From 576f5ea5cfaf2ea174f198dc5df238c1ca0c331a Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 10 Mar 2016 15:35:48 +0100 Subject: MOA-ID, which use MOA-Sig (includes new IAIK-MOA, with iaik_xect, iaik_eccelerate, and new iaik_PKI module --- .../moa/id/auth/MOAIDAuthInitializer.java | 10 +- .../pvp2x/builder/PVPMetadataBuilder.java | 28 +---- .../pvp2x/signer/AbstractCredentialProvider.java | 3 +- .../moa/id/util/ECDSAKeyValueConverter.java | 122 +++++++++++---------- .../at/gv/egovernment/moa/id/util/SSLUtils.java | 8 +- 5 files changed, 75 insertions(+), 96 deletions(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java index 458f9afe6..4acce2813 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java @@ -40,14 +40,14 @@ import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.SSLUtils; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.logging.LoggingContext; -import at.gv.egovernment.moa.logging.LoggingContextManager; import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; import at.gv.egovernment.moa.spss.server.iaik.config.IaikConfigurator; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.egovernment.moaspss.logging.LoggingContext; +import at.gv.egovernment.moaspss.logging.LoggingContextManager; import iaik.pki.PKIException; -import iaik.security.ecc.provider.ECCProvider; +import iaik.security.ec.provider.ECCelerate; import iaik.security.provider.IAIK; /** @@ -104,7 +104,7 @@ public class MOAIDAuthInitializer { Logger.info("Loading Java security providers."); IAIK.addAsProvider(); - ECCProvider.addAsProvider(); + ECCelerate.addAsProvider(); // Initializes SSLSocketFactory store SSLUtils.initialize(); @@ -146,7 +146,7 @@ public class MOAIDAuthInitializer { //ECCProvider.addAsProvider(); Security.insertProviderAt(IAIK.getInstance(), 0); - Security.addProvider(new ECCProvider()); + Security.addProvider(new ECCelerate()); if (Logger.isDebugEnabled()) { Logger.debug("Loaded Security Provider:"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java index 3418ffb69..84285a318 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java @@ -24,8 +24,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder; import java.io.IOException; import java.io.StringWriter; -import java.security.PrivateKey; -import java.security.interfaces.RSAPrivateKey; import java.util.List; import javax.xml.parsers.DocumentBuilder; @@ -66,7 +64,6 @@ import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.SignatureConstants; import org.opensaml.xml.signature.SignatureException; import org.opensaml.xml.signature.Signer; import org.springframework.stereotype.Service; @@ -74,6 +71,7 @@ import org.w3c.dom.Document; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; @@ -153,7 +151,7 @@ public class PVPMetadataBuilder { //set metadata signature parameters Credential metadataSignCred = config.getMetadataSigningCredentials(); - Signature signature = getIDPSignature(metadataSignCred); + Signature signature = AbstractCredentialProvider.getIDPSignature(metadataSignCred); SecurityHelper.prepareSignatureParams(signature, metadataSignCred, null, null); @@ -434,27 +432,5 @@ public class PVPMetadataBuilder { return idpSSODescriptor; } - - private Signature getIDPSignature(Credential credentials) { - PrivateKey privatekey = credentials.getPrivateKey(); - Signature signer = SAML2Utils.createSAMLObject(Signature.class); - if (privatekey instanceof RSAPrivateKey) { - signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); - - } else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) { - signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1); - - } else { - Logger.warn("Could NOT evaluate the Private-Key type from " + credentials.getEntityId() + " credential."); - - - } - - signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); - signer.setSigningCredential(credentials); - return signer; - - } - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java index 4c9a1e59f..9102606a2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java @@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.signer; import java.security.KeyStore; import java.security.PrivateKey; +import java.security.interfaces.ECPrivateKey; import java.security.interfaces.RSAPrivateKey; import org.opensaml.xml.security.credential.Credential; @@ -197,7 +198,7 @@ public abstract class AbstractCredentialProvider { if (privatekey instanceof RSAPrivateKey) { signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); - } else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) { + } else if (privatekey instanceof ECPrivateKey) { signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1); } else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java index 2c0a82708..f37ae0b0b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java @@ -20,48 +20,15 @@ * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - package at.gv.egovernment.moa.id.util; -import iaik.security.ecc.ecdsa.ECDSAParameter; -import iaik.security.ecc.ecdsa.ECPublicKey; -import iaik.security.ecc.math.ecgroup.AffineCoordinate; -import iaik.security.ecc.math.ecgroup.Coordinate; -import iaik.security.ecc.math.ecgroup.CoordinateTypes; -import iaik.security.ecc.math.ecgroup.ECGroupFactory; -import iaik.security.ecc.math.ecgroup.ECPoint; -import iaik.security.ecc.math.ecgroup.EllipticCurve; -import iaik.security.ecc.math.field.Field; -import iaik.security.ecc.math.field.FieldElement; -import iaik.security.ecc.math.field.PrimeField; -import iaik.security.ecc.parameter.ECCParameterFactory; -import iaik.security.ecc.spec.ECCParameterSpec; - import java.math.BigInteger; import java.security.PublicKey; +import java.security.spec.ECField; +import java.security.spec.ECFieldF2m; +import java.security.spec.ECFieldFp; +import java.security.spec.ECPoint; import java.util.HashMap; import java.util.Iterator; import java.util.Vector; @@ -72,6 +39,15 @@ import org.w3c.dom.NamedNodeMap; import org.w3c.dom.Node; import org.w3c.dom.NodeList; +import at.gv.egovernment.moa.logging.Logger; +import iaik.security.ec.common.ECParameterSpec; +import iaik.security.ec.common.ECPublicKey; +import iaik.security.ec.common.ECStandardizedParameterFactory; +import iaik.security.ec.common.EllipticCurve; +import iaik.security.ec.math.field.Field; +import iaik.security.ec.math.field.FieldElement; +import iaik.security.ec.math.field.PrimeField; + public class ECDSAKeyValueConverter { @@ -94,15 +70,13 @@ public class ECDSAKeyValueConverter if (domainParams == null) throw new Exception("Domain parameters must not be implicit."); Element namedCurve = getChildElement(domainParams, ecdsaNS, "NamedCurve", 1); - ECCParameterSpec eccParameterSpec; + ECParameterSpec eccParameterSpec; if (namedCurve != null) { // URL curveNameURN = new URL(namedCurve.getAttributeNS(null, "URN")); String curveNameOID = namedCurve.getAttributeNS(null, "URN").substring(8); - ECCParameterFactory eccParamFactory = ECCParameterFactory.getInstance(); - // eccParameterSpec = eccParamFactory.getParameterByOID(curveNameURN.getPath().substring(4)); - eccParameterSpec = eccParamFactory.getParameterByOID(curveNameOID); + eccParameterSpec = ECStandardizedParameterFactory.getParametersByOID(curveNameOID); } else { @@ -167,14 +141,21 @@ public class ECDSAKeyValueConverter String cofactorStr = getChildElementText(basePointParams, ecdsaNS, "Cofactor", 1); BigInteger cofactor = (cofactorStr != null) ? new BigInteger(cofactorStr, 10) : null; + BigInteger a = new BigInteger(aStr, 10); + BigInteger b = new BigInteger(bStr, 10); + BigInteger basePointX = new BigInteger(basePointXStr, 10); + BigInteger basePointY = new BigInteger(basePointYStr, 10); + if (fieldParamsType == FIELD_TYPE_PRIME) - { - BigInteger a = new BigInteger(aStr, 10); - BigInteger b = new BigInteger(bStr, 10); - BigInteger basePointX = new BigInteger(basePointXStr, 10); - BigInteger basePointY = new BigInteger(basePointYStr, 10); - eccParameterSpec = new ECCParameterSpec(p, cofactor, order, seed, null, a, b, basePointX, - basePointY, null); + { + ECField javaECField = new ECFieldFp(p); + java.security.spec.EllipticCurve curve = + new java.security.spec.EllipticCurve(javaECField, a, b, seed.toByteArray()); + java.security.spec.ECPoint javaECbasePoint = + new java.security.spec.ECPoint(basePointX, basePointY); + java.security.spec.ECParameterSpec javaECSpec = + new java.security.spec.ECParameterSpec(curve, javaECbasePoint, order, cofactor.intValue()); + eccParameterSpec = ECParameterSpec.getParameterSpec(javaECSpec); } else { @@ -193,9 +174,19 @@ public class ECDSAKeyValueConverter irreducible[k1/32] += 1 << k1 % 32; irreducible[0] += 1; } - eccParameterSpec = new ECCParameterSpec(irreducible, cofactor, order, octetString2IntArray(aStr), - octetString2IntArray(bStr), octetString2IntArray(basePointXStr), - octetString2IntArray(basePointYStr), null); + + ECField javaECField = new ECFieldF2m(m, irreducible); + java.security.spec.EllipticCurve curve = + new java.security.spec.EllipticCurve(javaECField, a, b, seed.toByteArray()); + java.security.spec.ECPoint javaECbasePoint = + new java.security.spec.ECPoint(basePointX, basePointY); + java.security.spec.ECParameterSpec javaECSpec = + new java.security.spec.ECParameterSpec(curve, javaECbasePoint, order, cofactor.intValue()); + eccParameterSpec = ECParameterSpec.getParameterSpec(javaECSpec); + +// eccParameterSpec = new ECCParameterSpec(irreducible, cofactor, order, octetString2IntArray(aStr), +// octetString2IntArray(bStr), octetString2IntArray(basePointXStr), +// octetString2IntArray(basePointYStr), null); } } @@ -206,10 +197,14 @@ public class ECDSAKeyValueConverter Element publicKeyYElem = getChildElement(publicKeyElem, ecdsaNS, "Y", 1); String publicKeyYStr = publicKeyYElem.getAttributeNS(null, "Value"); - ECDSAParameter ecdsaParams = new ECDSAParameter(eccParameterSpec, CoordinateTypes.PROJECTIVE_COORDINATES); - ECGroupFactory ecGroupFactory = ECGroupFactory.getInstance(); - EllipticCurve eCurve = ecGroupFactory.getCurve(eccParameterSpec.getA(), - eccParameterSpec.getB(), eccParameterSpec.getR(), CoordinateTypes.PROJECTIVE_COORDINATES); + //ECParameterSpec ecdsaParams = new ECParameterSpec(eccParameterSpec, CoordinateTypes.PROJECTIVE_COORDINATES); + //ECGroupFactory ecGroupFactory = ECGroupFactory.getInstance(); + + EllipticCurve eCurve = eccParameterSpec.getCurve(); + +// EllipticCurve eCurve = ecGroupFactory.getCurve(eccParameterSpec.getA(), +// eccParameterSpec.getB(), eccParameterSpec.getR(), CoordinateTypes.PROJECTIVE_COORDINATES); + Field field = eCurve.getField(); // Detect type of public key field elements @@ -239,10 +234,19 @@ public class ECDSAKeyValueConverter } // ProjectiveCoordinate publicKeyPointCoordinate = new ProjectiveCoordinate(publicKeyPointX, // publicKeyPointY, field.getONEelement()); - Coordinate publicKeyPointCoordinate = new AffineCoordinate(publicKeyPointX, - publicKeyPointY).toProjective(); - ECPoint publicKeyPoint = eCurve.newPoint(publicKeyPointCoordinate); - ECPublicKey publicKey = new ECPublicKey(ecdsaParams, publicKeyPoint); +// Coordinate publicKeyPointCoordinate = new AffineCoordinate(publicKeyPointX, +// publicKeyPointY).toProjective(); + + ECPoint publicKeyPointECPoint = new ECPoint(publicKeyPointX.toBigInteger(), + publicKeyPointY.toBigInteger()); + + if (!eCurve.containsPoint(publicKeyPointECPoint)) { + Logger.error("IDL ECC parameter extraction FAILED! Public-Key ECPoint is not on the curve!"); + throw new Exception("IDL ECC parameter extraction FAILED! Public-Key ECPoint is not on the curve!"); + + } + + ECPublicKey publicKey = new ECPublicKey(eccParameterSpec, publicKeyPointECPoint); return publicKey; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java index af3424881..d3fba8854 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java @@ -46,9 +46,6 @@ package at.gv.egovernment.moa.id.util; -import iaik.pki.PKIException; -import iaik.security.provider.IAIK; - import java.io.BufferedInputStream; import java.io.BufferedReader; import java.io.IOException; @@ -71,6 +68,8 @@ import at.gv.egovernment.moa.id.config.ConfigurationProvider; import at.gv.egovernment.moa.id.config.ConnectionParameter; import at.gv.egovernment.moa.id.config.ConnectionParameterInterface; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import iaik.pki.PKIException; +import iaik.security.provider.IAIK; /** @@ -126,8 +125,7 @@ public class SSLUtils { //INFO: MOA-ID 2.x always use defaultChainingMode try { - SSLSocketFactory ssf = - at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory( + SSLSocketFactory ssf = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory( connParam.getUrl(), conf.getCertstoreDirectory(), trustStoreURL, -- cgit v1.2.3 From 4b932484d66ef161bb547a419fdc32f04677fe57 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 7 Apr 2016 10:44:11 +0200 Subject: fix some possible problems with STORK configuration in config-GUI --- .../id/configuration/data/GeneralStorkConfig.java | 38 +++++---- .../id/configuration/data/oa/OASTORKConfig.java | 19 +++-- .../struts/action/EditGeneralConfigAction.java | 99 +++++++++++++++------- .../validation/moaconfig/MOAConfigValidator.java | 2 +- .../validation/moaconfig/StorkConfigValidator.java | 55 ++++++------ .../src/main/webapp/jsp/editMOAConfig.jsp | 7 +- .../task/impl/GeneralMOAIDConfigurationTask.java | 8 +- .../task/impl/GeneralSTORKConfigurationTask.java | 54 ++++++------ .../StartAuthentificationParameterParser.java | 2 +- .../PropertyBasedAuthConfigurationProvider.java | 10 ++- .../moa/id/auth/AuthenticationServer.java | 14 +-- .../data/SSOTransferAuthenticationData.java | 5 +- 12 files changed, 191 insertions(+), 122 deletions(-) (limited to 'id/server/idserverlib/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/GeneralStorkConfig.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/GeneralStorkConfig.java index d8bb0179c..e71bad299 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/GeneralStorkConfig.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/GeneralStorkConfig.java @@ -25,6 +25,8 @@ package at.gv.egovernment.moa.id.configuration.data; import java.util.ArrayList; import java.util.List; +import org.apache.log4j.Logger; + import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.AuthComponentGeneral; import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.CPEPS; import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.ForeignIdentities; @@ -34,8 +36,6 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.StorkAttribute; import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException; import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; -import org.apache.log4j.Logger; - public class GeneralStorkConfig { private List cpepslist; @@ -61,7 +61,9 @@ public class GeneralStorkConfig { public void parse(MOAIDConfiguration config) { log.info("Initializing general Stork config"); - + + cpepslist = new ArrayList(); + attributes = new ArrayList(); if (config != null) { AuthComponentGeneral auth = config.getAuthComponentGeneral(); @@ -71,15 +73,14 @@ public class GeneralStorkConfig { if (foreign != null) { STORK stork = foreign.getSTORK(); - cpepslist = new ArrayList(); - attributes = new ArrayList(); - + if (stork != null) { // deep clone all the things - // to foreclose lazyloading session timeouts - - for(CPEPS current : stork.getCPEPS()) { - cpepslist.add(current); + // to foreclose lazyloading session timeouts + if (stork.getCPEPS() != null) { + for(CPEPS current : stork.getCPEPS()) { + cpepslist.add(current); + } } List tmp = stork.getAttributes(); @@ -91,19 +92,26 @@ public class GeneralStorkConfig { try { qaa = stork.getQualityAuthenticationAssuranceLevel(); + } catch(NullPointerException e) { qaa = 4; } } - if (cpepslist.isEmpty()) - cpepslist = null; - - if(attributes.isEmpty()) - attributes.add(new StorkAttribute()); } } } + + if (cpepslist.isEmpty()) { + CPEPS defaultCPEPS = new CPEPS(); + defaultCPEPS.setCountryCode("CC"); + defaultCPEPS.setURL("http://"); + defaultCPEPS.setSupportsXMLSignature(true); + cpepslist.add(defaultCPEPS ); + + } + if(attributes.isEmpty()) + attributes.add(new StorkAttribute()); } public List getRawCPEPSList() { diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASTORKConfig.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASTORKConfig.java index 33277af07..c0e1eaaf7 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASTORKConfig.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OASTORKConfig.java @@ -41,6 +41,7 @@ import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException; import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; import at.gv.egovernment.moa.id.configuration.validation.oa.OASTORKConfigValidation; +import at.gv.egovernment.moa.util.MiscUtil; //import at.gv.egovernment.moa.id.protocols.stork2.AttributeProviderFactory; public class OASTORKConfig implements IOnlineApplicationData{ @@ -120,8 +121,10 @@ public class OASTORKConfig implements IOnlineApplicationData{ enabledCitizenCountries = new ArrayList(); - for(CPEPS current : config.getCPEPS()) - enabledCitizenCountries.add(current.getCountryCode()); + if (config.getCPEPS() != null) { + for(CPEPS current : config.getCPEPS()) + enabledCitizenCountries.add(current.getCountryCode()); + } // prepare attribute helper list attributes = new ArrayList(); @@ -130,9 +133,11 @@ public class OASTORKConfig implements IOnlineApplicationData{ for(StorkAttribute current : dbconfig.getAuthComponentGeneral().getForeignIdentities().getSTORK().getAttributes()) { AttributeHelper tmp = null; - for(OAStorkAttribute sepp : config.getOAAttributes()) - if(sepp.getName().equals(current.getName())) - tmp = new AttributeHelper(sepp); + if (config.getOAAttributes() != null) { + for(OAStorkAttribute sepp : config.getOAAttributes()) + if(sepp.getName() != null && sepp.getName().equals(current.getName())) + tmp = new AttributeHelper(sepp); + } if(null == tmp) tmp = new AttributeHelper(current); @@ -248,12 +253,14 @@ public class OASTORKConfig implements IOnlineApplicationData{ if (generalConfStorkAttr != null) { for(StorkAttribute currentAttribute : generalConfStorkAttr) - if(currentAttribute.getName().equals(current.getName())) { + if(MiscUtil.isNotEmpty(currentAttribute.getName()) && + currentAttribute.getName().equals(current.getName())) { if(current.isUsed() || currentAttribute.isMandatory()) { OAStorkAttribute tmp = new OAStorkAttribute(); tmp.setName(current.getName()); tmp.setMandatory(current.isMandatory()); result.add(tmp); + } break; } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java index 504b598c0..d12c1342c 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java @@ -542,42 +542,77 @@ public class EditGeneralConfigAction extends BasicAction { forcon.setURL(moaconfig.getSzrgwURL()); } - ForeignIdentities foreign = dbauth.getForeignIdentities(); - if (foreign != null) { - STORK stork = foreign.getSTORK(); - if (stork == null) { - stork = new STORK(); - foreign.setSTORK(stork); - - } - - try { - log.error("QAAAA " + storkconfig.getDefaultQaa()); - stork.setQualityAuthenticationAssuranceLevel(storkconfig.getDefaultQaa()); + ForeignIdentities foreign = dbauth.getForeignIdentities(); + if (foreign != null) { + STORK stork = foreign.getSTORK(); + if (stork == null) { + stork = new STORK(); + foreign.setSTORK(stork); - if (storkconfig.getAttributes() != null) - stork.setAttributes(storkconfig.getAttributes()); - - else + } + + try { + log.error("QAAAA " + storkconfig.getDefaultQaa()); + stork.setQualityAuthenticationAssuranceLevel(storkconfig.getDefaultQaa()); + + if (storkconfig.getAttributes() != null) { + List dbStorkAttr = stork.getAttributes(); + if (dbStorkAttr == null) { + dbStorkAttr = new ArrayList(); + stork.setAttributes(dbStorkAttr); + + } + + for (StorkAttribute attr : storkconfig.getAttributes()) { + if (attr != null && MiscUtil.isNotEmpty(attr.getName())) + dbStorkAttr.add(attr); + + else + log.info("Remove null or empty STORK attribute"); + } + + } else stork.setAttributes((List) (new ArrayList())); - if (storkconfig.getCpepslist() != null) - - stork.setCPEPS(storkconfig.getCpepslist()); - else - stork.setCPEPS((List) (new ArrayList())); + if (storkconfig.getCpepslist() != null) { + List dbStorkCPEPS = stork.getCPEPS(); + if (dbStorkCPEPS == null) { + dbStorkCPEPS = new ArrayList(); + stork.setCPEPS(dbStorkCPEPS); + } + + for (CPEPS cpeps : storkconfig.getCpepslist()) { + if (cpeps != null && MiscUtil.isNotEmpty(cpeps.getURL()) && + MiscUtil.isNotEmpty(cpeps.getCountryCode())) { + + if (cpeps.getCountryCode().equals("CC") && + cpeps.getURL().equals("http://")) + log.info("Remove dummy STORK CPEPS entry."); + + else + dbStorkCPEPS.add(cpeps); + + } else + log.info("Remove null or emtpy STORK CPEPS configuration"); + } - } catch (Exception e) { - e.printStackTrace(); - } - - try{ - log.info("CPEPS LIST: " + storkconfig.getCpepslist().size() ); - log.trace("CPEPS 1:" + storkconfig.getCpepslist().get(0).getCountryCode() +storkconfig.getCpepslist().get(0).getURL()); - } catch (Exception ex) { - log.info("CPEPS LIST is null"); - } - } + } else + stork.setCPEPS((List) (new ArrayList())); + + } catch (Exception e) { + e.printStackTrace(); + + } + + try{ + log.info("CPEPS LIST: " + storkconfig.getCpepslist().size() ); + log.trace("CPEPS 1:" + storkconfig.getCpepslist().get(0).getCountryCode() +storkconfig.getCpepslist().get(0).getURL()); + + } catch (Exception ex) { + log.info("CPEPS LIST is null"); + + } + } if (MiscUtil.isNotEmpty(moaconfig.getMandateURL())) { OnlineMandates dbmandate = dbauth.getOnlineMandates(); diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/MOAConfigValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/MOAConfigValidator.java index d4e8e957d..617e9cf51 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/MOAConfigValidator.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/MOAConfigValidator.java @@ -367,7 +367,7 @@ public class MOAConfigValidator { check = form.getSsoTarget(); if (MiscUtil.isEmpty(check)) { log.info("Empty SSO Target"); - errors.add(LanguageHelper.getErrorString("validation.general.sso.target.empty", request)); + //errors.add(LanguageHelper.getErrorString("validation.general.sso.target.empty", request)); } else { if (!ValidationHelper.isValidAdminTarget(check)) { diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java index b73859d81..6b5c51e3f 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java @@ -47,31 +47,33 @@ public class StorkConfigValidator { errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.cc", new Object[] {check}, request )); } + + // check url + check = current.getURL(); + if (MiscUtil.isNotEmpty(check)) { + if (!ValidationHelper.validateURL(check)) { + log.info("CPEPS config URL is invalid : " + check); + errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.url", request)); + } + } else { + log.warn("CPEPS config url is empty : " + check); + errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.empty", + new Object[] {check}, request )); + } + } else { log.warn("CPEPS config countrycode is empty : " + check); - errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.empty", - new Object[] {check}, request )); +// errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.empty", +// new Object[] {check}, request )); } - // check url - check = current.getURL(); - if (MiscUtil.isNotEmpty(check)) { - if (!ValidationHelper.validateURL(check)) { - log.info("CPEPS config URL is invalid : " + check); - errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.url", request)); - } - } else { - log.warn("CPEPS config url is empty : " + check); - errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.empty", - new Object[] {check}, request )); - } } if (form.getCpepslist() != null) { // ensure uniqueness of country code for (CPEPS one : form.getCpepslist()) for (CPEPS another : form.getCpepslist()) - if (null != one && null != another) + if (null != one && null != another && one.getCountryCode() != null) if (!one.equals(another) && one.getCountryCode().equals(another.getCountryCode())) { errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.duplicate", request)); break; @@ -90,17 +92,20 @@ public class StorkConfigValidator { // check attributes if (MiscUtil.isNotEmpty(form.getAttributes())) { for(StorkAttribute check : form.getAttributes()) { - String tmp = check.getName().replace("eidas/attributes/", ""); // since eIDaS attributes come with a "/", we need to exclude them from validation. TODO Or should we require the admin to escape them in the UI? - if (ValidationHelper.containsPotentialCSSCharacter(tmp, true)) { - log.warn("default attributes contains potentail XSS characters: " + check); - errors.add(LanguageHelper.getErrorString("validation.stork.requestedattributes", - new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}, request )); - } - if(!tmp.toLowerCase().matches("^[A-Za-z]*$")) { - log.warn("default attributes do not match the requested format : " + check); + if (check != null && MiscUtil.isNotEmpty(check.getName())) { + String tmp = check.getName().replace("eidas/attributes/", ""); // since eIDaS attributes come with a "/", we need to exclude them from validation. TODO Or should we require the admin to escape them in the UI? + if (ValidationHelper.containsPotentialCSSCharacter(tmp, true)) { + log.warn("default attributes contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.stork.requestedattributes", - new Object[] {check}, request )); - } + new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}, request )); + } + if(!tmp.toLowerCase().matches("^[A-Za-z]*$")) { + log.warn("default attributes do not match the requested format : " + check); + errors.add(LanguageHelper.getErrorString("validation.stork.requestedattributes", + new Object[] {check}, request )); + } + + } } //TODO: STORK attributes check if no attribute is set diff --git a/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp b/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp index ac2c8de5a..45ea159e4 100644 --- a/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp +++ b/id/ConfigWebTool/src/main/webapp/jsp/editMOAConfig.jsp @@ -288,7 +288,12 @@ - + + + + + + " onclick='this.parentNode.parentNode.parentNode.removeChild(this.parentNode.parentNode);'/> diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralMOAIDConfigurationTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralMOAIDConfigurationTask.java index 1c3e0fe13..270d0866c 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralMOAIDConfigurationTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralMOAIDConfigurationTask.java @@ -435,10 +435,10 @@ public class GeneralMOAIDConfigurationTask extends AbstractTaskValidator impleme check = input.get(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_AUTH_SSO_TARGET, getKeyPrefix())); if (MiscUtil.isEmpty(check)) { log.info("Empty SSO Target"); - errors.add(new ValidationObjectIdentifier( - MOAIDConfigurationConstants.GENERAL_AUTH_SSO_TARGET, - "SSO - Target", - LanguageHelper.getErrorString("validation.general.sso.target.empty"))); +// errors.add(new ValidationObjectIdentifier( +// MOAIDConfigurationConstants.GENERAL_AUTH_SSO_TARGET, +// "SSO - Target", +// LanguageHelper.getErrorString("validation.general.sso.target.empty"))); } else { diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java index 1747e2207..8a1a2925b 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java @@ -133,38 +133,40 @@ public static final List KEYWHITELIST; LanguageHelper.getErrorString("validation.stork.cpeps.cc", new Object[] {cc}))); } - } else { - log.warn("CPEPS config countrycode is empty : " + cc); - errors.add(new ValidationObjectIdentifier( - MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST - + "." + cpepsKey, - "STORK - CPEPS Country", - LanguageHelper.getErrorString("validation.stork.cpeps.empty", - new Object[] {cc}))); - } - - // check url - if (MiscUtil.isNotEmpty(url)) { - if (!ValidationHelper.validateURL(url)) { - log.info("CPEPS config URL is invalid : " + url); + + // check url + if (MiscUtil.isNotEmpty(url)) { + if (!ValidationHelper.validateURL(url)) { + log.info("CPEPS config URL is invalid : " + url); + errors.add(new ValidationObjectIdentifier( + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST + + "." + index + "." + + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_URL, + "STORK - CPEPS URL", + LanguageHelper.getErrorString("validation.stork.cpeps.url"))); + } + } else { + log.warn("CPEPS config url is empty : " + url); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST + "." + index + "." + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_URL, "STORK - CPEPS URL", - LanguageHelper.getErrorString("validation.stork.cpeps.url"))); - } + LanguageHelper.getErrorString("validation.stork.cpeps.empty", + new Object[] {url}))); + + } + } else { - log.warn("CPEPS config url is empty : " + url); - errors.add(new ValidationObjectIdentifier( - MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST - + "." + index + "." - + MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST_URL, - "STORK - CPEPS URL", - LanguageHelper.getErrorString("validation.stork.cpeps.empty", - new Object[] {url}))); - - } + log.warn("CPEPS config countrycode is empty : " + cc); +// errors.add(new ValidationObjectIdentifier( +// MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST +// + "." + cpepsKey, +// "STORK - CPEPS Country", +// LanguageHelper.getErrorString("validation.stork.cpeps.empty", +// new Object[] {cc}))); + } + validatedCPeps.put(cc, url); } else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index 69c155c1e..140c7aebc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -206,7 +206,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ //validate SSO functionality - String domainIdentifier = authConfig.getSSOTagetIdentifier().trim(); + String domainIdentifier = authConfig.getSSOTagetIdentifier(); if (MiscUtil.isEmpty(domainIdentifier) && protocolReq.needSingleSignOnFunctionality()) { //do not use SSO if no Target is set Logger.warn("NO SSO-Target found in configuration. Single Sign-On is deaktivated!"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java index 210bda3e6..348b1c45a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java @@ -738,13 +738,17 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide */ public String getSSOTagetIdentifier() throws ConfigurationException { try { - return configuration.getStringValue( + String value = configuration.getStringValue( MOAIDConfigurationConstants.GENERAL_AUTH_SSO_TARGET); - + if (MiscUtil.isNotEmpty(value)) + return value.trim(); + } catch (at.gv.egiz.components.configuration.api.ConfigurationException e) { Logger.warn("Single Sign-On Target can not be read from configuration.", e); - return null; + } + + return null; } /** diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 7122c6577..f5000581c 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -167,12 +167,14 @@ public class AuthenticationServer extends BaseAuthenticationServer { } String infoboxReadRequest = ""; - if (pendingReq.needSingleSignOnFunctionality()) { - Logger.info("SSO Login requested"); + String ssoDomainIdentifier = authConfig.getSSOTagetIdentifier(); + if (MiscUtil.isNotEmpty(ssoDomainIdentifier) && + pendingReq.needSingleSignOnFunctionality()) { + Logger.debug("SSO Login requested"); //load identityLink with SSO Target boolean isbuisness = false; - String domainIdentifier = authConfig.getSSOTagetIdentifier().trim(); - if (domainIdentifier.startsWith(PREFIX_WPBK)) { + + if (ssoDomainIdentifier.startsWith(PREFIX_WPBK)) { isbuisness = true; } else { @@ -182,10 +184,10 @@ public class AuthenticationServer extends BaseAuthenticationServer { //build ReadInfobox request infoboxReadRequest = new InfoboxReadRequestBuilder().build( - isbuisness, domainIdentifier); + isbuisness, ssoDomainIdentifier); } else { - Logger.info("Non-SSO Login requested"); + Logger.debug("Non-SSO Login requested or SSO not allowed/possible"); //build ReadInfobox request infoboxReadRequest = new InfoboxReadRequestBuilder().build( oaParam.getBusinessService(), oaParam diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java index f9cb4c636..78cbd788d 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java @@ -49,8 +49,9 @@ public class SSOTransferAuthenticationData implements IAuthData { public SSOTransferAuthenticationData(AuthConfiguration authConfig, AuthenticationSession authSession) throws ConfigurationException { this.authSession = authSession; - String domainIdentifier = authConfig.getSSOTagetIdentifier().trim(); - isIDPPrivateService = domainIdentifier.startsWith(MOAIDAuthConstants.PREFIX_WPBK); + String domainIdentifier = authConfig.getSSOTagetIdentifier(); + if (domainIdentifier != null) + isIDPPrivateService = domainIdentifier.startsWith(MOAIDAuthConstants.PREFIX_WPBK); } -- cgit v1.2.3 From 581d87d939820b9e74130279692f2825baff6594 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 7 Apr 2016 16:23:18 +0200 Subject: add initial version of a virtual IDP REST URL rewrite filter --- .../interceptor/VHostUrlRewriteServletFilter.java | 185 +++++++++++++++++++++ .../at/gv/egovernment/moa/id/util/HTTPUtils.java | 11 ++ .../moa/id/auth/MOAIDAuthSpringInitializer.java | 13 +- 3 files changed, 203 insertions(+), 6 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/VHostUrlRewriteServletFilter.java (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/VHostUrlRewriteServletFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/VHostUrlRewriteServletFilter.java new file mode 100644 index 000000000..93d74d7ef --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/VHostUrlRewriteServletFilter.java @@ -0,0 +1,185 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.servlet.interceptor; + +import java.io.IOException; +import java.net.MalformedURLException; +import java.net.URL; +import java.util.List; + +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; + +import org.springframework.context.ApplicationContext; + +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.util.HTTPUtils; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class VHostUrlRewriteServletFilter implements Filter { + + private static final String VHOST_PATH = "/vhost/"; + private static final String AUTHURL = "authURL"; + + + private ApplicationContext context = null; + + public VHostUrlRewriteServletFilter(ApplicationContext context) { + Logger.info("Register vHost Servelt Filter"); + this.context = context; + + } + + /* (non-Javadoc) + * @see javax.servlet.Filter#init(javax.servlet.FilterConfig) + */ + @Override + public void init(FilterConfig filterConfig) throws ServletException { + + } + + /* (non-Javadoc) + * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) + */ + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) + throws IOException, ServletException { + HttpServletRequest httpReq = (HttpServletRequest) request; + try { + AuthConfiguration authConfig = context.getBean(AuthConfiguration.class); + List configuredPublicURLPrefix = authConfig.getPublicURLPrefix(); + + //check if End-Point is valid + String publicURLString = HTTPUtils.extractAuthURLFromRequest(httpReq); + URL publicURL; + try { + publicURL = new URL(publicURLString); + + } catch (MalformedURLException e) { + Logger.error("IDP AuthenticationServiceURL Prefix is not a valid URL." + publicURLString, e); + throw new ConfigurationException("1299", null, e); + + } + + //check if virtual IDPs are enabled + if (!authConfig.isVirtualIDPsEnabled()) { + Logger.trace("Virtual IDPs are disabled. Use default IDP PublicURLPrefix from configuration: " + configuredPublicURLPrefix.get(0)); + httpReq.setAttribute(AUTHURL, configuredPublicURLPrefix.get(0)); + chain.doFilter(request, response); + + } else { + String authURLString = HTTPUtils.extractAuthServletPathFromRequest(httpReq); + URL authURL; + try { + authURL = new URL(authURLString); + + } catch (MalformedURLException e) { + Logger.error("IDP AuthenticationServiceURL Prefix is not a valid URL." + authURLString, e); + throw new ConfigurationException("1299", null, e); + + } + + Logger.debug("Extract AuthenticationServiceURL: " + authURLString); + URL resultURL = null; + + for (String el : configuredPublicURLPrefix) { + try { + URL configuredURL = new URL(el); + + //get Ports from URL + int configPort = configuredURL.getPort(); + if (configPort == -1) + configPort = configuredURL.getDefaultPort(); + + int authURLPort = authURL.getPort(); + if (authURLPort == -1) + authURLPort = authURL.getDefaultPort(); + + //check AuthURL against ConfigurationURL + if (configuredURL.getHost().equals(authURL.getHost()) && + configPort == authURLPort && + authURL.getPath().startsWith(configuredURL.getPath())) { + Logger.debug("Select configurated PublicURLPrefix: " + configuredURL + + " for authURL: " + authURLString); + resultURL = configuredURL; + } + + } catch (MalformedURLException e) { + Logger.error("Configurated IDP PublicURLPrefix is not a valid URL." + el); + + } + } + + if (resultURL == null) { + Logger.warn("Extract AuthenticationServiceURL: " + authURL + " is NOT found in configuration."); + throw new ConfigurationException("config.25", new Object[]{authURLString}); + + } else { + httpReq.setAttribute(AUTHURL, resultURL.toExternalForm()); + + } + + String servletPath = httpReq.getServletPath(); + if (servletPath.startsWith(VHOST_PATH)) { + Logger.trace("Found V-IDP selection via REST URL ... "); + String vHostDescriptor = resultURL.toExternalForm().substring(0, publicURLString.length()); + String requestedServlet = authURLString.substring(0, vHostDescriptor.length()); + String newURL = publicURL.toExternalForm().concat(requestedServlet); + httpReq.setAttribute(AUTHURL, newURL); + httpReq.getRequestDispatcher(newURL).forward(httpReq, response); + + } else { + Logger.trace("Found V-IDP selection via Domain ..."); + chain.doFilter(request, response); + + } + + } + + } catch (ConfigurationException e) { + + + } + + } + + /* (non-Javadoc) + * @see javax.servlet.Filter#destroy() + */ + @Override + public void destroy() { + // TODO Auto-generated method stub + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java index d2499af9d..4cb6af127 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/HTTPUtils.java @@ -173,6 +173,17 @@ public class HTTPUtils { } + /** + * Extract the IDP requested URL from authrequest + * + * @param req HttpServletRequest + * @return RequestURL which ends always without / + */ + public static String extractAuthServletPathFromRequest(HttpServletRequest req) { + return extractAuthURLFromRequest(req).concat(req.getServletPath()); + + } + public static String addURLParameter(String url, String paramname, String paramvalue) { String param = paramname + "=" + paramvalue; diff --git a/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthSpringInitializer.java b/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthSpringInitializer.java index 636a3ed03..327d659ec 100644 --- a/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthSpringInitializer.java +++ b/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthSpringInitializer.java @@ -98,9 +98,7 @@ public class MOAIDAuthSpringInitializer implements WebApplicationInitializer { MOAIDAuthSpringInitializer.class)); } } - - - + Logger.debug("Refreshing context "+ rootContext); rootContext.refresh(); @@ -108,8 +106,7 @@ public class MOAIDAuthSpringInitializer implements WebApplicationInitializer { Logger.trace("Final Beans in "+ rootContext); dumpBeanDefinitions(rootContext); - - + Logger.info("Registering dispatcher configuration"); ServletRegistration.Dynamic dispatcher = servletContext.addServlet( "dispatcher", new DispatcherServlet(rootContext)); @@ -123,7 +120,11 @@ public class MOAIDAuthSpringInitializer implements WebApplicationInitializer { Logger.info("=============== Register RequestContextListener! ==============="); servletContext.addListener(new RequestContextListener()); - + +// Logger.info("=============== Register RequestFilter! ==============="); +// servletContext.addFilter("vHost RequestFilter", new VHostUrlRewriteServletFilter(rootContext)) +// .addMappingForUrlPatterns(null, false, "/*"); + Logger.info("Basic Context initalisation finished --> Start MOA-ID-Auth initialisation process ..."); MOAIDAuthInitializer.initialize(rootContext); Logger.info(MOAIDMessageProvider.getInstance().getMessage( -- cgit v1.2.3 From 1e66fa62ef2114aa412e4c207c8180c18aa07a0b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 8 Apr 2016 06:22:13 +0200 Subject: fix bug in PVP2 assertion builder. - https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf does not allow 'NotBefore' attribute in when 'Method' contains 'urn:oasis:names:tc:SAML:2.0:cm:bearer' (see 554 - 560 chapter 4.1.4.2) --- .../moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 68301d000..483bcb1ec 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -436,7 +436,7 @@ public class PVP2AssertionBuilder implements PVPConstants { .createSAMLObject(SubjectConfirmationData.class); subjectConfirmationData.setInResponseTo(authnRequest.getID()); subjectConfirmationData.setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime())); - subjectConfirmationData.setNotBefore(date); +// subjectConfirmationData.setNotBefore(date); subjectConfirmationData.setRecipient(assertionConsumerService.getLocation()); -- cgit v1.2.3 From 41882a0c5601dda478c2749ac99c2087b864c912 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 8 Apr 2016 07:48:40 +0200 Subject: change logLevel to warn --- .../java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java index fd2e03afa..d87480cc1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java @@ -221,7 +221,7 @@ public abstract class AbstractController extends MOAIDAuthConstants { Logger.warn(loggedException.getMessage(), loggedException); } else { - Logger.info(loggedException.getMessage()); + Logger.warn(loggedException.getMessage()); } } -- cgit v1.2.3 From 4790e826491e753882a6da8b414db1ab34924620 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 8 Apr 2016 13:41:52 +0200 Subject: some Update of ELGA MandateService client implementation --- .../java/at/gv/egovernment/moa/id/util/Random.java | 8 ++++++-- .../tasks/ReceiveElgaMandateResponseTask.java | 23 +++++++++++++--------- .../elgamandates/tasks/RequestELGAMandateTask.java | 20 +++++++++++++++++-- 3 files changed, 38 insertions(+), 13 deletions(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java index 47f784c33..ba45a3679 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java @@ -99,8 +99,12 @@ public class Random { char preFix = allowedPreFix[Math.abs(random.nextInt() % allowedPreFix.length)]; //generate ID - return preFix + new String(Hex.encodeHex(Bytes.concat(now.getBytes(), randValue))); // 20 bytes = 160 bits - + String returnValue = preFix + new String(Hex.encodeHex(Bytes.concat(now.getBytes(), randValue))); // 20 bytes = 160 bits + if (returnValue.length() > 40) + return returnValue.substring(0, 40); + else + return returnValue; + } diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java index 5604b7640..07bde7762 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java @@ -149,16 +149,21 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask { //load MOASession object defaultTaskInitialization(request, executionContext); + + /** + * Mandate Reference-Value is generated from ELGA MandateServie --> + * MOA-ID generated reference value is not equal to reference-value from ELGA MandateService + * But MOA-ID refernece-value is also validated in 'inResponseTo' attribute from ELGA MandateService response + */ //validate receive mandate reference-value - //TODO: update if ReferenceValue Discussion is finished - String responseRefValue = extractor.getSingleAttributeValue(PVPConstants.MANDATE_REFERENCE_VALUE_NAME); - if (!moasession.getMandateReferenceValue().equals(responseRefValue)) { - Logger.warn("PVP Response from ELGA mandate-service contains a not valid MandateReferenceValue."); - throw new AssertionValidationExeption("sp.pvp2.07", - new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, - PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME}); - - } +// String responseRefValue = extractor.getSingleAttributeValue(PVPConstants.MANDATE_REFERENCE_VALUE_NAME); +// if (!moasession.getMandateReferenceValue().equals(responseRefValue)) { +// Logger.warn("PVP Response from ELGA mandate-service contains a not valid MandateReferenceValue."); +// throw new AssertionValidationExeption("sp.pvp2.07", +// new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, +// PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME}); +// +// } Logger.debug("Validation of PVP Response from ELGA mandate-service is complete."); diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java index 6a7858575..fd918c7f4 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java @@ -150,9 +150,25 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask { } } + //build subjectNameID with bPK-Type Prefix + String bPKPrefix = null; + if (configTarget.startsWith(Constants.URN_PREFIX_WBPK)) + bPKPrefix = configTarget.substring((Constants.URN_PREFIX_WBPK + "+").length()); + + else if (configTarget.startsWith(Constants.URN_PREFIX_CDID)) + bPKPrefix = configTarget.substring((Constants.URN_PREFIX_CDID + "+").length()); + + if (bPKPrefix == null) { + throw new MOAIDException("service.10", + new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, "Configurated bPK-Type is wrong."}); + + } + //set bPK of representative as SAML2 subjectNameID - authnReqConfig.setSubjectNameID(representativeBPK ); - authnReqConfig.setSubjectNameIDQualifier(configTarget); + authnReqConfig.setSubjectNameID(bPKPrefix + ":" + representativeBPK ); + + //is not recommended from ELGA + //authnReqConfig.setSubjectNameIDQualifier(configTarget); //set MandateReferenceValue as RequestID authnReqConfig.setRequestID(moasession.getMandateReferenceValue()); -- cgit v1.2.3 From 361fe44d40c2fdec3d2be10334a16c537166a0e2 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 8 Apr 2016 14:10:58 +0200 Subject: update PVP SubjectNameID generation in case of ELGA MandateService is used --- .../protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 483bcb1ec..8ddd2cb39 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -316,6 +316,15 @@ public class PVP2AssertionBuilder implements PVPConstants { //no sourcePin is included --> search for bPK bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class); + try { + if (bpk.contains(":")) + bpk = bpk.split(":")[1]; + + } catch (Exception e) { + Logger.warn("Can not split bPK from mandator attribute!", e); + + } + //set bPK-Type from configuration, because it MUST be equal to service-provider type if (oaParam.getBusinessService()) { if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) -- cgit v1.2.3 From 2f1fb9860c455fa706a5bc9f07e0ec5dd41d376f Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 9 May 2016 09:39:44 +0200 Subject: fix type in Redirect servlet implementation --- .../java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java index d9386d404..3eaede028 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java @@ -131,7 +131,7 @@ public class RedirectServlet { DefaultGUIFormBuilderConfiguration.VIEW_REDIRECT, null); config.putCustomParameter(URL, url); - guiBuilder.build(resp, config, "RedirectForm"); + guiBuilder.build(resp, config, "RedirectForm.html"); } -- cgit v1.2.3 From a4d18ffb736c29d6f7cb026df50fb8a8e4898f9f Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 9 May 2016 09:43:56 +0200 Subject: fix problem with PVP protocol and legacy mode (SP side BKU selection) --- .../main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index 47ea91753..885d03fd8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java @@ -539,9 +539,7 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ return false; } - if (StringUtils.isEmpty(oaURL) - //|| StringUtils.isEmpty(templateURL) - || StringUtils.isEmpty(bkuURL) ) + if (StringUtils.isEmpty(bkuURL)) return false; else return true; -- cgit v1.2.3 From c3e07d7fb87b2d132ffc838e4878b9479da361a7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 9 May 2016 16:06:56 +0200 Subject: fix ContentType typo, which make problems with IE11 in some cases --- .../moa/id/auth/servlet/AbstractController.java | 10 ++++++---- .../moa/id/auth/servlet/GUILayoutBuilderServlet.java | 4 ++-- .../egovernment/moa/id/protocols/pvp2x/MetadataAction.java | 4 +++- .../moa/id/auth/frontend/builder/GUIFormBuilderImpl.java | 2 +- .../modules/internal/tasks/CreateIdentityLinkFormTask.java | 6 ++++-- .../egovernment/moa/id/util/CitizenCardServletUtils.java | 6 ++++-- .../auth/modules/eidas/tasks/GenerateAuthnRequestTask.java | 6 ++++-- .../controller/ELGAMandateMetadataController.java | 4 +++- .../modules/ssotransfer/task/RestoreSSOSessionTask.java | 3 ++- .../controller/FederatedAuthMetadataController.java | 4 +++- .../id/protocols/saml1/GetAuthenticationDataService.java | 14 ++++++++------ 11 files changed, 40 insertions(+), 23 deletions(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java index d87480cc1..e3efdeac0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java @@ -32,6 +32,8 @@ import javax.servlet.http.HttpServletResponse; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.ExceptionHandler; +import com.google.common.net.MediaType; + import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; import at.gv.egovernment.moa.id.advancedlogging.StatisticLogger; @@ -86,7 +88,7 @@ public abstract class AbstractController extends MOAIDAuthConstants { @ExceptionHandler({Exception.class}) public void GenericExceptionHandler(HttpServletResponse resp, Exception exception) throws IOException { Logger.error("Internel Server Error." , exception); - resp.setContentType("text/html;charset=UTF-8"); + resp.setContentType(MediaType.HTML_UTF_8.toString()); resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal Server Error!" + "(Errorcode=9199" +" | Description="+ exception.getMessage() + ")"); @@ -97,7 +99,7 @@ public abstract class AbstractController extends MOAIDAuthConstants { @ExceptionHandler({IOException.class}) public void IOExceptionHandler(HttpServletResponse resp, Throwable exception) { Logger.error("Internel Server Error." , exception); - resp.setContentType("text/html;charset=UTF-8"); + resp.setContentType(MediaType.HTML_UTF_8.toString()); resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); return; @@ -232,7 +234,7 @@ public abstract class AbstractController extends MOAIDAuthConstants { String code = utils.mapInternalErrorToExternalError( ((InvalidProtocolRequestException)e).getMessageId()); String descr = e.getMessage(); - resp.setContentType("text/html;charset=UTF-8"); + resp.setContentType(MediaType.HTML_UTF_8.toString()); resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Protocol validation FAILED!" + "(Errorcode=" + code + " | Description=" + descr + ")"); @@ -315,7 +317,7 @@ public abstract class AbstractController extends MOAIDAuthConstants { private void internalMOAIDExceptionHandler(HttpServletRequest req, HttpServletResponse resp, Exception e, boolean writeExceptionToStatisicLog) throws IOException { if (e instanceof ProtocolNotActiveException) { resp.getWriter().write(e.getMessage()); - resp.setContentType("text/html;charset=UTF-8"); + resp.setContentType(MediaType.HTML_UTF_8.toString()); resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage()); } else if (e instanceof AuthnRequestValidatorException) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java index babc87866..9b658d81b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java @@ -85,7 +85,7 @@ public class GUILayoutBuilderServlet extends AbstractController { null); //build GUI component - formBuilder.build(resp, config, "text/css;charset=UTF-8", "CSS-Form"); + formBuilder.build(resp, config, "text/css; charset=UTF-8", "CSS-Form"); } catch (Exception e) { Logger.warn("GUI ressource:'CSS' generation FAILED."); @@ -114,7 +114,7 @@ public class GUILayoutBuilderServlet extends AbstractController { GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION); //build GUI component - formBuilder.build(resp, config, "text/javascript;charset=UTF-8", "JavaScript"); + formBuilder.build(resp, config, "text/javascript; charset=UTF-8", "JavaScript"); } catch (Exception e) { Logger.warn("GUI ressource:'JavaScript' generation FAILED."); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index 2a688da68..b282e3a4b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -28,6 +28,8 @@ import javax.servlet.http.HttpServletResponse; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; +import com.google.common.net.MediaType; + import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; import at.gv.egovernment.moa.id.commons.api.IRequest; @@ -62,7 +64,7 @@ public class MetadataAction implements IAction { String metadataXML = metadatabuilder.buildPVPMetadata(metadataConfig); Logger.debug("METADATA: " + metadataXML); - httpResp.setContentType("text/xml"); + httpResp.setContentType(MediaType.XML_UTF_8.toString()); httpResp.getOutputStream().write(metadataXML.getBytes("UTF-8")); httpResp.getOutputStream().close(); diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java index 94fa4d977..26b37226d 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java @@ -54,7 +54,7 @@ import at.gv.egovernment.moa.util.MiscUtil; @Service("guiFormBuilder") public class GUIFormBuilderImpl implements IGUIFormBuilder { - private static final String DEFAULT_CONTENT_TYPE = "text/html;charset=UTF-8"; + private static final String DEFAULT_CONTENT_TYPE = "text/html; charset=UTF-8"; private static final String CONFIG_HTMLTEMPLATES_DIR = "htmlTemplates/"; private static final String CLASSPATH_HTMLTEMPLATES_DIR = "templates/"; diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java index e82aa8fbb..e47aff83b 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java @@ -10,6 +10,8 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.stereotype.Component; +import com.google.common.net.MediaType; + import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils; import at.gv.egovernment.moa.id.auth.AuthenticationServer; @@ -75,9 +77,9 @@ public class CreateIdentityLinkFormTask extends AbstractAuthServletTask { pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATES_REQUESTED); revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_URL, moasession.getBkuURL()); - + if (!StringUtils.isEmpty(getIdentityLinkForm)) { - resp.setContentType("text/html;charset=UTF-8"); + resp.setContentType(MediaType.HTML_UTF_8.toString()); PrintWriter out = new PrintWriter(resp.getOutputStream()); out.print(getIdentityLinkForm); out.flush(); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java index 2a8d26566..9fbdf5cd7 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java @@ -55,6 +55,8 @@ import java.net.URLEncoder; import javax.servlet.http.HttpServletResponse; +import com.google.common.net.MediaType; + import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; @@ -91,7 +93,7 @@ public class CitizenCardServletUtils extends ServletUtils{ resp.addHeader("Location", dataURL); //TODO test impact of explicit setting charset with older versions of BKUs (HotSign) - resp.setContentType("text/xml;charset=UTF-8"); + resp.setContentType(MediaType.XML_UTF_8.toString()); OutputStream out = resp.getOutputStream(); out.write(createXMLSignatureRequestOrRedirect.getBytes("UTF-8")); @@ -127,7 +129,7 @@ public class CitizenCardServletUtils extends ServletUtils{ resp.addHeader("Location", dataURL); //TODO test impact of explicit setting charset with older versions of BKUs (HotSign) - resp.setContentType("text/xml;charset=UTF-8"); + resp.setContentType(MediaType.XML_UTF_8.toString()); OutputStream out = resp.getOutputStream(); out.write(createXMLSignatureRequestOrRedirect.getBytes("UTF-8")); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index c82636a8f..30c206025 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -35,6 +35,8 @@ import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; import org.springframework.stereotype.Component; +import com.google.common.net.MediaType; + import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; @@ -176,8 +178,8 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { Logger.debug("Template merge done"); Logger.debug("Sending html content: " + writer.getBuffer().toString()); - - response.setContentType("text/html;charset=UTF-8"); + + response.setContentType(MediaType.HTML_UTF_8.toString()); response.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8")); revisionsLogger.logEvent(oaConfig, pendingReq, diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java index 29bc5ee12..5720e4827 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java @@ -32,6 +32,8 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import com.google.common.net.MediaType; + import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants; import at.gv.egovernment.moa.id.auth.modules.elgamandates.config.ELGAMandatesMetadataConfiguration; import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider; @@ -80,7 +82,7 @@ public class ELGAMandateMetadataController extends AbstractController { String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig); //write response - resp.setContentType("text/xml"); + resp.setContentType(MediaType.XML_UTF_8.toString()); resp.getOutputStream().write(xmlMetadata.getBytes("UTF-8")); resp.getOutputStream().close(); diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java index dd133e4fb..003ce8c21 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java @@ -39,6 +39,7 @@ import org.opensaml.saml2.core.Response; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import com.google.common.net.MediaType; import com.google.gson.JsonObject; import com.google.gson.JsonParser; @@ -216,7 +217,7 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { SSOTransferConstants.SSOCONTAINER_KEY_STATUS, "OK"); response.setStatus(HttpServletResponse.SC_OK); - response.setContentType("text/html;charset=UTF-8"); + response.setContentType(MediaType.HTML_UTF_8.toString()); PrintWriter out = new PrintWriter(response.getOutputStream()); out.print(responseMsg.toString()); out.flush(); diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java index 98240a636..02356d74a 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java @@ -32,6 +32,8 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import com.google.common.net.MediaType; + import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; import at.gv.egovernment.moa.id.auth.modules.federatedauth.config.FederatedAuthMetadataConfiguration; import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; @@ -80,7 +82,7 @@ public class FederatedAuthMetadataController extends AbstractController { String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig); //write response - resp.setContentType("text/xml"); + resp.setContentType(MediaType.XML_UTF_8.toString()); resp.getOutputStream().write(xmlMetadata.getBytes("UTF-8")); resp.getOutputStream().close(); diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java index b01ea666d..f00358d02 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java @@ -69,6 +69,8 @@ import org.w3c.dom.Element; import org.w3c.dom.NodeList; import org.xml.sax.SAXException; +import com.google.common.net.MediaType; + import at.gv.egovernment.moa.id.auth.builder.SAMLResponseBuilder; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; @@ -136,13 +138,13 @@ public class GetAuthenticationDataService extends AbstractController implements String respString = DOMUtils.serializeNode(soapResp, true); - resp.setContentType("text/xml;charset=UTF-8"); + resp.setContentType(MediaType.XML_UTF_8.toString()); context.put(CONTEXT_SOAP_ASSERTION, respString); evaluateTemplate(context, resp, TEMPLATE_SOAP_SUCCESS); } catch (ParserConfigurationException | SAXException | IOException | TransformerException e) { Logger.error("SAML1 GetAuthenticationData receive a non-valid request.", e); - resp.setContentType("text/xml;charset=UTF-8"); + resp.setContentType(MediaType.XML_UTF_8.toString()); context.put(CONTEXT_SOAP_ISSUEINSTANT, DateTimeUtils.buildDateTimeUTC(Calendar.getInstance())); context.put(CONTEXT_SOAP_RESPONSEID, Random.nextRandom()); @@ -153,7 +155,7 @@ public class GetAuthenticationDataService extends AbstractController implements } catch (SAML1AssertionResponseBuildException e) { Logger.error("SAML1 GetAuthenticationData response build failed..", e); - resp.setContentType("text/xml;charset=UTF-8"); + resp.setContentType(MediaType.XML_UTF_8.toString()); context.put(CONTEXT_SOAP_ISSUEINSTANT, e.getIssueInstant()); context.put(CONTEXT_SOAP_REQUESTEID, e.getRequestID()); @@ -187,17 +189,17 @@ public class GetAuthenticationDataService extends AbstractController implements if (wsdl_param != null) { //print wsdl - resp.setContentType("text/xml;charset=UTF-8"); + resp.setContentType(MediaType.XML_UTF_8.toString()); evaluateTemplate(context, resp, TEMPLATE_WSDL); } else if (xsd_param != null){ //print xsd - resp.setContentType("text/xml;charset=UTF-8"); + resp.setContentType(MediaType.XML_UTF_8.toString()); evaluateTemplate(context, resp, TEMPLATE_XSD); } else { //print plain info - resp.setContentType("text/html;charset=UTF-8"); + resp.setContentType(MediaType.XML_UTF_8.toString()); evaluateTemplate(context, resp, TEMPLATE_PLAIN_INFO); } -- cgit v1.2.3 From 33eeca29987b49448d9fa95a8ffd2306ff4ce783 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 11 May 2016 13:50:37 +0200 Subject: fix a minor flaw in prof. rep. textual OID description --- .../builder/attributes/MandateProfRepDescAttributeBuilder.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java index b4eed85d0..a611c72b9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java @@ -53,7 +53,10 @@ public class MandateProfRepDescAttributeBuilder implements IPVPAttributeBuilder profRepName = misMandate.getTextualDescriptionOfOID(); - if (MiscUtil.isEmpty(profRepName)) { + //only read textual prof. rep. OID describtion from mandate annotation + // if also OID exists + if (MiscUtil.isEmpty(profRepName) + && MiscUtil.isNotEmpty(misMandate.getProfRep())) { Element mandate = authData.getMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); -- cgit v1.2.3 From 9b9f042a25d3a1cde69f9dd4d576243317991a2a Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 11 May 2016 15:56:13 +0200 Subject: fix bug in PVP SLO functionality --- .../at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java index af6c79140..52bf16247 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java @@ -125,7 +125,10 @@ public class SingleLogOutAction implements IAction { String moasession = ssomanager.getMOASession(ssoID); try { session = authenticationSessionStorage.getSession(moasession); - + + if (session == null) + throw new MOADatabaseException(); + } catch (MOADatabaseException e) { Logger.info("Can not find active Session. Single LogOut not possible!"); SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq); -- cgit v1.2.3 From 6981edb4e01d3c2300b47429a1ab40f7eaa35c1b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 12 May 2016 15:44:10 +0200 Subject: fix possible nullPointer exception in process engine --- .../at/gv/egovernment/moa/id/process/ProcessEngineImpl.java | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/process/ProcessEngineImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/process/ProcessEngineImpl.java index f9986dccb..76e6605c1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/process/ProcessEngineImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/process/ProcessEngineImpl.java @@ -129,6 +129,11 @@ public class ProcessEngineImpl implements ProcessEngine { ProcessInstance pi = loadProcessInstance(pendingReq.getProcessInstanceId()); + if (pi == null ) { + throw new ProcessExecutionException("Process instance '" + pendingReq.getProcessInstanceId() + "' does not exist."); + + } + MDC.put(MDC_CTX_PI_NAME, pi.getId()); if (!ProcessInstanceState.NOT_STARTED.equals(pi.getState())) { @@ -164,6 +169,11 @@ public class ProcessEngineImpl implements ProcessEngine { ProcessInstance pi = loadProcessInstance(pendingReq.getProcessInstanceId()); + if (pi == null ) { + throw new ProcessExecutionException("Process instance '" + pendingReq.getProcessInstanceId() + "' does not exist."); + + } + MDC.put(MDC_CTX_PI_NAME, pi.getId()); if (!ProcessInstanceState.SUSPENDED.equals(pi.getState())) { -- cgit v1.2.3 From d196dc527712427d9ca865597f713a342ec01209 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 17 May 2016 11:27:40 +0200 Subject: use first AttributeConsumingService from PVP metadata if no one is selected in request or marked as default --- .../pvp2x/builder/assertion/PVP2AssertionBuilder.java | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 8ddd2cb39..200429093 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -208,8 +208,7 @@ public class PVP2AssertionBuilder implements PVPConstants { Integer aIdx = authnRequest.getAttributeConsumingServiceIndex(); int idx = 0; - AttributeConsumingService attributeConsumingService = null; - + AttributeConsumingService attributeConsumingService = null; if (aIdx != null) { idx = aIdx.intValue(); attributeConsumingService = spSSODescriptor @@ -223,6 +222,19 @@ public class PVP2AssertionBuilder implements PVPConstants { } } + /* + * TODO: maybe use first AttributeConsumingService if no is selected + * in request or on service is marked as default + * + */ + if (attributeConsumingService == null ) { + List attrConsumingServiceList = spSSODescriptor.getAttributeConsumingServices(); + if (attrConsumingServiceList != null && !attrConsumingServiceList.isEmpty()) + attributeConsumingService = attrConsumingServiceList.get(0); + + } + + if (attributeConsumingService != null) { Iterator it = attributeConsumingService .getRequestAttributes().iterator(); -- cgit v1.2.3 From f315d259b05c0a33461cc79108a726d93bcc2b3a Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 20 May 2016 10:03:01 +0200 Subject: fix problem with some SAML1 clients to request the SAML1 GetAuthenticationData SOAP service --- .../WebFrontEndSecurityInterceptor.java | 3 ++- .../saml1/GetAuthenticationDataService.java | 28 +++++++++++++++------- 2 files changed, 22 insertions(+), 9 deletions(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java index 87804ea6c..9fdec9fbb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java @@ -53,7 +53,8 @@ public class WebFrontEndSecurityInterceptor implements HandlerInterceptor { //only for SAML1 GetAuthenticationData webService functionality String requestedServlet = request.getServletPath(); - if (MiscUtil.isNotEmpty(requestedServlet) && requestedServlet.startsWith("/services/GetAuthenticationData")) { + if (MiscUtil.isNotEmpty(requestedServlet) && + requestedServlet.startsWith("/services")) { Logger.debug("SAML1 GetAuthenticationServices allow access without SSL"); return true; diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java index f00358d02..893799b5d 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java @@ -66,6 +66,7 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.w3c.dom.Element; +import org.w3c.dom.Node; import org.w3c.dom.NodeList; import org.xml.sax.SAXException; @@ -124,7 +125,8 @@ public class GetAuthenticationDataService extends AbstractController implements private static final String CONTEXT_SOAP_STATUSCODE = "statusCode"; private static final String CONTEXT_SOAP_ASSERTION = "assertion"; - @RequestMapping(value = "/services/GetAuthenticationData", method = {RequestMethod.POST}) + @RequestMapping(value = {"/services/GetAuthenticationData", "/services"}, + method = {RequestMethod.POST}) public void getAuthenticationData(HttpServletRequest req, HttpServletResponse resp) throws IOException { InputStream is = null; @@ -225,13 +227,23 @@ public class GetAuthenticationDataService extends AbstractController implements } } - //get first child from body --> should be the SAML1 Request element - Element saml1Req; - if (saml1ReqList.item(0).getFirstChild() instanceof Element) - saml1Req = (Element) saml1ReqList.item(0).getFirstChild(); - - else { - throw new SAXException("First child of 'soap-env:Body' element has a wrong type."); + //get the first child from body which is of type Element (SAML1 Request element) + Element saml1Req = null; + + Node reqObj = saml1ReqList.item(0).getFirstChild(); + while (reqObj != null) { + if (reqObj instanceof Element) { + saml1Req = (Element) reqObj; + break; + + } else { + reqObj = reqObj.getNextSibling(); + + } + } + + if (saml1Req == null) { + throw new SAXException("Every child of 'soap-env:Body' element has a wrong type."); } -- cgit v1.2.3 From cadf8aeca12cb25c84db6a740bc5587363191f1d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 7 Jun 2016 13:07:35 +0200 Subject: update local development demo appl. --- .../src/test/java/test/tlenz/simpletest.java | 197 +++++++++++++-------- 1 file changed, 128 insertions(+), 69 deletions(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/test/java/test/tlenz/simpletest.java b/id/server/idserverlib/src/test/java/test/tlenz/simpletest.java index 2c80b7ffd..05cd74ed2 100644 --- a/id/server/idserverlib/src/test/java/test/tlenz/simpletest.java +++ b/id/server/idserverlib/src/test/java/test/tlenz/simpletest.java @@ -1,23 +1,23 @@ package test.tlenz; -import java.io.File; import java.io.FileInputStream; -import java.io.InputStream; -import java.io.ObjectInputStream; -import java.net.URI; -import java.net.URISyntaxException; +import java.util.HashMap; +import java.util.List; -import org.w3c.dom.Element; +import org.apache.commons.io.IOUtils; +import org.w3c.dom.NodeList; -import iaik.asn1.structures.Name; -import iaik.utils.RFC2253NameParser; -import iaik.utils.RFC2253NameParserException; -import at.gv.egovernment.moa.id.auth.data.IdentityLink; -import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; -import at.gv.egovernment.moa.id.data.AuthenticationRole; -import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory; -import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; -import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.spss.api.SPSSFactory; +import at.gv.egovernment.moa.spss.api.SignatureVerificationService; +import at.gv.egovernment.moa.spss.api.common.Content; +import at.gv.egovernment.moa.spss.api.common.ContentBinary; +import at.gv.egovernment.moa.spss.api.common.ContentXML; +import at.gv.egovernment.moa.spss.api.common.InputData; +import at.gv.egovernment.moa.spss.api.common.SignerInfo; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifySignatureInfo; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifySignatureLocation; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest; +import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse; /******************************************************************************* * Copyright 2014 Federal Chancellery Austria @@ -62,71 +62,130 @@ import at.gv.egovernment.moa.util.DOMUtils; public class simpletest { // public static void main(String[] args) { - - URI fileURI = null; - try { - fileURI = new URI("file:c:/moa3/tomcat8/conf/moa-id/moa-id.properties"); - File propertiesFile = new File(fileURI); + try { + FileInputStream sigDocFIS = null; + sigDocFIS = new FileInputStream("D:/idl_test/identity_link.xml"); - InputStream in = new FileInputStream(propertiesFile); - ObjectInputStream testOIS = new ObjectInputStream(in); + SPSSFactory spssFac = SPSSFactory.getInstance(); + SignatureVerificationService sigVerifyService = SignatureVerificationService.getInstance(); + Content sigDocContent = spssFac.createContent(sigDocFIS, null); + + + // Position der zu pruefenden Signatur + HashMap nSMap = new HashMap(); + nSMap.put("dsig", "http://www.w3.org/2000/09/xmldsig#"); + VerifySignatureLocation sigLocation = spssFac.createVerifySignatureLocation("//dsig:Signature", nSMap); + + // Pruefrequest zusammenstellen + VerifySignatureInfo sigInfo = spssFac.createVerifySignatureInfo(sigDocContent, sigLocation); + VerifyXMLSignatureRequest verifyRequest = spssFac.createVerifyXMLSignatureRequest( + null, // Verwende aktuelle Zeit als Pruefzeit + sigInfo, + null, // Keine Ergaenzungsobjekte + null, // Signaturmanifest-Pruefung soll nicht durchgefuehrt werden + true, // Hash-Inputdaten, d.h. tatsaechlich signierte Daten werden nicht zurueckgeliefert + "MOAIDBuergerkarteAuthentisierungsDaten"); + + + VerifyXMLSignatureResponse verifyResponse = null; + verifyResponse = sigVerifyService.verifyXMLSignature(verifyRequest); + + SignerInfo signerInfo = verifyResponse.getSignerInfo(); + String signerCertificateEncoded = null; + + List hashInputDatas = verifyResponse.getHashInputDatas(); + if (hashInputDatas != null && !hashInputDatas.isEmpty()) { + for (Object el : hashInputDatas) { + InputData inputData = (InputData) el; + switch (inputData.getContentType()) { + case Content.XML_CONTENT : + ContentXML contentXml = (ContentXML) inputData; + NodeList input_XML = contentXml.getXMLContent(); + + break; + case Content.BINARY_CONTENT : + ContentBinary contentBinary = (ContentBinary) inputData; + String input_Binary = IOUtils.toString(contentBinary.getBinaryContent()); + + } + } + } + + - Object test = testOIS.readObject(); + } catch (Exception e) { - } catch (Exception e1) { - e1.printStackTrace(); - } - - try { - fileURI = new URI("file:/c:/moa3/tomcat8/conf/moa-id/moa-id.properties"); - File propertiesFile = new File(fileURI); - } catch (Exception e1) { - e1.printStackTrace(); - } - - try { - fileURI = new URI("file://c:/moa3/tomcat8/conf/moa-id/moa-id.properties"); - File propertiesFile = new File(fileURI); - } catch (Exception e1) { - e1.printStackTrace(); - } - - try { - fileURI = new URI("file:///c:/moa3/tomcat8/conf/moa-id/moa-id.properties"); - File propertiesFile = new File(fileURI); - } catch (Exception e1) { - e1.printStackTrace(); } - try { - InputStream s = new FileInputStream("D:/idl_test/identity_link.xml"); - Element idlTemplate = DOMUtils.parseXmlValidating(s); - - //resign IDL - IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); - Element resignedilAssertion = identitylinkresigner.resignIdentityLink(idlTemplate, "IDLSigning"); - IdentityLink identityLink = new IdentityLinkAssertionParser(resignedilAssertion).parseIdentityLink(); - - } catch (Exception e) { - System.out.println(e.getMessage()); - - } - String subjectName = "serialNumber=896929130327, givenName=OCSP, SN=Responder 03-1, CN=OCSP Responder 03-1, C=AT"; - try { - Name test = new RFC2253NameParser(subjectName).parse(); - - System.out.println(test.getRFC2253String()); - - } catch (RFC2253NameParserException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } +// URI fileURI = null; +// try { +// fileURI = new URI("file:c:/moa3/tomcat8/conf/moa-id/moa-id.properties"); +// File propertiesFile = new File(fileURI); +// +// InputStream in = new FileInputStream(propertiesFile); +// ObjectInputStream testOIS = new ObjectInputStream(in); +// +// Object test = testOIS.readObject(); +// +// +// } catch (Exception e1) { +// e1.printStackTrace(); +// } +// +// try { +// fileURI = new URI("file:/c:/moa3/tomcat8/conf/moa-id/moa-id.properties"); +// File propertiesFile = new File(fileURI); +// } catch (Exception e1) { +// e1.printStackTrace(); +// } +// +// try { +// fileURI = new URI("file://c:/moa3/tomcat8/conf/moa-id/moa-id.properties"); +// File propertiesFile = new File(fileURI); +// } catch (Exception e1) { +// e1.printStackTrace(); +// } +// +// try { +// fileURI = new URI("file:///c:/moa3/tomcat8/conf/moa-id/moa-id.properties"); +// File propertiesFile = new File(fileURI); +// } catch (Exception e1) { +// e1.printStackTrace(); +// } +// +// +// +// try { +// InputStream s = new FileInputStream("D:/idl_test/identity_link.xml"); +// Element idlTemplate = DOMUtils.parseXmlValidating(s); +// +// //resign IDL +// IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); +// Element resignedilAssertion = identitylinkresigner.resignIdentityLink(idlTemplate, "IDLSigning"); +// IdentityLink identityLink = new IdentityLinkAssertionParser(resignedilAssertion).parseIdentityLink(); +// +// } catch (Exception e) { +// System.out.println(e.getMessage()); +// +// } +// +// String subjectName = "serialNumber=896929130327, givenName=OCSP, SN=Responder 03-1, CN=OCSP Responder 03-1, C=AT"; +// +// try { +// Name test = new RFC2253NameParser(subjectName).parse(); +// +// System.out.println(test.getRFC2253String()); +// +// } catch (RFC2253NameParserException e) { +// // TODO Auto-generated catch block +// e.printStackTrace(); +// } // AuthenticationRole test = AuthenticationRoleFactory.buildFormPVPole("ecas-demo-EUROPEAN_COMMISSION(key=A\\,B)"); -- cgit v1.2.3 From 8778f159556fab8853eac6e9c97e659973be0d78 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 21 Jun 2016 11:23:31 +0200 Subject: refactor metadataprovider to Spring implementation --- .../config/ConfigurationProvider.java | 5 +- .../task/impl/ServicesProtocolPVP2XTask.java | 2 +- .../egovernment/moa/id/demoOA/Configuration.java | 4 +- .../moa/id/auth/IDestroyableObject.java | 36 ++++ .../moa/id/auth/IGarbageCollectorProcessing.java | 36 ++++ .../moa/id/auth/MOAGarbageCollector.java | 93 ++++++++++ .../moa/id/auth/MOAIDAuthInitializer.java | 4 - .../id/auth/builder/AuthenticationDataBuilder.java | 3 +- .../config/auth/IGarbageCollectorProcessing.java | 36 ---- .../moa/id/config/auth/MOAGarbageCollector.java | 77 --------- .../moa/id/moduls/AuthenticationManager.java | 5 +- .../gv/egovernment/moa/id/moduls/RequestImpl.java | 4 +- .../id/protocols/pvp2x/AttributQueryAction.java | 3 +- .../id/protocols/pvp2x/AuthenticationAction.java | 5 +- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 15 +- .../id/protocols/pvp2x/PVPTargetConfiguration.java | 9 +- .../id/protocols/pvp2x/binding/SoapBinding.java | 3 +- .../pvp2x/builder/SingleLogOutBuilder.java | 7 +- .../protocols/pvp2x/messages/InboundMessage.java | 10 +- .../pvp2x/metadata/MOAMetadataProvider.java | 190 +++++++++++++-------- .../pvp2x/metadata/SimpleMOAMetadataProvider.java | 2 +- .../pvp2x/verification/SAMLVerificationEngine.java | 6 +- .../main/resources/moaid.authentication.beans.xml | 19 ++- .../moa/id/module/test/TestRequestImpl.java | 4 +- .../egovernment/moa/id/commons/api/IRequest.java | 5 +- .../moa/id/auth/MOAContextCloseHandler.java | 166 ++++++++++++++++++ .../src/main/resources/applicationContext.xml | 3 + .../engine/MOAeIDASChainingMetadataProvider.java | 58 +++++-- .../eidas/tasks/GenerateAuthnRequestTask.java | 6 +- .../eidas/tasks/ReceiveAuthnResponseTask.java | 6 +- .../auth/modules/eidas/utils/SAMLEngineUtils.java | 4 +- .../moa/id/protocols/eidas/EIDASData.java | 3 +- .../moa/id/protocols/eidas/EIDASProtocol.java | 11 +- .../id/protocols/eidas/EidasMetaDataRequest.java | 6 +- .../eidas/eIDASAuthenticationRequest.java | 5 +- .../src/main/resources/moaid_eidas_auth.beans.xml | 3 + .../utils/ELGAMandateServiceMetadataProvider.java | 23 ++- .../oauth20/protocol/OAuth20AuthRequest.java | 3 +- .../oauth20/protocol/OAuth20TokenRequest.java | 3 +- .../tasks/CreateAuthnRequestTask.java | 4 +- .../tasks/ReceiveAuthnResponseTask.java | 10 +- .../moa/id/protocols/saml1/SAML1RequestImpl.java | 3 +- 42 files changed, 637 insertions(+), 263 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IDestroyableObject.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IGarbageCollectorProcessing.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAGarbageCollector.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IGarbageCollectorProcessing.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/MOAGarbageCollector.java create mode 100644 id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAContextCloseHandler.java (limited to 'id/server/idserverlib/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java index ab6c22858..41a82fe1e 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java @@ -22,8 +22,6 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.configuration.config; -import iaik.x509.X509Certificate; - import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; @@ -65,6 +63,7 @@ import at.gv.egovernment.moa.id.configuration.config.usermanagement.FileBasedUse import at.gv.egovernment.moa.id.configuration.utils.UserRequestCleaner; import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.MiscUtil; +import iaik.x509.X509Certificate; public class ConfigurationProvider { @@ -590,7 +589,7 @@ public class ConfigurationProvider { } } - idpMetadataProvider = new HTTPMetadataProvider(new Timer(), httpClient, metadataurl); + idpMetadataProvider = new HTTPMetadataProvider(new Timer(true), httpClient, metadataurl); idpMetadataProvider.setRequireValidMetadata(true); idpMetadataProvider.setParserPool(new BasicParserPool()); idpMetadataProvider.setMetadataFilter(new MetaDataVerificationFilter(idpCredential)); diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolPVP2XTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolPVP2XTask.java index c55c35da0..d69157553 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolPVP2XTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolPVP2XTask.java @@ -186,7 +186,7 @@ public class ServicesProtocolPVP2XTask extends AbstractTaskValidator implements BasicX509Credential credential = new BasicX509Credential(); credential.setEntityCertificate(cert); - timer = new Timer(); + timer = new Timer(true); httpClient = new MOAHttpClient(); if (metadataURL.startsWith("https:")) diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java index 85f16e11f..9be73b3f1 100644 --- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java +++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java @@ -255,7 +255,9 @@ public class Configuration { } //load IDP metadata into metadataprovider - idpMetadataProvider = new HTTPMetadataProvider(new Timer(), new HttpClient(), metadataurl); + idpMetadataProvider = new HTTPMetadataProvider( + new Timer("demoOA", true), + new HttpClient(), metadataurl); idpMetadataProvider.setRequireValidMetadata(true); idpMetadataProvider.setParserPool(new BasicParserPool()); idpMetadataProvider.setMetadataFilter(new MetaDataVerificationFilter(idpCredential)); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IDestroyableObject.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IDestroyableObject.java new file mode 100644 index 000000000..6f98357e2 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IDestroyableObject.java @@ -0,0 +1,36 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth; + +/** + * @author tlenz + * + */ +public interface IDestroyableObject { + /** + * Manually deep destroy a Java object with all child objects like timers and threads + * + */ + public void fullyDestroy(); + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IGarbageCollectorProcessing.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IGarbageCollectorProcessing.java new file mode 100644 index 000000000..27d142f2c --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IGarbageCollectorProcessing.java @@ -0,0 +1,36 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth; + +/** + * @author tlenz + * + */ +public interface IGarbageCollectorProcessing { + + /** + * This method gets executed by the MOA garbage collector at regular intervals. + * + */ + public void runGarbageCollector(); +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAGarbageCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAGarbageCollector.java new file mode 100644 index 000000000..52e30a2f0 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAGarbageCollector.java @@ -0,0 +1,93 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.auth; + + +import java.util.Iterator; +import java.util.Map; +import java.util.Map.Entry; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; +import org.springframework.scheduling.annotation.EnableScheduling; +import org.springframework.scheduling.annotation.Scheduled; +import org.springframework.stereotype.Service; + +import at.gv.egovernment.moa.logging.Logger; + +@Service("MOAGarbageCollector") +@EnableScheduling +public class MOAGarbageCollector implements Runnable { + + @Autowired ApplicationContext context; + + private static final long INTERVAL = 24 * 60 * 60 * 1000; // 24 hours + //private static final long INITAL_DELAY = 12 * 60 * 60 * 1000; // 12 hours + + private static final long INITAL_DELAY = 2 * 60 * 1000; // 12 hours + +// private static final List processModules = +// new ArrayList(); + + + @Scheduled(fixedRate = INTERVAL, initialDelay = INITAL_DELAY) + public void run() { + + Map processModules = + context.getBeansOfType(IGarbageCollectorProcessing.class); + + if (processModules != null) { + Iterator> interator = processModules.entrySet().iterator(); + while (interator.hasNext()) { + try { + interator.next().getValue().runGarbageCollector(); + + } catch (Throwable e1) { + Logger.warn("Garbage collection FAILED in some module.", e1); + + } + + } + } + } + +// /** +// * Add a module to MOA internal garbage collector. Every module is executed once a day +// * +// * @param modul Module which should be executed by the garbage collector. +// */ +// public static void addModulForGarbageCollection(IGarbageCollectorProcessing modul) { +// processModules.add(modul); +// +// } + +// public static void start() { +// // start the session cleanup thread +// Thread configLoader = new Thread(new MOAGarbageCollector(), "MOAGarbageCollector"); +// configLoader.setName("MOAGarbageCollectorr"); +// configLoader.setDaemon(true); +// configLoader.setPriority(Thread.MIN_PRIORITY); +// configLoader.start(); +// } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java index 8de283c9a..11f47052e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java @@ -36,13 +36,11 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.SSLUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; import at.gv.egovernment.moa.spss.server.iaik.config.IaikConfigurator; -import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moaspss.logging.LoggingContext; import at.gv.egovernment.moaspss.logging.LoggingContextManager; @@ -155,7 +153,5 @@ public class MOAIDAuthInitializer { Logger.debug(i + ": " + providerList[i].getName() + " Version " + providerList[i].getVersion()); } - - MOAGarbageCollector.start(); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 908c7e7b6..f980f299c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -106,6 +106,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { @Autowired protected AuthConfiguration authConfig; @Autowired private AttributQueryBuilder attributQueryBuilder; @Autowired private SAMLVerificationEngineSP samlVerificationEngine; + @Autowired(required=true) private MOAMetadataProvider metadataProvider; public IAuthData buildAuthenticationData(IRequest pendingReq, @@ -222,7 +223,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { try { samlVerificationEngine.verifyIDPResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine( - MOAMetadataProvider.getInstance())); + metadataProvider)); //create assertion attribute extractor from AttributeQuery response return new AssertionAttributeExtractor(intfResp); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IGarbageCollectorProcessing.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IGarbageCollectorProcessing.java deleted file mode 100644 index a1008e883..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IGarbageCollectorProcessing.java +++ /dev/null @@ -1,36 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.config.auth; - -/** - * @author tlenz - * - */ -public interface IGarbageCollectorProcessing { - - /** - * This method gets executed by the MOA garbage collector at regular intervals. - * - */ - public void runGarbageCollector(); -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/MOAGarbageCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/MOAGarbageCollector.java deleted file mode 100644 index 1072bec5c..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/MOAGarbageCollector.java +++ /dev/null @@ -1,77 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.config.auth; - - -import java.util.ArrayList; -import java.util.List; - -import at.gv.egovernment.moa.logging.Logger; - -public class MOAGarbageCollector implements Runnable { - - private static final long INTERVAL = 24 * 60 * 60; // 24 hours - private static final List processModules = - new ArrayList(); - - public void run() { - while (true) { - try { - Thread.sleep(INTERVAL * 1000); - - try { - for (IGarbageCollectorProcessing element : processModules) - element.runGarbageCollector(); - - } catch (Throwable e1) { - Logger.warn("Garbage collection FAILED in some module.", e1); - } - - } catch (Throwable e) { - Logger.warn("MOA-ID garbage collection is not possible, actually.", e); - - } finally { - - } - } - } - - /** - * Add a module to MOA internal garbage collector. Every module is executed once a day - * - * @param modul Module which should be executed by the garbage collector. - */ - public static void addModulForGarbageCollection(IGarbageCollectorProcessing modul) { - processModules.add(modul); - - } - - public static void start() { - // start the session cleanup thread - Thread configLoader = new Thread(new MOAGarbageCollector(), "MOAGarbageCollector"); - configLoader.setName("MOAGarbageCollectorr"); - configLoader.setDaemon(true); - configLoader.setPriority(Thread.MIN_PRIORITY); - configLoader.start(); - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 3c6042b51..34b250bf0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -104,7 +104,8 @@ public class AuthenticationManager extends MOAIDAuthConstants { @Autowired private SingleLogOutBuilder sloBuilder; @Autowired private SAMLVerificationEngineSP samlVerificationEngine; @Autowired private IGUIFormBuilder guiBuilder; - + @Autowired(required=true) private MOAMetadataProvider metadataProvider; + public void performSingleLogOut(HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException { performSingleLogOut(httpReq, httpResp, session, pvpReq, null); @@ -527,7 +528,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { } else { samlVerificationEngine.verifySLOResponse(sloResp, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance())); + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index 85e4dc99b..91ba49fe8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -32,6 +32,8 @@ import java.util.Map; import javax.servlet.http.HttpServletRequest; +import org.opensaml.saml2.metadata.provider.MetadataProvider; + import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils; import at.gv.egovernment.moa.id.commons.MOAIDConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; @@ -174,7 +176,7 @@ public abstract class RequestImpl implements IRequest, Serializable{ * * @return List of PVP 2.1 attribute names with maps all protocol specific attributes */ - public abstract Collection getRequestedAttributes(); + public abstract Collection getRequestedAttributes(MetadataProvider metadataProvider); public void setOAURL(String value) { oaURL = value; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index 98c6632f1..6375f26a3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -81,6 +81,7 @@ public class AttributQueryAction implements IAction { @Autowired private IDPCredentialProvider pvpCredentials; @Autowired private AuthConfiguration authConfig; @Autowired private MOASessionDBUtils moaSessionDBUtils; + @Autowired(required=true) private MOAMetadataProvider metadataProvider; private final static List DEFAULTSTORKATTRIBUTES = Arrays.asList( new String[]{PVPConstants.EID_STORK_TOKEN_NAME}); @@ -140,7 +141,7 @@ public class AttributQueryAction implements IAction { //build PVP 2.1 response Response authResponse = AuthResponseBuilder.buildResponse( - MOAMetadataProvider.getInstance(), issuerEntityID, attrQuery, date, + metadataProvider, issuerEntityID, attrQuery, date, assertion, authConfig.isPVP2AssertionEncryptionActive()); SoapBinding decoder = new SoapBinding(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java index 8de44a2e8..aac49844e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java @@ -61,6 +61,7 @@ import at.gv.egovernment.moa.logging.Logger; public class AuthenticationAction implements IAction { @Autowired IDPCredentialProvider pvpCredentials; @Autowired AuthConfiguration authConfig; + @Autowired(required=true) private MOAMetadataProvider metadataProvider; public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { @@ -70,7 +71,7 @@ public class AuthenticationAction implements IAction { //get basic information MOARequest moaRequest = (MOARequest) pvpRequest.getRequest(); AuthnRequest authnRequest = (AuthnRequest) moaRequest.getSamlRequest(); - EntityDescriptor peerEntity = moaRequest.getEntityMetadata(); + EntityDescriptor peerEntity = moaRequest.getEntityMetadata(metadataProvider); AssertionConsumerService consumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class); @@ -94,7 +95,7 @@ public class AuthenticationAction implements IAction { peerEntity, date, consumerService, sloInformation); Response authResponse = AuthResponseBuilder.buildResponse( - MOAMetadataProvider.getInstance(), issuerEntityID, authnRequest, + metadataProvider, issuerEntityID, authnRequest, date, assertion, authConfig.isPVP2AssertionEncryptionActive()); IEncoder binding = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 82e46b6ce..127284ae0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -104,6 +104,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { @Autowired IDPCredentialProvider pvpCredentials; @Autowired SAMLVerificationEngineSP samlVerificationEngine; + @Autowired(required=true) private MOAMetadataProvider metadataProvider; public static final String NAME = PVP2XProtocol.class.getName(); public static final String PATH = "id_pvp2x"; @@ -187,7 +188,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { //get POST-Binding decoder implementation InboundMessage msg = (InboundMessage) new PostBinding().decode( - req, resp, MOAMetadataProvider.getInstance(), false, + req, resp, metadataProvider, false, new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService(pendingReq.getAuthURL()))); pendingReq.setRequest(msg); @@ -240,7 +241,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { //get POST-Binding decoder implementation InboundMessage msg = (InboundMessage) new RedirectBinding().decode( - req, resp, MOAMetadataProvider.getInstance(), false, + req, resp, metadataProvider, false, new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService(pendingReq.getAuthURL()))); pendingReq.setRequest(msg); @@ -294,7 +295,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { //get POST-Binding decoder implementation InboundMessage msg = (InboundMessage) new SoapBinding().decode( - req, resp, MOAMetadataProvider.getInstance(), false, + req, resp, metadataProvider, false, new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService(pendingReq.getAuthURL()))); pendingReq.setRequest(msg); @@ -336,7 +337,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { if(!msg.isVerified()) { samlVerificationEngine.verify(msg, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance())); + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); msg.setVerified(true); } @@ -493,7 +494,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { msg = (MOARequest) inMsg; - EntityDescriptor metadata = msg.getEntityMetadata(); + EntityDescriptor metadata = msg.getEntityMetadata(metadataProvider); if(metadata == null) { throw new NoMetadataInformationException(); } @@ -643,7 +644,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { throw new MOAIDException("Unsupported request", new Object[] {}); } - EntityDescriptor metadata = moaRequest.getEntityMetadata(); + EntityDescriptor metadata = moaRequest.getEntityMetadata(metadataProvider); if(metadata == null) { throw new NoMetadataInformationException(); } @@ -735,7 +736,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { } } - String oaURL = moaRequest.getEntityMetadata().getEntityID(); + String oaURL = moaRequest.getEntityMetadata(metadataProvider).getEntityID(); oaURL = StringEscapeUtils.escapeHtml(oaURL); IOAAuthParameters oa = authConfig.getOnlineApplicationParameter(oaURL); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index e7f2a7d4b..caf66942e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -32,6 +32,7 @@ import org.opensaml.saml2.core.impl.AuthnRequestImpl; import org.opensaml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml2.metadata.RequestedAttribute; import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.context.annotation.Scope; import org.springframework.stereotype.Component; @@ -54,7 +55,6 @@ public class PVPTargetConfiguration extends RequestImpl { private static final long serialVersionUID = 4889919265919638188L; - InboundMessage request; String binding; String consumerURL; @@ -88,14 +88,14 @@ public class PVPTargetConfiguration extends RequestImpl { * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() */ @Override - public Collection getRequestedAttributes() { + public Collection getRequestedAttributes(MetadataProvider metadataProvider) { Map reqAttr = new HashMap(); for (String el : PVP2XProtocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION) reqAttr.put(el, ""); try { - SPSSODescriptor spSSODescriptor = getRequest().getEntityMetadata().getSPSSODescriptor(SAMLConstants.SAML20P_NS); + SPSSODescriptor spSSODescriptor = getRequest().getEntityMetadata(metadataProvider).getSPSSODescriptor(SAMLConstants.SAML20P_NS); if (spSSODescriptor.getAttributeConsumingServices() != null && spSSODescriptor.getAttributeConsumingServices().size() > 0) { @@ -139,5 +139,6 @@ public class PVPTargetConfiguration extends RequestImpl { } - } + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index 25b22f0ad..94d91694a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -62,6 +62,7 @@ import at.gv.egovernment.moa.util.MiscUtil; public class SoapBinding implements IDecoder, IEncoder { + @Autowired(required=true) private MOAMetadataProvider metadataProvider; @Autowired private IDPCredentialProvider credentialProvider; public InboundMessageInterface decode(HttpServletRequest req, @@ -109,7 +110,7 @@ public class SoapBinding implements IDecoder, IEncoder { RequestAbstractType attributeRequest = (RequestAbstractType) attrReq; try { if (MiscUtil.isNotEmpty(attributeRequest.getIssuer().getValue()) && - MOAMetadataProvider.getInstance().getRole( + metadataProvider.getRole( attributeRequest.getIssuer().getValue(), SPSSODescriptor.DEFAULT_ELEMENT_NAME) != null) request.setEntityID(attributeRequest.getIssuer().getValue()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index e5c897aa6..de59e6055 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -94,8 +94,9 @@ import at.gv.egovernment.moa.logging.Logger; @Service("PVP_SingleLogOutBuilder") public class SingleLogOutBuilder { + @Autowired(required=true) private MOAMetadataProvider metadataProvider; @Autowired private IDPCredentialProvider credentialProvider; - + public void checkStatusCode(ISLOInformationContainer sloContainer, LogoutResponse logOutResp) { Status status = logOutResp.getStatus(); if (!status.getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { @@ -353,7 +354,7 @@ public class SingleLogOutBuilder { public SingleLogoutService getRequestSLODescriptor(String entityID) throws NOSLOServiceDescriptorException { try { - EntityDescriptor entity = MOAMetadataProvider.getInstance().getEntityDescriptor(entityID); + EntityDescriptor entity = metadataProvider.getEntityDescriptor(entityID); SSODescriptor spsso = entity.getSPSSODescriptor(SAMLConstants.SAML20P_NS); SingleLogoutService sloService = null; @@ -394,7 +395,7 @@ public class SingleLogOutBuilder { public SingleLogoutService getResponseSLODescriptor(PVPTargetConfiguration spRequest) throws NoMetadataInformationException, NOSLOServiceDescriptorException { MOARequest moaReq = (MOARequest) spRequest.getRequest(); - EntityDescriptor metadata = moaReq.getEntityMetadata(); + EntityDescriptor metadata = moaReq.getEntityMetadata(metadataProvider); SSODescriptor ssodesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); if (ssodesc == null) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessage.java index 332caf967..8c8345bbf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessage.java @@ -25,11 +25,11 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.messages; import java.io.Serializable; import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.w3c.dom.Element; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.logging.Logger; /** @@ -46,10 +46,12 @@ public class InboundMessage implements InboundMessageInterface, Serializable{ private String relayState = null; - public EntityDescriptor getEntityMetadata() throws NoMetadataInformationException { - + public EntityDescriptor getEntityMetadata(MetadataProvider metadataProvider) throws NoMetadataInformationException { try { - return MOAMetadataProvider.getInstance().getEntityDescriptor(this.entityID); + if (metadataProvider == null) + throw new NullPointerException("No PVP MetadataProvider found."); + + return metadataProvider.getEntityDescriptor(this.entityID); } catch (MetadataProviderException e) { Logger.warn("No Metadata for EntitiyID " + entityID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 3002ca179..19adfe4c4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -44,13 +44,14 @@ import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider; import org.opensaml.xml.XMLObject; +import org.springframework.stereotype.Service; +import at.gv.egovernment.moa.id.auth.IDestroyableObject; +import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing; -import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; @@ -58,65 +59,85 @@ import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; +@Service("PVPMetadataProvider") public class MOAMetadataProvider extends SimpleMOAMetadataProvider - implements ObservableMetadataProvider, IGarbageCollectorProcessing, IMOARefreshableMetadataProvider { + implements ObservableMetadataProvider, IGarbageCollectorProcessing, + IMOARefreshableMetadataProvider, IDestroyableObject { - private static MOAMetadataProvider instance = null; + //private static final int METADATA_GARBAGE_TIMEOUT_SEC = 604800; //7 days + +// private static MOAMetadataProvider instance = null; + MetadataProvider internalProvider = null; private static Object mutex = new Object(); + //private Map lastAccess = null; - public static MOAMetadataProvider getInstance() { - if (instance == null) { - synchronized (mutex) { - if (instance == null) { - instance = new MOAMetadataProvider(); - - //add this to MOA garbage collector - MOAGarbageCollector.addModulForGarbageCollection(instance); - - } - } - } - return instance; + public MOAMetadataProvider() { + internalProvider = new ChainingMetadataProvider(); + //lastAccess = new HashMap(); + } +// public static MOAMetadataProvider getInstance() { +// if (instance == null) { +// synchronized (mutex) { +// if (instance == null) { +// instance = new MOAMetadataProvider(); +// +// //add this to MOA garbage collector +// MOAGarbageCollector.addModulForGarbageCollection(instance); +// +// } +// } +// } +// return instance; +// } + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing#runGarbageCollector() */ @Override public void runGarbageCollector() { - reInitialize(); - - } - - private static void reInitialize() { synchronized (mutex) { /**add new Metadataprovider or remove Metadataprovider which are not in use any more.**/ - if (instance != null) - try { - Logger.trace("Check consistence of PVP2X metadata"); - instance.addAndRemoveMetadataProvider(); + try { + Logger.trace("Check consistence of PVP2X metadata"); + addAndRemoveMetadataProvider(); - } catch (ConfigurationException e) { - Logger.error("Access to MOA-ID configuration FAILED.", e); + } catch (ConfigurationException e) { + Logger.error("Access to MOA-ID configuration FAILED.", e); - } - else - Logger.info("MOAMetadataProvider is not loaded."); + } } + } - public static void destroy() { - if (instance != null) { - instance.internalDestroy(); + +// private static void reInitialize() { +// synchronized (mutex) { +// +// /**add new Metadataprovider or remove Metadataprovider which are not in use any more.**/ +// if (instance != null) +// try { +// Logger.trace("Check consistence of PVP2X metadata"); +// instance.addAndRemoveMetadataProvider(); +// +// } catch (ConfigurationException e) { +// Logger.error("Access to MOA-ID configuration FAILED.", e); +// +// } +// else +// Logger.info("MOAMetadataProvider is not loaded."); +// } +// } + + public void fullyDestroy() { + internalDestroy(); - } else { - Logger.info("MOAMetadataProvider is not loaded. Accordingly it can not be destroyed"); - } } - MetadataProvider internalProvider; + @Override public boolean refreshMetadataProvider(String entityID) { @@ -208,7 +229,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider private void addAndRemoveMetadataProvider() throws ConfigurationException { if (internalProvider != null && internalProvider instanceof ChainingMetadataProvider) { - Logger.info("Relaod MOAMetaDataProvider."); + Logger.info("Reload MOAMetaDataProvider."); /*OpenSAML ChainingMetadataProvider can not remove a MetadataProvider (UnsupportedOperationException) *The ChainingMetadataProvider use internal a unmodifiableList to hold all registrated MetadataProviders.*/ @@ -217,7 +238,19 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider //get all actually loaded metadata providers Map loadedproviders = getAllActuallyLoadedProviders(); - + + /* TODO: maybe add metadata provider destroy after timeout. + * But could be a problem if one Metadataprovider load an EntitiesDescriptor + * with more the multiple EntityDescriptors. If one of this EntityDesciptors + * are expired the full EntitiesDescriptor is removed. + * + * Timeout requires a better solution in this case! + */ +// Date now = new Date(); +// Date expioredate = new Date(now.getTime() - (METADATA_GARBAGE_TIMEOUT_SEC * 1000)); +// Logger.debug("Starting PVP Metadata garbag collection (Expioredate:" +// + expioredate + ")"); + //load all PVP2 OAs form ConfigurationDatabase and //compare actually loaded Providers with configured PVP2 OAs Map allOAs = AuthConfigurationProviderFactory.getInstance().getConfigurationWithWildCard( @@ -238,30 +271,31 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider HTTPMetadataProvider httpProvider = null; try { if (MiscUtil.isNotEmpty(metadataurl)) { - if (loadedproviders.containsKey(metadataurl)) { + if (loadedproviders.containsKey(metadataurl)) { // PVP2 OA is actually loaded, to nothing providersinuse.put(metadataurl, loadedproviders.get(metadataurl)); loadedproviders.remove(metadataurl); - } else if ( MiscUtil.isNotEmpty(metadataurl) && - !providersinuse.containsKey(metadataurl) ) { - //PVP2 OA is new, add it to MOAMetadataProvider - String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); - if (MiscUtil.isNotEmpty(certBase64)) { - byte[] cert = Base64Utils.decode(certBase64, false); - String oaFriendlyName = oaParam.getFriendlyName(); - - - Logger.info("Loading metadata for: " + oaFriendlyName); - httpProvider = createNewHTTPMetaDataProvider( - metadataurl, - buildMetadataFilterChain(oaParam, metadataurl, cert), - oaFriendlyName); - - if (httpProvider != null) - providersinuse.put(metadataurl, httpProvider); - } + //INFO: load metadata dynamically if they are requested +// } else if ( MiscUtil.isNotEmpty(metadataurl) && +// !providersinuse.containsKey(metadataurl) ) { +// //PVP2 OA is new, add it to MOAMetadataProvider +// String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); +// if (MiscUtil.isNotEmpty(certBase64)) { +// byte[] cert = Base64Utils.decode(certBase64, false); +// String oaFriendlyName = oaParam.getFriendlyName(); +// +// +// Logger.info("Loading metadata for: " + oaFriendlyName); +// httpProvider = createNewHTTPMetaDataProvider( +// metadataurl, +// buildMetadataFilterChain(oaParam, metadataurl, cert), +// oaFriendlyName); +// +// if (httpProvider != null) +// providersinuse.put(metadataurl, httpProvider); +// } } } @@ -339,15 +373,21 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider } } - instance = null; + internalProvider = new ChainingMetadataProvider(); } else { Logger.warn("ReInitalize MOAMetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy"); } } - private MOAMetadataProvider() { + @Deprecated + /** + * Load all PVP metadata from OA configuration + * + * This method is deprecated because OA metadata should be loaded dynamically + * if the corresponding OA is requested. + */ + private void loadAllPVPMetadataFromKonfiguration() { ChainingMetadataProvider chainProvider = new ChainingMetadataProvider(); - Logger.info("Loading metadata"); Map providersinuse = new HashMap(); try { @@ -417,14 +457,15 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider + e.getMessage(), e); } + internalProvider = chainProvider; + } catch (ConfigurationException e) { Logger.error("Access MOA-ID configuration FAILED.", e); } - - internalProvider = chainProvider; + } - + private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException { PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate); filterChain.getFilters().add(new SchemaValidationFilter()); @@ -505,17 +546,30 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider } +// if (entityDesc != null) +// lastAccess.put(entityID, new Date()); + return entityDesc; } public List getRole(String entityID, QName roleName) - throws MetadataProviderException { - return internalProvider.getRole(entityID, roleName); + throws MetadataProviderException { + List result = internalProvider.getRole(entityID, roleName); + +// if (result != null) +// lastAccess.put(entityID, new Date()); + + return result; } public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol) throws MetadataProviderException { - return internalProvider.getRole(entityID, roleName, supportedProtocol); + RoleDescriptor result = internalProvider.getRole(entityID, roleName, supportedProtocol); + +// if (result != null) +// lastAccess.put(entityID, new Date()); + + return result; } /* (non-Javadoc) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java index 442455d4b..8261a86c1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java @@ -81,7 +81,7 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{ } } - timer = new Timer(); + timer = new Timer(true); httpProvider = new HTTPMetadataProvider(timer, httpClient, metadataURL); httpProvider.setParserPool(new BasicParserPool()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index f384dd511..f6104bdeb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -41,6 +41,7 @@ import org.opensaml.xml.security.criteria.EntityIDCriteria; import org.opensaml.xml.security.criteria.UsageCriteria; import org.opensaml.xml.signature.SignatureTrustEngine; import org.opensaml.xml.validation.ValidationException; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import org.w3c.dom.Element; import org.xml.sax.SAXException; @@ -56,6 +57,8 @@ import at.gv.egovernment.moa.util.MiscUtil; @Service("SAMLVerificationEngine") public class SAMLVerificationEngine { + + @Autowired(required=true) MOAMetadataProvider metadataProvider; public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { try { @@ -72,7 +75,8 @@ public class SAMLVerificationEngine { } Logger.debug("PVP2X message validation FAILED. Relead metadata for entityID: " + msg.getEntityID()); - if (!MOAMetadataProvider.getInstance().refreshMetadataProvider(msg.getEntityID())) + + if (metadataProvider == null || !metadataProvider.refreshMetadataProvider(msg.getEntityID())) throw e; else { diff --git a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml index cd5fe6acf..4201d31b1 100644 --- a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml +++ b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml @@ -5,10 +5,16 @@ xmlns:tx="http://www.springframework.org/schema/tx" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:p="http://www.springframework.org/schema/p" + xmlns:task="http://www.springframework.org/schema/task" xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd - http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"> + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd + http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-3.0.xsd"> + + + + @@ -54,7 +60,16 @@ class="at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger"/> + class="at.gv.egovernment.moa.id.auth.AuthenticationSessionCleaner"/> + + + + getRequestedAttributes() { + public Collection getRequestedAttributes(MetadataProvider metadataProvider) { // TODO Auto-generated method stub return null; } diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IRequest.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IRequest.java index b23b4474b..25919a937 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IRequest.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IRequest.java @@ -24,6 +24,8 @@ package at.gv.egovernment.moa.id.commons.api; import java.util.Collection; +import org.opensaml.saml2.metadata.provider.MetadataProvider; + import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException; public interface IRequest { @@ -193,9 +195,10 @@ public interface IRequest { /** * This method get a Set of PVP 2.1 attribute, which are request by this pending-request. + * @param metadataProvider SAML2 Metadata Provider, or null if no metadata provider is required * * @return A set of PVP attribute names or null if no attributes are requested * or the Service Provider, which sends this request needs no attributes */ - public Collection getRequestedAttributes(); + public Collection getRequestedAttributes(MetadataProvider metadataProvider); } diff --git a/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAContextCloseHandler.java b/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAContextCloseHandler.java new file mode 100644 index 000000000..f99013082 --- /dev/null +++ b/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAContextCloseHandler.java @@ -0,0 +1,166 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth; + +import java.util.Iterator; +import java.util.Map; +import java.util.Map.Entry; +import java.util.concurrent.TimeUnit; + +import org.springframework.beans.BeansException; +import org.springframework.beans.factory.config.BeanPostProcessor; +import org.springframework.context.ApplicationContext; +import org.springframework.context.ApplicationContextAware; +import org.springframework.context.ApplicationListener; +import org.springframework.context.event.ContextClosedEvent; +import org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor; +import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler; +import org.springframework.stereotype.Component; + +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +@Component +public class MOAContextCloseHandler implements ApplicationListener, ApplicationContextAware, BeanPostProcessor { + + private ApplicationContext context; + + /* (non-Javadoc) + * @see org.springframework.context.ApplicationListener#onApplicationEvent(org.springframework.context.ApplicationEvent) + */ + @Override + public void onApplicationEvent(ContextClosedEvent arg0) { + Logger.info("MOA-ID-Auth shutdown process started ..."); + + try { + Logger.debug("CleanUp objects with implements the IDestroyable interface ... "); + Map objectsToDestroy = context.getBeansOfType(IDestroyableObject.class); + if (objectsToDestroy != null) { + Iterator> interator = + objectsToDestroy.entrySet().iterator(); + while (interator.hasNext()) { + Entry object = interator.next(); + try { + object.getValue().fullyDestroy(); + Logger.debug("Object with ID:" + object.getKey() + " is destroyed"); + + } catch (Exception e) { + Logger.warn("Destroing object with ID:" + object.getKey() + " FAILED!", e); + + } + } + } + Logger.info("Object cleanUp complete"); + + Logger.debug("Stopping Spring Thread-Pools ... "); + //shut-down task schedulers + Map schedulers = context.getBeansOfType(ThreadPoolTaskScheduler.class); + for (ThreadPoolTaskScheduler scheduler : schedulers.values()) { + scheduler.getScheduledExecutor().shutdown(); + try { + scheduler.getScheduledExecutor().awaitTermination(20000, TimeUnit.MILLISECONDS); + if(scheduler.getScheduledExecutor().isTerminated() || scheduler.getScheduledExecutor().isShutdown()) + Logger.debug("Scheduler "+scheduler.getThreadNamePrefix() + " has stoped"); + else{ + Logger.debug("Scheduler "+scheduler.getThreadNamePrefix() + " has not stoped normally and will be shut down immediately"); + scheduler.getScheduledExecutor().shutdownNow(); + Logger.info("Scheduler "+scheduler.getThreadNamePrefix() + " has shut down immediately"); + } + } catch (IllegalStateException e) { + e.printStackTrace(); + } catch (InterruptedException e) { + e.printStackTrace(); + + } finally { + scheduler.shutdown(); + + } + } + + //shut-down task executors + Map executers = context.getBeansOfType(ThreadPoolTaskExecutor.class); + for (ThreadPoolTaskExecutor executor: executers.values()) { + int retryCount = 0; + while(executor.getActiveCount()>0 && ++retryCount<51){ + try { + Logger.debug("Executer "+executor.getThreadNamePrefix()+" is still working with active " + executor.getActiveCount()+" work. Retry count is "+retryCount); + Thread.sleep(1000); + } catch (InterruptedException e) { + e.printStackTrace(); + } + } + if(!(retryCount<51)) + Logger.debug("Executer "+executor.getThreadNamePrefix()+" is still working.Since Retry count exceeded max value "+retryCount+", will be killed immediately"); + executor.shutdown(); + Logger.debug("Executer "+executor.getThreadNamePrefix()+" with active " + executor.getActiveCount()+" work has killed"); + } + + Logger.debug("Spring Thread-Pools stopped"); + + Logger.info("MOA-ID-Auth shutdown process finished"); + + } catch (Exception e) { + Logger.warn("MOA-ID-Auth shutdown process has an error.", e); + + } + + //System.exit(0); + //Thread.currentThread().interrupt(); + + } + + /* (non-Javadoc) + * @see org.springframework.beans.factory.config.BeanPostProcessor#postProcessAfterInitialization(java.lang.Object, java.lang.String) + */ + @Override + public Object postProcessAfterInitialization(Object arg0, String arg1) throws BeansException { + if(arg0 instanceof ThreadPoolTaskScheduler) + ((ThreadPoolTaskScheduler)arg0).setWaitForTasksToCompleteOnShutdown(true); + if(arg0 instanceof ThreadPoolTaskExecutor) + ((ThreadPoolTaskExecutor)arg0).setWaitForTasksToCompleteOnShutdown(true); + return arg0; + + } + + /* (non-Javadoc) + * @see org.springframework.beans.factory.config.BeanPostProcessor#postProcessBeforeInitialization(java.lang.Object, java.lang.String) + */ + @Override + public Object postProcessBeforeInitialization(Object arg0, String arg1) throws BeansException { + return arg0; + + } + + /* (non-Javadoc) + * @see org.springframework.context.ApplicationContextAware#setApplicationContext(org.springframework.context.ApplicationContext) + */ + @Override + public void setApplicationContext(ApplicationContext arg0) throws BeansException { + this.context = arg0; + + } + +} diff --git a/id/server/moa-id-spring-initializer/src/main/resources/applicationContext.xml b/id/server/moa-id-spring-initializer/src/main/resources/applicationContext.xml index ae38c836e..2c53d55b9 100644 --- a/id/server/moa-id-spring-initializer/src/main/resources/applicationContext.xml +++ b/id/server/moa-id-spring-initializer/src/main/resources/applicationContext.xml @@ -27,5 +27,8 @@ + + diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java index 80a2734f2..f062ad3c2 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java @@ -25,14 +25,15 @@ import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider; import org.opensaml.xml.XMLObject; +import org.springframework.stereotype.Service; +import at.gv.egovernment.moa.id.auth.IDestroyableObject; +import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing; -import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter; @@ -41,34 +42,56 @@ import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import eu.eidas.auth.engine.AbstractSAMLEngine; -public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider, IGarbageCollectorProcessing { +@Service("eIDASMetadataProvider") +public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider, + IGarbageCollectorProcessing, IDestroyableObject { - private static MOAeIDASChainingMetadataProvider instance = null; +// private static MOAeIDASChainingMetadataProvider instance = null; private static Object mutex = new Object(); private MetadataProvider internalProvider; private Map lastAccess = null; - public static MOAeIDASChainingMetadataProvider getInstance() { - if (instance == null) { - synchronized (mutex) { - if (instance == null) { - instance = new MOAeIDASChainingMetadataProvider(); - MOAGarbageCollector.addModulForGarbageCollection(instance); - } - } - } - return instance; - } +// public static MOAeIDASChainingMetadataProvider getInstance() { +// if (instance == null) { +// synchronized (mutex) { +// if (instance == null) { +// instance = new MOAeIDASChainingMetadataProvider(); +// MOAGarbageCollector.addModulForGarbageCollection(instance); +// } +// } +// } +// return instance; +// } - private MOAeIDASChainingMetadataProvider() { + public MOAeIDASChainingMetadataProvider() { internalProvider = new ChainingMetadataProvider(); lastAccess = new HashMap(); } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.IDestroyableObject#fullyDestroy() + */ + @Override + public void fullyDestroy() { + Map loadedproviders = getAllActuallyLoadedProviders(); + if (loadedproviders != null) { + for (Entry el : loadedproviders.entrySet()) { + try { + el.getValue().destroy(); + Logger.debug("Destroy eIDAS Matadataprovider: " + el.getKey() + " finished"); + + } catch (Exception e) { + Logger.warn("Destroy eIDAS Matadataprovider: " + el.getKey() + " FAILED"); + + } + } + } + } + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing#runGarbageCollector() */ @@ -196,7 +219,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi } } - timer = new Timer(); + timer = new Timer(true); httpProvider = new HTTPMetadataProvider(timer, httpClient, metadataURL); httpProvider.setParserPool(AbstractSAMLEngine.getNewBasicSecuredParserPool()); @@ -405,5 +428,4 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi if (observer != null) observer.onEvent(this); } - } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index 30c206025..2f10df540 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -33,6 +33,7 @@ import org.apache.commons.lang3.StringUtils; import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import com.google.common.net.MediaType; @@ -43,6 +44,7 @@ import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; +import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; @@ -70,6 +72,8 @@ import eu.eidas.engine.exceptions.EIDASSAMLEngineException; @Component("GenerateAuthnRequestTask") public class GenerateAuthnRequestTask extends AbstractAuthServletTask { + @Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider; + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) */ @@ -127,7 +131,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { pAttList.add(newAttribute); } - EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(); + EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider); //build eIDAS AuthnRequest EIDASAuthnRequest authnRequest = new EIDASAuthnRequest(); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java index fae06031a..daa4d8b02 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java @@ -4,6 +4,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.opensaml.saml2.core.StatusCode; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; @@ -11,6 +12,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; +import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.eIDASResponseNotSuccessException; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAPersonalAttributeList; @@ -29,6 +31,8 @@ import eu.eidas.engine.exceptions.EIDASSAMLEngineException; @Component("ReceiveAuthnResponseTask") public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { + @Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider; + @Override public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException { @@ -48,7 +52,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { byte[] decSamlToken = EIDASUtil.decodeSAMLToken(base64SamlToken); //get eIDAS SAML-engine - EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(); + EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider); //validate SAML token EIDASAuthnResponse samlResp = engine.validateEIDASAuthnResponse(decSamlToken, diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java index eeb8305cf..68640caf7 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java @@ -42,7 +42,7 @@ public class SAMLEngineUtils { private static EIDASSAMLEngine eIDASEngine = null; - public static synchronized EIDASSAMLEngine createSAMLEngine() throws EIDASEngineException{ + public static synchronized EIDASSAMLEngine createSAMLEngine(MOAeIDASChainingMetadataProvider moaeIDASMetadataProvider) throws EIDASEngineException{ if (eIDASEngine == null) { try { @@ -56,7 +56,7 @@ public class SAMLEngineUtils { //set metadata management to eIDAS SAMLengine engine.setMetadataProcessor( new MOAeIDASMetadataProviderDecorator( - MOAeIDASChainingMetadataProvider.getInstance())); + moaeIDASMetadataProvider)); //set MOA specific extension processor ExtensionProcessorI extensionProcessor = new MOAeIDAsExtensionProcessor(); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASData.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASData.java index 563c3a18c..4dffba575 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASData.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASData.java @@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.protocols.eidas; import java.util.Collection; +import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.context.annotation.Scope; import org.springframework.stereotype.Component; @@ -29,7 +30,7 @@ public class EIDASData extends RequestImpl { private String remoteRelayState; @Override - public Collection getRequestedAttributes() { + public Collection getRequestedAttributes(MetadataProvider metadataProvider) { // TODO Auto-generated method stub return null; } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 24134f1d9..379a16a96 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -34,6 +34,7 @@ import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.metadata.AssertionConsumerService; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.MediaType; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; @@ -74,6 +75,8 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { public static final String NAME = EIDASProtocol.class.getName(); public static final String PATH = "eidas"; + @Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider; + public EIDASProtocol() { super(); Logger.debug("Registering servlet " + getClass().getName() + @@ -170,7 +173,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { try { //get eIDAS SAML-engine - EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(); + EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider); //validate SAML token EIDASAuthnRequest samlReq = engine.validateEIDASAuthnRequest(decSamlToken); @@ -197,7 +200,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { String reqDestination = samlReq.getDestination(); if (MiscUtil.isNotEmpty(reqDestination)) { boolean isValid = false; - List allowedAssertionConsumerUrl = new MOAeIDASMetadataProviderDecorator(MOAeIDASChainingMetadataProvider.getInstance()) + List allowedAssertionConsumerUrl = new MOAeIDASMetadataProviderDecorator(eIDASMetadataProvider) .getSPSSODescriptor(samlReq.getIssuer()).getAssertionConsumerServices(); for (AssertionConsumerService el : allowedAssertionConsumerUrl) { @@ -279,11 +282,11 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { } - EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(); + EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider); if(null == eidasReq.getEidasRequest().getAssertionConsumerServiceURL()) { String assertionConsumerUrl = MetadataUtil.getAssertionUrlFromMetadata( - new MOAeIDASMetadataProviderDecorator(MOAeIDASChainingMetadataProvider.getInstance()), + new MOAeIDASMetadataProviderDecorator(eIDASMetadataProvider), engine, eidasReq.getEidasRequest()); eidasReq.getEidasRequest().setAssertionConsumerServiceURL(assertionConsumerUrl); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java index b4db5c83d..3fc13406c 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java @@ -23,10 +23,12 @@ import javax.servlet.http.HttpServletResponse; import org.opensaml.saml2.metadata.ContactPerson; import org.opensaml.saml2.metadata.Organization; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.MediaType; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; +import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; import at.gv.egovernment.moa.id.commons.api.IRequest; @@ -50,6 +52,8 @@ import eu.eidas.engine.exceptions.SAMLEngineException; @Service("EidasMetaDataRequest") public class EidasMetaDataRequest implements IAction { + @Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider; + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.data.IAuthData) */ @@ -103,7 +107,7 @@ public class EidasMetaDataRequest implements IAction { public String generateMetadata(String metadata_url, String sp_return_url) throws SAMLEngineException, EIDASEngineException{ String metadata="invalid metadata"; - EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(); + EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider); MetadataGenerator generator = new MetadataGenerator(); MetadataConfigParams mcp=new MetadataConfigParams(); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java index 9943cc5fb..8289e18d2 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java @@ -68,6 +68,7 @@ import eu.eidas.auth.engine.metadata.MetadataUtil; public class eIDASAuthenticationRequest implements IAction { @Autowired protected MOAReversionLogger revisionsLogger; + @Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider; @Override public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { @@ -116,7 +117,7 @@ public class eIDASAuthenticationRequest implements IAction { String token = null; try { - EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(); + EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider); // encryption is done by the SamlEngine, i.e. by the module we provide in the config // but we need to set the appropriate request issuer @@ -125,7 +126,7 @@ public class eIDASAuthenticationRequest implements IAction { if(null == eidasRequest.getEidasRequest().getAssertionConsumerServiceURL()) { String assertionConsumerUrl = MetadataUtil.getAssertionUrlFromMetadata( - new MOAeIDASMetadataProviderDecorator(MOAeIDASChainingMetadataProvider.getInstance()), + new MOAeIDASMetadataProviderDecorator(eIDASMetadataProvider), engine, eidasRequest.getEidasRequest()); eidasRequest.getEidasRequest().setAssertionConsumerServiceURL(assertionConsumerUrl); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/moaid_eidas_auth.beans.xml b/id/server/modules/moa-id-module-eIDAS/src/main/resources/moaid_eidas_auth.beans.xml index 5d79d082a..20395f210 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/resources/moaid_eidas_auth.beans.xml +++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/moaid_eidas_auth.beans.xml @@ -14,6 +14,9 @@ + + getRequestedAttributes() { + public Collection getRequestedAttributes(MetadataProvider metadataProvider) { Map reqAttr = new HashMap(); for (String el : PVP2XProtocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION) reqAttr.put(el, ""); diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java index f35de9c58..50638ebf8 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java @@ -26,6 +26,7 @@ import java.util.Collection; import javax.servlet.http.HttpServletRequest; +import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.context.annotation.Scope; import org.springframework.stereotype.Component; @@ -168,7 +169,7 @@ class OAuth20TokenRequest extends OAuth20BaseRequest { * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() */ @Override - public Collection getRequestedAttributes() { + public Collection getRequestedAttributes(MetadataProvider metadataProvider) { return null; } } diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java index d581e7e75..f5896bc25 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java @@ -62,7 +62,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask { @Autowired PVPAuthnRequestBuilder authnReqBuilder; @Autowired FederatedAuthCredentialProvider credential; - + @Autowired(required=true) MOAMetadataProvider metadataProvider; /* (non-Javadoc) * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) @@ -95,7 +95,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask { } //load IDP SAML2 entitydescriptor - EntityDescriptor idpEntity = MOAMetadataProvider.getInstance(). + EntityDescriptor idpEntity = metadataProvider. getEntityDescriptor(idpEntityID); if (idpEntity == null) { Logger.warn("Requested IDP " + idpEntityID diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java index 1c3134b77..f739940c8 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java @@ -90,7 +90,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { @Autowired private SSOManager ssoManager; @Autowired private AttributQueryBuilder attributQueryBuilder; @Autowired private AuthenticationDataBuilder authDataBuilder; - + @Autowired(required=true) MOAMetadataProvider metadataProvider; /* (non-Javadoc) @@ -125,7 +125,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { //decode PVP response object msg = (InboundMessage) decoder.decode( - request, response, MOAMetadataProvider.getInstance(), true, + request, response, metadataProvider, true, comperator); if (MiscUtil.isEmpty(msg.getEntityID())) { @@ -135,7 +135,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { //validate response signature if(!msg.isVerified()) { - samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance())); + samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); msg.setVerified(true); } @@ -247,7 +247,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { try { Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... "); - Collection requestedAttr = pendingReq.getRequestedAttributes(); + Collection requestedAttr = pendingReq.getRequestedAttributes(metadataProvider); //check if SAML2 Assertion contains a minimal set of attributes if (!extractor.containsAllRequiredAttributes()) { @@ -267,7 +267,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { //check if all attributes are include if (!extractor.containsAllRequiredAttributes( - pendingReq.getRequestedAttributes())) { + pendingReq.getRequestedAttributes(metadataProvider))) { Logger.warn("PVP Response from federated IDP contains not all requested attributes."); throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING}); diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java index 42fafc01e..1d3525626 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java @@ -26,6 +26,7 @@ import java.util.ArrayList; import java.util.Collection; import java.util.List; +import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.context.annotation.Scope; import org.springframework.stereotype.Component; @@ -81,7 +82,7 @@ public class SAML1RequestImpl extends RequestImpl { * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() */ @Override - public Collection getRequestedAttributes() { + public Collection getRequestedAttributes(MetadataProvider metadataProvider) { List reqAttr = new ArrayList(); reqAttr.addAll(SAML1Protocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION); -- cgit v1.2.3 From e96e4e6cc59ce5ae538b44c45ca9a6a83419a911 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 21 Jun 2016 15:34:36 +0200 Subject: add eIDAS bPK prefix: urn:publicid:gv.at:eidasid+ --- .../at/gv/egovernment/moa/id/configuration/Constants.java | 6 ++++-- .../id/configuration/data/oa/OATargetConfiguration.java | 15 +++++++++++++-- .../validation/task/impl/ServicesProtocolSTORKTask.java | 3 ++- .../egovernment/moa/id/config/auth/OAAuthParameter.java | 5 ++++- .../at/gv/egovernment/moa/id/commons/MOAIDConstants.java | 3 +++ .../id/commons/config/ConfigurationMigrationUtils.java | 12 +++++++++++- 6 files changed, 37 insertions(+), 7 deletions(-) (limited to 'id/server/idserverlib/src') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java index f549db9f3..3062a61e3 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java @@ -22,11 +22,10 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.configuration; +import java.util.Collections; import java.util.Hashtable; import java.util.Map; -import java.util.Collections; - public class Constants { public static final String DEFAULT_VERSION = "1.x"; @@ -96,6 +95,7 @@ public class Constants { public static final String IDENIFICATIONTYPE_ERSB = "ERSB"; public static final String IDENIFICATIONTYPE_ZVR = "ZVR"; public static final String IDENIFICATIONTYPE_STORK = "STORK"; + public static final String IDENIFICATIONTYPE_EIDAS = "eIDAS"; public static final String IDENIFICATIONTYPE_BASEID = "urn:publicid:gv.at:baseid+"; public static final String IDENIFICATIONTYPE_BASEID_FN = IDENIFICATIONTYPE_BASEID + "X" + IDENIFICATIONTYPE_FN; @@ -103,6 +103,7 @@ public class Constants { public static final String PREFIX_WPBK = "urn:publicid:gv.at:wbpk+"; public static final String PREFIX_STORK = "urn:publicid:gv.at:storkid+"; + public static final String PREFIX_EIDAS = "urn:publicid:gv.at:eidasid+"; public static final Map BUSINESSSERVICENAMES; @@ -113,6 +114,7 @@ public class Constants { tmp.put(IDENIFICATIONTYPE_ZVR, "Vereinsnummer"); tmp.put(IDENIFICATIONTYPE_ERSB, "ERsB Kennzahl"); tmp.put(IDENIFICATIONTYPE_STORK, "STORK"); + tmp.put(IDENIFICATIONTYPE_EIDAS, "eIDAS"); BUSINESSSERVICENAMES = Collections.unmodifiableMap(tmp); } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java index 19671e502..f660b5feb 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java @@ -65,7 +65,8 @@ public class OATargetConfiguration implements IOnlineApplicationData { Constants.IDENIFICATIONTYPE_FN, Constants.IDENIFICATIONTYPE_ZVR, Constants.IDENIFICATIONTYPE_ERSB, - Constants.IDENIFICATIONTYPE_STORK); + Constants.IDENIFICATIONTYPE_STORK, + Constants.IDENIFICATIONTYPE_EIDAS); } @@ -120,6 +121,12 @@ public class OATargetConfiguration implements IOnlineApplicationData { if (Constants.PREFIX_WPBK.startsWith(split[0]) && split.length >= 2) { identificationType = split[1]; identificationNumber = split[2]; + + } else if (Constants.PREFIX_EIDAS.startsWith(split[0]) && split.length >= 2) { + //identificationType = split[1]; // setting at as iden category ? + identificationType = Constants.IDENIFICATIONTYPE_EIDAS; + identificationNumber = split[1] + "+" + split[2]; // setting sp country as ident type -> sp ident + } else if (Constants.PREFIX_STORK.startsWith(split[0]) && split.length >= 2) { //identificationType = split[1]; // setting at as iden category ? identificationType = Constants.IDENIFICATIONTYPE_STORK; @@ -185,7 +192,11 @@ public class OATargetConfiguration implements IOnlineApplicationData { if (idnumber == null) idnumber = new IdentificationNumber(); - if (getIdentificationType().equals(Constants.IDENIFICATIONTYPE_STORK)) { + if (getIdentificationType().equals(Constants.IDENIFICATIONTYPE_EIDAS)) { + idnumber.setValue(Constants.PREFIX_EIDAS + num); + idnumber.setType(Constants.BUSINESSSERVICENAMES.get(getIdentificationType())); + + } else if (getIdentificationType().equals(Constants.IDENIFICATIONTYPE_STORK)) { idnumber.setValue(Constants.PREFIX_STORK + "AT" + "+" + num); idnumber.setType(Constants.BUSINESSSERVICENAMES.get(getIdentificationType())); } else { diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolSTORKTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolSTORKTask.java index c7a74d1a1..eb881d465 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolSTORKTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesProtocolSTORKTask.java @@ -190,7 +190,8 @@ public class ServicesProtocolSTORKTask extends AbstractTaskValidator implements // if (MiscUtil.isEmpty(identificationType) || // !MOAIDConfigurationConstants.IDENIFICATIONTYPE_STORK.equals(identificationType)) { if (MiscUtil.isNotEmpty(identificationType) && - !MOAIDConfigurationConstants.IDENIFICATIONTYPE_STORK.equals(identificationType)) { + !(MOAIDConfigurationConstants.IDENIFICATIONTYPE_STORK.equals(identificationType) + || MOAIDConfigurationConstants.IDENIFICATIONTYPE_EIDAS.equals(identificationType))) { log.info("STORK V-IDP only allowes identification numbers with STORK prefix."); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index b1bba6c17..9f39e32cc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -122,7 +122,10 @@ public String getIdentityLinkDomainIdentifier() { if (MiscUtil.isNotEmpty(type) && MiscUtil.isNotEmpty(value)) { if (MOAIDConstants.IDENIFICATIONTYPE_STORK.equals(type)) { return MOAIDConstants.PREFIX_STORK + "AT" + "+" + value; - + + } else if (MOAIDConstants.IDENIFICATIONTYPE_EIDAS.equals(type)) { + return MOAIDConstants.PREFIX_EIDAS + value; + } else { return MOAIDConstants.PREFIX_WPBK + type + "+" + value; diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java index 6726aacb5..27744273f 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java @@ -40,11 +40,13 @@ public class MOAIDConstants { public static final String PREFIX_WPBK = "urn:publicid:gv.at:wbpk+"; public static final String PREFIX_STORK = "urn:publicid:gv.at:storkid+"; + public static final String PREFIX_EIDAS = "urn:publicid:gv.at:eidasid+"; public static final String IDENIFICATIONTYPE_FN = "FN"; public static final String IDENIFICATIONTYPE_ERSB = "ERSB"; public static final String IDENIFICATIONTYPE_ZVR = "ZVR"; public static final String IDENIFICATIONTYPE_STORK = "STORK"; + public static final String IDENIFICATIONTYPE_EIDAS = "eIDAS"; public static final String KEYBOXIDENTIFIER_SECURE = "SecureSignatureKeypair"; public static final String KEYBOXIDENTIFIER_CERTIFIED = "CertifiedKeypair"; @@ -71,6 +73,7 @@ public class MOAIDConstants { tmp.put(IDENIFICATIONTYPE_ZVR, "Vereinsnummer"); tmp.put(IDENIFICATIONTYPE_ERSB, "ERsB Kennzahl"); tmp.put(IDENIFICATIONTYPE_STORK, "STORK"); + tmp.put(IDENIFICATIONTYPE_EIDAS, "eIDAS"); BUSINESSSERVICENAMES = Collections.unmodifiableMap(tmp); List awbpk = new ArrayList(); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java index a221d30e4..e865c4ed6 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java @@ -184,6 +184,10 @@ public class ConfigurationMigrationUtils { if (MOAIDConfigurationConstants.PREFIX_WPBK.startsWith(split[0]) && split.length >= 2) { result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE, split[1]); result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE, split[2]); + + } else if (MOAIDConfigurationConstants.PREFIX_EIDAS.startsWith(split[0]) && split.length >= 2) { + result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE, MOAIDConfigurationConstants.IDENIFICATIONTYPE_EIDAS); + result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE, split[1] + "+" + split[2]); } else if (MOAIDConfigurationConstants.PREFIX_STORK.startsWith(split[0]) && split.length >= 2) { result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE, MOAIDConfigurationConstants.IDENIFICATIONTYPE_STORK); @@ -759,9 +763,15 @@ public class ConfigurationMigrationUtils { if (oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE) != null && oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE) != null) { - if (oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE).equals(MOAIDConfigurationConstants.IDENIFICATIONTYPE_STORK)) { + + if (oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE).equals(MOAIDConfigurationConstants.IDENIFICATIONTYPE_EIDAS)) { + idnumber.setValue(MOAIDConfigurationConstants.PREFIX_EIDAS + oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE)); + idnumber.setType(MOAIDConfigurationConstants.BUSINESSSERVICENAMES.get(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE))); + + } else if (oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE).equals(MOAIDConfigurationConstants.IDENIFICATIONTYPE_STORK)) { idnumber.setValue(MOAIDConfigurationConstants.PREFIX_STORK + "AT" + "+" + oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE)); idnumber.setType(MOAIDConfigurationConstants.BUSINESSSERVICENAMES.get(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE))); + } else { idnumber.setValue(MOAIDConfigurationConstants.PREFIX_WPBK + oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE) + "+" + oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE)); idnumber.setType(MOAIDConfigurationConstants.BUSINESSSERVICENAMES.get(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE))); -- cgit v1.2.3 From f200a786bd513ae7432cbf6f741ef9f986e19eb4 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 22 Jun 2016 08:16:34 +0200 Subject: update PVP assertion builder to add user's remote IP address as attribute in 'SubjectConformationData' element --- .../at/gv/egovernment/moa/id/moduls/RequestImpl.java | 17 +++++++++++++++-- .../pvp2x/builder/assertion/PVP2AssertionBuilder.java | 7 +++++++ 2 files changed, 22 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index 91ba49fe8..1e0dfca8a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -54,8 +54,12 @@ public abstract class RequestImpl implements IRequest, Serializable{ public static final String DATAID_REQUESTED_ATTRIBUTES = "requestedAttributes"; public static final String DATAID_INTERFEDERATIOIDP_ENTITYID = "interIDPEntityID"; + public static final String DATAID_REQUESTER_IP_ADDRESS = "requesterIP"; + public static final String eIDAS_GENERIC_REQ_DATA_COUNTRY = "country"; + + private static final long serialVersionUID = 1L; private String module = null; @@ -93,10 +97,10 @@ public abstract class RequestImpl implements IRequest, Serializable{ */ public final void initialize(HttpServletRequest req) throws ConfigurationException { //set requestID - requestID = Random.nextRandom(); + requestID = Random.nextLongRandom(); //set unique transaction identifier for logging - uniqueTransactionIdentifer = Random.nextRandom(); + uniqueTransactionIdentifer = Random.nextLongRandom(); TransactionIDUtils.setTransactionId(uniqueTransactionIdentifer); @@ -169,6 +173,15 @@ public abstract class RequestImpl implements IRequest, Serializable{ else Logger.warn("No unique session-identifier FOUND, but it should be allready set into request!?!"); + //set requester's IP address + try { + setGenericDataToSession(DATAID_REQUESTER_IP_ADDRESS, req.getRemoteAddr()); + + } catch (SessionDataStorageException e) { + Logger.warn("Can not store remote IP address to 'pendingRequest' during an exception." , e); + + } + } /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 200429093..55d8fa1ff 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -459,8 +459,15 @@ public class PVP2AssertionBuilder implements PVPConstants { subjectConfirmationData.setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime())); // subjectConfirmationData.setNotBefore(date); + //set 'recipient' attribute in subjectConformationData subjectConfirmationData.setRecipient(assertionConsumerService.getLocation()); + //set IP address of the user machine as 'Address' attribute in subjectConformationData + String usersIPAddress = pendingReq.getGenericData( + PVPTargetConfiguration.DATAID_REQUESTER_IP_ADDRESS, String.class); + if (MiscUtil.isNotEmpty(usersIPAddress)) + subjectConfirmationData.setAddress(usersIPAddress); + //set SLO information sloInformation.setUserNameIdentifier(subjectNameID.getValue()); sloInformation.setNameIDFormat(subjectNameID.getFormat()); -- cgit v1.2.3