From 333ed628cc5be8dfbece822d9caff0a8fe49438a Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 10 Mar 2014 08:42:26 +0100
Subject: Improvement for cluster operations - only use the HTTP GET parameter for
 session management and no information from browser sessions.

---
 .../moa/id/auth/servlet/PEPSConnectorServlet.java  | 18 +++++--
 .../moa/id/protocols/pvp2x/binding/MOARequest.java | 62 ++++++++++++++++++----
 .../id/protocols/pvp2x/binding/PostBinding.java    |  2 +-
 .../protocols/pvp2x/binding/RedirectBinding.java   |  2 +-
 .../pvp2x/requestHandler/AuthnRequestHandler.java  |  3 +-
 5 files changed, 67 insertions(+), 20 deletions(-)


diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
index 7c96c2194..83d0ced20 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
@@ -52,6 +52,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.stork.STORKException;
 import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor;
 import at.gv.egovernment.moa.id.auth.stork.VelocityProvider;
@@ -62,6 +63,7 @@ import at.gv.egovernment.moa.id.moduls.ModulUtils;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.HTTPUtils;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.StringUtils;
 import at.gv.util.xsd.xmldsig.SignatureType;
@@ -123,9 +125,18 @@ public class PEPSConnectorServlet extends AuthServlet {
 				Logger.error("MOA-SessionID was not found, no previous AuthnRequest had been started");
 				throw new AuthenticationException("auth.02", new Object[] { moaSessionID });
 			}
-			
+
+	         if (!ParamValidatorUtils.isValidSessionID(moaSessionID))
+	             throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12");
+
 			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moaSessionID);
 			
+			//load MOASession from database
+			AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID);
+			
+			//change MOASessionID
+			moaSessionID = AuthenticationSessionStoreage.changeSessionID(moaSession);
+			
 			Logger.info("Found MOA sessionID: " + moaSessionID);
 			
 			Logger.debug("Beginning to extract SAMLResponse out of HTTP Request");
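Review bot: The WrongParametersException added after the "MOA-SessionID was not found" check names `"VerifyAuthenticationBlock"` as the failing call, but the hunk header shows this code lives in PEPSConnectorServlet, so a malformed session id would be reported against the wrong servlet; this looks copied from another servlet and the first argument should name this one, e.g. `throw new WrongParametersException("PEPSConnectorServlet", PARAM_SESSIONID, "auth.12");`. The two added lines are also indented with spaces while the surrounding block uses tabs. Because changeSessionID() rotates the id before the SAML response is even extracted, every later lookup in this method must use the new value of moaSessionID; a comment at the rotation such as `// moaSessionID is rotated here; all later lookups must use the new id` would make that contract visible. The enclosing method starts and ends outside the hunk.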
@@ -166,10 +177,7 @@ public class PEPSConnectorServlet extends AuthServlet {
 			}
 			
 			Logger.info("Got SAML response with authentication success message.");
-			
-			//check if authentication request was created before
-			AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID);
-			
+						
 			Logger.debug("MOA session is still valid");
 			
 			STORKAuthnRequest storkAuthnRequest = moaSession.getStorkAuthnRequest();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java
index d28c5eeec..c1104f9f5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java
@@ -24,27 +24,51 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding;
 
 import java.io.Serializable;
 
+import org.opensaml.Configuration;
 import org.opensaml.saml2.core.RequestAbstractType;
+import org.opensaml.saml2.core.impl.RequestAbstractTypeMarshaller;
+import org.opensaml.saml2.core.impl.RequestAbstractTypeUnmarshaller;
 import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.io.Unmarshaller;
+import org.opensaml.xml.io.UnmarshallerFactory;
+import org.opensaml.xml.io.UnmarshallingException;
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
+import at.gv.egovernment.moa.logging.Logger;
 
 public class MOARequest implements Serializable{
 
 	private static final long serialVersionUID = 2395131650841669663L;
 	
-	private RequestAbstractType samlRequest;
-	private EntityDescriptor entityMetadata; 
+	private Element samlRequest;
 	private boolean verified = false;
-
+	private String entityID = null;
+	
 	public MOARequest(RequestAbstractType request) {
-		samlRequest = request;
+		samlRequest = request.getDOM();
 	}
 
 	public RequestAbstractType getSamlRequest() {
-		return samlRequest;
+		UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
+		Unmarshaller unmashaller = unmarshallerFactory.getUnmarshaller(samlRequest);
+		
+		try {
+			return (RequestAbstractType) unmashaller.unmarshall(samlRequest);
+			
+		} catch (UnmarshallingException e) {
+			Logger.warn("AuthnRequest Unmarshaller error", e);
+			return null;
+		}
+		
 	}
 
 	public void setSamlRequest(RequestAbstractType request) {
-		this.samlRequest = request;
+		this.samlRequest = request.getDOM();
 	}
 
 	public boolean isVerified() {
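Review bot: getSamlRequest() now converts an UnmarshallingException into a null return, so a caller that chains `getSamlRequest().getIssuer()` or similar fails with a NullPointerException far from the real cause; since the hunk already imports MOAIDException but never uses it, the intent was presumably to propagate, and at minimum the catch should rethrow, e.g. `throw new IllegalStateException("AuthnRequest Unmarshaller error", e);`. The field type changed to org.w3c.dom.Element, which is an interface that does not extend Serializable, while the class still declares `implements Serializable` with a serialVersionUID; whether the stored DOM survives Java serialization depends on the concrete DOM implementation, which the hunk does not pin down, so this deserves a comment or a test. Both the constructor and setSamlRequest() store `request.getDOM()`, which can be null for an XMLObject that was built rather than parsed, so a `Objects.requireNonNull(request.getDOM(), "request has no DOM")` guard would fail early instead of at the later unmarshal. The imports RequestAbstractTypeMarshaller, RequestAbstractTypeUnmarshaller, XMLObject and MOAIDException are unused, and the local `unmashaller` is misspelled.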
@@ -55,13 +79,29 @@ public class MOARequest implements Serializable{
 		this.verified = verified;
 	}
 
-	public EntityDescriptor getEntityMetadata() {
-		return entityMetadata;
+	public EntityDescriptor getEntityMetadata() throws NoMetadataInformationException {
+		
+		try {
+			return MOAMetadataProvider.getInstance().getEntityDescriptor(this.entityID);
+			
+		} catch (MetadataProviderException e) {
+			Logger.warn("No Metadata for EntitiyID " + entityID);
+			throw new NoMetadataInformationException();
+		}			
 	}
 
-	public void setEntityMetadata(EntityDescriptor entityMetadata) {
-		this.entityMetadata = entityMetadata;
+	/**
+	 * @return the entitiyID
+	 */
+	public String getEntityID() {
+		return entityID;
+	}
+
+	/**
+	 * @param entitiyID the entitiyID to set
+	 */
+	public void setEntityID(String entitiyID) {
+		this.entityID = entitiyID;
 	}
-	
 	
 }
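Review bot: In the rewritten getEntityMetadata() the MetadataProviderException is dropped on both paths: the Logger.warn call does not pass `e`, and the NoMetadataInformationException is thrown without a cause, so the reason the metadata lookup failed is lost; use `Logger.warn("No Metadata for EntitiyID " + entityID, e);` and, if NoMetadataInformationException has a cause-taking constructor, pass `e` there too. getEntityDescriptor() can also return null for an entityID the provider does not know without throwing, in which case this method returns null despite its declared exception; checking the result and throwing `NoMetadataInformationException` for a null descriptor would keep the contract in one place. The Javadoc on getEntityID()/setEntityID() carries the typo "entitiyID" three times.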
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index af29054e1..d00b1cc16 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -128,7 +128,7 @@ public class PostBinding implements IDecoder, IEncoder {
 		
 		MOARequest request = new MOARequest(inboundMessage);
 		request.setVerified(false);
-		request.setEntityMetadata(messageContext.getPeerEntityMetadata());
+		request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID());
 		return request;
 
 	}
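Review bot: `messageContext.getPeerEntityMetadata().getEntityID()` dereferences the peer metadata unconditionally, whereas the replaced line merely stored whatever getPeerEntityMetadata() returned; if the peer's EntityDescriptor was not resolved this decoder now fails with a NullPointerException instead of a request whose metadata lookup fails later with a meaningful error. A guard such as `EntityDescriptor peer = messageContext.getPeerEntityMetadata(); if (peer == null) throw new MOAIDException(...)` (or the decoder's existing error type) would keep the failure explicit. The same pattern is introduced in RedirectBinding.java in this commit.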
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 7c9cc6259..f09178f55 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -131,7 +131,7 @@ public class RedirectBinding implements IDecoder, IEncoder {
 				.getInboundMessage();
 		MOARequest request = new MOARequest(inboundMessage);
 		request.setVerified(true);
-		request.setEntityMetadata(messageContext.getPeerEntityMetadata());
+		request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID());
 		return request;
 	}
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index 4d143058b..b6ab357b8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -154,8 +154,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
 			
 		}
 	
-		//TODO: insert!!!!!!
-		if (encryptionCredentials != null && false) {
+		if (encryptionCredentials != null) {
 			//encrypt SAML2 assertion
 				
 			try {
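Review bot: Removing `&& false` enables the assertion-encryption branch that was deliberately disabled behind a TODO, so the `try` body that follows (outside this hunk) has presumably never executed in a deployed build, yet neither the commit message nor a comment mentions that encryption is being switched on as part of a session-management change. This deserves either a sentence in the commit description or a comment at the condition, e.g. `// assertion encryption is active whenever encryption credentials are configured`, plus a check that the code path has been exercised against a relying party that publishes an encryption key. The if block continues past the end of the hunk.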
-- 