From 168a6bd6dd7268d6afe001312ef3705e6b87b02d Mon Sep 17 00:00:00 2001 From: kstranacher Date: Wed, 22 Jun 2011 17:02:14 +0000 Subject: =?UTF-8?q?*=20Update=20SAML=20Assertion=20f=C3=BCr=20Vollmachten?= =?UTF-8?q?=20*=20Update=20BK-Auswahl=20Template=20(neue=20Grafiken)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1209 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../moa/id/auth/AuthenticationServer.java | 149 ++++++++++----------- .../AuthenticationBlockAssertionBuilder.java | 52 ++++++- .../AuthenticationDataAssertionBuilder.java | 4 + .../moa/id/auth/data/AuthenticationSession.java | 23 +++- .../id/auth/servlet/GetMISSessionIDServlet.java | 80 ++++++----- 5 files changed, 191 insertions(+), 117 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 0bbfe25b2..e0ebcbab3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -548,7 +548,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { // now validate the extended infoboxes verifyInfoboxes(session, infoboxReadResponseParameters, !oaParam.getProvideStammzahl()); - return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam); + return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam, false); } @@ -610,7 +610,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { } - return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam); + return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam, true); } /** @@ -623,7 +623,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * @throws BuildException * @throws ValidateException */ - public String getCreateXMLSignatureRequestAuthBlockOrRedirect(AuthenticationSession session, AuthConfigurationProvider authConf, OAAuthParameter oaParam) + public String getCreateXMLSignatureRequestAuthBlockOrRedirect(AuthenticationSession session, AuthConfigurationProvider authConf, OAAuthParameter oaParam, boolean fromMandate) throws ConfigurationException, BuildException, @@ -635,21 +635,24 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (authConf==null) authConf = AuthConfigurationProvider.getInstance(); if (oaParam==null) oaParam = AuthConfigurationProvider.getInstance(). getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - - //BZ.., calculate bPK for signing to be already present in AuthBlock - IdentityLink identityLink = session.getIdentityLink(); - if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - // only compute bPK if online application is a public service and we have the Stammzahl - String bpkBase64 = new BPKBuilder().buildBPK( - identityLink.getIdentificationValue(), - session.getTarget()); - identityLink.setIdentificationValue(bpkBase64); - } - //..BZ + + if (!fromMandate) { + //BZ.., calculate bPK for signing to be already present in AuthBlock + IdentityLink identityLink = session.getIdentityLink(); + if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + // only compute bPK if online application is a public service and we have the Stammzahl + String bpkBase64 = new BPKBuilder().buildBPK( + identityLink.getIdentificationValue(), + session.getTarget()); + identityLink.setIdentificationValue(bpkBase64); + } + //..BZ + } // builds the AUTH-block - String authBlock = buildAuthenticationBlock(session); + String authBlock = buildAuthenticationBlock(session, fromMandate); + // session.setAuthBlock(authBlock); // builds the String[] transformsInfos = oaParam.getTransformsInfos(); @@ -832,7 +835,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * @throws BuildException If an error occurs on serializing an extended SAML attribute * to be appended to the AUTH-Block. */ - private String buildAuthenticationBlock(AuthenticationSession session) throws BuildException { + private String buildAuthenticationBlock(AuthenticationSession session, boolean fromMandate) throws BuildException { IdentityLink identityLink = session.getIdentityLink(); String issuer = identityLink.getName(); String gebDat = identityLink.getDateOfBirth(); @@ -857,7 +860,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { oaURL, gebDat, extendedSAMLAttributes, - session); + session, + fromMandate); return authBlock; } @@ -1204,7 +1208,6 @@ public class AuthenticationServer implements MOAIDAuthConstants { String dob = ParepUtils.extractMandatorDateOfBirth(mandator); if (dob != null && !"".equals(dob)) { extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_DOB, dob, SZRGWConstants.MANDATE_NS, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY)); - } // Mandate @@ -1398,77 +1401,73 @@ public class AuthenticationServer implements MOAIDAuthConstants { } } + // Exchange person data information by a mandate if needed + boolean mandateMode = session.getUseMandate(); + List oaAttributes = session.getExtendedSAMLAttributesOA(); IdentityLink replacementIdentityLink = null; - if (session.isMandateCompatibilityMode() && oaAttributes != null && oaAttributes.size()>0) { - // look if we have a mandate - boolean foundMandate = false; - Iterator it = oaAttributes.iterator(); - while (!foundMandate && it.hasNext()) { - ExtendedSAMLAttribute samlAttribute = (ExtendedSAMLAttribute)it.next(); - if (ParepValidator.EXT_SAML_MANDATE_RAW.equals(samlAttribute.getName())) { - Object value = samlAttribute.getValue(); - if (value instanceof Element) { - Element mandate = (Element) value; - replacementIdentityLink = new IdentityLink(); - Element mandator = ParepUtils.extractMandator(mandate); - String dateOfBirth = ""; - Element prPerson = null; - String familyName = ""; - String givenName = ""; - String identificationType = ""; - String identificationValue = ""; - if (mandator != null) { - boolean physical = ParepUtils.isPhysicalPerson(mandator); - if (physical) { - familyName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:FamilyName/text()"); - givenName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:GivenName/text()"); - dateOfBirth = ParepUtils.extractMandatorDateOfBirth(mandator); - } else { - familyName = ParepUtils.extractMandatorFullName(mandator); - } - identificationType = ParepUtils.getIdentification(mandator, "Type"); - identificationValue = ParepUtils.extractMandatorWbpk(mandator); - prPerson = ParepUtils.extractPrPersonOfMandate(mandate); - if (physical && session.getBusinessService() && identificationType!=null && Constants.URN_PREFIX_BASEID.equals(identificationType)) { - // now we calculate the wbPK and do so if we got it from the BKU - identificationType = Constants.URN_PREFIX_WBPK + "+" + session.getDomainIdentifier(); - identificationValue = new BPKBuilder().buildWBPK(identificationValue, session.getDomainIdentifier()); - ParepUtils.HideStammZahlen(prPerson, true, null, null, true); - } - } - replacementIdentityLink.setDateOfBirth(dateOfBirth); - replacementIdentityLink.setFamilyName(familyName); - replacementIdentityLink.setGivenName(givenName); - replacementIdentityLink.setIdentificationType(identificationType); - replacementIdentityLink.setIdentificationValue(identificationValue); - replacementIdentityLink.setPrPerson(prPerson); - try { - replacementIdentityLink.setSamlAssertion(session.getIdentityLink().getSamlAssertion()); - } catch (Exception e) { - throw new ValidateException("validator.64", null); - } - } else { - Logger.info("The type of Mandate SAML-Attribute is not \"org.w3c.dom.Element\""); - throw new ValidateException("validator.64", null); - } - } - } - } +// if (mandateMode) { +// Iterator it = oaAttributes.iterator(); +// //ExtendedSAMLAttribute samlAttribute = (ExtendedSAMLAttribute)it.next(); +// Element mandate = session.getMandateElem(); +// replacementIdentityLink = new IdentityLink(); +// Element mandator = ParepUtils.extractMandator(mandate); +// String dateOfBirth = ""; +// Element prPerson = null; +// String familyName = ""; +// String givenName = ""; +// String identificationType = ""; +// String identificationValue = ""; +// if (mandator != null) { +// boolean physical = ParepUtils.isPhysicalPerson(mandator); +// if (physical) { +// familyName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:FamilyName/text()"); +// givenName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:GivenName/text()"); +// dateOfBirth = ParepUtils.extractMandatorDateOfBirth(mandator); +// } else { +// familyName = ParepUtils.extractMandatorFullName(mandator); +// } +// identificationType = ParepUtils.getIdentification(mandator, "Type"); +// identificationValue = ParepUtils.extractMandatorWbpk(mandator); +// prPerson = ParepUtils.extractPrPersonOfMandate(mandate); +// if (physical && session.getBusinessService() && identificationType!=null && Constants.URN_PREFIX_BASEID.equals(identificationType)) { +// // now we calculate the wbPK and do so if we got it from the BKU +// identificationType = Constants.URN_PREFIX_WBPK + "+" + session.getDomainIdentifier(); +// identificationValue = new BPKBuilder().buildWBPK(identificationValue, session.getDomainIdentifier()); +// ParepUtils.HideStammZahlen(prPerson, true, null, null, true); +// } +// +// +// replacementIdentityLink.setDateOfBirth(dateOfBirth); +// replacementIdentityLink.setFamilyName(familyName); +// replacementIdentityLink.setGivenName(givenName); +// replacementIdentityLink.setIdentificationType(identificationType); +// replacementIdentityLink.setIdentificationValue(identificationValue); +// replacementIdentityLink.setPrPerson(prPerson); +// try { +// replacementIdentityLink.setSamlAssertion(session.getIdentityLink().getSamlAssertion()); +// } catch (Exception e) { +// throw new ValidateException("validator.64", null); +// } +// +// } +// +// } // builds authentication data and stores it together with a SAML artifact AuthenticationData authData = buildAuthenticationData(session, vsresp, replacementIdentityLink); String samlArtifact = - new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID()); + new SAMLArtifactBuilder().build(session.getAuthURL(), session.getSessionID()); storeAuthenticationData(samlArtifact, authData); // invalidates the authentication session sessionStore.remove(sessionID); Logger.info( - "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact); + "Anmeldedaten zu MOASession " + sessionID + " angelegt, SAML Artifakt " + samlArtifact); return samlArtifact; + } /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index 98bc0197f..d48054e4b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -24,10 +24,21 @@ package at.gv.egovernment.moa.id.auth.builder; +import java.io.StringWriter; import java.text.MessageFormat; import java.util.List; +import javax.xml.transform.Result; +import javax.xml.transform.Source; +import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerConfigurationException; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactory; +import javax.xml.transform.dom.DOMSource; +import javax.xml.transform.stream.StreamResult; + import org.w3c.dom.Element; +import org.w3c.dom.Node; import at.gv.egovernment.moa.id.BuildException; import at.gv.egovernment.moa.id.ParseException; @@ -143,7 +154,8 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion String oaURL, String gebDat, List extendedSAMLAttributes, - AuthenticationSession session) + AuthenticationSession session, + boolean fromMandate) throws BuildException { session.setSAMLAttributeGebeORwbpk(true); @@ -197,12 +209,21 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion Logger.error("Error on building AUTH-Block: " + e.getMessage()); throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); } - ExtendedSAMLAttribute bpkAttribute = - new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - System.out.println("extendedSAMLAttributes: " + extendedSAMLAttributes.size()); +// String s = xmlToString(bpkSamlValueElement); +// System.out.println("bpkSamlValueElement: " + s); + + + if (!fromMandate) { + ExtendedSAMLAttribute bpkAttribute = + new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + + //System.out.println("extendedSAMLAttributes: " + extendedSAMLAttributes.size()); + + extendedSAMLAttributes.add(bpkAttribute); + } + - extendedSAMLAttributes.add(bpkAttribute); //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; @@ -332,6 +353,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion Logger.error("Error on building AUTH-Block: " + e.getMessage()); throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); } + ExtendedSAMLAttribute bpkAttribute = new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); @@ -370,5 +392,23 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion return assertion; } - + + + public static String xmlToString(Node node) { + try { + Source source = new DOMSource(node); + StringWriter stringWriter = new StringWriter(); + Result result = new StreamResult(stringWriter); + TransformerFactory factory = TransformerFactory.newInstance(); + Transformer transformer = factory.newTransformer(); + transformer.transform(source, result); + return stringWriter.getBuffer().toString(); + } catch (TransformerConfigurationException e) { + e.printStackTrace(); + } catch (TransformerException e) { + e.printStackTrace(); + } + return null; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java index 7af327180..640c60e49 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java @@ -155,8 +155,12 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB pkValue = authData.getBPK(); } +// System.out.println("pkType; " + pkType); +// System.out.println("pkValue; " + pkValue); + String assertion; try { + assertion = MessageFormat.format(AUTH_DATA, new Object[] { authData.getAssertionID(), authData.getIssuer(), diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index d67d5cd83..bae95c2a6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -32,6 +32,8 @@ import java.util.Iterator; import java.util.List; import java.util.Vector; +import org.w3c.dom.Element; + import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils; import at.gv.egovernment.moa.logging.Logger; @@ -84,7 +86,26 @@ public class AuthenticationSession { */ private boolean useMandate; - /** + /** + * Selected mandate + */ + private Element mandateElem; + + /** + * @return the mandateElem + */ + public Element getMandateElem() { + return mandateElem; + } + + /** + * @param mandateElem the mandateElem to set + */ + public void setMandateElem(Element mandateElem) { + this.mandateElem = mandateElem; + } + + /** * SessionID for MIS */ private String misSessionID; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java index ad0592694..5c193aca1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java @@ -24,40 +24,40 @@ package at.gv.egovernment.moa.id.auth.servlet; -import iaik.pki.PKIException; - -import java.io.IOException; -import java.io.PrintWriter; -import java.security.GeneralSecurityException; -import java.util.List; -import java.util.Map; - -import javax.net.ssl.SSLSocketFactory; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.apache.commons.fileupload.FileUploadException; -import org.apache.commons.lang.StringEscapeUtils; - -import at.gv.egovernment.moa.id.AuthenticationException; -import at.gv.egovernment.moa.id.BuildException; -import at.gv.egovernment.moa.id.MOAIDException; -import at.gv.egovernment.moa.id.auth.AuthenticationServer; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.auth.WrongParametersException; -import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; -import at.gv.egovernment.moa.id.auth.builder.GetIdentityLinkFormBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.config.ConnectionParameter; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.util.ParamValidatorUtils; -import at.gv.egovernment.moa.id.util.SSLUtils; -import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; -import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient; -import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClientException; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.FileUtils; +import iaik.pki.PKIException; + +import java.io.IOException; +import java.io.PrintWriter; +import java.security.GeneralSecurityException; +import java.util.List; + +import javax.net.ssl.SSLSocketFactory; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.parsers.ParserConfigurationException; + +import org.apache.commons.lang.StringEscapeUtils; +import org.w3c.dom.Document; +import org.xml.sax.SAXException; + +import at.gv.egovernment.moa.id.BuildException; +import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.WrongParametersException; +import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; +import at.gv.egovernment.moa.id.auth.builder.GetIdentityLinkFormBuilder; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.config.ConnectionParameter; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.id.util.SSLUtils; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClientException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.DOMUtils; /** * Servlet requested for getting the foreign eID @@ -161,7 +161,13 @@ public class GetMISSessionIDServlet extends AuthServlet { // verify mandate signature String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyMandate(sessionID, mandate); - + + byte[] byteMandate = mandate.getMandate(); + String stringMandate = new String(byteMandate); + Document mandateDoc = DOMUtils.parseDocument(stringMandate, false, null, null); + session.setMandateElem(mandateDoc.getDocumentElement()); + //System.out.println("stringMandate: " + stringMandate); + String dataurl = new DataURLBuilder().buildDataURL( session.getAuthURL(), @@ -187,6 +193,10 @@ public class GetMISSessionIDServlet extends AuthServlet { handleError(null, e, req, resp); } catch (MISSimpleClientException e) { handleError(null, e, req, resp); + } catch (SAXException e) { + handleError(null, e, req, resp); + } catch (ParserConfigurationException e) { + handleError(null, e, req, resp); } } -- cgit v1.2.3