From cdbfcdbdf4b0a55071f1aad9e514a5024563ddea Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 5 Jul 2013 13:17:06 +0200 Subject: move AuthData generation from VerifyAuthBlock step to generate Assertion step This requires also some changes in PVP2 module --- .../moa/id/auth/AuthenticationServer.java | 63 +++++++++-------- .../moa/id/auth/data/AuthenticationSession.java | 44 +++++++----- .../id/auth/data/VerifyXMLSignatureResponse.java | 9 ++- .../StartAuthentificationParameterParser.java | 2 +- .../servlet/VerifyAuthenticationBlockServlet.java | 2 + .../pvp2x/builder/CitizenTokenBuilder.java | 79 ++++++++++++++++------ .../pvp2x/requestHandler/AuthnRequestHandler.java | 25 ++++++- .../protocols/saml1/SAML1AuthenticationServer.java | 6 +- 8 files changed, 159 insertions(+), 71 deletions(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 87bd4ffea..14bb53eb7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -1891,37 +1891,35 @@ public class AuthenticationServer implements MOAIDAuthConstants { } } - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - boolean useUTC = oaParam.getUseUTC(); - boolean useCondition = oaParam.getUseCondition(); - int conditionLength = oaParam.getConditionLength(); - - // builds authentication data and stores it together with a SAML - // artifact - AuthenticationData authData = buildAuthenticationData(session, vsresp, - useUTC, false); +// OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() +// .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); +// boolean useUTC = oaParam.getUseUTC(); +// boolean useCondition = oaParam.getUseCondition(); +// int conditionLength = oaParam.getConditionLength(); - //set Authblock - session.setAuthData(authData); - //set signer certificate + //TL: moved to Authentification Data generation +// AuthenticationData authData = buildAuthenticationData(session, vsresp, +// useUTC, false); +// +// //set Authblock +// session.setAuthData(authData); + + + session.setXMLVerifySignatureResponse(vsresp); session.setSignerCertificate(vsresp.getX509certificate()); + vsresp.setX509certificate(null); + session.setForeigner(false); if (session.getUseMandate()) { // mandate mode - - // session.setAssertionAuthBlock(assertionAuthBlock) return null; + } else { - - + session.setAuthenticatedUsed(false); session.setAuthenticated(true); - - //TODO: check if this element is needed!!! - //session.setXMLVerifySignatureResponse(vsresp); - + String oldsessionID = session.getSessionID(); //Session is implicte stored in changeSessionID!!! @@ -2325,22 +2323,27 @@ public class AuthenticationServer implements MOAIDAuthConstants { X509Certificate cert = session.getSignerCertificate(); vsresp.setX509certificate(cert); - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - boolean useUTC = oaParam.getUseUTC(); +// OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() +// .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); +// boolean useUTC = oaParam.getUseUTC(); // boolean useCondition = oaParam.getUseCondition(); // int conditionLength = oaParam.getConditionLength(); - AuthenticationData authData = buildAuthenticationData(session, vsresp, - useUTC, true); + //TL: moved to Assertion generation. +// AuthenticationData authData = buildAuthenticationData(session, vsresp, +// useUTC, true); +// +// session.setAuthData(authData); - session.setAuthData(authData); session.setAuthenticatedUsed(false); session.setAuthenticated(true); - //TODO: check, if it element is in use!!!! - //session.setXMLVerifySignatureResponse(vsresp); + + session.setXMLVerifySignatureResponse(vsresp); + session.setSignerCertificate(vsresp.getX509certificate()); + vsresp.setX509certificate(null); + session.setForeigner(true); //session is implicit stored in changeSessionID!!!! String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session); @@ -2402,7 +2405,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * @throws BuildException * while building the <saml:Assertion> */ - protected static AuthenticationData buildAuthenticationData( + public static AuthenticationData buildAuthenticationData( AuthenticationSession session, VerifyXMLSignatureResponse verifyXMLSigResp, boolean useUTC, boolean isForeigner) throws ConfigurationException, BuildException { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 6cfb12380..7a4c3da8b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -206,7 +206,7 @@ public class AuthenticationSession implements Serializable { - private AuthenticationData authData; + //private AuthenticationData authData; //protocol selection private String action; @@ -256,7 +256,11 @@ public class AuthenticationSession implements Serializable { // */ // private Date timestampStart; // private CreateXMLSignatureResponse XMLCreateSignatureResponse; -// private VerifyXMLSignatureResponse XMLVerifySignatureResponse; + + private VerifyXMLSignatureResponse XMLVerifySignatureResponse; + + private boolean isForeigner; + // private String requestedProtocolURL = null; public String getModul() { @@ -283,13 +287,13 @@ public class AuthenticationSession implements Serializable { this.mandateData = mandateData; } - public AuthenticationData getAuthData() { - return authData; - } - - public void setAuthData(AuthenticationData authData) { - this.authData = authData; - } +// public AuthenticationData getAuthData() { +// return authData; +// } +// +// public void setAuthData(AuthenticationData authData) { +// this.authData = authData; +// } public boolean isAuthenticatedUsed() { return authenticatedUsed; @@ -1050,12 +1054,20 @@ public class AuthenticationSession implements Serializable { // XMLCreateSignatureResponse = xMLCreateSignatureResponse; // } -// public VerifyXMLSignatureResponse getXMLVerifySignatureResponse() { -// return XMLVerifySignatureResponse; -// } -// -// public void setXMLVerifySignatureResponse(VerifyXMLSignatureResponse xMLVerifySignatureResponse) { -// XMLVerifySignatureResponse = xMLVerifySignatureResponse; -// } + public boolean isForeigner() { + return isForeigner; + } + + public void setForeigner(boolean isForeigner) { + this.isForeigner = isForeigner; + } + + public VerifyXMLSignatureResponse getXMLVerifySignatureResponse() { + return XMLVerifySignatureResponse; + } + + public void setXMLVerifySignatureResponse(VerifyXMLSignatureResponse xMLVerifySignatureResponse) { + XMLVerifySignatureResponse = xMLVerifySignatureResponse; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/VerifyXMLSignatureResponse.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/VerifyXMLSignatureResponse.java index ce418de01..c41de1904 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/VerifyXMLSignatureResponse.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/VerifyXMLSignatureResponse.java @@ -24,6 +24,8 @@ package at.gv.egovernment.moa.id.auth.data; +import java.io.Serializable; + import iaik.x509.X509Certificate; /** @@ -34,8 +36,11 @@ import iaik.x509.X509Certificate; * @version $Id$ * */ -public class VerifyXMLSignatureResponse { - /** The xmlDsigSubjectName to be stored */ +public class VerifyXMLSignatureResponse implements Serializable{ + + private static final long serialVersionUID = 1L; + +/** The xmlDsigSubjectName to be stored */ private String xmlDsigSubjectName; /** The signatureCheckCode to be stored */ private int signatureCheckCode; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index 1d3c82aaf..2e07a39a7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -105,7 +105,7 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ // no target attribut is given in OA config // target is used from request // check parameter - if (!ParamValidatorUtils.isValidTarget(target)) + if (!ParamValidatorUtils.isValidTarget(target)) throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); } else { // use target from config diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java index 2f866ca78..f8a828f6f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java @@ -247,8 +247,10 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { } redirectURL = addURLParameter(redirectURL, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); redirectURL = resp.encodeRedirectURL(redirectURL);*/ + redirectURL = new DataURLBuilder().buildDataURL(session.getAuthURL(), ModulUtils.buildAuthURL(session.getModul(), session.getAction()), samlArtifactBase64); + } else { redirectURL = new DataURLBuilder().buildDataURL(session.getAuthURL(), AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, session.getSessionID()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java index 0b280fe48..18f981243 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java @@ -10,7 +10,13 @@ import org.opensaml.xml.schema.XSString; import org.opensaml.xml.schema.impl.XSIntegerBuilder; import org.opensaml.xml.schema.impl.XSStringBuilder; +import at.gv.egovernment.moa.id.BuildException; +import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; @@ -100,27 +106,60 @@ public class CitizenTokenBuilder { AuthenticationSession authSession) { AttributeStatement statement = SAML2Utils.createSAMLObject(AttributeStatement.class); + + //TL: AuthData generation is moved out from VerifyAuthBlockServlet + try { + + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter(authSession.getPublicOAURLPrefix()); + boolean useUTC = oaParam.getUseUTC(); - Attribute pvpVersion = buildPVPVersion("2.1"); - Attribute secClass = buildSecClass(3); - Attribute principalName = buildPrincipalName(authSession.getAuthData().getFamilyName()); - Attribute givenName = buildGivenName(authSession.getAuthData().getGivenName()); - Attribute birthdate = buildBirthday(authSession.getAuthData().getDateOfBirth()); - Attribute bpk = buildBPK(authSession.getAuthData().getIdentificationValue()); - Attribute eid_citizen_qaa = buildEID_CITIZEN_QAALEVEL(3); - Attribute eid_issuing_nation = buildEID_ISSUING_NATION("AT"); - Attribute eid_sector_for_id = buildEID_SECTOR_FOR_IDENTIFIER(authSession.getAuthData().getIdentificationType()); - - statement.getAttributes().add(pvpVersion); - statement.getAttributes().add(secClass); - statement.getAttributes().add(principalName); - statement.getAttributes().add(givenName); - statement.getAttributes().add(birthdate); - statement.getAttributes().add(bpk); - statement.getAttributes().add(eid_citizen_qaa); - statement.getAttributes().add(eid_issuing_nation); - statement.getAttributes().add(eid_sector_for_id); + AuthenticationData authData; + + authData = AuthenticationServer.buildAuthenticationData(authSession, + authSession.getXMLVerifySignatureResponse(), + useUTC, + authSession.isForeigner()); + + Attribute pvpVersion = buildPVPVersion("2.1"); + Attribute secClass = buildSecClass(3); + Attribute principalName = buildPrincipalName(authData.getFamilyName()); + Attribute givenName = buildGivenName(authData.getGivenName()); + Attribute birthdate = buildBirthday(authData.getDateOfBirth()); + + //TL: getIdentificationValue holds the baseID --> change to pBK + Attribute bpk; + if (authSession.getBusinessService()) + bpk = buildBPK(authData.getWBPK()); + else + bpk = buildBPK(authData.getBPK()); + + Attribute eid_citizen_qaa = buildEID_CITIZEN_QAALEVEL(3); + Attribute eid_issuing_nation = buildEID_ISSUING_NATION("AT"); + Attribute eid_sector_for_id = buildEID_SECTOR_FOR_IDENTIFIER(authData.getIdentificationType()); + + statement.getAttributes().add(pvpVersion); + statement.getAttributes().add(secClass); + statement.getAttributes().add(principalName); + statement.getAttributes().add(givenName); + statement.getAttributes().add(birthdate); + statement.getAttributes().add(bpk); + statement.getAttributes().add(eid_citizen_qaa); + statement.getAttributes().add(eid_issuing_nation); + statement.getAttributes().add(eid_sector_for_id); + + return statement; + + } catch (ConfigurationException e) { + + // TODO: check Exception Handling + return null; + } catch (BuildException e) { + + // TODO: check Exception Handling + return null; + } - return statement; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index f05866f70..6b35d7640 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -25,7 +25,11 @@ import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; @@ -95,7 +99,26 @@ public class AuthnRequestHandler implements IRequestHandler { Subject subject = SAML2Utils.createSAMLObject(Subject.class); NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); subjectNameID.setFormat(NameID.PERSISTENT); - subjectNameID.setValue(authSession.getAuthData().getIdentificationValue()); + + + //TL: AuthData generation is moved to Assertion generation. + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter(authSession.getPublicOAURLPrefix()); + boolean useUTC = oaParam.getUseUTC(); + + AuthenticationData authData = AuthenticationServer.buildAuthenticationData(authSession, + authSession.getXMLVerifySignatureResponse(), + useUTC, + authSession.isForeigner()); + + //TL: getIdentificationValue holds the baseID --> change to pBK + //subjectNameID.setValue(authData.getIdentificationValue()); + if (authSession.getBusinessService()) + subjectNameID.setValue(authData.getWBPK()); + else + subjectNameID.setValue(authData.getBPK()); + + subject.setNameID(subjectNameID); //assertion.getAttributeStatements().add(CitizenTokenBuilder.buildCitizenToken(obj, authSession)); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 6a86eb4a5..36fd75d8b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -112,7 +112,11 @@ public class SAML1AuthenticationServer extends AuthenticationServer { //TODO: check, if this is correct!!!! //AuthenticationData authData = buildAuthenticationData(session, session.getXMLVerifySignatureResponse(), // useUTC, false); - AuthenticationData authData = session.getAuthData(); + + AuthenticationData authData = buildAuthenticationData(session, + session.getXMLVerifySignatureResponse(), + useUTC, + session.isForeigner()); //TODO: check, if this is correct!!!! // String samlAssertion = new AuthenticationDataAssertionBuilder().build( -- cgit v1.2.3