From b3e9fbc02bce967d7303a024c68851d6471b2685 Mon Sep 17 00:00:00 2001 From: Andreas Fitzek Date: Wed, 26 Jun 2013 15:34:18 +0200 Subject: PVP2 Stork authentication --- .../moa/id/auth/AuthenticationServer.java | 2 ++ .../moa/id/auth/data/AuthenticationSession.java | 10 ++++++ .../moa/id/auth/servlet/GetForeignIDServlet.java | 6 +++- .../moa/id/auth/servlet/PEPSConnectorServlet.java | 6 +++- .../id/auth/servlet/VerifyCertificateServlet.java | 2 +- .../id/auth/servlet/VerifyIdentityLinkServlet.java | 2 +- .../EIDIssuingNationAttributeBuilder.java | 36 ++++++++++++++++++++-- 7 files changed, 57 insertions(+), 7 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 4f35b084f..d9f3ef7e8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -454,6 +454,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.setTemplateURL(templateURL); session.setBusinessService(oaParam.getBusinessService()); session.setModul(modul); + session.setForeignMode(false); session.setAction(action); if (sourceID != null) session.setSourceID(sourceID); @@ -2850,6 +2851,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { moaSession.setDomainIdentifier(oaParam.getIdentityLinkDomainIdentifier()); moaSession.setAction(action); moaSession.setModul(modul); + moaSession.setForeignMode(true); if (sourceID != null) moaSession.setSourceID(sourceID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index aaad1cc1e..e7bd5f511 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -267,6 +267,8 @@ public class AuthenticationSession { private boolean authenticated; private boolean authenticatedUsed = false; + + private boolean foreignMode = false; public boolean isAuthenticatedUsed() { return authenticatedUsed; @@ -1020,4 +1022,12 @@ public class AuthenticationSession { this.mandate = mandate; } + public boolean isForeignMode() { + return foreignMode; + } + + public void setForeignMode(boolean foreignMode) { + this.foreignMode = foreignMode; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java index 6516e64b7..3f775f38e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java @@ -49,6 +49,7 @@ import at.gv.egovernment.moa.id.auth.parser.CreateXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentityLinkResponse; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException; +import at.gv.egovernment.moa.id.moduls.ModulUtils; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.DOMUtils; @@ -179,11 +180,14 @@ public class GetForeignIDServlet extends AuthServlet { String samlArtifactBase64 = AuthenticationServer.getInstance().getForeignAuthenticationData(sessionID); if (!samlArtifactBase64.equals("Redirect to Input Processor")) { - redirectURL = session.getOAURLRequested(); + /*redirectURL = session.getOAURLRequested(); if (!session.getBusinessService()) { redirectURL = addURLParameter(redirectURL, PARAM_TARGET, URLEncoder.encode(session.getTarget(), "UTF-8")); } redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); + redirectURL = resp.encodeRedirectURL(redirectURL);*/ + redirectURL = new DataURLBuilder().buildDataURL(session.getAuthURL(), + ModulUtils.buildAuthURL(session.getModul(), session.getAction()), samlArtifactBase64); redirectURL = resp.encodeRedirectURL(redirectURL); } else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 4ec894d47..731c7581c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -23,6 +23,7 @@ import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.stork.STORKException; import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor; +import at.gv.egovernment.moa.id.moduls.ModulUtils; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.DOMUtils; @@ -200,11 +201,14 @@ public class PEPSConnectorServlet extends AuthServlet { //redirect String redirectURL = null; if (!samlArtifactBase64.equals("Redirect to Input Processor")) { - redirectURL = moaSession.getOAURLRequested(); + /*redirectURL = moaSession.getOAURLRequested(); if (!moaSession.getBusinessService()) { redirectURL = addURLParameter(redirectURL, PARAM_TARGET, URLEncoder.encode(moaSession.getTarget(), "UTF-8")); } redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); + redirectURL = response.encodeRedirectURL(redirectURL);*/ + redirectURL = new DataURLBuilder().buildDataURL(moaSession.getAuthURL(), + ModulUtils.buildAuthURL(moaSession.getModul(), moaSession.getAction()), samlArtifactBase64); redirectURL = response.encodeRedirectURL(redirectURL); } else { redirectURL = new DataURLBuilder().buildDataURL(moaSession.getAuthURL(), AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, moaSession.getSessionID()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java index 51ec82e2d..d5198a862 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java @@ -146,7 +146,7 @@ public class VerifyCertificateServlet extends AuthServlet { } else { // Foreign Identities Modus - + session.setForeignMode(true); String createXMLSignatureRequest = AuthenticationServer.getInstance().createXMLSignatureRequestForeignID(sessionID, cert); // build dataurl (to the GetForeignIDSerlvet) String dataurl = diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java index 61b55f73d..f2c41a051 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java @@ -141,7 +141,7 @@ public class VerifyIdentityLinkServlet extends AuthServlet { if (createXMLSignatureRequestOrRedirect == null) { // no identity link found - + boolean useMandate = session.getUseMandate(); if (useMandate) { Logger.error("Online-Mandate Mode for foreign citizencs not supported."); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java index 251d263d9..2452e35c9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java @@ -1,8 +1,14 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; +import iaik.x509.X509Certificate; + +import javax.naming.ldap.LdapName; +import javax.naming.ldap.Rdn; + import org.opensaml.saml2.core.Attribute; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.logging.Logger; public class EIDIssuingNationAttributeBuilder extends BaseAttributeBuilder { @@ -12,13 +18,37 @@ public class EIDIssuingNationAttributeBuilder extends BaseAttributeBuilder { public Attribute build(AuthenticationSession authSession) { String countryCode = "AT"; - if(authSession.getStorkAuthnRequest() != null) { - countryCode = authSession.getStorkAuthnRequest().getCitizenCountryCode(); + + + if (authSession.getStorkAuthnRequest() != null) { + countryCode = authSession.getStorkAuthnRequest() + .getCitizenCountryCode(); + } else { + + //TODO: replace with TSL lookup when TSL is ready! + X509Certificate certificate = authSession.getSignerCertificate(); + + if (certificate != null) { + try { + LdapName ln = new LdapName(certificate.getIssuerDN() + .getName()); + for (Rdn rdn : ln.getRdns()) { + if (rdn.getType().equalsIgnoreCase("C")) { + Logger.info("C is: " + rdn.getValue()); + countryCode = rdn.getValue().toString(); + break; + } + } + } catch (Exception e) { + Logger.error("Failed to extract country code from certificate", e); + } + } } + return buildStringAttribute(EID_ISSUING_NATION_FRIENDLY_NAME, EID_ISSUING_NATION_NAME, countryCode); } - + public Attribute buildEmpty() { return buildemptyAttribute(EID_ISSUING_NATION_FRIENDLY_NAME, EID_ISSUING_NATION_NAME); -- cgit v1.2.3