From 369cab87fd4a6f9d96cef321ec7ab88355beb17a Mon Sep 17 00:00:00 2001 From: kstranacher Date: Mon, 27 Feb 2012 14:50:18 +0000 Subject: Uppdates: * Version 1.5.2 * Added: undocumented useCondition and conditionLength configuration parameter (allows to add a saml:Conditions to the SAML assertiopn) git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1273 d688527b-c9ab-4aba-bd8d-4036d912da1d --- id/server/auth/pom.xml | 4 +- id/server/idserverlib/pom.xml | 4 +- .../moa/id/auth/AuthenticationServer.java | 21 ++- .../AuthenticationDataAssertionBuilder.java | 207 ++++++++++++++++++--- .../moa/id/config/ConfigurationBuilder.java | 22 +++ .../moa/id/config/auth/OAAuthParameter.java | 37 ++++ .../test/abnahme/A/Test300VerifyAuthBlock.java | 2 +- id/server/pom.xml | 4 +- id/server/proxy/pom.xml | 4 +- 9 files changed, 262 insertions(+), 43 deletions(-) (limited to 'id/server') diff --git a/id/server/auth/pom.xml b/id/server/auth/pom.xml index e1aeb2802..816e41df0 100644 --- a/id/server/auth/pom.xml +++ b/id/server/auth/pom.xml @@ -2,14 +2,14 @@ MOA.id moa-id - 1.5.1 + 1.5.2 4.0.0 MOA.id.server moa-id-auth war - 1.5.1 + 1.5.2 MOA ID-Auth WebService diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml index 9b266e00e..24d9452c2 100644 --- a/id/server/idserverlib/pom.xml +++ b/id/server/idserverlib/pom.xml @@ -2,14 +2,14 @@ MOA.id moa-id - 1.5.1 + 1.5.2 4.0.0 MOA.id.server moa-id-lib jar - 1.5.1 + 1.5.2 MOA ID API diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index e86db4a5c..5ffff2787 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -1508,6 +1508,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( session.getPublicOAURLPrefix()); boolean useUTC = oaParam.getUseUTC(); + boolean useCondition = oaParam.getUseCondition(); + int conditionLength = oaParam.getConditionLength(); // builds authentication data and stores it together with a SAML artifact AuthenticationData authData = buildAuthenticationData(session, vsresp, useUTC); @@ -1532,7 +1534,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.getBkuURL(), session.getAssertionSignerCertificateBase64(), session.getAssertionBusinessService(), - session.getExtendedSAMLAttributesOA()); + session.getExtendedSAMLAttributesOA(), + useCondition, + conditionLength); authData.setSamlAssertion(samlAssertion); String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile"); @@ -1661,11 +1665,15 @@ public class AuthenticationServer implements MOAIDAuthConstants { // e.printStackTrace(); // } String mandateData = null; + boolean useCondition = false; + int conditionLength = -1; try { OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( session.getPublicOAURLPrefix()); boolean provideStammzahl = oaParam.getProvideStammzahl(); + useCondition = oaParam.getUseCondition(); + conditionLength = oaParam.getConditionLength(); if (!provideStammzahl) { String isPrPerson = mandatePerson.getAttribute("xsi:type"); @@ -1686,6 +1694,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}); } + String samlAssertion = new AuthenticationDataAssertionBuilder().buildMandate( authData, @@ -1697,7 +1706,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.getAssertionSignerCertificateBase64(), session.getAssertionBusinessService(), session.getSourceID(), - session.getExtendedSAMLAttributesOA()); + session.getExtendedSAMLAttributesOA(), + useCondition, + conditionLength); authData.setSamlAssertion(samlAssertion); String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile"); @@ -1799,6 +1810,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( session.getPublicOAURLPrefix()); boolean useUTC = oaParam.getUseUTC(); + boolean useCondition = oaParam.getUseCondition(); + int conditionLength = oaParam.getConditionLength(); AuthenticationData authData = buildAuthenticationData(session, vsresp, useUTC); @@ -1811,7 +1824,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.getBkuURL(), session.getAssertionSignerCertificateBase64(), session.getAssertionBusinessService(), - session.getExtendedSAMLAttributesOA()); + session.getExtendedSAMLAttributesOA(), + useCondition, + conditionLength); authData.setSamlAssertion(samlAssertion); String assertionFile = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter("AuthenticationServer.WriteAssertionToFile"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java index b9e44544d..0742261a7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.auth.builder; import java.text.MessageFormat; +import java.util.Calendar; import java.util.List; import at.gv.egovernment.moa.id.BuildException; @@ -32,6 +33,7 @@ import at.gv.egovernment.moa.id.ParseException; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DateTimeUtils; import at.gv.egovernment.moa.util.StringUtils; /** @@ -42,6 +44,10 @@ import at.gv.egovernment.moa.util.StringUtils; * @version $Id$ */ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionBuilder implements Constants { + + /** 5 minutes (=300 seconds) default length of the assertion */ + private static int DEFAULT_CONDITIONS_LENGTH = 300; + /** private static String NL contains the NewLine representation in Java*/ private static final String NL = "\n"; /** @@ -75,6 +81,38 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB " " + NL + ""; + /** + * XML template for the <saml:Assertion> to be built (with Conditions) + */ + private static final String AUTH_DATA_WITH_CONDITIONS = + "" + NL + + "" + NL + + "" + NL + + " " + NL + + " " + NL + + " {6}" + NL + + " " + NL + + " " + MOA_NS_URI + "cm" + NL + + " {7}{8}" + NL + + " " + NL + + " " + NL + + " " + NL + + " {9}" + NL + + " " + NL + + " " + NL + + " {10}" + NL + + " " + NL + + " " + NL + + " {11}" + NL + + " " + NL + + "{12}" + + "{13}" + + "{14}" + + " " + NL + + ""; + /** * XML template for the <saml:Assertion> to be built */ @@ -108,6 +146,41 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB "{13}" + " " + NL + ""; + + /** + * XML template for the <saml:Assertion> to be built + */ + private static final String AUTH_DATA_MANDATE_WITH_CONDITIONS = + "" + NL + + "" + NL + + "" + NL + + " " + NL + + " " + NL + + " {6}" + NL + + " " + NL + + " " + MOA_NS_URI + "cm" + NL + + " {7}{8}" + NL + + " " + NL + + " " + NL + + " " + NL + + " {9}" + NL + + " " + NL + + " " + NL + + " {10}" + NL + + " " + NL + + " " + NL + + " {11}" + NL + + " " + NL + + " " + NL + + " {12}" + NL + + " " + NL + + "{13}" + + "{14}" + + "{15}" + + " " + NL + + ""; /** * XML template for the <saml:Attribute> named "isPublicAuthority", * to be inserted into the <saml:Assertion> @@ -156,7 +229,9 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB String bkuURL, String signerCertificateBase64, boolean businessService, - List extendedSAMLAttributes) + List extendedSAMLAttributes, + boolean useCondition, + int conditionLength) throws BuildException { @@ -195,21 +270,51 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB String assertion; try { + if (!useCondition) { + assertion = MessageFormat.format(AUTH_DATA, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstant(), + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } + else { + Calendar cal = Calendar.getInstance(); + String notBefore = DateTimeUtils.buildDateTimeUTC(cal); + if (conditionLength <= 0) + cal.add(Calendar.SECOND, DEFAULT_CONDITIONS_LENGTH); + else + cal.add(Calendar.SECOND, conditionLength); + + String notOnOrAfter = DateTimeUtils.buildDateTimeUTC(cal); + + assertion = MessageFormat.format(AUTH_DATA_WITH_CONDITIONS, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstant(), + notBefore, + notOnOrAfter, + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } - assertion = MessageFormat.format(AUTH_DATA, new Object[] { - authData.getAssertionID(), - authData.getIssuer(), - authData.getIssueInstant(), - pkType, - pkValue, - StringUtils.removeXMLDeclaration(xmlAuthBlock), - StringUtils.removeXMLDeclaration(xmlIdentityLink), - StringUtils.removeXMLDeclaration(xmlPersonData), - isQualifiedCertificate, - bkuURL, - publicAuthorityAttribute, - signerCertificateAttribute, - buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } catch (ParseException e) { Logger.error("Error on building Authentication Data Assertion: " + e.getMessage()); throw new BuildException("builder.00", new Object[] { "Authentication Data Assertion", e.toString()}); @@ -246,7 +351,9 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB String signerCertificateBase64, boolean businessService, String sourceID, - List extendedSAMLAttributes) + List extendedSAMLAttributes, + boolean useCondition, + int conditionLength) throws BuildException { @@ -285,21 +392,59 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB String assertion; try { - assertion = MessageFormat.format(AUTH_DATA_MANDATE, new Object[] { - authData.getAssertionID(), - authData.getIssuer(), - authData.getIssueInstant(), - pkType, - pkValue, - StringUtils.removeXMLDeclaration(xmlAuthBlock), - StringUtils.removeXMLDeclaration(xmlIdentityLink), - StringUtils.removeXMLDeclaration(xmlPersonData), - StringUtils.removeXMLDeclaration(xmlMandateData), - isQualifiedCertificate, - bkuURL, - publicAuthorityAttribute, - signerCertificateAttribute, - buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + + + if (!useCondition) { + assertion = MessageFormat.format(AUTH_DATA_MANDATE, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstant(), + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + StringUtils.removeXMLDeclaration(xmlMandateData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } + else { + Calendar cal = Calendar.getInstance(); + String notBefore = DateTimeUtils.buildDateTimeUTC(cal); + if (conditionLength <= 0) + cal.add(Calendar.SECOND, DEFAULT_CONDITIONS_LENGTH); + else + cal.add(Calendar.SECOND, conditionLength); + + String notOnOrAfter = DateTimeUtils.buildDateTimeUTC(cal); + + assertion = MessageFormat.format(AUTH_DATA_MANDATE_WITH_CONDITIONS, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstant(), + notBefore, + notOnOrAfter, + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + StringUtils.removeXMLDeclaration(xmlMandateData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } + + + + + + } catch (ParseException e) { Logger.error("Error on building Authentication Data Assertion: " + e.getMessage()); throw new BuildException("builder.00", new Object[] { "Authentication Data Assertion", e.toString()}); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java index 8cc51bf93..b7b5bcce6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java @@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.config; +import iaik.ixsil.util.Utils; import iaik.pki.pathvalidation.ChainingModes; import iaik.utils.RFC2253NameParser; import iaik.utils.RFC2253NameParserException; @@ -44,6 +45,8 @@ import org.w3c.dom.Node; import org.w3c.dom.NodeList; import org.w3c.dom.traversal.NodeIterator; +import com.sun.xml.internal.fastinfoset.stax.events.Util; + import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.Schema; import at.gv.egovernment.moa.id.auth.data.SchemaImpl; @@ -580,9 +583,15 @@ public class ConfigurationBuilder { oap.setProvideCertificate(BoolUtils.valueOf(authComponent.getAttribute("provideCertificate"))); oap.setProvideFullMandatorData(BoolUtils.valueOf(authComponent.getAttribute("provideFullMandatorData"))); oap.setUseUTC(BoolUtils.valueOf(authComponent.getAttribute("useUTC"))); + oap.setUseCondition(BoolUtils.valueOf(authComponent.getAttribute("useCondition"))); + oap.setConditionLength(buildConditionLength(authComponent.getAttribute("conditionLength"))); oap.setBkuSelectionTemplateURL(buildTemplateURL(authComponent, OA_AUTH_COMPONENT_BKUSELECT_TEMPLATE_XPATH, bkuSelectionTemplateURL)); oap.setTemplateURL(buildTemplateURL(authComponent, OA_AUTH_COMPONENT_TEMPLATE_XPATH, templateURL)); + System.out.println(publicURLPrefix); + System.out.println("useCondition: " + oap.getUseCondition()); + System.out.println("conditionLength: " + oap.getConditionLength()); + oap.setInputProcessorSignTemplateURL(buildTemplateURL(authComponent, INPUT_PROCESSOR_TEMPLATE_XPATH, inputProcessorSignTemplateURL)); // load OA specific transforms if present String[] transformsInfoFileNames = buildTransformsInfoFileNames(authComponent, OA_AUTH_COMPONENT_TRANSFORMS_INFO_FILENAME_XPATH); @@ -616,6 +625,19 @@ public class ConfigurationBuilder { return result; } + + /** + * Returns the condition length as int + * @param length the condition length as int + * @return + */ + private int buildConditionLength(String length) { + + if (Util.isEmptyString(length)) + return -1; + else + return new Integer(length).intValue(); + } /** * Builds the URL for a BKUSelectionTemplate or a Template. The method selects diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 65e21cbce..2959d9208 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -87,6 +87,12 @@ public class OAAuthParameter extends OAParameter { /** determines wheter the IssueInstant of the SAML assertion is in UTC or not*/ private boolean useUTC; + + /** determines wheter a saml:Condition is added to the SAML assertion or not */ + private boolean useCondition; + + /** determines the validity time of the SAML assertion (if useCondition is true) in seconds */ + private int conditionLength; /** * url to a template for web page "Auswahl der Bürgerkartenumgebung" */ @@ -202,6 +208,22 @@ public class OAAuthParameter extends OAParameter { return useUTC; } + /** + * Returns true if the SAML assertion should contain a saml:Condition, otherwise false. + * @return true if the SAML assertion should contain a saml:Condition, otherwise false. + */ + public boolean getUseCondition() { + return useCondition; + } + + /** + * Returns the validity time of the SAML assertion (if useCondition is true) in seconds + * @return the validity time of the SAML assertion (if useCondition is true) in seconds + */ + public int getConditionLength() { + return conditionLength; + } + /** * Returns the key box identifier. @@ -325,6 +347,21 @@ public class OAAuthParameter extends OAParameter { this.useUTC = useUTC; } + /** + * Sets the useCondition variable + * @param useCondition The useCondition value to set + */ + public void setUseCondition(boolean useCondition) { + this.useCondition = useCondition; + } + + /** + * Sets the conditionLength variable + * @param conditionLength the conditionLength value to set + */ + public void setConditionLength(int conditionLength) { + this.conditionLength = conditionLength; + } /** diff --git a/id/server/idserverlib/src/test/java/test/abnahme/A/Test300VerifyAuthBlock.java b/id/server/idserverlib/src/test/java/test/abnahme/A/Test300VerifyAuthBlock.java index a71fe0181..6e6092b3f 100644 --- a/id/server/idserverlib/src/test/java/test/abnahme/A/Test300VerifyAuthBlock.java +++ b/id/server/idserverlib/src/test/java/test/abnahme/A/Test300VerifyAuthBlock.java @@ -619,7 +619,7 @@ public class Test300VerifyAuthBlock extends AbnahmeTestCase { oaParam.getProvideIdentityLink() ? DOMUtils.serializeNode(identityLink.getSamlAssertion()) : ""; String authBlock = oaParam.getProvideAuthBlock() ? session.getAuthBlock() : ""; String samlAssertion = new AuthenticationDataAssertionBuilder().build( - authData, prPerson, authBlock, ilAssertion, session.getBkuURL(), "", false, null); + authData, prPerson, authBlock, ilAssertion, session.getBkuURL(), "", false, null, false, -1); authData.setSamlAssertion(samlAssertion); return authData; } diff --git a/id/server/pom.xml b/id/server/pom.xml index 72a47385c..4590ae1d0 100644 --- a/id/server/pom.xml +++ b/id/server/pom.xml @@ -4,14 +4,14 @@ MOA id - 1.5.1 + 1.5.2 4.0.0 MOA.id moa-id pom - 1.5.1 + 1.5.2 MOA ID Server diff --git a/id/server/proxy/pom.xml b/id/server/proxy/pom.xml index 50cb3e054..4e7ca3d3a 100644 --- a/id/server/proxy/pom.xml +++ b/id/server/proxy/pom.xml @@ -2,7 +2,7 @@ MOA.id moa-id - 1.5.1 + 1.5.2 @@ -13,7 +13,7 @@ MOA.id.server moa-id-proxy war - 1.5.1 + 1.5.2 MOA ID-Proxy WebService -- cgit v1.2.3