From c61850c5607d066a3c322794c1220f26b31103a0 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 16 May 2018 09:29:09 +0200
Subject: add initial version of Security-Layer 2.0 Authentication module

---
 .../moa/id/auth/builder/DataURLBuilder.java        |  4 ++-
 .../moa/id/auth/servlet/AbstractController.java    |  9 ++++--
 .../AbstractProcessEngineSignalController.java     |  2 +-
 .../moa/id/moduls/AuthenticationManager.java       | 23 ++++++++++++++
 .../at/gv/egovernment/moa/id/util/SSLUtils.java    | 37 ++++++++++++++++++++++
 5 files changed, 71 insertions(+), 4 deletions(-)

(limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
index c78361eda..583bb2ab4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
@@ -84,7 +84,9 @@ public class DataURLBuilder {
 		
 		dataURL = authBaseURL + authServletName;
 
-    dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, sessionID);
+		if (sessionID != null)
+			dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, sessionID);
+		
   	return dataURL;
   }
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index f61b9a4da..50cafb4f6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -134,7 +134,12 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 					
 		try {			
 			//switch to protocol-finalize method to generate a protocol-specific error message
-							
+
+			//log error directly in debug mode
+			if (Logger.isDebugEnabled())
+				Logger.warn(loggedException.getMessage(), loggedException);
+				
+			
 			//put exception into transaction store for redirect
 			String key = Random.nextLongRandom();
 			if (pendingReq != null) {
@@ -147,7 +152,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 						new ExceptionContainer(null, loggedException),-1);
 				
 			}
-				
+			
 			//build up redirect URL
 			String redirectURL = null;
 			redirectURL = ServletUtils.getBaseUrl(req);	
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
index 32f103ca7..18641c090 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
@@ -55,7 +55,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont
 			// wake up next task
 			processEngine.signal(pendingReq);
 			
-		} catch (Exception ex) {
+		} catch (Exception ex) {		
 			handleError(null, ex, req, resp, pendingReq);
 			
 		} finally {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 7f183c5eb..a24683545 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -92,6 +92,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
 public class AuthenticationManager extends MOAIDAuthConstants {
 
 	private static List<String> reqParameterWhiteListeForModules = new ArrayList<String>();
+	private static List<String> reqHeaderWhiteListeForModules = new ArrayList<String>();
 	
 	public static final String MOA_SESSION = "MoaAuthenticationSession";
 	public static final String MOA_AUTHENTICATED = "MoaAuthenticated";
@@ -321,6 +322,16 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 		
 	}
 	
+	/**
+	 * Add a request header to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext} 
+	 * 
+	 * @param httpReqParam http header name, but never null
+	 */
+	public void addHeaderNameToWhiteList(String httpReqParam) {
+		if (MiscUtil.isNotEmpty(httpReqParam))
+			reqHeaderWhiteListeForModules.add(httpReqParam.toLowerCase());
+		
+	}
 	
 	/**
 	 * Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated
@@ -422,6 +433,18 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 			}			
 		}
 		
+		//add additional http request parameter to context
+		if (!reqHeaderWhiteListeForModules.isEmpty()) {
+			Enumeration<String> reqHeaderNames = httpReq.getHeaderNames();
+			while(reqHeaderNames.hasMoreElements()) { 
+				String paramName = reqHeaderNames.nextElement();
+				if (MiscUtil.isNotEmpty(paramName) && reqHeaderWhiteListeForModules.contains(paramName.toLowerCase()) ) {
+					executionContext.put(paramName, 
+							StringEscapeUtils.escapeHtml(httpReq.getHeader(paramName)));				
+				}
+			}			
+		}
+		
 		//start process engine
 		startProcessEngine(pendingReq, executionContext);
 		
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
index cd700c74a..611dff3b1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
@@ -89,6 +89,43 @@ public class SSLUtils {
     
   }
   
+  public static SSLSocketFactory getSSLSocketFactory(
+		    ConfigurationProvider conf, String url )
+		    throws IOException, GeneralSecurityException, ConfigurationException, PKIException {
+		    
+			    // else create new SSLSocketFactory
+			    String trustStoreURL = conf.getTrustedCACertificates();
+			    
+			    if (trustStoreURL == null)
+			      throw new ConfigurationException(
+			        "config.08", new Object[] {"TrustedCACertificates"});
+			    
+			    String acceptedServerCertURL = "";
+		 	    
+		   	   //INFO: MOA-ID 2.x always use defaultChainingMode 
+			    
+			    try {	    
+			    	SSLSocketFactory ssf = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
+			    					url,
+			    					null,
+			    					trustStoreURL, 
+			    					acceptedServerCertURL, 
+			    					AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(), 
+			    					AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(),
+			    					AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder(),
+			    					null, 
+			    					null, 
+			    					"pkcs12");
+			    		    	
+			    	return ssf;
+			    	
+			    } catch (SSLConfigurationException e) {
+			    	throw new ConfigurationException(e.getErrorID(), e.getParameters(), e.getE());
+			    	
+			    }
+		  }
+  
+  
   /**
    * Creates an <code>SSLSocketFactory</code> which utilizes an
    * <code>IAIKX509TrustManager</code> for the given trust store,
-- 
cgit v1.2.3