From f51f447ed199dc1c3f5dc750d169462d42b2b6ad Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Fri, 17 Jan 2014 11:50:42 +0100
Subject: load IAIK JCE as security provider

BugFix:
@MandateReferenceValue has to be added
@SessionStorage: Hibernate rollback in case no MOASession is found
---
 .../egovernment/moa/id/auth/MOAIDAuthInitializer.java | 13 ++++++++++++-
 .../egovernment/moa/id/auth/servlet/AuthServlet.java  | 11 +++++++++++
 .../moa/id/entrypoints/DispatcherServlet.java         |  6 +++++-
 .../MandateReferenceValueAttributeBuilder.java        | 19 ++++++++++---------
 .../moa/id/storage/AuthenticationSessionStoreage.java |  1 +
 5 files changed, 39 insertions(+), 11 deletions(-)


diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
index 556d26c67..dbfbdad51 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
@@ -24,11 +24,15 @@
 
 package at.gv.egovernment.moa.id.auth;
 
+import iaik.cms.ecc.IaikEccProvider;
 import iaik.pki.PKIException;
 import iaik.pki.jsse.IAIKX509TrustManager;
+import iaik.security.ecc.provider.ECCProvider;
+import iaik.security.provider.IAIK;
 
 import java.io.IOException;
 import java.security.GeneralSecurityException;
+import java.security.Security;
 import java.util.Properties;
 
 import javax.activation.CommandMap;
@@ -74,6 +78,14 @@ public class MOAIDAuthInitializer {
         Logger.info("Default java file.encoding: "
                 + System.getProperty("file.encoding"));
 
+        
+		Logger.info("Loading security providers.");
+		IAIK.addAsProvider();
+		
+		
+//		Security.insertProviderAt(new IAIK(), 1);
+//		Security.insertProviderAt(new ECCProvider(), 1);
+        
         //JDK bug workaround according to:
         // http://jce.iaik.tugraz.at/products/03_cms/faq/index.php#JarVerifier
         // register content data handlers for S/MIME types
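Review bot: The provider registration leaves two commented-out `Security.insertProviderAt` lines next to `IAIK.addAsProvider()`, so it is unclear whether the IAIK provider is meant to be appended (which `addAsProvider()` appears to do) or inserted ahead of the JDK providers at position 1; the position decides which provider serves each algorithm, so state the intent in a comment, e.g. `// IAIK is appended to the provider list; JDK providers keep precedence for algorithms they implement`, and delete the dead lines. The `IaikEccProvider`, `ECCProvider` and `Security` imports added in the previous hunk are referenced only by that commented-out code and should go with it. The new lines also mix tab and space indentation inside a four-space block. The enclosing method starts and ends outside this hunk.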
@@ -180,5 +192,4 @@ public class MOAIDAuthInitializer {
         AuthConfigLoader.start();
     }
     
-
 }
\ No newline at end of file
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
index 27ac16157..1b7b317c1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
@@ -23,9 +23,13 @@
 
 package at.gv.egovernment.moa.id.auth.servlet;
 
+import iaik.security.ecc.provider.ECCProvider;
+import iaik.security.provider.IAIK;
+
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.Security;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.List;
@@ -34,6 +38,7 @@ import java.util.Map;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletContext;
+import javax.servlet.ServletContextEvent;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -351,6 +356,12 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants {
 		super.init(servletConfig);
 	}
 
+	
+//	public void contextDestroyed(ServletContextEvent arg0) {
+//		Security.removeProvider((new IAIK()).getName());
+//		Security.removeProvider((new ECCProvider()).getName());
+//	}
+	
 	/**
 	 * Set response headers to avoid caching
 	 * 
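Review bot: The commented-out `contextDestroyed(ServletContextEvent)` block is dead even if uncommented: `AuthServlet` extends `HttpServlet`, which has no such callback (it belongs to `ServletContextListener`), so the container would never invoke it. If removing the providers on undeploy is wanted, it belongs in a `ServletContextListener` registered for the web application or in the servlet's `destroy()`; otherwise delete the block together with the `ECCProvider`, `IAIK`, `Security` and `ServletContextEvent` imports added in the two preceding hunks of this file. The enclosing class continues outside the hunk.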
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 225ecb2a2..777081da0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -2,7 +2,11 @@ package at.gv.egovernment.moa.id.entrypoints;
 
 
 
+import iaik.security.ecc.provider.ECCProvider;
+import iaik.security.provider.IAIK;
+
 import java.io.IOException;
+import java.security.Security;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
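Review bot: The `ECCProvider`, `IAIK` and `Security` imports added here have no use anywhere in this diff, and the only other change to the file is a whitespace line. They look like leftovers from the provider experiments in the other files of this commit and should be dropped.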
@@ -478,7 +482,7 @@ public class DispatcherServlet extends AuthServlet{
 	    }
 
 	}
-
+	
 	@Override
 	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
 			throws ServletException, IOException {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java
index 5a50473d3..46c6ffb78 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java
@@ -20,17 +20,18 @@ public class MandateReferenceValueAttributeBuilder extends BaseAttributeBuilder
 	public Attribute build(AuthenticationSession authSession, 
 			OAAuthParameter oaParam, AuthenticationData authData) throws PVP2Exception {
 		if(authSession.getUseMandate()) {
-			Element mandate = authSession.getMandate();
-			if(mandate == null) {
-				throw new NoMandateDataAvailableException();
-			}
-			Mandate mandateObject = MandateBuilder.buildMandate(mandate);
-			if(mandateObject == null) {
-				throw new NoMandateDataAvailableException();
-			}
+			
+//			Element mandate = authSession.getMandate();
+//			if(mandate == null) {
+//				throw new NoMandateDataAvailableException();
+//			}
+//			Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+//			if(mandateObject == null) {
+//				throw new NoMandateDataAvailableException();
+//			}
 			
 			return buildStringAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, 
-					MANDATE_REFERENCE_VALUE_NAME, mandateObject.getMandateID());
+					MANDATE_REFERENCE_VALUE_NAME, authSession.getMandateReferenceValue());
 		}
 		return null;
 		
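Review bot: The new code passes `authSession.getMandateReferenceValue()` straight into `buildStringAttribute` without the null guard the removed code had, so a session with `getUseMandate()` set but no reference value no longer fails with `NoMandateDataAvailableException`; what happens instead depends on `buildStringAttribute`, which is not visible here. Suggested: `String refValue = authSession.getMandateReferenceValue();` and `if (refValue == null) { throw new NoMandateDataAvailableException(); }` before the return. The nine commented-out lines should be deleted rather than kept; version control holds the old implementation. The method's closing brace is outside the hunk.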
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index e40d11128..840c3f2be 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -209,6 +209,7 @@ public class AuthenticationSessionStoreage {
 				  //Assertion requires an unique artifact
 				  if (result.size() != 1) {
 					 Logger.trace("No entries found.");
+					 tx.rollback();
 				   	throw new MOADatabaseException("No session found with this sessionID");
 				  }
 				  
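Review bot: `tx.rollback()` is now called on the not-found path only; if the surrounding method has other failure paths (an exception thrown by the query itself, for instance) they presumably still leave the transaction open, since nothing in this hunk closes it. A `catch` that rolls back and rethrows, or a `finally` that rolls back while `tx` is still active, covers every path at once instead of one. The enclosing method starts and ends outside this hunk.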
-- 
cgit v1.2.3


From 51c45b375485399d36e33f1ab4cf76e9273222e3 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 21 Jan 2014 13:00:34 +0100
Subject: implement SAML2 assertion encryption

---
 .../id/protocols/pvp2x/binding/PostBinding.java    |  2 +-
 .../builder/assertion/PVP2AssertionBuilder.java    |  2 +-
 .../InvalidAssertionEncryptionException.java       | 14 ++++
 .../pvp2x/requestHandler/AuthnRequestHandler.java  | 94 +++++++++++++++++++++-
 4 files changed, 107 insertions(+), 5 deletions(-)
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java


diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 232ad315f..2fe52d032 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -67,7 +67,7 @@ public class PostBinding implements IDecoder, IEncoder {
 					.buildObject();
 			service.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
 			service.setLocation(targetLocation);
-			context.setOutboundSAMLMessageSigningCredential(credentials);
+			context.setOutboundSAMLMessageSigningCredential(credentials);			
 			context.setPeerEntityEndpoint(service);
 			// context.setOutboundMessage(authReq);
 			context.setOutboundSAMLMessage(response);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index f21567245..eaa570ab1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -144,7 +144,7 @@ public class PVP2AssertionBuilder implements PVPConstants {
 
 		SPSSODescriptor spSSODescriptor = peerEntity
 				.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
-
+		
 		Integer aIdx = authnRequest.getAttributeConsumingServiceIndex();
 		int idx = 0;
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java
new file mode 100644
index 000000000..142227a59
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java
@@ -0,0 +1,14 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions;
+
+import org.opensaml.saml2.core.StatusCode;
+
+public class InvalidAssertionEncryptionException extends PVP2Exception {
+
+	private static final long serialVersionUID = 6513388841485355549L;
+
+	public InvalidAssertionEncryptionException() {
+		super("pvp2.16", new Object[]{});
+		this.statusCodeValue = StatusCode.REQUESTER_URI;
+	}
+
+}
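Review bot: The class has no Javadoc, and `this.statusCodeValue = StatusCode.REQUESTER_URI` is set for both situations in which `AuthnRequestHandler` throws it: a missing encryption key in the SP metadata, which is a requester problem, and a local `EncryptionException`, which is a responder-side failure where `StatusCode.RESPONDER_URI` would be the accurate SAML status. Add a class comment such as `/** Thrown when a SAML2 assertion cannot be encrypted for the requesting SP: no encryption key in its metadata, or the encryption itself failed (message key "pvp2.16"). */` and consider letting the constructor take the status code so each call site reports the right party.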
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index fec21df9e..c3884f9d8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -1,22 +1,45 @@
 package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler;
 
+import java.util.ArrayList;
 import java.util.Date;
+import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.joda.time.DateTime;
+import org.opensaml.Configuration;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.core.Assertion;
 import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.EncryptedAssertion;
 import org.opensaml.saml2.core.Issuer;
 import org.opensaml.saml2.core.NameID;
 import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.impl.EncryptedAssertionBuilder;
+import org.opensaml.saml2.encryption.Encrypter;
+import org.opensaml.saml2.encryption.Encrypter.KeyPlacement;
 import org.opensaml.saml2.metadata.AssertionConsumerService;
 import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.KeyDescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.security.MetadataCredentialResolver;
+import org.opensaml.security.MetadataCriteria;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.xml.encryption.EncryptionConstants;
+import org.opensaml.xml.encryption.EncryptionException;
+import org.opensaml.xml.encryption.EncryptionParameters;
+import org.opensaml.xml.encryption.KeyEncryptionParameters;
+import org.opensaml.xml.security.CriteriaSet;
 import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.criteria.EntityIDCriteria;
+import org.opensaml.xml.security.criteria.UsageCriteria;
+import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
+import org.opensaml.xml.security.x509.BasicX509Credential;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.signature.KeyInfo;
 
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
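Review bot: Several of the imports added here are unused in the new code: `EncryptedAssertionBuilder`, `KeyDescriptor`, `BasicX509Credential` and `KeyInfo` are not referenced anywhere in the diff, and `Credential` is imported while the code casts to `X509Credential` instead. Trim the list to what the encryption block actually uses.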
@@ -30,6 +53,8 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionB
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
 
@@ -49,10 +74,9 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 		EntityDescriptor peerEntity = obj.getEntityMetadata();
 		
 		Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity);
-
+		
 		Response authResponse = SAML2Utils.createSAMLObject(Response.class);
 
-
 		Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
 		
 		//TODO: check!
@@ -67,7 +91,6 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 		//SAML2 response required IssueInstant
 		authResponse.setIssueInstant(new DateTime());
 		
-		authResponse.getAssertions().add(assertion);
 		authResponse.setStatus(SAML2Utils.getSuccessStatus());
 
 		Integer aIdx = authnRequest.getAssertionConsumerServiceIndex();
@@ -84,10 +107,75 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 				.getAssertionConsumerServices().get(idx);
 
 		if (consumerService == null) {
+			//TODO: maybe use default ConsumerService
+			
 			throw new InvalidAssertionConsumerServiceException(idx);
+			
 		}
 		String oaURL = consumerService.getLocation();
 
+		//check, if metadata includes an encryption key				
+		MetadataCredentialResolver mdCredResolver = 
+				new MetadataCredentialResolver(MOAMetadataProvider.getInstance());
+	
+		CriteriaSet criteriaSet = new CriteriaSet();
+		criteriaSet.add( new EntityIDCriteria(obj.getSamlRequest().getIssuer().getValue()) );
+		criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) );
+		criteriaSet.add( new UsageCriteria(UsageType.ENCRYPTION) );
+	
+		X509Credential encryptionCredentials = null;
+		try {
+			encryptionCredentials = (X509Credential) mdCredResolver.resolveSingle(criteriaSet);
+				
+		} catch (SecurityException e2) {
+			Logger.warn("Can not extract the Assertion Encryption-Key from metadata", e2);
+			throw new InvalidAssertionEncryptionException();
+			
+		}
+	
+		if (encryptionCredentials != null) {
+			//encrypt SAML2 assertion
+				
+			try {
+				
+				EncryptionParameters dataEncParams = new EncryptionParameters();
+				dataEncParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);
+			
+				List<KeyEncryptionParameters> keyEncParamList = new ArrayList<KeyEncryptionParameters>();
+				KeyEncryptionParameters  keyEncParam = new KeyEncryptionParameters();
+			
+				keyEncParam.setEncryptionCredential(encryptionCredentials);
+				keyEncParam.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
+				KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration()
+						.getKeyInfoGeneratorManager().getDefaultManager()
+						.getFactory(encryptionCredentials);
+				keyEncParam.setKeyInfoGenerator(kigf.newInstance());
+				keyEncParamList.add(keyEncParam);
+			
+				Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); 
+				//samlEncrypter.setKeyPlacement(KeyPlacement.INLINE);
+				samlEncrypter.setKeyPlacement(KeyPlacement.PEER);
+				
+				EncryptedAssertion encryptAssertion = null;
+				
+				encryptAssertion = samlEncrypter.encrypt(assertion);
+
+				authResponse.getEncryptedAssertions().add(encryptAssertion);
+				
+				} catch (EncryptionException e1) {
+					Logger.warn("Can not encrypt the PVP2 assertion", e1);
+					throw new InvalidAssertionEncryptionException();
+					
+				} 
+
+			} else {
+				authResponse.getAssertions().add(assertion);
+				
+			}
+			
+
+
+		
 		IEncoder binding = null;
 
 		if (consumerService.getBinding().equals(
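Review bot: `(X509Credential) mdCredResolver.resolveSingle(criteriaSet)` casts whatever the metadata resolver returns; a `KeyDescriptor` carrying a `KeyValue` instead of `X509Data` can resolve to a non-X509 credential, and the cast then escapes as an uncaught `ClassCastException`. `KeyEncryptionParameters.setEncryptionCredential` and `getFactory` both accept the `Credential` interface, so `Credential encryptionCredentials = mdCredResolver.resolveSingle(criteriaSet);` works without the cast. The entity ID for the criteria is read from `obj.getSamlRequest().getIssuer().getValue()` although the peer's metadata is already in hand as `peerEntity`; `peerEntity.getEntityID()` ties the key lookup to the same entity and avoids a NullPointerException when the request carries no Issuer. The `} catch (EncryptionException e1)` and `} else {` lines are indented one level too deep, so the try/else structure reads as if it closed the surrounding `if`; re-indent them and remove the run of blank lines before `IEncoder binding = null;`. The plaintext fallback in the else branch deserves a line such as `Logger.info("No encryption key in SP metadata, assertion is sent unencrypted");` so the choice is visible in the audit log.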
-- 
cgit v1.2.3


From dd4a77caa66368ca257fcf5a1f87d0dab90477f5 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 21 Jan 2014 18:00:41 +0100
Subject: BUGFIX: RedirectBinding validate signatures which exists, but
 signature is not required

changes for WKO:
Allow Metadata with no AttributeConsumerService
Allow AuthnRequest with no RequestedAuthnContext
Allow AuthnRequest with no AssertionConsumerServiceIndex
Use Metadata->AssertionConsumerService->isDefault flag
---
 .../moa/id/protocols/pvp2x/PVP2XProtocol.java      |  25 +++--
 .../protocols/pvp2x/binding/RedirectBinding.java   |  10 +-
 .../builder/assertion/PVP2AssertionBuilder.java    | 122 +++++++++++----------
 .../pvp2x/requestHandler/AuthnRequestHandler.java  |  26 ++++-
 .../moa/id/protocols/pvp2x/utils/SAML2Utils.java   |  16 +++
 .../pvp2x/verification/SAMLVerificationEngine.java |   1 +
 6 files changed, 130 insertions(+), 70 deletions(-)


diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index bef58ab59..dc2330f40 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -124,7 +124,6 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 			RequestAbstractType samlReq =  moaRequest.getSamlRequest();
 
 			//String xml = PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(samlReq));
-			
 			//Logger.info("SAML : " + xml);
 			
 			if(!moaRequest.isVerified()) {
@@ -137,6 +136,12 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 				throw new MOAIDException("Unsupported request", new Object[] {});
 			}
 			
+			EntityDescriptor metadata = moaRequest.getEntityMetadata();
+			if(metadata == null) {
+				throw new NoMetadataInformationException();
+			}
+			SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+			
 			AuthnRequest authnRequest = (AuthnRequest)samlReq;
 			
 			Integer aIdx = authnRequest.getAssertionConsumerServiceIndex();
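Review bot: `metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS)` returns null when the entity's metadata has no SP role for that protocol, and the next hunk dereferences it in `SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor)` and later in `getAssertionConsumerServices()`, so such metadata now fails with a NullPointerException instead of a protocol error. Add `if (spSSODescriptor == null) { throw new NoMetadataInformationException(); }` directly after the lookup. The same unchecked lookup is moved earlier in `AuthnRequestHandler` (the `@@ -93,15 +97,18 @@` hunk) and wants the same guard. The enclosing method starts and ends outside this hunk.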
@@ -144,6 +149,9 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 			
 			if(aIdx != null) {
 				assertionidx = aIdx.intValue();
+				
+			} else {				
+				assertionidx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor);
 			}
 			
 			aIdx = authnRequest.getAttributeConsumingServiceIndex();
@@ -153,13 +161,14 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 				attributeIdx = aIdx.intValue();
 			}
 			
-			EntityDescriptor metadata = moaRequest.getEntityMetadata();
-			if(metadata == null) {
-				throw new NoMetadataInformationException();
-			}
-			SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
 			AssertionConsumerService consumerService  = spSSODescriptor.getAssertionConsumerServices().get(assertionidx);
-			AttributeConsumingService attributeConsumer  = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx);
+			
+			AttributeConsumingService attributeConsumer = null;
+			
+			if (spSSODescriptor.getAttributeConsumingServices() != null  && 
+					spSSODescriptor.getAttributeConsumingServices().size() > 0) {
+				attributeConsumer  = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx);
+			} 
 			
 			String oaURL = moaRequest.getEntityMetadata().getEntityID();
 			String binding = consumerService.getBinding();
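Review bot: `getAttributeConsumingServices().get(attributeIdx)` and `getAssertionConsumerServices().get(assertionidx)` treat the request-supplied index as a list position, but in SAML metadata `index` is an attribute of each service element, not its place in the list, so metadata whose services are numbered from 1 or listed out of order selects the wrong service; the new non-empty guard does not change that. A value beyond the list size also escapes as an `IndexOutOfBoundsException` rather than as `InvalidAssertionConsumerServiceException`. Look the service up by `getIndex()` instead, e.g. `for (AttributeConsumingService s : spSSODescriptor.getAttributeConsumingServices()) { if (s.getIndex() == attributeIdx) { attributeConsumer = s; } }`, and reject a miss. The same positional lookups appear in `PVP2AssertionBuilder` (`@@ -197,32 +197,38 @@`) and `AuthnRequestHandler` (`@@ -93,15 +97,18 @@`); whether `getDefaultAssertionConsumerServiceIndex` returns an index value or a position is not visible here.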
@@ -176,7 +185,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 						
 			String useMandate = request.getParameter(PARAM_USEMANDATE);
 			if(useMandate != null) {
-				if(useMandate.equals("true")) {
+				if(useMandate.equals("true") && attributeConsumer != null) {
 					if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) {
 						throw new MandateAttributesNotHandleAbleException();
 					}
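Review bot: With `&& attributeConsumer != null` the mandate-capability check in `CheckMandateAttributes.canHandleMandate` is skipped entirely when the SP metadata has no AttributeConsumingService, so such an SP can request mandate use without ever being checked. If that is intended, say so, e.g. `// no AttributeConsumingService: the SP requests no attributes, so no mandate attributes need checking`; otherwise throw `MandateAttributesNotHandleAbleException` in that case too. The enclosing method continues outside the hunk.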
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 418c4a60c..9b43fb999 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -3,11 +3,13 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.jcp.xml.dsig.internal.dom.DOMURIDereferencer;
 import org.opensaml.common.SAMLObject;
 import org.opensaml.common.binding.BasicSAMLMessageContext;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
 import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
+import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
 import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
 import org.opensaml.saml2.core.RequestAbstractType;
 import org.opensaml.saml2.core.Response;
@@ -31,6 +33,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
+import at.gv.egovernment.moa.util.DOMUtils;
 
 public class RedirectBinding implements IDecoder, IEncoder {
 
@@ -84,13 +87,18 @@ public class RedirectBinding implements IDecoder, IEncoder {
 		SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(
 				TrustEngineFactory.getSignatureKnownKeysTrustEngine());
 
+		SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();
+		
+		
 		BasicSecurityPolicy policy = new BasicSecurityPolicy();
 		policy.getPolicyRules().add(signatureRule);
+		policy.getPolicyRules().add(signedRole);
+		
 		SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver(
 				policy);
 		messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
 		messageContext.setSecurityPolicyResolver(resolver);
-
+		
 		decode.decode(messageContext);
 
 		signatureRule.evaluate(messageContext);
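Review bot: `signedRole` is a misspelling of `signedRule`, and the two rules are added without a word on how they divide the work; a comment such as `// signatureRule verifies a signature when one is present; signedRule rejects an unsigned request if the SP metadata sets AuthnRequestsSigned="true"` makes the fix described in the subject readable at the call site. The `DOMURIDereferencer` import added in the first hunk of this file names a JDK-internal package (`org.jcp.xml.dsig.internal.dom`) and, like the `DOMUtils` import, has no use visible in this diff; both should go. The enclosing method starts and ends outside this hunk.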
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index eaa570ab1..d1d79373c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -64,46 +64,48 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		RequestedAuthnContext reqAuthnContext = authnRequest
 				.getRequestedAuthnContext();
 
-		if (reqAuthnContext == null) {
-			throw new NoAuthContextException();
-		}
-
-		boolean stork_qaa_1_4_found = false;
-
 		AuthnContextClassRef authnContextClassRef = SAML2Utils
 				.createSAMLObject(AuthnContextClassRef.class);
-
-		 List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
-				.getAuthnContextClassRefs();
 		
-		 if (reqAuthnContextClassRefIt.size() == 0) {
-			 stork_qaa_1_4_found = true;
+		if (reqAuthnContext == null) {
 			 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
-			 
-		 } else {
-			 for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
-				 String qaa_uri = authnClassRef.getAuthnContextClassRef();
-				 if (qaa_uri.trim().equals(STORK_QAA_1_4)
-						 || qaa_uri.trim().equals(STORK_QAA_1_3)
-						 || qaa_uri.trim().equals(STORK_QAA_1_2)
-						 || qaa_uri.trim().equals(STORK_QAA_1_1)) {
-					
-					 if (authSession.isForeigner()) {
-						 //TODO: insert QAA check
-					
-						 stork_qaa_1_4_found = false;
-					
-					 } else {
-						 stork_qaa_1_4_found = true;
-						 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+			
+		} else {
+
+			boolean stork_qaa_1_4_found = false;
+		
+			 List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
+					.getAuthnContextClassRefs();
+			
+			 if (reqAuthnContextClassRefIt.size() == 0) {
+				 stork_qaa_1_4_found = true;
+				 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+				 
+			 } else {
+				 for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
+					 String qaa_uri = authnClassRef.getAuthnContextClassRef();
+					 if (qaa_uri.trim().equals(STORK_QAA_1_4)
+							 || qaa_uri.trim().equals(STORK_QAA_1_3)
+							 || qaa_uri.trim().equals(STORK_QAA_1_2)
+							 || qaa_uri.trim().equals(STORK_QAA_1_1)) {
+						
+						 if (authSession.isForeigner()) {
+							 //TODO: insert QAA check
+						
+							 stork_qaa_1_4_found = false;
+						
+						 } else {
+							 stork_qaa_1_4_found = true;
+							 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+						 }
+						 break;
 					 }
-					 break;
 				 }
 			 }
-		 }
-
-		if (!stork_qaa_1_4_found) {
-			throw new QAANotSupportedException(STORK_QAA_1_4);
+	
+			if (!stork_qaa_1_4_found) {
+				throw new QAANotSupportedException(STORK_QAA_1_4);
+			}
 		}
 
 //		reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs()
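Review bot: The new `reqAuthnContext == null` branch asserts `STORK_QAA_1_4` without consulting `authSession.isForeigner()`, while a request that names that class explicitly is refused for foreigners with `QAANotSupportedException`; an SP can therefore obtain the same assurance-level claim for a foreign user simply by omitting `RequestedAuthnContext`. The pre-existing empty-list branch already behaves this way, so this may be deliberate, but it should then be stated, e.g. `// no RequestedAuthnContext: default to STORK QAA 1.4 regardless of isForeigner() — TODO confirm`; otherwise route the null case through the same foreigner check. The enclosing method starts and ends outside this hunk.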
@@ -150,10 +152,8 @@ public class PVP2AssertionBuilder implements PVPConstants {
 
 		if (aIdx != null) {
 			idx = aIdx.intValue();
-		}
-
-		AttributeConsumingService attributeConsumingService = spSSODescriptor
-				.getAttributeConsumingServices().get(idx);
+			
+		} 
 
 		AttributeStatement attributeStatement = SAML2Utils
 				.createSAMLObject(AttributeStatement.class);
@@ -197,32 +197,38 @@ public class PVP2AssertionBuilder implements PVPConstants {
 				.buildAuthenticationData(authSession, oaParam,
 						oaParam.getTarget());
 
-		Iterator<RequestedAttribute> it = attributeConsumingService
-				.getRequestAttributes().iterator();
-		while (it.hasNext()) {
-			RequestedAttribute reqAttribut = it.next();
-			try {
-				Attribute attr = PVPAttributeBuilder.buildAttribute(
-						reqAttribut.getName(), authSession, oaParam, authData);
-				if (attr == null) {
+		if (spSSODescriptor.getAttributeConsumingServices() != null && 
+				spSSODescriptor.getAttributeConsumingServices().size() > 0) {
+		
+			AttributeConsumingService attributeConsumingService = spSSODescriptor
+					.getAttributeConsumingServices().get(idx);
+			
+			Iterator<RequestedAttribute> it = attributeConsumingService
+					.getRequestAttributes().iterator();
+			while (it.hasNext()) {
+				RequestedAttribute reqAttribut = it.next();
+				try {
+					Attribute attr = PVPAttributeBuilder.buildAttribute(
+							reqAttribut.getName(), authSession, oaParam, authData);
+					if (attr == null) {
+						if (reqAttribut.isRequired()) {
+							throw new UnprovideableAttributeException(
+									reqAttribut.getName());
+						}
+					} else {
+						attributeStatement.getAttributes().add(attr);
+					}
+				} catch (PVP2Exception e) {
+					Logger.error(
+							"Attribute generation failed! for "
+									+ reqAttribut.getFriendlyName(), e);
 					if (reqAttribut.isRequired()) {
 						throw new UnprovideableAttributeException(
 								reqAttribut.getName());
 					}
-				} else {
-					attributeStatement.getAttributes().add(attr);
-				}
-			} catch (PVP2Exception e) {
-				Logger.error(
-						"Attribute generation failed! for "
-								+ reqAttribut.getFriendlyName(), e);
-				if (reqAttribut.isRequired()) {
-					throw new UnprovideableAttributeException(
-							reqAttribut.getName());
 				}
 			}
 		}
-
 		if (attributeStatement.getAttributes().size() > 0) {
 			assertion.getAttributeStatements().add(attributeStatement);
 		}
@@ -294,7 +300,7 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		SubjectConfirmationData subjectConfirmationData = SAML2Utils
 				.createSAMLObject(SubjectConfirmationData.class);
 		subjectConfirmationData.setInResponseTo(authnRequest.getID());
-		subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(20));
+		subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(5));
 		
 		//TL: change from entityID to destination URL 
 		AssertionConsumerService consumerService = spSSODescriptor
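Review bot: The `5` minute window now appears as a literal both in `setNotOnOrAfter` here and in `conditions.setNotOnOrAfter` in the next hunk; keep it in one place, e.g. `private static final int ASSERTION_VALIDITY_MINUTES = 5;` used by both calls, so a later change cannot tighten one and leave the other. A short comment on why five minutes was chosen (tolerated clock skew against the SP, replay window) would help the next reader. The enclosing method starts and ends outside the hunk.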
@@ -319,7 +325,7 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		audienceRestriction.getAudiences().add(audience);
 		conditions.setNotBefore(new DateTime());
 		
-		conditions.setNotOnOrAfter(new DateTime().plusMinutes(20));
+		conditions.setNotOnOrAfter(new DateTime().plusMinutes(5));
 //		conditions.setNotOnOrAfter(new DateTime());
 		
 		conditions.getAudienceRestrictions().add(audienceRestriction);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index c3884f9d8..4128a406b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -1,11 +1,13 @@
 package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler;
 
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.TransformerException;
 
 import org.joda.time.DateTime;
 import org.opensaml.Configuration;
@@ -30,6 +32,7 @@ import org.opensaml.xml.encryption.EncryptionConstants;
 import org.opensaml.xml.encryption.EncryptionException;
 import org.opensaml.xml.encryption.EncryptionParameters;
 import org.opensaml.xml.encryption.KeyEncryptionParameters;
+import org.opensaml.xml.io.MarshallingException;
 import org.opensaml.xml.security.CriteriaSet;
 import org.opensaml.xml.security.SecurityException;
 import org.opensaml.xml.security.credential.Credential;
@@ -55,6 +58,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedEx
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.PrettyPrinter;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
 
@@ -93,15 +97,18 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 		
 		authResponse.setStatus(SAML2Utils.getSuccessStatus());
 
+		SPSSODescriptor spSSODescriptor = peerEntity
+				.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+		
 		Integer aIdx = authnRequest.getAssertionConsumerServiceIndex();
 		int idx = 0;
 
 		if (aIdx != null) {
 			idx = aIdx.intValue();
+			
+		} else {				
+			idx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor);
 		}
-		
-		SPSSODescriptor spSSODescriptor = peerEntity
-				.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
 
 		AssertionConsumerService consumerService = spSSODescriptor
 				.getAssertionConsumerServices().get(idx);
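Review bot: The value placed in `idx` is the metadata `index` attribute (the request's AssertionConsumerServiceIndex, or what `getDefaultAssertionConsumerServiceIndex` returns), yet the last two lines of the hunk use it as a list position in `getAssertionConsumerServices().get(idx)`; the two only coincide when an SP numbers its endpoints 0..n-1 in document order. With any other numbering the IdP either posts the signed response to the wrong endpoint or throws IndexOutOfBoundsException on a value taken straight from the request. Resolve the endpoint by matching the `index` attribute and reject the request with the already-imported InvalidAssertionConsumerServiceException when nothing matches; a request that omits the index may presumably carry AssertionConsumerServiceURL instead, which this code does not consider. The enclosing method starts before and ends after this hunk.
```java
		Integer aIdx = authnRequest.getAssertionConsumerServiceIndex();
		int idx = (aIdx != null)
				? aIdx.intValue()
				: SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor);

		// Match on the metadata 'index' attribute, never on list position.
		AssertionConsumerService consumerService = null;
		for (AssertionConsumerService acs : spSSODescriptor.getAssertionConsumerServices()) {
			if (acs.getIndex() != null && acs.getIndex().intValue() == idx) {
				consumerService = acs;
				break;
			}
		}
		if (consumerService == null) {
			// reject the request: throw InvalidAssertionConsumerServiceException (imported above)
			// using the project's constructor, instead of letting get(idx) fail
		}
```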
@@ -201,6 +208,10 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 			binding.encodeRespone(req, resp, authResponse, oaURL);
 			// TODO add remoteSessionID to AuthSession ExternalPVPSessionStore
 			
+//			Logger logger = new Logger();
+//			logger.debug("Redirect Binding Request = " + PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(authResponse)));
+			
+
 			return assertion.getID();
 			
 		} catch (MessageEncodingException e) {
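Review bot: The commented-out debug dump would pretty-print the complete `authResponse` — presumably including the assertion with the subject's identity data — into the debug log, so if it is ever re-enabled it must be gated to a protected log and never left on in production; as it stands it is dead code and should be removed rather than kept as a template. `Logger logger = new Logger();` also contradicts the static `Logger.debug(...)`/`Logger.error(...)` calls used everywhere else in this file, which is one more reason to drop the two lines. The enclosing try block starts before this hunk and its catch clauses continue after it.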
@@ -209,6 +220,15 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 		} catch (SecurityException e) {
 			Logger.error("Security exception", e);
 			throw new MOAIDException("pvp2.01", null, e);
+//		} catch (TransformerException e) {
+//			Logger.error("Security exception", e);
+//			throw new MOAIDException("pvp2.01", null, e);
+//		} catch (IOException e) {
+//			Logger.error("Security exception", e);
+//			throw new MOAIDException("pvp2.01", null, e);
+//		} catch (MarshallingException e) {
+//			Logger.error("Security exception", e);
+//			throw new MOAIDException("pvp2.01", null, e);
 		}
 	}
 }
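Review bot: The three commented-out catch blocks are dead code, and the imports they would need (`IOException`, `TransformerException`, `MarshallingException`, `PrettyPrinter`) added in the earlier hunks of this file are now unused; either delete both or wire the debug dump in properly. Each block also copies the message `"Security exception"` and error code `pvp2.01` onto what would be serialization failures, so if they are ever re-enabled the log line should name the real failure, e.g. `Logger.error("Could not serialize SAML response for logging", e);`, so that a marshalling problem is not triaged as a signature or trust failure. The enclosing try/catch starts outside this hunk.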
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
index 7bb5b052f..373bca902 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
@@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
 
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
+import java.util.List;
 
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
@@ -13,6 +14,8 @@ import org.opensaml.Configuration;
 import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
 import org.opensaml.saml2.core.Status;
 import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.xml.XMLObject;
 import org.opensaml.xml.XMLObjectBuilderFactory;
 import org.opensaml.xml.io.Marshaller;
@@ -77,4 +80,17 @@ public class SAML2Utils {
 		status.setStatusCode(statusCode);
 		return status;
 	}
+	
+	public static int getDefaultAssertionConsumerServiceIndex(SPSSODescriptor spSSODescriptor) {
+		
+		List<AssertionConsumerService> assertionConsumerList = spSSODescriptor.getAssertionConsumerServices();
+		
+		for (AssertionConsumerService el : assertionConsumerList) {
+			if (el.isDefault())
+				return el.getIndex();
+			
+		}
+		
+		return 0;
+	}
 }
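Review bot: `getDefaultAssertionConsumerServiceIndex` returns the metadata `index` attribute of the first endpoint flagged `isDefault`, but falls back to a literal `0` that need not correspond to any endpoint, and callers that use the result as a list position will silently pick a different endpoint whenever the indices are not 0..n-1. Per SAML metadata, when no endpoint carries isDefault="true" the first one in document order is the default, so the fallback should return that element's index rather than 0, and the method needs a Javadoc line stating that the result is the `index` attribute, not a list position. `el.getIndex()` is presumably an Integer in OpenSAML, so an endpoint without an index attribute would NPE on unboxing — guard it as below.
```java
	public static int getDefaultAssertionConsumerServiceIndex(SPSSODescriptor spSSODescriptor) {
		List<AssertionConsumerService> assertionConsumerList = spSSODescriptor.getAssertionConsumerServices();
		for (AssertionConsumerService el : assertionConsumerList) {
			if (Boolean.TRUE.equals(el.isDefault()) && el.getIndex() != null)
				return el.getIndex();
		}
		// SAML metadata: without an explicit isDefault="true", the first listed endpoint is the default.
		if (!assertionConsumerList.isEmpty() && assertionConsumerList.get(0).getIndex() != null)
			return assertionConsumerList.get(0).getIndex();
		return 0;
	}
```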
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 628da6773..4823d7629 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -41,6 +41,7 @@ public class SAMLVerificationEngine {
 	
 	public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
 		SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
+		
 		try {
 		    profileValidator.validate(samlObj.getSignature());
 		} catch (ValidationException e) {
-- 
cgit v1.2.3


From f5f8575182680e61068e6225e3fc67b92187ac54 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 22 Jan 2014 11:47:59 +0100
Subject: add additional log messages

---
 .../at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java  | 3 +++
 .../gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java | 3 +++
 2 files changed, 6 insertions(+)

(limited to 'id/server/idserverlib/src/main/java')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 2fe52d032..9319c306b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -27,6 +27,7 @@ import org.opensaml.xml.security.credential.Credential;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.logging.Logger;
 
 public class PostBinding implements IDecoder, IEncoder {
 
@@ -45,6 +46,8 @@ public class PostBinding implements IDecoder, IEncoder {
 			Credential credentials = CredentialProvider
 					.getIDPSigningCredential();
 
+			Logger.debug("create SAML POSTBinding response");
+			
 			// VelocityEngine engine =
 			// VelocityProvider.getClassPathVelocityEngine();
 			VelocityEngine engine = new VelocityEngine();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 9b43fb999..78b63e041 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
+import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.DOMUtils;
 
 public class RedirectBinding implements IDecoder, IEncoder {
@@ -50,6 +51,8 @@ public class RedirectBinding implements IDecoder, IEncoder {
 			Credential credentials = CredentialProvider
 					.getIDPSigningCredential();
 
+			Logger.debug("create SAML RedirectBinding response");
+			
 			HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
 			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
 					resp, true);
-- 
cgit v1.2.3


From d9550b5e3f24a0f6013502dcc632c4d2730a6749 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 22 Jan 2014 13:28:46 +0100
Subject: change PVP2 AssertionBuilder to use the same DateTime at every
 position

---
 .../pvp2x/builder/assertion/PVP2AssertionBuilder.java        | 12 ++++++------
 .../protocols/pvp2x/requestHandler/AuthnRequestHandler.java  |  6 ++++--
 2 files changed, 10 insertions(+), 8 deletions(-)

(limited to 'id/server/idserverlib/src/main/java')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index d1d79373c..9e2c89583 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -57,7 +57,7 @@ import at.gv.egovernment.moa.util.Constants;
 
 public class PVP2AssertionBuilder implements PVPConstants {
 	public static Assertion buildAssertion(AuthnRequest authnRequest,
-			AuthenticationSession authSession, EntityDescriptor peerEntity)
+			AuthenticationSession authSession, EntityDescriptor peerEntity, DateTime date)
 			throws MOAIDException {
 		Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class);
 
@@ -137,7 +137,7 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		AuthnStatement authnStatement = SAML2Utils
 				.createSAMLObject(AuthnStatement.class);
 		String remoteSessionID = SAML2Utils.getSecureIdentifier();
-		authnStatement.setAuthnInstant(new DateTime());
+		authnStatement.setAuthnInstant(date);
 		// currently dummy id ...
 		authnStatement.setSessionIndex(remoteSessionID);
 		authnStatement.setAuthnContext(authnContext);
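Review bot: The new `date` parameter introduced in the signature change of the previous hunk is undocumented, and a null value would only surface later as a NullPointerException in `date.plusMinutes(5)`. Add to the method's Javadoc `@param date issue instant shared by the assertion, its AuthnStatement, its Conditions and the enclosing Response so that every timestamp agrees; must not be null` and, if the project targets Java 7 or later, a `Objects.requireNonNull(date, "date")` at the top of the method. The enclosing buildAssertion method starts before and ends after this hunk.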
@@ -300,7 +300,7 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		SubjectConfirmationData subjectConfirmationData = SAML2Utils
 				.createSAMLObject(SubjectConfirmationData.class);
 		subjectConfirmationData.setInResponseTo(authnRequest.getID());
-		subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(5));
+		subjectConfirmationData.setNotOnOrAfter(date.plusMinutes(5));
 		
 		//TL: change from entityID to destination URL 
 		AssertionConsumerService consumerService = spSSODescriptor
@@ -323,9 +323,9 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		
 		audience.setAudienceURI(peerEntity.getEntityID());
 		audienceRestriction.getAudiences().add(audience);
-		conditions.setNotBefore(new DateTime());
+		conditions.setNotBefore(date);
 		
-		conditions.setNotOnOrAfter(new DateTime().plusMinutes(5));
+		conditions.setNotOnOrAfter(date.plusMinutes(5));
 //		conditions.setNotOnOrAfter(new DateTime());
 		
 		conditions.getAudienceRestrictions().add(audienceRestriction);
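Review bot: The assertion lifetime is still hard-coded as `date.plusMinutes(5)` here and again on the SubjectConfirmationData in the previous hunk; now that both derive from the shared `date`, a single `private static final int ASSERTION_LIFETIME_MINUTES = 5;` used at both sites would keep the two windows identical and make the value visible to whoever tunes it against SP clock skew. The dead line `// conditions.setNotOnOrAfter(new DateTime());` also survives this rewrite and should go. The enclosing method starts and ends outside this hunk.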
@@ -342,7 +342,7 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		assertion.setIssuer(issuer);
 		assertion.setSubject(subject);
 		assertion.setID(SAML2Utils.getSecureIdentifier());
-		assertion.setIssueInstant(new DateTime());
+		assertion.setIssueInstant(date);
 
 		return assertion;
 	}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index 4128a406b..89285bad1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -77,7 +77,9 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 		AuthnRequest authnRequest = (AuthnRequest) obj.getSamlRequest();
 		EntityDescriptor peerEntity = obj.getEntityMetadata();
 		
-		Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity);
+		DateTime date = new DateTime();
+		
+		Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity, date);
 		
 		Response authResponse = SAML2Utils.createSAMLObject(Response.class);
 
@@ -93,7 +95,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 		authResponse.setInResponseTo(authnRequest.getID());
 		
 		//SAML2 response required IssueInstant
-		authResponse.setIssueInstant(new DateTime());
+		authResponse.setIssueInstant(date);
 		
 		authResponse.setStatus(SAML2Utils.getSuccessStatus());
 
-- 
cgit v1.2.3