ public class ConfigurationProvider { } + public boolean isPVPMetadataSchemaValidationActive() { + return Boolean.parseBoolean(props.getProperty("general.pvp.schemavalidation", "true")); + + } + private void initalPVP2Login() throws ConfigurationException { try { diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java index 8e1dd6e64..ba77b601b 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java @@ -133,7 +133,16 @@ public class OAPVP2ConfigValidation { List filterList = new ArrayList(); filterList.add(new MetaDataVerificationFilter(credential)); - filterList.add(new SchemaValidationFilter()); + + try { + filterList.add(new SchemaValidationFilter( + ConfigurationProvider.getInstance().isPVPMetadataSchemaValidationActive())); + + } catch (ConfigurationException e) { + log.warn("Configuration access FAILED!", e); + + } + MetadataFilterChain filter = new MetadataFilterChain(); filter.setFilters(filterList); diff --git a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties index 7c71fadcb..b10913d69 100644 --- a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties +++ b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties @@ -15,6 +15,8 @@ general.ssl.truststore=certs/truststore general.moaconfig.key=ConfigurationEncryptionKey +general.pvp.schemavalidation=true + ##Mail general.mail.host=smtp.localhost... #general.mail.host.port= -- cgit v1.2.3 From 70aa50b21c2e9ef9318ed72ae90a67d984db33a7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 14 Apr 2015 16:57:02 +0200 Subject: fix possible NullPointerException if no OA is found --- .../moa/id/configuration/struts/action/BasicOAAction.java | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java index 26d97484b..82390c49c 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java @@ -291,13 +291,17 @@ public class BasicOAAction extends BasicAction { } else { - if (oaid == -1) { + if (oaid == -1) { List oaList = ConfigurationDBRead.getAllOnlineApplications(); - for (OnlineApplication el : oaList) { - if (el.getPublicURLPrefix().startsWith(oaidentifier) ) - onlineapplication = el; + + if (oaList != null) { + for (OnlineApplication el : oaList) { + if (el.getPublicURLPrefix().startsWith(oaidentifier) ) + onlineapplication = el; + } } + if (onlineapplication == null) { onlineapplication = ConfigurationDBRead.getOnlineApplication(oaidentifier); -- cgit v1.2.3 From 1b019f2d114b158676b8fa4acc0e2f1c06beeac2 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 14 Apr 2015 16:57:59 +0200 Subject: fix problem with Authenticated sessions --- .../configuration/filter/AuthenticationFilter.java | 26 +++++++++++----------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java index d13696d51..8ddeb9ebc 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java @@ -134,21 +134,20 @@ public class AuthenticationFilter implements Filter{ log.trace("Request URL: " + requestURL); - AuthenticationManager authManager = AuthenticationManager.getInstance(); - if (!authManager.isActiveUser(authuser)) { - //user is not active anymore. Invalidate session and reauthenticate user - String authID = (String) session.getAttribute(Constants.SESSION_PVP2REQUESTID); - session.invalidate(); - authuser = null; + AuthenticationManager authManager = AuthenticationManager.getInstance(); + if (!authManager.isActiveUser(authuser) && !this.isExcluded(requestURL)) { + if (!this.isExcluded(requestURL)) { + //user is not active anymore. Invalidate session and reauthenticate user + String authID = (String) session.getAttribute(Constants.SESSION_PVP2REQUESTID); + session.invalidate(); + authuser = null; - //TODO: set infotext - - session = httpServletRequest.getSession(true); - session.setAttribute(Constants.SESSION_PVP2REQUESTID, authID); - } - - if (authuser == null && !this.isExcluded(requestURL)) { + //TODO: set infotext + session = httpServletRequest.getSession(true); + session.setAttribute(Constants.SESSION_PVP2REQUESTID, authID); + } + if (config.isLoginDeaktivated()) { //add dummy Daten log.warn("Authentication is deaktivated. Dummy authentication-information are used!"); @@ -178,6 +177,7 @@ public class AuthenticationFilter implements Filter{ } } else { + if (MiscUtil.isNotEmpty(getAuthenticatedPage())) { log.debug("Unable to find authentication data. Authenticated page is given so there is no need to save original request url. " + (loginPageForward ? "Forwarding" : "Redirecting") + " to login page \"" + loginPage + "\"."); -- cgit v1.2.3 From a6189a32a78d2b3ed096356f6b7e0049c8870b21 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 14 Apr 2015 16:59:25 +0200 Subject: update error handling in PVP metadata verification filter implemetations --- .../auth/pvp2/MetaDataVerificationFilter.java | 12 +++-- .../validation/oa/OAPVP2ConfigValidation.java | 31 +++++++++--- .../resources/applicationResources_de.properties | 4 +- .../resources/applicationResources_en.properties | 4 +- .../filter/SchemaValidationException.java | 43 ++++++++++++++++ .../filter/SignatureValidationException.java | 58 ++++++++++++++++++++++ .../pvp2x/metadata/MOAMetadataProvider.java | 14 +++++- .../metadata/MetadataSignatureFilter.java | 5 +- .../metadata/SchemaValidationFilter.java | 7 ++- 9 files changed, 155 insertions(+), 23 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SchemaValidationException.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SignatureValidationException.java (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java index 7bf2cf93f..104ea51f5 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java @@ -32,6 +32,7 @@ import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.x509.BasicX509Credential; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier; public class MetaDataVerificationFilter implements MetadataFilter { @@ -43,17 +44,18 @@ public class MetaDataVerificationFilter implements MetadataFilter { } - public void doFilter(XMLObject metadata) throws FilterException { + public void doFilter(XMLObject metadata) throws SignatureValidationException { + if (metadata instanceof EntitiesDescriptor) { EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; if(entitiesDescriptor.getSignature() == null) { - throw new FilterException("Root element of metadata file has to be signed", null); + throw new SignatureValidationException("Root element of metadata file has to be signed"); } try { processEntitiesDescriptor(entitiesDescriptor); } catch (MOAIDException e) { - throw new FilterException("Invalid Metadata file Root element is no EntitiesDescriptor", null); + throw new SignatureValidationException("Invalid signature element in EntitiesDescriptor"); } } if (metadata instanceof EntityDescriptor) { @@ -63,10 +65,10 @@ public class MetaDataVerificationFilter implements MetadataFilter { EntityVerifier.verify(entity, this.credential); else - throw new FilterException("Root element of metadata file has to be signed", null); + throw new SignatureValidationException("Root element of metadata file has to be signed", null); } catch (MOAIDException e) { - throw new FilterException("Invalid Metadata file Root element is no EntitiesDescriptor", null); + throw new SignatureValidationException("Invalid signature element in EntityDescriptor", null); } } } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java index ba77b601b..37a170267 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java @@ -60,6 +60,8 @@ import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; import at.gv.egovernment.moa.id.configuration.data.oa.OAPVP2Config; import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; import at.gv.egovernment.moa.util.MiscUtil; @@ -181,15 +183,28 @@ public class OAPVP2ConfigValidation { } catch (MetadataProviderException e) { - - //TODO: check exception handling - if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { - log.info("SSL Server certificate not trusted.", e); - errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request)); + try { + if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { + log.info("SSL Server certificate not trusted.", e); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request)); + + } else if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) { + log.info("MetaDate verification failed", e); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.sig", request)); + + } else if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) { + log.info("MetaDate verification failed", e); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.schema", request)); + + } else { + log.info("MetaDate verification failed", e); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request)); + } + + } catch (Exception e1) { + log.info("MetaDate verification failed", e1); + errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request)); - } else { - log.info("MetaDate verification failed", e); - errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify", request)); } } finally { diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties index 072f44981..c888a2d77 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties @@ -487,7 +487,9 @@ validation.stork.ap.attributes.valid=Ung\u00FCltige Attributconfiguration f\u00F validation.pvp2.metadataurl.empty=Keine Metadaten URL angegeben. validation.pvp2.metadataurl.valid=Die Metadaten URL wei\u00DFt kein g\u00FCltiges URL Format auf. validation.pvp2.metadataurl.read=Unter der angegebenen Metadaten URL konnten keine Informationen abgerufen werden. -validation.pvp2.metadata.verify=Die Metadaten konnten nicht mit dem angegebenen Zertifikat verifziert werden. +validation.pvp2.metadata.verify.sig=Die Metadaten konnten nicht mit dem angegebenen Zertifikat verifziert werden. +validation.pvp2.metadata.verify.schema=Die Schema-Validierung der Metadaten ist fehlgeschlagen. +validation.pvp2.metadata.verify.general=Bei der Validierung der Metadaten ist ein allgemeiner Fehler aufgetreten. validation.pvp2.certificate.format=Das angegebene PVP2 Zertifikat wei\u00DFt kein g\u00FCltiges Format auf. validation.pvp2.certificate.notfound=Kein PVP2 Zertifikat eingef\u00FCgt. validation.pvp2.metadata.ssl=Das SSL Serverzertifikat des Metadaten Service ist nicht vertrauensw\u00FCrdig. diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties index b717377e0..43dcfeac8 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties @@ -485,7 +485,9 @@ validation.stork.ap.attributes.valid=Invalid attribute configuration for Attribu validation.pvp2.metadataurl.empty=There is no metadata URL provided. validation.pvp2.metadataurl.valid=The metadata URL has invalid URL format . validation.pvp2.metadataurl.read=No information could be found under provided URL. -validation.pvp2.metadata.verify=The metadata could not be verified with the provided certificate. +validation.pvp2.metadata.verify.sig=The metadata could not be verified with the provided certificate. +validation.pvp2.metadata.verify.schema=Metadata schema validation FAILED. +validation.pvp2.metadata.verify.general=Metadata validation has an generic error. validation.pvp2.certificate.format=The provided PVP2 certificate has invalid format. validation.pvp2.certificate.notfound=There is no PVP2 inserted. validation.pvp2.metadata.ssl=The SSL server certificate is not trusted. diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SchemaValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SchemaValidationException.java new file mode 100644 index 000000000..8da5edeed --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SchemaValidationException.java @@ -0,0 +1,43 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter; + +import org.opensaml.saml2.metadata.provider.FilterException; + +/** + * @author tlenz + * + */ +public class SchemaValidationException extends FilterException { + + /** + * @param string + */ + public SchemaValidationException(String string) { + super(string); + + } + + private static final long serialVersionUID = 1L; + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SignatureValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SignatureValidationException.java new file mode 100644 index 000000000..86a6a777b --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SignatureValidationException.java @@ -0,0 +1,58 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter; + +import org.opensaml.saml2.metadata.provider.FilterException; + +/** + * @author tlenz + * + */ +public class SignatureValidationException extends FilterException { + + /** + * @param string + */ + public SignatureValidationException(String string) { + super(string); + + } + + /** + * @param e + */ + public SignatureValidationException(Exception e) { + super(e); + } + + /** + * @param string + * @param object + */ + public SignatureValidationException(String string, Exception e) { + super(string, e); + } + + private static final long serialVersionUID = 1L; + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 12afa14bc..d493ef9e0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -55,6 +55,8 @@ import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; @@ -380,10 +382,18 @@ public class MOAMetadataProvider implements MetadataProvider { return httpProvider; - } catch (Throwable e) { + } catch (Throwable e) { if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { Logger.warn("SSL-Server certificate for metadata " - + metadataURL + " not trusted.", e); + + metadataURL + " not trusted.", e); + + } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) { + Logger.warn("Signature verification for metadata" + + metadataURL + " FAILED.", e); + + } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) { + Logger.warn("Schema validation for metadata " + + metadataURL + " FAILED.", e); } Logger.error( diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java index 0405fa114..6dac4bba1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java @@ -39,6 +39,7 @@ import org.opensaml.xml.security.x509.BasicX509Credential; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier; import at.gv.egovernment.moa.logging.Logger; @@ -126,7 +127,7 @@ public class MetadataSignatureFilter implements MetadataFilter { desc.getEntityDescriptors().addAll(verifiedEntIT); } - public void doFilter(XMLObject metadata) throws FilterException { + public void doFilter(XMLObject metadata) throws SignatureValidationException { try { if (metadata instanceof EntitiesDescriptor) { EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; @@ -155,7 +156,7 @@ public class MetadataSignatureFilter implements MetadataFilter { Logger.info("Metadata signature policy check done OK"); } catch (MOAIDException e) { Logger.warn("Metadata signature policy check FAILED.", e); - throw new FilterException(e); + throw new SignatureValidationException(e); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java index 382adb108..f73b541bf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java @@ -22,8 +22,6 @@ */ package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; -import java.io.IOException; - import org.opensaml.saml2.metadata.provider.FilterException; import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.xml.XMLObject; @@ -38,6 +36,7 @@ import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; import at.gv.egovernment.moa.logging.Logger; /** @@ -69,7 +68,7 @@ public class SchemaValidationFilter implements MetadataFilter { * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) */ @Override - public void doFilter(XMLObject arg0) throws FilterException { + public void doFilter(XMLObject arg0) throws SchemaValidationException { String errString = null; @@ -100,7 +99,7 @@ public class SchemaValidationFilter implements MetadataFilter { } - throw new FilterException("Metadata Schema validation FAILED with message: "+ errString); + throw new SchemaValidationException("Metadata Schema validation FAILED with message: "+ errString); } else Logger.info("Metadata Schema validation check is DEACTIVATED!"); -- cgit v1.2.3 From 387169d0d5f022dea6ad5cd5ecc5a31ce9bf21d9 Mon Sep 17 00:00:00 2001 From: Bojan Suzic Date: Mon, 11 May 2015 14:29:43 +0200 Subject: velocity engine init exception handling --- .../at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'id/ConfigWebTool/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java index 3d66a4b19..3b2e0bd08 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/PVP2Utils.java @@ -125,7 +125,10 @@ public class PVP2Utils { log.warn("Encode PVP 2.1 message FAILED.", e); throw new PVP2Exception("Encode PVP 2.1 message FAILED.", e); - } + } catch (Exception ex) { + log.warn("Initialization exception", ex); + throw new PVP2Exception("Initializing Velocity engine FAILED.", ex); + } } -- cgit v1.2.3