From 945c4d28535724f0a54d220f9eb0ebd25b8227c4 Mon Sep 17 00:00:00 2001 From: Florian Reimair Date: Tue, 14 Apr 2015 13:58:27 +0200 Subject: respect multi-part stork responses --- ...onnectorHandleResponseWithoutSignatureTask.java | 18 +++++++++++------ .../modules/stork/tasks/PepsConnectorTask.java | 23 ++++++++++++++-------- 2 files changed, 27 insertions(+), 14 deletions(-) (limited to 'id/server/modules/module-stork') diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java index 3338804b4..e2c3880ac 100644 --- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java +++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java @@ -136,7 +136,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep try { // validate SAML Token Logger.debug("Starting validation of SAML response"); - authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost()); + authnResponse = engine.validateSTORKAuthnResponseWithQuery(decSamlToken, (String) request.getRemoteHost()); Logger.info("SAML response succesfully verified!"); } catch (STORKSAMLEngineException e) { Logger.error("Failed to verify STORK SAML Response", e); @@ -211,10 +211,16 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID); - // //////////// incorporate gender from parameters if not in stork response - IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList(); + // first, try to fetch the attributes from the list of total attributes. Note that this very list is only filled + // with ALL attributes when there is more than one assertion in the SAML2 STORK message. + IPersonalAttributeList attributeList = authnResponse.getTotalPersonalAttributeList(); + + // if the list is empty, there was just one assertion... probably + if(attributeList.isEmpty()) + attributeList = authnResponse.getPersonalAttributeList(); + // //////////// incorporate gender from parameters if not in stork response // but first, check if we have a representation case if (STORKResponseProcessor.hasAttribute("mandateContent", attributeList) || STORKResponseProcessor.hasAttribute("representative", attributeList) @@ -233,7 +239,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep tmp.add(gendervalue); gender.setValue(tmp); - authnResponse.getPersonalAttributeList().add(gender); + attributeList.add(gender); } } } @@ -246,7 +252,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep // extract signed doc element and citizen signature String citizenSignature = null; try { - PersonalAttribute signedDoc = authnResponse.getPersonalAttributeList().get("signedDoc"); + PersonalAttribute signedDoc = attributeList.get("signedDoc"); String signatureInfo = null; // FIXME: Remove nonsense code (signedDoc attribute... (throw Exception for "should not occur" situations)), adjust error messages in order to reflect the true problem... if (signedDoc != null) { @@ -259,7 +265,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep // store authnResponse // moaSession.setAuthnResponse(authnResponse);//not serializable - moaSession.setAuthnResponseGetPersonalAttributeList(authnResponse.getPersonalAttributeList()); + moaSession.setAuthnResponseGetPersonalAttributeList(attributeList); String authnContextClassRef = null; try { diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java index 6e0bd19ff..9df0ff37b 100644 --- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java +++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java @@ -162,7 +162,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask { try { // validate SAML Token Logger.debug("Starting validation of SAML response"); - authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost()); + authnResponse = engine.validateSTORKAuthnResponseWithQuery(decSamlToken, (String) request.getRemoteHost()); Logger.info("SAML response succesfully verified!"); } catch (STORKSAMLEngineException e) { Logger.error("Failed to verify STORK SAML Response", e); @@ -297,9 +297,16 @@ public class PepsConnectorTask extends AbstractAuthServletTask { Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID); - // //////////// incorporate gender from parameters if not in stork response - IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList(); + // first, try to fetch the attributes from the list of total attributes. Note that this very list is only filled + // with ALL attributes when there is more than one assertion in the SAML2 STORK message. + IPersonalAttributeList attributeList = authnResponse.getTotalPersonalAttributeList(); + + // if the list is empty, there was just one assertion... probably + if(attributeList.isEmpty()) + attributeList = authnResponse.getPersonalAttributeList(); + + // //////////// incorporate gender from parameters if not in stork response // but first, check if we have a representation case if (STORKResponseProcessor.hasAttribute("mandateContent", attributeList) @@ -320,7 +327,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask { tmp.add(gendervalue); gender.setValue(tmp); - authnResponse.getPersonalAttributeList().add(gender); + attributeList.add(gender); } } } @@ -336,15 +343,15 @@ public class PepsConnectorTask extends AbstractAuthServletTask { // extract signed doc element and citizen signature try { - if (authnResponse.getPersonalAttributeList().get("signedDoc") == null - || authnResponse.getPersonalAttributeList().get("signedDoc").getValue() == null - || authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0) == null) { + if (attributeList.get("signedDoc") == null + || attributeList.get("signedDoc").getValue() == null + || attributeList.get("signedDoc").getValue().get(0) == null) { Logger.info("STORK Response include NO signedDoc attribute!"); throw new STORKException("STORK Response include NO signedDoc attribute."); } - String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); + String signatureInfo = attributeList.get("signedDoc").getValue().get(0); Logger.debug("signatureInfo:" + signatureInfo); -- cgit v1.2.3