From 42e2547a52439611b52e6a42c6e1098acff997c6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 7 Feb 2014 12:46:53 +0100 Subject: * use MOADefaultBootstrap to set SHA256 as default security parameter * SAMLEngine: deaktivate DefaultBootStrap. --- .../moa/id/auth/AuthenticationServer.java | 4 ++-- .../id/config/auth/AuthConfigurationProvider.java | 4 +++- .../moa/id/protocols/pvp2x/MetadataAction.java | 26 ++++++++++++++++++++-- .../moa/id/protocols/pvp2x/PVPConstants.java | 9 ++++++++ .../protocols/pvp2x/config/PVPConfiguration.java | 4 +++- .../pvp2x/requestHandler/AuthnRequestHandler.java | 23 ++++++++----------- .../java/eu/stork/peps/auth/engine/SAMLEngine.java | 13 ++++++----- 7 files changed, 57 insertions(+), 26 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index a5e92c701..d8d375db2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -265,10 +265,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (domainIdentifier.startsWith(PREFIX_WPBK)) { - isbuisness = false; + isbuisness = true; } else { - isbuisness = true; + isbuisness = false; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 304b63de0..c0f47d781 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -110,6 +110,7 @@ import at.gv.egovernment.moa.id.config.auth.data.ProtocolAllowed; import at.gv.egovernment.moa.id.config.legacy.BuildFromLegacyConfig; import at.gv.egovernment.moa.id.config.stork.STORKConfig; import at.gv.egovernment.moa.id.data.IssuerAndSerial; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -365,7 +366,8 @@ public class AuthConfigurationProvider extends ConfigurationProvider { //Initialize OpenSAML for STORK Logger.info("Starting initialization of OpenSAML..."); - DefaultBootstrap.bootstrap(); + MOADefaultBootstrap.bootstrap(); + //DefaultBootstrap.bootstrap(); Logger.debug("OpenSAML successfully initialized"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index 78fe43daa..7e6d1e2c7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -36,6 +36,7 @@ import javax.xml.transform.stream.StreamResult; import org.joda.time.DateTime; import org.opensaml.Configuration; +import org.opensaml.common.impl.SAMLObjectContentReference; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.NameIDType; import org.opensaml.saml2.metadata.ContactPerson; @@ -45,12 +46,15 @@ import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.KeyDescriptor; import org.opensaml.saml2.metadata.NameIDFormat; import org.opensaml.saml2.metadata.SingleSignOnService; +import org.opensaml.xml.encryption.EncryptionConstants; import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; +import org.opensaml.xml.signature.ContentReference; import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureConstants; import org.opensaml.xml.signature.Signer; import org.w3c.dom.Document; @@ -114,13 +118,31 @@ public class MetadataAction implements IAction { Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential(); Signature signature = CredentialProvider .getIDPSignature(metadataSigningCredential); + + idpEntitiesDescriptor.setSignature(signature); + +// //set SignatureMethode +// signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE); +// +// //set DigestMethode +// List contentList = signature.getContentReferences(); +// for (ContentReference content : contentList) { +// +// if (content instanceof SAMLObjectContentReference) { +// +// SAMLObjectContentReference el = (SAMLObjectContentReference) content; +// el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE); +// +// } +// } + // KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder(); // KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject(); // //KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.); // signature.setKeyInfo(metadataKeyInfo ); - idpEntitiesDescriptor.setSignature(signature); + IDPSSODescriptor idpSSODescriptor = SAML2Utils .createSAMLObject(IDPSSODescriptor.class); @@ -222,7 +244,7 @@ public class MetadataAction implements IAction { String metadataXML = sw.toString(); - //System.out.println("METADATA: " + metadataXML); + System.out.println("METADATA: " + metadataXML); httpResp.setContentType("text/xml"); httpResp.getOutputStream().write(metadataXML.getBytes()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java index 0172cce2d..7946c7596 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -22,8 +22,17 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x; +import org.opensaml.xml.encryption.EncryptionConstants; +import org.opensaml.xml.signature.SignatureConstants; + public interface PVPConstants { + public static final String DEFAULT_SIGNING_METHODE = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256; + public static final String DEFAULT_DIGESTMETHODE = SignatureConstants.ALGO_ID_DIGEST_SHA256; + public static final String DEFAULT_SYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128; + public static final String DEFAULT_ASYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP; + + public static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/citizenQAALevel/"; public static final String STORK_QAA_1_1 = "http://www.stork.gov.eu/1.0/citizenQAALevel/1"; public static final String STORK_QAA_1_2 = "http://www.stork.gov.eu/1.0/citizenQAALevel/2"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index 5d71b915f..bf82efb79 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -33,6 +33,7 @@ import java.util.Properties; import java.util.jar.Attributes; import java.util.jar.Manifest; +import org.opensaml.Configuration; import org.opensaml.saml2.metadata.Company; import org.opensaml.saml2.metadata.ContactPerson; import org.opensaml.saml2.metadata.ContactPersonTypeEnumeration; @@ -45,6 +46,7 @@ import org.opensaml.saml2.metadata.OrganizationName; import org.opensaml.saml2.metadata.OrganizationURL; import org.opensaml.saml2.metadata.SurName; import org.opensaml.saml2.metadata.TelephoneNumber; +import org.opensaml.xml.security.SecurityConfiguration; import at.gv.egovernment.moa.id.commons.db.dao.config.Contact; import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; @@ -115,7 +117,7 @@ public class PVPConfiguration { try { //generalpvpconfigdb = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig(); props = AuthConfigurationProvider.getInstance().getGeneralPVP2ProperiesConfig(); - + } catch (ConfigurationException e) { e.printStackTrace(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index 21c0d85a1..229158778 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -24,7 +24,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler; import java.util.ArrayList; import java.util.List; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -45,7 +44,6 @@ import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.security.MetadataCredentialResolver; import org.opensaml.security.MetadataCriteria; import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.xml.encryption.EncryptionConstants; import org.opensaml.xml.encryption.EncryptionException; import org.opensaml.xml.encryption.EncryptionParameters; import org.opensaml.xml.encryption.KeyEncryptionParameters; @@ -57,6 +55,7 @@ import org.opensaml.xml.security.criteria.UsageCriteria; import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; import org.opensaml.xml.security.x509.X509Credential; + import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; @@ -125,12 +124,11 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { AssertionConsumerService consumerService = spSSODescriptor .getAssertionConsumerServices().get(idx); - if (consumerService == null) { - //TODO: maybe use default ConsumerService - + if (consumerService == null) { throw new InvalidAssertionConsumerServiceException(idx); } + String oaURL = consumerService.getLocation(); //check, if metadata includes an encryption key @@ -158,19 +156,19 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { try { EncryptionParameters dataEncParams = new EncryptionParameters(); - dataEncParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128); - + dataEncParams.setAlgorithm(PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE); + List keyEncParamList = new ArrayList(); KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters(); keyEncParam.setEncryptionCredential(encryptionCredentials); - keyEncParam.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP); + keyEncParam.setAlgorithm(PVPConstants.DEFAULT_ASYM_ENCRYPTION_METHODE); KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration() .getKeyInfoGeneratorManager().getDefaultManager() .getFactory(encryptionCredentials); keyEncParam.setKeyInfoGenerator(kigf.newInstance()); keyEncParamList.add(keyEncParam); - + Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); //samlEncrypter.setKeyPlacement(KeyPlacement.INLINE); samlEncrypter.setKeyPlacement(KeyPlacement.PEER); @@ -178,7 +176,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { EncryptedAssertion encryptAssertion = null; encryptAssertion = samlEncrypter.encrypt(assertion); - + authResponse.getEncryptedAssertions().add(encryptAssertion); } catch (EncryptionException e1) { @@ -191,10 +189,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { authResponse.getAssertions().add(assertion); } - - - - + IEncoder binding = null; if (consumerService.getBinding().equals( diff --git a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/SAMLEngine.java b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/SAMLEngine.java index 48718242b..e993c0e46 100644 --- a/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/SAMLEngine.java +++ b/id/server/stork2-saml-engine/src/main/java/eu/stork/peps/auth/engine/SAMLEngine.java @@ -143,12 +143,13 @@ public class SAMLEngine { LOG.info("SAMLEngine: Initialize OpenSAML"); - try { - DefaultBootstrap.bootstrap(); - } catch (ConfigurationException e) { - LOG.error("Problem initializing the OpenSAML library."); - throw new STORKSAMLEngineRuntimeException(e); - } + //TLenz: MOA-ID uses an own Bootstrap +// try { +// DefaultBootstrap.bootstrap(); +// } catch (ConfigurationException e) { +// LOG.error("Problem initializing the OpenSAML library."); +// throw new STORKSAMLEngineRuntimeException(e); +// } LOG.debug("Read all file configurations. (instances of SAMLEngine)"); try { -- cgit v1.2.3 From 9b67dbb64ed665be5430c213607854c8c7e3584b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 11 Feb 2014 08:07:20 +0100 Subject: change metadata validto area to 24 hours --- .../gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index 7e6d1e2c7..1668c31ce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -36,7 +36,6 @@ import javax.xml.transform.stream.StreamResult; import org.joda.time.DateTime; import org.opensaml.Configuration; -import org.opensaml.common.impl.SAMLObjectContentReference; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.NameIDType; import org.opensaml.saml2.metadata.ContactPerson; @@ -46,15 +45,12 @@ import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.KeyDescriptor; import org.opensaml.saml2.metadata.NameIDFormat; import org.opensaml.saml2.metadata.SingleSignOnService; -import org.opensaml.xml.encryption.EncryptionConstants; import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; -import org.opensaml.xml.signature.ContentReference; import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.SignatureConstants; import org.opensaml.xml.signature.Signer; import org.w3c.dom.Document; @@ -70,7 +66,7 @@ import at.gv.egovernment.moa.logging.Logger; public class MetadataAction implements IAction { - private static final int VALIDUNTIL_IN_DAYES = 30; + private static final int VALIDUNTIL_IN_HOURS = 24; public String processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { @@ -85,7 +81,7 @@ public class MetadataAction implements IAction { DateTime date = new DateTime(); - idpEntitiesDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_DAYES)); + idpEntitiesDescriptor.setValidUntil(date.plusHours(VALIDUNTIL_IN_HOURS)); EntityDescriptor idpEntityDescriptor = SAML2Utils .createSAMLObject(EntityDescriptor.class); @@ -99,7 +95,7 @@ public class MetadataAction implements IAction { idpEntityDescriptor .setEntityID(PVPConfiguration.getInstance().getIDPPublicPath()); - idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_DAYES)); + idpEntityDescriptor.setValidUntil(date.plusDays(VALIDUNTIL_IN_HOURS)); List persons = PVPConfiguration.getInstance() .getIDPContacts(); -- cgit v1.2.3 From f86ebab09aad5971c86dce3827d46a0d41003994 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 11 Feb 2014 08:09:48 +0100 Subject: customize OpenSAML bootstrap to use SHA256 by default --- .../pvp2x/config/MOADefaultBootstrap.java | 61 ++++++++++ .../MOADefaultSecurityConfigurationBootstrap.java | 129 +++++++++++++++++++++ 2 files changed, 190 insertions(+) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java new file mode 100644 index 000000000..80789cd12 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java @@ -0,0 +1,61 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.config; + +import org.opensaml.Configuration; +import org.opensaml.DefaultBootstrap; +import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder; +import org.opensaml.xml.ConfigurationException; + +/** + * @author tlenz + * + */ +public class MOADefaultBootstrap extends DefaultBootstrap { + + public static synchronized void bootstrap() throws ConfigurationException { + + initializeXMLSecurity(); + + initializeXMLTooling(); + + initializeArtifactBuilderFactories(); + + initializeGlobalSecurityConfiguration(); + + initializeParserPool(); + + initializeESAPI(); + + } + + + + /** + * Initializes the default global security configuration. + */ + protected static void initializeGlobalSecurityConfiguration() { + Configuration.setGlobalSecurityConfiguration(MOADefaultSecurityConfigurationBootstrap.buildDefaultConfig()); + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java new file mode 100644 index 000000000..1563ba9be --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java @@ -0,0 +1,129 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.config; + +import org.opensaml.xml.encryption.EncryptionConstants; +import org.opensaml.xml.security.BasicSecurityConfiguration; +import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap; +import org.opensaml.xml.signature.SignatureConstants; + +/** + * @author tlenz + * + */ +public class MOADefaultSecurityConfigurationBootstrap extends + DefaultSecurityConfigurationBootstrap { + + public static BasicSecurityConfiguration buildDefaultConfig() { + BasicSecurityConfiguration config = new BasicSecurityConfiguration(); + + populateSignatureParams(config); + populateEncryptionParams(config); + populateKeyInfoCredentialResolverParams(config); + populateKeyInfoGeneratorManager(config); + populateKeyParams(config); + + return config; + } + + protected static void populateSignatureParams( + BasicSecurityConfiguration config) { + + //use SHA256 instead of SHA1 + config.registerSignatureAlgorithmURI("RSA", + SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); + + config.registerSignatureAlgorithmURI("DSA", + "http://www.w3.org/2000/09/xmldsig#dsa-sha1"); + + //use SHA256 instead of SHA1 + config.registerSignatureAlgorithmURI("EC", + SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256); + + //use SHA256 instead of SHA1 + config.registerSignatureAlgorithmURI("AES", + SignatureConstants.ALGO_ID_MAC_HMAC_SHA256); + + + config.registerSignatureAlgorithmURI("DESede", + SignatureConstants.ALGO_ID_MAC_HMAC_SHA256); + + config.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#"); + config.setSignatureHMACOutputLength(null); + + //use SHA256 instead of SHA1 + config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256); + } + + protected static void populateEncryptionParams( + BasicSecurityConfiguration config) { + config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128), + "http://www.w3.org/2001/04/xmlenc#aes128-cbc"); + config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192), + "http://www.w3.org/2001/04/xmlenc#aes192-cbc"); + config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256), + "http://www.w3.org/2001/04/xmlenc#aes256-cbc"); + + //support GCM mode + config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128), + EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM); + + config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192), + EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM); + + config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256), + EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM); + + + config.registerDataEncryptionAlgorithmURI("DESede", + Integer.valueOf(168), + "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"); + config.registerDataEncryptionAlgorithmURI("DESede", + Integer.valueOf(192), + "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"); + + config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "AES", + "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"); + + config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, + "DESede", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"); + + config.registerKeyTransportEncryptionAlgorithmURI("AES", + Integer.valueOf(128), null, + "http://www.w3.org/2001/04/xmlenc#kw-aes128"); + config.registerKeyTransportEncryptionAlgorithmURI("AES", + Integer.valueOf(192), null, + "http://www.w3.org/2001/04/xmlenc#kw-aes192"); + config.registerKeyTransportEncryptionAlgorithmURI("AES", + Integer.valueOf(256), null, + "http://www.w3.org/2001/04/xmlenc#kw-aes256"); + config.registerKeyTransportEncryptionAlgorithmURI("DESede", + Integer.valueOf(168), null, + "http://www.w3.org/2001/04/xmlenc#kw-tripledes"); + config.registerKeyTransportEncryptionAlgorithmURI("DESede", + Integer.valueOf(192), null, + "http://www.w3.org/2001/04/xmlenc#kw-tripledes"); + + config.setAutoGeneratedDataEncryptionKeyAlgorithmURI("http://www.w3.org/2001/04/xmlenc#aes128-cbc"); + } +} -- cgit v1.2.3 From b905c43b4630d290026d03e744413b20f1b73551 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 11 Feb 2014 08:13:51 +0100 Subject: * add OA specific BKU selection template * add OA specific send-assertion template * add OA specific applet height and width configuration * add PVP2.x reload checkbox in PVP2.x OA configuration * add new elements to MOA-ID configuration --- .../auth/builder/GetIdentityLinkFormBuilder.java | 8 ++- .../moa/id/auth/builder/LoginFormBuilder.java | 18 ++++- .../id/auth/builder/SendAssertionFormBuilder.java | 79 +++++++++++++++------- .../servlet/GenerateIFrameTemplateServlet.java | 11 +-- .../moa/id/config/auth/OAAuthParameter.java | 27 ++++++++ .../moa/id/entrypoints/DispatcherServlet.java | 8 +-- .../gv/egovernment/moa/id/util/FormBuildUtils.java | 2 + .../resources/properties/id_messages_de.properties | 2 + .../src/main/resources/config/moaid_config_2.0.xsd | 58 ++-------------- 9 files changed, 121 insertions(+), 92 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java index 70aa1a160..2e08fad6b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java @@ -167,8 +167,10 @@ public class GetIdentityLinkFormBuilder extends Builder { htmlForm = replaceTag(htmlForm, CERTINFO_XMLREQUEST_TAG, encodeParameter(certInfoXMLRequest), true, ALL); htmlForm = replaceTag(htmlForm, CERTINFO_DATAURL_TAG, certInfoDataURL, true, ALL); + Map map = null; + if (oaParam != null) { - Map map = oaParam.getFormCustomizaten(); + map = oaParam.getFormCustomizaten(); htmlForm = replaceTag(htmlForm, COLOR_TAG, map.get(FormBuildUtils.MAIN_BACKGROUNDCOLOR), false, ALL); htmlForm = replaceTag(htmlForm, REDIRECTTARGETTAG, map.get(FormBuildUtils.REDIRECTTARGET), false, ALL); @@ -179,11 +181,15 @@ public class GetIdentityLinkFormBuilder extends Builder { if (MiscUtil.isNotEmpty(appletheigth)) htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, appletheigth, false, ALL); + else if (map != null && MiscUtil.isNotEmpty(map.get(FormBuildUtils.APPLET_HEIGHT))) + htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, map.get(FormBuildUtils.APPLET_HEIGHT), false, ALL); else htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, "160", false, ALL); if (MiscUtil.isNotEmpty(appletwidth)) htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, appletwidth, false, ALL); + else if (map != null && MiscUtil.isNotEmpty(map.get(FormBuildUtils.APPLET_WIDTH))) + htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, map.get(FormBuildUtils.APPLET_WIDTH), false, ALL); else htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, "250", false, ALL); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java index 90ad3cf42..ff3b7b170 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java @@ -22,6 +22,7 @@ ******************************************************************************/ package at.gv.egovernment.moa.id.auth.builder; +import java.io.ByteArrayInputStream; import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; @@ -58,7 +59,7 @@ public class LoginFormBuilder { private static String SERVLET = CONTEXTPATH+"/GenerateIframeTemplate"; - public static String getTemplate() { + private static String getTemplate() { String pathLocation =""; InputStream input = null; @@ -118,8 +119,21 @@ public class LoginFormBuilder { } public static String buildLoginForm(String modul, String action, OAAuthParameter oaParam, String contextpath, String moaSessionID) { - String value = getTemplate(); + String value = null; + + byte[] oatemplate = oaParam.getBKUSelectionTemplate(); + // OA specific template requires a size of 8 bits minimum + if (oatemplate != null && oatemplate.length > 7) { + InputStream is = new ByteArrayInputStream(oatemplate); + value = getTemplate(is); + + } else { + //load default BKU-selection template + value = getTemplate(); + + } + if(value != null) { if(modul == null) { modul = SAML1Protocol.PATH; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java index f65a3c011..24b848176 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java @@ -22,6 +22,7 @@ ******************************************************************************/ package at.gv.egovernment.moa.id.auth.builder; +import java.io.ByteArrayInputStream; import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; @@ -58,32 +59,50 @@ public class SendAssertionFormBuilder { private static String SERVLET = CONTEXTPATH+"/SSOSendAssertionServlet"; private static String getTemplate() { - - String template = null; - InputStream input = null; - try { - String pathLocation; - - String rootconfigdir = AuthConfigurationProvider.getInstance().getRootConfigFileDir(); - pathLocation = rootconfigdir + HTMLTEMPLATESDIR + HTMLTEMPLATEFULL; + String pathLocation; + InputStream input = null; + try { + String rootconfigdir = AuthConfigurationProvider.getInstance().getRootConfigFileDir(); + pathLocation = rootconfigdir + HTMLTEMPLATESDIR + HTMLTEMPLATEFULL; + + try { + File file = new File(new URI(pathLocation)); + input = new FileInputStream(file); + + } catch (FileNotFoundException e) { - try { - File file = new File(new URI(pathLocation)); - input = new FileInputStream(file); - - } catch (FileNotFoundException e) { - - Logger.warn("No LoginFormTempaltes found. Use Generic Templates from package."); - - pathLocation = "resources/templates/" + HTMLTEMPLATEFULL; - - input = Thread.currentThread() - .getContextClassLoader() - .getResourceAsStream(pathLocation); - - } + Logger.warn("No LoginFormTempaltes found. Use Generic Templates from package."); + + pathLocation = "resources/templates/" + HTMLTEMPLATEFULL; + + input = Thread.currentThread() + .getContextClassLoader() + .getResourceAsStream(pathLocation); + + } + + return getTemplate(input); + + } catch (Exception e) { + try { + input.close(); + } catch (IOException e1) { + Logger.warn("SendAssertionTemplate inputstream can not be closed.", e); + } + + return null; + } + + } + + private static String getTemplate(InputStream input) { + + String template = null; + + try { + StringWriter writer = new StringWriter(); IOUtils.copy(input, writer); template = writer.toString(); @@ -105,7 +124,19 @@ public class SendAssertionFormBuilder { } public static String buildForm(String modul, String action, String id, OAAuthParameter oaParam, String contextpath) { - String value = getTemplate(); + String value = null; + + byte[] oatemplate = oaParam.getSendAssertionTemplate(); + // OA specific template requires a size of 8 bits minimum + if (oatemplate != null && oatemplate.length > 7) { + InputStream is = new ByteArrayInputStream(oatemplate); + value = getTemplate(is); + + } else { + //load default BKU-selection template + value = getTemplate(); + + } if(value != null) { if(modul == null) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java index c66e19eb0..d2d458e74 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java @@ -82,9 +82,12 @@ public class GenerateIFrameTemplateServlet extends AuthServlet { AuthenticationSession moasession = null; - try { - //moasessionid = (String) req.getSession().getAttribute(AuthenticationManager.MOA_SESSION); - + if (MiscUtil.isEmpty(bkuid) || MiscUtil.isEmpty(moasessionid)) { + Logger.warn("MOASessionID or BKU-type is empty. Maybe an old BKU-selection template is in use."); + throw new MOAIDException("auth.23", new Object[] {}); + } + + try { pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moasessionid); moasession = AuthenticationSessionStoreage.getSession(moasessionid); @@ -112,7 +115,7 @@ public class GenerateIFrameTemplateServlet extends AuthServlet { //load Parameters from config String target = oaParam.getTarget(); - + String bkuURL = oaParam.getBKUURL(bkuid); if (MiscUtil.isEmpty(bkuURL)) { Logger.info("No OA specific BKU defined. Use BKU from default configuration"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 7a38e2afd..8e7ca0779 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -320,6 +320,12 @@ public Map getFormCustomizaten() { if (MiscUtil.isNotEmpty(bkuselection.getAppletRedirectTarget())) map.put(FormBuildUtils.REDIRECTTARGET, bkuselection.getAppletRedirectTarget()); + if (MiscUtil.isNotEmpty(bkuselection.getAppletHeight())) + map.put(FormBuildUtils.APPLET_HEIGHT, bkuselection.getAppletHeight()); + + if (MiscUtil.isNotEmpty(bkuselection.getAppletWidth())) + map.put(FormBuildUtils.APPLET_WIDTH, bkuselection.getAppletWidth()); + } } @@ -343,6 +349,27 @@ public List getRequestedAttributes() { } +public byte[] getBKUSelectionTemplate() { + + TemplatesType templates = oa_auth.getTemplates(); + if (templates != null && templates.getBKUSelectionTemplate() != null) { + return templates.getBKUSelectionTemplate().getTransformation(); + + } + + return null; +} + +public byte[] getSendAssertionTemplate() { + + TemplatesType templates = oa_auth.getTemplates(); + if (templates != null && templates.getSendAssertionTemplate() != null) { + return templates.getSendAssertionTemplate().getTransformation(); + + } + + return null; +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 1f526caca..6b774261d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -22,14 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.entrypoints; - - -import iaik.security.ecc.provider.ECCProvider; -import iaik.security.provider.IAIK; - import java.io.IOException; -import java.io.PrintWriter; -import java.security.Security; + import java.util.Iterator; import java.util.Map; import java.util.Set; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java index 37ead5cff..d3ac574f8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java @@ -43,6 +43,8 @@ public class FormBuildUtils { public static String FONTFAMILY = "#FONTTYPE#"; public static String HEADER_TEXT = "#HEADER_TEXT#"; public static String REDIRECTTARGET = "#REDIRECTTARGET#"; + public static String APPLET_HEIGHT = "#APPLETHEIGHT#"; + public static String APPLET_WIDTH = "#APPLETWIDTH#"; private static String MANDATEVISIBLE = "#MANDATEVISIBLE#"; private static String MANDATECHECKED = "#MANDATECHECKED#"; diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index a6c0601e4..2f956bd39 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -41,6 +41,8 @@ auth.19=Die Authentifizierung kann nicht passiv durchgef\u00FChrt werden. auth.20=No valid MOA session found. Authentification process is abourted. auth.21=Der Anmeldevorgang wurde durch den Benutzer abgebrochen. auth.22=Das Protokoll {0} ist deaktiviert. +auth.23=Das BKU-Selektion Template entspricht nicht der Spezifikation von MOA-ID 2.x. +auth.24=Das Send-Assertion Template entspricht nicht der Spezifikation von MOA-ID 2.x. init.00=MOA ID Authentisierung wurde erfolgreich gestartet init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd index 7944a7321..2461e1274 100644 --- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd +++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd @@ -160,36 +160,6 @@ - - - enthält Konfigurationsparameter der - Proxy-Komponente - - - - - - - enthält Parameter für die Kommunikation zw. - Proxykomponente und Authenttisierungskomponente - - - - - - - enthält Parameter für die SOAP-Verbindung - von der Proxy-Komponente zur Auth-Komponente (vgl. - AuthComponent/MOA-SP/ConnectionParameter) - - - - - - - - - enthält Parameter für die OA @@ -463,6 +433,8 @@ + + @@ -507,7 +479,6 @@ - @@ -557,29 +528,6 @@ maxOccurs="1"/ --> - - - enthält Parameter über die OA, die die - Proxy-Komponente betreffen - - - - - - - enthält Parameter über die OA, die die - Proxy-Komponente betreffen - - - - - - - - - - - @@ -995,6 +943,8 @@ + + -- cgit v1.2.3 From 119ff8a43e3e592c1257f6550ba737c0f37d9ed7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 11 Feb 2014 13:42:19 +0100 Subject: update MOA-ID documentation --- .../moa-id-configtool.properties | 75 +++++++++++++++++++++ .../conf/moa-id-configuration/moa-id.properties | 75 --------------------- .../errorpages/errorpage-auth_debug.jsp | 53 +++++++++++++++ .../errorpages/errorpage-auth_empty.jsp | 13 ++++ .../errorpages/errorpage-proxy_debug.jsp | 53 +++++++++++++++ .../errorpages/errorpage-proxy_empty.jsp | 13 ++++ .../deploy/errorpages/errorpage-auth_debug.jsp | 53 --------------- .../deploy/errorpages/errorpage-auth_empty.jsp | 13 ---- .../deploy/errorpages/errorpage-proxy_debug.jsp | 53 --------------- .../deploy/errorpages/errorpage-proxy_empty.jsp | 13 ---- id/server/data/deploy/tomcat/unix/tomcat-start.sh | 6 +- id/server/data/deploy/tomcat/win32/startTomcat.bat | 5 +- id/server/doc/MOA-ID PreRelease-1.9.98.pdf | Bin 417730 -> 481774 bytes 13 files changed, 214 insertions(+), 211 deletions(-) create mode 100644 id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties delete mode 100644 id/server/data/deploy/conf/moa-id-configuration/moa-id.properties create mode 100644 id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-auth_debug.jsp create mode 100644 id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-auth_empty.jsp create mode 100644 id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-proxy_debug.jsp create mode 100644 id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-proxy_empty.jsp delete mode 100644 id/server/data/deploy/errorpages/errorpage-auth_debug.jsp delete mode 100644 id/server/data/deploy/errorpages/errorpage-auth_empty.jsp delete mode 100644 id/server/data/deploy/errorpages/errorpage-proxy_debug.jsp delete mode 100644 id/server/data/deploy/errorpages/errorpage-proxy_empty.jsp (limited to 'id/server') diff --git a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties new file mode 100644 index 000000000..2bb9cb005 --- /dev/null +++ b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties @@ -0,0 +1,75 @@ +#General config +general.login.deaktivate=false +general.publicURLContext=https://localhost:8443/moa-id-configuration + +##Mail +general.mail.host=smtp.localhost... +#general.mail.host.port= +#general.mail.host.username= +#general.mail.host.password= + +general.mail.from.name=MOA-ID 2.x Konfigurationstool +general.mail.from.address=no-reply@localhost + +general.mail.useraccountrequest.verification.subject=MOA-ID 2.x - Benutzerverifikation +general.mail.useraccountrequest.verification.template=mail/verification_template.html + +general.mail.useraccountrequest.isactive.subject=MOA-ID 2.x - Benutzeraktivierung +general.mail.useraccountrequest.isactive.template=mail/activation_template.html +general.mail.useraccountrequest.rejected.template=mail/rejected_template.html + +general.mail.createOArequest.isactive.subject=MOA-ID 2.x - Online-Applikationsaktivierung +general.mail.createOArequest.isactive.template=mail/oa_activation_template.html + +general.mail.admin.adress=admin@localhost +general.mail.admin.subject=MOA-ID 2.x - Statusmeldung +general.mail.admin.adresses.template=mail/admin_template.html + + +general.moaid.instance.url=https://localhost:8443/moa-id-auth/ + +##PVP2 Authentication +general.login.pvp2.isactive=true + +general.login.pvp2.idp.metadata.url=https://localhost:8443/moa-id-auth/pvp2/metadata +general.login.pvp2.idp.metadata.certificate=$PATH_TO_CONFIG$/conf/moa-id-configuration/keys/moa_idp.crt +general.login.pvp2.idp.metadata.entityID=https://localhost:8443/moa-id-auth +general.login.pvp2.idp.sso.logout.url=https://localhost:8443/moa-id-auth/LogOut?redirect= + +general.login.pvp2.metadata.entities.name=MOA-ID 2.x Configuration Tool +general.login.pvp2.keystore.url=$PATH_TO_CONFIG$/conf/moa-id-configuration/keys/application.p12 +general.login.pvp2.keystore.password=password +general.login.pvp2.keystore.type=PKCS12 + +general.login.pvp2.keystore.metadata.key.alias=pvp_metadata +general.login.pvp2.keystore.metadata.key.password=password + +general.login.pvp2.keystore.authrequest.encryption.key.alias=pvp_encryption +general.login.pvp2.keystore.authrequest.encryption.key.password=password + +general.login.pvp2.keystore.authrequest.key.alias=pvp_request +general.login.pvp2.keystore.authrequest.key.password=password + +#UserRequestCleanUP time in hours +general.userrequests.cleanup.delay=18 + +##Hibnerate configuration for MOA-ID 2.0 configuration +hibernate.dialect=org.hibernate.dialect.MySQLDialect +hibernate.connection.url=jdbc:mysql://localhost/moa-id-config?charSet=utf-8&autoReconnect=true +hibernate.connection.charSet=utf-8 +hibernate.connection.driver_class=com.mysql.jdbc.Driver +hibernate.connection.username= +hibernate.connection.password= + +hibernate.hbm2ddl.auto=update +hibernate.current_session_context_class=thread +hibernate.transaction.flush_before_completion=true +hibernate.transaction.auto_close_session=true +hibernate.show_sql=false +hibernate.format_sql=true +hibernate.c3p0.acquire_increment=3 +hibernate.c3p0.idle_test_period=300 +hibernate.c3p0.timeout=300 +hibernate.c3p0.max_size=20 +hibernate.c3p0.max_statements=0 +hibernate.c3p0.min_size=3 \ No newline at end of file diff --git a/id/server/data/deploy/conf/moa-id-configuration/moa-id.properties b/id/server/data/deploy/conf/moa-id-configuration/moa-id.properties deleted file mode 100644 index 2bb9cb005..000000000 --- a/id/server/data/deploy/conf/moa-id-configuration/moa-id.properties +++ /dev/null @@ -1,75 +0,0 @@ -#General config -general.login.deaktivate=false -general.publicURLContext=https://localhost:8443/moa-id-configuration - -##Mail -general.mail.host=smtp.localhost... -#general.mail.host.port= -#general.mail.host.username= -#general.mail.host.password= - -general.mail.from.name=MOA-ID 2.x Konfigurationstool -general.mail.from.address=no-reply@localhost - -general.mail.useraccountrequest.verification.subject=MOA-ID 2.x - Benutzerverifikation -general.mail.useraccountrequest.verification.template=mail/verification_template.html - -general.mail.useraccountrequest.isactive.subject=MOA-ID 2.x - Benutzeraktivierung -general.mail.useraccountrequest.isactive.template=mail/activation_template.html -general.mail.useraccountrequest.rejected.template=mail/rejected_template.html - -general.mail.createOArequest.isactive.subject=MOA-ID 2.x - Online-Applikationsaktivierung -general.mail.createOArequest.isactive.template=mail/oa_activation_template.html - -general.mail.admin.adress=admin@localhost -general.mail.admin.subject=MOA-ID 2.x - Statusmeldung -general.mail.admin.adresses.template=mail/admin_template.html - - -general.moaid.instance.url=https://localhost:8443/moa-id-auth/ - -##PVP2 Authentication -general.login.pvp2.isactive=true - -general.login.pvp2.idp.metadata.url=https://localhost:8443/moa-id-auth/pvp2/metadata -general.login.pvp2.idp.metadata.certificate=$PATH_TO_CONFIG$/conf/moa-id-configuration/keys/moa_idp.crt -general.login.pvp2.idp.metadata.entityID=https://localhost:8443/moa-id-auth -general.login.pvp2.idp.sso.logout.url=https://localhost:8443/moa-id-auth/LogOut?redirect= - -general.login.pvp2.metadata.entities.name=MOA-ID 2.x Configuration Tool -general.login.pvp2.keystore.url=$PATH_TO_CONFIG$/conf/moa-id-configuration/keys/application.p12 -general.login.pvp2.keystore.password=password -general.login.pvp2.keystore.type=PKCS12 - -general.login.pvp2.keystore.metadata.key.alias=pvp_metadata -general.login.pvp2.keystore.metadata.key.password=password - -general.login.pvp2.keystore.authrequest.encryption.key.alias=pvp_encryption -general.login.pvp2.keystore.authrequest.encryption.key.password=password - -general.login.pvp2.keystore.authrequest.key.alias=pvp_request -general.login.pvp2.keystore.authrequest.key.password=password - -#UserRequestCleanUP time in hours -general.userrequests.cleanup.delay=18 - -##Hibnerate configuration for MOA-ID 2.0 configuration -hibernate.dialect=org.hibernate.dialect.MySQLDialect -hibernate.connection.url=jdbc:mysql://localhost/moa-id-config?charSet=utf-8&autoReconnect=true -hibernate.connection.charSet=utf-8 -hibernate.connection.driver_class=com.mysql.jdbc.Driver -hibernate.connection.username= -hibernate.connection.password= - -hibernate.hbm2ddl.auto=update -hibernate.current_session_context_class=thread -hibernate.transaction.flush_before_completion=true -hibernate.transaction.auto_close_session=true -hibernate.show_sql=false -hibernate.format_sql=true -hibernate.c3p0.acquire_increment=3 -hibernate.c3p0.idle_test_period=300 -hibernate.c3p0.timeout=300 -hibernate.c3p0.max_size=20 -hibernate.c3p0.max_statements=0 -hibernate.c3p0.min_size=3 \ No newline at end of file diff --git a/id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-auth_debug.jsp b/id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-auth_debug.jsp new file mode 100644 index 000000000..8e1e331d6 --- /dev/null +++ b/id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-auth_debug.jsp @@ -0,0 +1,53 @@ + +<%@ page contentType="text/html; charset=UTF-8" %> + + +Ein Fehler ist aufgetreten + +<% Throwable exceptionThrown = (Throwable)request.getAttribute("ExceptionThrown"); + String errorMessage = (String)request.getAttribute("ErrorMessage"); + String wrongParameters = (String)request.getAttribute("WrongParameters"); + String logLevel = (String)request.getAttribute("LogLevel"); +%> + + +

Fehler bei der Anmeldung

+

Bei der Anmeldung ist ein Fehler aufgetreten.

+ +<% if (logLevel != null) { %> +<% if (errorMessage != null) { %> +

+<%= errorMessage%>
+

+<% } %> +<% if (exceptionThrown != null) { %> +

+<%= exceptionThrown.getMessage()%> +

+<% } %> +<% if (wrongParameters != null) { %> +

Die Angabe der Parameter ist unvollständig.

+ <%= wrongParameters %>
+

+ Beispiele für korrekte Links zur MOA-ID Authentisierung sind: +

+

+<a href="https://<MOA-URL>/StartAuthentication?Target=<Geschäftsbereich>&OA=<OA-URL>&Template=<Template-URL>"> +

+

+<a href="https://<MOA-URL>/SelectBKU?Target=<Geschäftsbereich>&OA=<OA-URL>&Template=<Template-URL>&BKUSelectionTemplate=<BKU-Template-URL>"> +

+

+Im Falle einer Applikation aus dem privatwirtschaftlichen Bereich (type="businessService") entfällt die Angabe des Target Parameters: +

+

+<a href="https://<MOA-URL>/StartAuthentication?OA=<OA-URL>&Template=<Template-URL>"> +

+

+<a href="https://<MOA-URL>/SelectBKU?OA=<OA-URL>&Template=<Template-URL>&BKUSelectionTemplate=<BKU-Template-URL>"> +

+

Die Angabe der Parameter "Template" und "BKUSelectionTemplate" ist optional.

+<% } %> +<% } %> + + \ No newline at end of file diff --git a/id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-auth_empty.jsp b/id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-auth_empty.jsp new file mode 100644 index 000000000..40739efea --- /dev/null +++ b/id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-auth_empty.jsp @@ -0,0 +1,13 @@ + +<%@ page contentType="text/html; charset=UTF-8" %> + + +Ein Fehler ist aufgetreten + + + +

Fehler bei der Anmeldung

+

Bei der Anmeldung ist ein Fehler aufgetreten.

+ + + \ No newline at end of file diff --git a/id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-proxy_debug.jsp b/id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-proxy_debug.jsp new file mode 100644 index 000000000..8e1e331d6 --- /dev/null +++ b/id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-proxy_debug.jsp @@ -0,0 +1,53 @@ + +<%@ page contentType="text/html; charset=UTF-8" %> + + +Ein Fehler ist aufgetreten + +<% Throwable exceptionThrown = (Throwable)request.getAttribute("ExceptionThrown"); + String errorMessage = (String)request.getAttribute("ErrorMessage"); + String wrongParameters = (String)request.getAttribute("WrongParameters"); + String logLevel = (String)request.getAttribute("LogLevel"); +%> + + +

Fehler bei der Anmeldung

+

Bei der Anmeldung ist ein Fehler aufgetreten.

+ +<% if (logLevel != null) { %> +<% if (errorMessage != null) { %> +

+<%= errorMessage%>
+

+<% } %> +<% if (exceptionThrown != null) { %> +

+<%= exceptionThrown.getMessage()%> +

+<% } %> +<% if (wrongParameters != null) { %> +

Die Angabe der Parameter ist unvollständig.

+ <%= wrongParameters %>
+

+ Beispiele für korrekte Links zur MOA-ID Authentisierung sind: +

+

+<a href="https://<MOA-URL>/StartAuthentication?Target=<Geschäftsbereich>&OA=<OA-URL>&Template=<Template-URL>"> +

+

+<a href="https://<MOA-URL>/SelectBKU?Target=<Geschäftsbereich>&OA=<OA-URL>&Template=<Template-URL>&BKUSelectionTemplate=<BKU-Template-URL>"> +

+

+Im Falle einer Applikation aus dem privatwirtschaftlichen Bereich (type="businessService") entfällt die Angabe des Target Parameters: +

+

+<a href="https://<MOA-URL>/StartAuthentication?OA=<OA-URL>&Template=<Template-URL>"> +

+

+<a href="https://<MOA-URL>/SelectBKU?OA=<OA-URL>&Template=<Template-URL>&BKUSelectionTemplate=<BKU-Template-URL>"> +

+

Die Angabe der Parameter "Template" und "BKUSelectionTemplate" ist optional.

+<% } %> +<% } %> + + \ No newline at end of file diff --git a/id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-proxy_empty.jsp b/id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-proxy_empty.jsp new file mode 100644 index 000000000..40739efea --- /dev/null +++ b/id/server/data/deploy/conf/moa-id-proxy/errorpages/errorpage-proxy_empty.jsp @@ -0,0 +1,13 @@ + +<%@ page contentType="text/html; charset=UTF-8" %> + + +Ein Fehler ist aufgetreten + + + +

Fehler bei der Anmeldung

+

Bei der Anmeldung ist ein Fehler aufgetreten.

+ + + \ No newline at end of file diff --git a/id/server/data/deploy/errorpages/errorpage-auth_debug.jsp b/id/server/data/deploy/errorpages/errorpage-auth_debug.jsp deleted file mode 100644 index 8e1e331d6..000000000 --- a/id/server/data/deploy/errorpages/errorpage-auth_debug.jsp +++ /dev/null @@ -1,53 +0,0 @@ - -<%@ page contentType="text/html; charset=UTF-8" %> - - -Ein Fehler ist aufgetreten - -<% Throwable exceptionThrown = (Throwable)request.getAttribute("ExceptionThrown"); - String errorMessage = (String)request.getAttribute("ErrorMessage"); - String wrongParameters = (String)request.getAttribute("WrongParameters"); - String logLevel = (String)request.getAttribute("LogLevel"); -%> - - -

Fehler bei der Anmeldung

-

Bei der Anmeldung ist ein Fehler aufgetreten.

- -<% if (logLevel != null) { %> -<% if (errorMessage != null) { %> -

-<%= errorMessage%>
-

-<% } %> -<% if (exceptionThrown != null) { %> -

-<%= exceptionThrown.getMessage()%> -

-<% } %> -<% if (wrongParameters != null) { %> -

Die Angabe der Parameter ist unvollständig.

- <%= wrongParameters %>
-

- Beispiele für korrekte Links zur MOA-ID Authentisierung sind: -

-

-<a href="https://<MOA-URL>/StartAuthentication?Target=<Geschäftsbereich>&OA=<OA-URL>&Template=<Template-URL>"> -

-

-<a href="https://<MOA-URL>/SelectBKU?Target=<Geschäftsbereich>&OA=<OA-URL>&Template=<Template-URL>&BKUSelectionTemplate=<BKU-Template-URL>"> -

-

-Im Falle einer Applikation aus dem privatwirtschaftlichen Bereich (type="businessService") entfällt die Angabe des Target Parameters: -

-

-<a href="https://<MOA-URL>/StartAuthentication?OA=<OA-URL>&Template=<Template-URL>"> -

-

-<a href="https://<MOA-URL>/SelectBKU?OA=<OA-URL>&Template=<Template-URL>&BKUSelectionTemplate=<BKU-Template-URL>"> -

-

Die Angabe der Parameter "Template" und "BKUSelectionTemplate" ist optional.

-<% } %> -<% } %> - - \ No newline at end of file diff --git a/id/server/data/deploy/errorpages/errorpage-auth_empty.jsp b/id/server/data/deploy/errorpages/errorpage-auth_empty.jsp deleted file mode 100644 index 40739efea..000000000 --- a/id/server/data/deploy/errorpages/errorpage-auth_empty.jsp +++ /dev/null @@ -1,13 +0,0 @@ - -<%@ page contentType="text/html; charset=UTF-8" %> - - -Ein Fehler ist aufgetreten - - - -

Fehler bei der Anmeldung

-

Bei der Anmeldung ist ein Fehler aufgetreten.

- - - \ No newline at end of file diff --git a/id/server/data/deploy/errorpages/errorpage-proxy_debug.jsp b/id/server/data/deploy/errorpages/errorpage-proxy_debug.jsp deleted file mode 100644 index 8e1e331d6..000000000 --- a/id/server/data/deploy/errorpages/errorpage-proxy_debug.jsp +++ /dev/null @@ -1,53 +0,0 @@ - -<%@ page contentType="text/html; charset=UTF-8" %> - - -Ein Fehler ist aufgetreten - -<% Throwable exceptionThrown = (Throwable)request.getAttribute("ExceptionThrown"); - String errorMessage = (String)request.getAttribute("ErrorMessage"); - String wrongParameters = (String)request.getAttribute("WrongParameters"); - String logLevel = (String)request.getAttribute("LogLevel"); -%> - - -

Fehler bei der Anmeldung

-

Bei der Anmeldung ist ein Fehler aufgetreten.

- -<% if (logLevel != null) { %> -<% if (errorMessage != null) { %> -

-<%= errorMessage%>
-

-<% } %> -<% if (exceptionThrown != null) { %> -

-<%= exceptionThrown.getMessage()%> -

-<% } %> -<% if (wrongParameters != null) { %> -

Die Angabe der Parameter ist unvollständig.

- <%= wrongParameters %>
-

- Beispiele für korrekte Links zur MOA-ID Authentisierung sind: -

-

-<a href="https://<MOA-URL>/StartAuthentication?Target=<Geschäftsbereich>&OA=<OA-URL>&Template=<Template-URL>"> -

-

-<a href="https://<MOA-URL>/SelectBKU?Target=<Geschäftsbereich>&OA=<OA-URL>&Template=<Template-URL>&BKUSelectionTemplate=<BKU-Template-URL>"> -

-

-Im Falle einer Applikation aus dem privatwirtschaftlichen Bereich (type="businessService") entfällt die Angabe des Target Parameters: -

-

-<a href="https://<MOA-URL>/StartAuthentication?OA=<OA-URL>&Template=<Template-URL>"> -

-

-<a href="https://<MOA-URL>/SelectBKU?OA=<OA-URL>&Template=<Template-URL>&BKUSelectionTemplate=<BKU-Template-URL>"> -

-

Die Angabe der Parameter "Template" und "BKUSelectionTemplate" ist optional.

-<% } %> -<% } %> - - \ No newline at end of file diff --git a/id/server/data/deploy/errorpages/errorpage-proxy_empty.jsp b/id/server/data/deploy/errorpages/errorpage-proxy_empty.jsp deleted file mode 100644 index 40739efea..000000000 --- a/id/server/data/deploy/errorpages/errorpage-proxy_empty.jsp +++ /dev/null @@ -1,13 +0,0 @@ - -<%@ page contentType="text/html; charset=UTF-8" %> - - -Ein Fehler ist aufgetreten - - - -

Fehler bei der Anmeldung

-

Bei der Anmeldung ist ein Fehler aufgetreten.

- - - \ No newline at end of file diff --git a/id/server/data/deploy/tomcat/unix/tomcat-start.sh b/id/server/data/deploy/tomcat/unix/tomcat-start.sh index 6310b1070..10bade1bd 100644 --- a/id/server/data/deploy/tomcat/unix/tomcat-start.sh +++ b/id/server/data/deploy/tomcat/unix/tomcat-start.sh @@ -8,15 +8,17 @@ LOGGING_OPT=-Dlog4j.configuration=file:$CATALINA_BASE/conf/moa-id/log4j.properti CONFIG_OPT=-Dmoa.id.configuration=$CATALINA_BASE/conf/moa-id/moa-id.properties SPSS_OPT=-Dmoa.spss.server.configuration=$CATALINA_BASE/conf/moa-spss/SampleMOASPSSConfiguration.xml -CONFIGTOOL_OPT=-Dmoa.id.webconfig=$CATALINA_BASE/conf/moa-id-configuration/moa-id.properties +CONFIGTOOL_OPT=-Dmoa.id.webconfig=$CATALINA_BASE/conf/moa-id-configuration/moa-id-configtool.properties DEMOOA_OPT=-Dmoa.id.demoOA=$CATALINA_BASE/conf/moa-id-oa/oa.properties STORK_OPT=-Deu.stork.samlengine.config.location=$CATALINA_BASE/conf/moa-id/stork/ +PROXY_OPT=-Dmoa.id.proxy.configuration=$CATALINA_BASE/conf/moa-id-proxy/MOAIDConfiguration.xml + #TRUST_STORE_OPT=-Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/moa-spss/keys/clients/trustedMOAClients-password=changeit.keystore #TRUST_STORE_PASS_OPT=-Djavax.net.ssl.trustStorePassword=changeit #TRUST_STORE_TYPE_OPT=-Djavax.net.ssl.trustStoreType=jks -export CATALINA_OPTS="$CONFIG_OPT $LOGGING_OPT $SPSS_OPT $TRUST_STORE_OPT $TRUST_STORE_PASS_OPT $TRUST_STORE_TYPE_OPT $CONFIGTOOL_OPT $DEMOOA_OPT $STORK_OPT" +export CATALINA_OPTS="$CONFIG_OPT $LOGGING_OPT $SPSS_OPT $TRUST_STORE_OPT $TRUST_STORE_PASS_OPT $TRUST_STORE_TYPE_OPT $CONFIGTOOL_OPT $DEMOOA_OPT $STORK_OPT $PROXY_OPT" echo CATALINA_HOME: $CATALINA_HOME echo CATALINA_BASE: $CATALINA_BASE diff --git a/id/server/data/deploy/tomcat/win32/startTomcat.bat b/id/server/data/deploy/tomcat/win32/startTomcat.bat index 65b2bef23..7730137c5 100644 --- a/id/server/data/deploy/tomcat/win32/startTomcat.bat +++ b/id/server/data/deploy/tomcat/win32/startTomcat.bat @@ -13,11 +13,12 @@ set LOGGING_OPT=-Dlog4j.configuration=file:%CATALINA_HOME%/conf/moa-id/log4j.pro set CONFIG_OPT_SPSS=-Dmoa.spss.server.configuration=%CATALINA_HOME%/conf/moa-spss/SampleMOASPSSConfiguration.xml set CONFIG_OPT_ID=-Dmoa.id.configuration=%CATALINA_HOME%/conf/moa-id/moa-id.properties -set CONFIGTOOL_OPT=-Dmoa.id.webconfig=%CATALINA_HOME%/conf/moa-id-configuration/moa-id.properties +set CONFIGTOOL_OPT=-Dmoa.id.webconfig=%CATALINA_HOME%/conf/moa-id-configuration/moa-id-configtool.properties set DEMOOA_OPT=-Dmoa.id.demoOA=%CATALINA_HOME%/conf/moa-id-oa/oa.properties set STORK_OPT=-Deu.stork.samlengine.config.location=%CATALINA_HOME%/conf/moa-id/stork/ +set PROXY_OPT=-Dmoa.id.proxy.configuration=%CATALINA_HOME%/conf/moa-id-proxy/MOAIDConfiguration.xml -set PARAMS_MOA=%CONFIG_OPT_SPSS% %CONFIG_OPT_ID% %LOGGING_OPT% %CONFIGTOOL_OPT% %DEMOOA_OPT% %STORK_OPT% +set PARAMS_MOA=%CONFIG_OPT_SPSS% %CONFIG_OPT_ID% %LOGGING_OPT% %CONFIGTOOL_OPT% %DEMOOA_OPT% %STORK_OPT% %PROXY_OPT% rem set PARAM_TRUST_STORE=-Djavax.net.ssl.trustStore=truststore.jks rem set PARAM_TRUST_STORE_PASS=-Djavax.net.ssl.trustStorePassword=changeit diff --git a/id/server/doc/MOA-ID PreRelease-1.9.98.pdf b/id/server/doc/MOA-ID PreRelease-1.9.98.pdf index 527251961..4ee41f513 100644 Binary files a/id/server/doc/MOA-ID PreRelease-1.9.98.pdf and b/id/server/doc/MOA-ID PreRelease-1.9.98.pdf differ -- cgit v1.2.3 From f361911ce08962a04b26d67fa7d4698d7294cc74 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 13 Feb 2014 09:41:29 +0100 Subject: * add new error message if MOA-ID-Proxy configuration is not found * change SAML1 legacy-request parameter validation * change OA-SL Template labels --- .../egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java | 2 +- .../main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java | 4 ++-- .../src/main/resources/resources/properties/id_messages_de.properties | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java index 93de902ef..66d330d20 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java @@ -118,7 +118,7 @@ public class ProxyConfigurationProvider extends ConfigurationProvider { throws ConfigurationException { String fileName = System.getProperty(PROXY_CONFIG_PROPERTY_NAME); if (fileName == null) { - throw new ConfigurationException("config.01", null); + throw new ConfigurationException("config.20", null); } Logger.info("Loading MOA-ID-PROXY configuration " + fileName); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index 327170054..bd6514c5c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java @@ -513,8 +513,8 @@ public class ParamValidatorUtils implements MOAIDAuthConstants{ throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); if (MiscUtil.isEmpty(bkuURL)) throw new WrongParametersException("StartAuthentication", PARAM_BKU, "auth.12"); - if (MiscUtil.isEmpty(templateURL)) - throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); +// if (MiscUtil.isEmpty(templateURL)) +// throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); if (!ParamValidatorUtils.isValidUseMandate(useMandate)) throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12"); if (!ParamValidatorUtils.isValidCCC(ccc)) diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 2f956bd39..93e8cdb99 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -69,7 +69,8 @@ config.15=Das Personenbindungs-Trust-Profil (TrustProfileID \= {0}) darf nicht f config.16=MOA ID Proxy konnte nicht gestartet werden. Das Element ConnnectionParameter im allgemeinen Konfigurationsteil der MOA-ID-PROXY Konfigurationsdatei fehlt. config.17=Fehler beim initialisieren von Hibernate config.18=Keine MOA-ID 2.x Konfiguration gefunden. -config.19=Kein Schl?ssel f\u00FCr die Resignierung der Personenbindung gefunden. +config.19=Kein Schl?ssel f\u00FCr die Resignierung der Personenbindung gefunden. +config.20=Umgebungsvariable "moa.id.proxy.configuration" nicht gesetzt parser.00=Leichter Fehler beim Parsen: {0} parser.01=Fehler beim Parsen: {0} -- cgit v1.2.3 From 6fabc9a604d61622f19ff8ca0b9237c114021c0e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 13 Feb 2014 09:44:35 +0100 Subject: Now the whole metadata file is NOT rejected if a single entity is not valid. --- .../verification/MetadataSignatureFilter.java | 41 ++++++++++++++++++---- 1 file changed, 34 insertions(+), 7 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java index f0ae6f446..ed0cf9c62 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java @@ -25,7 +25,9 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; import iaik.x509.X509Certificate; import java.security.cert.CertificateException; +import java.util.ArrayList; import java.util.Iterator; +import java.util.List; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; @@ -69,13 +71,17 @@ public class MetadataSignatureFilter implements MetadataFilter { while(entID.hasNext()) { processEntitiesDescriptor(entID.next()); } - + Iterator entIT = desc.getEntityDescriptors().iterator(); - - //check every Entity + + List verifiedEntIT = new ArrayList(); + + //check every Entity + while(entIT.hasNext()) { EntityDescriptor entity = entIT.next(); + String entityID = entity.getEntityID(); //CHECK if Entity also match MetaData signature. @@ -92,17 +98,31 @@ public class MetadataSignatureFilter implements MetadataFilter { EntityVerifier.verify(desc, entityCrendential); + //add entity to verified entity-list + verifiedEntIT.add(entity); + } catch (Exception e) { - throw new MOAIDException("The App", null, e); + + //remove entity of signature can not be verified. + Logger.info("Entity " + entityID + " is removed from metadata " + + desc.getName() + ". Entity verification error: " + e.getMessage()); +// throw new MOAIDException("The App", null, e); } } else { - throw new NoCredentialsException("NO Certificate found for OA " + entityID); + //remove entity if it is not registrated as OA + Logger.info("Entity " + entityID + " is removed from metadata " + + desc.getName() + ". Entity is not registrated or no certificate is found!"); +// throw new NoCredentialsException("NO Certificate found for OA " + entityID); } - + //TODO: insert to support signed Entity-Elements //processEntityDescriptorr(entIT.next()); - } + } + + //set only verified entity elements + desc.getEntityDescriptors().clear(); + desc.getEntityDescriptors().addAll(verifiedEntIT); } public void doFilter(XMLObject metadata) throws FilterException { @@ -114,6 +134,13 @@ public class MetadataSignatureFilter implements MetadataFilter { } processEntitiesDescriptor(entitiesDescriptor); + + if (entitiesDescriptor.getEntityDescriptors().size() == 0) { + throw new MOAIDException("No valid entity in metadata " + + entitiesDescriptor.getName() + ". Metadata is not loaded.", null); + } + + } else if (metadata instanceof EntityDescriptor) { EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; processEntityDescriptorr(entityDescriptor); -- cgit v1.2.3 From 713ca50cbcb276254689088ea558401af018ffcd Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 13 Feb 2014 09:56:50 +0100 Subject: now fetchSavedCredential use a database query to get the certificate from entity --- .../pvp2x/verification/EntityVerifier.java | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java index 4ef9919ca..550643da1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java @@ -22,7 +22,6 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; -import java.util.Iterator; import java.util.List; import org.opensaml.saml2.metadata.EntitiesDescriptor; @@ -44,18 +43,25 @@ import at.gv.egovernment.moa.logging.Logger; public class EntityVerifier { public static byte[] fetchSavedCredential(String entityID) { - List oaList = ConfigurationDBRead - .getAllActiveOnlineApplications(); - Iterator oaIt = oaList.iterator(); - while (oaIt.hasNext()) { - OnlineApplication oa = oaIt.next(); - if (oa.getPublicURLPrefix().equals(entityID)) { +// List oaList = ConfigurationDBRead +// .getAllActiveOnlineApplications(); + + OnlineApplication oa = ConfigurationDBRead + .getActiveOnlineApplication(entityID); + +// Iterator oaIt = oaList.iterator(); +// while (oaIt.hasNext()) { +// OnlineApplication oa = oaIt.next(); +// if (oa.getPublicURLPrefix().equals(entityID)) { + + if (oa != null && oa.getAuthComponentOA() != null) { + OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2(); if (pvp2Config != null) { return pvp2Config.getCertificate(); } } - } +// } return null; } -- cgit v1.2.3