From 103aa707a18f80f4fa811ccbf917e7274f020ef7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 3 Oct 2017 16:21:55 +0200 Subject: add functionality to put additional parameters on executioncontext --- .../moa/id/moduls/AuthenticationManager.java | 32 ++++++++++++++++++---- 1 file changed, 27 insertions(+), 5 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 7c581d470..aff2c83ad 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.moduls; import java.io.IOException; +import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; import java.util.Enumeration; @@ -90,6 +91,7 @@ import at.gv.egovernment.moa.util.MiscUtil; @Service("MOAID_AuthenticationManager") public class AuthenticationManager extends MOAIDAuthConstants { + private static List reqParameterWhiteListeForModules = new ArrayList(); public static final String MOA_SESSION = "MoaAuthenticationSession"; public static final String MOA_AUTHENTICATED = "MoaAuthenticated"; @@ -308,6 +310,18 @@ public class AuthenticationManager extends MOAIDAuthConstants { } } + /** + * Add a request parameter to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext} + * + * @param httpReqParam http parameter name, but never null + */ + public void addParameterNameToWhiteList(String httpReqParam) { + if (MiscUtil.isNotEmpty(httpReqParam)) + reqParameterWhiteListeForModules.add(httpReqParam); + + } + + /** * Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated * @@ -386,17 +400,25 @@ public class AuthenticationManager extends MOAIDAuthConstants { executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_ISLEGACYREQUEST, leagacyMode); executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, !leagacyMode && MiscUtil.isEmpty(pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class))); + + //add X509 SSL client certificate if exist + if (httpReq.getAttribute("javax.servlet.request.X509Certificate") != null) { + Logger.debug("Find SSL-client-certificate on request --> Add it to context"); + executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE, + ((X509Certificate[])httpReq.getAttribute("javax.servlet.request.X509Certificate"))); + + } - //add leagcy parameters to context - if (leagacyMode) { + //add additional http request parameter to context + if (!reqParameterWhiteListeForModules.isEmpty() || leagacyMode) { Enumeration reqParamNames = httpReq.getParameterNames(); while(reqParamNames.hasMoreElements()) { String paramName = reqParamNames.nextElement(); if (MiscUtil.isNotEmpty(paramName) && - MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName)) + ( MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName) + || reqParameterWhiteListeForModules.contains(paramName) )) executionContext.put(paramName, - StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName))); - + StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName))); } } -- cgit v1.2.3