From 77c3560745fcba9e3975472dd77cb928924fb35f Mon Sep 17 00:00:00 2001 From: kstranacher Date: Thu, 6 Oct 2011 19:15:53 +0000 Subject: =?UTF-8?q?MOA-ID:=20-=20Fixed=20Bug=20#556=20(https://egovlabs.gv?= =?UTF-8?q?.at/tracker/index.php=3Ffunc=3Ddetail&aid=3D556&group=5Fid=3D6&?= =?UTF-8?q?atid=3D105)=20-=20Update=20Einbindung=20Online-Vollmachten=20(V?= =?UTF-8?q?or=20Auswahl=20der=20Vollmacht=20werden=20die=20Signaturdaten?= =?UTF-8?q?=20signiert)=20-=20Update=20Transformationen=20(f=C3=BCr=20Onli?= =?UTF-8?q?ne-Vollmachten)=20-=20=C3=84nderung=20der=20Konfiguration=20f?= =?UTF-8?q?=C3=BCr=20Online-Vollmachten=20(keine=20Templates=20mehr=20f?= =?UTF-8?q?=C3=BCr=20Online-Vollmachten;=20Attribute=20provideMandatorDate?= =?UTF-8?q?=20in=20OA-Konfiguration)=20-=20sampleTemplates=20in=20Standard?= =?UTF-8?q?-Konfiguration=20gel=C3=B6scht=20-=20Update=20der=20Standard-Ko?= =?UTF-8?q?nfigurationen=20MOA-SPSS:=20-=20Library=20aktualisiert:=20Axis?= =?UTF-8?q?=20-=20Version=201.0=5FIAIK=20(gepatchte=20Variante=20von=20Axi?= =?UTF-8?q?s=201.0=20zur=20Vermeidung=20von=20XXE=20Attacken)=20-=20axis-1?= =?UTF-8?q?.0=5FIAIK.jar=20zu=20repository=20hinzugef=C3=BCgt?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1217 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../moa/id/auth/AuthenticationServer.java | 432 ++++++++++++--------- .../AuthenticationBlockAssertionBuilder.java | 47 +-- .../AuthenticationDataAssertionBuilder.java | 123 ++++++ .../moa/id/auth/builder/SAMLArtifactBuilder.java | 10 +- .../moa/id/auth/data/AuthenticationSession.java | 173 +++++++-- .../id/auth/servlet/GetMISSessionIDServlet.java | 68 ++-- .../auth/servlet/ProcessValidatorInputServlet.java | 2 +- .../servlet/VerifyAuthenticationBlockServlet.java | 24 ++ .../id/auth/servlet/VerifyCertificateServlet.java | 111 +++--- .../id/auth/servlet/VerifyIdentityLinkServlet.java | 30 +- .../id/util/client/mis/simple/MISSimpleClient.java | 19 +- 11 files changed, 669 insertions(+), 370 deletions(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 94fd4f28e..9e15e04dd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -550,7 +550,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { // now validate the extended infoboxes verifyInfoboxes(session, infoboxReadResponseParameters, !oaParam.getProvideStammzahl()); - return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam, false); + return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam); } @@ -571,7 +571,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * the BKU including the <InfoboxReadResponse> * @return String representation of the <CreateXMLSignatureRequest> */ - public String verifyMandate(String sessionID, MISMandate mandate) + public void verifyMandate(String sessionID, MISMandate mandate) throws AuthenticationException, BuildException, @@ -591,28 +591,25 @@ public class AuthenticationServer implements MOAIDAuthConstants { AuthenticationSession session = getSession(sessionID); - AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance(); - - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( session.getPublicOAURLPrefix()); - try { - // set extended SAML attributes - setExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService()); - } catch (SAXException e) { - throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); - } catch (IOException e) { - throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); - } catch (ParserConfigurationException e) { - throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); - } catch (TransformerException e) { - throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); + if (oaParam.getProvideFullMandatorData()) { + try { + // set extended SAML attributes if provideMandatorData is true + setExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService()); + } catch (SAXException e) { + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); + } catch (IOException e) { + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); + } catch (ParserConfigurationException e) { + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); + } catch (TransformerException e) { + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e); + } } - - - return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam, true); + } /** @@ -625,7 +622,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * @throws BuildException * @throws ValidateException */ - public String getCreateXMLSignatureRequestAuthBlockOrRedirect(AuthenticationSession session, AuthConfigurationProvider authConf, OAAuthParameter oaParam, boolean fromMandate) + public String getCreateXMLSignatureRequestAuthBlockOrRedirect(AuthenticationSession session, AuthConfigurationProvider authConf, OAAuthParameter oaParam) throws ConfigurationException, BuildException, @@ -638,7 +635,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (oaParam==null) oaParam = AuthConfigurationProvider.getInstance(). getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - if (!fromMandate) { +// if (!fromMandate) { //BZ.., calculate bPK for signing to be already present in AuthBlock IdentityLink identityLink = session.getIdentityLink(); if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { @@ -649,11 +646,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { identityLink.setIdentificationValue(bpkBase64); } //..BZ - } +// } // builds the AUTH-block - String authBlock = buildAuthenticationBlock(session, fromMandate); + String authBlock = buildAuthenticationBlock(session); // session.setAuthBlock(authBlock); // builds the @@ -837,7 +834,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * @throws BuildException If an error occurs on serializing an extended SAML attribute * to be appended to the AUTH-Block. */ - private String buildAuthenticationBlock(AuthenticationSession session, boolean fromMandate) throws BuildException { + private String buildAuthenticationBlock(AuthenticationSession session) throws BuildException { IdentityLink identityLink = session.getIdentityLink(); String issuer = identityLink.getName(); String gebDat = identityLink.getDateOfBirth(); @@ -862,8 +859,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { oaURL, gebDat, extendedSAMLAttributes, - session, - fromMandate); + session); return authBlock; } @@ -949,7 +945,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { throw new ValidateException("validator.43", new Object[] {friendlyName}); } // set compatibility mode for mandates infobox and all infoboxes (it is possible to be a parep infobox) - session.setMandateCompatibilityMode(ParepConfiguration.isMandateCompatibilityMode(verifyInfoboxParameter.getApplicationSpecificParams())); + //session.setMandateCompatibilityMode(ParepConfiguration.isMandateCompatibilityMode(verifyInfoboxParameter.getApplicationSpecificParams())); // check for party representation in mandates infobox if (Constants.INFOBOXIDENTIFIER_MANDATES.equalsIgnoreCase(identifier) && !((infoboxTokenList == null || infoboxTokenList.size() == 0))){ //We need app specific parameters @@ -1187,6 +1183,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { Vector extendedSamlAttributes = new Vector(); + extendedSamlAttributes.clear(); //extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_RAW, mandate, SZRGWConstants.MANDATE_NS, ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); @@ -1404,72 +1401,189 @@ public class AuthenticationServer implements MOAIDAuthConstants { } - // Exchange person data information by a mandate if needed - boolean mandateMode = session.getUseMandate(); + // builds authentication data and stores it together with a SAML artifact + AuthenticationData authData = buildAuthenticationData(session, vsresp); - List oaAttributes = session.getExtendedSAMLAttributesOA(); - IdentityLink replacementIdentityLink = null; + if (session.getUseMandate()) { + // mandate mode + return null; + } + else { + + String samlAssertion = + new AuthenticationDataAssertionBuilder().build( + authData, + session.getAssertionPrPerson(), + session.getAssertionAuthBlock(), + session.getAssertionIlAssertion(), + session.getBkuURL(), + session.getAssertionSignerCertificateBase64(), + session.getAssertionBusinessService(), + session.getExtendedSAMLAttributesOA()); + authData.setSamlAssertion(samlAssertion); + + String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile"); + if (!ParepUtils.isEmpty(assertionFile)) + try { + ParepUtils.saveStringToFile(samlAssertion, new File(assertionFile)); + } catch (IOException e) { + throw new BuildException( + "builder.00", + new Object[] { "AuthenticationData", e.toString()}, + e); + } + + String samlArtifact = + new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID()); + storeAuthenticationData(samlArtifact, authData); + + // invalidates the authentication session + sessionStore.remove(sessionID); + Logger.info( + "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact); + return samlArtifact; + + } + + + + + } + + /** + * Processes a <CreateXMLSignatureResponse> sent by the + * security layer implementation.
+ * + * + * @param sessionID session ID of the running authentication session + * @param xmlCreateXMLSignatureReadResponse String representation of the + * <CreateXMLSignatureResponse> + * @return SAML artifact needed for retrieving authentication data, encoded BASE64 + */ + public String verifyAuthenticationBlockMandate( + String sessionID, + Element mandate) + throws + AuthenticationException, + BuildException, + ParseException, + ConfigurationException, + ServiceException, + ValidateException { + + if (isEmpty(sessionID)) + throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID}); + AuthenticationSession session = getSession(sessionID); + //AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance(); -// if (mandateMode) { -// Iterator it = oaAttributes.iterator(); -// //ExtendedSAMLAttribute samlAttribute = (ExtendedSAMLAttribute)it.next(); -// Element mandate = session.getMandateElem(); -// replacementIdentityLink = new IdentityLink(); -// Element mandator = ParepUtils.extractMandator(mandate); -// String dateOfBirth = ""; -// Element prPerson = null; -// String familyName = ""; -// String givenName = ""; -// String identificationType = ""; -// String identificationValue = ""; -// if (mandator != null) { -// boolean physical = ParepUtils.isPhysicalPerson(mandator); -// if (physical) { -// familyName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:FamilyName/text()"); -// givenName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:GivenName/text()"); -// dateOfBirth = ParepUtils.extractMandatorDateOfBirth(mandator); -// } else { -// familyName = ParepUtils.extractMandatorFullName(mandator); -// } -// identificationType = ParepUtils.getIdentification(mandator, "Type"); -// identificationValue = ParepUtils.extractMandatorWbpk(mandator); -// prPerson = ParepUtils.extractPrPersonOfMandate(mandate); -// if (physical && session.getBusinessService() && identificationType!=null && Constants.URN_PREFIX_BASEID.equals(identificationType)) { -// // now we calculate the wbPK and do so if we got it from the BKU -// identificationType = Constants.URN_PREFIX_WBPK + "+" + session.getDomainIdentifier(); -// identificationValue = new BPKBuilder().buildWBPK(identificationValue, session.getDomainIdentifier()); -// ParepUtils.HideStammZahlen(prPerson, true, null, null, true); -// } -// -// -// replacementIdentityLink.setDateOfBirth(dateOfBirth); -// replacementIdentityLink.setFamilyName(familyName); -// replacementIdentityLink.setGivenName(givenName); -// replacementIdentityLink.setIdentificationType(identificationType); -// replacementIdentityLink.setIdentificationValue(identificationValue); -// replacementIdentityLink.setPrPerson(prPerson); -// try { -// replacementIdentityLink.setSamlAssertion(session.getIdentityLink().getSamlAssertion()); -// } catch (Exception e) { -// throw new ValidateException("validator.64", null); -// } -// -// } -// -// } + + IdentityLink tempIdentityLink = null; + + if (session.getUseMandate()) { + tempIdentityLink = new IdentityLink(); + Element mandator = ParepUtils.extractMandator(mandate); + String dateOfBirth = ""; + Element prPerson = null; + String familyName = ""; + String givenName = ""; + String identificationType = ""; + String identificationValue = ""; + if (mandator != null) { + boolean physical = ParepUtils.isPhysicalPerson(mandator); + if (physical) { + familyName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:FamilyName/text()"); + givenName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:GivenName/text()"); + dateOfBirth = ParepUtils.extractMandatorDateOfBirth(mandator); + } else { + familyName = ParepUtils.extractMandatorFullName(mandator); + } + identificationType = ParepUtils.getIdentification(mandator, "Type"); + identificationValue = ParepUtils.extractMandatorWbpk(mandator); + prPerson = ParepUtils.extractPrPersonOfMandate(mandate); + if (physical && session.getBusinessService() && identificationType!=null && Constants.URN_PREFIX_BASEID.equals(identificationType)) { + // now we calculate the wbPK and do so if we got it from the BKU + identificationType = Constants.URN_PREFIX_WBPK + "+" + session.getDomainIdentifier(); + identificationValue = new BPKBuilder().buildWBPK(identificationValue, session.getDomainIdentifier()); + ParepUtils.HideStammZahlen(prPerson, true, null, null, true); + } + + + tempIdentityLink.setDateOfBirth(dateOfBirth); + tempIdentityLink.setFamilyName(familyName); + tempIdentityLink.setGivenName(givenName); + tempIdentityLink.setIdentificationType(identificationType); + tempIdentityLink.setIdentificationValue(identificationValue); + tempIdentityLink.setPrPerson(prPerson); + try { + tempIdentityLink.setSamlAssertion(session.getIdentityLink().getSamlAssertion()); + } catch (Exception e) { + throw new ValidateException("validator.64", null); + } + + } + + } // builds authentication data and stores it together with a SAML artifact - AuthenticationData authData = buildAuthenticationData(session, vsresp, replacementIdentityLink); - String samlArtifact = - new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID()); - storeAuthenticationData(samlArtifact, authData); + AuthenticationData authData = session.getAssertionAuthData(); //buildAuthenticationData(session, vsresp, replacementIdentityLink); - // invalidates the authentication session - sessionStore.remove(sessionID); - Logger.info( - "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact); - return samlArtifact; + Element mandatePerson = tempIdentityLink.getPrPerson(); + String mandateData = null; + try { + mandateData = DOMUtils.serializeNode(mandatePerson); + } catch (TransformerException e1) { + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}); + } catch (IOException e1) { + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}); + } + + String samlAssertion = + new AuthenticationDataAssertionBuilder().buildMandate( + authData, + session.getAssertionPrPerson(), + mandateData, + session.getAssertionAuthBlock(), + session.getAssertionIlAssertion(), + session.getBkuURL(), + session.getAssertionSignerCertificateBase64(), + session.getAssertionBusinessService(), + session.getExtendedSAMLAttributesOA()); + authData.setSamlAssertion(samlAssertion); + + String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile"); + if (!ParepUtils.isEmpty(assertionFile)) + try { + ParepUtils.saveStringToFile(samlAssertion, new File(assertionFile)); + } catch (IOException e) { + throw new BuildException( + "builder.00", + new Object[] { "AuthenticationData", e.toString()}, + e); + } + + String samlArtifact = + new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID()); + storeAuthenticationData(samlArtifact, authData); + + // invalidates the authentication session + sessionStore.remove(sessionID); + Logger.info( + "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact); + return samlArtifact; + } /** @@ -1540,79 +1654,45 @@ public class AuthenticationServer implements MOAIDAuthConstants { } } - // Exchange person data information by a mandate if needed - List oaAttributes = session.getExtendedSAMLAttributesOA(); - IdentityLink replacementIdentityLink = null; - if (session.isMandateCompatibilityMode() && oaAttributes != null && oaAttributes.size()>0) { - // look if we have a mandate - boolean foundMandate = false; - Iterator it = oaAttributes.iterator(); - while (!foundMandate && it.hasNext()) { - ExtendedSAMLAttribute samlAttribute = (ExtendedSAMLAttribute)it.next(); - if (ParepValidator.EXT_SAML_MANDATE_RAW.equals(samlAttribute.getName())) { - Object value = samlAttribute.getValue(); - if (value instanceof Element) { - Element mandate = (Element) value; - replacementIdentityLink = new IdentityLink(); - Element mandator = ParepUtils.extractMandator(mandate); - String dateOfBirth = ""; - Element prPerson = null; - String familyName = ""; - String givenName = ""; - String identificationType = ""; - String identificationValue = ""; - if (mandator != null) { - boolean physical = ParepUtils.isPhysicalPerson(mandator); - if (physical) { - familyName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:FamilyName/text()"); - givenName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:GivenName/text()"); - dateOfBirth = ParepUtils.extractMandatorDateOfBirth(mandator); - } else { - familyName = ParepUtils.extractMandatorFullName(mandator); - } - identificationType = ParepUtils.getIdentification(mandator, "Type"); - identificationValue = ParepUtils.extractMandatorWbpk(mandator); - prPerson = ParepUtils.extractPrPersonOfMandate(mandate); - if (physical && session.getBusinessService() && identificationType!=null && Constants.URN_PREFIX_BASEID.equals(identificationType)) { - // now we calculate the wbPK and do so if we got it from the BKU - identificationType = Constants.URN_PREFIX_WBPK + "+" + session.getDomainIdentifier(); - identificationValue = new BPKBuilder().buildWBPK(identificationValue, session.getDomainIdentifier()); - ParepUtils.HideStammZahlen(prPerson, true, null, null, true); - } - - } - replacementIdentityLink.setDateOfBirth(dateOfBirth); - replacementIdentityLink.setFamilyName(familyName); - replacementIdentityLink.setGivenName(givenName); - replacementIdentityLink.setIdentificationType(identificationType); - replacementIdentityLink.setIdentificationValue(identificationValue); - replacementIdentityLink.setPrPerson(prPerson); - try { - replacementIdentityLink.setSamlAssertion(session.getIdentityLink().getSamlAssertion()); - } catch (Exception e) { - throw new ValidateException("validator.64", null); - } - } else { - Logger.info("The type of Mandate SAML-Attribute is not \"org.w3c.dom.Element\""); - throw new ValidateException("validator.64", null); - } - } - } - } - VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponse(); X509Certificate cert = session.getForeignSignerCertificate(); vsresp.setX509certificate(cert); - AuthenticationData authData = buildAuthenticationData(session, vsresp, replacementIdentityLink); - String samlArtifact = - new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID()); - storeAuthenticationData(samlArtifact, authData); - - // invalidates the authentication session - sessionStore.remove(sessionID); - Logger.info( - "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact); - return samlArtifact; + AuthenticationData authData = buildAuthenticationData(session, vsresp); + + + String samlAssertion = + new AuthenticationDataAssertionBuilder().build( + authData, + session.getAssertionPrPerson(), + session.getAssertionAuthBlock(), + session.getAssertionIlAssertion(), + session.getBkuURL(), + session.getAssertionSignerCertificateBase64(), + session.getAssertionBusinessService(), + session.getExtendedSAMLAttributesOA()); + authData.setSamlAssertion(samlAssertion); + + String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile"); + if (!ParepUtils.isEmpty(assertionFile)) + try { + ParepUtils.saveStringToFile(samlAssertion, new File(assertionFile)); + } catch (IOException e) { + throw new BuildException( + "builder.00", + new Object[] { "AuthenticationData", e.toString()}, + e); + } + + String samlArtifact = + new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID()); + storeAuthenticationData(samlArtifact, authData); + + // invalidates the authentication session + sessionStore.remove(sessionID); + Logger.info( + "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact); + + return samlArtifact; } /** @@ -1626,18 +1706,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { */ private AuthenticationData buildAuthenticationData( AuthenticationSession session, - VerifyXMLSignatureResponse verifyXMLSigResp, - IdentityLink replacementIdentityLink) + VerifyXMLSignatureResponse verifyXMLSigResp) throws ConfigurationException, BuildException { - IdentityLink identityLink; - if (replacementIdentityLink == null) { - identityLink = session.getIdentityLink(); - } else { - // We have got data form a mandate we need now to use to stay compatible with applications - identityLink = replacementIdentityLink; - } - + IdentityLink identityLink = session.getIdentityLink(); AuthenticationData authData = new AuthenticationData(); OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( @@ -1661,6 +1733,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { authData.setIdentificationValue(identityLink.getIdentificationValue()); } String prPerson = new PersonDataBuilder().build(identityLink, provideStammzahl); + try { String signerCertificateBase64 = ""; if (oaParam.getProvideCertifcate()) { @@ -1696,22 +1769,17 @@ public class AuthenticationServer implements MOAIDAuthConstants { ilAssertion = StringUtils.replaceAll(ilAssertion, identityLink.getIdentificationValue(), ""); } String authBlock = oaParam.getProvideAuthBlock() ? session.getAuthBlock() : ""; - String samlAssertion = - new AuthenticationDataAssertionBuilder().build( - authData, - prPerson, - authBlock, - ilAssertion, - session.getBkuURL(), - signerCertificateBase64, - businessService, - session.getExtendedSAMLAttributesOA()); - authData.setSamlAssertion(samlAssertion); - String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile"); - if (!ParepUtils.isEmpty(assertionFile)) ParepUtils.saveStringToFile(samlAssertion, new File(assertionFile)); //Ex: "c:/saml_assertion.xml" - + session.setAssertionAuthBlock(authBlock); + session.setAssertionAuthData(authData); + session.setAssertionBusinessService(businessService); + session.setAssertionIlAssertion(ilAssertion); + session.setAssertionPrPerson(prPerson); + session.setAssertionSignerCertificateBase64(signerCertificateBase64); + return authData; + + } catch (Throwable ex) { throw new BuildException( "builder.00", @@ -1735,7 +1803,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { } AuthenticationData authData = null; synchronized (authenticationDataStore) { - System.out.println("assertionHandle: " + assertionHandle); + //System.out.println("assertionHandle: " + assertionHandle); authData = (AuthenticationData) authenticationDataStore.get(assertionHandle); if (authData == null) { Logger.error("Assertion not found for SAML Artifact: " + samlArtifact); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index d48054e4b..35c4244c6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -49,6 +49,7 @@ import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; @@ -154,15 +155,14 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion String oaURL, String gebDat, List extendedSAMLAttributes, - AuthenticationSession session, - boolean fromMandate) + AuthenticationSession session) throws BuildException { session.setSAMLAttributeGebeORwbpk(true); String gebeORwbpk = ""; String wbpkNSDeclaration = ""; - //BZ.., reading OA parameters + //reading OA parameters OAAuthParameter oaParam; try { oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( @@ -171,7 +171,6 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion Logger.error("Error on building AUTH-Block: " + e.getMessage()); throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); } - //..BZ if (target == null) { @@ -181,12 +180,11 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - //BZ.., adding type of wbPK domain identifier + //adding type of wbPK domain identifier ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute); - //..BZ } else { // We do not have a wbPK, therefore no SAML-Attribute is provided @@ -194,13 +192,11 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion } } else { // OA is a govermental application - //BZ.. String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" }); - //..BZ - //BZ.., no business service, adding bPK + //no business service, adding bPK Element bpkSamlValueElement; try { @@ -213,34 +209,41 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion // String s = xmlToString(bpkSamlValueElement); // System.out.println("bpkSamlValueElement: " + s); - - if (!fromMandate) { - ExtendedSAMLAttribute bpkAttribute = - new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - //System.out.println("extendedSAMLAttributes: " + extendedSAMLAttributes.size()); - - extendedSAMLAttributes.add(bpkAttribute); - } + ExtendedSAMLAttribute bpkAttribute = + new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + extendedSAMLAttributes.add(bpkAttribute); + + boolean useMandate = session.getUseMandate(); + if (useMandate) { + String mandateReferenceValue = Random.nextRandom(); + // remove leading "-" + if (mandateReferenceValue.startsWith("-")) + mandateReferenceValue = mandateReferenceValue.substring(1); + + session.setMandateReferenceValue(mandateReferenceValue); + + ExtendedSAMLAttribute mandateReferenceValueAttribute = + new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); + + extendedSAMLAttributes.add(mandateReferenceValueAttribute); + } //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - //..BZ } - //BZ.., adding friendly name of OA + //adding friendly name of OA String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); ExtendedSAMLAttribute oaFriendlyNameAttribute = new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); extendedSAMLAttributes.add(oaFriendlyNameAttribute); - //..BZ String assertion; - try { + try { assertion = MessageFormat.format( AUTH_BLOCK, new Object[] { wbpkNSDeclaration, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java index 640c60e49..367116c73 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java @@ -74,6 +74,40 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB "{12}" + " " + NL + ""; + + /** + * XML template for the <saml:Assertion> to be built + */ + private static final String AUTH_DATA_MANDATE = + "" + NL + + "" + NL + + " " + NL + + " " + NL + + " {4}" + NL + + " " + NL + + " " + MOA_NS_URI + "cm" + NL + + " {5}{6}" + NL + + " " + NL + + " " + NL + + " " + NL + + " {7}" + NL + + " " + NL + + " " + NL + + " {8}" + NL + + " " + NL + + " " + NL + + " {9}" + NL + + " " + NL + + " " + NL + + " {10}" + NL + + " " + NL + + "{11}" + + "{12}" + + "{13}" + + " " + NL + + ""; /** * XML template for the <saml:Attribute> named "isPublicAuthority", * to be inserted into the <saml:Assertion> @@ -181,5 +215,94 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB } return assertion; } + + /** + * Builds the authentication data <saml:Assertion>. + * + * @param authData the AuthenticationData to build the + * <saml:Assertion> from + * @param xmlPersonData lt;pr:Person> element as a String + * @param xmlAuthBlock authentication block to be included in a + * lt;saml:SubjectConfirmationData> element; may include + * the "Stammzahl" or not; may be empty + * @param xmlIdentityLink the IdentityLink + * @param signerCertificateBase64 Base64 encoded certificate of the signer. Maybe + * an empty string if the signer certificate should not be provided. + * Will be ignored if the businessService parameter is + * set to false. + * @param businessService true if the online application is a + * business service, otherwise false + * @return the <saml:Assertion> + * @throws BuildException if an error occurs during the build process + */ + public String buildMandate( + AuthenticationData authData, + String xmlPersonData, + String xmlMandateData, + String xmlAuthBlock, + String xmlIdentityLink, + String bkuURL, + String signerCertificateBase64, + boolean businessService, + List extendedSAMLAttributes) + throws BuildException + { + + String isQualifiedCertificate = authData.isQualifiedCertificate() ? "true" : "false"; + String publicAuthorityAttribute = ""; + if (authData.isPublicAuthority()) { + String publicAuthorityIdentification = authData.getPublicAuthorityCode(); + if (publicAuthorityIdentification == null) + publicAuthorityIdentification = "True"; + publicAuthorityAttribute = MessageFormat.format( + PUBLIC_AUTHORITY_ATT, new Object[] { publicAuthorityIdentification }); + } + + + String signerCertificateAttribute = ""; + if (signerCertificateBase64 != "") { + signerCertificateAttribute = MessageFormat.format( + SIGNER_CERTIFICATE_ATT, new Object[] { signerCertificateBase64 }); + } + + String pkType; + String pkValue; + if (businessService) { + pkType = authData.getIdentificationType(); + pkValue = authData.getWBPK(); + + } else { + // always has the bPK as type/value + pkType = URN_PREFIX_BPK; + pkValue = authData.getBPK(); + } + +// System.out.println("pkType; " + pkType); +// System.out.println("pkValue; " + pkValue); + + String assertion; + try { + + assertion = MessageFormat.format(AUTH_DATA_MANDATE, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstant(), + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + StringUtils.removeXMLDeclaration(xmlMandateData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } catch (ParseException e) { + Logger.error("Error on building Authentication Data Assertion: " + e.getMessage()); + throw new BuildException("builder.00", new Object[] { "Authentication Data Assertion", e.toString()}); + } + return assertion; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java index 556b0cb6a..41e4cd37d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java @@ -74,8 +74,8 @@ public class SAMLArtifactBuilder { // alternative sourceId String alternativeSourceID = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter(GENERIC_CONFIG_PARAM_SOURCEID); - System.out.println("alternativeSourceID: " + alternativeSourceID); - System.out.println("authURL: " + authURL); + //System.out.println("alternativeSourceID: " + alternativeSourceID); + //System.out.println("authURL: " + authURL); if (!ParepUtils.isEmpty(alternativeSourceID)) { // if generic config parameter "AuthenticationServer.SourceID" is given, use that sourceID instead of authURL; @@ -85,7 +85,7 @@ public class SAMLArtifactBuilder { sourceID = md.digest(authURL.getBytes()); } - System.out.println("sourceID: " + new String(sourceID)); + //System.out.println("sourceID: " + new String(sourceID)); byte[] assertionHandle = md.digest(sessionID.getBytes()); ByteArrayOutputStream out = new ByteArrayOutputStream(42); @@ -94,9 +94,9 @@ public class SAMLArtifactBuilder { out.write(sourceID, 0, 20); out.write(assertionHandle, 0, 20); byte[] samlArtifact = out.toByteArray(); - System.out.println("samlArtifact: " + new String(samlArtifact)); + //System.out.println("samlArtifact: " + new String(samlArtifact)); String samlArtifactBase64 = Base64Utils.encode(samlArtifact); - System.out.println("samlArtifact Base64: " + samlArtifactBase64); + //System.out.println("samlArtifact Base64: " + samlArtifactBase64); return samlArtifactBase64; } catch (Throwable ex) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index bae95c2a6..61e4cd28b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -36,6 +36,7 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils; +import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -87,25 +88,41 @@ public class AuthenticationSession { private boolean useMandate; /** - * Selected mandate + * Reference value for mandate */ - private Element mandateElem; + private String mandateReferenceValue; /** - * @return the mandateElem - */ - public Element getMandateElem() { - return mandateElem; - } - - /** - * @param mandateElem the mandateElem to set - */ - public void setMandateElem(Element mandateElem) { - this.mandateElem = mandateElem; - } - - /** + * Authentication data for the assertion + */ + private AuthenticationData assertionAuthData; + + /** + * Persondata for the assertion + */ + private String assertionPrPerson; + + /** + * Authblock for the assertion + */ + private String assertionAuthBlock; + + /** + * Identitylink assertion for the (MOA) assertion + */ + private String assertionIlAssertion; + + /** + * Signer certificate (base64 encoded) for the assertion + */ + private String assertionSignerCertificateBase64; + + /** + * bussiness service for the assertion + */ + boolean assertionBusinessService; + + /** * SessionID for MIS */ private String misSessionID; @@ -176,14 +193,7 @@ public class AuthenticationSession { */ private String pushInfobox; - /** - * AppSpecificConfiguration entry of then mandates infobox-validator. Tells - * whether person data from the representative have to be exchanged by data - * from the mandate - */ - private boolean mandateCompatibilityMode = false; - - + /** * Constructor for AuthenticationSession. @@ -562,20 +572,6 @@ public class AuthenticationSession { return null; } - /** - * @return the mandateCompatibilityMode - */ - public boolean isMandateCompatibilityMode() { - return mandateCompatibilityMode; - } - - /** - * @param mandateCompatibilityMode the mandateCompatibilityMode to set - */ - public void setMandateCompatibilityMode(boolean mandateCompatibilityMode) { - this.mandateCompatibilityMode = mandateCompatibilityMode; - } - /** * Returns domain identifier (the register and number in the register parameter). * null in the case of not a business service. @@ -660,4 +656,105 @@ public class AuthenticationSession { public String getMISSessionID() { return this.misSessionID; } + + /** + * @return the assertionAuthData + */ + public AuthenticationData getAssertionAuthData() { + return assertionAuthData; + } + + /** + * @param assertionAuthData the assertionAuthData to set + */ + public void setAssertionAuthData(AuthenticationData assertionAuthData) { + this.assertionAuthData = assertionAuthData; + } + + /** + * @return the assertionPrPerson + */ + public String getAssertionPrPerson() { + return assertionPrPerson; + } + + /** + * @param assertionPrPerson the assertionPrPerson to set + */ + public void setAssertionPrPerson(String assertionPrPerson) { + this.assertionPrPerson = assertionPrPerson; + } + + /** + * @return the assertionAuthBlock + */ + public String getAssertionAuthBlock() { + return assertionAuthBlock; + } + + /** + * @param assertionAuthBlock the assertionAuthBlock to set + */ + public void setAssertionAuthBlock(String assertionAuthBlock) { + this.assertionAuthBlock = assertionAuthBlock; + } + + /** + * @return the assertionIlAssertion + */ + public String getAssertionIlAssertion() { + return assertionIlAssertion; + } + + /** + * @param assertionIlAssertion the assertionIlAssertion to set + */ + public void setAssertionIlAssertion(String assertionIlAssertion) { + this.assertionIlAssertion = assertionIlAssertion; + } + + /** + * @return the assertionSignerCertificateBase64 + */ + public String getAssertionSignerCertificateBase64() { + return assertionSignerCertificateBase64; + } + + /** + * @param assertionSignerCertificateBase64 the assertionSignerCertificateBase64 to set + */ + public void setAssertionSignerCertificateBase64(String assertionSignerCertificateBase64) { + this.assertionSignerCertificateBase64 = assertionSignerCertificateBase64; + } + + /** + * @return the assertionBusinessService + */ + public boolean getAssertionBusinessService() { + return assertionBusinessService; + } + + /** + * @param assertionBusinessService the assertionBusinessService to set + */ + public void setAssertionBusinessService(boolean assertionBusinessService) { + this.assertionBusinessService = assertionBusinessService; + } + + /** + * @return the mandateReferenceValue + */ + public String getMandateReferenceValue() { + return mandateReferenceValue; + } + + /** + * @param mandateReferenceValue the mandateReferenceValue to set + */ + public void setMandateReferenceValue(String mandateReferenceValue) { + this.mandateReferenceValue = mandateReferenceValue; + } + + } + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java index b1ae12084..977784a6b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java @@ -27,7 +27,6 @@ package at.gv.egovernment.moa.id.auth.servlet; import iaik.pki.PKIException; import java.io.IOException; -import java.io.PrintWriter; import java.security.GeneralSecurityException; import java.util.List; @@ -38,16 +37,14 @@ import javax.servlet.http.HttpServletResponse; import javax.xml.parsers.ParserConfigurationException; import org.apache.commons.lang.StringEscapeUtils; -import org.w3c.dom.Document; +import org.w3c.dom.Element; import org.xml.sax.SAXException; -import at.gv.egovernment.moa.id.BuildException; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.WrongParametersException; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; -import at.gv.egovernment.moa.id.auth.builder.GetIdentityLinkFormBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.ConnectionParameter; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; @@ -58,6 +55,7 @@ import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient; import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClientException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.URLEncoder; /** * Servlet requested for getting the foreign eID @@ -139,8 +137,6 @@ public class GetMISSessionIDServlet extends AuthServlet { String misSessionID = session.getMISSessionID(); - //System.out.println("MIS Session ID (GetMISServlet): " + misSessionID); - AuthConfigurationProvider authConf= AuthConfigurationProvider.getInstance(); ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter(); SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters); @@ -158,31 +154,36 @@ public class GetMISSessionIDServlet extends AuthServlet { // for now: list contains only one element MISMandate mandate = (MISMandate)list.get(0); - + // verify mandate signature - String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyMandate(sessionID, mandate); + AuthenticationServer.getInstance().verifyMandate(sessionID, mandate); byte[] byteMandate = mandate.getMandate(); String stringMandate = new String(byteMandate); - Document mandateDoc = DOMUtils.parseDocument(stringMandate, false, null, null); - session.setMandateElem(mandateDoc.getDocumentElement()); - //System.out.println("stringMandate: " + stringMandate); + Element mandateDoc = DOMUtils.parseDocument(stringMandate, false, null, null).getDocumentElement(); + //session.setMandateElem(mandateDoc.getDocumentElement()); - String dataurl = - new DataURLBuilder().buildDataURL( - session.getAuthURL(), - REQ_VERIFY_AUTH_BLOCK, - session.getSessionID()); - - Logger.debug(createXMLSignatureRequestOrRedirect); - - //String request = getHTMLForm(createXMLSignatureRequestOrRedirect, session.getBkuURL(), dataurl, session.getPublicOAURLPrefix()); - String request = null; - resp.setContentType("text/html;charset=UTF-8"); - PrintWriter out = new PrintWriter(resp.getOutputStream()); - out.print(request); - out.flush(); - + String redirectURL = null; + String samlArtifactBase64 = + AuthenticationServer.getInstance().verifyAuthenticationBlockMandate(sessionID, mandateDoc); + + + if (!samlArtifactBase64.equals("Redirect to Input Processor")) { + redirectURL = session.getOAURLRequested(); + if (!session.getBusinessService()) { + redirectURL = addURLParameter(redirectURL, PARAM_TARGET, URLEncoder.encode(session.getTarget(), "UTF-8")); + } + redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); + redirectURL = resp.encodeRedirectURL(redirectURL); + } else { + redirectURL = new DataURLBuilder().buildDataURL(session.getAuthURL(), AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, session.getSessionID()); + } + resp.setContentType("text/html"); + resp.setStatus(302); + + resp.addHeader("Location", redirectURL); + Logger.debug("REDIRECT TO: " + redirectURL); + } catch (MOAIDException ex) { @@ -198,6 +199,21 @@ public class GetMISSessionIDServlet extends AuthServlet { } catch (ParserConfigurationException e) { handleError(null, e, req, resp); } + } + + /** + * Adds a parameter to a URL. + * @param url the URL + * @param paramname parameter name + * @param paramvalue parameter value + * @return the URL with parameter added + */ + private static String addURLParameter(String url, String paramname, String paramvalue) { + String param = paramname + "=" + paramvalue; + if (url.indexOf("?") < 0) + return url + "?" + param; + else + return url + "&" + param; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java index 1dfc266a9..b5c57d5cf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java @@ -175,7 +175,7 @@ public class ProcessValidatorInputServlet extends AuthServlet { AuthenticationSession session = AuthenticationServer.getSession(sessionID); AuthenticationServer.processInput(session, parameters); - String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().getCreateXMLSignatureRequestAuthBlockOrRedirect(session, null, null, false); + String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().getCreateXMLSignatureRequestAuthBlockOrRedirect(session, null, null); if (!createXMLSignatureRequestOrRedirect.startsWith("Redirect")) { // Now sign the AUTH Block String dataURL = new DataURLBuilder().buildDataURL( diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java index 5b9995709..f7f9d8fed 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java @@ -39,8 +39,10 @@ import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.WrongParametersException; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; +import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilderCertificate; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.id.util.ServletUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.URLEncoder; @@ -140,6 +142,28 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { AuthenticationSession session = AuthenticationServer.getSession(sessionID); String samlArtifactBase64 = AuthenticationServer.getInstance().verifyAuthenticationBlock(sessionID, createXMLSignatureResponse); + + if (samlArtifactBase64 == null) { + //mandate Mode + + Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate."); + + String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true); + + // build dataurl + String dataurl = + new DataURLBuilder().buildDataURL( + session.getAuthURL(), + REQ_VERIFY_CERTIFICATE, + session.getSessionID()); + + + //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)"); + //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); + Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)"); + ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); + + } if (!samlArtifactBase64.equals("Redirect to Input Processor")) { redirectURL = session.getOAURLRequested(); if (!session.getBusinessService()) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java index c9f9491bb..181c46bf9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java @@ -150,7 +150,9 @@ public class VerifyCertificateServlet extends AuthServlet { throw new AuthenticationException("auth.14", null); } - boolean useMandate = session.getUseMandate(); + boolean useMandate = session.getUseMandate(); + + if (useMandate) { // Mandate Modus // make request to MIS @@ -162,8 +164,6 @@ public class VerifyCertificateServlet extends AuthServlet { // get identitity link as byte[] Element elem = session.getIdentityLink().getSamlAssertion(); String s = DOMUtils.serializeNode(elem); -// byte[] idl = DOMUtils.nodeToByteArray(elem); -// String s = new String(idl); byte[] idl = s.getBytes(); // redirect url @@ -187,8 +187,10 @@ public class VerifyCertificateServlet extends AuthServlet { for(int i = 0; i < profilesArray.length; i++) { profilesArray[i] = profilesArray[i].trim(); } - - MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), redirectURL, profilesArray, sslFactory); + + String oaFriendlyName = oaParam.getFriendlyName(); + String mandateReferenceValue = session.getMandateReferenceValue(); + MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), oaFriendlyName, redirectURL, mandateReferenceValue, profilesArray, sslFactory); String redirectMISGUI = misSessionID.getRedirectURL(); if (misSessionID == null) { @@ -235,21 +237,6 @@ public class VerifyCertificateServlet extends AuthServlet { } } - /** - * Adds a parameter to a URL. - * @param url the URL - * @param paramname parameter name - * @param paramvalue parameter value - * @return the URL with parameter added - */ - private static String addURLParameter(String url, String paramname, String paramvalue) { - String param = paramname + "=" + paramvalue; - if (url.indexOf("?") < 0) - return url + "?" + param; - else - return url + "&" + param; - } - /** * Does the request to the SZR-GW * @param givenname @@ -312,50 +299,42 @@ public class VerifyCertificateServlet extends AuthServlet { // // } - /** - * Builds the szrgw:GetIdentityLinkRequest für the SZR-GW - * @param givenname - * @param familyname - * @param birthday - * @return - */ - private static Document buildGetIdentityLinkRequest(X509Certificate cert) { - - try { - byte[] certbyte = cert.getEncoded(); - String certstring = Base64.encode(certbyte); - - DocumentBuilderFactory factory =DocumentBuilderFactory.newInstance(); - factory.setNamespaceAware(true); - DocumentBuilder builder = factory.newDocumentBuilder(); - Document doc = builder.newDocument(); - - Element getIdentityLink = doc.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, "szrgw:GetIdentityLinkRequest"); - getIdentityLink.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:szrgw", SZRGWConstants.SZRGW_REQUEST_NS); - doc.appendChild(getIdentityLink); - - Element x509certificate = doc.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, "szrgw:X509Certificate"); - getIdentityLink.appendChild(x509certificate); - Text certbase64 = doc.createTextNode(certstring); - x509certificate.appendChild(certbase64); - - return doc; - } catch (ParserConfigurationException e) { - e.printStackTrace(); - } catch (CertificateEncodingException e) { - e.printStackTrace(); - } - return null; - - } - - /** - * Checks a parameter. - * @param param parameter - * @return true if the parameter is null or empty - */ - private boolean isEmpty(String param) { - return param == null || param.length() == 0; - } - +// /** +// * Builds the szrgw:GetIdentityLinkRequest für the SZR-GW +// * @param givenname +// * @param familyname +// * @param birthday +// * @return +// */ +// private static Document buildGetIdentityLinkRequest(X509Certificate cert) { +// +// try { +// byte[] certbyte = cert.getEncoded(); +// String certstring = Base64.encode(certbyte); +// +// DocumentBuilderFactory factory =DocumentBuilderFactory.newInstance(); +// factory.setNamespaceAware(true); +// DocumentBuilder builder = factory.newDocumentBuilder(); +// Document doc = builder.newDocument(); +// +// Element getIdentityLink = doc.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, "szrgw:GetIdentityLinkRequest"); +// getIdentityLink.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:szrgw", SZRGWConstants.SZRGW_REQUEST_NS); +// doc.appendChild(getIdentityLink); +// +// Element x509certificate = doc.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, "szrgw:X509Certificate"); +// getIdentityLink.appendChild(x509certificate); +// Text certbase64 = doc.createTextNode(certstring); +// x509certificate.appendChild(certbase64); +// +// return doc; +// } catch (ParserConfigurationException e) { +// e.printStackTrace(); +// } catch (CertificateEncodingException e) { +// e.printStackTrace(); +// } +// return null; +// +// } +// + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java index 99ae497ba..df5abe4f5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java @@ -171,33 +171,9 @@ public class VerifyIdentityLinkServlet extends AuthServlet { } } -// else { -// boolean useMandate = session.getUseMandate(); -// if (useMandate) { // Mandate modus -// // read certificate and set dataurl to VerifyCertificateServlet -// -// Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate."); -// -// String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true); -// -// // build dataurl -// String dataurl = -// new DataURLBuilder().buildDataURL( -// session.getAuthURL(), -// REQ_VERIFY_CERTIFICATE, -// session.getSessionID()); -// -// -// //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)"); -// //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); -// Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)"); -// ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); -// -// } - else { - ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink"); - } -// } + else { + ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink"); + } } catch (ParseException ex) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java index 3b8caca4c..60678fe22 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java @@ -56,6 +56,7 @@ import org.xml.sax.SAXNotSupportedException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWSecureSocketFactory; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.StringUtils; public class MISSimpleClient { @@ -134,7 +135,7 @@ public class MISSimpleClient { } } - public static MISSessionId sendSessionIdRequest(String webServiceURL, byte[] idl, byte[] cert, String redirectURL, String mandateIdentifier[], SSLSocketFactory sSLSocketFactory) throws MISSimpleClientException { + public static MISSessionId sendSessionIdRequest(String webServiceURL, byte[] idl, byte[] cert, String oaFriendlyName, String redirectURL, String referenceValue, String mandateIdentifier[], SSLSocketFactory sSLSocketFactory) throws MISSimpleClientException { if (webServiceURL == null) { throw new NullPointerException("Argument webServiceURL must not be null."); } @@ -165,10 +166,22 @@ public class MISSimpleClient { //certElement.appendChild(doc.createTextNode(Base64.encodeBase64(cert))); // certElement.appendChild(doc.createTextNode(new String(Base64.encodeBase64(cert)))); mirElement.appendChild(certElement); - } + } + + if (!StringUtils.isEmpty(oaFriendlyName)) { + Element oaFriendlyNameElement = doc.createElementNS(MIS_NS, "OAFriendlyName"); + oaFriendlyNameElement.appendChild(doc.createTextNode(oaFriendlyName)); + mirElement.appendChild(oaFriendlyNameElement); + } + Element redirectElement = doc.createElementNS(MIS_NS, "RedirectURL"); redirectElement.appendChild(doc.createTextNode(redirectURL)); - mirElement.appendChild(redirectElement); + mirElement.appendChild(redirectElement); + + Element referenceValueElement = doc.createElementNS(MIS_NS, "ReferenceValue"); + referenceValueElement.appendChild(doc.createTextNode(referenceValue)); + mirElement.appendChild(referenceValueElement); + if (mandateIdentifier != null && mandateIdentifier.length > 0) { Element filtersElement = doc.createElementNS(MIS_NS, "Filters"); Element mandateIdentifiersElement = doc.createElementNS(MIS_NS, "MandateIdentifiers"); -- cgit v1.2.3