From 945c4d28535724f0a54d220f9eb0ebd25b8227c4 Mon Sep 17 00:00:00 2001
From: Florian Reimair
Date: Tue, 14 Apr 2015 13:58:27 +0200
Subject: respect multi-part stork responses
---
 ...onnectorHandleResponseWithoutSignatureTask.java | 18 +++++++++++------
 .../modules/stork/tasks/PepsConnectorTask.java | 23 ++++++++++++++--------
 2 files changed, 27 insertions(+), 14 deletions(-)
(limited to 'id/server/modules/module-stork/src')
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
index 3338804b4..e2c3880ac 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
@@ -136,7 +136,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 try {
 // validate SAML Token
 Logger.debug("Starting validation of SAML response");
- authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost());
+ authnResponse = engine.validateSTORKAuthnResponseWithQuery(decSamlToken, (String) request.getRemoteHost());
 Logger.info("SAML response succesfully verified!");
 } catch (STORKSAMLEngineException e) {
 Logger.error("Failed to verify STORK SAML Response", e);
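Review bot: The switch from `validateSTORKAuthnResponse` to `validateSTORKAuthnResponseWithQuery` is made without a comment at the call site, and the method name alone does not tell a later reader what the new variant checks differently or why the old one is no longer sufficient. Since the commit subject ties the change to multi-assertion responses, a one-line comment stating that reason — for example that this variant is the one that validates the additional assertions of a multi-part response, if that is indeed what it does — would keep the next maintainer from reverting it as a no-op rename. Presumably every assertion whose attributes are later read through `getTotalPersonalAttributeList()` is validated by this call; that is worth confirming against the engine, because attributes from an unvalidated assertion would otherwise be merged with the validated ones further down. The same call is changed in PepsConnectorTask in its -162 hunk, and the surrounding try block starts before this hunk.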
@@ -211,10 +211,16 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);
- // //////////// incorporate gender from parameters if not in stork response
- IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList();
+ // first, try to fetch the attributes from the list of total attributes. Note that this very list is only filled
+ // with ALL attributes when there is more than one assertion in the SAML2 STORK message.
+ IPersonalAttributeList attributeList = authnResponse.getTotalPersonalAttributeList();
+
+ // if the list is empty, there was just one assertion... probably
+ if(attributeList.isEmpty())
+ attributeList = authnResponse.getPersonalAttributeList();
+ // //////////// incorporate gender from parameters if not in stork response
 // but first, check if we have a representation case
 if (STORKResponseProcessor.hasAttribute("mandateContent", attributeList)
 || STORKResponseProcessor.hasAttribute("representative", attributeList)
@@ -233,7 +239,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 tmp.add(gendervalue);
 gender.setValue(tmp);
- authnResponse.getPersonalAttributeList().add(gender);
+ attributeList.add(gender);
 }
 }
 }
@@ -246,7 +252,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 // extract signed doc element and citizen signature
 String citizenSignature = null;
 try {
- PersonalAttribute signedDoc = authnResponse.getPersonalAttributeList().get("signedDoc");
+ PersonalAttribute signedDoc = attributeList.get("signedDoc");
 String signatureInfo = null;
 // FIXME: Remove nonsense code (signedDoc attribute... (throw Exception for "should not occur" situations)), adjust error messages in order to reflect the true problem...
 if (signedDoc != null) {
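Review bot: The fallback `if(attributeList.isEmpty()) attributeList = authnResponse.getPersonalAttributeList();` dereferences the result of `getTotalPersonalAttributeList()` without a null check, and it treats an empty total list as proof of a single-assertion response even though the comment itself ends in "probably" — a multi-assertion response whose merged list happens to be empty would silently fall back to the first assertion's attributes. Guarding both cases explicitly, `if (attributeList == null || attributeList.isEmpty())`, and replacing the hedged comment with the actual contract, e.g. `// getTotalPersonalAttributeList() is only populated for multi-assertion responses; otherwise use the single assertion's list`, would make the intent checkable. Whether the total list can be null depends on the STORK engine and is not visible here. Merging attributes from all assertions is only sound if `validateSTORKAuthnResponseWithQuery` validated each of them; a short comment recording that dependency at this point would help the next reader. The same block is added to PepsConnectorTask in its -297 hunk, and the enclosing method continues on both sides of this hunk.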
@@ -259,7 +265,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 // store authnResponse
 // moaSession.setAuthnResponse(authnResponse);//not serializable
- moaSession.setAuthnResponseGetPersonalAttributeList(authnResponse.getPersonalAttributeList());
+ moaSession.setAuthnResponseGetPersonalAttributeList(attributeList);
 String authnContextClassRef = null;
 try {
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
index 6e0bd19ff..9df0ff37b 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -162,7 +162,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 try {
 // validate SAML Token
 Logger.debug("Starting validation of SAML response");
- authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost());
+ authnResponse = engine.validateSTORKAuthnResponseWithQuery(decSamlToken, (String) request.getRemoteHost());
 Logger.info("SAML response succesfully verified!");
 } catch (STORKSAMLEngineException e) {
 Logger.error("Failed to verify STORK SAML Response", e);
@@ -297,9 +297,16 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);
- // //////////// incorporate gender from parameters if not in stork response
- IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList();
+ // first, try to fetch the attributes from the list of total attributes. Note that this very list is only filled
+ // with ALL attributes when there is more than one assertion in the SAML2 STORK message.
+ IPersonalAttributeList attributeList = authnResponse.getTotalPersonalAttributeList();
+
+ // if the list is empty, there was just one assertion... probably
+ if(attributeList.isEmpty())
+ attributeList = authnResponse.getPersonalAttributeList();
+
+ // //////////// incorporate gender from parameters if not in stork response
 // but first, check if we have a representation case
 if (STORKResponseProcessor.hasAttribute("mandateContent", attributeList)
@@ -320,7 +327,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 tmp.add(gendervalue);
 gender.setValue(tmp);
- authnResponse.getPersonalAttributeList().add(gender);
+ attributeList.add(gender);
 }
 }
 }
@@ -336,15 +343,15 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 // extract signed doc element and citizen signature
 try {
- if (authnResponse.getPersonalAttributeList().get("signedDoc") == null
- || authnResponse.getPersonalAttributeList().get("signedDoc").getValue() == null
- || authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0) == null) {
+ if (attributeList.get("signedDoc") == null
+ || attributeList.get("signedDoc").getValue() == null
+ || attributeList.get("signedDoc").getValue().get(0) == null) {
 Logger.info("STORK Response include NO signedDoc attribute!");
 throw new STORKException("STORK Response include NO signedDoc attribute.");
 }
- String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0);
+ String signatureInfo = attributeList.get("signedDoc").getValue().get(0);
 Logger.debug("signatureInfo:" + signatureInfo);
-- cgit v1.2.3
From bc41be7e1478e4b213c0357135a24572fce5f21d Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Mon, 20 Apr 2015 13:52:25 +0200
Subject: update STORK authentication module
---
 .../modules/stork/tasks/CreateStorkAuthRequestFormTask.java | 8 +++++---
 .../tasks/PepsConnectorHandleLocalSignResponseTask.java | 12 +++++++-----
 .../PepsConnectorHandleResponseWithoutSignatureTask.java | 12 +++++++-----
 .../moa/id/auth/modules/stork/tasks/PepsConnectorTask.java | 8 +++++---
 4 files changed, 24 insertions(+), 16 deletions(-)
(limited to 'id/server/modules/module-stork/src')
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java
index f8cc17b93..021ee62cf 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java
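Review bot: The rewritten condition in the -336 hunk still looks `signedDoc` up four times and only guards against null, so a `signedDoc` attribute whose value list is present but empty makes `.getValue().get(0)` throw IndexOutOfBoundsException instead of the intended STORKException; the surrounding try and its catch clauses lie outside the hunk, so how that propagates is not visible here. Fetching the attribute once and adding an `isEmpty()` check keeps the same outcome for the cases already covered and closes that gap; `PersonalAttribute` is the type the sibling task uses for this lookup, so if it is not imported here the element type of the list should be used instead. The -246 hunk of PepsConnectorHandleResponseWithoutSignatureTask binds `signedDoc` to a local first, so the two tasks would also read alike.
```java
PersonalAttribute signedDoc = attributeList.get("signedDoc");
if (signedDoc == null || signedDoc.getValue() == null || signedDoc.getValue().isEmpty()
        || signedDoc.getValue().get(0) == null) {
    Logger.info("STORK Response include NO signedDoc attribute!");
    throw new STORKException("STORK Response include NO signedDoc attribute.");
}
String signatureInfo = signedDoc.getValue().get(0);
// … unchanged: signatureInfo logging and the rest of the try block …
```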
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java
@@ -15,6 +15,7 @@ import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.config.stork.CPEPS;
@@ -63,7 +64,7 @@ public class CreateStorkAuthRequestFormTask extends AbstractAuthServletTask {
 @Override
 public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
- throws Exception {
+ throws TaskExecutionException {
 String pendingRequestID = null;
 String sessionID = null;
@@ -97,11 +98,12 @@ public class CreateStorkAuthRequestFormTask extends AbstractAuthServletTask {
 AuthenticationServer.startSTORKAuthentication(req, resp, moasession);
 } catch (MOAIDException ex) {
- handleError(null, ex, req, resp, pendingRequestID);
+ throw new TaskExecutionException(ex.getMessage(), ex);
 } catch (Exception e) {
 Logger.error("CreateStorkAuthRequestFormTask has an interal Error.", e);
- throw new MOAIDException("Internal error.", new Object[] { sessionID }, e);
+ throw new TaskExecutionException("CreateStorkAuthRequestFormTask has an interal Error.", e);
+
 } finally {
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleLocalSignResponseTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleLocalSignResponseTask.java
index 077bb2dee..1ae66f24e 100644
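Review bot: In the -97 hunk the new `catch (Exception e)` branch drops the `sessionID` that the replaced `MOAIDException` carried as a message parameter, and the new string repeats the typo "interal" from the log line above it; `throw new TaskExecutionException("CreateStorkAuthRequestFormTask has an internal Error.", e);` fixes the spelling, and if TaskExecutionException can carry context the session id should travel with it. In the `MOAIDException` branch `ex.getMessage()` becomes the new message: if MOAIDException messages are message keys resolved elsewhere — the removed `new MOAIDException("Internal error.", new Object[] { sessionID }, e)` looks like one — the key rather than the rendered text is now what the TaskExecutionException carries, which is worth confirming. The `pendingRequestID` previously handed to `handleError` is no longer passed anywhere in this hunk, so the error page can only be tied to the pending request if the caller of `execute` recovers it on its own. The try block begins and the finally block ends outside the hunk.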
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleLocalSignResponseTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleLocalSignResponseTask.java
@@ -22,6 +22,7 @@ import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.auth.stork.STORKException;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
 import at.gv.egovernment.moa.id.moduls.ModulUtils;
@@ -79,7 +80,7 @@ public class PepsConnectorHandleLocalSignResponseTask extends AbstractPepsConnec
 @Override
 public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
- throws Exception {
+ throws TaskExecutionException {
 String moaSessionID = request.getParameter("moaSessionID");
 String signResponse = request.getParameter("signresponse");
 Logger.info("moaSessionID:" + moaSessionID);
@@ -90,13 +91,13 @@ public class PepsConnectorHandleLocalSignResponseTask extends AbstractPepsConnec
 handleSignResponse(executionContext, request, response);
 } else {
 // should not occur
- throw new IOException("should not occur");
+ throw new TaskExecutionException("Parsing mulitpart/form-data request parameters failed", null);
 }
 return;
 }
 private void handleSignResponse(ExecutionContext executionContext, HttpServletRequest request,
- HttpServletResponse response) {
+ HttpServletResponse response) throws TaskExecutionException {
 Logger.info("handleSignResponse started");
 String moaSessionID = request.getParameter("moaSessionID");
 String signResponse = request.getParameter("signresponse");
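Review bot: In the -90 hunk the new message `"Parsing mulitpart/form-data request parameters failed"` contains the typo "mulitpart" and is thrown from a branch whose own comment says `// should not occur`, so the text asserts a cause the visible code does not establish; only the condition of the `if`, which starts before this hunk, can tell whether this branch really is a multipart-parsing failure. `throw new TaskExecutionException("Parsing multipart/form-data request parameters failed", null);` fixes the spelling, and the explicit `null` cause would read better through a single-argument constructor if TaskExecutionException offers one, since there is no underlying exception here. The `return;` that follows is now the last statement of the method after an if/else whose else branch throws, so it can be dropped. The same line is added to PepsConnectorHandleResponseWithoutSignatureTask in its -95 hunk.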
@@ -199,13 +200,14 @@ public class PepsConnectorHandleLocalSignResponseTask extends AbstractPepsConnec
 Logger.info("REDIRECT TO: " + redirectURL);
 } catch (AuthenticationException e) {
- handleError(null, e, request, response, pendingRequestID);
+ throw new TaskExecutionException(e.getMessage(), e);
 } catch (MOAIDException e) {
- handleError(null, e, request, response, pendingRequestID);
+ throw new TaskExecutionException(e.getMessage(), e);
 } catch (Exception e) {
 Logger.error("PEPSConnector has an interal Error.", e);
+ throw new TaskExecutionException(e.getMessage(), e);
 } finally {
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
index e2c3880ac..08da21460 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
@@ -25,6 +25,7 @@ import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet;
 import at.gv.egovernment.moa.id.auth.stork.STORKException;
 import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor;
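Review bot: In the -199 hunk the `AuthenticationException` and `MOAIDException` catch clauses now have identical bodies, `throw new TaskExecutionException(e.getMessage(), e);`, so one of them is redundant: if AuthenticationException extends MOAIDException (the catch ordering suggests it), a single `catch (MOAIDException e)` covers both, otherwise a multi-catch `catch (AuthenticationException | MOAIDException e)` does. The generic `catch (Exception e)` branch rethrows with `e.getMessage()`, which is null for many runtime exceptions, so the TaskExecutionException can end up with no message at all; a fixed text matching what is already logged, `throw new TaskExecutionException("PEPSConnector has an internal Error.", e);`, is more useful to whoever renders it. The `pendingRequestID` previously passed to `handleError` no longer reaches the error path in this hunk, which matters if the error page is keyed by it. The same three changes appear in PepsConnectorHandleResponseWithoutSignatureTask (-399 hunk) and PepsConnectorTask (-613 hunk); in all three the try block starts and the finally block ends outside the hunk.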
@@ -83,7 +84,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 @Override
 public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
- throws Exception {
+ throws TaskExecutionException {
 String moaSessionID = request.getParameter("moaSessionID");
 String signResponse = request.getParameter("signresponse");
 Logger.info("moaSessionID:" + moaSessionID);
@@ -95,13 +96,13 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 } else {
 // should not occur
- throw new IOException("should not occur");
+ throw new TaskExecutionException("Parsing mulitpart/form-data request parameters failed", null);
 }
 return;
 }
 private void handleSAMLResponse(ExecutionContext executionContext, HttpServletRequest request,
- HttpServletResponse response) {
+ HttpServletResponse response) throws TaskExecutionException {
 Logger.info("handleSAMLResponse started");
 String pendingRequestID = null;
@@ -399,13 +400,14 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 Logger.info("REDIRECT TO: " + redirectURL);
 } catch (AuthenticationException e) {
- handleError(null, e, request, response, pendingRequestID);
+ throw new TaskExecutionException(e.getMessage(), e);
 } catch (MOAIDException e) {
- handleError(null, e, request, response, pendingRequestID);
+ throw new TaskExecutionException(e.getMessage(), e);
 } catch (Exception e) {
 Logger.error("PEPSConnector has an interal Error.", e);
+ throw new TaskExecutionException(e.getMessage(), e);
 } finally {
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
index 9df0ff37b..81c7c3a7b 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -41,6 +41,7 @@ import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
 import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet;
 import at.gv.egovernment.moa.id.auth.stork.STORKException;
@@ -128,7 +129,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 @Override
 public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
- throws Exception {
+ throws TaskExecutionException {
 String pendingRequestID = null;
 setNoCachingHeaders(response);
@@ -613,13 +614,14 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 Logger.info("REDIRECT TO: " + redirectURL);
 } catch (AuthenticationException e) {
- handleError(null, e, request, response, pendingRequestID);
+ throw new TaskExecutionException(e.getMessage(), e);
 } catch (MOAIDException e) {
- handleError(null, e, request, response, pendingRequestID);
+ throw new TaskExecutionException(e.getMessage(), e);
 } catch (Exception e) {
 Logger.error("PEPSConnector has an interal Error.", e);
+ throw new TaskExecutionException(e.getMessage(), e);
 } finally {
-- cgit v1.2.3
From 7d8b6f80bb6faf33c4a19aac2d23784a8dbbddc2 Mon Sep 17 00:00:00 2001
From: Florian Reimair
Date: Tue, 5 May 2015 13:01:43 +0200
Subject: refactored some code regarding multi-part SAML responses
---
 .../stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java | 2 +-
 .../moa/id/auth/modules/stork/tasks/PepsConnectorTask.java | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
(limited to 'id/server/modules/module-stork/src')
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
index 08da21460..aff69aa9c 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
@@ -342,7 +342,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 // FIXME: Same here; we do not have the citizen's signature, so this code might be regarded as dead code.
 try {
- SZRGInsertion(moaSession, authnResponse.getPersonalAttributeList(), authnResponse.getAssertions()
+ SZRGInsertion(moaSession, attributeList, authnResponse.getAssertions()
 .get(0).getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef()
 .getAuthnContextClassRef(), citizenSignature);
 } catch (STORKException e) {
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
index 81c7c3a7b..6eabc0538 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
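Review bot: In the -342 hunk, `authnResponse.getAssertions().get(0).getAuthnStatements().get(0)` still assumes the first assertion carries the AuthnStatement, while the attribute list passed next to it (`attributeList`) may now be merged from several assertions; for a multi-assertion response the assertion holding the authentication statement is not necessarily the first, and an empty list at either `get(0)` raises IndexOutOfBoundsException, which the `catch (STORKException e)` that follows does not handle. Resolving the AuthnContextClassRef once into a local with explicit emptiness checks, plus a comment recording which assertion is expected to carry it, would make the assumption reviewable instead of implicit. `attributeList` itself is declared earlier in the method, outside this hunk, and the catch block continues past it.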
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -506,7 +506,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 Logger.debug("Starting connecting SZR Gateway");
 identityLink = STORKResponseProcessor.connectToSZRGateway(
- authnResponse.getPersonalAttributeList(),
+ attributeList,
 oaParam.getFriendlyName(),
 targetType,
 null,
@@ -560,7 +560,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 moaSession.setIdentityLink(identityLink);
 Logger.debug("Adding addtional STORK attributes to MOA session");
- moaSession.setStorkAttributes(authnResponse.getPersonalAttributeList());
+ moaSession.setStorkAttributes(attributeList);
 Logger.debug("Add full STORK AuthnResponse to MOA session");
 moaSession.setStorkAuthnResponse(request.getParameter("SAMLResponse"));
-- cgit v1.2.3