From 7e854376747e199ba45d28de1c645bf5eb369117 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 30 Jan 2017 15:24:37 +0100 Subject: small change in VelocityProvider --- .../auth/frontend/velocity/VelocityProvider.java | 32 +++++++++++++--------- 1 file changed, 19 insertions(+), 13 deletions(-) (limited to 'id/server') diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java index 21fe110ca..015d8e321 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java @@ -62,19 +62,22 @@ import org.apache.velocity.runtime.RuntimeConstants; */ public class VelocityProvider { + private static VelocityEngine velocityEngine = null; + /** * Gets velocityEngine from Classpath * @return VelocityEngine * @throws Exception */ public static VelocityEngine getClassPathVelocityEngine() throws Exception { - VelocityEngine velocityEngine = getBaseVelocityEngine(); - velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath"); - velocityEngine.setProperty("classpath.resource.loader.class", - "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader"); - - - velocityEngine.init(); + if (velocityEngine == null) { + velocityEngine = getBaseVelocityEngine(); + velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath"); + velocityEngine.setProperty("classpath.resource.loader.class", + "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader"); + velocityEngine.init(); + + } return velocityEngine; } @@ -86,13 +89,16 @@ public class VelocityProvider { * @throws Exception */ public static VelocityEngine getFileVelocityEngine(String rootPath) throws Exception { - VelocityEngine velocityEngine = getBaseVelocityEngine(); - velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "file"); - velocityEngine.setProperty("file.resource.loader.class", - "org.apache.velocity.runtime.resource.loader.FileResourceLoader"); - velocityEngine.setProperty("file.resource.loader.path", rootPath); + if (velocityEngine == null) { + velocityEngine = getBaseVelocityEngine(); + velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "file"); + velocityEngine.setProperty("file.resource.loader.class", + "org.apache.velocity.runtime.resource.loader.FileResourceLoader"); + velocityEngine.setProperty("file.resource.loader.path", rootPath); - velocityEngine.init(); + velocityEngine.init(); + + } return velocityEngine; } -- cgit v1.2.3 From d0804f617695cc2ee1bb1c1e86fcef8cda98d7b9 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 31 Jan 2017 10:01:31 +0100 Subject: fix problem with selection of authentication process and eIDAS authentication --- .../id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'id/server') diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java index b0efb100a..7caf2f5a1 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java @@ -26,8 +26,9 @@ public class DefaultCitizenCardAuthModuleImpl implements AuthModule { if (performBKUSelectionObj != null && performBKUSelectionObj instanceof Boolean) performBKUSelection = (boolean) performBKUSelectionObj; - if (StringUtils.isBlank((String) context.get("ccc")) && - StringUtils.isNotBlank((String) context.get(MOAIDAuthConstants.PARAM_BKU)) && + if ( (StringUtils.isBlank((String) context.get("ccc")) && + StringUtils.isBlank((String) context.get("CCC")) ) && + StringUtils.isNotBlank((String) context.get(MOAIDAuthConstants.PARAM_BKU)) && !performBKUSelection) return "DefaultAuthentication"; -- cgit v1.2.3 From 7d9c2ec8e170df74fa544cdb83d8967c3d654ed2 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 31 Jan 2017 13:18:30 +0100 Subject: fix problem with iaik pki-module and worker threads --- .../moa/id/commons/utils/ssl/SSLUtils.java | 27 ++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) (limited to 'id/server') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index 4ecda435d..109390132 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -61,6 +61,8 @@ import javax.net.ssl.TrustManager; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.KeyStoreUtils; +import at.gv.egovernment.moaspss.logging.LoggingContext; +import at.gv.egovernment.moaspss.logging.LoggingContextManager; import iaik.pki.DefaultPKIConfiguration; import iaik.pki.PKIException; import iaik.pki.PKIFactory; @@ -94,6 +96,21 @@ public class SSLUtils { } + /** + * IAIK PKI module and MOA-SIG uses a ThreadLocal variable for logging + * check if current thread has set this variable and set loggingcontext otherwise + * + * @param url transactionID for logging + */ + private static void checkMoaSigLoggingContext(String url) { + LoggingContextManager logMgr = LoggingContextManager.getInstance(); + if (logMgr.getLoggingContext() == null) { + LoggingContext ctx = new LoggingContext(url); + logMgr.setLoggingContext(ctx); + + } + } + public static SSLSocketFactory getSSLSocketFactory( String url, String certStoreRootDirParam, @@ -111,8 +128,11 @@ public class SSLUtils { Logger.debug("Get SSLSocketFactory for " + url); // retrieve SSLSocketFactory if already created SSLSocketFactory ssf = (SSLSocketFactory)sslSocketFactories.get(url); - if (ssf != null) - return ssf; + if (ssf != null) { + checkMoaSigLoggingContext(url); + return ssf; + + } TrustManager[] tms = getTrustManagers( certStoreRootDirParam, @@ -129,6 +149,9 @@ public class SSLUtils { ssf = ctx.getSocketFactory(); // store SSLSocketFactory sslSocketFactories.put(url, ssf); + + checkMoaSigLoggingContext(url); + return ssf; } -- cgit v1.2.3 From 6f8fabef2ee6abaef940d6a2a64cd6ec79de0542 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 21 Feb 2017 15:30:11 +0100 Subject: update javadoc --- .../java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java index d2c827d55..fcf4c3ffa 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java @@ -32,7 +32,7 @@ public interface AuthConfiguration extends ConfigurationProvider{ * Get a configuration value from basic file based MOA-ID configuration * * @param key configuration key - * @return configuration value + * @return configuration value or null if it is not found */ public String getBasicMOAIDConfiguration(final String key); -- cgit v1.2.3 From 27933ddff7201ea229e1f9572c88eecba47304c7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 10 Mar 2017 16:02:16 +0100 Subject: fix possible DoS Bug --- .../src/main/java/at/gv/egovernment/moa/util/DOMUtils.java | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'id/server') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java index fed968443..62a168ac8 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java @@ -28,6 +28,7 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; +import java.util.Collections; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; @@ -542,6 +543,7 @@ public class DOMUtils { /** * A convenience method to parse an XML document non validating. + * This method disallow DocType declarations * * @param inputStream The InputStream containing the XML * document. @@ -552,10 +554,16 @@ public class DOMUtils { * parser. */ public static Element parseXmlNonValidating(InputStream inputStream) - throws ParserConfigurationException, SAXException, IOException { + throws ParserConfigurationException, SAXException, IOException { return DOMUtils - .parseDocument(inputStream, false, Constants.ALL_SCHEMA_LOCATIONS, null, null) - .getDocumentElement(); + .parseDocument(inputStream, false, Constants.ALL_SCHEMA_LOCATIONS, null, + Collections.unmodifiableMap(new HashMap() { + private static final long serialVersionUID = 1L; + { + put(DOMUtils.DISALLOW_DOCTYPE_FEATURE, true); + + } + })).getDocumentElement(); } /** -- cgit v1.2.3 From a3f328d74992d6f706a2ec7f719f15f3c35164ab Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 13 Mar 2017 10:49:05 +0100 Subject: update build process to support current JDK version --- id/server/moa-id-commons/pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'id/server') diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml index d8d2e0d3d..51cb6d5af 100644 --- a/id/server/moa-id-commons/pom.xml +++ b/id/server/moa-id-commons/pom.xml @@ -317,7 +317,7 @@ org.apache.maven.plugins maven-compiler-plugin - 2.0.2 + 3.6.1 1.7 1.7 @@ -375,7 +375,7 @@ - + org.apache.maven.plugins maven-jar-plugin -- cgit v1.2.3 From 583b352de3eda9dd57f427c9d59aa1c395f182a2 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 14 Mar 2017 08:35:56 +0100 Subject: workaround to fix possible problem with OpenSAML SecureRandomIdentifierGenerator in combination with JDK 8.121 and IAIK_JCE that cause in a java.lang.ArrayIndexOutOfBoundsException --- .../moa/id/protocols/pvp2x/utils/SAML2Utils.java | 16 +++++++++++++++- .../main/java/at/gv/egovernment/moa/id/util/Random.java | 12 +++++++++++- 2 files changed, 26 insertions(+), 2 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java index 9d57c2bae..28a85b4af 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java @@ -46,6 +46,8 @@ import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.io.MarshallingException; import org.w3c.dom.Document; +import at.gv.egovernment.moa.id.util.Random; + public class SAML2Utils { public static T createSAMLObject(final Class clazz) { @@ -66,7 +68,19 @@ public class SAML2Utils { } public static String getSecureIdentifier() { - return idGenerator.generateIdentifier(); + return "_".concat(Random.nextHexRandom16()); + + /*Bug-Fix: There are open problems with RandomNumberGenerator via Java SPI and Java JDK 8.121 + * Generation of a 16bit Random identifier FAILES with an Caused by: java.lang.ArrayIndexOutOfBoundsException + * Caused by: java.lang.ArrayIndexOutOfBoundsException + at iaik.security.random.o.engineNextBytes(Unknown Source) + at iaik.security.random.SecRandomSpi.engineNextBytes(Unknown Source) + at java.security.SecureRandom.nextBytes(SecureRandom.java:468) + at org.opensaml.common.impl.SecureRandomIdentifierGenerator.generateIdentifier(SecureRandomIdentifierGenerator.java:62) + at org.opensaml.common.impl.SecureRandomIdentifierGenerator.generateIdentifier(SecureRandomIdentifierGenerator.java:56) + at at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils.getSecureIdentifier(SAML2Utils.java:69) + */ + //return idGenerator.generateIdentifier(); } private static SecureRandomIdentifierGenerator idGenerator; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java index ba45a3679..1f9050a31 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java @@ -114,9 +114,19 @@ public class Random { * * @return random hex encoded value [256bit] */ - public static String nextHexRandom() { + public static String nextHexRandom32() { return new String(Hex.encodeHex(nextByteRandom(32))); // 32 bytes = 256 bits + } + + /** + * Creates a new random number [128bit], and encode it as hex value. + * + * @return random hex encoded value [128bit] + */ + public static String nextHexRandom16() { + return new String(Hex.encodeHex(nextByteRandom(16))); // 16 bytes = 128 bits + } /** -- cgit v1.2.3 From 60e6b93ead4df30f24dc08d92ddcf4e0c04a8ec4 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 15 Mar 2017 22:20:39 +0100 Subject: Fix bug in statistic logger that broke the authentication process on some protocols if database persist operation failes --- .../moa/id/advancedlogging/StatisticLogger.java | 27 ++++++++++++++++++---- 1 file changed, 22 insertions(+), 5 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index 5b0f5115d..dfea14a72 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -205,8 +205,14 @@ public class StatisticLogger implements IStatisticLogger{ } } } - - entityManager.persist(dblog); + + try { + entityManager.persist(dblog); + + } catch (Exception e) { + Logger.warn("Write 'success' statisticLog to database FAILED.", e); + + } } } @@ -227,8 +233,13 @@ public class StatisticLogger implements IStatisticLogger{ } - - entityManager.persist(dblog); + try { + entityManager.persist(dblog); + + } catch (Exception e) { + Logger.warn("Write 'error' statisticLog to database FAILED.", e); + + } } @@ -282,7 +293,13 @@ public class StatisticLogger implements IStatisticLogger{ generateErrorLogFormThrowable(throwable, dblog); - entityManager.persist(dblog); + try { + entityManager.persist(dblog); + + } catch (Exception e) { + Logger.warn("Write 'error' statisticLog to database FAILED.", e); + + } } } -- cgit v1.2.3 From dcd4734b89908ad91bf9a537bdb5c3d615537fc2 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 16 Mar 2017 06:07:06 +0100 Subject: make nextByteRandom synchronized to additionally prevent problems with IAIK_JCE and Java JDK => 8u111 --- .../idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java index 1f9050a31..ac2b3c415 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java @@ -168,7 +168,7 @@ public class Random { * @param size Size of random number in bits * @return */ - private static byte[] nextByteRandom(int size) { + private static synchronized byte[] nextByteRandom(int size) { byte[] b = new byte[size]; random.nextBytes(b); return b; -- cgit v1.2.3 From 05646346f18cf24471d05f1124f61d80feb1e69e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 16 Mar 2017 06:27:23 +0100 Subject: limit length of some logged identifier to max length of 254 characters --- .../moa/id/advancedlogging/StatisticLogger.java | 27 ++++++++++++++-------- 1 file changed, 18 insertions(+), 9 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index dfea14a72..6f700d1cb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -74,6 +74,7 @@ public class StatisticLogger implements IStatisticLogger{ private static final String MANTATORTYPE_NAT = "nat"; private static final int MAXERRORLENGTH = 200; + private static final int MAXOAIDENTIFIER_LENGTH = 254; private static final String ERRORTYPE_UNKNOWN = "unkown"; private static final String ERRORTYPE_BKU = "bku"; @@ -119,7 +120,7 @@ public class StatisticLogger implements IStatisticLogger{ //dblog.setOaID(dbOA.getHjid()); //log basic AuthInformation - dblog.setOaurlprefix(protocolRequest.getOAURL()); + dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH)); dblog.setOafriendlyName(dbOA.getFriendlyName()); boolean isbusinessservice = isBusinessService(dbOA); @@ -254,12 +255,15 @@ public class StatisticLogger implements IStatisticLogger{ dblog.setTimestamp(new Date()); - dblog.setOaurlprefix(errorRequest.getOAURL()); + dblog.setOaurlprefix(getMessageWithMaxLength(errorRequest.getOAURL(), MAXOAIDENTIFIER_LENGTH)); dblog.setProtocoltype(errorRequest.requestedModule()); dblog.setProtocolsubtype(errorRequest.requestedAction()); + generateErrorLogFormThrowable(throwable, dblog); + IOAAuthParameters dbOA = errorRequest.getOnlineApplicationConfiguration(); if (dbOA != null) { + dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH)); dblog.setOafriendlyName(dbOA.getFriendlyName()); dblog.setOatarget(dbOA.getTarget()); //dblog.setOaID(dbOA.getHjid()); @@ -291,17 +295,18 @@ public class StatisticLogger implements IStatisticLogger{ dblog.setMandatelogin(moasession.isMandateUsed()); } - generateErrorLogFormThrowable(throwable, dblog); - try { - entityManager.persist(dblog); + + } - } catch (Exception e) { - Logger.warn("Write 'error' statisticLog to database FAILED.", e); + try { + entityManager.persist(dblog); - } - + } catch (Exception e) { + Logger.warn("Write 'error' statisticLog to database FAILED.", e); + } + } } @@ -313,6 +318,10 @@ public class StatisticLogger implements IStatisticLogger{ return false; } + private String getMessageWithMaxLength(String msg, int maxlength) { + return getErrorMessageWithMaxLength(msg, maxlength); + + } private String getErrorMessageWithMaxLength(String error, int maxlength) { if (error != null) { -- cgit v1.2.3