From 31ab8aace485fb61f7c872ebaa143299c6e5dcf1 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 12 Jul 2013 11:06:06 +0200 Subject: SSO Implementation --- .../moa/id/auth/AuthenticationServer.java | 3 +- .../id/auth/data/VerifyXMLSignatureResponse.java | 12 ++ .../moa/id/auth/servlet/LogOutServlet.java | 137 +++++++++++++++ .../auth/servlet/StartAuthenticationServlet.java | 190 --------------------- .../CreateXMLSignatureResponseValidator.java | 8 + .../VerifyXMLSignatureResponseValidator.java | 3 +- .../moa/id/entrypoints/DispatcherServlet.java | 57 ++++++- .../moa/id/moduls/AuthenticationManager.java | 70 ++++---- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 2 + .../moa/id/protocols/saml1/GetArtifactAction.java | 3 - .../moa/id/protocols/saml1/SAML1Protocol.java | 2 + .../id/storage/AuthenticationSessionStoreage.java | 170 ++++++++++++++++-- 12 files changed, 408 insertions(+), 249 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 19af66150..f7c0ff812 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -1850,7 +1850,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { // TODO See Bug #144 // Compare AuthBlock Data with information stored in session, especially // date and time - + CreateXMLSignatureResponseValidator.getInstance().validateSigningDateTime(csresp); + // compares the public keys from the identityLink with the AuthBlock VerifyXMLSignatureResponseValidator.getInstance().validateCertificate( vsresp, session.getIdentityLink()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/VerifyXMLSignatureResponse.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/VerifyXMLSignatureResponse.java index c41de1904..ed54683ca 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/VerifyXMLSignatureResponse.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/VerifyXMLSignatureResponse.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.auth.data; import java.io.Serializable; +import java.util.Date; import iaik.x509.X509Certificate; @@ -64,6 +65,8 @@ public class VerifyXMLSignatureResponse implements Serializable{ */ private int signatureManifestCheckCode = -1; + private Date signingDateTime; + /** * Returns the certificateCheckCode. * @return int @@ -226,4 +229,13 @@ public class VerifyXMLSignatureResponse implements Serializable{ this.signatureManifestCheckCode = signatureManifestCheckCode; } + public Date getSigningDateTime() { + return signingDateTime; + } + + public void setSigningDateTime(Date signingDateTime) { + this.signingDateTime = signingDateTime; + } + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java new file mode 100644 index 000000000..571d4e738 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java @@ -0,0 +1,137 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.auth.servlet; + +import java.io.IOException; +import java.io.PrintWriter; +import java.util.List; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; +import javax.swing.text.StyleContext.SmallAttributeSet; + +import org.apache.commons.lang.StringEscapeUtils; +import org.opensaml.saml2.metadata.RequestedAttribute; + +import at.gv.egovernment.moa.id.AuthenticationException; +import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; +import at.gv.egovernment.moa.id.auth.WrongParametersException; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.stork.STORKAuthnRequestProcessor; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.stork.CPEPS; +import at.gv.egovernment.moa.id.config.stork.STORKConfig; +import at.gv.egovernment.moa.id.moduls.AuthenticationManager; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.moduls.RequestStorage; +import at.gv.egovernment.moa.id.moduls.SSOManager; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.HTTPUtils; +import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.StringUtils; +import eu.stork.mw.messages.saml.STORKAuthnRequest; +import eu.stork.vidp.messages.builder.STORKMessagesBuilder; +import eu.stork.vidp.messages.exception.SAMLException; +import eu.stork.vidp.messages.exception.SAMLValidationException; +import eu.stork.vidp.messages.stork.QualityAuthenticationAssuranceLevel; +import eu.stork.vidp.messages.stork.RequestedAttributes; + +public class LogOutServlet extends AuthServlet { + + private static final long serialVersionUID = 3908001651893673395L; + + private static final String REDIRECT_URL = "redirect"; + + protected void doGet(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + + Logger.debug("receive LogOut Request"); + + String redirectUrl = (String) req.getParameter(REDIRECT_URL); + + SSOManager ssomanager = SSOManager.getInstance(); + + //get SSO token from request + String ssoid = ssomanager.getSSOSessionID(req); + + if (ssomanager.isValidSSOSession(ssoid, req)) { + + //TODO: Single LogOut Implementation + + //delete SSO session and MOA session + AuthenticationManager authmanager = AuthenticationManager.getInstance(); + authmanager.logout(req, resp); + Logger.info("User with SSO Id " + ssoid + " is logged out and get redirect to "+ redirectUrl); + } else { + Logger.info("No active SSO session found. User is maybe logout already and get redirect to "+ redirectUrl); + } + + //Remove SSO token + ssomanager.deleteSSOSessionID(req, resp); + + //invalidate Session + req.getSession().invalidate(); + + //Redirect to Application + resp.setStatus(301); + resp.addHeader("Location", redirectUrl); + } + + + protected void doPost(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + + doGet(req, resp); + } + + + /** + * Calls the web application initializer. + * + * @see javax.servlet.Servlet#init(ServletConfig) + */ + public void init(ServletConfig servletConfig) throws ServletException { + try { + super.init(servletConfig); + MOAIDAuthInitializer.initialize(); + Logger.info(MOAIDMessageProvider.getInstance().getMessage("init.00", null)); + } + catch (Exception ex) { + Logger.fatal(MOAIDMessageProvider.getInstance().getMessage("init.02", null), ex); + throw new ServletException(ex); + } + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java deleted file mode 100644 index 16ff65477..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java +++ /dev/null @@ -1,190 +0,0 @@ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.auth.servlet; - -import java.io.IOException; -import java.io.PrintWriter; -import java.util.List; - -import javax.servlet.ServletConfig; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; -import javax.swing.text.StyleContext.SmallAttributeSet; - -import org.apache.commons.lang.StringEscapeUtils; -import org.opensaml.saml2.metadata.RequestedAttribute; - -import at.gv.egovernment.moa.id.AuthenticationException; -import at.gv.egovernment.moa.id.MOAIDException; -import at.gv.egovernment.moa.id.auth.AuthenticationServer; -import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; -import at.gv.egovernment.moa.id.auth.WrongParametersException; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.stork.STORKAuthnRequestProcessor; -import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.config.stork.CPEPS; -import at.gv.egovernment.moa.id.config.stork.STORKConfig; -import at.gv.egovernment.moa.id.moduls.IRequest; -import at.gv.egovernment.moa.id.moduls.RequestStorage; -import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol; -import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; -import at.gv.egovernment.moa.id.util.HTTPUtils; -import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; -import at.gv.egovernment.moa.id.util.ParamValidatorUtils; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.StringUtils; -import eu.stork.mw.messages.saml.STORKAuthnRequest; -import eu.stork.vidp.messages.builder.STORKMessagesBuilder; -import eu.stork.vidp.messages.exception.SAMLException; -import eu.stork.vidp.messages.exception.SAMLValidationException; -import eu.stork.vidp.messages.stork.QualityAuthenticationAssuranceLevel; -import eu.stork.vidp.messages.stork.RequestedAttributes; - -/** - * Servlet requested for starting a MOA ID authentication session. - * Utilizes the {@link AuthenticationServer}. - * - * @author Paul Ivancsics - * @version $Id$ - * @see AuthenticationServer#startAuthentication - */ -public class StartAuthenticationServlet extends AuthServlet { - - /** - * - */ - private static final long serialVersionUID = 3908001651893673395L; - - -/** - * Responds with an HTML form which upon submit requests the identity link - * from the security layer implementation. - *
- * Response: - * - * @see javax.servlet.http.HttpServlet#doGet(HttpServletRequest, HttpServletResponse) - */ - protected void doGet(HttpServletRequest req, HttpServletResponse resp) - throws ServletException, IOException { - - Logger.debug("GET StartAuthentication"); - - String sessionID = req.getParameter(PARAM_SESSIONID); - sessionID = (String) req.getAttribute(PARAM_SESSIONID); - - - - try { - - if (StringUtils.isEmpty(sessionID)) - throw new MOAIDException("auth.18", null); - - sessionID = StringEscapeUtils.escapeHtml(sessionID); - - if (!ParamValidatorUtils.isValidSessionID(sessionID)) - throw new WrongParametersException("StartAuthentication", PARAM_SESSIONID, "auth.12"); - - setNoCachingHeadersInHttpRespone(req, resp); - - - //TODO: Load MOASession - AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(sessionID); - - STORKConfig storkConfig = AuthConfigurationProvider.getInstance().getStorkConfig(); - - Logger.info("Starting authentication for a citizen of country: " + (StringUtils.isEmpty(moasession.getCcc()) ? "AT" : moasession.getCcc())); - // STORK or normal authentication - if (storkConfig.isSTORKAuthentication(moasession.getCcc())) { - //STORK authentication - Logger.trace("Found C-PEPS configuration for citizen of country: " + moasession.getCcc()); - Logger.debug("Starting STORK authentication"); - - //TODO: insert sessionID to STORK!! - AuthenticationServer.startSTORKAuthentication(req, resp, moasession); - - } else { - //normal MOA-ID authentication - Logger.debug("Starting normal MOA-ID authentication"); - - String getIdentityLinkForm = AuthenticationServer.getInstance().startAuthentication(moasession, req.getScheme()); - - resp.setContentType("text/html;charset=UTF-8"); - PrintWriter out = new PrintWriter(resp.getOutputStream()); - out.print(getIdentityLinkForm); - out.flush(); - } - Logger.debug("Finished GET StartAuthentication"); - - } - - catch (WrongParametersException ex) { - handleWrongParameters(ex, req, resp); - } - - catch (MOAIDException ex) { - handleError(null, ex, req, resp); - - } catch (MOADatabaseException e) { - handleError(null, e, req, resp); - } - } - - - /** - * @see javax.servlet.http.HttpServlet#doPost(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) - */ - protected void doPost(HttpServletRequest req, HttpServletResponse resp) - throws ServletException, IOException { - - doGet(req, resp); - } - - - /** - * Calls the web application initializer. - * - * @see javax.servlet.Servlet#init(ServletConfig) - */ - public void init(ServletConfig servletConfig) throws ServletException { - try { - super.init(servletConfig); - MOAIDAuthInitializer.initialize(); - Logger.info(MOAIDMessageProvider.getInstance().getMessage("init.00", null)); - } - catch (Exception ex) { - Logger.fatal(MOAIDMessageProvider.getInstance().getMessage("init.02", null), ex); - throw new ServletException(ex); - } - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index e77dd30d0..115c52688 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -55,6 +55,7 @@ public class CreateXMLSignatureResponseValidator { /** Xpath expression to the dsig:Signature element */ private static final String SIGNATURE_XPATH = Constants.DSIG_PREFIX + ":Signature"; + private static final String XADES_SIGNINGTIME_PATH = Constants.XADES_1_1_1_NS_PREFIX + ":SigningTime"; /** Singleton instance. null, if none has been created. */ private static CreateXMLSignatureResponseValidator instance; @@ -331,4 +332,11 @@ public class CreateXMLSignatureResponseValidator { throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; } } + + public void validateSigningDateTime( CreateXMLSignatureResponse csresp) throws ValidateException { + + //TODO: insert Time validation!!!! + + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index 90282a28c..892607c16 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -35,6 +35,7 @@ import java.security.interfaces.RSAPublicKey; import java.util.List; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; @@ -154,7 +155,7 @@ public class VerifyXMLSignatureResponseValidator { } } - + /** * Method validateCertificate. * @param verifyXMLSignatureResponse The VerifyXMLSignatureResponse diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 244197379..4c5b82db8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -1,5 +1,7 @@ package at.gv.egovernment.moa.id.entrypoints; +import iaik.util.logging.Log; + import java.io.IOException; import java.util.Iterator; @@ -12,6 +14,7 @@ import javax.servlet.http.HttpSession; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; import at.gv.egovernment.moa.id.auth.WrongParametersException; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.moduls.IAction; @@ -20,11 +23,14 @@ import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.ModulStorage; import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException; import at.gv.egovernment.moa.id.moduls.RequestStorage; +import at.gv.egovernment.moa.id.moduls.SSOManager; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.storage.ExceptionStoreImpl; +import at.gv.egovernment.moa.id.util.HTTPSessionUtils; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.logging.Logger; -public class DispatcherServlet extends AuthServlet { +public class DispatcherServlet extends AuthServlet{ /** * @@ -189,7 +195,31 @@ public class DispatcherServlet extends AuthServlet { AuthenticationManager authmanager = AuthenticationManager.getInstance(); + SSOManager ssomanager = SSOManager.getInstance(); + + //get SSO Cookie for Request + String ssoId = ssomanager.getSSOSessionID(req); + if (moduleAction.needAuthentication(protocolRequest, req, resp)) { + + //check SSO session + if (ssoId != null) { + String correspondingMOASession = ssomanager.existsOldSSOSession(ssoId); + + if (correspondingMOASession != null) { + Log.warn("Request sends an old SSO Session ID("+ssoId+")! " + + "Invalidate the corresponding MOASession with ID="+ correspondingMOASession); + + AuthenticationSessionStoreage.destroySession(correspondingMOASession); + ssomanager.deleteSSOSessionID(req, resp); + } + } + + boolean isValidSSOSession = ssomanager.isValidSSOSession(ssoId, req); + + //TODO: load useSSO from config! + boolean useSSOOA = true; + if (protocolRequest.isPassiv() && protocolRequest.forceAuth()) { // conflict! @@ -206,8 +236,7 @@ public class DispatcherServlet extends AuthServlet { } else if (protocolRequest.isPassiv()) { if (authmanager.tryPerformAuthentication(req, resp) - || authmanager.isAuthenticated(req, - resp)) { + || (isValidSSOSession && useSSOOA) ) { // Passive authentication ok! } else { throw new NoPassivAuthenticationException(); @@ -215,8 +244,7 @@ public class DispatcherServlet extends AuthServlet { } else { if (authmanager.tryPerformAuthentication(req, resp) - || authmanager.isAuthenticated(req, - resp)) { + || (isValidSSOSession && useSSOOA) ) { // Is authenticated .. proceed } else { // Start authentication! @@ -226,11 +254,26 @@ public class DispatcherServlet extends AuthServlet { } } } - + moduleAction.processRequest(protocolRequest, req, resp); + //save SSO session usage in Database + String moasessionID = HTTPSessionUtils.getHTTPSessionString(req.getSession(), + AuthenticationManager.MOA_SESSION, null); + + String newSSOSessionId = ssomanager.storeSSOSessionInformations(moasessionID, protocolRequest.getOAURL()); + + if (newSSOSessionId != null) { + ssomanager.setSSOSessionID(req, resp, newSSOSessionId); + + } else { + ssomanager.deleteSSOSessionID(req, resp); + } + RequestStorage.removePendingRequest(httpSession); - authmanager.logout(req, resp); + + + //authmanager.logout(req, resp); } catch (Throwable e) { e.printStackTrace(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 58fec9790..d04c0b3d5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -66,45 +66,45 @@ public class AuthenticationManager extends AuthServlet { return null; } - /** - * Checks if the session is authenticated - * - * @param request - * @param response - * @return - */ - public boolean isAuthenticated(HttpServletRequest request, - HttpServletResponse response) { - Logger.info("Checking authentication"); - - HttpSession session = request.getSession(); - - String moaSessionID = HTTPSessionUtils.getHTTPSessionString(session, MOA_SESSION, null); - - if(moaSessionID == null) { - Logger.info("NO MOA Session to logout"); - return false; - } - -// AuthenticationSession authSession; -// try { -// authSession = AuthenticationSessionStoreage -// .getSession(moaSessionID); -// -// } catch (MOADatabaseException e) { -// Logger.info("NO MOA Authentication data for ID " + moaSessionID); -// return false; -// } +// /** +// * Checks if the session is authenticated +// * +// * @param request +// * @param response +// * @return +// */ +// public boolean isAuthenticated(HttpServletRequest request, +// HttpServletResponse response) { +// Logger.info("Checking authentication"); +// +// HttpSession session = request.getSession(); +// +// String moaSessionID = HTTPSessionUtils.getHTTPSessionString(session, MOA_SESSION, null); // -// if(authSession == null) { -// Logger.info("NO MOA Authentication data for ID " + moaSessionID); +// if(moaSessionID == null) { +// Logger.info("NO MOA Session to logout"); // return false; // } // -// return authSession.isAuthenticated(); - - return AuthenticationSessionStoreage.isAuthenticated(moaSessionID); - } +//// AuthenticationSession authSession; +//// try { +//// authSession = AuthenticationSessionStoreage +//// .getSession(moaSessionID); +//// +//// } catch (MOADatabaseException e) { +//// Logger.info("NO MOA Authentication data for ID " + moaSessionID); +//// return false; +//// } +//// +//// if(authSession == null) { +//// Logger.info("NO MOA Authentication data for ID " + moaSessionID); +//// return false; +//// } +//// +//// return authSession.isAuthenticated(); +// +// return AuthenticationSessionStoreage.isAuthenticated(moaSessionID); +// } /** * Checks if this request can authenticate a MOA Session diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 9dcef5778..3bbb3bd2a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -174,6 +174,8 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); AssertionConsumerService consumerService = spSSODescriptor.getAssertionConsumerServices().get(assertionidx); AttributeConsumingService attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); + + //TODO: maybe change to getEntityID() String oaURL = consumerService.getLocation(); String binding = consumerService.getBinding(); String entityID = moaRequest.getEntityMetadata().getEntityID(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index 3634c9983..2c4b7c4c5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -32,9 +32,6 @@ public class GetArtifactAction implements IAction { AuthenticationManager authmanager = AuthenticationManager.getInstance(); AuthenticationSession session = authmanager.getAuthenticationSession(httpSession); - -// String oaURL = (String) httpReq.getAttribute(PARAM_OA); -// oaURL = StringEscapeUtils.escapeHtml(oaURL); String oaURL = (String) req.getOAURL(); String target = (String) req.getTarget(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 09314ba37..d6cf84d86 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -95,6 +95,8 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { config.setTarget(oaParam.getTarget()); + //TODO: set reauthenticate if OA.useSSO=false + request.getSession().setAttribute(PARAM_OA, oaURL); request.getSession().setAttribute(PARAM_TARGET, oaParam.getTarget()); return config; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 44f0563b1..8ea6a6633 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -13,6 +13,7 @@ import org.apache.commons.lang.SerializationUtils; import org.hibernate.HibernateException; import org.hibernate.Query; import org.hibernate.Session; +import org.hibernate.Transaction; import at.gv.egovernment.moa.id.AuthenticationException; import at.gv.egovernment.moa.id.MOAIDException; @@ -20,6 +21,8 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.commons.db.HibernateUtil; import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; @@ -93,16 +96,48 @@ public class AuthenticationSessionStoreage { public static void destroySession(String moaSessionID) throws MOADatabaseException { - try { - AuthenticatedSessionStore dbsession = searchInDatabase(moaSessionID); - HibernateUtil.delete(dbsession); + Session session = HibernateUtil.getCurrentSession(); + + List result; + + synchronized (session) { + + session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithID"); + query.setString("sessionid", moaSessionID); + result = query.list(); + + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + throw new MOADatabaseException("No session found with this sessionID"); + } + + AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0); - } catch (MOADatabaseException e) { - Logger.warn("MOASession could not be destroyed."); - throw new MOADatabaseException(e); - } +// //delete old SSO Session Ids +// List oldssosessionids = dbsession.getOldssosessionids(); +// +// for (OldSSOSessionIDStore oldsssid : oldssosessionids) { +// session.delete(oldsssid); +// } +// +// //delete active OA +// List activeOAs = dbsession.getActiveOAsessions(); +// +// for (OASessionStore activeOA : activeOAs) { +// session.delete(activeOA); +// +// } + + //delete MOA Session + session.delete(dbsession); + session.getTransaction().commit(); + } - } // public static void dumpSessionStore() { @@ -141,10 +176,7 @@ public class AuthenticationSessionStoreage { throw new AuthenticationException("TODO!", null); } - - - - + // synchronized (sessionStore) { // if (sessionStore.containsKey(session.getSessionID())) { // AuthenticationSession theSession = sessionStore.get(session @@ -163,6 +195,77 @@ public class AuthenticationSessionStoreage { // throw new AuthenticationException("TODO!", null); } + public static void addSSOInformation(String moaSessionID, String SSOSessionID, + String OAUrl) throws AuthenticationException { + + AuthenticatedSessionStore dbsession; + Transaction tx = null; + + try { + + Session session = HibernateUtil.getCurrentSession(); + List result; + + synchronized (session) { + + tx = session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithID"); + query.setString("sessionid", moaSessionID); + result = query.list(); + + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + throw new MOADatabaseException("No session found with this sessionID"); + } + + dbsession = (AuthenticatedSessionStore) result.get(0); + + //set active OA applications + OASessionStore activeOA = new OASessionStore(); + activeOA.setOaurlprefix(OAUrl); + activeOA.setMoasession(dbsession); + activeOA.setCreated(new Date()); + + List activeOAs = dbsession.getActiveOAsessions(); + activeOAs.add(activeOA); + dbsession.setActiveOAsessions(activeOAs); + + + //Store used SSOId + if (dbsession.getSSOsessionid() != null) { + OldSSOSessionIDStore oldSSOId = new OldSSOSessionIDStore(); + oldSSOId.setOldsessionid(dbsession.getSSOsessionid()); + oldSSOId.setMoasession(dbsession); + + List oldSSOIds = dbsession.getOldssosessionids(); + oldSSOIds.add(oldSSOId); + } + + dbsession.setSSOSession(true); + dbsession.setSSOsessionid(SSOSessionID); + + //Store MOASession + session.saveOrUpdate(dbsession); + + //send transaction + tx.commit(); + } + + } catch (MOADatabaseException e) { + throw new AuthenticationException("No MOASession found with Id="+moaSessionID, null); + + } catch(HibernateException e) { + Logger.warn("Error during database saveOrUpdate. Rollback.", e); + tx.rollback(); + throw new AuthenticationException("SSO Session information can not be stored! --> SSO is deactivated", null); + } + } + + public static AuthenticationSession getSession(String sessionID) throws MOADatabaseException { try { @@ -181,6 +284,49 @@ public class AuthenticationSessionStoreage { } } + public static boolean isValidSessionWithSSOID(String SSOId, String moaSessionId) { + + MiscUtil.assertNotNull(SSOId, "moasessionID"); + Logger.trace("Get authenticated session with SSOID " + SSOId + " from database."); + Session session = HibernateUtil.getCurrentSession(); + + List result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithSSOID"); + query.setString("sessionid", SSOId); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + return false; + + } else { + AuthenticatedSessionStore dbsession = result.get(0); + + + if (dbsession.getSessionid().equals(moaSessionId) && dbsession.isAuthenticated()) { + Log.info("Found SSO Session Cookie for MOA Session =" + moaSessionId); + return true; + + } else { + Log.warn("Found SSO Session with ID="+ dbsession.getSessionid() + + " but this Session does not match to MOA Sesson ID=" + moaSessionId); + } + + return false; + } + + } + public static void clean(long now, long authDataTimeOut) { Date expioredate = new Date(now - authDataTimeOut); -- cgit v1.2.3