From a06f94c9da130af5cf755b7d6465c8905d37d75b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 5 Jun 2018 15:05:50 +0200 Subject: add one method to AssertionAttributeExtractor and add some log messages --- .../sl20_auth/tasks/ReceiveQualeIDTask.java | 44 +++++++++++++++------- 1 file changed, 30 insertions(+), 14 deletions(-) (limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java') diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java index 9262e43e9..03db52695 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java @@ -49,15 +49,16 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { @Override public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) - throws TaskExecutionException { + throws TaskExecutionException { + String sl20Result = null; try { Logger.debug("Receiving SL2.0 response process .... "); - JsonObject sl20ReqObj = null; + JsonObject sl20ReqObj = null; try { //get SL2.0 command or result from HTTP request Map reqParams = getParameters(request); - String sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM); + sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM); if (MiscUtil.isEmpty(sl20Result)) { @@ -103,10 +104,15 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)); - if (payLoadContainer.isValidSigned() == null || - !payLoadContainer.isValidSigned()) { - Logger.info("SL20 result from VDA was not valid signed"); - throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."}); + if ( (payLoadContainer.isValidSigned() == null || !payLoadContainer.isValidSigned())) { + if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)) { + Logger.info("SL20 result from VDA was not valid signed"); + throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."}); + + } else { + Logger.warn("SL20 result from VDA is NOT valid signed, but signatures-verification is DISABLED by configuration!"); + + } } @@ -158,6 +164,8 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { } catch (MOAIDException e) { Logger.warn("SL2.0 processing error:", e); + if (sl20Result != null) + Logger.debug("Received SL2.0 result: " + sl20Result); pendingReq.setGenericDataToSession( Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e)); @@ -165,6 +173,8 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { } catch (Exception e) { Logger.warn("ERROR:", e); Logger.warn("SL2.0 Authentication FAILED with a generic error.", e); + if (sl20Result != null) + Logger.debug("Received SL2.0 result: " + sl20Result); pendingReq.setGenericDataToSession( Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, new TaskExecutionException(pendingReq, e.getMessage(), e)); @@ -182,8 +192,10 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { } } catch (Exception e) { - //write internal server errror 500 according to SL2.0 specification, chapter https transport binding + //write internal server errror 500 according to SL2.0 specification, chapter https transport binding Logger.warn("Can NOT build SL2.0 response. Reason: " + e.getMessage(), e); + if (sl20Result != null) + Logger.debug("Received SL2.0 result: " + sl20Result); try { response.sendError(500, "Internal Server Error."); @@ -207,7 +219,8 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { error , null); - Logger.debug("Client request containts 'native client' header ... "); + Logger.debug("Client request containts 'native client' header ... "); + Logger.trace("SL20 response to VDA: " + respContainer); StringWriter writer = new StringWriter(); writer.write(respContainer.toString()); final byte[] content = writer.toString().getBytes("UTF-8"); @@ -230,13 +243,14 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { JsonObject callCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_CALL, callReqParams); //build first redirect command for app - JsonObject redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters("", callCommand, null, true); + JsonObject redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters("", + callCommand, null, true); JsonObject redirectOneCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectOneParams); //build second redirect command for IDP JsonObject redirectTwoParams = SL20JSONBuilderUtils.createRedirectCommandParameters( new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), Constants.HTTP_ENDPOINT_RESUME, null), - redirectOneCommand, null, true); + redirectOneCommand, null, false); JsonObject redirectTwoCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectTwoParams); //build generic SL2.0 response container @@ -247,10 +261,12 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { redirectTwoCommand, null); - //workaround for SIC VDA + //workaround for A-Trust if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null && - request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)) { - Logger.debug("Client request containts 'native client' header ... "); + request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE) + || true) { + Logger.debug("Client request containts 'native client' header ... "); + Logger.trace("SL20 response to VDA: " + respContainer); StringWriter writer = new StringWriter(); writer.write(respContainer.toString()); final byte[] content = writer.toString().getBytes("UTF-8"); -- cgit v1.2.3