From 4795b273bb734f04056babe963d8588ffbf50fb0 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 21 Jul 2015 15:30:40 +0200 Subject: fix MOA-ID-Auth problems --- .../moa/id/auth/MOAIDAuthInitializer.java | 3 +- .../moa/id/config/auth/OAAuthParameter.java | 21 +++++++- .../moa/id/entrypoints/DispatcherServlet.java | 2 +- .../moa/id/moduls/AuthenticationManager.java | 28 ++++++---- .../protocols/pvp2x/config/PVPConfiguration.java | 5 +- .../pvp2x/metadata/MOAMetadataProvider.java | 59 +++++++++++++++++----- .../main/resources/moaid.configuration.beans.xml | 15 ++++-- .../resources/properties/id_messages_de.properties | 3 +- .../protocol_response_statuscodes_de.properties | 1 + 9 files changed, 102 insertions(+), 35 deletions(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java index 65e3b10d7..e1086bbd1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java @@ -22,6 +22,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.PropertyBasedAuthConfigurationProvider; import at.gv.egovernment.moa.id.iaik.config.LoggerConfigImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.util.AxisSecureSocketFactory; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.id.util.SSLUtils; @@ -174,7 +175,7 @@ public class MOAIDAuthInitializer { System.exit(-1); } - + // Starts the session cleaner thread to remove unpicked authentication data AuthenticationSessionCleaner.start(); AuthConfigLoader.start(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 9386330cc..987603227 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -865,7 +865,26 @@ public boolean isRemovePBKFromAuthBlock() { */ @Override public List getReversionsLoggingEventCodes() { - // TODO Auto-generated method stub + String isEnabled = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_REVERSION_LOGS_ENABLED); + if (MiscUtil.isNotEmpty(isEnabled) && Boolean.parseBoolean(isEnabled)) { + String eventCodes = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_REVERSION_LOGS_EVENTCODES); + if (MiscUtil.isNotEmpty(eventCodes)) { + String[] codes = eventCodes.split(","); + List result = new ArrayList(); + for (String el : codes) { + try { + result.add(Integer.valueOf(el.trim())); + + } catch (NumberFormatException e) { + Logger.warn("EventCode can not parsed to Integer.", e); + + } + } + if (!result.isEmpty()) + return result; + + } + } return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 5584e8ca6..45eecec84 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -311,7 +311,7 @@ public class DispatcherServlet extends AuthServlet{ MiscUtil.isNotEmpty(protocolRequest.getRequestID())) { OAAuthParameter oaParams = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(protocolRequest.getOAURL()); - if (oaParams.isSTORKPVPGateway() || !oaParams.isPerformLocalAuthenticationOnInterfederationError()) { + if (!oaParams.isPerformLocalAuthenticationOnInterfederationError()) { // -> send end error to service provider Logger.info("Federated authentication for entity " + protocolRequest.getOAURL() + " FAILED. Sending error message to service provider."); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 06b55fb66..f3c40707e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -400,18 +400,22 @@ public class AuthenticationManager extends MOAIDAuthConstants { Logger.debug("Build PVP 2.1 authentication request"); //get IDP metadata - try { - OAAuthParameter idp = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(target.getRequestedIDP()); - OAAuthParameter sp = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(target.getOAURL()); + + OAAuthParameter idp = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(target.getRequestedIDP()); + OAAuthParameter sp = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(target.getOAURL()); - if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) { - Logger.info("Requested interfederation IDP " + target.getRequestedIDP() + " is not valid for interfederation."); - Logger.info("Switch to local authentication on this IDP ... "); - perfomLocalAuthentication(request, response, target); - return; + if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) { + Logger.info("Requested interfederation IDP " + target.getRequestedIDP() + " is not valid for interfederation."); + Logger.debug("isInderfederationIDP:" + String.valueOf(idp.isInderfederationIDP()) + + " isInboundSSOAllowed:" + String.valueOf(idp.isInboundSSOInterfederationAllowed())); + Logger.info("Switch to local authentication on this IDP ... "); + + perfomLocalAuthentication(request, response, target); + return; - } + } + try { EntityDescriptor idpEntity = MOAMetadataProvider.getInstance(). getEntityDescriptor(target.getRequestedIDP()); @@ -556,7 +560,11 @@ public class AuthenticationManager extends MOAIDAuthConstants { if (requiredLocalAuthentication) { Logger.info("Switch to local authentication on this IDP ... "); - perfomLocalAuthentication(request, response, target); + if (idp.isPerformLocalAuthenticationOnInterfederationError()) + perfomLocalAuthentication(request, response, target); + + else + throw new AuthenticationException("auth.29", new String[]{target.getRequestedIDP()}); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index de58c34a1..87a63a8a0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -115,10 +115,7 @@ public class PVPConfiguration { //generalpvpconfigdb = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig(); props = AuthConfigurationProviderFactory.getInstance().getGeneralPVP2ProperiesConfig(); rootDir = AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir(); - - //load PVP2X metadata for all active online applications - MOAMetadataProvider.getInstance(); - + } catch (ConfigurationException e) { e.printStackTrace(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 389b9825f..824c9be0b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -26,14 +26,11 @@ import java.io.IOException; import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.Collection; -import java.util.Collections; -import java.util.Date; import java.util.HashMap; import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Map.Entry; -import java.util.concurrent.CopyOnWriteArrayList; import java.util.Timer; import javax.net.ssl.SSLHandshakeException; @@ -49,7 +46,6 @@ import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider; -import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider.Observer; import org.opensaml.xml.XMLObject; import org.opensaml.xml.parse.BasicParserPool; @@ -74,7 +70,6 @@ public class MOAMetadataProvider implements ObservableMetadataProvider{ private static MOAMetadataProvider instance = null; private static Object mutex = new Object(); - private List observers; public static MOAMetadataProvider getInstance() { @@ -338,8 +333,7 @@ public class MOAMetadataProvider implements ObservableMetadataProvider{ Logger.warn("MetadataProvider can not be destroyed."); } } - - this.observers = Collections.emptyList(); + instance = null; } else { Logger.warn("ReInitalize MOAMetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy"); @@ -348,14 +342,12 @@ public class MOAMetadataProvider implements ObservableMetadataProvider{ private MOAMetadataProvider() { ChainingMetadataProvider chainProvider = new ChainingMetadataProvider(); - this.observers = new CopyOnWriteArrayList(); Logger.info("Loading metadata"); Map providersinuse = new HashMap(); try { - //TODO: database search does not work!!!!! Map allOAs = AuthConfigurationProviderFactory.getInstance().getConfigurationWithWildCard( - MOAIDConfigurationConstants.PREFIX_SERVICES + MOAIDConfigurationConstants.PREFIX_MOAID_SERVICES + ".%." + MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER); @@ -373,7 +365,7 @@ public class MOAMetadataProvider implements ObservableMetadataProvider{ try { String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); - if (MiscUtil.isNotEmpty(certBase64) || MiscUtil.isNotEmpty(metadataurl)) { + if (MiscUtil.isNotEmpty(certBase64) && MiscUtil.isNotEmpty(metadataurl)) { byte[] cert = Base64Utils.decode(certBase64, false); @@ -543,14 +535,53 @@ public class MOAMetadataProvider implements ObservableMetadataProvider{ return internalProvider.getMetadata(); } - public EntitiesDescriptor getEntitiesDescriptor(String name) + public EntitiesDescriptor getEntitiesDescriptor(String entitiesID) throws MetadataProviderException { - return internalProvider.getEntitiesDescriptor(name); + EntitiesDescriptor entitiesDesc = null; + try { + entitiesDesc = internalProvider.getEntitiesDescriptor(entitiesID); + + if (entitiesDesc == null) { + Logger.debug("Can not find PVP metadata for entityID: " + entitiesID + + " Start refreshing process ..."); + if (refreshMetadataProvider(entitiesID)) + return internalProvider.getEntitiesDescriptor(entitiesID); + + } + + } catch (MetadataProviderException e) { + Logger.debug("Can not find PVP metadata for entityID: " + entitiesID + + " Start refreshing process ..."); + if (refreshMetadataProvider(entitiesID)) + return internalProvider.getEntitiesDescriptor(entitiesID); + + } + + return entitiesDesc; } public EntityDescriptor getEntityDescriptor(String entityID) throws MetadataProviderException { - return internalProvider.getEntityDescriptor(entityID); + EntityDescriptor entityDesc = null; + try { + entityDesc = internalProvider.getEntityDescriptor(entityID); + if (entityDesc == null) { + Logger.debug("Can not find PVP metadata for entityID: " + entityID + + " Start refreshing process ..."); + if (refreshMetadataProvider(entityID)) + return internalProvider.getEntityDescriptor(entityID); + + } + + } catch (MetadataProviderException e) { + Logger.debug("Can not find PVP metadata for entityID: " + entityID + + " Start refreshing process ..."); + if (refreshMetadataProvider(entityID)) + return internalProvider.getEntityDescriptor(entityID); + + } + + return entityDesc; } public List getRole(String entityID, QName roleName) diff --git a/id/server/idserverlib/src/main/resources/moaid.configuration.beans.xml b/id/server/idserverlib/src/main/resources/moaid.configuration.beans.xml index f2b2f5adf..206fde87d 100644 --- a/id/server/idserverlib/src/main/resources/moaid.configuration.beans.xml +++ b/id/server/idserverlib/src/main/resources/moaid.configuration.beans.xml @@ -19,13 +19,22 @@ - + + + + + + + + + + - - + + diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index f5f9f5979..aca37f072 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -44,8 +44,9 @@ auth.23=Das BKU-Selektion Template entspricht nicht der Spezifikation von MOA-ID auth.24=Das Send-Assertion Template entspricht nicht der Spezifikation von MOA-ID 2.x. auth.25=Fehler beim validieren der SZR-Gateway Response. auth.26=SessionID unbekannt. -auth.27=Federated authentication FAILED. +auth.27=Federated authentication FAILED! Assertion from {0} IDP is not valid. auth.28=Transaktion {0} kann nicht weitergef\u00FChrt werden. Wahrscheinlich wurde ein TimeOut erreicht. +auth.29=Federated authentication FAILED! Can not build authentication request for IDP {0} init.00=MOA ID Authentisierung wurde erfolgreich gestartet init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index 79d6d5eef..fa332f0c7 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -26,6 +26,7 @@ auth.25=1109 auth.26=1100 auth.27=4401 auth.28=1100 +auth.29=4401 init.00=9199 init.01=9199 -- cgit v1.2.3