From 14b0f46d1aa0b266547ac43dfc7a4ed2256cfc71 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Wed, 7 May 2014 17:17:18 +0200
Subject: use MOA SSL SocketFactory for AttributQueryRequests
---
 .../id/auth/builder/AuthenticationDataBuilder.java | 48 ++++++++++++++++++----
 .../moa/id/protocols/pvp2x/PVPConstants.java | 2 +
 .../pvp2x/metadata/MOAMetadataProvider.java | 3 +-
 3 files changed, 43 insertions(+), 10 deletions(-)
(limited to 'id/server/idserverlib/src/main')
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 33c150927..a1a51f6c1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -32,6 +32,7 @@ import java.util.List;
 import javax.naming.ldap.LdapName;
 import javax.naming.ldap.Rdn;
+import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
 import org.opensaml.saml2.core.Assertion;
 import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.core.AttributeQuery;
@@ -61,12 +62,16 @@ import at.gv.egovernment.moa.id.auth.exception.ParseException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
 import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;
+import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType;
 import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
 import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.AuthenticationData;
 import at.gv.egovernment.moa.id.data.IAuthData;
 import at.gv.egovernment.moa.id.moduls.IRequest;
@@ -173,18 +178,24 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 authdata.setBPK(interfIDP.getUserNameID());
 } else {
+ //get attributes from interfederated IDP
+ OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(interfIDP.getIdpurlprefix());
+ getAuthDataFromInterfederation(authdata, session, oaParam, protocolRequest, interfIDP, idp, reqAttributes);
+ //mark attribute request as used
 try {
- interfIDP.setAttributesRequested(true);
- MOASessionDBUtils.saveOrUpdate(interfIDP);
+ if (idp.isInterfederationSSOStorageAllowed()) {
+ interfIDP.setAttributesRequested(true);
+ MOASessionDBUtils.saveOrUpdate(interfIDP);
+
+ } else {
+ MOASessionDBUtils.delete(interfIDP);
+ }
 } catch (MOADatabaseException e) {
 Logger.error("MOASession interfederation information can not stored to database.", e);
 }
-
- //get attributes from interfederated IDP
- getAuthDataFromInterfederation(authdata, session, oaParam, protocolRequest, interfIDP, reqAttributes);
 }
 } else {
@@ -217,13 +228,14 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 * @param oaParam
 * @param protocolRequest
 * @param interfIDP
+ * @param idp
 * @param reqQueryAttr
 * @throws ConfigurationException
 */
 private static void getAuthDataFromInterfederation( AuthenticationData authdata, AuthenticationSession session, IOAAuthParameters oaParam, IRequest req,
- InterfederationSessionStore interfIDP, List reqQueryAttr) throws BuildException, ConfigurationException{
+ InterfederationSessionStore interfIDP, OAAuthParameter idp, List reqQueryAttr) throws BuildException, ConfigurationException{
 try {
 List attributs = null;
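Review bot: `idp` returned by `getOnlineApplicationParameter(interfIDP.getIdpurlprefix())` is passed straight into `getAuthDataFromInterfederation` and then dereferenced in `idp.isInterfederationSSOStorageAllowed()` without a null check; if that lookup yields null for a prefix that is no longer configured, this path presumably ends in a NullPointerException instead of a configuration error, so a guard such as `if (idp == null) throw new ConfigurationException("No configuration for interfederation IDP " + interfIDP.getIdpurlprefix(), null);` is worth adding, assuming the enclosing method can declare that exception. Moving the attribute fetch ahead of the `try` also changes failure behaviour: the removed lines marked `interfIDP` as used before the back-channel query, whereas now a `BuildException` or `ConfigurationException` from `getAuthDataFromInterfederation` leaves the stored interfederation session neither marked nor deleted, so the same stored request remains usable on a retry — confirm this is intended rather than returning to mark-then-fetch. The enclosing method begins and ends outside the hunk.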
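Review bot: The Javadoc above the changed signature lists `@throws ConfigurationException` but not `BuildException`, which the method also declares, and the new `@param idp` has no description, so a reader cannot tell how `idp` differs from `oaParam`. Suggested: `@param idp configuration of the interfederated IDP whose AttributeQuery service URL is used` plus a matching `@throws BuildException` line describing when the query cannot be built or sent. The method body continues outside the hunk.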
@@ -243,9 +255,9 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 attributs = req.getRequestedAttributes();
 }
-
- //collect attributes by using BackChannel communication
- String endpoint = oaParam.getIDPAttributQueryServiceURL();
+
+ //collect attributes by using BackChannel communication
+ String endpoint = idp.getIDPAttributQueryServiceURL();
 if (MiscUtil.isEmpty(endpoint)) {
 Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix());
 throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null);
@@ -265,6 +277,24 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 soapContext.setOutboundMessage(soapRequest);
 HttpClientBuilder clientBuilder = new HttpClientBuilder();
+ if (endpoint.startsWith("https")) {
+ try {
+ SecureProtocolSocketFactory sslprotocolsocketfactory =
+ new MOAHttpProtocolSocketFactory(
+ PVPConstants.SSLSOCKETFACTORYNAME,
+ AuthConfigurationProvider.getInstance().getCertstoreDirectory(),
+ AuthConfigurationProvider.getInstance().getTrustedCACertificates(),
+ null,
+ ChainingModeType.fromValue(AuthConfigurationProvider.getInstance().getDefaultChainingMode()),
+ AuthConfigurationProvider.getInstance().isTrustmanagerrevoationchecking());
+ clientBuilder.setHttpsProtocolSocketFactory(sslprotocolsocketfactory );
+
+ } catch (MOAHttpProtocolSocketFactoryException e) {
+ Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
+
+ }
+ }
+
 HttpSOAPClient soapClient = new HttpSOAPClient(clientBuilder.buildClient(), parserPool);
 //send request to IDP
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
index dafaf6279..47c297914 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
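Review bot: The endpoint now comes from `idp`, but the error log and the `ConfigurationException` message on the following two lines still report `oaParam.getPublicURLPrefix()`, which identifies the requesting online application rather than the IDP configuration that lacks the AttributeQuery URL, so an operator is pointed at the wrong entry. Assuming this is still inside `getAuthDataFromInterfederation`, its `interfIDP` parameter is in scope and `interfIDP.getIdpurlprefix()` (already called on `interfIDP` in this commit) names the IDP: `Logger.error("No AttributeQueryURL for interfederationIDP " + interfIDP.getIdpurlprefix());` with the same replacement in the exception message. The method continues beyond the hunk on both sides.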
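Review bot: The `catch (MOAHttpProtocolSocketFactoryException e)` branch only logs a warning and continues, so a missing or unreadable MOA cert store silently downgrades the AttributeQuery TLS connection from the configured CA set, chaining mode and revocation checking to whatever the JVM trusts by default (as the log message itself states); for a back-channel that carries identity attributes this should fail closed, e.g. `throw new ConfigurationException("MOA SSL-TrustStore can not initialized.", null);` since the method already declares `ConfigurationException`, and if the fallback is kept deliberately the warning should at least carry the cause, `Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e);`. The guard `endpoint.startsWith("https")` is case-sensitive and differs from the `"https:"` prefix checked in MOAMetadataProvider, so an `HTTPS://` endpoint would skip the MOA factory and also end up on the default trust store; a case-insensitive check shared with the metadata provider would keep both paths consistent. The five `AuthConfigurationProvider.getInstance()` calls could be hoisted into one local for readability.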
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java
@@ -27,6 +27,8 @@ import org.opensaml.xml.signature.SignatureConstants;
 public interface PVPConstants {
+ public static final String SSLSOCKETFACTORYNAME = "MOAMetaDataProvider";
+
 public static final String DEFAULT_SIGNING_METHODE = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
 public static final String DEFAULT_DIGESTMETHODE = SignatureConstants.ALGO_ID_DIGEST_SHA256;
 public static final String DEFAULT_SYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 5c8e181a7..f29c0eaef 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -53,6 +53,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
 import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
 import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain;
 import at.gv.egovernment.moa.logging.Logger;
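Review bot: `SSLSOCKETFACTORYNAME` keeps the value `"MOAMetaDataProvider"` although with this commit it names the MOA SSL socket factory used by both MOAMetadataProvider and the AttributeQuery client in AuthenticationDataBuilder, and the constant has no Javadoc, so the literal suggests a metadata-only purpose it no longer has. A comment such as `/** Name of the MOA SSL socket factory shared by the metadata provider and the interfederation AttributeQuery client. */` would prevent that misreading; whether both callers may share one name (for instance if it keys a cached trust store) is not visible here and belongs in that comment too.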
@@ -338,7 +339,7 @@ public class MOAMetadataProvider implements MetadataProvider {
 if (metadataURL.startsWith("https:")) {
 try {
 MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
- "MOAMetaDataProvider",
+ PVPConstants.SSLSOCKETFACTORYNAME,
 AuthConfigurationProvider.getInstance().getCertstoreDirectory(),
 AuthConfigurationProvider.getInstance().getTrustedCACertificates(),
 null,
--
cgit v1.2.3