From 9a377f533a992d19fe264fbd9fd0b096504aba37 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 12 May 2014 16:16:36 +0200 Subject: fix some interfederation problems --- .../moa/id/auth/AuthenticationServer.java | 29 +++++++++-- .../id/config/auth/AuthConfigurationProvider.java | 1 - .../moa/id/entrypoints/DispatcherServlet.java | 17 +++---- .../gv/egovernment/moa/id/moduls/SSOManager.java | 3 +- .../id/storage/AuthenticationSessionStoreage.java | 58 +++++++++++++++------- 5 files changed, 74 insertions(+), 34 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index e83718949..010aead55 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.auth; import iaik.asn1.ObjectID; +import iaik.pki.PKIRuntimeException; import iaik.util.logging.Log; import iaik.x509.X509Certificate; import iaik.x509.X509ExtensionInitException; @@ -1164,11 +1165,31 @@ public class AuthenticationServer implements MOAIDAuthConstants { vtids, tpid); // debug output - // invokes the call - Element domVsresp = new SignatureVerificationInvoker() - .verifyXMLSignature(domVsreq); - // debug output + Element domVsresp = null; + + try { + // invokes the call + domVsresp = new SignatureVerificationInvoker() + .verifyXMLSignature(domVsreq); + // debug output + + } catch ( ServiceException e) { + Logger.error("Signature verification error. ", e); + Logger.error("Signed Data: " + session.getAuthBlock()); + try { + Logger.error("VerifyRequest: " + DOMUtils.serializeNode(domVsreq)); + } catch (TransformerException e1) { + e1.printStackTrace(); + + } catch (IOException e1) { + e1.printStackTrace(); + + } + + throw e; + } + // parses the VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponseParser( domVsresp).parseData(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 143a04dad..dca0958f3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -63,7 +63,6 @@ import javax.xml.bind.JAXBContext; import javax.xml.bind.Unmarshaller; import org.hibernate.cfg.Configuration; -import org.opensaml.DefaultBootstrap; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index a37026ab4..4eba83ad5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -222,8 +222,10 @@ public class DispatcherServlet extends AuthServlet{ } } - //HttpSession httpSession = req.getSession(); - //Map protocolRequests = null; + //get SSO Cookie for Request + SSOManager ssomanager = SSOManager.getInstance(); + String ssoId = ssomanager.getSSOSessionID(req); + IRequest protocolRequest = null; try { @@ -258,7 +260,8 @@ public class DispatcherServlet extends AuthServlet{ moduleAction = info.getAction(protocolRequest.requestedAction()); //create interfederated mOASession - String sessionID = AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true); + String sessionID = + AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true, ssoId); req.getParameterMap().put(PARAM_SESSIONID, sessionID); Logger.info("PreProcessing of SSO interfederation response complete. "); @@ -318,16 +321,12 @@ public class DispatcherServlet extends AuthServlet{ } AuthenticationManager authmanager = AuthenticationManager.getInstance(); - SSOManager ssomanager = SSOManager.getInstance(); String moasessionID = null; String newSSOSessionId = null; AuthenticationSession moasession = null; IAuthData authData = null; - - //get SSO Cookie for Request - String ssoId = ssomanager.getSSOSessionID(req); - + boolean needAuthentication = moduleAction.needAuthentication(protocolRequest, req, resp); if (needAuthentication) { @@ -358,7 +357,7 @@ public class DispatcherServlet extends AuthServlet{ isValidSSOSession = ssomanager.isValidSSOSession(ssoId, protocolRequest); - useSSOOA = oaParam.useSSO(); + useSSOOA = oaParam.useSSO() || oaParam.isInderfederationIDP(); //if a legacy request is used SSO should not be allowed, actually diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index 094cfa31f..f4f89a4ba 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -130,7 +130,8 @@ public class SSOManager { else { if (protocolRequest != null && protocolRequest instanceof RequestImpl && - storedSession.isInterfederatedSSOSession()) { + storedSession.isInterfederatedSSOSession() && + !storedSession.isAuthenticated()) { if (MiscUtil.isEmpty(((RequestImpl) protocolRequest).getRequestedIDP())) { InterfederationSessionStore selectedIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORSSOWithMOASession(storedSession.getSessionid()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 74a5e01ad..26922a13b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -215,7 +215,7 @@ public class AuthenticationSessionStoreage { } public static String getMOASessionSSOID(String SSOSessionID) { - MiscUtil.assertNotNull(SSOSessionID, "moasessionID"); + MiscUtil.assertNotNull(SSOSessionID, "SSOsessionID"); Logger.trace("Get authenticated session with SSOID " + SSOSessionID + " from database."); Session session = MOASessionDBUtils.getCurrentSession(); @@ -643,22 +643,44 @@ public class AuthenticationSessionStoreage { return result.get(0).getInderfederation().get(0); } - public static String createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption { - String id = Random.nextRandom(); - AuthenticationSession session = new AuthenticationSession(id); - session.setAuthenticated(true); - session.setAuthenticatedUsed(false); - - AuthenticatedSessionStore dbsession = new AuthenticatedSessionStore(); - dbsession.setSessionid(id); - dbsession.setAuthenticated(isAuthenticated); - dbsession.setInterfederatedSSOSession(true); + public static String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption { + AuthenticatedSessionStore dbsession = null; + + //search for active SSO session + if (MiscUtil.isNotEmpty(ssoID)) { + String moaSession = getMOASessionSSOID(ssoID); + if (MiscUtil.isNotEmpty(moaSession)) { + try { + dbsession = searchInDatabase(moaSession); + + }catch (MOADatabaseException e) { + + } + } + } - //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 + String id = null; Date now = new Date(); - dbsession.setCreated(now); + + //create new MOASession if any exists + if (dbsession == null) { + id = Random.nextRandom(); + dbsession = new AuthenticatedSessionStore(); + dbsession.setSessionid(id); + dbsession.setCreated(now); + + } else { + id = dbsession.getSessionid(); + + } + + dbsession.setInterfederatedSSOSession(true); + dbsession.setAuthenticated(isAuthenticated); dbsession.setUpdated(now); + AuthenticationSession session = new AuthenticationSession(id); + session.setAuthenticated(true); + session.setAuthenticatedUsed(false); dbsession.setSession(SerializationUtils.serialize(session)); //add interfederation information @@ -682,18 +704,16 @@ public class AuthenticationSessionStoreage { idp = new InterfederationSessionStore(); idp.setCreated(now); idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID()); - + idp.setMoasession(dbsession); + idpList.add(idp); + } - AssertionAttributeExtractor extract = new AssertionAttributeExtractor(req.getInterfederationResponse().getResponse()); idp.setSessionIndex(extract.getSessionIndex()); idp.setUserNameID(extract.getNameID()); idp.setAttributesRequested(false); idp.setQAALevel(extract.getQAALevel()); - idp.setMoasession(dbsession); - idpList.add(idp); - - + //store AssertionStore element to Database try { MOASessionDBUtils.saveOrUpdate(dbsession); -- cgit v1.2.3