From 6b6c98ae7af48c15e86b189e0db9e39bc1d14edb Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Thu, 5 Mar 2015 12:31:17 +0100 Subject: null safe assignment --- .../main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index fd7c7f237..c638c6324 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -29,6 +29,7 @@ import javax.xml.transform.TransformerException; import org.apache.commons.io.IOUtils; import org.apache.commons.lang.StringEscapeUtils; +import org.apache.commons.lang3.BooleanUtils; import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; @@ -1729,7 +1730,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { boolean globallyMandatory = false; for (StorkAttribute currentGlobalAttribute : storkConfig.getStorkAttributes()) if (current.getName().equals(currentGlobalAttribute.getName())) { - globallyMandatory = currentGlobalAttribute.isMandatory(); + globallyMandatory = BooleanUtils.isTrue(currentGlobalAttribute.isMandatory()); break; } -- cgit v1.2.3 From 8d60f92b63ae39c6e9d308938004f77c29078215 Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Tue, 17 Mar 2015 08:44:18 +0100 Subject: Added mapping AT => Other Countries, request from Thomas K. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit > · „Other Countries“ (dabei handelt es sich um den > Österreichischen Fall, bei dem MOCCA die Signatur mit ausländischen > Karten durchführt) --- .../src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java | 2 ++ 1 file changed, 2 insertions(+) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index db8b4dd80..5223a181d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -149,7 +149,9 @@ public interface MOAIDAuthConstants { Collections.unmodifiableMap(new HashMap() { private static final long serialVersionUID = 1L; { + put("AT", "Other Countries");//"Workaround for PEPS Simulator" put("BE", "België/Belgique"); + //put("CH", "Schweiz"); put("EE", "Eesti"); put("ES", "España"); put("FI", "Suomi"); -- cgit v1.2.3 From e98bdf2b39ecb9100e64c8077752ed7c4ed883b3 Mon Sep 17 00:00:00 2001 From: Florian Reimair Date: Tue, 24 Mar 2015 12:18:49 +0100 Subject: escaped attribute values for saml1 responses --- .../gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java index ea1526ff0..3809ec4bc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java @@ -39,6 +39,7 @@ import javax.xml.transform.TransformerFactoryConfigurationError; import javax.xml.transform.stream.StreamSource; import org.apache.commons.io.IOUtils; +import org.apache.commons.lang3.StringEscapeUtils; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; @@ -286,6 +287,12 @@ public class STORKResponseProcessor { Object attributeValue = attribute.getValue(); if (null == attributeValue) attributeValue = attribute.getComplexValue(); + + // escape attributeValue + attributeValue = StringEscapeUtils.escapeXml10(attributeValue.toString()); + // and remove trailing and tailing brackets. Might break something but we never saw an array with more than one entry! + attributeValue = ((String) attributeValue).substring(1, ((String) attributeValue).length() - 1); + ExtendedSAMLAttribute extendedSAMLAttribute = new ExtendedSAMLAttributeImpl(attribute.getName(), attributeValue, Constants.STORK_NS_URI, 0); moaExtendedSAMLAttributeList.add(extendedSAMLAttribute); -- cgit v1.2.3 From e1c2c42aabf3b1207547dd40b91dc93921303c4a Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 7 Apr 2015 10:19:21 +0200 Subject: add configuration property to deactivate PVP metadata schema validation --- .../data/deploy/conf/moa-id-configuration/moa-id-configtool.properties | 2 ++ 1 file changed, 2 insertions(+) (limited to 'id/server') diff --git a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties index 7c71fadcb..b10913d69 100644 --- a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties +++ b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties @@ -15,6 +15,8 @@ general.ssl.truststore=certs/truststore general.moaconfig.key=ConfigurationEncryptionKey +general.pvp.schemavalidation=true + ##Mail general.mail.host=smtp.localhost... #general.mail.host.port= -- cgit v1.2.3 From 8400b9d9734f45d53ac722e85e04c599fdccfe0d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 9 Apr 2015 12:41:11 +0200 Subject: fix wrong PVP attribute friendly names --- .../java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java index 1f3e86ff6..168f2362a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -237,12 +237,12 @@ public interface PVPConstants { public static final String MANDATE_PROF_REP_OID_OID = "1.2.40.0.10.2.1.1.261.86"; public static final String MANDATE_PROF_REP_OID_NAME = URN_OID_PREFIX + MANDATE_PROF_REP_OID_OID; - public static final String MANDATE_PROF_REP_OID_FRIENDLY_NAME = "MANDATOR-PROF-REP-OID"; + public static final String MANDATE_PROF_REP_OID_FRIENDLY_NAME = "MANDATE-PROF-REP-OID"; public static final int MANDATE_PROF_REP_OID_MAX_LENGTH = 256; public static final String MANDATE_PROF_REP_DESC_OID = "1.2.40.0.10.2.1.1.261.88"; public static final String MANDATE_PROF_REP_DESC_NAME = URN_OID_PREFIX + MANDATE_PROF_REP_DESC_OID; - public static final String MANDATE_PROF_REP_DESC_FRIENDLY_NAME = "MANDATOR-PROF-REP-DESCRIPTION"; + public static final String MANDATE_PROF_REP_DESC_FRIENDLY_NAME = "MANDATE-PROF-REP-DESCRIPTION"; public static final int MANDATE_PROF_REP_DESC_MAX_LENGTH = 1024; public static final String MANDATE_REFERENCE_VALUE_OID = "1.2.40.0.10.2.1.1.261.90"; -- cgit v1.2.3 From a6189a32a78d2b3ed096356f6b7e0049c8870b21 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 14 Apr 2015 16:59:25 +0200 Subject: update error handling in PVP metadata verification filter implemetations --- .../filter/SchemaValidationException.java | 43 ++++++++++++++++ .../filter/SignatureValidationException.java | 58 ++++++++++++++++++++++ .../pvp2x/metadata/MOAMetadataProvider.java | 14 +++++- .../metadata/MetadataSignatureFilter.java | 5 +- .../metadata/SchemaValidationFilter.java | 7 ++- 5 files changed, 119 insertions(+), 8 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SchemaValidationException.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SignatureValidationException.java (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SchemaValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SchemaValidationException.java new file mode 100644 index 000000000..8da5edeed --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SchemaValidationException.java @@ -0,0 +1,43 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter; + +import org.opensaml.saml2.metadata.provider.FilterException; + +/** + * @author tlenz + * + */ +public class SchemaValidationException extends FilterException { + + /** + * @param string + */ + public SchemaValidationException(String string) { + super(string); + + } + + private static final long serialVersionUID = 1L; + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SignatureValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SignatureValidationException.java new file mode 100644 index 000000000..86a6a777b --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SignatureValidationException.java @@ -0,0 +1,58 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter; + +import org.opensaml.saml2.metadata.provider.FilterException; + +/** + * @author tlenz + * + */ +public class SignatureValidationException extends FilterException { + + /** + * @param string + */ + public SignatureValidationException(String string) { + super(string); + + } + + /** + * @param e + */ + public SignatureValidationException(Exception e) { + super(e); + } + + /** + * @param string + * @param object + */ + public SignatureValidationException(String string, Exception e) { + super(string, e); + } + + private static final long serialVersionUID = 1L; + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 12afa14bc..d493ef9e0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -55,6 +55,8 @@ import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; @@ -380,10 +382,18 @@ public class MOAMetadataProvider implements MetadataProvider { return httpProvider; - } catch (Throwable e) { + } catch (Throwable e) { if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { Logger.warn("SSL-Server certificate for metadata " - + metadataURL + " not trusted.", e); + + metadataURL + " not trusted.", e); + + } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) { + Logger.warn("Signature verification for metadata" + + metadataURL + " FAILED.", e); + + } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) { + Logger.warn("Schema validation for metadata " + + metadataURL + " FAILED.", e); } Logger.error( diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java index 0405fa114..6dac4bba1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java @@ -39,6 +39,7 @@ import org.opensaml.xml.security.x509.BasicX509Credential; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier; import at.gv.egovernment.moa.logging.Logger; @@ -126,7 +127,7 @@ public class MetadataSignatureFilter implements MetadataFilter { desc.getEntityDescriptors().addAll(verifiedEntIT); } - public void doFilter(XMLObject metadata) throws FilterException { + public void doFilter(XMLObject metadata) throws SignatureValidationException { try { if (metadata instanceof EntitiesDescriptor) { EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; @@ -155,7 +156,7 @@ public class MetadataSignatureFilter implements MetadataFilter { Logger.info("Metadata signature policy check done OK"); } catch (MOAIDException e) { Logger.warn("Metadata signature policy check FAILED.", e); - throw new FilterException(e); + throw new SignatureValidationException(e); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java index 382adb108..f73b541bf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java @@ -22,8 +22,6 @@ */ package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; -import java.io.IOException; - import org.opensaml.saml2.metadata.provider.FilterException; import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.xml.XMLObject; @@ -38,6 +36,7 @@ import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; import at.gv.egovernment.moa.logging.Logger; /** @@ -69,7 +68,7 @@ public class SchemaValidationFilter implements MetadataFilter { * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) */ @Override - public void doFilter(XMLObject arg0) throws FilterException { + public void doFilter(XMLObject arg0) throws SchemaValidationException { String errString = null; @@ -100,7 +99,7 @@ public class SchemaValidationFilter implements MetadataFilter { } - throw new FilterException("Metadata Schema validation FAILED with message: "+ errString); + throw new SchemaValidationException("Metadata Schema validation FAILED with message: "+ errString); } else Logger.info("Metadata Schema validation check is DEACTIVATED!"); -- cgit v1.2.3 From 945c4d28535724f0a54d220f9eb0ebd25b8227c4 Mon Sep 17 00:00:00 2001 From: Florian Reimair Date: Tue, 14 Apr 2015 13:58:27 +0200 Subject: respect multi-part stork responses --- ...onnectorHandleResponseWithoutSignatureTask.java | 18 +++++++++++------ .../modules/stork/tasks/PepsConnectorTask.java | 23 ++++++++++++++-------- 2 files changed, 27 insertions(+), 14 deletions(-) (limited to 'id/server') diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java index 3338804b4..e2c3880ac 100644 --- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java +++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java @@ -136,7 +136,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep try { // validate SAML Token Logger.debug("Starting validation of SAML response"); - authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost()); + authnResponse = engine.validateSTORKAuthnResponseWithQuery(decSamlToken, (String) request.getRemoteHost()); Logger.info("SAML response succesfully verified!"); } catch (STORKSAMLEngineException e) { Logger.error("Failed to verify STORK SAML Response", e); @@ -211,10 +211,16 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID); - // //////////// incorporate gender from parameters if not in stork response - IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList(); + // first, try to fetch the attributes from the list of total attributes. Note that this very list is only filled + // with ALL attributes when there is more than one assertion in the SAML2 STORK message. + IPersonalAttributeList attributeList = authnResponse.getTotalPersonalAttributeList(); + + // if the list is empty, there was just one assertion... probably + if(attributeList.isEmpty()) + attributeList = authnResponse.getPersonalAttributeList(); + // //////////// incorporate gender from parameters if not in stork response // but first, check if we have a representation case if (STORKResponseProcessor.hasAttribute("mandateContent", attributeList) || STORKResponseProcessor.hasAttribute("representative", attributeList) @@ -233,7 +239,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep tmp.add(gendervalue); gender.setValue(tmp); - authnResponse.getPersonalAttributeList().add(gender); + attributeList.add(gender); } } } @@ -246,7 +252,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep // extract signed doc element and citizen signature String citizenSignature = null; try { - PersonalAttribute signedDoc = authnResponse.getPersonalAttributeList().get("signedDoc"); + PersonalAttribute signedDoc = attributeList.get("signedDoc"); String signatureInfo = null; // FIXME: Remove nonsense code (signedDoc attribute... (throw Exception for "should not occur" situations)), adjust error messages in order to reflect the true problem... if (signedDoc != null) { @@ -259,7 +265,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep // store authnResponse // moaSession.setAuthnResponse(authnResponse);//not serializable - moaSession.setAuthnResponseGetPersonalAttributeList(authnResponse.getPersonalAttributeList()); + moaSession.setAuthnResponseGetPersonalAttributeList(attributeList); String authnContextClassRef = null; try { diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java index 6e0bd19ff..9df0ff37b 100644 --- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java +++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java @@ -162,7 +162,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask { try { // validate SAML Token Logger.debug("Starting validation of SAML response"); - authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost()); + authnResponse = engine.validateSTORKAuthnResponseWithQuery(decSamlToken, (String) request.getRemoteHost()); Logger.info("SAML response succesfully verified!"); } catch (STORKSAMLEngineException e) { Logger.error("Failed to verify STORK SAML Response", e); @@ -297,9 +297,16 @@ public class PepsConnectorTask extends AbstractAuthServletTask { Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID); - // //////////// incorporate gender from parameters if not in stork response - IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList(); + // first, try to fetch the attributes from the list of total attributes. Note that this very list is only filled + // with ALL attributes when there is more than one assertion in the SAML2 STORK message. + IPersonalAttributeList attributeList = authnResponse.getTotalPersonalAttributeList(); + + // if the list is empty, there was just one assertion... probably + if(attributeList.isEmpty()) + attributeList = authnResponse.getPersonalAttributeList(); + + // //////////// incorporate gender from parameters if not in stork response // but first, check if we have a representation case if (STORKResponseProcessor.hasAttribute("mandateContent", attributeList) @@ -320,7 +327,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask { tmp.add(gendervalue); gender.setValue(tmp); - authnResponse.getPersonalAttributeList().add(gender); + attributeList.add(gender); } } } @@ -336,15 +343,15 @@ public class PepsConnectorTask extends AbstractAuthServletTask { // extract signed doc element and citizen signature try { - if (authnResponse.getPersonalAttributeList().get("signedDoc") == null - || authnResponse.getPersonalAttributeList().get("signedDoc").getValue() == null - || authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0) == null) { + if (attributeList.get("signedDoc") == null + || attributeList.get("signedDoc").getValue() == null + || attributeList.get("signedDoc").getValue().get(0) == null) { Logger.info("STORK Response include NO signedDoc attribute!"); throw new STORKException("STORK Response include NO signedDoc attribute."); } - String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); + String signatureInfo = attributeList.get("signedDoc").getValue().get(0); Logger.debug("signatureInfo:" + signatureInfo); -- cgit v1.2.3 From bd491504c9b77941cdc9a210856142472473d610 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 16 Apr 2015 13:19:59 +0200 Subject: update TrustStore and CertStore with A-Trust-Test-xxx-05 certificates --- ...remium-Sig-05.20141215-20141209.SerNo165fb8.crt | 36 ++++++++++++++++++++++ ...remium-Enc-05.20141215-20141209.SerNo165fb7.crt | 36 ++++++++++++++++++++++ ...remium-Sig-05.20141215-20141209.SerNo165fb8.crt | 36 ++++++++++++++++++++++ 3 files changed, 108 insertions(+) create mode 100644 id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Test-Premium-Sig-05.20141215-20141209.SerNo165fb8.crt create mode 100644 id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-test-premium-Enc-05.20141215-20141209.SerNo165fb7.crt create mode 100644 id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/a-sign-Test-Premium-Sig-05.20141215-20141209.SerNo165fb8.crt (limited to 'id/server') diff --git a/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Test-Premium-Sig-05.20141215-20141209.SerNo165fb8.crt b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Test-Premium-Sig-05.20141215-20141209.SerNo165fb8.crt new file mode 100644 index 000000000..ee17cdb80 --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Test-Premium-Sig-05.20141215-20141209.SerNo165fb8.crt @@ -0,0 +1,36 @@ +-----BEGIN CERTIFICATE----- +MIIGQTCCBCmgAwIBAgIDFl+4MA0GCSqGSIb3DQEBCwUAMIGVMQswCQYDVQQGEwJB +VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp +bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMR0wGwYDVQQLDBRBLVRydXN0LVRl +c3QtUm9vdC0wNTEdMBsGA1UEAwwUQS1UcnVzdC1UZXN0LVJvb3QtMDUwHhcNMTQx +MjE1MTMxMDE5WhcNMjQxMjA5MTIxMDE5WjCBoTELMAkGA1UEBhMCQVQxSDBGBgNV +BAoMP0EtVHJ1c3QgR2VzLiBmLiBTaWNoZXJoZWl0c3N5c3RlbWUgaW0gZWxla3Ry +LiBEYXRlbnZlcmtlaHIgR21iSDEjMCEGA1UECwwaYS1zaWduLVRlc3QtUHJlbWl1 +bS1TaWctMDUxIzAhBgNVBAMMGmEtc2lnbi1UZXN0LVByZW1pdW0tU2lnLTA1MIIC +IDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAq9PRwApA35K3LT0p5IYtNZMS +BFJsIkzjgF4FRQ36PtxeNsPL6iPgfFjWLZzVT1arHrC6ciz97haDWEN5Jq+aVaZp +gvFtvqZXlwYOWP0sshQg1aP7zrfH/N6yqjkrXHyzgmSz3SVIbdj5CqUJz/+94FCR +cA8XkQ3WZAjSkRB+MSIY8umftkmJOVAstaG28OEtpmqwBLRh/QGcNZzfhyrPS2Ls +5BAKQW9SBb1nXn8JOHq0Bd8zHShHbny9X/qT0xqeFfwItZWiW7iu3LgbGqfB3J4d +s+9iecwHDsmYdSb2quGmzJXejmvktFZte9dlF7BuBqier+R3/czdLteRems5S9Ka +hlP3+f3CnFwKihyVMhnuf5HyhCo1Fvrt+igWtNnos38qzB5RzRTJXnvZyrtTJMQE +/8ZuV2B12Oaf0AQjt+o/SPKeaTBX2yes0S1xbQy7xJzNhgBJ2Ir3OI6SoOooVN+9 +kQuzD7NsJBJzIy4dHCvOgs0C1ro8DROaV3Usn58eYOkLDrPGpEBmFq7GnsxnbeEh +5zzlgh00R9cy5PxiO40U+KxnTmQl+/vc9i1plDLsTRePeThKgS0UOIRZP7voYKdu +IJaEzufNXUxZbCc9Mq3V552BmRPhL9Ouf/bfaVMmkY4p7BdU57stxDfVwG9biujj +AVPA7DeRm+S0kzWRq0kCAQOjgY0wgYowPwYDVR0fBDgwNjA0oDKgMIYuaHR0cDov +L2NybC5hLXRydXN0LmF0L2NybC9BLVRydXN0LVRlc3QtUm9vdC0wNTATBgNVHSME +DDAKgAhEL/sUCZKJ0DAPBgNVHRMBAf8EBTADAQH/MBEGA1UdDgQKBAhB0SNOEjM1 +3jAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAEiqm52uEL2giMCy +8i1tIbqKP3SeJnYxhJgN4d3caWqfE1CoEUQjsN8t7sF866TOYJMrQ+/dS8bUqNiG +x4vvPrDq3DUSyKflgPaz+36xtB4BTlIiYTzio7Tnv+d5n+MsM6c/rijJzRx38FLM +tZTAfr7dXv5KxrfYrrEnPrGg0gMlYqX3rB1TKQnPx5qG3e2YXc6tdvDeXhh9cXj3 +76VJony7iV0ccKWNXRRNx1X0po/Luu6EMD/5czArtmO0KmGXO3gK3Fy7pxUbdBra +nSJNsY+Fv4X3zqf5n9ZM4Yut7KSqBiQbuMmIzLZkICJOWN5t9mOTStgmZjGqBdQN +sRuVinaLxA88Fd32ZmFxbagOLeKEXPTQT/ERbDOjhShY6jA2/LkIcg9mwDDOubsp +FcZaYlyXmvD+HNVxL5B4BGDWoGHmCxaj+bcYP4U797bpE90sTnMIQd6JoYEMQSIy +Re0S4jKIOkCqBDkPBIXZf/IizTvJiQoFUtT7civFYhcUHDOcWs69NUU3F6sEBZmq +C1uIRm7zD6FUPNpVcfVIeqcfWsnx5bSKwheh9Dk/A3eTmxjpodV4tIq6BfCLdq52 +85dumPB4zz/EmCuZ0hwy9/TJwaogVMqicvr1/pQXDM7T6fCM0vK9w/e4ejmX61TK +6MsTXFjxlwpIacl4fkAxk6L22xfB +-----END CERTIFICATE----- diff --git a/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-test-premium-Enc-05.20141215-20141209.SerNo165fb7.crt b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-test-premium-Enc-05.20141215-20141209.SerNo165fb7.crt new file mode 100644 index 000000000..9ea6d0c1c --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-test-premium-Enc-05.20141215-20141209.SerNo165fb7.crt @@ -0,0 +1,36 @@ +-----BEGIN CERTIFICATE----- +MIIGQTCCBCmgAwIBAgIDFl+3MA0GCSqGSIb3DQEBCwUAMIGVMQswCQYDVQQGEwJB +VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp +bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMR0wGwYDVQQLDBRBLVRydXN0LVRl +c3QtUm9vdC0wNTEdMBsGA1UEAwwUQS1UcnVzdC1UZXN0LVJvb3QtMDUwHhcNMTQx +MjE1MTMwOTAwWhcNMjQxMjA5MTIwOTAwWjCBoTELMAkGA1UEBhMCQVQxSDBGBgNV +BAoMP0EtVHJ1c3QgR2VzLiBmLiBTaWNoZXJoZWl0c3N5c3RlbWUgaW0gZWxla3Ry +LiBEYXRlbnZlcmtlaHIgR21iSDEjMCEGA1UECwwaYS1zaWduLVRlc3QtUHJlbWl1 +bS1FbmMtMDUxIzAhBgNVBAMMGmEtc2lnbi1UZXN0LVByZW1pdW0tRW5jLTA1MIIC +IDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEA2YDEweWMfTpWbHjFwzPl5tri +jaL4tmhuHQzuSAEO080+m5Dc38Rj5xHf1MNCxvAx18+3A+b0WDDhtdJh+SXVxAQq +/VhnaOFcdlvun0/4+l4Xynf6xd0r8WfQgnTAER4iFzGoWnOFQZqF3JGsx0mxd5Ss +6kbs+4Gd/FmdAD09qTb+e3FtQC9aszVb5j57LB14Ka+iVXMEFq6J1uvvdjIcwbeL +7gOGOLzn9dArFT4bfMIE/gBOJnY3Ulp16jOMGb2sY+9u9rGJ84jSpYKEsL+RBoJr +23O5rfdrVi/+fWC0QaDqwhI46lLr9Erkk7NjEeElZ+Tj2A5KK4K0FNvzAIqxki1Z +/MQcBfknbq9jxUZs4zUl9QA7ufCqmFhi4qQxycEfUEXsTFlya2IgWqavA1OFZ7Ww +tJQOR/EQUvtH/fIE7nompnxzWxi1iAvVkv0OEsAYVRd9ldviLl9wLzpQoOPvwc/B +kRLvriWH/Bjyc8+SeAfK92ZRHh+a1HBsX7XKuZwKJ/pVKF4EtalbZXlSuQau/Mc0 +ImS49AL/GjfShp/IhGHfBQbTjR3vhZfakG6wvSFnGaRt2ohxMHb0fSK7xNrDpfNV +Orloh77ry44C4jjQIairRW1l4CLilbitKpHO4VtZ443w25fud2FapvdesoUfHogV +KTce4dGvW3jrN7/8TRUCAQOjgY0wgYowPwYDVR0fBDgwNjA0oDKgMIYuaHR0cDov +L2NybC5hLXRydXN0LmF0L2NybC9BLVRydXN0LVRlc3QtUm9vdC0wNTATBgNVHSME +DDAKgAhEL/sUCZKJ0DAPBgNVHRMBAf8EBTADAQH/MBEGA1UdDgQKBAhH2pAliBnO +GzAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBADDqJFkkBD6tUmiu +L45YlXWKogD5eUfM+xnNVdg60M4HXHksVGT49CiY1vWzuLwUD3CXQ1W7yBKnLB5b +GcoaHNgZDhNskYJCZu9K0g8oqNEN3Hb2QoKqyCaOlKV0dXILq/3SbdcXvUkUPS9K +nWkX48tVMcw3OAmRYKwBK6tkUBwVw0VJ49sT+9qgPGCb8HYafSjCTnb3kdKGYK7a +0E6eVBjYf6WcMfvCIYma5Zi4fx7U0K6RN8xJvhRHAZK3uJphk1QciAIxViFIPnex +htgywJNHRautIsDbRGwdDVOUB6VdCFF19HnO9C4p2+pggCi9nT/I4CklZGZ5Q0VB +j9knsSFXYMY9QFGm3feiVIXAy2Pp7IMB21KNZKgqCLQRgANNdvkWwO97lcxpmocS +/p9LIEYDpa9tIvBrTiK39hUixeQaMhvlrSN3H49NqoxsStv8UEvSbjLJAuOcK1oV ++IWA8RbBwippM45729X7nGdPUbxys+rn7F04WNe+oQN96hKX4VJ6OCANz1bca6LV +sPtkFej+SLbpALVH3YvP4ct1UQms3UnuN9m1A0ceB4u4KroHBHlSGLB6K3UI3E42 +cYVaGrbflSvwwXxCHUvrCeL+eNKgI2Vyt29aHVJO0OMAS03Eb1PcygeNU4h6t+CS +UBU+/OTtSQGrLe+kMKP6uBO/cMhv +-----END CERTIFICATE----- diff --git a/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/a-sign-Test-Premium-Sig-05.20141215-20141209.SerNo165fb8.crt b/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/a-sign-Test-Premium-Sig-05.20141215-20141209.SerNo165fb8.crt new file mode 100644 index 000000000..ee17cdb80 --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/a-sign-Test-Premium-Sig-05.20141215-20141209.SerNo165fb8.crt @@ -0,0 +1,36 @@ +-----BEGIN CERTIFICATE----- +MIIGQTCCBCmgAwIBAgIDFl+4MA0GCSqGSIb3DQEBCwUAMIGVMQswCQYDVQQGEwJB +VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp +bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMR0wGwYDVQQLDBRBLVRydXN0LVRl +c3QtUm9vdC0wNTEdMBsGA1UEAwwUQS1UcnVzdC1UZXN0LVJvb3QtMDUwHhcNMTQx +MjE1MTMxMDE5WhcNMjQxMjA5MTIxMDE5WjCBoTELMAkGA1UEBhMCQVQxSDBGBgNV +BAoMP0EtVHJ1c3QgR2VzLiBmLiBTaWNoZXJoZWl0c3N5c3RlbWUgaW0gZWxla3Ry +LiBEYXRlbnZlcmtlaHIgR21iSDEjMCEGA1UECwwaYS1zaWduLVRlc3QtUHJlbWl1 +bS1TaWctMDUxIzAhBgNVBAMMGmEtc2lnbi1UZXN0LVByZW1pdW0tU2lnLTA1MIIC +IDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAq9PRwApA35K3LT0p5IYtNZMS +BFJsIkzjgF4FRQ36PtxeNsPL6iPgfFjWLZzVT1arHrC6ciz97haDWEN5Jq+aVaZp +gvFtvqZXlwYOWP0sshQg1aP7zrfH/N6yqjkrXHyzgmSz3SVIbdj5CqUJz/+94FCR +cA8XkQ3WZAjSkRB+MSIY8umftkmJOVAstaG28OEtpmqwBLRh/QGcNZzfhyrPS2Ls +5BAKQW9SBb1nXn8JOHq0Bd8zHShHbny9X/qT0xqeFfwItZWiW7iu3LgbGqfB3J4d +s+9iecwHDsmYdSb2quGmzJXejmvktFZte9dlF7BuBqier+R3/czdLteRems5S9Ka +hlP3+f3CnFwKihyVMhnuf5HyhCo1Fvrt+igWtNnos38qzB5RzRTJXnvZyrtTJMQE +/8ZuV2B12Oaf0AQjt+o/SPKeaTBX2yes0S1xbQy7xJzNhgBJ2Ir3OI6SoOooVN+9 +kQuzD7NsJBJzIy4dHCvOgs0C1ro8DROaV3Usn58eYOkLDrPGpEBmFq7GnsxnbeEh +5zzlgh00R9cy5PxiO40U+KxnTmQl+/vc9i1plDLsTRePeThKgS0UOIRZP7voYKdu +IJaEzufNXUxZbCc9Mq3V552BmRPhL9Ouf/bfaVMmkY4p7BdU57stxDfVwG9biujj +AVPA7DeRm+S0kzWRq0kCAQOjgY0wgYowPwYDVR0fBDgwNjA0oDKgMIYuaHR0cDov +L2NybC5hLXRydXN0LmF0L2NybC9BLVRydXN0LVRlc3QtUm9vdC0wNTATBgNVHSME +DDAKgAhEL/sUCZKJ0DAPBgNVHRMBAf8EBTADAQH/MBEGA1UdDgQKBAhB0SNOEjM1 +3jAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAEiqm52uEL2giMCy +8i1tIbqKP3SeJnYxhJgN4d3caWqfE1CoEUQjsN8t7sF866TOYJMrQ+/dS8bUqNiG +x4vvPrDq3DUSyKflgPaz+36xtB4BTlIiYTzio7Tnv+d5n+MsM6c/rijJzRx38FLM +tZTAfr7dXv5KxrfYrrEnPrGg0gMlYqX3rB1TKQnPx5qG3e2YXc6tdvDeXhh9cXj3 +76VJony7iV0ccKWNXRRNx1X0po/Luu6EMD/5czArtmO0KmGXO3gK3Fy7pxUbdBra +nSJNsY+Fv4X3zqf5n9ZM4Yut7KSqBiQbuMmIzLZkICJOWN5t9mOTStgmZjGqBdQN +sRuVinaLxA88Fd32ZmFxbagOLeKEXPTQT/ERbDOjhShY6jA2/LkIcg9mwDDOubsp +FcZaYlyXmvD+HNVxL5B4BGDWoGHmCxaj+bcYP4U797bpE90sTnMIQd6JoYEMQSIy +Re0S4jKIOkCqBDkPBIXZf/IizTvJiQoFUtT7civFYhcUHDOcWs69NUU3F6sEBZmq +C1uIRm7zD6FUPNpVcfVIeqcfWsnx5bSKwheh9Dk/A3eTmxjpodV4tIq6BfCLdq52 +85dumPB4zz/EmCuZ0hwy9/TJwaogVMqicvr1/pQXDM7T6fCM0vK9w/e4ejmX61TK +6MsTXFjxlwpIacl4fkAxk6L22xfB +-----END CERTIFICATE----- -- cgit v1.2.3 From d28e5b6e0d0793558f3328c5a420c17bdd606104 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 16 Apr 2015 13:48:50 +0200 Subject: update library versions --- id/server/idserverlib/pom.xml | 12 ++++++++++-- id/server/moa-id-commons/pom.xml | 9 ++++----- id/server/stork2-commons/pom.xml | 3 +-- id/server/stork2-saml-engine/pom.xml | 5 ----- 4 files changed, 15 insertions(+), 14 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml index dbfc19b68..9465b56d1 100644 --- a/id/server/idserverlib/pom.xml +++ b/id/server/idserverlib/pom.xml @@ -113,8 +113,6 @@ at.gv.util egovutils - - 2.0.0 com.sun @@ -142,6 +140,16 @@ + + + org.apache.cxf + cxf-rt-frontend-jaxws + + + org.apache.cxf + cxf-rt-transports-http + + javax.xml.bind diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml index c504a7f0c..27beeaaf3 100644 --- a/id/server/moa-id-commons/pom.xml +++ b/id/server/moa-id-commons/pom.xml @@ -46,23 +46,22 @@ org.hibernate hibernate-core - 4.3.8.Final + ${hibernate.version} org.hibernate hibernate-c3p0 - 4.3.8.Final + ${hibernate.version} org.hibernate hibernate-entitymanager - 4.3.8.Final + ${hibernate.version} org.apache.commons commons-lang3 - 3.3.2 commons-httpclient @@ -122,7 +121,7 @@ mysql mysql-connector-java - 5.1.34 + ${mysql-connector.java} diff --git a/id/server/stork2-commons/pom.xml b/id/server/stork2-commons/pom.xml index 81f2cf4e5..1a8dfd786 100644 --- a/id/server/stork2-commons/pom.xml +++ b/id/server/stork2-commons/pom.xml @@ -34,7 +34,7 @@ joda-time joda-time - 2.3 + ${jodatime.version} @@ -113,7 +113,6 @@ junit junit - 4.11 test diff --git a/id/server/stork2-saml-engine/pom.xml b/id/server/stork2-saml-engine/pom.xml index e5d3dc1f4..36df747e4 100644 --- a/id/server/stork2-saml-engine/pom.xml +++ b/id/server/stork2-saml-engine/pom.xml @@ -96,7 +96,6 @@ org.slf4j slf4j-api - 1.7.10