From c9370266c7553db65e9d18f7fe2a0230ab94d912 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 18 Feb 2016 11:02:55 +0100 Subject: refactor authentication process to use service-provider configuration from pending-request --- .../moa/id/auth/MOAIDAuthConstants.java | 6 + .../id/auth/builder/AuthenticationDataBuilder.java | 4 +- .../builder/CreateXMLSignatureRequestBuilder.java | 16 +- .../moa/id/auth/data/AuthenticationSession.java | 352 +-------------------- .../id/auth/modules/AbstractAuthServletTask.java | 51 +++ .../tasks/CreateInterfedeartionRequestTask.java | 3 +- .../internal/tasks/EvaluateBKUSelectionTask.java | 5 +- .../tasks/GenerateBKUSelectionFrameTask.java | 2 +- .../StartAuthentificationParameterParser.java | 239 ++++++-------- .../id/auth/servlet/IDPSingleLogOutServlet.java | 4 +- .../moa/id/config/auth/IOAAuthParameters.java | 7 + .../moa/id/moduls/AuthenticationManager.java | 3 +- .../egovernment/moa/id/moduls/IRequestStorage.java | 3 +- .../egovernment/moa/id/moduls/RequestStorage.java | 14 +- .../id/protocols/pvp2x/AttributQueryAction.java | 2 +- .../id/protocols/pvp2x/PVPTargetConfiguration.java | 11 +- .../builder/assertion/PVP2AssertionBuilder.java | 27 +- .../pvp2x/requestHandler/AuthnRequestHandler.java | 2 +- .../moa/id/storage/DBTransactionStorage.java | 88 ++++-- .../moa/id/storage/ITransactionStorage.java | 15 +- .../auth/modules/internal/BKUSelection.process.xml | 6 +- .../main/resources/moaid.authentication.beans.xml | 3 + .../resources/templates/loginFormFull.html | 8 +- 23 files changed, 306 insertions(+), 565 deletions(-) (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index 082ebcdcd..d76021bbd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -177,4 +177,10 @@ public class MOAIDAuthConstants extends MOAIDConstants{ public static final String PROCESSCONTEXT_INTERFEDERATION_ENTITYID = "interfederationIDPEntityID"; public static final String PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION = "requireLocalAuthentication"; + //General protocol-request data-store keys + public static final String AUTHPROCESS_DATA_TARGET = "authProces_Target"; + public static final String AUTHPROCESS_DATA_TARGETFRIENDLYNAME = "authProces_TargetFriendlyName"; + public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate"; + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 5bde82899..2f882f41e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -198,7 +198,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { IOAAuthParameters oaParam = null; if (reqAttributes == null) { //get OnlineApplication from MOA-ID-Auth configuration - oaParam = authConfig.getOnlineApplicationParameter(oaID); + oaParam = protocolRequest.getOnlineApplicationConfiguration(); //build OA dynamically from STROK request if this OA is used as STORK<->PVP gateway if (oaParam.isSTORKPVPGateway()) @@ -879,7 +879,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse(); - authData.setIssuer(session.getAuthURL()); + authData.setIssuer(protocolRequest.getAuthURL()); //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO authData.setIdentificationValue(identityLink.getIdentificationValue()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java index bbbfacbd1..e763c5355 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java @@ -50,9 +50,10 @@ import java.text.MessageFormat; import java.util.Calendar; import java.util.List; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DateTimeUtils; import at.gv.egovernment.moa.util.StringUtils; @@ -156,7 +157,7 @@ public class CreateXMLSignatureRequestBuilder implements Constants { * @param session current session * @return String representation of <CreateXMLSignatureRequest> */ - public String buildForeignID(String subject, OAAuthParameter oaParam, AuthenticationSession session) { + public String buildForeignID(String subject, IRequest pendingReq) { String request = ""; request += ""; @@ -165,7 +166,7 @@ public class CreateXMLSignatureRequestBuilder implements Constants { request += ""; request += ""; - request += buildForeignIDTextToBeSigned(subject, oaParam, session); + request += buildForeignIDTextToBeSigned(subject,pendingReq); request += ""; request += ""; @@ -180,9 +181,10 @@ public class CreateXMLSignatureRequestBuilder implements Constants { return request; } - public static String buildForeignIDTextToBeSigned(String subject, OAAuthParameter oaParam, AuthenticationSession session) { - - String target = session.getTarget(); + public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) { + IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); + String target = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); Calendar cal = Calendar.getInstance(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 3849eb8a2..196415ddc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -75,53 +75,12 @@ public class AuthenticationSession implements Serializable { private String sessionID; private Date sessionCreated = null; - - /** - * "Geschäftsbereich" the online application belongs to; maybe null if the - * online application is a business application - */ - private String target; - /** - * Friendly name for the target, if target is configured via MOA-ID configuration - */ - private String targetFriendlyName; - - /** - * SourceID - */ - private String sourceID; - - /** - * public online application URL requested - */ - private String oaURLRequested; - /** - * public online application URL prefix - */ - private String oaPublicURLPrefix; - /** - * URL of MOA ID authentication component - */ - private String authURL; - /** - * HTML template URL - */ - private String templateURL; - + /** * URL of the BKU */ private String bkuURL; - /** - * Indicates whether the corresponding online application is a business service or not - */ - private boolean businessService; - - /** - * Indicates whether the corresponding online application is a stork service or not - */ - private boolean storkService; // Store Mandate /** @@ -131,11 +90,6 @@ public class AuthenticationSession implements Serializable { private boolean isOW = false; - /** - * STORK - */ - private String ccc; - /** * * Mandate element @@ -158,12 +112,6 @@ public class AuthenticationSession implements Serializable { */ private IdentityLink identityLink; - // /** - // * timestamp logging when identity link has been received - // */ - // private Date timestampIdentityLink; - - // store Authblock /** * authentication block to be signed by the user */ @@ -176,11 +124,9 @@ public class AuthenticationSession implements Serializable { */ private String issueInstant; - // Signer certificate /** * Signer certificate of the foreign citizen or for mandate mode */ - // private X509Certificate signerCertificate; private byte[] signerCertificate; /** @@ -200,26 +146,8 @@ public class AuthenticationSession implements Serializable { * the AUTHBlock. */ private List extendedSAMLAttributesAUTH; - -// /** -// * If infobox validators are needed after signing, they can be stored in this list. -// */ -// private List infoboxValidators; - - /** - * The register and number in the register parameter in case of a business service application. - */ - private String domainIdentifier; - - /** - * This string contains all identifiers of infoboxes, the online application is configured to - * accept. The infobox identifiers are comma separated. - */ - private String pushInfobox; - + private boolean authenticated; - - private boolean ssoRequested = false; private String QAALevel = null; @@ -228,15 +156,8 @@ public class AuthenticationSession implements Serializable { private boolean isForeigner; private Map genericSessionDataStorate = new HashedMap(); - - public boolean isAuthenticated() { - return authenticated; - } - - public void setAuthenticated(boolean authenticated) { - this.authenticated = authenticated; - } - + + /** * Constructor for AuthenticationSession. * @@ -249,6 +170,14 @@ public class AuthenticationSession implements Serializable { } + public boolean isAuthenticated() { + return authenticated; + } + + public void setAuthenticated(boolean authenticated) { + this.authenticated = authenticated; + } + public X509Certificate getSignerCertificate() { try { return new X509Certificate(signerCertificate); @@ -310,24 +239,6 @@ public class AuthenticationSession implements Serializable { this.sessionID = sessionId; } - /** - * Returns the oaURLRequested. - * - * @return String - */ - public String getOAURLRequested() { - return oaURLRequested; - } - - /** - * Returns the oaURLRequested. - * - * @return String - */ - public String getPublicOAURLPrefix() { - return oaPublicURLPrefix; - } - /** * Returns the BKU URL. * @@ -336,54 +247,7 @@ public class AuthenticationSession implements Serializable { public String getBkuURL() { return bkuURL; } - - /** - * Returns the target. - * - * @return String - */ - public String getTarget() { - return target; - } - - /** - * Returns the sourceID. - * - * @return String - */ - public String getSourceID() { - return sourceID; - } - - /** - * Returns the target friendly name. - * - * @return String - */ - public String getTargetFriendlyName() { - return targetFriendlyName; - } - - /** - * Sets the oaURLRequested. - * - * @param oaURLRequested - * The oaURLRequested to set - */ - public void setOAURLRequested(String oaURLRequested) { - this.oaURLRequested = oaURLRequested; - } - - /** - * Sets the oaPublicURLPrefix - * - * @param oaPublicURLPrefix - * The oaPublicURLPrefix to set - */ - public void setPublicOAURLPrefix(String oaPublicURLPrefix) { - this.oaPublicURLPrefix = oaPublicURLPrefix; - } - + /** * Sets the bkuURL * @@ -393,63 +257,7 @@ public class AuthenticationSession implements Serializable { public void setBkuURL(String bkuURL) { this.bkuURL = bkuURL; } - - /** - * Sets the target. If the target includes the target prefix, the prefix will be stripped off. - * - * @param target - * The target to set - */ - public void setTarget(String target) { - if (target != null && target.startsWith(TARGET_PREFIX_)) { - // If target starts with prefix "urn:publicid:gv.at:cdid+"; remove - // prefix - this.target = target.substring(TARGET_PREFIX_.length()); - Logger.debug("Target prefix stripped off; resulting target: " + this.target); - } else { - this.target = target; - } - } - - /** - * Sets the sourceID - * - * @param sourceID - * The sourceID to set - */ - public void setSourceID(String sourceID) { - this.sourceID = sourceID; - } - - /** - * Sets the target. If the target includes the target prefix, the prefix will be stripped off. - * - * @param target - * The target to set - */ - public void setTargetFriendlyName(String targetFriendlyName) { - this.targetFriendlyName = targetFriendlyName; - } - - /** - * Returns the authURL. - * - * @return String - */ - public String getAuthURL() { - return authURL; - } - - /** - * Sets the authURL. - * - * @param authURL - * The authURL to set - */ - public void setAuthURL(String authURL) { - this.authURL = authURL; - } - + /** * Returns the authBlock. * @@ -469,61 +277,6 @@ public class AuthenticationSession implements Serializable { this.authBlock = authBlock; } - /** - * Returns the businessService. - * - * @return true if the corresponding online application is a business application, - * otherwise false - */ - public boolean getBusinessService() { - return businessService; - } - - /** - * Sets the businessService variable. - * - * @param businessService - * the value for setting the businessService variable. - */ - public void setBusinessService(boolean businessService) { - this.businessService = businessService; - } - - - /** - * Returns the storkService. - * - * @return true if the corresponding online application is a stork application, - * otherwise false - */ - public boolean getStorkService() { - return storkService; - } - - /** - * Sets the storkService variable. - * - * @param storkService - * the value for setting the storkService variable. - */ - public void setStorkService(boolean storkService) { - this.storkService = storkService; - } - - /** - * @return template URL - */ - public String getTemplateURL() { - return templateURL; - } - - /** - * @param string - * the template URL - */ - public void setTemplateURL(String string) { - templateURL = string; - } /** * Returns the SAML Attributes to be appended to the AUTHBlock. Maybe null. @@ -610,54 +363,6 @@ public class AuthenticationSession implements Serializable { public void setIssueInstant(String issueInstant) { this.issueInstant = issueInstant; } - - /** - * Returns domain identifier (the register and number in the register parameter). - * null in the case of not a business service. - * - * @return the domainIdentifier - */ - public String getDomainIdentifier() { - return domainIdentifier; - } - - /** - * Sets the register and number in the register parameter if the application is a business - * service. If the domain identifier includes the registerAndOrdNr prefix, the prefix will be - * stripped off. - * - * @param domainIdentifier - * the domain identifier to set - */ - public void setDomainIdentifier(String domainIdentifier) { - if (domainIdentifier != null && domainIdentifier.startsWith(REGISTERANDORDNR_PREFIX_)) { - // If domainIdentifier starts with prefix - // "urn:publicid:gv.at:wbpk+"; remove this prefix - this.domainIdentifier = domainIdentifier.substring(REGISTERANDORDNR_PREFIX_.length()); - Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " + this.domainIdentifier); - } else { - this.domainIdentifier = domainIdentifier; - } - } - - /** - * Gets all identifiers of infoboxes, the online application is configured to accept. The - * infobox identifiers are comma separated. - * - * @return the string containing infobox identifiers - */ - public String getPushInfobox() { - if (pushInfobox == null) return ""; - return pushInfobox; - } - - /** - * @param pushInfobox - * the infobox identifiers to set (comma separated) - */ - public void setPushInfobox(String pushInfobox) { - this.pushInfobox = pushInfobox; - } /** * @@ -713,15 +418,7 @@ public class AuthenticationSession implements Serializable { public void setMandateReferenceValue(String mandateReferenceValue) { this.mandateReferenceValue = mandateReferenceValue; } - - public String getCcc() { - return ccc; - } - - public void setCcc(String ccc) { - this.ccc = ccc; - } - + public boolean isForeigner() { return isForeigner; } @@ -745,24 +442,7 @@ public class AuthenticationSession implements Serializable { public void setMISMandate(MISMandate mandate) { this.mandate = mandate; } - - /** - * @return the ssoRequested - */ - - // TODO: SSO only allowed without mandates, actually!!!!!! - public boolean isSsoRequested() { - return ssoRequested && !useMandate; - } - - /** - * @param ssoRequested - * the ssoRequested to set - */ - public void setSsoRequested(boolean ssoRequested) { - this.ssoRequested = ssoRequested; - } - + /** * @return the isOW */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/AbstractAuthServletTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/AbstractAuthServletTask.java index a73fd6858..66f91266f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/AbstractAuthServletTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/AbstractAuthServletTask.java @@ -7,6 +7,7 @@ import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.HEADER_VALUE_CACH import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE; import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.HEADER_VALUE_EXPIRES; import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.HEADER_VALUE_PRAGMA; +import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID; import java.io.ByteArrayOutputStream; import java.io.IOException; @@ -29,19 +30,24 @@ import org.apache.commons.fileupload.FileItemFactory; import org.apache.commons.fileupload.FileUploadException; import org.apache.commons.fileupload.disk.DiskFileItemFactory; import org.apache.commons.fileupload.servlet.ServletFileUpload; +import org.apache.commons.lang.StringEscapeUtils; import org.apache.commons.lang3.ArrayUtils; +import org.apache.commons.lang3.ObjectUtils; import org.springframework.beans.factory.annotation.Autowired; import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; import at.gv.egovernment.moa.id.advancedlogging.StatisticLogger; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.IRequestStorage; +import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.process.springweb.MoaIdTask; import at.gv.egovernment.moa.id.protocols.AbstractProtocolModulController; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; @@ -66,6 +72,51 @@ public abstract class AbstractAuthServletTask extends MoaIdTask { protected static final String ERROR_CODE_PARAM = "errorid"; + protected IRequest pendingReq = null; + protected AuthenticationSession moasession = null; + + protected void defaultTaskInitialization(HttpServletRequest req, ExecutionContext executionContext) throws MOAIDException, MOADatabaseException { + String pendingRequestID = StringEscapeUtils.escapeHtml( + ObjectUtils.defaultIfNull( + (String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID), + req.getParameter(PARAM_TARGET_PENDINGREQUESTID))); + + if (MiscUtil.isEmpty(pendingRequestID)) { + Logger.info("No PendingRequestID received"); + throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"}); + } + + pendingReq = requestStoreage.getPendingRequest(pendingRequestID); + + if (pendingReq == null) { + Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure."); + throw new MOAIDException("auth.28", new Object[]{pendingRequestID}); + + } + + //change pending-request ID + String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq); + executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID); + + try { + moasession = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier()); + + if (moasession == null) { + Logger.warn("MOASessionID is empty."); + throw new MOAIDException("auth.18", new Object[] {}); + } + + } catch (MOADatabaseException e) { + Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database"); + throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() }); + + } catch (Throwable e) { + Logger.info("No HTTP Session found!"); + throw new MOAIDException("auth.18", new Object[] {}); + } + + } + protected void handleErrorNoRedirect(String errorMessage, Throwable exceptionThrown, HttpServletRequest req, HttpServletResponse resp) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java index f1ab58ee0..053f5d7ff 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateInterfedeartionRequestTask.java @@ -53,6 +53,7 @@ import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.RequestImpl; @@ -103,7 +104,7 @@ public class CreateInterfedeartionRequestTask extends AbstractAuthServletTask { try { OAAuthParameter idp = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(idpEntityID); - OAAuthParameter sp = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(pendingReq.getOAURL()); + IOAAuthParameters sp = pendingReq.getOnlineApplicationConfiguration(); String requestedIDP = pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/EvaluateBKUSelectionTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/EvaluateBKUSelectionTask.java index fe3e8680c..9db5baeab 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/EvaluateBKUSelectionTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/EvaluateBKUSelectionTask.java @@ -56,7 +56,7 @@ public class EvaluateBKUSelectionTask extends AbstractAuthServletTask { throws TaskExecutionException { try { //load pending request - String pendingReqID = request.getParameter(MOAIDAuthConstants.PARAM_SESSIONID); + String pendingReqID = request.getParameter(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID); pendingReqID = StringEscapeUtils.escapeHtml(pendingReqID); IRequest pendingReq = requestStoreage.getPendingRequest(pendingReqID); @@ -86,7 +86,8 @@ public class EvaluateBKUSelectionTask extends AbstractAuthServletTask { Enumeration reqParamNames = request.getParameterNames(); while(reqParamNames.hasMoreElements()) { String paramName = reqParamNames.nextElement(); - if (MiscUtil.isNotEmpty(paramName)) + if (MiscUtil.isNotEmpty(paramName) && + !MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID.equalsIgnoreCase(paramName)) executionContext.put(paramName, request.getParameter(paramName)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java index 1bdc132d9..cb0b63276 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java @@ -80,7 +80,7 @@ public class GenerateBKUSelectionFrameTask extends AbstractAuthServletTask { if (publicURLPreFix.endsWith("/")) publicURLPreFix = publicURLPreFix.substring(0, publicURLPreFix.length() - 1); String loginForm = LoginFormBuilder.buildLoginForm(pendingReq.requestedModule(), - pendingReq.requestedAction(), oaParam, publicURLPreFix, MOAIDAuthConstants.PARAM_SESSIONID); + pendingReq.requestedAction(), oaParam, publicURLPreFix, pendingReq.getRequestID()); response.setContentType("text/html;charset=UTF-8"); PrintWriter out = new PrintWriter(response.getOutputStream()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index 8af8ed238..3699633bd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -27,6 +27,8 @@ import java.util.List; import javax.servlet.http.HttpServletRequest; import org.apache.commons.lang.StringEscapeUtils; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; @@ -34,8 +36,8 @@ import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; @@ -44,9 +46,12 @@ import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; +@Service("StartAuthentificationParameterParser") public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ - public static void parse(AuthenticationSession moasession, + @Autowired AuthConfiguration authConfig; + + public void parse(AuthenticationSession moasession, String target, String oaURL, String bkuURL, @@ -57,30 +62,20 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ IRequest protocolReq) throws WrongParametersException, MOAIDException { String targetFriendlyName = null; - -// String sso = req.getParameter(PARAM_SSO); - + // escape parameter strings target = StringEscapeUtils.escapeHtml(target); - //oaURL = StringEscapeUtils.escapeHtml(oaURL); bkuURL = StringEscapeUtils.escapeHtml(bkuURL); templateURL = StringEscapeUtils.escapeHtml(templateURL); useMandate = StringEscapeUtils.escapeHtml(useMandate); ccc = StringEscapeUtils.escapeHtml(ccc); - // sso = StringEscapeUtils.escapeHtml(sso); - - // check parameter - - //pvp2.x can use general identifier (equals oaURL in SAML1) -// if (!ParamValidatorUtils.isValidOA(oaURL)) -// throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); + //validate parameters if (!ParamValidatorUtils.isValidUseMandate(useMandate)) throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12"); if (!ParamValidatorUtils.isValidCCC(ccc)) throw new WrongParametersException("StartAuthentication", PARAM_CCC, "auth.12"); -// if (!ParamValidatorUtils.isValidUseMandate(sso)) -// throw new WrongParametersException("StartAuthentication", PARAM_SSO, "auth.12"); + //check UseMandate flag String useMandateString = null; @@ -100,161 +95,98 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ //load OnlineApplication configuration - OAAuthParameter oaParam; - if (moasession.getPublicOAURLPrefix() != null) { - Logger.debug("Loading OA parameters for PublicURLPrefix: " + moasession.getPublicOAURLPrefix()); - oaParam = AuthConfigurationProviderFactory.getInstance() - .getOnlineApplicationParameter( - moasession.getPublicOAURLPrefix()); - - if (oaParam == null) - throw new AuthenticationException("auth.00", - new Object[] { moasession.getPublicOAURLPrefix() }); - - } else { - oaParam = AuthConfigurationProviderFactory.getInstance() - .getOnlineApplicationParameter(oaURL); - - if (oaParam == null) + IOAAuthParameters oaParam = protocolReq.getOnlineApplicationConfiguration(); + if (oaParam == null) throw new AuthenticationException("auth.00", - new Object[] { oaURL }); + new Object[] { protocolReq.getOAURL() }); - // get target and target friendly name from config - String targetConfig = oaParam.getTarget(); - String targetFriendlyNameConfig = oaParam.getTargetFriendlyName(); + // get target and target friendly name from config + String targetConfig = oaParam.getTarget(); + String targetFriendlyNameConfig = oaParam.getTargetFriendlyName(); - if (!oaParam.getBusinessService()) { - if (StringUtils.isEmpty(targetConfig) - || (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") && - !StringUtils.isEmpty(target)) - ) { - //INFO: ONLY SAML1 legacy mode - // if SAML1 is used and target attribute is given in request - // use requested target - // check target parameter - if (!ParamValidatorUtils.isValidTarget(target)) { - Logger.error("Selected target is invalid. Using target: " + target); - throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); - } - if (MiscUtil.isNotEmpty(targetConfig)) - targetFriendlyName = targetFriendlyNameConfig; + if (!oaParam.getBusinessService()) { + if (StringUtils.isEmpty(targetConfig) + || (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") && + !StringUtils.isEmpty(target)) + ) { + //INFO: ONLY SAML1 legacy mode + // if SAML1 is used and target attribute is given in request + // use requested target + // check target parameter + if (!ParamValidatorUtils.isValidTarget(target)) { + Logger.error("Selected target is invalid. Using target: " + target); + throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); + } + if (MiscUtil.isNotEmpty(targetConfig)) + targetFriendlyName = targetFriendlyNameConfig; + + else { + String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); + if (MiscUtil.isNotEmpty(sectorName)) + targetFriendlyName = sectorName; else { - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); - if (MiscUtil.isNotEmpty(sectorName)) - targetFriendlyName = sectorName; - - else { - //check target contains subSector - int delimiter = target.indexOf("-"); - if (delimiter > 0) { - targetFriendlyName = - TargetToSectorNameMapper.getSectorNameViaTarget(target.substring(0, delimiter)); - - } - } - } - - } else { - // use target from config - target = targetConfig; - targetFriendlyName = targetFriendlyNameConfig; + //check target contains subSector + int delimiter = target.indexOf("-"); + if (delimiter > 0) { + targetFriendlyName = + TargetToSectorNameMapper.getSectorNameViaTarget(target.substring(0, delimiter)); + + } + } } - moasession.setTarget(target); - moasession.setTargetFriendlyName(targetFriendlyName); - + } else { - Logger.debug("Business: " + moasession.getBusinessService() + " stork: " + moasession.getStorkService()); - moasession.setDomainIdentifier(oaParam.getIdentityLinkDomainIdentifier()); - + // use target from config + target = targetConfig; + targetFriendlyName = targetFriendlyNameConfig; } + if (isEmpty(target)) + throw new WrongParametersException("StartAuthentication", + PARAM_TARGET, "auth.05"); -// //check useSSO flag -// String useSSOString = null; -// boolean useSSOBoolean = false; -// if ((sso != null) && (sso.compareTo("") != 0)) { -// useSSOString = sso; -// } else { -// useSSOString = "false"; -// } - // -// if (useSSOString.compareToIgnoreCase("true") == 0) -// useSSOBoolean = true; -// else -// useSSOBoolean = false; - - //moasession.setSsoRequested(useSSOBoolean); - moasession.setSsoRequested(true && oaParam.useSSO()); //make always SSO if OA requested it!!!! + protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, target); + protocolReq.setGenericDataToSession( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, targetFriendlyName); + Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + target); + + } else { + Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + oaParam.getIdentityLinkDomainIdentifier()); - //Validate BKU URI - List allowedbkus = oaParam.getBKUURL(); - allowedbkus.addAll(AuthConfigurationProviderFactory.getInstance().getDefaultBKUURLs()); - if (!ParamValidatorUtils.isValidBKUURI(bkuURL, allowedbkus)) - throw new WrongParametersException("StartAuthentication", PARAM_BKU, "auth.12"); - - moasession.setBkuURL(bkuURL); - - if ((!oaParam.getBusinessService())) { - if (isEmpty(target)) - throw new WrongParametersException("StartAuthentication", - PARAM_TARGET, "auth.05"); - - } else { - if (useMandateBoolean) { - Logger.error("Online-Mandate Mode for business application not supported."); - throw new AuthenticationException("auth.17", null); - } - target = null; - targetFriendlyName = null; + if (useMandateBoolean) { + Logger.error("Online-Mandate Mode for business application not supported."); + throw new AuthenticationException("auth.17", null); } - moasession.setPublicOAURLPrefix(oaParam.getPublicURLPrefix()); - moasession.setBusinessService(oaParam.getBusinessService()); - - //moasession.setStorkService(oaParam.getStorkService()); - } - - //check OnlineApplicationURL - if (isEmpty(oaURL)) - throw new WrongParametersException("StartAuthentication", - PARAM_OA, "auth.05"); - moasession.setOAURLRequested(oaURL); - - //check AuthURL - String authURL = protocolReq.getAuthURL(); - if (!authURL.startsWith("https:") && !AuthConfigurationProviderFactory.getInstance().isHTTPAuthAllowed()) - throw new AuthenticationException("auth.07", - new Object[] { authURL + "*" }); - - //set Auth URL from configuration - moasession.setAuthURL(authURL); - - //check and set SourceID - if (oaParam.getSAML1Parameter() != null) { - String sourceID = oaParam.getSAML1Parameter().getSourceID(); - if (MiscUtil.isNotEmpty(sourceID)) - moasession.setSourceID(sourceID); } - + + //Validate BKU URI + List allowedbkus = oaParam.getBKUURL(); + allowedbkus.addAll(authConfig.getDefaultBKUURLs()); + if (!ParamValidatorUtils.isValidBKUURI(bkuURL, allowedbkus)) + throw new WrongParametersException("StartAuthentication", PARAM_BKU, "auth.12"); + moasession.setBkuURL(bkuURL); + + //validate securityLayer-template if (MiscUtil.isEmpty(templateURL)) { List templateURLList = oaParam.getTemplateURL(); List defaulTemplateURLList = - AuthConfigurationProviderFactory.getInstance().getSLRequestTemplates(); + authConfig.getSLRequestTemplates(); if ( templateURLList != null && templateURLList.size() > 0 && MiscUtil.isNotEmpty(templateURLList.get(0)) ) { templateURL = FileUtils.makeAbsoluteURL( oaParam.getTemplateURL().get(0), - AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir()); + authConfig.getRootConfigFileDir()); Logger.info("No SL-Template in request, load SL-Template from OA configuration (URL: " + templateURL + ")"); } else if ( (defaulTemplateURLList.size() > 0) && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) { templateURL = FileUtils.makeAbsoluteURL( defaulTemplateURLList.get(0), - AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir()); + authConfig.getRootConfigFileDir()); Logger.info("No SL-Template in request, load SL-Template from general configuration (URL: " + templateURL + ")"); } else { @@ -267,13 +199,22 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ if (!ParamValidatorUtils.isValidTemplate(req, templateURL, oaParam.getTemplateURL())) throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); - moasession.setTemplateURL(templateURL); - - moasession.setCcc(ccc); - + protocolReq.setGenericDataToSession( + MOAIDAuthConstants.AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE, + templateURL); + + + //validate SSO functionality + String domainIdentifier = authConfig.getSSOTagetIdentifier().trim(); + if (MiscUtil.isEmpty(domainIdentifier) && protocolReq.needSingleSignOnFunctionality()) { + //do not use SSO if no Target is set + Logger.warn("NO SSO-Target found in configuration. Single Sign-On is deaktivated!"); + protocolReq.setNeedSingleSignOnFunctionality(false); + + } } - public static void parse(ExecutionContext ec, HttpServletRequest req, + public void parse(ExecutionContext ec, HttpServletRequest req, AuthenticationSession moasession, IRequest request) throws WrongParametersException, MOAIDException { //get Parameters from request @@ -294,7 +235,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ oaURL = request.getOAURL(); //only needed for SAML1 - String target = request.getGenericData("target", String.class); + String target = request.getGenericData("saml1_target", String.class); parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, req, request); @@ -307,7 +248,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ * parameter * @return true if the parameter is null or empty */ - private static boolean isEmpty(String param) { + private boolean isEmpty(String param) { return param == null || param.length() == 0; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java index 48292cee1..87d41dbf1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java @@ -110,10 +110,10 @@ public class IDPSingleLogOutServlet extends AbstractController { ssoManager.printSingleLogOutInfo(context, resp); } catch (MOAIDException e) { - handleErrorNoRedirect(e, req, resp); + handleErrorNoRedirect(e, req, resp, false); } catch (MOADatabaseException e) { - handleErrorNoRedirect(e, req, resp); + handleErrorNoRedirect(e, req, resp, false); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java index 7f0a1c157..58034cc7b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java @@ -66,6 +66,11 @@ public interface IOAAuthParameters { public boolean getBusinessService(); + /** + * Get target of a public service-provider + * + * @return target identifier without prefix + */ public String getTarget(); public String getTargetFriendlyName(); @@ -77,6 +82,8 @@ public interface IOAAuthParameters { public boolean isRemovePBKFromAuthBlock(); /** + * Return the private-service domain-identifier with PreFix + * * @return the identityLinkDomainIdentifier */ public String getIdentityLinkDomainIdentifier(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index b6df5e5c6..4131e49fc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -496,6 +496,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { AuthenticationSession moasession; try { moasession = authenticatedSessionStore.createSession(pendingReq); + pendingReq.setMOASessionIdentifier(moasession.getSessionID()); } catch (MOADatabaseException e1) { Logger.error("Database Error! MOASession can not be created!"); @@ -514,7 +515,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { boolean leagacyMode = (legacyallowed && legacyparamavail); executionContext.put("isLegacyRequest", leagacyMode); - executionContext.put("performBKUSelection", leagacyMode + executionContext.put("performBKUSelection", !leagacyMode && MiscUtil.isEmpty(pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class))); //add leagcy parameters to context diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequestStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequestStorage.java index 6f46edce3..d26af89a2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequestStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequestStorage.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.moduls; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; /** * @author tlenz @@ -36,6 +37,6 @@ public interface IRequestStorage { public void removePendingRequest(String requestID); - public String changePendingRequestID(IRequest pendingRequest) throws MOAIDException; + public String changePendingRequestID(IRequest pendingRequest) throws MOAIDException, MOADatabaseException; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java index 66ca42398..c49df43fa 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java @@ -44,14 +44,19 @@ public class RequestStorage implements IRequestStorage{ try { IRequest pendingRequest = transactionStorage.get(pendingReqID, IRequest.class); - + if (pendingRequest == null) { + Logger.info("No PendingRequst found with pendingRequestID " + pendingReqID); + return null; + + } + //set transactionID and sessionID to Logger TransactionIDUtils.setTransactionId(pendingRequest.getUniqueTransactionIdentifier()); TransactionIDUtils.setSessionId(pendingRequest.getUniqueSessionIdentifier()); return pendingRequest; - } catch (MOADatabaseException e) { + } catch (MOADatabaseException | NullPointerException e) { Logger.info("No PendingRequst found with pendingRequestID " + pendingReqID); return null; @@ -106,16 +111,17 @@ public class RequestStorage implements IRequestStorage{ * @see at.gv.egovernment.moa.id.storage.IRequestStorage#changePendingRequestID(at.gv.egovernment.moa.id.moduls.IRequest) */ @Override - public String changePendingRequestID(IRequest pendingRequest) throws MOAIDException { + public String changePendingRequestID(IRequest pendingRequest) throws MOAIDException, MOADatabaseException { if (pendingRequest instanceof RequestImpl) { String newRequestID = Random.nextRandom(); + String oldRequestID = pendingRequest.getRequestID(); Logger.debug("Change pendingRequestID from " + pendingRequest.getRequestID() + " to " + newRequestID); ((RequestImpl)pendingRequest).setRequestID(newRequestID); - storePendingRequest(pendingRequest); + transactionStorage.changeKey(oldRequestID, newRequestID, pendingRequest); return newRequestID; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index c9a34496a..36145375b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -107,7 +107,7 @@ public class AttributQueryAction implements IAction { List attrList = addDefaultAttributes(attrQuery, authData); //build PVP 2.1 assertion - Assertion assertion = PVP2AssertionBuilder.buildAssertion(req.getAuthURL(), attrQuery, attrList, authData, date, authData.getSessionIndex()); + Assertion assertion = PVP2AssertionBuilder.buildAssertion(req, attrQuery, attrList, authData, date, authData.getSessionIndex()); //build PVP 2.1 response Response authResponse = AuthResponseBuilder.buildResponse(req.getAuthURL(), attrQuery, date, assertion); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index 07367e1d0..181e89806 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -36,8 +36,6 @@ import org.opensaml.saml2.metadata.RequestedAttribute; import org.opensaml.saml2.metadata.SPSSODescriptor; import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; @@ -98,9 +96,7 @@ public class PVPTargetConfiguration extends RequestImpl { for (String el : PVP2XProtocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION) reqAttr.put(el, ""); - try { - OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(getOAURL()); - + try { SPSSODescriptor spSSODescriptor = getRequest().getEntityMetadata().getSPSSODescriptor(SAMLConstants.SAML20P_NS); if (spSSODescriptor.getAttributeConsumingServices() != null && spSSODescriptor.getAttributeConsumingServices().size() > 0) { @@ -136,15 +132,12 @@ public class PVPTargetConfiguration extends RequestImpl { reqAttr.put(attr.getName(), ""); } - return AttributQueryBuilder.buildSAML2AttributeList(oa, reqAttr.keySet().iterator()); + return AttributQueryBuilder.buildSAML2AttributeList(this.getOnlineApplicationConfiguration(), reqAttr.keySet().iterator()); } catch (NoMetadataInformationException e) { Logger.warn("NO metadata found for Entity " + getRequest().getEntityID()); return null; - } catch (ConfigurationException e) { - Logger.error("Load configuration for OA " + getOAURL() + " FAILED", e); - return null; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 065118e2b..208cd67f2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -55,7 +55,6 @@ import org.opensaml.saml2.metadata.RequestedAttribute; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.w3c.dom.Element; - import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; @@ -64,21 +63,18 @@ import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.QAANotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.id.util.QAALevelVerifier; @@ -90,7 +86,7 @@ import at.gv.egovernment.moa.util.MiscUtil; public class PVP2AssertionBuilder implements PVPConstants { - public static Assertion buildAssertion(String authURL, AttributeQuery attrQuery, + public static Assertion buildAssertion(IRequest pendingReq, AttributeQuery attrQuery, List reqAttributes, IAuthData authData, DateTime date, String sessionIndex) throws ConfigurationException { @@ -136,12 +132,12 @@ public class PVP2AssertionBuilder implements PVPConstants { SubjectConfirmationData subjectConfirmationData = null; - return buildGenericAssertion(authURL, attrQuery.getIssuer().getValue(), date, + return buildGenericAssertion(pendingReq, attrQuery.getIssuer().getValue(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, new DateTime(authData.getSsoSessionValidTo().getTime())); } - public static Assertion buildAssertion(String authURL, AuthnRequest authnRequest, + public static Assertion buildAssertion(PVPTargetConfiguration pendingReq, AuthnRequest authnRequest, IAuthData authData, EntityDescriptor peerEntity, DateTime date, AssertionConsumerService assertionConsumerService, SLOInformationImpl sloInformation) throws MOAIDException { @@ -153,9 +149,7 @@ public class PVP2AssertionBuilder implements PVPConstants { AuthnContextClassRef authnContextClassRef = SAML2Utils .createSAMLObject(AuthnContextClassRef.class); - OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance() - .getOnlineApplicationParameter( - peerEntity.getEntityID()); + IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); if (reqAuthnContext == null) { authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); @@ -416,12 +410,12 @@ public class PVP2AssertionBuilder implements PVPConstants { sloInformation.setNameIDFormat(subjectNameID.getFormat()); sloInformation.setSessionIndex(sessionIndex); - return buildGenericAssertion(authURL, peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter()); + return buildGenericAssertion(pendingReq, peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter()); } /** * - * @param authURL IDP PublicURL PreFix + * @param pendingReq IDP PublicURL PreFix * @param entityID Service Provider EntityID * @param date * @param authnContextClassRef @@ -434,7 +428,7 @@ public class PVP2AssertionBuilder implements PVPConstants { * @throws ConfigurationException */ - private static Assertion buildGenericAssertion(String authURL, String entityID, DateTime date, + private static Assertion buildGenericAssertion(IRequest pendingReq, String entityID, DateTime date, AuthnContextClassRef authnContextClassRef, List attrList, NameID subjectNameID, SubjectConfirmationData subjectConfirmationData, String sessionIndex, DateTime isValidTo) throws ConfigurationException { @@ -486,6 +480,7 @@ public class PVP2AssertionBuilder implements PVPConstants { Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); + String authURL = pendingReq.getAuthURL(); if (authURL.endsWith("/")) authURL = authURL.substring(0, authURL.length()-1); issuer.setValue(authURL); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index 974d90e11..4fbca5b13 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -81,7 +81,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { SLOInformationImpl sloInformation = new SLOInformationImpl(); //build Assertion - Assertion assertion = PVP2AssertionBuilder.buildAssertion(obj.getAuthURL(), authnRequest, authData, + Assertion assertion = PVP2AssertionBuilder.buildAssertion(obj, authnRequest, authData, peerEntity, date, consumerService, sloInformation); Response authResponse = AuthResponseBuilder.buildResponse(obj.getAuthURL(), authnRequest, date, assertion); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java index f33a7549c..ff631a720 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java @@ -53,28 +53,38 @@ public class DBTransactionStorage implements ITransactionStorage { } - public void put(String key, Object value) throws MOADatabaseException { - //setup AssertionStore element - AssertionStore element = new AssertionStore(); - element.setArtifact(key); - element.setType(value.getClass().getName()); - element.setDatatime(new Date()); - - //serialize the Assertion for Database storage - byte[] data = SerializationUtils.serialize((Serializable) value); - element.setAssertion(data); + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.storage.ITransactionStorage#changeKey(java.lang.String, java.lang.String, java.lang.Object) + */ + @Override + public void changeKey(String oldKey, String newKey, Object value) throws MOADatabaseException { + //search if key already exists + AssertionStore element = searchInDatabase(oldKey); + if (element == null) { + Logger.info("No transaction-data with oldKey:" + oldKey + + " found. Process gets stopped."); + throw new MOADatabaseException("No transaction-data with oldKey:" + oldKey + + " found. Process gets stopped."); + + } - //store AssertionStore element to Database - try { - MOASessionDBUtils.saveOrUpdate(element); - Logger.info(value.getClass().getName() + " with ID: " + key + " is stored in Database"); - } catch (MOADatabaseException e) { - Logger.warn("Sessioninformation could not be stored."); - throw new MOADatabaseException(e); + put(element, newKey, value); + + } + + public void put(String key, Object value) throws MOADatabaseException { + //search if key already exists + AssertionStore element = searchInDatabase(key); + + //create a new entry if key does not exists already + if (element == null) { + element = new AssertionStore(); + } + put(element, key, value); } - + public T get(String key, final Class clazz) throws MOADatabaseException { @@ -93,6 +103,9 @@ public class DBTransactionStorage implements ITransactionStorage { AssertionStore element = searchInDatabase(key); + if (element == null) + return null; + if (dataTimeOut > -1) { //check timeout long now = new Date().getTime(); @@ -155,13 +168,18 @@ public class DBTransactionStorage implements ITransactionStorage { try { AssertionStore element = searchInDatabase(key); + if (element == null) { + Logger.debug("Sessioninformation not removed! (Sessioninformation with ID=" + key + + "not found)"); + return; + } + cleanDelete(element); - Logger.info("Remove stored information with ID: " + key); + Logger.debug("Remove stored information with ID: " + key); } catch (MOADatabaseException e) { - Logger.info("Sessioninformation not removed! (Sessioninformation with ID=" + key - + "not found)"); + Logger.info("Sessioninformation not removed! (Message:"+ e.getMessage() + ")"); } catch (HibernateException e) { Logger.warn("Sessioninformation not removed! (Error during Database communication)", e); @@ -206,10 +224,34 @@ public class DBTransactionStorage implements ITransactionStorage { //Assertion requires an unique artifact if (result.size() != 1) { - Logger.trace("No entries found."); - throw new MOADatabaseException("No sessioninformation found with this ID"); + Logger.debug("No transaction information with ID:" + artifact + " found."); + return null; + } return (AssertionStore) result.get(0); } + + private void put(AssertionStore element, String key, Object value) throws MOADatabaseException { + element.setArtifact(key); + element.setType(value.getClass().getName()); + element.setDatatime(new Date()); + + //serialize the Assertion for Database storage + byte[] data = SerializationUtils.serialize((Serializable) value); + element.setAssertion(data); + + //store AssertionStore element to Database + try { + MOASessionDBUtils.saveOrUpdate(element); + Logger.debug(value.getClass().getName() + " with ID: " + key + " is stored in Database"); + + } catch (MOADatabaseException e) { + Logger.warn("Sessioninformation could not be stored."); + throw new MOADatabaseException(e); + + } + + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java index d05689e68..48283d2b6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/ITransactionStorage.java @@ -55,7 +55,7 @@ public interface ITransactionStorage { * * @param key Id which identifiers the data object * @param clazz The class type which is stored with this key - * @return The transaction-data object from type class + * @return The transaction-data object from type class, or null * @throws MOADatabaseException In case of load operation failed */ public T get(String key, final Class clazz) throws MOADatabaseException; @@ -66,12 +66,23 @@ public interface ITransactionStorage { * @param key Id which identifiers the data object * @param clazz The class type which is stored with this key * @param Data-object timeout in [ms] - * @return The transaction-data object from type class + * @return The transaction-data object from type class, or null * @throws MOADatabaseException In case of load operation failed * @throws AuthenticationException In case of data-object timeout occurs */ public T get(String key, final Class clazz, long dataTimeOut) throws MOADatabaseException, AuthenticationException; + + /** + * Change the key of a data object and store it under the new key + * + * @param oldKey Old key of the data object + * @param newKey New key, which should be used to store the data object + * @param value Data object which should be stored + * @throws MOADatabaseException In case of store operation failed + */ + public void changeKey(String oldKey, String newKey, Object value) throws MOADatabaseException; + /** * Remove a data object from transaction storage * diff --git a/id/server/idserverlib/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/BKUSelection.process.xml b/id/server/idserverlib/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/BKUSelection.process.xml index b61ee5f2d..307ba836a 100644 --- a/id/server/idserverlib/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/BKUSelection.process.xml +++ b/id/server/idserverlib/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/BKUSelection.process.xml @@ -5,9 +5,9 @@ - National authentication with Austrian Citizen Card and mobile signature with our without mandate. - Legacy authentication for foreign citizens using MOCCA supported signature cards. --> - - - + + + diff --git a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml index 05ceb65f4..82579977c 100644 --- a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml +++ b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml @@ -15,6 +15,9 @@ + + diff --git a/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html b/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html index 2b0115d4a..af133525e 100644 --- a/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html +++ b/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html @@ -674,7 +674,7 @@ /* iFrameURL += "&SSO=" + document.getElementById("useSSO").value; */ iFrameURL += "&MODUL=" + "#MODUL#"; iFrameURL += "&ACTION=" + "#ACTION#"; - iFrameURL += "&MOASessionID=" + "#SESSIONID#"; + iFrameURL += "&pendingid=" + "#SESSIONID#"; generateIFrame(iFrameURL); } function bkuHandyClicked() { @@ -691,7 +691,7 @@ /* iFrameURL += "&SSO=" + document.getElementById("useSSO").value; */ iFrameURL += "&MODUL=" + "#MODUL#"; iFrameURL += "&ACTION=" + "#ACTION#"; - iFrameURL += "&MOASessionID=" + "#SESSIONID#"; + iFrameURL += "&pendingid=" + "#SESSIONID#"; generateIFrame(iFrameURL); } function storkClicked() { @@ -714,7 +714,7 @@ /* iFrameURL += "&SSO=" + document.getElementById("useSSO").value; */ iFrameURL += "&MODUL=" + "#MODUL#"; iFrameURL += "&ACTION=" + "#ACTION#"; - iFrameURL += "&MOASessionID=" + "#SESSIONID#"; + iFrameURL += "&pendingid=" + "#SESSIONID#"; generateIFrame(iFrameURL); } function generateIFrame(iFrameURL) { @@ -876,7 +876,7 @@ type="hidden" name="ccc" id="ccc"> + name="pendingid" value="#SESSIONID#"> -- cgit v1.2.3