From c61850c5607d066a3c322794c1220f26b31103a0 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Wed, 16 May 2018 09:29:09 +0200
Subject: add initial version of Security-Layer 2.0 Authentication module

---
 .../moa/id/auth/builder/DataURLBuilder.java        |  4 ++-
 .../moa/id/auth/servlet/AbstractController.java    |  9 ++++-
 .../AbstractProcessEngineSignalController.java     |  2 +-
 .../moa/id/moduls/AuthenticationManager.java       | 23 ++++++++++++++
 .../at/gv/egovernment/moa/id/util/SSLUtils.java    | 37 ++++++++++++++++++++++
 .../resources/properties/id_messages_de.properties |  9 ++++++
 .../protocol_response_statuscodes_de.properties    |  6 ++++
 7 files changed, 86 insertions(+), 4 deletions(-)

(limited to 'id/server/idserverlib/src/main')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
index c78361eda..583bb2ab4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java
@@ -84,7 +84,9 @@ public class DataURLBuilder {
 
 
     dataURL = authBaseURL + authServletName;
-    dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, sessionID);
+    if (sessionID != null)
+      dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, sessionID);
+
     return dataURL;
   }
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index f61b9a4da..50cafb4f6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
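Review bot: The new guard only skips the pending-request parameter for a `null` sessionID, while the rest of this commit (AuthenticationManager) treats empty strings as absent via `MiscUtil.isNotEmpty`, so an empty sessionID would still be appended as a bare `PARAM_TARGET_PENDINGREQUESTID=`. If MiscUtil is available in this class, `if (MiscUtil.isNotEmpty(sessionID))` keeps the two consistent. The resulting behaviour, that callers may now receive a data URL without a pending-request id, also belongs in the method's Javadoc, e.g. `@param sessionID pending-request id appended as PARAM_TARGET_PENDINGREQUESTID, or null to omit the parameter`. The enclosing method starts outside the hunk.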
@@ -134,7 +134,12 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 
     try {
       //switch to protocol-finalize method to generate a protocol-specific error message
-
+
+      //log error directly in debug mode
+      if (Logger.isDebugEnabled())
+        Logger.warn(loggedException.getMessage(), loggedException);
+
+      //put exception into transaction store for redirect
       String key = Random.nextLongRandom();
       if (pendingReq != null) {
 
@@ -147,7 +152,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
             new ExceptionContainer(null, loggedException),-1);
       }
 
-
+      //build up redirect URL
       String redirectURL = null;
       redirectURL = ServletUtils.getBaseUrl(req);
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
index 32f103ca7..18641c090 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java
@@ -55,7 +55,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont
 
       // wake up next task
       processEngine.signal(pendingReq);
-    } catch (Exception ex) {
+    } catch (Exception ex) {
       handleError(null, ex, req, resp, pendingReq);
 
     } finally {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 7f183c5eb..a24683545 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
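Review bot: The new logging in the first hunk is gated on `Logger.isDebugEnabled()` but emitted via `Logger.warn(...)`, so the level that is checked and the level that is written disagree: in a non-debug configuration the exception is never logged here, and with debug on it shows up as a warning. Either log at debug level, `Logger.debug(loggedException.getMessage(), loggedException);`, or drop the gate if the entry should always be visible; since the exception is also placed into the transaction store for the protocol-specific finalize path, the gate presumably exists to avoid logging it twice, and the comment `//log error directly in debug mode` should say so. `loggedException.getMessage()` can be null for some exception types, so a fixed prefix such as `"Error during request processing: " + loggedException.getMessage()` keeps the log line searchable. The enclosing method starts before and ends after this hunk.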
@@ -92,6 +92,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
 public class AuthenticationManager extends MOAIDAuthConstants {
 
   private static List reqParameterWhiteListeForModules = new ArrayList();
+  private static List reqHeaderWhiteListeForModules = new ArrayList();
 
   public static final String MOA_SESSION = "MoaAuthenticationSession";
   public static final String MOA_AUTHENTICATED = "MoaAuthenticated";
@@ -321,6 +322,16 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 
 
   }
+  /**
+   * Add a request header to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext}
+   *
+   * @param httpReqParam http header name, but never null
+   */
+  public void addHeaderNameToWhiteList(String httpReqParam) {
+    if (MiscUtil.isNotEmpty(httpReqParam))
+      reqHeaderWhiteListeForModules.add(httpReqParam.toLowerCase());
+
+  }
 
   /**
    * Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated
@@ -422,6 +433,18 @@ public class AuthenticationManager extends MOAIDAuthConstants {
         }
       }
 
+      //add additional http request parameter to context
+      if (!reqHeaderWhiteListeForModules.isEmpty()) {
+        Enumeration reqHeaderNames = httpReq.getHeaderNames();
+        while(reqHeaderNames.hasMoreElements()) {
+          String paramName = reqHeaderNames.nextElement();
+          if (MiscUtil.isNotEmpty(paramName) && reqHeaderWhiteListeForModules.contains(paramName.toLowerCase()) ) {
+            executionContext.put(paramName,
+                StringEscapeUtils.escapeHtml(httpReq.getHeader(paramName)));
+          }
+        }
+      }
+
       //start process engine
       startProcessEngine(pendingReq, executionContext);
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
index cd700c74a..611dff3b1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
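Review bot: `reqHeaderWhiteListeForModules` is static mutable state that the new instance method `addHeaderNameToWhiteList` (second hunk) appends to and the per-request code (third hunk) reads, yet it is neither `final` nor protected against concurrent modification; declare it `private static final`, and either state in a comment that it is populated at module registration before any request is served, or use a `CopyOnWriteArrayList` if registration can happen later. The element type is not visible on this page, so the declaration only mirrors the existing `reqParameterWhiteListeForModules` field in form.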
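Review bot: The Javadoc on `addHeaderNameToWhiteList` says the argument is `never null`, but the body guards with `MiscUtil.isNotEmpty(httpReqParam)` and silently ignores null or empty names, so the contract and the code disagree; either document the guard, `@param httpReqParam http header name; null or empty values are ignored`, or reject them with an `IllegalArgumentException`. `httpReqParam.toLowerCase()` is locale-sensitive, and the same default-locale call is used for the comparison in the next hunk, so a header such as `X-Client-Id` normalises differently under a Turkish default locale and the whitelist match fails; use `toLowerCase(Locale.ROOT)` in both places. The description also says "parameters" where it means header names.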
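Review bot: The whitelisted header is stored under `paramName`, i.e. in whatever case the client sent it, although the whitelist match is done on the lower-cased form; header names are case-insensitive, so a module that later reads the context by a fixed key may miss the value or find it under different keys depending on the client. Store it under the normalised name, `executionContext.put(paramName.toLowerCase(Locale.ROOT), ...)`, or under the whitelist entry that matched. `httpReq.getHeader(paramName)` returns only the first value of a multi-valued header, and `StringEscapeUtils.escapeHtml` at ingestion commits the value to an HTML context even though a module may need it verbatim (a token, for instance); this presumably follows the existing request-parameter handling, but both points deserve a comment at the `executionContext.put` call. The enclosing method starts before and ends after this hunk.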
@@ -89,6 +89,43 @@ public class SSLUtils {
 
   }
 
+  public static SSLSocketFactory getSSLSocketFactory(
+      ConfigurationProvider conf, String url )
+      throws IOException, GeneralSecurityException, ConfigurationException, PKIException {
+
+    // else create new SSLSocketFactory
+    String trustStoreURL = conf.getTrustedCACertificates();
+
+    if (trustStoreURL == null)
+      throw new ConfigurationException(
+          "config.08", new Object[] {"TrustedCACertificates"});
+
+    String acceptedServerCertURL = "";
+
+    //INFO: MOA-ID 2.x always use defaultChainingMode
+
+    try {
+      SSLSocketFactory ssf = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
+          url,
+          null,
+          trustStoreURL,
+          acceptedServerCertURL,
+          AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(),
+          AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking(),
+          AuthConfigurationProviderFactory.getInstance().getRevocationMethodOrder(),
+          null,
+          null,
+          "pkcs12");
+
+      return ssf;
+
+    } catch (SSLConfigurationException e) {
+      throw new ConfigurationException(e.getErrorID(), e.getParameters(), e.getE());
+
+    }
+  }
+
+
   /**
    * Creates an SSLSocketFactory which utilizes an
    * IAIKX509TrustManager for the given trust store,
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 4205f2175..9cc4b0b5e 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
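Review bot: `getSSLSocketFactory(ConfigurationProvider conf, String url)` takes a `conf` argument but uses it only for the trust store; chaining mode, revocation checking and revocation method order are read from `AuthConfigurationProviderFactory.getInstance()`, so a caller passing a different provider gets a factory whose trust anchors and whose validation policy come from two configurations. Read all four values from `conf` if `ConfigurationProvider` exposes them, or drop the parameter and document that the singleton is used. The new public method has no Javadoc; it should say that a fresh factory is built on every call, that `acceptedServerCertURL` is passed as an empty string, and carry `@throws ConfigurationException if TrustedCACertificates is not configured or the SSL configuration is rejected`. The comment `// else create new SSLSocketFactory` refers to a cache branch that does not exist in this method and should be removed or reworded.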
@@ -336,3 +336,12 @@ slo.02=Es wurde keine aktive SSO Session gefunden oder Sie sind bei keiner Onlin
 process.01=Fehler beim Ausf\u00FChren des Prozesses.
 process.02=Fehler beim Erstellen eines geeigneten Prozesses f\u00FCr die SessionID {0}.
 process.03=Fehler beim Weiterf\u00FChren es Prozesses. Msg:{0}
+
+sl20.00=Allgemeiner Fehler w\u00e4hrend SL2.0 Authentifizierung. Msg: {0}
+sl20.01=Fehler beim Generieren des SL2.0 Kommandos. Msg: {0}
+sl20.02=Fehler beim Parsen des SL2.0 Kommandos. Msg: {0}
+sl20.03=Fehlende Konfiguration im SL2.0 Modul. Msg: {0}
+sl20.04=Http request enth\u00e4lt keinen SL2.0 Transportcontainer.
+sl20.05=Fehler beim Validieren eines JWS oder JWE Tokens. Reason: {0}.
+sl20.06=Http transport-binding error. Reason: {0}
+
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index 0a37fdc91..6de581cae 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -253,6 +253,12 @@ oauth20.06=1000
 oauth20.09=9005
 oauth20.10=9102
 
+sl20.00=14999
+sl20.01=14000
+sl20.02=14001
+sl20.03=14800
+sl20.04=14001
+
 ##Map MIS/BKU statuscodes to MOA-ID-Auth statuscodes
 mis.301=1005
 bku.6001=1005
\ No newline at end of file
-- 
cgit v1.2.3
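Review bot: The message bundle defines `sl20.00` through `sl20.06`, but the status-code map only adds `sl20.00` through `sl20.04`, so `sl20.05` (JWS/JWE validation) and `sl20.06` (transport-binding error) have a message but no response status code; whether the lookup falls back to a default or fails for those keys is not visible here, but the two files should be kept in step by adding `sl20.05=` and `sl20.06=` entries with the intended codes. `sl20.02` and `sl20.04` both map to `14001` while `sl20.00` maps to `14999`; if sharing a code is deliberate, a short comment above the block would save the next reader a question.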