From b166ec2361980aeb9f288125afd5716099a21f7c Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 10 Jul 2014 12:42:05 +0200 Subject: solve TrustManagerRevocationCheck problem with legacy config import --- .../at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java | 2 ++ 1 file changed, 2 insertions(+) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java index 864be253a..1240ed8f3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java @@ -151,6 +151,8 @@ public class BuildFromLegacyConfig { if (genericConfiguration.containsKey(ConfigurationProvider.TRUST_MANAGER_REVOCATION_CHECKING)) authGeneral.setTrustManagerRevocationChecking( Boolean.valueOf((String)genericConfiguration.get(ConfigurationProvider.TRUST_MANAGER_REVOCATION_CHECKING))); + else + authGeneral.setTrustManagerRevocationChecking(true); if (genericConfiguration.containsKey(ConfigurationProvider.DIRECTORY_CERTSTORE_PARAMETER_PROPERTY)) authGeneral.setCertStoreDirectory( -- cgit v1.2.3 From 96407baacd66fef7f3581a5377180a152795bd78 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 14 Jul 2014 09:02:30 +0200 Subject: add additionl trustmanagerrevoationchecking default value --- .../java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java | 2 +- .../gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java index 88ed7885f..24def1e02 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java @@ -124,7 +124,7 @@ public class ConfigurationProvider { protected String certstoreDirectory; - protected boolean trustmanagerrevoationchecking; + protected boolean trustmanagerrevoationchecking = true; /** * Returns the main configuration file directory used to configure MOA-ID diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 6fc1d28c1..32625ca03 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -1038,10 +1038,11 @@ public class AuthConfigurationProvider extends ConfigurationProvider { private void setTrustManagerRevocationChecking() throws ConfigurationException { AuthComponentGeneral auth = getAuthComponentGeneral(); - if (auth.getGeneralConfiguration() != null) + if (auth.getGeneralConfiguration() != null && + auth.getGeneralConfiguration().isTrustManagerRevocationChecking() != null) trustmanagerrevoationchecking = auth.getGeneralConfiguration().isTrustManagerRevocationChecking(); else { - Logger.warn("Error in MOA-ID Configuration. No CertStoreDirectory defined."); + Logger.warn("No TrustMangerRevoationChecking defined. Use default value = TRUE"); throw new ConfigurationException("config.02", null); } } -- cgit v1.2.3 From 6f70c39d276b3758da06e3121208e2f1ed0009a3 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 4 Nov 2014 10:03:08 +0100 Subject: remove subject->nameID from AuthnRequest --- .../at/gv/egovernment/moa/id/moduls/AuthenticationManager.java | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index a4d63b144..dab89b7c3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -422,16 +422,10 @@ public class AuthenticationManager extends AuthServlet { authReq.setAssertionConsumerServiceIndex(0); authReq.setIssueInstant(new DateTime()); - Subject subject = SAML2Utils.createSAMLObject(Subject.class); - NameID name = SAML2Utils.createSAMLObject(NameID.class); - Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - + Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath(); - name.setValue(serviceURL); issuer.setValue(serviceURL); - subject.setNameID(name); - authReq.setSubject(subject); issuer.setFormat(NameIDType.ENTITY); authReq.setIssuer(issuer); NameIDPolicy policy = SAML2Utils -- cgit v1.2.3 From 99b46131e3ef3753af9f1d17516cf900fd095b4d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 4 Nov 2014 10:43:51 +0100 Subject: add STORK-QAA to PVP SecClass mapping --- .../id/auth/builder/AuthenticationDataBuilder.java | 2 +- .../moa/id/moduls/AuthenticationManager.java | 58 +++++++++++++++++++--- .../egovernment/moa/id/util/PVPtoSTORKMapper.java | 22 +++++++- 3 files changed, 74 insertions(+), 8 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 52488c3cb..7aa4cd1f7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -536,7 +536,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } else { Logger.debug("Found PVP QAA level. QAA mapping process starts ... "); - String mappedQAA = PVPtoSTORKMapper.getInstance().mapQAALevel(qaaLevel); + String mappedQAA = PVPtoSTORKMapper.getInstance().mapToQAALevel(qaaLevel); if (MiscUtil.isNotEmpty(mappedQAA)) authData.setQAALevel(mappedQAA); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index dab89b7c3..333bd35f1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -77,6 +77,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.SLOInformationContainer; import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; @@ -87,9 +88,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest; import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; @@ -381,6 +384,7 @@ public class AuthenticationManager extends AuthServlet { //get IDP metadata try { OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getRequestedIDP()); + OAAuthParameter sp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getOAURL()); if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) { Logger.info("Requested interfederation IDP " + target.getRequestedIDP() + " is not valid for interfederation."); @@ -389,7 +393,7 @@ public class AuthenticationManager extends AuthServlet { return; } - + EntityDescriptor idpEntity = MOAMetadataProvider.getInstance(). getEntityDescriptor(target.getRequestedIDP()); @@ -409,7 +413,7 @@ public class AuthenticationManager extends AuthServlet { redirectEndpoint == null ) redirectEndpoint = sss; } - + if (redirectEndpoint != null) { AuthnRequest authReq = SAML2Utils @@ -440,13 +444,55 @@ public class AuthenticationManager extends AuthServlet { SAML2Utils.createSAMLObject(RequestedAuthnContext.class); AuthnContextClassRef authnClassRef = - SAML2Utils.createSAMLObject(AuthnContextClassRef.class); - authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4"); + SAML2Utils.createSAMLObject(AuthnContextClassRef.class); + + if (sp != null && sp.isSTORKPVPGateway()){ + //use PVP SecClass instead of STORK QAA level + String secClass = null; + if (target instanceof MOASTORKRequest) { + + try { + MOASTORKRequest storkReq = (MOASTORKRequest) target; + secClass = PVPtoSTORKMapper.getInstance().mapToSecClass( + PVPConstants.STORK_QAA_PREFIX + storkReq.getStorkAuthnRequest().getQaa()); + + } catch (Exception e) { + Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e); + + } + } + + if (MiscUtil.isNotEmpty(secClass)) + authnClassRef.setAuthnContextClassRef(secClass); + else + authnClassRef.setAuthnContextClassRef("http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3"); + + } else { + if (target instanceof MOASTORKRequest) { + //use requested QAA level from STORK request + try { + MOASTORKRequest storkReq = (MOASTORKRequest) target; + authnClassRef.setAuthnContextClassRef( + PVPConstants.STORK_QAA_PREFIX + storkReq.getStorkAuthnRequest().getQaa()); + Logger.debug("Use STORK-QAA level " + authnClassRef.getAuthnContextClassRef() + + " from STORK request"); + + } catch (Exception e) { + Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e); + + } + + } + + if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef())) + authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4"); + + } + reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM); reqAuthContext.getAuthnContextClassRefs().add(authnClassRef); authReq.setRequestedAuthnContext(reqAuthContext); - - + IEncoder binding = null; if (redirectEndpoint.getBinding().equals( SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java index 0ea03e29d..fe3b780fb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java @@ -36,6 +36,7 @@ import at.gv.egovernment.moa.util.MiscUtil; public class PVPtoSTORKMapper { private static final String PVP_SECCLASS_PREFIX = "http://www.ref.gv.at/ns/names/agiz/pvp/"; + private static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/"; private static final String MAPPING_RESOURCE = "resources/properties/pvp-stork_mapping.properties"; @@ -67,12 +68,31 @@ public class PVPtoSTORKMapper { } + /**Map a STORK QAA level to PVP SecClass + * + * @param STORK-QAA level + * @return PVP SecClass pvpQAALevel + */ + public String mapToSecClass(String storkQAALevel) { + if (mapping != null) { + String input = storkQAALevel.substring(STORK_QAA_PREFIX.length()); + String mappedQAA = mapping.getProperty(input); + if (MiscUtil.isNotEmpty(mappedQAA)) { + Logger.info("Map STORK-QAA " + storkQAALevel + " to PVP SecClass " + mappedQAA); + return mappedQAA; + + } + } + Logger.warn("No mapping for STORK-QAA " + storkQAALevel +" !"); + return null; + } + /**Map a PVP SecClass to STORK QAA level * * @param PVP SecClass pvpQAALevel * @return STORK-QAA level */ - public String mapQAALevel(String pvpQAALevel) { + public String mapToQAALevel(String pvpQAALevel) { if (mapping != null) { String input = pvpQAALevel.substring(PVP_SECCLASS_PREFIX.length()); String mappedQAA = mapping.getProperty(input); -- cgit v1.2.3 From 3e3109fbf3f93f52919f0ba6089b5488f598c149 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 4 Nov 2014 11:40:33 +0100 Subject: add clock screw to assertion time validation --- .../id/protocols/pvp2x/verification/SAMLVerificationEngine.java | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index 4ba93f8fe..2247ad227 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -174,10 +174,14 @@ public class SAMLVerificationEngine { for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { Conditions conditions = saml2assertion.getConditions(); - DateTime notbefore = conditions.getNotBefore(); + DateTime notbefore = conditions.getNotBefore().minusMinutes(5); DateTime notafter = conditions.getNotOnOrAfter(); if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { - Logger.warn("PVP2 Assertion is out of Date"); + Logger.warn("PVP2 Assertion is out of Date. " + + "{ Current : " + new DateTime() + + " NotBefore: " + notbefore + + " NotAfter : " + notafter + + " }"); } else { validatedassertions.add(saml2assertion); -- cgit v1.2.3 From b8ce6db7bdc9576ae8daef6ea2b1a8da45a2a735 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 4 Nov 2014 12:11:21 +0100 Subject: update minimal required attribute set for interfederated assertions --- .../protocols/pvp2x/utils/AssertionAttributeExtractor.java | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index f0373e214..26b3bfbd1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -54,8 +54,7 @@ public class AssertionAttributeExtractor { private final List minimalAttributeNameList = Arrays.asList( PVPConstants.PRINCIPAL_NAME_NAME, - PVPConstants.GIVEN_NAME_NAME, - PVPConstants.BIRTHDATE_NAME); + PVPConstants.GIVEN_NAME_NAME); public AssertionAttributeExtractor(StatusResponseType samlResponse) throws AssertionAttributeExtractorExeption { @@ -119,16 +118,21 @@ public class AssertionAttributeExtractor { //first check if a bPK or an encrypted bPK is available if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) || - (attributs.containsKey(PVPConstants.BPK_NAME) && attributs.containsKey(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))) { + (attributs.containsKey(PVPConstants.BPK_NAME))) { boolean flag = true; for (String attr : attributeNameList) { - if (!attributs.containsKey(attr)) + if (!attributs.containsKey(attr)) { flag = false; + Logger.debug("Assertion contains no Attribute " + attr); + + } + } return flag; - } + } + Logger.debug("Assertion contains no bPK or encryptedbPK."); return false; } -- cgit v1.2.3 From 0acb196f1a070ae31ca9cdb888dbf966460441c6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 4 Nov 2014 12:12:11 +0100 Subject: fix sessionTimeOut extraction from interfederated session --- .../id/auth/builder/AuthenticationDataBuilder.java | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 7aa4cd1f7..d5a6a1b70 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -43,6 +43,7 @@ import javax.xml.bind.Marshaller; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; +import org.opensaml.saml2.core.AuthnStatement; import org.opensaml.saml2.core.Response; import org.opensaml.ws.soap.common.SOAPException; import org.opensaml.xml.XMLObject; @@ -271,12 +272,13 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(intfResp); - if (!extractor.containsAllRequiredAttributes()) { + if (!extractor.containsAllRequiredAttributes()) { + Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ..."); //collect attributes by using BackChannel communication String endpoint = idp.getIDPAttributQueryServiceURL(); if (MiscUtil.isEmpty(endpoint)) { - Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix()); - throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null); + Logger.error("No AttributeQueryURL for interfederationIDP " + idp.getPublicURLPrefix()); + throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + idp.getPublicURLPrefix(), null); } //build attributQuery request @@ -761,8 +763,19 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authData.setSsoSession(true); authData.setInterfederatedSSOSession(true); - if (extractor.getFullAssertion().getConditions() != null && extractor.getFullAssertion().getConditions().getNotOnOrAfter() != null) + if (extractor.getFullAssertion().getAuthnStatements() != null + && extractor.getFullAssertion().getAuthnStatements().size() > 0) { + for (AuthnStatement el : extractor.getFullAssertion().getAuthnStatements()) { + if (el.getSessionNotOnOrAfter() != null) { + authData.setSsoSessionValidTo(el.getSessionNotOnOrAfter().toDate()); + break; + } + } + + } else { authData.setSsoSessionValidTo(extractor.getFullAssertion().getConditions().getNotOnOrAfter().toDate()); + + } //only for SAML1 if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel())) -- cgit v1.2.3 From 37384244fd52e2ee22608f1504aee825a1966113 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 4 Nov 2014 12:32:23 +0100 Subject: remove a not standardize prefix from PVP BPK attribute value. - this is a workaround for LFRZ Stammportal interfederation --- .../moa/id/auth/builder/AuthenticationDataBuilder.java | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index d5a6a1b70..d19080c25 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -368,6 +368,14 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { if (extractor.containsAttribute(PVPConstants.BPK_NAME)) { String pvpbPK = extractor.getSingleAttributeValue(PVPConstants.BPK_NAME); + + if (pvpbPK.startsWith("bPK:")) { + Logger.warn("Attribute " + PVPConstants.BPK_NAME + + " contains a not standardize prefix! Staring attribute value correction process ..."); + pvpbPK = pvpbPK.substring("bPK:".length()); + + } + String[] spitted = pvpbPK.split(":"); authData.setBPK(spitted[1]); if (MiscUtil.isEmpty(authData.getBPKType())) { -- cgit v1.2.3 From 6865934e3b6e20dd145025703e51af8b4b259e1b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 4 Nov 2014 14:45:38 +0100 Subject: add fix to correct invalid encoded EID_SECTOR_FOR_IDENTIFIER PVP attribute values --- .../moa/id/auth/builder/AuthenticationDataBuilder.java | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index d19080c25..bae5bb1f6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -360,12 +360,25 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authData.setFamilyName(extractor.getSingleAttributeValue(PVPConstants.PRINCIPAL_NAME_NAME)); authData.setGivenName(extractor.getSingleAttributeValue(PVPConstants.GIVEN_NAME_NAME)); authData.setDateOfBirth(extractor.getSingleAttributeValue(PVPConstants.BIRTHDATE_NAME)); - authData.setBPKType(extractor.getSingleAttributeValue(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)); authData.setCcc(extractor.getSingleAttributeValue(PVPConstants.EID_ISSUING_NATION_NAME)); authData.setBkuURL(extractor.getSingleAttributeValue(PVPConstants.EID_CCS_URL_NAME)); authData.setIdentificationValue(extractor.getSingleAttributeValue(PVPConstants.EID_SOURCE_PIN_NAME)); authData.setIdentificationType(extractor.getSingleAttributeValue(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)); + + if (extractor.containsAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { + String bpkType = extractor.getSingleAttributeValue(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME); + if (bpkType.startsWith(Constants.URN_PREFIX_CDID) && + !bpkType.substring(Constants.URN_PREFIX_CDID.length(), + Constants.URN_PREFIX_CDID.length() + 1).equals("+")) { + Logger.warn("Receive uncorrect encoded bBKType attribute " + bpkType + " Starting attribute value correction ... "); + bpkType = Constants.URN_PREFIX_CDID + "+" + bpkType.substring(Constants.URN_PREFIX_CDID.length() + 1); + + } + + authData.setBPKType(bpkType); + } + if (extractor.containsAttribute(PVPConstants.BPK_NAME)) { String pvpbPK = extractor.getSingleAttributeValue(PVPConstants.BPK_NAME); -- cgit v1.2.3 From 9a859b2e6f94042ef0665eb4f63248e48978a059 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 4 Nov 2014 14:46:07 +0100 Subject: update STORK attribute provider implementation --- .../id/protocols/stork2/AttributeCollector.java | 31 ++++++++----- .../id/protocols/stork2/MOAAttributeProvider.java | 2 +- .../PVPAuthenticationProvider.java | 53 +++++++++++----------- 3 files changed, 48 insertions(+), 38 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java index e3b9992aa..192f139eb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java @@ -121,7 +121,7 @@ public class AttributeCollector implements IAction { if (authnResponse.getPersonalAttributeList().size() > 0) { Logger.info("Response from external attribute provider contains " + authnResponse.getPersonalAttributeList().size() + " attributes."); - addOrUpdateAll(container.getResponse().getPersonalAttributeList(), authnResponse.getPersonalAttributeList()); + container.getResponse().setPersonalAttributeList(addOrUpdateAll(container.getResponse().getPersonalAttributeList(), authnResponse.getPersonalAttributeList())); } } @@ -157,7 +157,7 @@ public class AttributeCollector implements IAction { // - insert the embedded attribute(s) into the container if (null != newAttributes) - addOrUpdateAll(container.getResponse().getPersonalAttributeList(), newAttributes); + container.getResponse().setPersonalAttributeList(addOrUpdateAll(container.getResponse().getPersonalAttributeList(), newAttributes)); // see if we need some more attributes SLOInformationImpl sloInfo = (SLOInformationImpl) processRequest(container, httpReq, httpResp, authData, oaParam); @@ -203,7 +203,8 @@ public class AttributeCollector implements IAction { IPersonalAttributeList aquiredAttributes = new PersonalAttributeList(); currentAttribute.setStatus(AttributeStatusType.NOT_AVAILABLE.value()); aquiredAttributes.add((PersonalAttribute) currentAttribute.clone()); - addOrUpdateAll(container.getResponse().getPersonalAttributeList(), aquiredAttributes); + container.getResponse().setPersonalAttributeList( + addOrUpdateAll(container.getResponse().getPersonalAttributeList(), aquiredAttributes)); // - check if we can find a suitable AttributeProvider Plugin Iterator attibuteProvidersInterator = AttributeProviderFactory.getConfiguredPlugins(oaParam.getStorkAPs()); @@ -247,7 +248,7 @@ public class AttributeCollector implements IAction { Logger.error("We have no suitable plugin for obtaining the attribute '" + currentAttribute.getName() + "'"); } else // else, update any existing attributes - addOrUpdateAll(container.getResponse().getPersonalAttributeList(), aquiredAttributes); + container.getResponse().setPersonalAttributeList(addOrUpdateAll(container.getResponse().getPersonalAttributeList(), aquiredAttributes)); } Logger.info("collecting attributes done"); @@ -296,15 +297,21 @@ public class AttributeCollector implements IAction { * * @param target the target * @param source the source + * @return * @throws MOAIDException */ - private void addOrUpdateAll(IPersonalAttributeList target, IPersonalAttributeList source) throws MOAIDException { + private PersonalAttributeList addOrUpdateAll(IPersonalAttributeList target, IPersonalAttributeList source) throws MOAIDException { + + PersonalAttributeList updatedList = new PersonalAttributeList(); + for (PersonalAttribute el : target) + updatedList.add(el); + Logger.debug("Updating " + source.size() + " attributes..."); for (PersonalAttribute current : source) { Logger.debug("treating " + current.getName()); // check if we need to update the current pa - if (target.containsKey(current.getName())) { + if (updatedList.containsKey(current.getName())) { PersonalAttribute existing = target.get(current.getName()); if(!(existing.isEmptyValue() && existing.isEmptyComplexValue())) if(!(existing.getValue().equals(current.getValue()) || existing.getComplexValue().equals(current.getComplexValue()))) { @@ -312,14 +319,16 @@ public class AttributeCollector implements IAction { throw new MOAIDException("stork.16", new Object[] {existing.getName()}); } - target.get(current.getName()).setStatus(current.getStatus()); - target.get(current.getName()).setValue(current.getValue()); - target.get(current.getName()).setComplexValue(current.getComplexValue()); + updatedList.get(current.getName()).setStatus(current.getStatus()); + updatedList.get(current.getName()).setValue(current.getValue()); + updatedList.get(current.getName()).setComplexValue(current.getComplexValue()); } else - target.add(current); + updatedList.add(current); - Logger.debug("...successfully treated " + current.getName()); + Logger.debug("...successfully treated " + current.getName()); } + + return updatedList; } /* (non-Javadoc) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java index 993514ec7..755102bf3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java @@ -71,7 +71,7 @@ public class MOAAttributeProvider { public MOAAttributeProvider(IAuthData authData, MOASTORKRequest moastorkRequest) { this.authData = authData; this.moastorkRequest = moastorkRequest; - Logger.debug("identity " + authData.getIdentificationType() + " " + authData.getIdentificationValue()); + } public void populateAttribute(PersonalAttributeList attributeList, PersonalAttribute requestedAttribute ) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java index 96aa55bcf..a026bac81 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java @@ -193,33 +193,34 @@ public class PVPAuthenticationProvider extends AttributeProvider { public IPersonalAttributeList parse(HttpServletRequest httpReq) throws UnsupportedAttributeException, MOAIDException { - Logger.info(this.getClass().getSimpleName() + " tries to extract SAMLResponse out of HTTP Request"); + throw new UnsupportedAttributeException(); - //extract STORK Response from HTTP Request - //Decodes SAML Response - byte[] decSamlToken; - try { - decSamlToken = PEPSUtil.decodeSAMLToken(httpReq.getParameter("SAMLResponse")); - } catch(NullPointerException e) { - throw new UnsupportedAttributeException(); - } - - //Get SAMLEngine instance - STORKSAMLEngine engine = STORKSAMLEngine.getInstance("VIDP"); - - STORKAuthnResponse authnResponse = null; - try { - //validate SAML Token - Logger.debug("Starting validation of SAML response"); - authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) httpReq.getRemoteHost()); - Logger.info("SAML response successfully verified!"); - - }catch(STORKSAMLEngineException e){ - Logger.error("Failed to verify STORK SAML Response", e); - throw new MOAIDException("stork.05", null); - } - - return authnResponse.getPersonalAttributeList(); +// Logger.info(this.getClass().getSimpleName() + " tries to extract SAMLResponse out of HTTP Request"); +// //extract STORK Response from HTTP Request +// //Decodes SAML Response +// byte[] decSamlToken; +// try { +// decSamlToken = PEPSUtil.decodeSAMLToken(httpReq.getParameter("SAMLResponse")); +// } catch(NullPointerException e) { +// throw new UnsupportedAttributeException(); +// } +// +// //Get SAMLEngine instance +// STORKSAMLEngine engine = STORKSAMLEngine.getInstance("VIDP"); +// +// STORKAuthnResponse authnResponse = null; +// try { +// //validate SAML Token +// Logger.debug("Starting validation of SAML response"); +// authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) httpReq.getRemoteHost()); +// Logger.info("SAML response successfully verified!"); +// +// }catch(STORKSAMLEngineException e){ +// Logger.error("Failed to verify STORK SAML Response", e); +// throw new MOAIDException("stork.05", null); +// } +// +// return authnResponse.getPersonalAttributeList(); } -- cgit v1.2.3 From b39bc0239d1e4a4d4a8b0fe708ee24c7709b9454 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 24 Nov 2014 08:14:16 +0100 Subject: add MSOrganisation attribute for ISA 1.18 --- .../id/auth/builder/AuthenticationDataBuilder.java | 6 +++++ .../moa/id/data/AuthenticationData.java | 28 ++++++++++++++-------- .../at/gv/egovernment/moa/id/data/IAuthData.java | 7 ++++-- .../id/protocols/stork2/MOAAttributeProvider.java | 8 +++++-- .../moa/id/protocols/stork2/STORKPVPUtilits.java | 2 +- 5 files changed, 36 insertions(+), 15 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index bae5bb1f6..731925c1b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -767,6 +767,12 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } + //set PVP OU attribute + if (extractor.containsAttribute(PVPConstants.OU_NAME)) { + authData.setPvpAttribute_OU(extractor.getSingleAttributeValue(PVPConstants.OU_NAME)); + Logger.debug("Found PVP 'OU' attribute in response -> " + authData.getPvpAttribute_OU()); + + } //set STORK attributes if (extractor.containsAttribute(PVPConstants.EID_STORK_TOKEN_NAME)) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index 65c413ef9..05b008515 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -133,7 +133,9 @@ public class AuthenticationData implements IAuthData, Serializable { private String authBlock = null; private List encbPKList = null; + //ISA 1.18 attributes private List roles = null; + private String pvpAttribute_OU = null; private boolean useMandate = false; private MISMandate mandate = null; @@ -707,6 +709,7 @@ public class AuthenticationData implements IAuthData, Serializable { return roles; } + //ISA 1.18 attributes /** * @param roles the roles to set */ @@ -716,26 +719,31 @@ public class AuthenticationData implements IAuthData, Serializable { this.roles.add(role); } + + /** + * @return the pvpAttribute_OU + */ + public String getPvpAttribute_OU() { + return pvpAttribute_OU; + } + + /** + * @param pvpAttribute_OU the pvpAttribute_OU to set + */ + public void setPvpAttribute_OU(String pvpAttribute_OU) { + this.pvpAttribute_OU = pvpAttribute_OU; + } /* (non-Javadoc) * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService() */ @Override public boolean isBusinessService() { - // TODO Auto-generated method stub return this.businessService; } public void setIsBusinessService(boolean flag) { this.businessService = flag; - } - - - - - - - - + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java index ebbf62ce7..ccc90a031 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -69,7 +69,9 @@ public interface IAuthData { IdentityLink getIdentityLink(); byte[] getSignerCertificate(); String getAuthBlock(); - + + //ISA 1.18 attributes + String getPvpAttribute_OU(); List getAuthenticationRoles(); boolean isPublicAuthority(); @@ -90,5 +92,6 @@ public interface IAuthData { String getCcc(); STORKAuthnRequest getStorkAuthnRequest(); String getStorkAuthnResponse(); - IPersonalAttributeList getStorkAttributes(); + IPersonalAttributeList getStorkAttributes(); + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java index 755102bf3..499265319 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java @@ -59,13 +59,17 @@ public class MOAAttributeProvider { static { Map tempSimpleMap = new HashMap(); tempSimpleMap.put("givenName", "getGivenName"); - tempSimpleMap.put("surname", "getFamilyName"); + tempSimpleMap.put("surname", "getFamilyName"); + tempSimpleMap.put("MSOrganization", "getPvpAttribute_OU"); storkAttributeSimpleMapping = Collections.unmodifiableMap(tempSimpleMap); + Map tempFunctionMap = new HashMap(); tempFunctionMap.put("eIdentifier", "geteIdentifier"); tempFunctionMap.put("ECApplicationRole","getECApplicationRole"); tempFunctionMap.put("dateOfBirth", "getFormatedDateOfBirth"); + tempFunctionMap.put("MSOrganization", "getMSOrganization"); storkAttributeFunctionMapping = Collections.unmodifiableMap(tempFunctionMap); + } public MOAAttributeProvider(IAuthData authData, MOASTORKRequest moastorkRequest) { @@ -129,7 +133,7 @@ public class MOAAttributeProvider { } return storkRoles; } - + private String getFormatedDateOfBirth() { if (authData.getDateOfBirth() != null) { DateFormat fmt = new SimpleDateFormat("yyyyMMdd"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java index d923eccde..123d32af4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java @@ -32,7 +32,7 @@ import java.util.List; public class STORKPVPUtilits { public static final List attributesRequirePVPAuthentication = - Arrays.asList("ECApplicationRole"); + Arrays.asList("ECApplicationRole", "MSOrganization"); -- cgit v1.2.3 From 50416e97cfe3c633cf3e146b85856bc0b418bfd0 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 24 Nov 2014 08:15:53 +0100 Subject: use OA target from request, if SAML1 is used. for legacy applications --- .../id/auth/parser/StartAuthentificationParameterParser.java | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index 1bc3702e4..a123569d5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -132,12 +132,13 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ String targetFriendlyNameConfig = oaParam.getTargetFriendlyName(); if (StringUtils.isEmpty(targetConfig) -// || (module.equals(SAML1Protocol.PATH) && -// !StringUtils.isEmpty(target)) + || (module.equals(SAML1Protocol.PATH) && + !StringUtils.isEmpty(target)) ) { - // no target attribut is given in OA config - // target is used from request - // check parameter + //INFO: ONLY SAML1 legacy mode + // if SAML1 is used and target attribute is given in request + // use requested target + // check target parameter if (!ParamValidatorUtils.isValidTarget(target)) { Logger.error("Selected target is invalid. Using target: " + target); throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); -- cgit v1.2.3 From 720477bf5951aa4a307e1150e8a34d373f66e62b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 24 Nov 2014 09:29:51 +0100 Subject: fix problem with SLO and interfederation --- .../pvp2x/builder/SingleLogOutBuilder.java | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index 01139d95c..50f42d928 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -43,6 +43,7 @@ import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.StatusMessage; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.saml2.metadata.SSODescriptor; import org.opensaml.saml2.metadata.SingleLogoutService; @@ -348,17 +349,29 @@ public class SingleLogOutBuilder { public static SingleLogoutService getResponseSLODescriptor(PVPTargetConfiguration spRequest) throws NoMetadataInformationException, NOSLOServiceDescriptorException { MOARequest moaReq = (MOARequest) spRequest.getRequest(); EntityDescriptor metadata = moaReq.getEntityMetadata(); - SPSSODescriptor spsso = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + SSODescriptor ssodesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + + if (ssodesc == null) { + Logger.debug("No PVP SPSSO descriptor found --> search IDPSSO descriptor"); + ssodesc = metadata.getIDPSSODescriptor(SAMLConstants.SAML20P_NS); + + } + + if (ssodesc == null) { + Logger.error("Found no SLO ServiceDescriptor in Metadata"); + throw new NOSLOServiceDescriptorException("NO SLO ServiceDescriptor", null); + } + SingleLogoutService sloService = null; - for (SingleLogoutService el : spsso.getSingleLogoutServices()) { + for (SingleLogoutService el : ssodesc.getSingleLogoutServices()) { if (el.getBinding().equals(spRequest.getBinding())) sloService = el; } if (sloService == null) { - if (spsso.getSingleLogoutServices().size() != 0) - sloService = spsso.getSingleLogoutServices().get(0); + if (ssodesc.getSingleLogoutServices().size() != 0) + sloService = ssodesc.getSingleLogoutServices().get(0); else { Logger.error("Found no SLO ServiceDescriptor in Metadata"); -- cgit v1.2.3 From 539feb77b1244e691f1735403a5c040cf11ebd9f Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 24 Nov 2014 09:54:56 +0100 Subject: send SLO success statuscode if no active SSO session is found - no SSO session cookie - no SP information in session database for requested nameID --- .../egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java index b22941216..aa154b84b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java @@ -135,8 +135,10 @@ public class SingleLogOutAction implements IAction { if (MiscUtil.isEmpty(ssoID)) { Logger.warn("Can not find active Session. Single LogOut not possible!"); SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); - SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); + //LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); + LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, null); + Logger.info("Sending SLO success message to requester ..."); + SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); return null; } else { @@ -147,7 +149,9 @@ public class SingleLogOutAction implements IAction { } catch (MOADatabaseException e) { Logger.warn("Can not find active Session. Single LogOut not possible!"); SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); + //LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); + LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, null); + Logger.info("Sending SLO success message to requester ..."); SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); return null; -- cgit v1.2.3 From a904d1ef6313a7d510882ada132f7e90b39a0c64 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 24 Nov 2014 14:33:54 +0100 Subject: fix possible problems with PVP roles and role parameters --- .../moa/id/data/AuthenticationRoleFactory.java | 35 +++++++++++++--------- .../egovernment/moa/id/util/PVPtoSTORKMapper.java | 9 ++++-- 2 files changed, 27 insertions(+), 17 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java index 8915b2442..b3b29f6c5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java @@ -26,6 +26,7 @@ import java.util.Arrays; import java.util.List; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -51,23 +52,29 @@ public class AuthenticationRoleFactory { List param = Arrays.asList(params.split(",")); String test = new String(); for (String el : param) { - test = test.concat(el); - if (!test.endsWith("\\") || - (test.endsWith("\\\\") && !test.endsWith("\\\\\\")) ) { - String[] keyValue = test.split("="); - if (keyValue.length < 2) { - role.addParameter(keyValue[0].trim(), ""); - Logger.debug("Add authentication roleparameter with key=" + keyValue[0].trim()); + if (MiscUtil.isNotEmpty(el)) { + test = test.concat(el); + if (!test.endsWith("\\") || + (test.endsWith("\\\\") && !test.endsWith("\\\\\\")) ) { + String[] keyValue = test.split("="); + if (keyValue.length < 2) { + role.addParameter(keyValue[0].trim(), ""); + Logger.debug("Add authentication roleparameter with key=" + keyValue[0].trim()); - } else { - role.addParameter(keyValue[0].trim(), keyValue[1].trim()); - Logger.debug("Add authentication roleparameter with key=" + keyValue[0].trim() - + " value=" + keyValue[1].trim()); + } else { + role.addParameter(keyValue[0].trim(), keyValue[1].trim()); + Logger.debug("Add authentication roleparameter with key=" + keyValue[0].trim() + + " value=" + keyValue[1].trim()); - } + } - test = new String(); - } + test = new String(); + + } else { + test = test.substring(0, test.length()-1).concat(","); + + } + } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java index fe3b780fb..5ef9494f4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java @@ -113,13 +113,16 @@ public class PVPtoSTORKMapper { */ public String map(AuthenticationRole el) { if (mapping != null) { - String ecRole = mapping.getProperty(el.getRawRoleString()); + //String ecRole = mapping.getProperty(el.getRawRoleString()); + String ecRole = mapping.getProperty(el.getRoleName()); if (MiscUtil.isNotEmpty(ecRole)) { - Logger.info("Map PVPRole " + el.getRawRoleString() + " to ECRole " + ecRole); + //Logger.info("Map PVPRole " + el.getRawRoleString() + " to ECRole " + ecRole); + Logger.info("Map PVPRole " + el.getRoleName() + " to ECRole " + ecRole); return ecRole; } } - Logger.warn("NO mapping for PVPRole "+ el.getRawRoleString() + " !"); + //Logger.warn("NO mapping for PVPRole "+ el.getRawRoleString() + " !"); + Logger.warn("NO mapping for PVPRole "+ el.getRoleName() + " !"); return null; } } -- cgit v1.2.3 From f02943b7b4257bb9f16bd2e9f9d9dfb5a2f17944 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 24 Nov 2014 17:17:41 +0100 Subject: change interfederation with short SAML1 assertion: insert baseID if it is requested and available --- .../moa/id/protocols/saml1/SAML1AuthenticationServer.java | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 65e520cc3..c8a480cac 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -64,6 +64,7 @@ import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; import at.gv.util.xsd.persondata.IdentificationType; import at.gv.util.xsd.persondata.IdentificationType.Value; @@ -222,8 +223,14 @@ public class SAML1AuthenticationServer extends AuthenticationServer { Value value = new Value(); id.setValue(value ); - id.setType(Constants.URN_PREFIX_BASEID); - value.setValue(""); + id.setType(authData.getIdentificationType()); + //add baseID if it is requested and available + if ( MiscUtil.isNotEmpty(authData.getIdentificationValue()) && + saml1parameter.isProvideIdentityLink() ) + value.setValue(authData.getIdentificationValue()); + else + value.setValue(""); + familyName.setValue(authData.getFamilyName()); familyName.setPrimary("undefined"); name.getGivenName().add(authData.getGivenName()); -- cgit v1.2.3 From 9ebec8cfa0e56467314bbd983d87640411b12ce3 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 24 Nov 2014 17:19:27 +0100 Subject: rebuild SAML1 target parameter functionality for legacy applications --- .../id/auth/builder/AuthenticationDataBuilder.java | 27 ++++++++++++++-------- .../servlet/GenerateIFrameTemplateServlet.java | 17 ++++++++++---- .../moa/id/protocols/saml1/GetArtifactAction.java | 4 ++-- .../moa/id/protocols/saml1/SAML1Protocol.java | 11 ++++++--- 4 files changed, 39 insertions(+), 20 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 731925c1b..5fb4d6be8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -215,7 +215,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } else { //build AuthenticationData from MOASession - buildAuthDataFormMOASession(authdata, session, oaParam); + buildAuthDataFormMOASession(authdata, session, oaParam, protocolRequest); } @@ -323,7 +323,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } //parse response information to authData - buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam); + buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam, req); } catch (SOAPException e) { throw new BuildException("builder.06", null, e); @@ -350,7 +350,8 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { AuthenticationData authData, AuthenticationSession session, AssertionAttributeExtractor extractor, - IOAAuthParameters oaParam) + IOAAuthParameters oaParam, + IRequest req) throws BuildException, AssertionAttributeExtractorExeption { Logger.debug("Build AuthData from assertion starts ...."); @@ -536,7 +537,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } //build OA specific bPK/wbPK information - buildOAspecificbPK(oaParam, authData, + buildOAspecificbPK(req, oaParam, authData, authData.getIdentificationValue(), authData.getIdentificationType()); @@ -544,7 +545,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { if (MiscUtil.isEmpty(authData.getBPK())) { Logger.debug("Calcutlate bPK from baseID"); - buildOAspecificbPK(oaParam, authData, + buildOAspecificbPK(req, oaParam, authData, authData.getIdentificationValue(), authData.getIdentificationType()); @@ -845,7 +846,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } private static void buildAuthDataFormMOASession(AuthenticationData authData, AuthenticationSession session, - IOAAuthParameters oaParam) throws BuildException, ConfigurationException { + IOAAuthParameters oaParam, IRequest protocolRequest) throws BuildException, ConfigurationException { IdentityLink identityLink = session.getIdentityLink(); @@ -959,7 +960,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { Logger.trace("Authenticated User is OW: " + mandate.getOWbPK()); } else { - buildOAspecificbPK(oaParam, authData, + buildOAspecificbPK(protocolRequest, oaParam, authData, identityLink.getIdentificationValue(), identityLink.getIdentificationType()); @@ -1003,7 +1004,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } - private static void buildOAspecificbPK(IOAAuthParameters oaParam, AuthenticationData authData, String baseID, String baseIDType) throws BuildException { + private static void buildOAspecificbPK(IRequest protocolRequest, IOAAuthParameters oaParam, AuthenticationData authData, String baseID, String baseIDType) throws BuildException { if (oaParam.getBusinessService()) { //since we have foreigner, wbPK is not calculated in BKU @@ -1024,9 +1025,15 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { if (baseIDType.equals(Constants.URN_PREFIX_BASEID)) { // only compute bPK if online application is a public service and we have the Stammzahl - String bpkBase64 = new BPKBuilder().buildBPK(baseID, oaParam.getTarget()); + String target = null; + if (protocolRequest instanceof SAML1RequestImpl) + target = protocolRequest.getTarget(); + else + target = oaParam.getTarget(); + + String bpkBase64 = new BPKBuilder().buildBPK(baseID, target); authData.setBPK(bpkBase64); - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + target); } Logger.trace("Authenticate user with bPK " + authData.getBPK()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java index 2ef8ab5ec..99a7dce89 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java @@ -45,6 +45,9 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.moduls.RequestStorage; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.logging.Logger; @@ -116,11 +119,15 @@ public class GenerateIFrameTemplateServlet extends AuthServlet { else { - //load Parameters from config - String target = oaParam.getTarget(); - - - + //get Target from config or from request in case of SAML 1 + String target = null; + IRequest pendingReq = RequestStorage.getPendingRequest(pendingRequestID); + if (MiscUtil.isNotEmpty(pendingReq.getTarget()) && + pendingReq.requestedModule().equals(SAML1Protocol.PATH)) + target = pendingReq.getTarget(); + else + target = oaParam.getTarget(); + String bkuURL = oaParam.getBKUURL(bkuid); if (MiscUtil.isEmpty(bkuURL)) { Logger.info("No OA specific BKU defined. Use BKU from default configuration"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index 67f780b3a..4cdd1db01 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -83,7 +83,7 @@ public class GetArtifactAction implements IAction { String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet"; url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8")); if (!oaParam.getBusinessService()) - url = addURLParameter(url, PARAM_TARGET, URLEncoder.encode(oaParam.getTarget(), "UTF-8")); + url = addURLParameter(url, PARAM_TARGET, URLEncoder.encode(req.getTarget(), "UTF-8")); url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); url = httpResp.encodeRedirectURL(url); @@ -95,7 +95,7 @@ public class GetArtifactAction implements IAction { String redirectURL = oaURL; if (!oaParam.getBusinessService()) { redirectURL = addURLParameter(redirectURL, PARAM_TARGET, - URLEncoder.encode(oaParam.getTarget(), "UTF-8")); + URLEncoder.encode(req.getTarget(), "UTF-8")); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 8f7f17e2e..9934c339d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -132,7 +132,7 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { if (!ParamValidatorUtils.isValidOA(oaURL)) throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); - + config.setOAURL(oaURL); Logger.info("Dispatch SAML1 Request: OAURL=" + oaURL); @@ -156,8 +156,13 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { new Object[] { null }); } - config.setSourceID(sourceID); - config.setTarget(oaParam.getTarget()); + config.setSourceID(sourceID); + if (MiscUtil.isNotEmpty(target)) + config.setTarget(target); + + else + config.setTarget(oaParam.getTarget()); + return config; } -- cgit v1.2.3 From d222f975e7ad212264dab7cb7a0c39ec40478222 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 4 Dec 2014 09:57:17 +0100 Subject: STORK<->PVP AttributeProvider : fix problem with more then one attribute in configuration --- .../protocols/stork2/attributeproviders/PVPAuthenticationProvider.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java index a026bac81..7f06c604b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java @@ -80,7 +80,7 @@ public class PVPAuthenticationProvider extends AttributeProvider { this.moastorkRequest = moastorkRequest; // break if we cannot handle the requested attribute - if (!attributes.contains(attribute.getName())) { + if (!getSupportedAttributeNames().contains(attribute.getName())) { Logger.info("Attribute " + attribute.getName() + " not supported by the provider: " + getAttrProviderName()); throw new UnsupportedAttributeException(); -- cgit v1.2.3