From ac531e30d13d6714e2ac61f7329e6adc130aa288 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 24 May 2019 12:23:41 +0200 Subject: untested switch to EAAF-components 1.0.7 --- .../id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'id/server/modules/moa-id-modul-citizencard_authentication/src/main') diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java index 582af517c..b63501a6f 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java @@ -31,6 +31,7 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; /** @@ -47,7 +48,7 @@ public class CitizenCardAuthProcessEngineSignalController extends AbstractProces "/VerifyIdentityLink" }, method = {RequestMethod.POST, RequestMethod.GET}) - public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { signalProcessManagement(req, resp); } -- cgit v1.2.3 From 66859cd53d4181350525e91c4d35071932675ca7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 29 May 2019 14:04:44 +0200 Subject: refactoring from MOA-ID 3.4.x to MOA E-ID Proxy 4.0.x --- .../gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server/modules/moa-id-modul-citizencard_authentication/src/main') diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java index fe0e659c7..596b28576 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java @@ -305,7 +305,7 @@ public class MISSimpleClient { try { httpclient = HttpClientWithProxySupport.getHttpClient( sSLSocketFactory, - authConfig.getBasicMOAIDConfigurationBoolean(AuthConfiguration.PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION, true)); + authConfig.getBasicConfigurationBoolean(AuthConfiguration.PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION, true)); // set http POST Request HttpPost post = new HttpPost(webServiceURL); -- cgit v1.2.3 From e0bce6a84299b41cd601f89478182623042613b9 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 8 Aug 2019 07:40:20 +0200 Subject: re-add configuration parameter to disable 'targetFriendlyName' validation in signed AuthBlock --- .../moa/id/auth/AuthenticationServer.java | 8 ++++++-- .../tasks/VerifyAuthenticationBlockTask.java | 7 ++++++- .../CreateXMLSignatureResponseValidator.java | 20 +++++++++++++++----- 3 files changed, 27 insertions(+), 8 deletions(-) (limited to 'id/server/modules/moa-id-modul-citizencard_authentication/src/main') diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index a500a7c93..348c204bf 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -20,6 +20,7 @@ import org.apache.xpath.XPathAPI; import org.opensaml.xml.util.Base64; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; +import org.springframework.util.Base64Utils; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NodeList; @@ -69,6 +70,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; import at.gv.egovernment.moa.id.commons.api.exceptions.BKUException; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.config.ConfigurationProviderImpl; import at.gv.egovernment.moa.id.logging.SpecificTraceLogger; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.logging.Logger; @@ -448,7 +450,7 @@ public class AuthenticationServer extends BaseAuthenticationServer { .build(authBlock, oaParam.getKeyBoxIdentifier(), transformsInfos); - SpecificTraceLogger.trace("Req. Authblock: " + createXMLSignatureRequest); + SpecificTraceLogger.trace("Req. Authblock: " + Base64Utils.encodeToString(createXMLSignatureRequest.getBytes())); SpecificTraceLogger.trace("OA config: " + pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class).toString()); SpecificTraceLogger.trace("saml1RequestedTarget: " + pendingReq.getRawData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class)); SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + pendingReq.getRawData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class)); @@ -965,7 +967,9 @@ public class AuthenticationServer extends BaseAuthenticationServer { new CreateXMLSignatureResponseValidator().validateSSO(csresp, session, pendingReq); else - new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq); + new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq, + authConfig.getBasicConfigurationBoolean( + ConfigurationProviderImpl.VALIDATION_AUTHBLOCK_TARGETFRIENDLYNAME, true)); // builds a for a MOA-SPSS call List vtids = authConfig.getMoaSpAuthBlockVerifyTransformsInfoIDs(); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java index c8b562282..9b9b76ffc 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java @@ -12,6 +12,7 @@ import org.apache.commons.fileupload.FileUploadException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.stereotype.Component; +import org.springframework.util.Base64Utils; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; @@ -21,6 +22,7 @@ import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.logging.SpecificTraceLogger; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; @@ -80,7 +82,10 @@ public class VerifyAuthenticationBlockTask extends AbstractAuthServletTask { } String createXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE); - + if (createXMLSignatureResponse != null) + SpecificTraceLogger.trace("Raw signed AuthBlock: " + Base64Utils.encodeToString(createXMLSignatureResponse.getBytes())); + + try { //check if authblock is received if (!ParamValidatorUtils.isValidXMLDocument(createXMLSignatureResponse)) diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 78d999971..49b2d2032 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -54,6 +54,7 @@ import java.util.List; import javax.xml.bind.DatatypeConverter; import org.jaxen.SimpleNamespaceContext; +import org.springframework.util.Base64Utils; import org.w3c.dom.Element; import at.gv.egiz.eaaf.core.api.IRequest; @@ -131,12 +132,13 @@ public class CreateXMLSignatureResponseValidator { * The Method validate is used for validating an explicit {@link CreateXMLSignatureResponse} * @param createXMLSignatureResponse * @param session - * @param pendingReq + * @param pendingReq + * @param validateTargetFriendlyName * @throws ValidateException * @throws BuildException * @throws ConfigurationException */ - public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq) + public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq, boolean validateTargetFriendlyName) throws ValidateException, BuildException, ConfigurationException, EAAFBuilderException { // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier IOAAuthParameters oaParam = pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class); @@ -273,8 +275,16 @@ public class CreateXMLSignatureResponseValidator { } String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")"; - if (!refValueSector.equals((String)samlAttribute.getValue())) - throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector}); + if (!refValueSector.equals((String)samlAttribute.getValue())) { + if (validateTargetFriendlyName) + throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector}); + + else { + Logger.warn("AuthBlock 'TargetFriendlyName' " + samlAttribute.getValue() + " does not match to " + refValueSector); + + } + + } } else throw new ValidateException("validator.12", null); @@ -430,7 +440,7 @@ public class CreateXMLSignatureResponseValidator { } catch (Exception e) { SpecificTraceLogger.trace("Validate AuthBlock without SSO"); - SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock()); + SpecificTraceLogger.trace("Signed AuthBlock: " + Base64Utils.encodeToString(session.getAuthBlock().getBytes())); SpecificTraceLogger.trace("OA config: " + oaParam.toString()); SpecificTraceLogger.trace("saml1RequestedTarget: " + saml1RequestedTarget); SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + saml1RequestedFriendlyName); -- cgit v1.2.3 From 394e5228bac26ecf02b5aca4f0db27d05ea0a0cd Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 3 Sep 2019 11:23:46 +0200 Subject: add additional log message for debugging --- .../auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'id/server/modules/moa-id-modul-citizencard_authentication/src/main') diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java index a02032e74..1ca214761 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java @@ -6,6 +6,7 @@ import javax.servlet.http.HttpServletResponse; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.stereotype.Component; +import org.springframework.util.Base64Utils; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; @@ -13,6 +14,7 @@ import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.logging.SpecificTraceLogger; import at.gv.egovernment.moa.id.util.CitizenCardServletUtils; import at.gv.egovernment.moa.logging.Logger; @@ -59,6 +61,9 @@ public class PrepareAuthBlockSignatureTask extends AbstractAuthServletTask { //store pending request with new MOASession data information requestStoreage.storePendingRequest(pendingReq); + //log AuthBlock into specialLogger + SpecificTraceLogger.trace("Raw AuthBlock: " + Base64Utils.encodeToString(createXMLSignatureRequest.getBytes("UTF-8"))); + //write response CitizenCardServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, pendingReq, createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, -- cgit v1.2.3 From e4fa532f93f10115e1f39c97cc96e5950a048884 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 11 Dec 2019 16:01:38 +0100 Subject: update to EAAF-Components 1.0.13.1 Enforce E-ID authentication based on Service-Provider configuration --- .../moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'id/server/modules/moa-id-modul-citizencard_authentication/src/main') diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java index 1962d6c82..82fb42c32 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java @@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.auth.modules.internal; import org.apache.commons.lang3.StringUtils; +import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; @@ -18,7 +19,7 @@ public class DefaultCitizenCardAuthModuleImpl implements AuthModule { } @Override - public String selectProcess(ExecutionContext context) { + public String selectProcess(ExecutionContext context, IRequest pendingReq) { //select process if BKU is selected and it is no STORK authentication boolean performBKUSelection = false; -- cgit v1.2.3 From 1292f854aa98b167a849dc0f202a1957a5ce2514 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 13 Dec 2019 09:56:15 +0100 Subject: set NeedConsentFlag to 'false' if authentication was done without SSO --- .../id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java | 3 +++ 1 file changed, 3 insertions(+) (limited to 'id/server/modules/moa-id-modul-citizencard_authentication/src/main') diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java index 9b9b76ffc..4102a15b0 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java @@ -99,6 +99,9 @@ public class VerifyAuthenticationBlockTask extends AbstractAuthServletTask { //verify authBlock authServer.verifyAuthenticationBlock(pendingReq, moasession, createXMLSignatureResponse); + //set NeedConsent to false, because user gives consont during authentication + pendingReq.setNeedUserConsent(false); + //store pending request with new MOASession data information requestStoreage.storePendingRequest(pendingReq); -- cgit v1.2.3