From c38588d66605e8345664ff7fd935aafbf27237f9 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 6 Feb 2014 09:14:23 +0100 Subject: first short changes for BRZ *use different SystemConfigParam for moa-id-proxy *allow legacy request with no SL-template (use it from OA config) Bugfix: *general PVP2 config is not reloaded from database *use idp entityID in as issuer in AuthnResponse --- .../StartAuthentificationParameterParser.java | 10 +++++++- .../moa/id/config/ConfigurationProvider.java | 7 ++++++ .../config/proxy/ProxyConfigurationProvider.java | 2 +- .../protocols/pvp2x/config/PVPConfiguration.java | 29 ++++++++++------------ .../pvp2x/requestHandler/AuthnRequestHandler.java | 4 ++- .../XMLLoginParameterResolverEncryptedData.java | 2 +- .../moa/id/util/ParamValidatorUtils.java | 6 +++-- 7 files changed, 38 insertions(+), 22 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index 67433dde7..bcd7cdc78 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -22,6 +22,8 @@ ******************************************************************************/ package at.gv.egovernment.moa.id.auth.parser; +import iaik.util.logging.Log; + import java.io.UnsupportedEncodingException; import java.util.List; @@ -238,6 +240,12 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ moasession.setBkuURL(bkuURL); + if (MiscUtil.isEmpty(templateURL)) { + templateURL = oaParam.getTemplateURL().get(0).getURL(); + Log.info("No SL-Template in request, load SL-Template from OA config (URL: " + templateURL + ")"); + + } + if (!ParamValidatorUtils.isValidTemplate(req, templateURL, oaParam.getTemplateURL())) throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); moasession.setTemplateURL(templateURL); @@ -275,7 +283,7 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ oaURL = request.getOAURL(); target = request.getTarget(); - + parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, modul, action, req); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java index 84265f4ba..3432a19b1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java @@ -76,6 +76,13 @@ public class ConfigurationProvider { public static final String CONFIG_PROPERTY_NAME = "moa.id.configuration"; + /** + * The name of the system property which contains the file name of the + * configuration file. + */ + public static final String PROXY_CONFIG_PROPERTY_NAME = + "moa.id.proxy.configuration"; + /** * The name of the generic configuration property giving the certstore directory path. */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java index ecde454dd..93de902ef 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java @@ -116,7 +116,7 @@ public class ProxyConfigurationProvider extends ConfigurationProvider { */ public static synchronized ProxyConfigurationProvider reload() throws ConfigurationException { - String fileName = System.getProperty(CONFIG_PROPERTY_NAME); + String fileName = System.getProperty(PROXY_CONFIG_PROPERTY_NAME); if (fileName == null) { throw new ConfigurationException("config.01", null); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index 769e36fc1..5d71b915f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -25,9 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.config; import iaik.x509.X509Certificate; import java.io.File; -import java.io.IOException; import java.net.URL; -import java.net.URLClassLoader; import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.List; @@ -50,7 +48,6 @@ import org.opensaml.saml2.metadata.TelephoneNumber; import at.gv.egovernment.moa.id.commons.db.dao.config.Contact; import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; -import at.gv.egovernment.moa.id.commons.db.dao.config.PVP2; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; @@ -111,12 +108,12 @@ public class PVPConfiguration { private static String moaIDVersion = null; - PVP2 generalpvpconfigdb; + //PVP2 generalpvpconfigdb; Properties props; private PVPConfiguration() { try { - generalpvpconfigdb = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig(); + //generalpvpconfigdb = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig(); props = AuthConfigurationProvider.getInstance().getGeneralPVP2ProperiesConfig(); } catch (ConfigurationException e) { @@ -124,8 +121,8 @@ public class PVPConfiguration { } } - public String getIDPPublicPath() { - String publicPath = generalpvpconfigdb.getPublicURLPrefix(); + public String getIDPPublicPath() throws ConfigurationException { + String publicPath = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig().getPublicURLPrefix(); if(publicPath != null) { if(publicPath.endsWith("/")) { int length = publicPath.length(); @@ -135,15 +132,15 @@ public class PVPConfiguration { return publicPath; } - public String getIDPSSOPostService() { + public String getIDPSSOPostService() throws ConfigurationException { return getIDPPublicPath() + PVP2_POST; } - public String getIDPSSORedirectService() { + public String getIDPSSORedirectService() throws ConfigurationException { return getIDPPublicPath() + PVP2_REDIRECT; } - public String getIDPSSOMetadataService() { + public String getIDPSSOMetadataService() throws ConfigurationException { return getIDPPublicPath() + PVP2_METADATA; } @@ -171,13 +168,13 @@ public class PVPConfiguration { return props.getProperty(IDP_KEY_PASSASSERTION); } - public String getIDPIssuerName() { + public String getIDPIssuerName() throws ConfigurationException { if (moaIDVersion == null) { moaIDVersion = parseMOAIDVersionFromManifest(); } - return generalpvpconfigdb.getIssuerName() + moaIDVersion; + return AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig().getIssuerName() + moaIDVersion; } public List getMetadataFiles() { @@ -250,10 +247,10 @@ public class PVPConfiguration { } } - public List getIDPContacts() { + public List getIDPContacts() throws ConfigurationException { List list = new ArrayList(); - List contacts = generalpvpconfigdb.getContact(); + List contacts = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig().getContact(); if (contacts != null) { @@ -344,10 +341,10 @@ public class PVPConfiguration { return list; } - public Organization getIDPOrganisation() { + public Organization getIDPOrganisation() throws ConfigurationException { Organization org = SAML2Utils.createSAMLObject(Organization.class); - at.gv.egovernment.moa.id.commons.db.dao.config.Organization organisation = generalpvpconfigdb.getOrganization(); + at.gv.egovernment.moa.id.commons.db.dao.config.Organization organisation = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig().getOrganization(); String org_name = null; String org_dispname = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index f4b48ece3..21c0d85a1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -96,7 +96,9 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { Response authResponse = SAML2Utils.createSAMLObject(Response.class); Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); - nissuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName()); + + //change to entity value from entity name to IDP EntityID (URL) + nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); nissuer.setFormat(NameID.ENTITY); authResponse.setIssuer(nissuer); authResponse.setInResponseTo(authnRequest.getID()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverEncryptedData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverEncryptedData.java index 86da34e1c..9f3de08aa 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverEncryptedData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverEncryptedData.java @@ -267,7 +267,7 @@ public class XMLLoginParameterResolverEncryptedData implements LoginParameterRes //make file name absolut (if it is relative to main config file) //TODO MOAID XMLLPR check - String moaIDConfigFileName = System.getProperty(ConfigurationProvider.CONFIG_PROPERTY_NAME); + String moaIDConfigFileName = System.getProperty(ConfigurationProvider.PROXY_CONFIG_PROPERTY_NAME); String rootConfigFileDir = new File(moaIDConfigFileName).getParent(); this.identityFile = FileUtils.makeAbsoluteURL(configuration, rootConfigFileDir); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index 3b6e001bf..327170054 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java @@ -266,7 +266,7 @@ public class ParamValidatorUtils implements MOAIDAuthConstants{ // if non parameter is given return true if (StringUtils.isEmpty(template)) { Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL ist null"); - return true; + return false; } // check if template is a valid URL @@ -524,7 +524,9 @@ public class ParamValidatorUtils implements MOAIDAuthConstants{ return false; } - if (StringUtils.isEmpty(oaURL) || StringUtils.isEmpty(templateURL) || StringUtils.isEmpty(bkuURL)) + if (StringUtils.isEmpty(oaURL) + //|| StringUtils.isEmpty(templateURL) + || StringUtils.isEmpty(bkuURL) ) return false; else return true; -- cgit v1.2.3 From f9b31bdc4781d6eca20bc2d993f08f6a4eb462f2 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 6 Feb 2014 09:15:59 +0100 Subject: new depenency management for moa-id-configuration to avoid problems with HeapSpace --- id/server/idserverlib/pom.xml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml index 81213f721..68acb8841 100644 --- a/id/server/idserverlib/pom.xml +++ b/id/server/idserverlib/pom.xml @@ -175,17 +175,15 @@ --> - + org.opensaml opensaml - 2.6.0 - - - - org.opensaml - xmltooling - 1.4.0 - + + + org.opensaml + xmltooling + + regexp regexp -- cgit v1.2.3 From 1c567f6eb16fa10d3811fbaaf70c4ab04fb08077 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 6 Feb 2014 15:42:53 +0100 Subject: BRZ: -add SAML1 SourceID parameter in moa-id general Bugfix: -SSO target had an error in case of business-service -OA with business-service whichout single sign-on produce an error --- .../moa/id/auth/AuthenticationServer.java | 22 ++++++++--- .../moa/id/auth/MOAIDAuthConstants.java | 2 + .../moa/id/config/ConfigurationProvider.java | 21 ----------- .../id/config/auth/AuthConfigurationProvider.java | 44 +++++++++++++--------- .../id/config/legacy/BuildFromLegacyConfig.java | 24 ++++++++---- 5 files changed, 62 insertions(+), 51 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 06d5b01bd..a5e92c701 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.auth; import iaik.asn1.ObjectID; +import iaik.util.logging.Log; import iaik.x509.X509Certificate; import iaik.x509.X509ExtensionInitException; @@ -250,16 +251,27 @@ public class AuthenticationServer implements MOAIDAuthConstants { String infoboxReadRequest = ""; + String domainIdentifier = AuthConfigurationProvider.getInstance().getSSOTagetIdentifier().trim(); + if (MiscUtil.isEmpty(domainIdentifier) && session.isSsoRequested()) { + //do not use SSO if no Target is set + Log.warn("NO SSO-Target found in configuration. Single Sign-On is deaktivated!"); + session.setSsoRequested(false); + + } + if (session.isSsoRequested()) { //load identityLink with SSO Target boolean isbuisness = false; - String domainIdentifier = ""; - IdentificationNumber ssobusiness = AuthConfigurationProvider.getInstance().getSSOBusinessService(); - if (ssobusiness != null) { + + if (domainIdentifier.startsWith(PREFIX_WPBK)) { + + isbuisness = false; + + } else { isbuisness = true; - domainIdentifier = ssobusiness.getValue(); + } - + //build ReadInfobox request infoboxReadRequest = new InfoboxReadRequestBuilder().build( isbuisness, domainIdentifier); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index f555cfb9a..060dc2248 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -104,6 +104,8 @@ public interface MOAIDAuthConstants { // /** the number of the certifcate extension for party organ representatives */ // public static final String PARTY_ORGAN_REPRESENTATION_OID_NUMBER = PARTY_REPRESENTATION_OID_NUMBER + ".10"; + public static final String PREFIX_WPBK = "urn:publicid:gv.at:wbpk+"; + /** OW */ public static final String OW_ORGANWALTER = PARTY_REPRESENTATION_OID_NUMBER + ".4"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java index 3432a19b1..dc5ec430e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java @@ -135,27 +135,6 @@ public class ConfigurationProvider { return rootConfigFileDir; } - /** - * Returns the mapping of generic configuration properties. - * - * @return The mapping of generic configuration properties (a name to value - * mapping) from the configuration. - */ - public Map getGenericConfiguration() { - return genericConfiguration; - } - - /** - * Returns the value of a parameter from the generic configuration section. - * - * @return the parameter value; null if no such parameter - */ - public String getGenericConfigurationParameter(String parameter) { - if (! genericConfiguration.containsKey(parameter)) - return null; - return (String)genericConfiguration.get(parameter); - } - /** * Return the chaining mode for a given trust anchor. * diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 1804b5fd5..304b63de0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -519,6 +519,11 @@ public class AuthConfigurationProvider extends ConfigurationProvider { if (protocols.getSAML1() != null) { allowedProtcols.setSAML1Active(protocols.getSAML1().isIsActive()); + + //load alternative sourceID + if (MiscUtil.isNotEmpty(protocols.getSAML1().getSourceID())) + alternativesourceid = protocols.getSAML1().getSourceID(); + } if (protocols.getOAuth() != null) { @@ -562,8 +567,11 @@ public class AuthConfigurationProvider extends ConfigurationProvider { } //set alternativeSourceID - if (auth.getGeneralConfiguration() != null) - alternativesourceid = auth.getGeneralConfiguration().getAlternativeSourceID(); + if (auth.getGeneralConfiguration() != null) + + //TODO: can be removed in a further version, because it is moved to SAML1 config + if (MiscUtil.isEmpty(alternativesourceid)) + alternativesourceid = auth.getGeneralConfiguration().getAlternativeSourceID(); // sets the authentication session and authentication data time outs BigInteger param = auth.getGeneralConfiguration().getTimeOuts().getMOASessionCreated(); @@ -744,7 +752,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider { } public ProtocolAllowed getAllowedProtocols() { - return this.allowedProtcols; + return allowedProtcols; } public PVP2 getGeneralPVP2DBConfig() { @@ -895,27 +903,27 @@ public class AuthConfigurationProvider extends ConfigurationProvider { } } - public boolean isSSOBusinessService() throws ConfigurationException { - - if (ssoconfig != null && ssoconfig.getIdentificationNumber() != null) - return true; - else - return false; - } +// public boolean isSSOBusinessService() throws ConfigurationException { +// +// if (ssoconfig != null && ssoconfig.getIdentificationNumber() != null) +// return true; +// else +// return false; +// } - public IdentificationNumber getSSOBusinessService() throws ConfigurationException { + public String getSSOTagetIdentifier() throws ConfigurationException { if (ssoconfig != null) - return ssoconfig.getIdentificationNumber(); + return ssoconfig.getTarget(); else return null; } - public String getSSOTarget() throws ConfigurationException { - if (ssoconfig!= null) - return ssoconfig.getTarget(); - - return null; - } +// public String getSSOTarget() throws ConfigurationException { +// if (ssoconfig!= null) +// return ssoconfig.getTarget(); +// +// return null; +// } public String getSSOFriendlyName() { if (ssoconfig!= null) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java index f515ea6bd..7ecd7dde8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/legacy/BuildFromLegacyConfig.java @@ -58,11 +58,13 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.Mandates; import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1; import at.gv.egovernment.moa.id.commons.db.dao.config.OASSO; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAuth; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineMandates; import at.gv.egovernment.moa.id.commons.db.dao.config.Organization; import at.gv.egovernment.moa.id.commons.db.dao.config.PVP2; import at.gv.egovernment.moa.id.commons.db.dao.config.Protocols; +import at.gv.egovernment.moa.id.commons.db.dao.config.SAML1; import at.gv.egovernment.moa.id.commons.db.dao.config.SLRequestTemplates; import at.gv.egovernment.moa.id.commons.db.dao.config.SSO; import at.gv.egovernment.moa.id.commons.db.dao.config.SecurityLayer; @@ -141,11 +143,7 @@ public class BuildFromLegacyConfig { //Load generic Config Map genericConfiguration = builder.buildGenericConfiguration(); GeneralConfiguration authGeneral = new GeneralConfiguration(); - - if (genericConfiguration.containsKey(GENERIC_CONFIG_PARAM_SOURCEID)) - authGeneral.setAlternativeSourceID( - (String)genericConfiguration.get(GENERIC_CONFIG_PARAM_SOURCEID)); - + if (genericConfiguration.containsKey(ConfigurationProvider.TRUST_MANAGER_REVOCATION_CHECKING)) authGeneral.setTrustManagerRevocationChecking( Boolean.valueOf((String)genericConfiguration.get(ConfigurationProvider.TRUST_MANAGER_REVOCATION_CHECKING))); @@ -179,6 +177,19 @@ public class BuildFromLegacyConfig { final List PROTOCOLS_LEGACY_ALLOWED = Arrays.asList("id_saml1","id_pvp2x"); prot_legacy.setProtocolName(PROTOCOLS_LEGACY_ALLOWED); + //set SAML1 config + SAML1 saml1 = new SAML1(); + saml1.setIsActive(true); + if (genericConfiguration.containsKey(GENERIC_CONFIG_PARAM_SOURCEID)) + saml1.setSourceID((String)genericConfiguration.get(GENERIC_CONFIG_PARAM_SOURCEID)); + auth_protocols.setSAML1(saml1); + + //set OAuth config + OAuth oauth = new OAuth(); + oauth.setIsActive(true); + auth_protocols.setOAuth(oauth); + + //set PVP2.1 config PVP2 prot_pvp2 = new PVP2(); auth_protocols.setPVP2(prot_pvp2); prot_pvp2.setPublicURLPrefix("https://...."); @@ -188,7 +199,7 @@ public class BuildFromLegacyConfig { prot_pvp2.setOrganization(pvp2_org); pvp2_org.setDisplayName("OrganisationDisplayName"); pvp2_org.setName("OrganisatioName"); - pvp2_org.setURL("http://www.egiz.gv.at"); + pvp2_org.setURL("http://testorganisation.at"); List pvp2_contacts = new ArrayList(); prot_pvp2.setContact(pvp2_contacts); @@ -357,7 +368,6 @@ public class BuildFromLegacyConfig { // oa_auth.setUseIFrame(false); // oa_auth.setUseUTC(oa.getUseUTC()); - //BKUURLs BKUURLS bkuurls = new BKUURLS(); bkuurls.setOnlineBKU(oldbkuonline); -- cgit v1.2.3 From 42e2547a52439611b52e6a42c6e1098acff997c6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 7 Feb 2014 12:46:53 +0100 Subject: * use MOADefaultBootstrap to set SHA256 as default security parameter * SAMLEngine: deaktivate DefaultBootStrap. --- .../moa/id/auth/AuthenticationServer.java | 4 ++-- .../id/config/auth/AuthConfigurationProvider.java | 4 +++- .../moa/id/protocols/pvp2x/MetadataAction.java | 26 ++++++++++++++++++++-- .../moa/id/protocols/pvp2x/PVPConstants.java | 9 ++++++++ .../protocols/pvp2x/config/PVPConfiguration.java | 4 +++- .../pvp2x/requestHandler/AuthnRequestHandler.java | 23 ++++++++----------- 6 files changed, 50 insertions(+), 20 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index a5e92c701..d8d375db2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -265,10 +265,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (domainIdentifier.startsWith(PREFIX_WPBK)) { - isbuisness = false; + isbuisness = true; } else { - isbuisness = true; + isbuisness = false; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 304b63de0..c0f47d781 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -110,6 +110,7 @@ import at.gv.egovernment.moa.id.config.auth.data.ProtocolAllowed; import at.gv.egovernment.moa.id.config.legacy.BuildFromLegacyConfig; import at.gv.egovernment.moa.id.config.stork.STORKConfig; import at.gv.egovernment.moa.id.data.IssuerAndSerial; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -365,7 +366,8 @@ public class AuthConfigurationProvider extends ConfigurationProvider { //Initialize OpenSAML for STORK Logger.info("Starting initialization of OpenSAML..."); - DefaultBootstrap.bootstrap(); + MOADefaultBootstrap.bootstrap(); + //DefaultBootstrap.bootstrap(); Logger.debug("OpenSAML successfully initialized"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index 78fe43daa..7e6d1e2c7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -36,6 +36,7 @@ import javax.xml.transform.stream.StreamResult; import org.joda.time.DateTime; import org.opensaml.Configuration; +import org.opensaml.common.impl.SAMLObjectContentReference; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.NameIDType; import org.opensaml.saml2.metadata.ContactPerson; @@ -45,12 +46,15 @@ import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.KeyDescriptor; import org.opensaml.saml2.metadata.NameIDFormat; import org.opensaml.saml2.metadata.SingleSignOnService; +import org.opensaml.xml.encryption.EncryptionConstants; import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; +import org.opensaml.xml.signature.ContentReference; import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureConstants; import org.opensaml.xml.signature.Signer; import org.w3c.dom.Document; @@ -114,13 +118,31 @@ public class MetadataAction implements IAction { Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential(); Signature signature = CredentialProvider .getIDPSignature(metadataSigningCredential); + + idpEntitiesDescriptor.setSignature(signature); + +// //set SignatureMethode +// signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE); +// +// //set DigestMethode +// List contentList = signature.getContentReferences(); +// for (ContentReference content : contentList) { +// +// if (content instanceof SAMLObjectContentReference) { +// +// SAMLObjectContentReference el = (SAMLObjectContentReference) content; +// el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE); +// +// } +// } + // KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder(); // KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject(); // //KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.); // signature.setKeyInfo(metadataKeyInfo ); - idpEntitiesDescriptor.setSignature(signature); + IDPSSODescriptor idpSSODescriptor = SAML2Utils .createSAMLObject(IDPSSODescriptor.class); @@ -222,7 +244,7 @@ public class MetadataAction implements IAction { String metadataXML = sw.toString(); - //System.out.println("METADATA: " + metadataXML); + System.out.println("METADATA: " + metadataXML); httpResp.setContentType("text/xml"); httpResp.getOutputStream().write(metadataXML.getBytes()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java index 0172cce2d..7946c7596 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -22,8 +22,17 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x; +import org.opensaml.xml.encryption.EncryptionConstants; +import org.opensaml.xml.signature.SignatureConstants; + public interface PVPConstants { + public static final String DEFAULT_SIGNING_METHODE = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256; + public static final String DEFAULT_DIGESTMETHODE = SignatureConstants.ALGO_ID_DIGEST_SHA256; + public static final String DEFAULT_SYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128; + public static final String DEFAULT_ASYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP; + + public static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/citizenQAALevel/"; public static final String STORK_QAA_1_1 = "http://www.stork.gov.eu/1.0/citizenQAALevel/1"; public static final String STORK_QAA_1_2 = "http://www.stork.gov.eu/1.0/citizenQAALevel/2"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index 5d71b915f..bf82efb79 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -33,6 +33,7 @@ import java.util.Properties; import java.util.jar.Attributes; import java.util.jar.Manifest; +import org.opensaml.Configuration; import org.opensaml.saml2.metadata.Company; import org.opensaml.saml2.metadata.ContactPerson; import org.opensaml.saml2.metadata.ContactPersonTypeEnumeration; @@ -45,6 +46,7 @@ import org.opensaml.saml2.metadata.OrganizationName; import org.opensaml.saml2.metadata.OrganizationURL; import org.opensaml.saml2.metadata.SurName; import org.opensaml.saml2.metadata.TelephoneNumber; +import org.opensaml.xml.security.SecurityConfiguration; import at.gv.egovernment.moa.id.commons.db.dao.config.Contact; import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; @@ -115,7 +117,7 @@ public class PVPConfiguration { try { //generalpvpconfigdb = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig(); props = AuthConfigurationProvider.getInstance().getGeneralPVP2ProperiesConfig(); - + } catch (ConfigurationException e) { e.printStackTrace(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index 21c0d85a1..229158778 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -24,7 +24,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler; import java.util.ArrayList; import java.util.List; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -45,7 +44,6 @@ import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.security.MetadataCredentialResolver; import org.opensaml.security.MetadataCriteria; import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.xml.encryption.EncryptionConstants; import org.opensaml.xml.encryption.EncryptionException; import org.opensaml.xml.encryption.EncryptionParameters; import org.opensaml.xml.encryption.KeyEncryptionParameters; @@ -57,6 +55,7 @@ import org.opensaml.xml.security.criteria.UsageCriteria; import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; import org.opensaml.xml.security.x509.X509Credential; + import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; @@ -125,12 +124,11 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { AssertionConsumerService consumerService = spSSODescriptor .getAssertionConsumerServices().get(idx); - if (consumerService == null) { - //TODO: maybe use default ConsumerService - + if (consumerService == null) { throw new InvalidAssertionConsumerServiceException(idx); } + String oaURL = consumerService.getLocation(); //check, if metadata includes an encryption key @@ -158,19 +156,19 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { try { EncryptionParameters dataEncParams = new EncryptionParameters(); - dataEncParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128); - + dataEncParams.setAlgorithm(PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE); + List keyEncParamList = new ArrayList(); KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters(); keyEncParam.setEncryptionCredential(encryptionCredentials); - keyEncParam.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); + keyEncParam.setAlgorithm(PVPConstants.DEFAULT_ASYM_ENCRYPTION_METHODE); KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration() .getKeyInfoGeneratorManager().getDefaultManager() .getFactory(encryptionCredentials); keyEncParam.setKeyInfoGenerator(kigf.newInstance()); keyEncParamList.add(keyEncParam); - + Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); //samlEncrypter.setKeyPlacement(KeyPlacement.INLINE); samlEncrypter.setKeyPlacement(KeyPlacement.PEER); @@ -178,7 +176,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { EncryptedAssertion encryptAssertion = null; encryptAssertion = samlEncrypter.encrypt(assertion); - + authResponse.getEncryptedAssertions().add(encryptAssertion); } catch (EncryptionException e1) { @@ -191,10 +189,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { authResponse.getAssertions().add(assertion); } - - - - + IEncoder binding = null; if (consumerService.getBinding().equals( -- cgit v1.2.3 From 9b67dbb64ed665be5430c213607854c8c7e3584b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 11 Feb 2014 08:07:20 +0100 Subject: change metadata validto area to 24 hours --- .../gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index 7e6d1e2c7..1668c31ce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -36,7 +36,6 @@ import javax.xml.transform.stream.StreamResult; import org.joda.time.DateTime; import org.opensaml.Configuration; -import org.opensaml.common.impl.SAMLObjectContentReference; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.NameIDType; import org.opensaml.saml2.metadata.ContactPerson; @@ -46,15 +45,12 @@ import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.KeyDescriptor; import org.opensaml.saml2.metadata.NameIDFormat; import org.opensaml.saml2.metadata.SingleSignOnService; -import org.opensaml.xml.encryption.EncryptionConstants; import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; -import org.opensaml.xml.signature.ContentReference; import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.SignatureConstants; import org.opensaml.xml.signature.Signer; import org.w3c.dom.Document; @@ -70,7 +66,7 @@ import at.gv.egovernment.moa.logging.Logger; public class MetadataAction implements IAction { - private static final int VALIDUNTIL_IN_DAYES = 30; + private static final int VALIDUNTIL_IN_HOURS = 24; public String processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { @@ -85,7 +81,7 @@ public class MetadataAction implements IAction { DateTime date = new DateTime(); - idpEntitiesDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_DAYES)); + idpEntitiesDescriptor.setValidUntil(date.plusHours(VALIDUNTIL_IN_HOURS)); EntityDescriptor idpEntityDescriptor = SAML2Utils .createSAMLObject(EntityDescriptor.class); @@ -99,7 +95,7 @@ public class MetadataAction implements IAction { idpEntityDescriptor .setEntityID(PVPConfiguration.getInstance().getIDPPublicPath()); - idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_DAYES)); + idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_HOURS)); List persons = PVPConfiguration.getInstance() .getIDPContacts(); -- cgit v1.2.3 From f86ebab09aad5971c86dce3827d46a0d41003994 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 11 Feb 2014 08:09:48 +0100 Subject: customize OpenSAML bootstrap to use SHA256 by default --- .../pvp2x/config/MOADefaultBootstrap.java | 61 ++++++++++ .../MOADefaultSecurityConfigurationBootstrap.java | 129 +++++++++++++++++++++ 2 files changed, 190 insertions(+) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java new file mode 100644 index 000000000..80789cd12 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java @@ -0,0 +1,61 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.config; + +import org.opensaml.Configuration; +import org.opensaml.DefaultBootstrap; +import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder; +import org.opensaml.xml.ConfigurationException; + +/** + * @author tlenz + * + */ +public class MOADefaultBootstrap extends DefaultBootstrap { + + public static synchronized void bootstrap() throws ConfigurationException { + + initializeXMLSecurity(); + + initializeXMLTooling(); + + initializeArtifactBuilderFactories(); + + initializeGlobalSecurityConfiguration(); + + initializeParserPool(); + + initializeESAPI(); + + } + + + + /** + * Initializes the default global security configuration. + */ + protected static void initializeGlobalSecurityConfiguration() { + Configuration.setGlobalSecurityConfiguration(MOADefaultSecurityConfigurationBootstrap.buildDefaultConfig()); + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java new file mode 100644 index 000000000..1563ba9be --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java @@ -0,0 +1,129 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.config; + +import org.opensaml.xml.encryption.EncryptionConstants; +import org.opensaml.xml.security.BasicSecurityConfiguration; +import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap; +import org.opensaml.xml.signature.SignatureConstants; + +/** + * @author tlenz + * + */ +public class MOADefaultSecurityConfigurationBootstrap extends + DefaultSecurityConfigurationBootstrap { + + public static BasicSecurityConfiguration buildDefaultConfig() { + BasicSecurityConfiguration config = new BasicSecurityConfiguration(); + + populateSignatureParams(config); + populateEncryptionParams(config); + populateKeyInfoCredentialResolverParams(config); + populateKeyInfoGeneratorManager(config); + populateKeyParams(config); + + return config; + } + + protected static void populateSignatureParams( + BasicSecurityConfiguration config) { + + //use SHA256 instead of SHA1 + config.registerSignatureAlgorithmURI("RSA", + SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); + + config.registerSignatureAlgorithmURI("DSA", + "http://www.w3.org/2000/09/xmldsig#dsa-sha1"); + + //use SHA256 instead of SHA1 + config.registerSignatureAlgorithmURI("EC", + SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256); + + //use SHA256 instead of SHA1 + config.registerSignatureAlgorithmURI("AES", + SignatureConstants.ALGO_ID_MAC_HMAC_SHA256); + + + config.registerSignatureAlgorithmURI("DESede", + SignatureConstants.ALGO_ID_MAC_HMAC_SHA256); + + config.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#"); + config.setSignatureHMACOutputLength(null); + + //use SHA256 instead of SHA1 + config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256); + } + + protected static void populateEncryptionParams( + BasicSecurityConfiguration config) { + config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128), + "http://www.w3.org/2001/04/xmlenc#aes128-cbc"); + config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192), + "http://www.w3.org/2001/04/xmlenc#aes192-cbc"); + config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256), + "http://www.w3.org/2001/04/xmlenc#aes256-cbc"); + + //support GCM mode + config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128), + EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM); + + config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192), + EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM); + + config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256), + EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM); + + + config.registerDataEncryptionAlgorithmURI("DESede", + Integer.valueOf(168), + "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"); + config.registerDataEncryptionAlgorithmURI("DESede", + Integer.valueOf(192), + "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"); + + config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "AES", + "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"); + + config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, + "DESede", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"); + + config.registerKeyTransportEncryptionAlgorithmURI("AES", + Integer.valueOf(128), null, + "http://www.w3.org/2001/04/xmlenc#kw-aes128"); + config.registerKeyTransportEncryptionAlgorithmURI("AES", + Integer.valueOf(192), null, + "http://www.w3.org/2001/04/xmlenc#kw-aes192"); + config.registerKeyTransportEncryptionAlgorithmURI("AES", + Integer.valueOf(256), null, + "http://www.w3.org/2001/04/xmlenc#kw-aes256"); + config.registerKeyTransportEncryptionAlgorithmURI("DESede", + Integer.valueOf(168), null, + "http://www.w3.org/2001/04/xmlenc#kw-tripledes"); + config.registerKeyTransportEncryptionAlgorithmURI("DESede", + Integer.valueOf(192), null, + "http://www.w3.org/2001/04/xmlenc#kw-tripledes"); + + config.setAutoGeneratedDataEncryptionKeyAlgorithmURI("http://www.w3.org/2001/04/xmlenc#aes128-cbc"); + } +} -- cgit v1.2.3 From b905c43b4630d290026d03e744413b20f1b73551 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 11 Feb 2014 08:13:51 +0100 Subject: * add OA specific BKU selection template * add OA specific send-assertion template * add OA specific applet height and width configuration * add PVP2.x reload checkbox in PVP2.x OA configuration * add new elements to MOA-ID configuration --- .../auth/builder/GetIdentityLinkFormBuilder.java | 8 ++- .../moa/id/auth/builder/LoginFormBuilder.java | 18 ++++- .../id/auth/builder/SendAssertionFormBuilder.java | 79 +++++++++++++++------- .../servlet/GenerateIFrameTemplateServlet.java | 11 +-- .../moa/id/config/auth/OAAuthParameter.java | 27 ++++++++ .../moa/id/entrypoints/DispatcherServlet.java | 8 +-- .../gv/egovernment/moa/id/util/FormBuildUtils.java | 2 + .../resources/properties/id_messages_de.properties | 2 + 8 files changed, 117 insertions(+), 38 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java index 70aa1a160..2e08fad6b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java @@ -167,8 +167,10 @@ public class GetIdentityLinkFormBuilder extends Builder { htmlForm = replaceTag(htmlForm, CERTINFO_XMLREQUEST_TAG, encodeParameter(certInfoXMLRequest), true, ALL); htmlForm = replaceTag(htmlForm, CERTINFO_DATAURL_TAG, certInfoDataURL, true, ALL); + Map map = null; + if (oaParam != null) { - Map map = oaParam.getFormCustomizaten(); + map = oaParam.getFormCustomizaten(); htmlForm = replaceTag(htmlForm, COLOR_TAG, map.get(FormBuildUtils.MAIN_BACKGROUNDCOLOR), false, ALL); htmlForm = replaceTag(htmlForm, REDIRECTTARGETTAG, map.get(FormBuildUtils.REDIRECTTARGET), false, ALL); @@ -179,11 +181,15 @@ public class GetIdentityLinkFormBuilder extends Builder { if (MiscUtil.isNotEmpty(appletheigth)) htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, appletheigth, false, ALL); + else if (map != null && MiscUtil.isNotEmpty(map.get(FormBuildUtils.APPLET_HEIGHT))) + htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, map.get(FormBuildUtils.APPLET_HEIGHT), false, ALL); else htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, "160", false, ALL); if (MiscUtil.isNotEmpty(appletwidth)) htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, appletwidth, false, ALL); + else if (map != null && MiscUtil.isNotEmpty(map.get(FormBuildUtils.APPLET_WIDTH))) + htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, map.get(FormBuildUtils.APPLET_WIDTH), false, ALL); else htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, "250", false, ALL); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java index 90ad3cf42..ff3b7b170 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java @@ -22,6 +22,7 @@ ******************************************************************************/ package at.gv.egovernment.moa.id.auth.builder; +import java.io.ByteArrayInputStream; import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; @@ -58,7 +59,7 @@ public class LoginFormBuilder { private static String SERVLET = CONTEXTPATH+"/GenerateIframeTemplate"; - public static String getTemplate() { + private static String getTemplate() { String pathLocation =""; InputStream input = null; @@ -118,8 +119,21 @@ public class LoginFormBuilder { } public static String buildLoginForm(String modul, String action, OAAuthParameter oaParam, String contextpath, String moaSessionID) { - String value = getTemplate(); + String value = null; + + byte[] oatemplate = oaParam.getBKUSelectionTemplate(); + // OA specific template requires a size of 8 bits minimum + if (oatemplate != null && oatemplate.length > 7) { + InputStream is = new ByteArrayInputStream(oatemplate); + value = getTemplate(is); + + } else { + //load default BKU-selection template + value = getTemplate(); + + } + if(value != null) { if(modul == null) { modul = SAML1Protocol.PATH; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java index f65a3c011..24b848176 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java @@ -22,6 +22,7 @@ ******************************************************************************/ package at.gv.egovernment.moa.id.auth.builder; +import java.io.ByteArrayInputStream; import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; @@ -58,32 +59,50 @@ public class SendAssertionFormBuilder { private static String SERVLET = CONTEXTPATH+"/SSOSendAssertionServlet"; private static String getTemplate() { - - String template = null; - InputStream input = null; - try { - String pathLocation; - - String rootconfigdir = AuthConfigurationProvider.getInstance().getRootConfigFileDir(); - pathLocation = rootconfigdir + HTMLTEMPLATESDIR + HTMLTEMPLATEFULL; + String pathLocation; + InputStream input = null; + try { + String rootconfigdir = AuthConfigurationProvider.getInstance().getRootConfigFileDir(); + pathLocation = rootconfigdir + HTMLTEMPLATESDIR + HTMLTEMPLATEFULL; + + try { + File file = new File(new URI(pathLocation)); + input = new FileInputStream(file); + + } catch (FileNotFoundException e) { - try { - File file = new File(new URI(pathLocation)); - input = new FileInputStream(file); - - } catch (FileNotFoundException e) { - - Logger.warn("No LoginFormTempaltes found. Use Generic Templates from package."); - - pathLocation = "resources/templates/" + HTMLTEMPLATEFULL; - - input = Thread.currentThread() - .getContextClassLoader() - .getResourceAsStream(pathLocation); - - } + Logger.warn("No LoginFormTempaltes found. Use Generic Templates from package."); + + pathLocation = "resources/templates/" + HTMLTEMPLATEFULL; + + input = Thread.currentThread() + .getContextClassLoader() + .getResourceAsStream(pathLocation); + + } + + return getTemplate(input); + + } catch (Exception e) { + try { + input.close(); + } catch (IOException e1) { + Logger.warn("SendAssertionTemplate inputstream can not be closed.", e); + } + + return null; + } + + } + + private static String getTemplate(InputStream input) { + + String template = null; + + try { + StringWriter writer = new StringWriter(); IOUtils.copy(input, writer); template = writer.toString(); @@ -105,7 +124,19 @@ public class SendAssertionFormBuilder { } public static String buildForm(String modul, String action, String id, OAAuthParameter oaParam, String contextpath) { - String value = getTemplate(); + String value = null; + + byte[] oatemplate = oaParam.getSendAssertionTemplate(); + // OA specific template requires a size of 8 bits minimum + if (oatemplate != null && oatemplate.length > 7) { + InputStream is = new ByteArrayInputStream(oatemplate); + value = getTemplate(is); + + } else { + //load default BKU-selection template + value = getTemplate(); + + } if(value != null) { if(modul == null) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java index c66e19eb0..d2d458e74 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java @@ -82,9 +82,12 @@ public class GenerateIFrameTemplateServlet extends AuthServlet { AuthenticationSession moasession = null; - try { - //moasessionid = (String) req.getSession().getAttribute(AuthenticationManager.MOA_SESSION); - + if (MiscUtil.isEmpty(bkuid) || MiscUtil.isEmpty(moasessionid)) { + Logger.warn("MOASessionID or BKU-type is empty. Maybe an old BKU-selection template is in use."); + throw new MOAIDException("auth.23", new Object[] {}); + } + + try { pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moasessionid); moasession = AuthenticationSessionStoreage.getSession(moasessionid); @@ -112,7 +115,7 @@ public class GenerateIFrameTemplateServlet extends AuthServlet { //load Parameters from config String target = oaParam.getTarget(); - + String bkuURL = oaParam.getBKUURL(bkuid); if (MiscUtil.isEmpty(bkuURL)) { Logger.info("No OA specific BKU defined. Use BKU from default configuration"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 7a38e2afd..8e7ca0779 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -320,6 +320,12 @@ public Map getFormCustomizaten() { if (MiscUtil.isNotEmpty(bkuselection.getAppletRedirectTarget())) map.put(FormBuildUtils.REDIRECTTARGET, bkuselection.getAppletRedirectTarget()); + if (MiscUtil.isNotEmpty(bkuselection.getAppletHeight())) + map.put(FormBuildUtils.APPLET_HEIGHT, bkuselection.getAppletHeight()); + + if (MiscUtil.isNotEmpty(bkuselection.getAppletWidth())) + map.put(FormBuildUtils.APPLET_WIDTH, bkuselection.getAppletWidth()); + } } @@ -343,6 +349,27 @@ public List getRequestedAttributes() { } +public byte[] getBKUSelectionTemplate() { + + TemplatesType templates = oa_auth.getTemplates(); + if (templates != null && templates.getBKUSelectionTemplate() != null) { + return templates.getBKUSelectionTemplate().getTransformation(); + + } + + return null; +} + +public byte[] getSendAssertionTemplate() { + + TemplatesType templates = oa_auth.getTemplates(); + if (templates != null && templates.getSendAssertionTemplate() != null) { + return templates.getSendAssertionTemplate().getTransformation(); + + } + + return null; +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 1f526caca..6b774261d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -22,14 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.entrypoints; - - -import iaik.security.ecc.provider.ECCProvider; -import iaik.security.provider.IAIK; - import java.io.IOException; -import java.io.PrintWriter; -import java.security.Security; + import java.util.Iterator; import java.util.Map; import java.util.Set; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java index 37ead5cff..d3ac574f8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java @@ -43,6 +43,8 @@ public class FormBuildUtils { public static String FONTFAMILY = "#FONTTYPE#"; public static String HEADER_TEXT = "#HEADER_TEXT#"; public static String REDIRECTTARGET = "#REDIRECTTARGET#"; + public static String APPLET_HEIGHT = "#APPLETHEIGHT#"; + public static String APPLET_WIDTH = "#APPLETWIDTH#"; private static String MANDATEVISIBLE = "#MANDATEVISIBLE#"; private static String MANDATECHECKED = "#MANDATECHECKED#"; diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index a6c0601e4..2f956bd39 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -41,6 +41,8 @@ auth.19=Die Authentifizierung kann nicht passiv durchgef\u00FChrt werden. auth.20=No valid MOA session found. Authentification process is abourted. auth.21=Der Anmeldevorgang wurde durch den Benutzer abgebrochen. auth.22=Das Protokoll {0} ist deaktiviert. +auth.23=Das BKU-Selektion Template entspricht nicht der Spezifikation von MOA-ID 2.x. +auth.24=Das Send-Assertion Template entspricht nicht der Spezifikation von MOA-ID 2.x. init.00=MOA ID Authentisierung wurde erfolgreich gestartet init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar -- cgit v1.2.3 From f361911ce08962a04b26d67fa7d4698d7294cc74 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 13 Feb 2014 09:41:29 +0100 Subject: * add new error message if MOA-ID-Proxy configuration is not found * change SAML1 legacy-request parameter validation * change OA-SL Template labels --- .../egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java | 2 +- .../main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java | 4 ++-- .../src/main/resources/resources/properties/id_messages_de.properties | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java index 93de902ef..66d330d20 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java @@ -118,7 +118,7 @@ public class ProxyConfigurationProvider extends ConfigurationProvider { throws ConfigurationException { String fileName = System.getProperty(PROXY_CONFIG_PROPERTY_NAME); if (fileName == null) { - throw new ConfigurationException("config.01", null); + throw new ConfigurationException("config.20", null); } Logger.info("Loading MOA-ID-PROXY configuration " + fileName); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index 327170054..bd6514c5c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java @@ -513,8 +513,8 @@ public class ParamValidatorUtils implements MOAIDAuthConstants{ throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); if (MiscUtil.isEmpty(bkuURL)) throw new WrongParametersException("StartAuthentication", PARAM_BKU, "auth.12"); - if (MiscUtil.isEmpty(templateURL)) - throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); +// if (MiscUtil.isEmpty(templateURL)) +// throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); if (!ParamValidatorUtils.isValidUseMandate(useMandate)) throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12"); if (!ParamValidatorUtils.isValidCCC(ccc)) diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 2f956bd39..93e8cdb99 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -69,7 +69,8 @@ config.15=Das Personenbindungs-Trust-Profil (TrustProfileID \= {0}) darf nicht f config.16=MOA ID Proxy konnte nicht gestartet werden. Das Element ConnnectionParameter im allgemeinen Konfigurationsteil der MOA-ID-PROXY Konfigurationsdatei fehlt. config.17=Fehler beim initialisieren von Hibernate config.18=Keine MOA-ID 2.x Konfiguration gefunden. -config.19=Kein Schl?ssel f\u00FCr die Resignierung der Personenbindung gefunden. +config.19=Kein Schl?ssel f\u00FCr die Resignierung der Personenbindung gefunden. +config.20=Umgebungsvariable "moa.id.proxy.configuration" nicht gesetzt parser.00=Leichter Fehler beim Parsen: {0} parser.01=Fehler beim Parsen: {0} -- cgit v1.2.3 From 6fabc9a604d61622f19ff8ca0b9237c114021c0e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 13 Feb 2014 09:44:35 +0100 Subject: Now the whole metadata file is NOT rejected if a single entity is not valid. --- .../verification/MetadataSignatureFilter.java | 41 ++++++++++++++++++---- 1 file changed, 34 insertions(+), 7 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java index f0ae6f446..ed0cf9c62 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java @@ -25,7 +25,9 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; import iaik.x509.X509Certificate; import java.security.cert.CertificateException; +import java.util.ArrayList; import java.util.Iterator; +import java.util.List; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; @@ -69,13 +71,17 @@ public class MetadataSignatureFilter implements MetadataFilter { while(entID.hasNext()) { processEntitiesDescriptor(entID.next()); } - + Iterator entIT = desc.getEntityDescriptors().iterator(); - - //check every Entity + + List verifiedEntIT = new ArrayList(); + + //check every Entity + while(entIT.hasNext()) { EntityDescriptor entity = entIT.next(); + String entityID = entity.getEntityID(); //CHECK if Entity also match MetaData signature. @@ -92,17 +98,31 @@ public class MetadataSignatureFilter implements MetadataFilter { EntityVerifier.verify(desc, entityCrendential); + //add entity to verified entity-list + verifiedEntIT.add(entity); + } catch (Exception e) { - throw new MOAIDException("The App", null, e); + + //remove entity of signature can not be verified. + Logger.info("Entity " + entityID + " is removed from metadata " + + desc.getName() + ". Entity verification error: " + e.getMessage()); +// throw new MOAIDException("The App", null, e); } } else { - throw new NoCredentialsException("NO Certificate found for OA " + entityID); + //remove entity if it is not registrated as OA + Logger.info("Entity " + entityID + " is removed from metadata " + + desc.getName() + ". Entity is not registrated or no certificate is found!"); +// throw new NoCredentialsException("NO Certificate found for OA " + entityID); } - + //TODO: insert to support signed Entity-Elements //processEntityDescriptorr(entIT.next()); - } + } + + //set only verified entity elements + desc.getEntityDescriptors().clear(); + desc.getEntityDescriptors().addAll(verifiedEntIT); } public void doFilter(XMLObject metadata) throws FilterException { @@ -114,6 +134,13 @@ public class MetadataSignatureFilter implements MetadataFilter { } processEntitiesDescriptor(entitiesDescriptor); + + if (entitiesDescriptor.getEntityDescriptors().size() == 0) { + throw new MOAIDException("No valid entity in metadata " + + entitiesDescriptor.getName() + ". Metadata is not loaded.", null); + } + + } else if (metadata instanceof EntityDescriptor) { EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; processEntityDescriptorr(entityDescriptor); -- cgit v1.2.3 From 713ca50cbcb276254689088ea558401af018ffcd Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 13 Feb 2014 09:56:50 +0100 Subject: now fetchSavedCredential use a database query to get the certificate from entity --- .../pvp2x/verification/EntityVerifier.java | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java index 4ef9919ca..550643da1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java @@ -22,7 +22,6 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; -import java.util.Iterator; import java.util.List; import org.opensaml.saml2.metadata.EntitiesDescriptor; @@ -44,18 +43,25 @@ import at.gv.egovernment.moa.logging.Logger; public class EntityVerifier { public static byte[] fetchSavedCredential(String entityID) { - List oaList = ConfigurationDBRead - .getAllActiveOnlineApplications(); - Iterator oaIt = oaList.iterator(); - while (oaIt.hasNext()) { - OnlineApplication oa = oaIt.next(); - if (oa.getPublicURLPrefix().equals(entityID)) { +// List oaList = ConfigurationDBRead +// .getAllActiveOnlineApplications(); + + OnlineApplication oa = ConfigurationDBRead + .getActiveOnlineApplication(entityID); + +// Iterator oaIt = oaList.iterator(); +// while (oaIt.hasNext()) { +// OnlineApplication oa = oaIt.next(); +// if (oa.getPublicURLPrefix().equals(entityID)) { + + if (oa != null && oa.getAuthComponentOA() != null) { + OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2(); if (pvp2Config != null) { return pvp2Config.getCertificate(); } } - } +// } return null; } -- cgit v1.2.3 From 4cc2fc3e44ff1e643c4a16a132ae90e60c84cf37 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 13 Feb 2014 13:19:31 +0100 Subject: * add additional logging * move bkuURL validation --- .../auth/parser/StartAuthentificationParameterParser.java | 15 +++------------ .../egovernment/moa/id/entrypoints/DispatcherServlet.java | 2 +- 2 files changed, 4 insertions(+), 13 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index bcd7cdc78..89cc1d25e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -166,7 +166,9 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ allowedbkus.addAll(AuthConfigurationProvider.getInstance().getDefaultBKUURLs()); if (!ParamValidatorUtils.isValidBKUURI(bkuURL, allowedbkus)) throw new WrongParametersException("StartAuthentication", PARAM_BKU, "auth.12"); - + + moasession.setBkuURL(bkuURL); + if (!oaParam.getBusinessService()) { if (isEmpty(target)) throw new WrongParametersException("StartAuthentication", @@ -229,17 +231,6 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ moasession.setSourceID(sourceID); } - // BKU URL has not been set yet, even if session already exists - if (bkuURL == null) { - if (req.getScheme() != null && req.getScheme().equalsIgnoreCase("https")) { - bkuURL = DEFAULT_BKU_HTTPS; - } else { - bkuURL = DEFAULT_BKU; - } - } - moasession.setBkuURL(bkuURL); - - if (MiscUtil.isEmpty(templateURL)) { templateURL = oaParam.getTemplateURL().get(0).getURL(); Log.info("No SL-Template in request, load SL-Template from OA config (URL: " + templateURL + ")"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 6b774261d..b5f0a7557 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -491,7 +491,7 @@ public class DispatcherServlet extends AuthServlet{ } } catch (Throwable e) { - e.printStackTrace(); + Logger.info("An authentication error occous: " + e.getMessage());; // Try handle module specific, if not possible rethrow if (!info.generateErrorMessage(e, req, resp, protocolRequest)) { throw e; -- cgit v1.2.3 From 650cbb315304e47e0b920c3bc81579cc4efa5514 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 14 Feb 2014 13:47:43 +0100 Subject: allow to load SL-Templates from local file-system --- .../moa/id/auth/AuthenticationServer.java | 1 + .../parser/StartAuthentificationParameterParser.java | 19 +++++++++++++++++-- .../auth/servlet/GenerateIFrameTemplateServlet.java | 19 ++++++++++++++++++- .../egovernment/moa/id/util/ParamValidatorUtils.java | 20 +++++++++++++------- 4 files changed, 49 insertions(+), 10 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index d8d375db2..7608f9f93 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -242,6 +242,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { String template = null; if (session.getTemplateURL() != null) { try { + template = new String(FileUtils.readURL(session.getTemplateURL())); } catch (IOException ex) { throw new AuthenticationException("auth.03", new Object[] { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index 89cc1d25e..f0de8b2e3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; +import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.IRequest; @@ -46,6 +47,7 @@ import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.BoolUtils; +import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; import at.gv.egovernment.moa.util.URLEncoder; @@ -232,8 +234,21 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ } if (MiscUtil.isEmpty(templateURL)) { - templateURL = oaParam.getTemplateURL().get(0).getURL(); - Log.info("No SL-Template in request, load SL-Template from OA config (URL: " + templateURL + ")"); + + List templateURLList = oaParam.getTemplateURL(); + + if ( templateURLList != null && templateURLList.size() > 0 + && MiscUtil.isNotEmpty(templateURLList.get(0).getURL()) ) { + templateURL = FileUtils.makeAbsoluteURL( + oaParam.getTemplateURL().get(0).getURL(), + AuthConfigurationProvider.getInstance().getRootConfigFileDir()); + Log.info("No SL-Template in request, load SL-Template from OA config (URL: " + templateURL + ")"); + + } else { + Logger.error("NO SL-Tempalte found in OA config"); + throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); + + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java index d2d458e74..deec69c7f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java @@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.auth.servlet; import java.io.IOException; import java.io.PrintWriter; +import java.util.List; import javax.servlet.ServletConfig; import javax.servlet.ServletException; @@ -40,12 +41,14 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.parser.StartAuthentificationParameterParser; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; @@ -122,7 +125,21 @@ public class GenerateIFrameTemplateServlet extends AuthServlet { bkuURL = AuthConfigurationProvider.getInstance().getDefaultBKUURL(bkuid); } - String templateURL = AuthConfigurationProvider.getInstance().getSLRequestTemplates(bkuid); + //search for OA specific template + String templateURL = null; + List oaTemplateURLList = oaParam.getTemplateURL(); + if ( oaTemplateURLList != null && oaTemplateURLList.size() > 0 + && MiscUtil.isNotEmpty(oaTemplateURLList.get(0).getURL()) ) { + templateURL = oaTemplateURLList.get(0).getURL(); + + } else { + templateURL = AuthConfigurationProvider.getInstance().getSLRequestTemplates(bkuid); + } + + //make url absolut if it is a local url + if (MiscUtil.isNotEmpty(templateURL)) + templateURL = FileUtils.makeAbsoluteURL(templateURL, + AuthConfigurationProvider.getInstance().getRootConfigFileDir()); if (oaParam.isOnlyMandateAllowed()) useMandate = "true"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index bd6514c5c..9df283965 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java @@ -68,6 +68,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; @@ -293,7 +294,8 @@ public class ParamValidatorUtils implements MOAIDAuthConstants{ //get OA specific template URLs if (oaSlTemplates != null && oaSlTemplates.size() > 0) { for (TemplateType el : oaSlTemplates) - trustedTemplateURLs.add(el.getURL()); + if (MiscUtil.isNotEmpty(el.getURL())) + trustedTemplateURLs.add(el.getURL()); } boolean b = trustedTemplateURLs.contains(template); @@ -308,13 +310,17 @@ public class ParamValidatorUtils implements MOAIDAuthConstants{ } + } else if (template.startsWith("file")){ + new URL(template); + Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL erfolgreich ueberprueft"); + Logger.debug("Load SL-Layer Template from local filesystem " + template); + return true; + + } else { + Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. Paramter beginnt nicht mit http oder https."); + return false; } - else { - Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. Paramter beginnt nicht mit http oder https."); - return false; - } - - + } catch (MalformedURLException e) { Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e); return false; -- cgit v1.2.3 From ac7a4876f15a60d02b829a49c23c6c5ed20f7be8 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 14 Feb 2014 13:48:19 +0100 Subject: bugfix: fix possible nullpointer exception --- .../at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index 17a5d2be9..d4b5d1c05 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -247,8 +247,11 @@ public class StatisticLogger { AuthenticationSession moasession = AuthenticationSessionStoreage.getSessionWithPendingRequestID(errorRequest.getRequestID()); if (moasession != null) { - dblog.setBkuurl(moasession.getBkuURL()); - dblog.setBkutype(findBKUType(moasession.getBkuURL(), dbOA)); + if (MiscUtil.isNotEmpty(moasession.getBkuURL())) { + dblog.setBkuurl(moasession.getBkuURL()); + dblog.setBkutype(findBKUType(moasession.getBkuURL(), dbOA)); + } + dblog.setMandatelogin(moasession.getUseMandate()); } -- cgit v1.2.3 From addd90ec1f988bcae99890d1008175c12a98068c Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 20 Feb 2014 17:02:13 +0100 Subject: BugFix: STORK -> MOA-ID-AUTH NullPointerException if no STORK configuration exist --- .../moa/id/config/stork/STORKConfig.java | 23 ++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java index 463930fd7..ff481b825 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java @@ -63,23 +63,26 @@ public class STORKConfig { cpepsMap = new HashMap(); - for(at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS cpep : cpeps) { + if (cpeps != null) { + for(at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS cpep : cpeps) { - try { - CPEPS moacpep = new CPEPS(cpep.getCountryCode(), new URL(cpep.getURL())); + try { + CPEPS moacpep = new CPEPS(cpep.getCountryCode(), new URL(cpep.getURL())); - cpepsMap.put(cpep.getCountryCode(), moacpep); + cpepsMap.put(cpep.getCountryCode(), moacpep); - } catch (MalformedURLException e) { - Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " - + cpep.getCountryCode() + " has an invalid URL and is ignored."); + } catch (MalformedURLException e) { + Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " + + cpep.getCountryCode() + " has an invalid URL and is ignored."); + } } } - attr = new ArrayList(); - for(StorkAttribute current : stork.getAttributes()) { - attr.add(current); + if (stork.getAttributes() != null) { + for(StorkAttribute current : stork.getAttributes()) { + attr.add(current); + } } } -- cgit v1.2.3 From f1d374bb66f3b48f2a14a8d550c4125c04dde7a8 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 24 Feb 2014 11:40:49 +0100 Subject: * add default configuration values * add MOA-ID-Auth publicURLPreFix as mandatory configuration value * remove ReloadConfiguration serlet * change moa-id-lib to use publicURLPreFix * update repository --- .../moa/id/auth/AuthenticationServer.java | 4 +- .../StartAuthentificationParameterParser.java | 21 +--- .../moa/id/auth/servlet/ConfigurationServlet.java | 133 --------------------- .../servlet/GenerateIFrameTemplateServlet.java | 22 ++-- .../moa/id/auth/servlet/LogOutServlet.java | 18 +-- .../CreateXMLSignatureResponseValidator.java | 2 +- .../id/config/auth/AuthConfigurationProvider.java | 115 ++++++++---------- .../moa/id/entrypoints/DispatcherServlet.java | 2 +- .../moa/id/moduls/AuthenticationManager.java | 3 +- .../protocols/pvp2x/config/PVPConfiguration.java | 2 +- .../resources/properties/id_messages_de.properties | 2 +- 11 files changed, 83 insertions(+), 241 deletions(-) delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ConfigurationServlet.java (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 7608f9f93..bebae89db 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -811,9 +811,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (session.isSsoRequested()) { - String oaURL =new String(); + String oaURL = new String(); try { - oaURL = AuthConfigurationProvider.getInstance().getSSOPublicUrl(); + oaURL = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); if (MiscUtil.isNotEmpty(oaURL)) oaURL = oaURL.replaceAll("&", "&"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index f0de8b2e3..71d2aae37 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -205,26 +205,13 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ authURL = authURL.concat(":" + req.getServerPort()); } authURL = authURL.concat(req.getContextPath() + "/"); - - if (isEmpty(authURL)) - throw new WrongParametersException("StartAuthentication", - "AuthURL", "auth.05"); - - // check if HTTP Connection may be allowed (through - // FRONTEND_SERVLETS_ENABLE_HTTP_CONNECTION_PROPERTY) - //INFO: removed from MOA-ID 2.0 Config -// String boolStr = AuthConfigurationProvider -// .getInstance() -// .getGenericConfigurationParameter( -// AuthConfigurationProvider.FRONTEND_SERVLETS_ENABLE_HTTP_CONNECTION_PROPERTY); - - if ((!authURL.startsWith("https:")) -// && (false == BoolUtils.valueOf(boolStr)) - ) + + if (!authURL.startsWith("https:")) throw new AuthenticationException("auth.07", new Object[] { authURL + "*" }); - moasession.setAuthURL(authURL); + //set Auth URL from configuration + moasession.setAuthURL(AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/"); //check and set SourceID if (oaParam.getSAML1Parameter() != null) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ConfigurationServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ConfigurationServlet.java deleted file mode 100644 index 0c2bb66c0..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ConfigurationServlet.java +++ /dev/null @@ -1,133 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.auth.servlet; - -import java.io.IOException; -import java.text.DateFormat; -import java.util.Date; -import java.util.Locale; - -import javax.servlet.ServletConfig; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; -import at.gv.egovernment.moa.id.util.HTTPRequestJSPForwarder; -import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; -import at.gv.egovernment.moa.logging.Logger; - -/** - * Servlet requested for updating the MOA-ID Auth configuration from configuration file - * - * @author Paul Ivancsics - * @version $Id$ - */ -public class ConfigurationServlet extends HttpServlet { - - /** - * - */ - private static final long serialVersionUID = 7455620886605337681L; - -/** - * Handle a HTTP GET request, used to indicated that the MOA - * configuration needs to be updated (reloaded). - * - * @see javax.servlet.http.HttpServlet#doGet(HttpServletRequest, HttpServletResponse) - */ - public void doGet(HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException { - - - response.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); - response.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); - response.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); - response.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); - - MOAIDMessageProvider msg = MOAIDMessageProvider.getInstance(); - - try { - MOAIDAuthInitializer.initialized=false; - MOAIDAuthInitializer.initialize(); - String message = msg.getMessage("config.00", new Object[] - { DateFormat.getTimeInstance(DateFormat.MEDIUM, Locale.GERMAN).format(new Date())} ); - - Logger.info(message); - HTTPRequestJSPForwarder.forwardNamed(message, "/message-auth.jsp", getServletContext(), request, response); - - } catch (Throwable t) { - String errorMessage = msg.getMessage("config.04", null); - Logger.error(errorMessage, t); - HTTPRequestJSPForwarder.forwardNamed(errorMessage, "/message-auth.jsp", getServletContext(), request, response); - } - } - - /** - * Do the same as doGet. - * - * @see javax.servlet.http.HttpServlet#doPost(HttpServletRequest, HttpServletResponse) - */ - public void doPost(HttpServletRequest request, HttpServletResponse response) - throws ServletException, IOException { - doGet(request, response); - } - - /** - * Calls the web application initializer. - * - * @see javax.servlet.Servlet#init(ServletConfig) - */ - public void init(ServletConfig servletConfig) throws ServletException { - super.init(servletConfig); - } - -} - - diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java index deec69c7f..0a0355bd7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java @@ -57,17 +57,17 @@ public class GenerateIFrameTemplateServlet extends AuthServlet { private static final long serialVersionUID = 1L; public void init(ServletConfig servletConfig) throws ServletException { - try { - super.init(servletConfig); - MOAIDAuthInitializer.initialize(); - Logger.debug("default platform file.encoding: " + System.getProperty("file.encoding")); - Logger.info(MOAIDMessageProvider.getInstance().getMessage("init.00", null)); - } - catch (Exception ex) { - Logger.fatal(MOAIDMessageProvider.getInstance().getMessage("init.02", null), ex); - throw new ServletException(ex); - } - } +// try { +// super.init(servletConfig); +// MOAIDAuthInitializer.initialize(); +// Logger.debug("default platform file.encoding: " + System.getProperty("file.encoding")); +// Logger.info(MOAIDMessageProvider.getInstance().getMessage("init.00", null)); +// } +// catch (Exception ex) { +// Logger.fatal(MOAIDMessageProvider.getInstance().getMessage("init.02", null), ex); +// throw new ServletException(ex); +// } + } protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java index c87a17c7f..f3495966a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java @@ -123,15 +123,15 @@ public class LogOutServlet extends AuthServlet { * @see javax.servlet.Servlet#init(ServletConfig) */ public void init(ServletConfig servletConfig) throws ServletException { - try { - super.init(servletConfig); - MOAIDAuthInitializer.initialize(); - Logger.info(MOAIDMessageProvider.getInstance().getMessage("init.00", null)); - } - catch (Exception ex) { - Logger.fatal(MOAIDMessageProvider.getInstance().getMessage("init.02", null), ex); - throw new ServletException(ex); - } +// try { +// super.init(servletConfig); +// MOAIDAuthInitializer.initialize(); +// Logger.info(MOAIDMessageProvider.getInstance().getMessage("init.00", null)); +// } +// catch (Exception ex) { +// Logger.fatal(MOAIDMessageProvider.getInstance().getMessage("init.02", null), ex); +// throw new ServletException(ex); +// } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 5471c03f5..b2c47fac0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -417,7 +417,7 @@ public class CreateXMLSignatureResponseValidator { String oaURL; try { - oaURL = AuthConfigurationProvider.getInstance().getSSOPublicUrl(); + oaURL = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); } catch (ConfigurationException e1) { oaURL = new String(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index c0f47d781..1a3c1b0a1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -212,6 +212,8 @@ public class AuthConfigurationProvider extends ConfigurationProvider { private static Date date = null; + private String publicURLPreFix = null; + /** * Return the single instance of configuration data. * @@ -487,32 +489,41 @@ public class AuthConfigurationProvider extends ConfigurationProvider { //set TrustManagerRevocationChecking setTrustManagerRevocationChecking(); - //set TimeOuts - if (auth.getGeneralConfiguration() != null) { - if (auth.getGeneralConfiguration().getTimeOuts() != null) { - - timeouts = new TimeOuts(); - if (auth.getGeneralConfiguration().getTimeOuts().getAssertion() == null) - timeouts.setAssertion(new BigInteger("120")); - else - timeouts.setAssertion(auth.getGeneralConfiguration().getTimeOuts().getAssertion()); - - if (auth.getGeneralConfiguration().getTimeOuts().getMOASessionCreated() == null) - timeouts.setMOASessionCreated(new BigInteger("2700")); - else - timeouts.setMOASessionCreated(auth.getGeneralConfiguration().getTimeOuts().getMOASessionCreated()); - - if (auth.getGeneralConfiguration().getTimeOuts().getMOASessionUpdated() == null) - timeouts.setMOASessionUpdated(new BigInteger("1200")); - else - timeouts.setMOASessionUpdated(auth.getGeneralConfiguration().getTimeOuts().getMOASessionUpdated()); - } - } - else { - Logger.warn("Error in MOA-ID Configuration. No TimeOuts defined."); - throw new ConfigurationException("config.02", null); - } + //set default timeouts + timeouts = new TimeOuts(); + timeouts.setAssertion(new BigInteger("300")); + timeouts.setMOASessionCreated(new BigInteger("2700")); + timeouts.setMOASessionUpdated(new BigInteger("1200")); + //search timeouts in config + if (auth.getGeneralConfiguration() != null) { + if (auth.getGeneralConfiguration().getTimeOuts() != null) { + if (auth.getGeneralConfiguration().getTimeOuts().getAssertion() != null) + timeouts.setAssertion(auth.getGeneralConfiguration().getTimeOuts().getAssertion()); + + if (auth.getGeneralConfiguration().getTimeOuts().getMOASessionCreated() != null) + timeouts.setMOASessionCreated(auth.getGeneralConfiguration().getTimeOuts().getMOASessionCreated()); + + if (auth.getGeneralConfiguration().getTimeOuts().getMOASessionUpdated() != null) + timeouts.setMOASessionUpdated(auth.getGeneralConfiguration().getTimeOuts().getMOASessionUpdated()); + + } else { + Logger.info("No TimeOuts defined. Use default values"); + } + } + + // sets the authentication session and authentication data time outs + AuthenticationServer.getInstance() + .setSecondsSessionTimeOutCreated(timeouts.getMOASessionCreated().longValue()); + + AuthenticationServer.getInstance() + .setSecondsSessionTimeOutUpdated(timeouts.getMOASessionUpdated().longValue()); + + AuthenticationServer.getInstance() + .setSecondsAuthDataTimeOut(timeouts.getAssertion().longValue()); + + + //set PVP2 general config Protocols protocols = auth.getProtocols(); if (protocols != null) { @@ -569,39 +580,21 @@ public class AuthConfigurationProvider extends ConfigurationProvider { } //set alternativeSourceID - if (auth.getGeneralConfiguration() != null) + if (auth.getGeneralConfiguration() != null) { //TODO: can be removed in a further version, because it is moved to SAML1 config if (MiscUtil.isEmpty(alternativesourceid)) alternativesourceid = auth.getGeneralConfiguration().getAlternativeSourceID(); - - // sets the authentication session and authentication data time outs - BigInteger param = auth.getGeneralConfiguration().getTimeOuts().getMOASessionCreated(); - - if (param != null) { - long sessionTimeOut = param.longValue(); - if (sessionTimeOut > 0) - AuthenticationServer.getInstance() - .setSecondsSessionTimeOutCreated(sessionTimeOut); - } - - param = auth.getGeneralConfiguration().getTimeOuts().getMOASessionUpdated(); - if (param != null) { - long sessionTimeOut = param.longValue(); - if (sessionTimeOut > 0) - AuthenticationServer.getInstance() - .setSecondsSessionTimeOutUpdated(sessionTimeOut); - } - - param = auth.getGeneralConfiguration().getTimeOuts().getAssertion(); - if (param != null) { - long authDataTimeOut = param.longValue(); - if (authDataTimeOut > 0) - AuthenticationServer.getInstance() - .setSecondsAuthDataTimeOut(authDataTimeOut); - } - - else { + + if (MiscUtil.isNotEmpty(auth.getGeneralConfiguration().getPublicURLPreFix())) + publicURLPreFix = auth.getGeneralConfiguration().getPublicURLPreFix(); + + else { + Logger.error("No Public URL Prefix configured."); + throw new ConfigurationException("config.05", new Object[]{"Public URL Prefix"}); + } + + } else { Logger.warn("Error in MOA-ID Configuration. No GeneralConfig defined."); throw new ConfigurationException("config.02", null); } @@ -947,16 +940,6 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return new String(); } - public String getSSOPublicUrl() { - if (ssoconfig!= null) { - String url = ssoconfig.getPublicURL(); - if (MiscUtil.isEmpty(url)) - url = new String(); - return url; - } - return new String(); - } - public String getMOASessionEncryptionKey() { String prop = props.getProperty("configuration.moasession.key"); @@ -1005,6 +988,10 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return Boolean.valueOf(prop); } + public String getPublicURLPrefix() { + return publicURLPreFix; + } + /** * Retruns the STORK Configuration * @return STORK Configuration diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index b5f0a7557..c9fc07b70 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -86,7 +86,7 @@ public class DispatcherServlet extends AuthServlet{ null), ex); throw new ServletException(ex); } - Logger.info("Dispatcher Servlet initialization"); + Logger.info("Dispatcher Servlet initialization finished."); } protected void processRequest(HttpServletRequest req, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 90863890f..666224b3a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -238,8 +238,9 @@ public class AuthenticationManager extends AuthServlet { //Build authentication form + String publicURLPreFix = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); String loginForm = LoginFormBuilder.buildLoginForm(target.requestedModule(), - target.requestedAction(), oaParam, request.getContextPath(), moasession.getSessionID()); + target.requestedAction(), oaParam, publicURLPreFix, moasession.getSessionID()); //store MOASession try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index bf82efb79..ebfffb648 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -124,7 +124,7 @@ public class PVPConfiguration { } public String getIDPPublicPath() throws ConfigurationException { - String publicPath = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig().getPublicURLPrefix(); + String publicPath = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); if(publicPath != null) { if(publicPath.endsWith("/")) { int length = publicPath.length(); diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 93e8cdb99..2559d3d18 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -69,7 +69,7 @@ config.15=Das Personenbindungs-Trust-Profil (TrustProfileID \= {0}) darf nicht f config.16=MOA ID Proxy konnte nicht gestartet werden. Das Element ConnnectionParameter im allgemeinen Konfigurationsteil der MOA-ID-PROXY Konfigurationsdatei fehlt. config.17=Fehler beim initialisieren von Hibernate config.18=Keine MOA-ID 2.x Konfiguration gefunden. -config.19=Kein Schl?ssel f\u00FCr die Resignierung der Personenbindung gefunden. +config.19=Kein Schl\u00FCssel f\u00FCr die Resignierung der Personenbindung gefunden. config.20=Umgebungsvariable "moa.id.proxy.configuration" nicht gesetzt parser.00=Leichter Fehler beim Parsen: {0} -- cgit v1.2.3