From 7523477ce0884b45a992748a12ea824fa85ea14d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Sun, 26 Nov 2017 21:04:51 +0100 Subject: add String escaping on same methods --- .../moa/id/auth/servlet/AbstractController.java | 3 +- .../id/auth/servlet/IDPSingleLogOutServlet.java | 5 +- .../moa/id/auth/servlet/RedirectServlet.java | 2 +- .../moa/id/moduls/AuthenticationManager.java | 2 +- .../protocols/ProtocolFinalizationController.java | 5 +- .../moa/id/protocols/pvp2x/utils/Digester.java | 48 --- .../id/protocols/pvp2x/utils/PrettyPrinter.java | 323 --------------------- .../at/gv/egovernment/moa/id/util/XMLUtil.java | 143 --------- 8 files changed, 10 insertions(+), 521 deletions(-) delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/XMLUtil.java (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java index 5f74d8fdd..67611dd72 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java @@ -254,7 +254,8 @@ public abstract class AbstractController extends MOAIDAuthConstants { //add stacktrace if debug is enabled if (Logger.isTraceEnabled()) { - config.putCustomParameter("stacktrace", getStacktraceFromException(error)); + config.putCustomParameter("stacktrace", + StringEscapeUtils.escapeHtml(getStacktraceFromException(error))); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java index a146f778e..19f3fdc54 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java @@ -28,6 +28,7 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; import org.opensaml.saml2.core.LogoutResponse; import org.opensaml.saml2.metadata.SingleLogoutService; import org.springframework.beans.factory.annotation.Autowired; @@ -93,9 +94,9 @@ public class IDPSingleLogOutServlet extends AbstractController { String ssoid = ssoManager.getSSOSessionID(req); - Object restartProcessObj = req.getParameter(MOAIDAuthConstants.PARAM_SLORESTART); + Object restartProcessObj = StringEscapeUtils.escapeHtml(req.getParameter(MOAIDAuthConstants.PARAM_SLORESTART)); - Object tokkenObj = req.getParameter(MOAIDAuthConstants.PARAM_SLOSTATUS); + Object tokkenObj = StringEscapeUtils.escapeHtml(req.getParameter(MOAIDAuthConstants.PARAM_SLOSTATUS)); String tokken = null; String status = null; if (tokkenObj != null && tokkenObj instanceof String) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java index be511d888..a7f911845 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java @@ -65,7 +65,7 @@ public class RedirectServlet { Logger.debug("Receive " + RedirectServlet.class + " Request"); String url = req.getParameter(REDIRCT_PARAM_URL); - String target = req.getParameter(MOAIDAuthConstants.PARAM_TARGET); + String target = StringEscapeUtils.escapeHtml(req.getParameter(MOAIDAuthConstants.PARAM_TARGET)); String artifact = req.getParameter(MOAIDAuthConstants.PARAM_SAMLARTIFACT); String interIDP = req.getParameter(MOAIDAuthConstants.INTERFEDERATION_IDP); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index aff2c83ad..3770dad2f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -161,7 +161,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { Logger.info("Remove active user-session"); if(internalMOASsoSessionID == null) { - internalMOASsoSessionID = (String) request.getParameter(PARAM_SESSIONID); + internalMOASsoSessionID = StringEscapeUtils.escapeHtml((String) request.getParameter(PARAM_SESSIONID)); } if(internalMOASsoSessionID == null) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java index 0f9b615a4..aebcf372e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java @@ -27,6 +27,7 @@ import java.io.IOException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; @@ -51,7 +52,7 @@ public class ProtocolFinalizationController extends AbstractAuthProtocolModulCon public void finalizeAuthProtocol(HttpServletRequest req, HttpServletResponse resp) throws MOAIDException, IOException { //read pendingRequest from http request - Object idObject = req.getParameter(PARAM_TARGET_PENDINGREQUESTID); + Object idObject = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_TARGET_PENDINGREQUESTID)); IRequest pendingReq = null; String pendingRequestID = null; if (idObject != null && (idObject instanceof String)) { @@ -61,7 +62,7 @@ public class ProtocolFinalizationController extends AbstractAuthProtocolModulCon } //receive an authentication error - String errorid = req.getParameter(ERROR_CODE_PARAM); + String errorid = StringEscapeUtils.escapeHtml(req.getParameter(ERROR_CODE_PARAM)); if (errorid != null) { try { //load stored exception from database diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java deleted file mode 100644 index d715b8b7b..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java +++ /dev/null @@ -1,48 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.utils; - -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; - -public class Digester { - public static String byteArrayToHexString(byte[] b) { - String result = ""; - for (int i=0; i < b.length; i++) { - result += - Integer.toString( ( b[i] & 0xff ) + 0x100, 16).substring( 1 ); - } - return result; - } - - public static String toSHA1(byte[] convertme) { - MessageDigest md = null; - try { - md = MessageDigest.getInstance("SHA-1"); - } - catch(NoSuchAlgorithmException e) { - e.printStackTrace(); - } - return byteArrayToHexString(md.digest(convertme)); - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java deleted file mode 100644 index c40731576..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java +++ /dev/null @@ -1,323 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.utils; - -import java.io.*; -import javax.xml.parsers.*; -import javax.xml.transform.*; -import javax.xml.transform.dom.*; -import javax.xml.transform.stream.*; - -import org.w3c.dom.Document; - -import org.xml.sax.*; -import org.xml.sax.helpers.*; - - -/** -This class "pretty prints" an XML stream to something more human-readable. -It duplicates the character content with some modifications to whitespace, -restoring line breaks and a simple pattern of indenting child elements. - -This version of the class acts as a SAX 2.0 DefaultHandler, -so to provide the unformatted XML just pass a new instance to a SAX parser. -Its output is via the {@link #toString toString} method. - -One major limitation: we gather character data for elements in a single -buffer, so mixed-content documents will lose a lot of data! This works -best with data-centric documents where elements either have single values -or child elements, but not both. - -@author Will Provost -*/ -/* -Copyright 2002-2003 by Will Provost. -All rights reserved. -*/ -public class PrettyPrinter - extends DefaultHandler -{ - /** - Convenience method to wrap pretty-printing SAX pass over existing content. - */ - public static String prettyPrint (byte[] content) - { - try - { - PrettyPrinter pretty = new PrettyPrinter (); - SAXParserFactory factory = SAXParserFactory.newInstance (); - factory.setFeature - ("http://xml.org/sax/features/namespace-prefixes", true); - factory.newSAXParser ().parse - (new ByteArrayInputStream (content), pretty); - return pretty.toString (); - } - catch (Exception ex) - { - ex.printStackTrace (); - return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" + - ex.getMessage () + "\""; - } - } - - /** - Convenience method to wrap pretty-printing SAX pass over existing content. - */ - public static String prettyPrint (String content) - { - try - { - PrettyPrinter pretty = new PrettyPrinter (); - SAXParserFactory factory = SAXParserFactory.newInstance (); - factory.setFeature - ("http://xml.org/sax/features/namespace-prefixes", true); - factory.newSAXParser ().parse (content, pretty); - return pretty.toString (); - } - catch (Exception ex) - { - ex.printStackTrace (); - return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" + - ex.getMessage () + "\""; - } - } - - /** - Convenience method to wrap pretty-printing SAX pass over existing content. - */ - public static String prettyPrint (InputStream content) - { - try - { - PrettyPrinter pretty = new PrettyPrinter (); - SAXParserFactory factory = SAXParserFactory.newInstance (); - factory.setFeature - ("http://xml.org/sax/features/namespace-prefixes", true); - factory.newSAXParser ().parse (content, pretty); - return pretty.toString (); - } - catch (Exception ex) - { - ex.printStackTrace (); - return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" + - ex.getMessage () + "\""; - } - } - - /** - Convenience method to wrap pretty-printing SAX pass over existing content. - */ - public static String prettyPrint (Document doc) - throws TransformerException - { - try - { - ByteArrayOutputStream buffer = new ByteArrayOutputStream (); - TransformerFactory.newInstance ().newTransformer() - .transform (new DOMSource (doc), new StreamResult (buffer)); - byte[] rawResult = buffer.toByteArray (); - buffer.close (); - - return prettyPrint (rawResult); - } - catch (Exception ex) - { - ex.printStackTrace (); - return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" + - ex.getMessage () + "\""; - } - } - - public static class StreamAdapter - extends OutputStream - { - public StreamAdapter (Writer finalDestination) - { - this.finalDestination = finalDestination; - } - - public void write (int b) - { - out.write (b); - } - - public void flushPretty () - throws IOException - { - PrintWriter finalPrinter = new PrintWriter (finalDestination); - finalPrinter.println - (PrettyPrinter.prettyPrint (out.toByteArray ())); - finalPrinter.close (); - out.close (); - } - - private ByteArrayOutputStream out = new ByteArrayOutputStream (); - Writer finalDestination; - } - - /** - Call this to get the formatted XML post-parsing. - */ - public String toString () - { - return output.toString (); - } - - /** - Prints the XML declaration. - */ - public void startDocument () - throws SAXException - { - output.append ("") - .append (endLine); - } - - /** - Prints a blank line at the end of the reformatted document. - */ - public void endDocument () throws SAXException - { - output.append (endLine); - } - - /** - Writes the start tag for the element. - Attributes are written out, one to a text line. Starts gathering - character data for the element. - */ - public void startElement - (String URI, String name, String qName, Attributes attributes) - throws SAXException - { - if (justHitStartTag) - output.append ('>'); - - output.append (endLine) - .append (indent) - .append ('<') - .append (qName); - - int length = attributes.getLength (); - for (int a = 0; a < length; ++a) - output.append (endLine) - .append (indent) - .append (standardIndent) - .append (attributes.getQName (a)) - .append ("=\"") - .append (attributes.getValue (a)) - .append ('\"'); - - if (length > 0) - output.append (endLine) - .append (indent); - - indent += standardIndent; - currentValue = new StringBuffer (); - justHitStartTag = true; - } - - /** - Checks the {@link #currentValue} buffer to gather element content. - Writes this out if it is available. Writes the element end tag. - */ - public void endElement (String URI, String name, String qName) - throws SAXException - { - indent = indent.substring - (0, indent.length () - standardIndent.length ()); - - if (currentValue == null) - output.append (endLine) - .append (indent) - .append ("'); - else if (currentValue.length () != 0) - output.append ('>') - .append (currentValue.toString ()) - .append ("'); - else - output.append ("/>"); - - currentValue = null; - justHitStartTag = false; - } - - /** - When the {@link #currentValue} buffer is enabled, appends character - data into it, to be gathered when the element end tag is encountered. - */ - public void characters (char[] chars, int start, int length) - throws SAXException - { - if (currentValue != null) - currentValue.append (escape (chars, start, length)); - } - - /** - Filter to pass strings to output, escaping < and & - characters to &lt; and &amp; respectively. - */ - private static String escape (char[] chars, int start, int length) - { - StringBuffer result = new StringBuffer (); - for (int c = start; c < start + length; ++c) - if (chars[c] == '<') - result.append ("<"); - else if (chars[c] == '&') - result.append ("&"); - else - result.append (chars[c]); - - return result.toString (); - } - - /** - This whitespace string is expanded and collapsed to manage the output - indenting. - */ - private String indent = ""; - - /** - A buffer for character data. It is "enabled" in - {@link #startElement startElement} by being initialized to a - new StringBuffer, and then read and reset to - null in {@link #endElement endElement}. - */ - private StringBuffer currentValue = null; - - /** - The primary buffer for accumulating the formatted XML. - */ - private StringBuffer output = new StringBuffer (); - - private boolean justHitStartTag; - - private static final String standardIndent = " "; - private static final String endLine = - System.getProperty ("line.separator"); -} - diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/XMLUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/XMLUtil.java deleted file mode 100644 index d87d510fa..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/XMLUtil.java +++ /dev/null @@ -1,143 +0,0 @@ -/** - * - */ -package at.gv.egovernment.moa.id.util; - -import java.io.File; -import java.io.IOException; -import java.io.Reader; -import java.io.StringReader; -import java.io.StringWriter; - -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; -import javax.xml.parsers.ParserConfigurationException; -import javax.xml.transform.OutputKeys; -import javax.xml.transform.Result; -import javax.xml.transform.Source; -import javax.xml.transform.Transformer; -import javax.xml.transform.TransformerException; -import javax.xml.transform.TransformerFactory; -import javax.xml.transform.dom.DOMSource; -import javax.xml.transform.stream.StreamResult; - -import org.w3c.dom.Document; -import org.w3c.dom.Element; -import org.w3c.dom.Node; -import org.w3c.dom.NodeList; -import org.xml.sax.InputSource; -import org.xml.sax.SAXException; - -/** - * Helper class for XML processing - * @author bzwattendorfer - * - */ -public class XMLUtil { - - /** - * Transforms a string representation to a DOM representation - * @param xmlString XML as string - * @return DOM representation of String - * @throws ParserConfigurationException - * @throws SAXException - * @throws IOException - */ - public static Element stringToDOM(String xmlString) throws ParserConfigurationException, SAXException, IOException { - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - dbf.setNamespaceAware(true); - - DocumentBuilder builder = dbf.newDocumentBuilder(); - - Reader reader = new StringReader(xmlString); - InputSource src = new InputSource(reader); - Document domDoc = builder.parse(src); - return domDoc.getDocumentElement(); - } - - /** - * Creates a new and empty XML document - * @return New XML document - * @throws ParserConfigurationException - */ - public static Document createNewDocument() throws ParserConfigurationException { - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - dbf.setNamespaceAware(true); - - DocumentBuilder builder = dbf.newDocumentBuilder(); - return builder.newDocument(); - } - - /** - * Transforms an XML to a String - * @param node XML node - * @return String represenation of XML - */ - public static String printXML(Node node) { - TransformerFactory tfactory = TransformerFactory.newInstance(); - Transformer serializer; - try { - serializer = tfactory.newTransformer(); - - serializer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes"); - serializer.setOutputProperty(OutputKeys.ENCODING,"UTF-8"); - - StringWriter output = new StringWriter(); - serializer.transform(new DOMSource(node), new StreamResult(output)); - return output.toString(); - } catch (TransformerException e) { - - throw new RuntimeException(e); - } - } - - /** - * Writes an XML element to a given file - * @param doc XML element - * @param filename Filename of the file where to write XML - */ - public static void writeXmlFile(Element doc, String filename) { - try { - - Source source = new DOMSource(doc); - File file = new File(filename); - Result result = new StreamResult(file); - - Transformer xformer = TransformerFactory.newInstance().newTransformer(); - xformer.transform(source, result); - } catch (Exception e) { - throw new RuntimeException(e); - } - } - - /** - * Gets the first text value of a NodeList - * @param nList NodeList - * @return first text value of a NodeList - */ - public static String getFirstTextValueFromNodeList(NodeList nList) { - if (nList != null && nList.getLength() != 0) { - return nList.item(0).getTextContent(); - } - return null; - } - - /** - * Gets the first element of a Node - * @param parent Node - * @return first element of a Node - */ - public static Element getFirstElement(Node parent) { - Node n = parent.getFirstChild(); - while (n != null && n.getNodeType() != Node.ELEMENT_NODE) { - n = n.getNextSibling(); - } - if (n == null) { - return null; - } - return (Element)n; - } - - - -} -- cgit v1.2.3 From 366c463274f3ca06d500c59c0839feb225b4e0b5 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 27 Nov 2017 12:11:45 +0100 Subject: add escaping on some places --- .../at/gv/egovernment/moa/id/auth/servlet/AbstractController.java | 4 ++-- .../id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java index 67611dd72..dcf337213 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java @@ -91,7 +91,7 @@ public abstract class AbstractController extends MOAIDAuthConstants { resp.setContentType(MediaType.HTML_UTF_8.toString()); resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal Server Error!" + "(Errorcode=9199" - +" | Description="+ exception.getMessage() + ")"); + +" | Description="+ StringEscapeUtils.escapeHtml(exception.getMessage()) + ")"); return; } @@ -318,7 +318,7 @@ public abstract class AbstractController extends MOAIDAuthConstants { if (e instanceof ProtocolNotActiveException) { resp.getWriter().write(e.getMessage()); resp.setContentType(MediaType.HTML_UTF_8.toString()); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage()); + resp.sendError(HttpServletResponse.SC_FORBIDDEN, StringEscapeUtils.escapeHtml(e.getMessage())); } else if (e instanceof AuthnRequestValidatorException) { AuthnRequestValidatorException ex = (AuthnRequestValidatorException)e; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java index 2976dc420..c8c6c1fb5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.auth.servlet.interceptor; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.servlet.HandlerInterceptor; import org.springframework.web.servlet.ModelAndView; @@ -76,7 +77,7 @@ public class WebFrontEndSecurityInterceptor implements HandlerInterceptor { Logger.info(errorMsg); response.sendError( HttpServletResponse.SC_FORBIDDEN, - errorMsg); + StringEscapeUtils.escapeHtml(errorMsg)); return false; } else { -- cgit v1.2.3 From 75c7ab602fe14d56217f268ea80e787a5316288a Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 27 Nov 2017 15:30:31 +0100 Subject: fix nullpointer in MandateNaturalPersonBPKAttributeBuilder.java --- .../MandateNaturalPersonBPKAttributeBuilder.java | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java index 6ac517e19..ad469921c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java @@ -57,15 +57,21 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui if (MiscUtil.isEmpty(bpk)) throw new UnavailableAttributeException(BPK_NAME); - - if (type.startsWith(Constants.URN_PREFIX_WBPK)) - type = type.substring((Constants.URN_PREFIX_WBPK + "+").length()); - else if (type.startsWith(Constants.URN_PREFIX_CDID)) - type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); + if (type != null) { + if (type.startsWith(Constants.URN_PREFIX_WBPK)) + type = type.substring((Constants.URN_PREFIX_WBPK + "+").length()); + + else if (type.startsWith(Constants.URN_PREFIX_CDID)) + type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); - else if (type.startsWith(Constants.URN_PREFIX_EIDAS)) - type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length()); + else if (type.startsWith(Constants.URN_PREFIX_EIDAS)) + type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length()); + + } else { + Logger.debug("bPK type is 'null' --> use it as it is"); + + } if (bpk.length() > BPK_MAX_LENGTH) { bpk = bpk.substring(0, BPK_MAX_LENGTH); -- cgit v1.2.3 From f6ef9b2e21af5a55b9f2b360de3cff38c56904d6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 27 Nov 2017 15:33:37 +0100 Subject: add some more escaptions --- .../id/auth/builder/AuthenticationDataBuilder.java | 1 + .../id/auth/servlet/IDPSingleLogOutServlet.java | 4 +- .../gv/egovernment/moa/id/data/EncryptedData.java | 9 +- .../moa/id/moduls/AuthenticationManager.java | 4 +- .../moa/id/storage/DBTransactionStorage.java | 112 +++++++++++++++------ .../moa/id/storage/ITransactionStorage.java | 4 + .../moa/id/util/AbstractEncrytionUtil.java | 25 +++-- .../java/at/gv/egovernment/moa/id/util/Random.java | 12 ++- 8 files changed, 130 insertions(+), 41 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 5a5d0bcf6..cc716f9f8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -352,6 +352,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { authData.setBkuURL(session.getGenericDataFromSession(PVPConstants.EID_CCS_URL_NAME, String.class)); + //TODO: fully switch from STORK QAA to eIDAS LoA //#################################################### //set QAA level includedToGenericAuthData.remove(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java index 19f3fdc54..0397bd501 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java @@ -117,7 +117,7 @@ public class IDPSingleLogOutServlet extends AbstractController { config.putCustomParameter("successMsg", MOAIDMessageProvider.getInstance().getMessage("slo.00", null)); else - config.putCustomParameter("errorMsg", + config.putCustomParameterWithOutEscaption("errorMsg", MOAIDMessageProvider.getInstance().getMessage("slo.01", null)); guiBuilder.build(resp, config, "Single-LogOut GUI"); @@ -213,7 +213,7 @@ public class IDPSingleLogOutServlet extends AbstractController { DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, null); - config.putCustomParameter("errorMsg", + config.putCustomParameterWithOutEscaption("errorMsg", MOAIDMessageProvider.getInstance().getMessage("slo.01", null)); guiBuilder.build(resp, config, "Single-LogOut GUI"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java index e0484eb1b..4e7a72da6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedData.java @@ -22,12 +22,19 @@ */ package at.gv.egovernment.moa.id.data; +import java.io.Serializable; + /** * @author tlenz * */ -public class EncryptedData { +public class EncryptedData implements Serializable{ + /** + * + */ + private static final long serialVersionUID = 1L; + private byte[] encData = null; private byte[] iv = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 3770dad2f..bb849a8d0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -659,7 +659,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { } else { revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); - config.putCustomParameter("errorMsg", + config.putCustomParameterWithOutEscaption("errorMsg", MOAIDMessageProvider.getInstance().getMessage("slo.01", null)); } @@ -690,7 +690,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { null); revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); - config.putCustomParameter("errorMsg", + config.putCustomParameterWithOutEscaption("errorMsg", MOAIDMessageProvider.getInstance().getMessage("slo.01", null)); try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java index f17e4a99a..2395b913d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java @@ -38,8 +38,11 @@ import org.springframework.stereotype.Repository; import org.springframework.transaction.annotation.Transactional; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.data.EncryptedData; +import at.gv.egovernment.moa.id.util.SessionEncrytionUtil; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -106,18 +109,36 @@ public class DBTransactionStorage implements ITransactionStorage { } } - - public Object getAssertionStore(String key) throws MOADatabaseException{ - return searchInDatabase(key); - } - + public Object get(String key) throws MOADatabaseException { AssertionStore element = searchInDatabase(key); if (element == null) return null; + + Object data = SerializationUtils.deserialize(element.getAssertion()); - return SerializationUtils.deserialize(element.getAssertion()); + //decrypt data if required + Object resultData = null; + if (data instanceof EncryptedData) { + Logger.trace("Find encrypted data. --> Starting decryption process ..."); + try { + byte[] decData = decryptData((EncryptedData)data); + resultData = SerializationUtils.deserialize(decData); + + } catch (BuildException e) { + Logger.warn("Transaction information decryption FAILED.", e); + throw new MOADatabaseException("Transaction information decryption FAILED.", e); + + } + + } else { + Logger.trace("Find unencrypted data. --> Use it as is"); + resultData = data; + + } + + return resultData; } @@ -141,13 +162,34 @@ public class DBTransactionStorage implements ITransactionStorage { } - //Deserialize Assertion + //Deserialize Assertion Object data = SerializationUtils.deserialize(element.getAssertion()); + //decrypt data if required + Object resultData = null; + if (data instanceof EncryptedData) { + Logger.trace("Find encrypted data. --> Starting decryption process ..."); + try { + byte[] decData = decryptData((EncryptedData)data); + resultData = SerializationUtils.deserialize(decData); + + } catch (BuildException e) { + Logger.warn("Transaction information decryption FAILED.", e); + throw new MOADatabaseException("Transaction information decryption FAILED.", e); + + } + + } else { + Logger.trace("Find unencrypted data. --> Use it as is"); + resultData = data; + + } + + //check if assertion has the correct class type try { @SuppressWarnings("unchecked") - T test = (T) Class.forName(element.getType()).cast(data); + T test = (T) Class.forName(element.getType()).cast(resultData); return test; } catch (Exception e) { @@ -198,6 +240,17 @@ public class DBTransactionStorage implements ITransactionStorage { } } + public Object getAssertionStore(String key) throws MOADatabaseException{ + return searchInDatabase(key); + + } + + @Override + public void putAssertionStore(Object element) throws MOADatabaseException{ + entityManager.merge(element); + + } + private void cleanDelete(AssertionStore element) { @@ -245,30 +298,33 @@ public class DBTransactionStorage implements ITransactionStorage { throw new MOADatabaseException("Transaction-Storage can only store objects which implements the 'Seralizable' interface", null); } - - //serialize the Assertion for Database storage - byte[] data = SerializationUtils.serialize((Serializable) value); - element.setAssertion(data); - - //store AssertionStore element to Database - //try { + + try { + //serialize the Assertion for Database storage + byte[] data = SerializationUtils.serialize((Serializable) value); + element.setAssertion(encryptData(data)); + + //store AssertionStore element to Database entityManager.persist(element); - //MOASessionDBUtils.saveOrUpdate(element); - Logger.debug(value.getClass().getName() + " with ID: " + key + " is stored in Database"); -// -// } catch (MOADatabaseException e) { -// Logger.warn("Sessioninformation could not be stored."); -// throw new MOADatabaseException(e); -// -// } + Logger.debug(value.getClass().getName() + " with ID: " + key + " is stored in Database"); + + } catch (BuildException e) { + Logger.warn("Sessioninformation could not be stored."); + throw new MOADatabaseException(e); + + } } + + private static byte[] encryptData(byte[] data) throws BuildException { + EncryptedData encdata = SessionEncrytionUtil.getInstance().encrypt(data); + return SerializationUtils.serialize(encdata); - @Override - public void putAssertionStore(Object element) throws MOADatabaseException{ - // TODO Auto-generated method stub - entityManager.merge(element); - + } + + private static byte[] decryptData(EncryptedData encdata) throws BuildException { + return SessionEncrytionUtil.getInstance().decrypt(encdata); + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java index 53a7f4f5e..51a36d426 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java @@ -114,6 +114,8 @@ public interface ITransactionStorage { /** * Get whole AssertionStoreObject, required for SLO + *
+ * IMPORTANT: This method does NOT decrypt information before storage * * @param key key Id which identifiers the data object * @return The transaction-data object, or null @@ -123,6 +125,8 @@ public interface ITransactionStorage { /** * Put whole AssertionStoreObject to db, required for SLO + *
+ * IMPORTANT: This method does NOT encrypt information before storage * * @param element assertion store object */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java index b0d166951..84d40f619 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java @@ -22,9 +22,6 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.util; -import iaik.security.cipher.PBEKey; -import iaik.security.spec.PBEKeyAndParameterSpec; - import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; @@ -35,19 +32,26 @@ import javax.crypto.Cipher; import javax.crypto.KeyGenerator; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.GCMParameterSpec; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.PBEKeySpec; import javax.crypto.spec.SecretKeySpec; - import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException; import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; +import iaik.security.cipher.PBEKey; +import iaik.security.spec.PBEKeyAndParameterSpec; public abstract class AbstractEncrytionUtil { - protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding"; + //protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding"; + + protected static final String CIPHER_MODE = "AES/GCM/NoPadding"; + public static final int GCM_NONCE_LENGTH = 12; // in bytes + public static final int GCM_TAG_LENGTH = 16; // in bytes + protected static final String KEYNAME = "AES"; private SecretKey secret = null; @@ -114,8 +118,15 @@ public abstract class AbstractEncrytionUtil { if (secret != null) { try { - cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); - cipher.init(Cipher.ENCRYPT_MODE, secret); + final byte[] nonce = Random.nextBytes(GCM_NONCE_LENGTH); + +// final byte[] nonce = new byte[GCM_NONCE_LENGTH]; +// SecureRandom.getInstanceStrong().nextBytes(nonce); + + GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, nonce); + + cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); + cipher.init(Cipher.ENCRYPT_MODE, secret, spec); Logger.debug("Encrypt MOASession"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java index ac2b3c415..38c384c3a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java @@ -151,6 +151,16 @@ public class Random { } +/** + * Creates a new random byte[] + * + * @param size Size of random number in byte + * @return + */ +public static byte[] nextBytes(int size) { + return nextByteRandom(size); + +} public static void seedRandom() { @@ -165,7 +175,7 @@ public class Random { /** * Generate a new random number * - * @param size Size of random number in bits + * @param size Size of random number in byte * @return */ private static synchronized byte[] nextByteRandom(int size) { -- cgit v1.2.3 From ee5d22920aec815371b1b2ca16bc0a2bb61fd987 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 27 Nov 2017 15:34:27 +0100 Subject: add PVP attribute for eIDAS QAA level --- .../at/gv/egovernment/moa/id/data/IAuthData.java | 12 ++++++ .../EIDCitizenQAALevelAttributeBuilder.java | 2 +- .../builder/attributes/EIDSTORKTOKEN.java | 2 +- .../EIDeIDASQAALevelAttributeBuilder.java | 48 ++++++++++++++++++++++ 4 files changed, 62 insertions(+), 2 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDeIDASQAALevelAttributeBuilder.java (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java index e9fef4676..cb3def678 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -79,7 +79,19 @@ public interface IAuthData { Element getMandate(); String getMandateReferenceValue(); + @Deprecated + /** + * Return STORK QAA level + * + * @return + */ String getQAALevel(); + + /** + * Return authentication QAA level from eIDAS + * + * @return + */ public String getEIDASQAALevel(); String getSessionIndex(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java index cfc6b102c..b254bc305 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java @@ -23,10 +23,10 @@ package at.gv.egovernment.moa.id.protocols.builder.attributes; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +@Deprecated public class EIDCitizenQAALevelAttributeBuilder implements IPVPAttributeBuilder { public String getName() { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSTORKTOKEN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSTORKTOKEN.java index b1474acda..0978cfe90 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSTORKTOKEN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSTORKTOKEN.java @@ -26,7 +26,6 @@ import java.io.IOException; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; @@ -34,6 +33,7 @@ import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; +@Deprecated public class EIDSTORKTOKEN implements IPVPAttributeBuilder { public String getName() { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDeIDASQAALevelAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDeIDASQAALevelAttributeBuilder.java new file mode 100644 index 000000000..ca3dfa765 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDeIDASQAALevelAttributeBuilder.java @@ -0,0 +1,48 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.builder.attributes; + +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; + +public class EIDeIDASQAALevelAttributeBuilder implements IPVPAttributeBuilder { + + public String getName() { + return EID_CITIZEN_EIDAS_QAA_LEVEL_NAME; + } + + public ATT build(IOAAuthParameters oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + + return g.buildStringAttribute(EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, + EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, authData.getEIDASQAALevel()); + } + + + public ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, + EID_CITIZEN_EIDAS_QAA_LEVEL_NAME); + } + +} -- cgit v1.2.3 From bbc999c5d7912d0658216e7a8f59619135731ebf Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 20 Nov 2017 11:47:29 +0100 Subject: Add PVP metadata SAML2 EntityAttribute resolver filter --- .../pvp2x/metadata/MOAMetadataProvider.java | 2 + .../metadata/PVPEntityCategoryFilter.java | 207 +++++++++++++++++++++ 2 files changed, 209 insertions(+) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index ab355646c..585aac805 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -55,6 +55,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPEntityCategoryFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; import at.gv.egovernment.moa.logging.Logger; @@ -490,6 +491,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException { PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate); filterChain.getFilters().add(new SchemaValidationFilter()); + filterChain.getFilters().add(new PVPEntityCategoryFilter()); if (oaParam.isInderfederationIDP()) { Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java new file mode 100644 index 000000000..95d30db49 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java @@ -0,0 +1,207 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; + +import java.util.ArrayList; +import java.util.List; + +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.common.Extensions; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.metadata.AttributeConsumingService; +import org.opensaml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.LocalizedString; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.ServiceName; +import org.opensaml.saml2.metadata.provider.FilterException; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.samlext.saml2mdattr.EntityAttributes; +import org.opensaml.xml.XMLObject; + +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.data.Trible; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moaspss.logging.Logger; + +/** + * @author tlenz + * + */ +public class PVPEntityCategoryFilter implements MetadataFilter { + + + + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) + */ + @Override + public void doFilter(XMLObject metadata) throws FilterException { + String entityId = null; + try { + if (metadata instanceof EntitiesDescriptor) { + Logger.trace("Find EnitiesDescriptor ... "); + EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; + if (entitiesDesc.getEntityDescriptors() != null) { + for (EntityDescriptor el : entitiesDesc.getEntityDescriptors()) + resolveEntityCategoriesToAttributes(el); + + } + + } else if (metadata instanceof EntityDescriptor) { + Logger.trace("Find EntityDescriptor"); + resolveEntityCategoriesToAttributes((EntityDescriptor)metadata); + + + } else + throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null); + + + + } catch (Exception e) { + Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e); + + } + } + + private void resolveEntityCategoriesToAttributes(EntityDescriptor metadata) { + Logger.debug("Resolving EntityCategorie for Entity: " + metadata.getEntityID() + " ..."); + Extensions extensions = metadata.getExtensions(); + if (extensions != null) { + List listOfExt = extensions.getUnknownXMLObjects(); + if (listOfExt != null && !listOfExt.isEmpty()) { + for (XMLObject el : listOfExt) { + Logger.trace("Find ExtensionElement: " + el.getElementQName().toString()); + if (el instanceof EntityAttributes) { + EntityAttributes entityAttrElem = (EntityAttributes)el; + if (entityAttrElem.getAttributes() != null) { + Logger.trace("Find EntityAttributes. Start attribute processing ..."); + for (Attribute entityAttr : entityAttrElem.getAttributes()) { + if (entityAttr.getName().equals(PVPConstants.ENTITY_CATEGORY_ATTRIBITE)) { + if (!entityAttr.getAttributeValues().isEmpty()) { + String entityAttrValue = entityAttr.getAttributeValues().get(0).getDOM().getTextContent(); + if (PVPConstants.EGOVTOKEN.equals(entityAttrValue)) { + Logger.debug("Find 'EGOVTOKEN' EntityAttribute. Adding single pvp attributes ... "); + addAttributesToEntityDescriptor(metadata, + buildAttributeList(PVPConstants.EGOVTOKEN_PVP_ATTRIBUTES), + entityAttrValue); + + + } else if (PVPConstants.CITIZENTOKEN.equals(entityAttrValue)) { + Logger.debug("Find 'CITIZENTOKEN' EntityAttribute. Adding single pvp attributes ... "); + addAttributesToEntityDescriptor(metadata, + buildAttributeList(PVPConstants.CITIZENTOKEN_PVP_ATTRIBUTES), + entityAttrValue); + + } else + Logger.info("EntityAttributeValue: " + entityAttrValue + " is UNKNOWN!"); + + } else + Logger.info("EntityAttribute: No attribute value"); + + } else + Logger.info("EntityAttribute: " + entityAttr.getName() + " is NOT supported"); + + } + + } else + Logger.info("Can NOT resolve EntityAttributes! Reason: Only EntityAttributes are supported!"); + + } + } + } + } + + } + + /** + * @param metadata + * @param attrList + */ + private void addAttributesToEntityDescriptor(EntityDescriptor metadata, List attrList, String entityAttr) { + SPSSODescriptor spSSODesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + if (spSSODesc != null) { + if (spSSODesc.getAttributeConsumingServices() == null || + spSSODesc.getAttributeConsumingServices().isEmpty()) { + Logger.trace("No 'AttributeConsumingServices' found. Added it ..."); + + AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class); + attributeService.setIndex(0); + attributeService.setIsDefault(true); + ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class); + serviceName.setName(new LocalizedString("Default Service", "en")); + attributeService.getNames().add(serviceName); + + if (attrList != null && !attrList.isEmpty()) { + attributeService.getRequestAttributes().addAll(attrList); + Logger.info("Add " + attrList.size() + " attributes for 'EntityAttribute': " + entityAttr); + + } + + spSSODesc.getAttributeConsumingServices().add(attributeService); + + } else { + Logger.debug("Find 'AttributeConsumingServices'. Starting updating process ... "); + for (AttributeConsumingService el : spSSODesc.getAttributeConsumingServices()) { + Logger.debug("Update 'AttributeConsumingService' with Index: " + el.getIndex()); + + //load currently requested attributes + List currentlyReqAttr = new ArrayList(); + for (RequestedAttribute reqAttr : el.getRequestAttributes()) + currentlyReqAttr.add(reqAttr.getName()); + + + //check against EntityAttribute List + for (RequestedAttribute entityAttrListEl : attrList) { + if (!currentlyReqAttr.contains(entityAttrListEl.getName())) { + el.getRequestAttributes().add(entityAttrListEl); + + } else + Logger.debug("'AttributeConsumingService' already contains attr: " + entityAttrListEl.getName()); + + } + + } + + } + + } else + Logger.info("Can ONLY add 'EntityAttributes' to 'SPSSODescriptor'"); + + } + + private List buildAttributeList(List> attrSet) { + List requestedAttributes = new ArrayList(); + for (Trible el : attrSet) + requestedAttributes.add(PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird())); + + return requestedAttributes; + + + } + +} -- cgit v1.2.3 From 91b54c413aca1f214de482e7ea899bdec114880d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 28 Nov 2017 10:54:34 +0100 Subject: deactivated PVP EntityCategory mapper as default --- .../PropertyBasedAuthConfigurationProvider.java | 2 +- .../pvp2x/metadata/MOAMetadataProvider.java | 6 ++- .../metadata/PVPEntityCategoryFilter.java | 60 ++++++++++++++-------- 3 files changed, 45 insertions(+), 23 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java index 332604257..d3e340a90 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java @@ -1311,7 +1311,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide String value = properties.getProperty(key); if (MiscUtil.isNotEmpty(value)) - return Boolean.valueOf(value); + return Boolean.valueOf(value.trim()); return defaultValue; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 585aac805..7f6f9b88c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -51,6 +51,7 @@ import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.IDestroyableObject; import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; @@ -491,7 +492,10 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException { PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate); filterChain.getFilters().add(new SchemaValidationFilter()); - filterChain.getFilters().add(new PVPEntityCategoryFilter()); + filterChain.getFilters().add( + new PVPEntityCategoryFilter(authConfig.getBasicMOAIDConfigurationBoolean( + AuthConfiguration.PROP_KEY_PROTOCOL_PVP_METADATA_ENTITYCATEGORY_RESOLVER, + false))); if (oaParam.isInderfederationIDP()) { Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java index 95d30db49..ed96f1962 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java @@ -54,6 +54,17 @@ import at.gv.egovernment.moaspss.logging.Logger; public class PVPEntityCategoryFilter implements MetadataFilter { + private boolean isUsed = false; + + /** + * Filter to map PVP EntityCategories into a set of single PVP attributes + * + * @param isUsed if true PVP EntityCategories are mapped, otherwise they are ignored + * + */ + public PVPEntityCategoryFilter(boolean isUsed) { + this.isUsed = isUsed; + } /* (non-Javadoc) @@ -61,31 +72,38 @@ public class PVPEntityCategoryFilter implements MetadataFilter { */ @Override public void doFilter(XMLObject metadata) throws FilterException { - String entityId = null; - try { - if (metadata instanceof EntitiesDescriptor) { - Logger.trace("Find EnitiesDescriptor ... "); - EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; - if (entitiesDesc.getEntityDescriptors() != null) { - for (EntityDescriptor el : entitiesDesc.getEntityDescriptors()) - resolveEntityCategoriesToAttributes(el); + + if (isUsed) { + Logger.trace("Map PVP EntityCategory to single PVP Attributes ... "); + String entityId = null; + try { + if (metadata instanceof EntitiesDescriptor) { + Logger.trace("Find EnitiesDescriptor ... "); + EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; + if (entitiesDesc.getEntityDescriptors() != null) { + for (EntityDescriptor el : entitiesDesc.getEntityDescriptors()) + resolveEntityCategoriesToAttributes(el); + + } + + } else if (metadata instanceof EntityDescriptor) { + Logger.trace("Find EntityDescriptor"); + resolveEntityCategoriesToAttributes((EntityDescriptor)metadata); - } - - } else if (metadata instanceof EntityDescriptor) { - Logger.trace("Find EntityDescriptor"); - resolveEntityCategoriesToAttributes((EntityDescriptor)metadata); + + } else + throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null); - } else - throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null); - - - - } catch (Exception e) { - Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e); + + } catch (Exception e) { + Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e); + + } - } + } else + Logger.trace("Filter to map PVP EntityCategory to single PVP Attributes is deactivated"); + } private void resolveEntityCategoriesToAttributes(EntityDescriptor metadata) { -- cgit v1.2.3 From bbeef4d494f2af3b60a8093258887e4223dbe5d7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 29 Nov 2017 08:13:34 +0100 Subject: Fix problem in SAML2 AuthnRequestValidator --- .../builder/assertion/PVP2AssertionBuilder.java | 3 ++- .../pvp2x/validation/AuthnRequestValidator.java | 24 +++++++++++++--------- 2 files changed, 16 insertions(+), 11 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 45539da3f..196aa47af 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -373,7 +373,8 @@ public class PVP2AssertionBuilder implements PVPConstants { //get NameIDFormat from request AuthnRequest authnReq = (AuthnRequestImpl) authnRequest; - if (authnReq.getNameIDPolicy() != null) { + if (authnReq.getNameIDPolicy() != null && + MiscUtil.isNotEmpty(authnReq.getNameIDPolicy().getFormat())) { nameIDFormat = authnReq.getNameIDPolicy().getFormat(); } else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java index ab8fab5d1..4ae89466d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java @@ -28,6 +28,7 @@ import org.opensaml.saml2.core.NameIDPolicy; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException; +import at.gv.egovernment.moaspss.logging.Logger; /** * @author tlenz @@ -41,17 +42,20 @@ public class AuthnRequestValidator { NameIDPolicy nameIDPolicy = req.getNameIDPolicy(); if (nameIDPolicy != null) { String nameIDFormat = nameIDPolicy.getFormat(); - - if ( !(nameIDFormat != null && - (NameID.TRANSIENT.equals(nameIDFormat) || - NameID.PERSISTENT.equals(nameIDFormat) || - NameID.UNSPECIFIED.equals(nameIDFormat))) ) { - - throw new NameIDFormatNotSupportedException(nameIDFormat); + if (nameIDFormat != null) { + if ( !(NameID.TRANSIENT.equals(nameIDFormat) || + NameID.PERSISTENT.equals(nameIDFormat) || + NameID.UNSPECIFIED.equals(nameIDFormat)) ) { - } - } - + throw new NameIDFormatNotSupportedException(nameIDFormat); + + } + + } else + Logger.trace("Find NameIDPolicy, but NameIDFormat is 'null'"); + } else + Logger.trace("AuthnRequest includes no 'NameIDPolicy'"); + } -- cgit v1.2.3 From f18f6318f7233b336ea2653f183460f17d6562f0 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 29 Nov 2017 08:13:51 +0100 Subject: update logging --- .../gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java | 2 ++ .../pvp2x/verification/metadata/MetadataSignatureFilter.java | 12 ++++++------ .../pvp2x/verification/metadata/PVPEntityCategoryFilter.java | 11 ++++++++--- 3 files changed, 16 insertions(+), 9 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 216d7a8b1..cdb85c563 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -259,6 +259,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); } catch (MOAIDException e) { + String samlRequest = req.getParameter("SAMLRequest"); + Logger.info("Receive INVALID protocol request: " + samlRequest); throw e; } catch (Throwable e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java index 679bdd10f..589713c4b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java @@ -22,8 +22,6 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; -import iaik.x509.X509Certificate; - import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.Iterator; @@ -31,16 +29,15 @@ import java.util.List; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.provider.FilterException; import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.x509.BasicX509Credential; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier; import at.gv.egovernment.moa.logging.Logger; +import iaik.x509.X509Certificate; public class MetadataSignatureFilter implements MetadataFilter { @@ -87,8 +84,9 @@ public class MetadataSignatureFilter implements MetadataFilter { //CHECK if Entity also match MetaData signature. /*This check is necessary to prepend declaration of counterfeit OA metadata!!*/ + Logger.debug("Validate metadata for entityID: " + entityID + " ..... "); byte[] entityCert = EntityVerifier.fetchSavedCredential(entityID); - + if (entityCert != null) { X509Certificate cert; @@ -99,8 +97,10 @@ public class MetadataSignatureFilter implements MetadataFilter { EntityVerifier.verify(desc, entityCrendential); - //add entity to verified entity-list + //add entity to verified entity-list verifiedEntIT.add(entity); + Logger.debug("Metadata for entityID: " + entityID + " valid"); + } catch (Exception e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java index ed96f1962..caabfea30 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java @@ -112,6 +112,7 @@ public class PVPEntityCategoryFilter implements MetadataFilter { if (extensions != null) { List listOfExt = extensions.getUnknownXMLObjects(); if (listOfExt != null && !listOfExt.isEmpty()) { + Logger.trace("Find #" + listOfExt.size() + " 'Extension' elements "); for (XMLObject el : listOfExt) { Logger.trace("Find ExtensionElement: " + el.getElementQName().toString()); if (el instanceof EntityAttributes) { @@ -150,9 +151,13 @@ public class PVPEntityCategoryFilter implements MetadataFilter { Logger.info("Can NOT resolve EntityAttributes! Reason: Only EntityAttributes are supported!"); } - } - } - } + } + + } else + Logger.trace("'Extension' element is 'null' or empty"); + + } else + Logger.trace("No 'Extension' element found"); } -- cgit v1.2.3