From 8ab6d299cbbc2b9faa7f0d70b45e00ce54645e55 Mon Sep 17 00:00:00 2001 From: Andreas Fitzek Date: Tue, 7 May 2013 13:59:10 +0200 Subject: PVP2.X Post and Redirect binding, signing and verification, added PVP2.x Citizen Token attributes --- .../moa/id/entrypoints/DispatcherServlet.java | 10 +- .../gv/egovernment/moa/id/moduls/IModulInfo.java | 4 +- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 20 ++- .../id/protocols/pvp2x/PVPAssertionStorage.java | 47 +++++++ .../id/protocols/pvp2x/PVPTargetConfiguration.java | 2 - .../protocols/pvp2x/binding/ArtifactBinding.java | 143 +++++++++++++++++++++ .../moa/id/protocols/pvp2x/binding/IDecoder.java | 2 - .../id/protocols/pvp2x/binding/PostBinding.java | 1 - .../pvp2x/builder/CitizenTokenBuilder.java | 126 ++++++++++++++++++ .../pvp2x/metadata/MOAMetadataProvider.java | 4 +- .../pvp2x/requestHandler/AuthnRequestHandler.java | 10 +- .../pvp2x/requestHandler/IRequestHandler.java | 2 - .../moa/id/protocols/pvp2x/utils/SAML2Utils.java | 4 +- .../id/protocols/pvp2x/utils/StoredAssertion.java | 48 +++++++ .../pvp2x/verification/SAMLVerifierMOASP.java | 4 +- .../moa/id/protocols/saml1/GetArtifactServlet.java | 4 - .../saml1/GetAuthenticationDataService.java | 2 - .../protocols/saml1/SAML1AuthenticationServer.java | 2 + .../moa/id/protocols/saml1/SAML1Protocol.java | 4 +- .../stork/vidp/messages/common/STORKBootstrap.java | 8 +- 20 files changed, 404 insertions(+), 43 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPAssertionStorage.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/StoredAssertion.java (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 27cd2b5a5..585655e7c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -179,9 +179,9 @@ public class DispatcherServlet extends AuthServlet { } HttpSession httpSession = req.getSession(); - + IRequest protocolRequest = null; try { - IRequest protocolRequest = RequestStorage + protocolRequest = RequestStorage .getPendingRequest(httpSession); if (protocolRequest != null) { @@ -250,12 +250,14 @@ public class DispatcherServlet extends AuthServlet { } moduleAction.processRequest(protocolRequest, req, resp); - + RequestStorage.removePendingRequest(httpSession); + AuthenticationManager.logout(req, resp); + } catch (Throwable e) { // Try handle module specific, if not possible rethrow - if (!info.generateErrorMessage(e, req, resp)) { + if (!info.generateErrorMessage(e, req, resp, protocolRequest)) { throw e; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IModulInfo.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IModulInfo.java index 181955c2a..5a2bb1efc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IModulInfo.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IModulInfo.java @@ -19,5 +19,7 @@ public interface IModulInfo { public IAction canHandleRequest(HttpServletRequest request, HttpServletResponse response); - public boolean generateErrorMessage(Throwable e,HttpServletRequest request, HttpServletResponse response); + public boolean generateErrorMessage(Throwable e, + HttpServletRequest request, HttpServletResponse response, + IRequest protocolRequest) throws Throwable; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 847f1ae54..feaf59cb2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -14,10 +14,10 @@ import org.apache.commons.lang.StringEscapeUtils; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.AuthnRequest; import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.Status; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.StatusMessage; +import org.opensaml.saml2.core.StatusResponseType; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; @@ -29,8 +29,8 @@ import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException; import at.gv.egovernment.moa.id.moduls.ServletInfo; import at.gv.egovernment.moa.id.moduls.ServletType; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; @@ -174,8 +174,15 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { } public boolean generateErrorMessage(Throwable e, - HttpServletRequest request, HttpServletResponse response) { - Response samlResponse = SAML2Utils.createSAMLObject(Response.class); + HttpServletRequest request, HttpServletResponse response, + IRequest protocolRequest) throws Throwable { + + if(protocolRequest == null) { + throw e; + } + + StatusResponseType samlResponse = + SAML2Utils.createSAMLObject(StatusResponseType.class); Status status = SAML2Utils.createSAMLObject(Status.class); StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); @@ -190,7 +197,10 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { status.setStatusCode(statusCode); status.setStatusMessage(statusMessage); samlResponse.setStatus(status); - return false; + IEncoder encoder = new RedirectBinding(); + + encoder.encodeRespone(request, response, samlResponse, protocolRequest.getOAURL()); + return true; } public IAction getAction(String action) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPAssertionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPAssertionStorage.java new file mode 100644 index 000000000..c188914df --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPAssertionStorage.java @@ -0,0 +1,47 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x; + +import java.util.HashMap; +import java.util.Map; + +import org.opensaml.common.SAMLObject; +import org.opensaml.common.binding.artifact.SAMLArtifactMap; +import org.opensaml.xml.io.MarshallingException; + +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.StoredAssertion; + +public class PVPAssertionStorage implements SAMLArtifactMap { + + private static PVPAssertionStorage instance = null; + + public static PVPAssertionStorage getInstance() { + if(instance == null) { + instance = new PVPAssertionStorage(); + } + return instance; + } + + private Map assertions = new HashMap(); + + public boolean contains(String artifact) { + return assertions.containsKey(artifact); + } + + public void put(String artifact, String relyingPartyId, String issuerId, + SAMLObject samlMessage) throws MarshallingException { + SAMLArtifactMapEntry assertion = new StoredAssertion(artifact, + relyingPartyId, + issuerId, + samlMessage); + + assertions.put(artifact, assertion); + } + + public SAMLArtifactMapEntry get(String artifact) { + return assertions.get(artifact); + } + + public void remove(String artifact) { + assertions.remove(artifact); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index f19602c1e..1f13cdfb5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -1,7 +1,5 @@ package at.gv.egovernment.moa.id.protocols.pvp2x; -import org.opensaml.saml2.core.RequestAbstractType; - import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java new file mode 100644 index 000000000..a7b4a5bc7 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java @@ -0,0 +1,143 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.binding; + +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.velocity.app.VelocityEngine; +import org.apache.velocity.runtime.RuntimeConstants; +import org.opensaml.common.SAMLObject; +import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder; +import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; +import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.metadata.SingleSignOnService; +import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; +import org.opensaml.ws.message.decoder.MessageDecodingException; +import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.ws.transport.http.HttpServletResponseAdapter; +import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.credential.BasicCredential; +import org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureConstants; + +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPAssertionStorage; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; + +public class ArtifactBinding implements IDecoder, IEncoder { + + public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, + RequestAbstractType request, String targetLocation) + throws MessageEncodingException, SecurityException { + // TODO Auto-generated method stub + + } + + public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, + StatusResponseType response, String targetLocation) + throws MessageEncodingException, SecurityException { + KeyStore keyStore; + + try { + keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); + + FileInputStream inputStream = new FileInputStream( + "/home/afitzek/server/moaid_conf/moaid/pvp.ks"); + keyStore.load(inputStream, "123456".toCharArray()); + inputStream.close(); + + BasicCredential credentials = new BasicCredential(); + PrivateKey key = (PrivateKey) keyStore.getKey("pvpIDP", + "123456".toCharArray()); + Certificate cert = keyStore.getCertificate("pvpIDP"); + credentials.setPublicKey(cert.getPublicKey()); + credentials.setPrivateKey(key); + credentials.setUsageType(UsageType.SIGNING); + + Signature signer = SAML2Utils.createSAMLObject(Signature.class); + signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1); + signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); + signer.setSigningCredential(credentials); + + response.setSignature(signer); + VelocityEngine engine = new VelocityEngine(); + engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8"); + engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8"); + engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8"); + engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath"); + engine.setProperty("classpath.resource.loader.class", + "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader"); + engine.init(); + + HTTPArtifactEncoder encoder = new HTTPArtifactEncoder(engine, + "resources/templates/pvp_postbinding_template.html", + PVPAssertionStorage.getInstance()); + + encoder.setPostEncoding(false); + HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( + resp, true); + BasicSAMLMessageContext context = new BasicSAMLMessageContext(); + SingleSignOnService service = new SingleSignOnServiceBuilder() + .buildObject(); + service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"); + service.setLocation(targetLocation); + context.setOutboundSAMLMessageSigningCredential(credentials); + context.setPeerEntityEndpoint(service); + // context.setOutboundMessage(authReq); + context.setOutboundSAMLMessage(response); + context.setOutboundMessageTransport(responseAdapter); + + encoder.encode(context); + } catch (KeyStoreException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (FileNotFoundException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (NoSuchAlgorithmException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (CertificateException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (IOException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (UnrecoverableKeyException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + } + + public MOARequest decodeRequest(HttpServletRequest req, + HttpServletResponse resp) throws MessageDecodingException, + SecurityException { + // TODO Auto-generated method stub + return null; + } + + public MOAResponse decodeRespone(HttpServletRequest req, + HttpServletResponse resp) throws MessageDecodingException, + SecurityException { + // TODO Auto-generated method stub + return null; + } + + public boolean handleDecode(String action) { + // TODO Auto-generated method stub + return false; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java index 8e27de7a5..2778016ba 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java @@ -3,8 +3,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.Response; import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.xml.security.SecurityException; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 06ce311cf..38be055be 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -20,7 +20,6 @@ import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; import org.opensaml.saml2.binding.decoding.HTTPPostDecoder; import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; -import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java new file mode 100644 index 000000000..0b280fe48 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java @@ -0,0 +1,126 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder; + +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeStatement; +import org.opensaml.saml2.core.AttributeValue; +import org.opensaml.xml.Configuration; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.schema.XSInteger; +import org.opensaml.xml.schema.XSString; +import org.opensaml.xml.schema.impl.XSIntegerBuilder; +import org.opensaml.xml.schema.impl.XSStringBuilder; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; + +public class CitizenTokenBuilder { + + public static XMLObject buildAttributeStringValue(String value) { + XSStringBuilder stringBuilder = (XSStringBuilder) Configuration.getBuilderFactory().getBuilder(XSString.TYPE_NAME); + XSString stringValue = stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME); + stringValue.setValue(value); + return stringValue; + } + + public static XMLObject buildAttributeIntegerValue(int value) { + XSIntegerBuilder integerBuilder = (XSIntegerBuilder) Configuration.getBuilderFactory().getBuilder(XSInteger.TYPE_NAME); + XSInteger integerValue = integerBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSInteger.TYPE_NAME); + integerValue.setValue(value); + return integerValue; + } + + public static Attribute buildStringAttribute(String friendlyName, + String name, String value) { + Attribute attribute = + SAML2Utils.createSAMLObject(Attribute.class); + attribute.setFriendlyName(friendlyName); + attribute.setName(name); + attribute.getAttributeValues().add(buildAttributeStringValue(value)); + return attribute; + } + + public static Attribute buildIntegerAttribute(String friendlyName, + String name, int value) { + Attribute attribute = + SAML2Utils.createSAMLObject(Attribute.class); + attribute.setFriendlyName(friendlyName); + attribute.setName(name); + attribute.getAttributeValues().add(buildAttributeIntegerValue(value)); + return attribute; + } + + public static Attribute buildPVPVersion(String value) { + return buildStringAttribute("PVP-VERSION", + "urn:oid:1.2.40.0.10.2.1.1.261.10", value); + } + + public static Attribute buildSecClass(int value) { + return buildIntegerAttribute("SECCLASS", + "", value); + } + + public static Attribute buildPrincipalName(String value) { + return buildStringAttribute("PRINCIPAL-NAME", + "urn:oid:1.2.40.0.10.2.1.1.261.20", value); + } + + public static Attribute buildGivenName(String value) { + return buildStringAttribute("GIVEN-NAME", + "urn:oid:2.5.4.42", value); + } + + public static Attribute buildBirthday(String value) { + return buildStringAttribute("BIRTHDATE", + "urn:oid:1.2.40.0.10.2.1.1.55", value); + } + + public static Attribute buildBPK(String value) { + return buildStringAttribute("BPK", + "urn:oid:1.2.40.0.10.2.1.1.149", value); + } + + public static Attribute buildEID_CITIZEN_QAALEVEL(int value) { + return buildIntegerAttribute("EID-CITIZEN-QAA-LEVEL", + "urn:oid:1.2.40.0.10.2.1.1.261.94", value); + } + + public static Attribute buildEID_ISSUING_NATION(String value) { + return buildStringAttribute("EID-ISSUING-NATION", + "urn:oid:1.2.40.0.10.2.1.1.261.32", value); + } + + public static Attribute buildEID_SECTOR_FOR_IDENTIFIER(String value) { + return buildStringAttribute("EID-SECTOR-FOR-IDENTIFIER", + "urn:oid:1.2.40.0.10.2.1.1.261.34", value); + } + + + public static AttributeStatement buildCitizenToken(MOARequest obj, + AuthenticationSession authSession) { + AttributeStatement statement = + SAML2Utils.createSAMLObject(AttributeStatement.class); + + Attribute pvpVersion = buildPVPVersion("2.1"); + Attribute secClass = buildSecClass(3); + Attribute principalName = buildPrincipalName(authSession.getAuthData().getFamilyName()); + Attribute givenName = buildGivenName(authSession.getAuthData().getGivenName()); + Attribute birthdate = buildBirthday(authSession.getAuthData().getDateOfBirth()); + Attribute bpk = buildBPK(authSession.getAuthData().getIdentificationValue()); + Attribute eid_citizen_qaa = buildEID_CITIZEN_QAALEVEL(3); + Attribute eid_issuing_nation = buildEID_ISSUING_NATION("AT"); + Attribute eid_sector_for_id = buildEID_SECTOR_FOR_IDENTIFIER(authSession.getAuthData().getIdentificationType()); + + statement.getAttributes().add(pvpVersion); + statement.getAttributes().add(secClass); + statement.getAttributes().add(principalName); + statement.getAttributes().add(givenName); + statement.getAttributes().add(birthdate); + statement.getAttributes().add(bpk); + statement.getAttributes().add(eid_citizen_qaa); + statement.getAttributes().add(eid_issuing_nation); + statement.getAttributes().add(eid_sector_for_id); + + return statement; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 8dad932e2..346883a94 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -5,15 +5,13 @@ import java.util.List; import javax.xml.namespace.QName; -import org.opensaml.DefaultBootstrap; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.RoleDescriptor; +import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider; -import org.opensaml.xml.ConfigurationException; import org.opensaml.xml.XMLObject; import org.opensaml.xml.parse.BasicParserPool; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index 4af35e325..27e248081 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -11,25 +11,19 @@ import org.opensaml.saml2.core.AuthnContext; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnRequest; import org.opensaml.saml2.core.AuthnStatement; -import org.opensaml.saml2.core.BaseID; import org.opensaml.saml2.core.Issuer; import org.opensaml.saml2.core.NameID; -import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Subject; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; -import edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.StoredIDStore.PersistentIdEntry; - import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.moduls.AuthenticationManager; -import at.gv.egovernment.moa.id.moduls.AuthenticationSessionStore; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.CitizenTokenBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.id.util.HTTPUtils; public class AuthnRequestHandler implements IRequestHandler { @@ -70,6 +64,8 @@ public class AuthnRequestHandler implements IRequestHandler { subjectNameID.setValue(authSession.getAuthData().getIdentificationValue()); subject.setNameID(subjectNameID); + assertion.getAttributeStatements().add(CitizenTokenBuilder.buildCitizenToken(obj, authSession)); + Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); issuer.setValue("pvpIDP"); assertion.setIssuer(issuer); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java index 74e8d8d4b..a971df93b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java @@ -3,8 +3,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.opensaml.saml2.core.RequestAbstractType; - import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; public interface IRequestHandler { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java index fa2ce4f79..0fa5a7193 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java @@ -11,15 +11,12 @@ import javax.xml.transform.TransformerException; import org.opensaml.Configuration; import org.opensaml.saml2.core.Status; import org.opensaml.saml2.core.StatusCode; -import org.opensaml.saml2.core.StatusMessage; import org.opensaml.xml.XMLObject; import org.opensaml.xml.XMLObjectBuilderFactory; import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.io.MarshallingException; import org.w3c.dom.Document; -import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException; - public class SAML2Utils { public static T createSAMLObject(final Class clazz) { @@ -29,6 +26,7 @@ public class SAML2Utils { QName defaultElementName = (QName) clazz.getDeclaredField( "DEFAULT_ELEMENT_NAME").get(null); + @SuppressWarnings("unchecked") T object = (T) builderFactory.getBuilder(defaultElementName) .buildObject(defaultElementName); return object; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/StoredAssertion.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/StoredAssertion.java new file mode 100644 index 000000000..70793d073 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/StoredAssertion.java @@ -0,0 +1,48 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.utils; + +import org.joda.time.DateTime; +import org.opensaml.common.SAMLObject; +import org.opensaml.common.binding.artifact.SAMLArtifactMap.SAMLArtifactMapEntry; + +public class StoredAssertion implements SAMLArtifactMapEntry { + private String artifact; + private String relyingPartyId; + private String issuerId; + private SAMLObject samlMessage; + private DateTime expirationTime; + + public StoredAssertion(String artifact, + String relyingPartyId, + String issuerId, + SAMLObject samlMessage) { + this.artifact = artifact; + this.relyingPartyId = relyingPartyId; + this.issuerId = issuerId; + this.samlMessage = samlMessage; + this.expirationTime = new DateTime(); + this.expirationTime.plusMinutes(5); + } + + public DateTime getExpirationTime() { + return expirationTime; + } + + public boolean isExpired() { + return this.expirationTime.isAfterNow(); + } + + public void onExpire() { + } + public String getArtifact() { + return artifact; + } + public String getIssuerId() { + return issuerId; + } + public String getRelyingPartyId() { + return relyingPartyId; + } + public SAMLObject getSamlMessage() { + return samlMessage; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java index af77213df..37289a8e3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java @@ -5,9 +5,6 @@ import org.opensaml.security.SAMLSignatureProfileValidator; import org.opensaml.xml.validation.ValidationException; import org.w3c.dom.Element; -import eu.stork.vidp.messages.util.SAMLUtil; -import eu.stork.vidp.messages.util.XMLUtil; - import at.gv.egovernment.moa.id.BuildException; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.ParseException; @@ -19,6 +16,7 @@ import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.logging.Logger; +import eu.stork.vidp.messages.util.XMLUtil; public class SAMLVerifierMOASP implements ISAMLVerifier { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java index 54bea4bb4..f5219f7e9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java @@ -1,7 +1,6 @@ package at.gv.egovernment.moa.id.protocols.saml1; import java.io.IOException; -import java.io.OutputStream; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; @@ -13,12 +12,9 @@ import org.apache.commons.lang.StringEscapeUtils; import at.gv.egovernment.moa.id.AuthenticationException; import at.gv.egovernment.moa.id.BuildException; import at.gv.egovernment.moa.id.auth.WrongParametersException; -import at.gv.egovernment.moa.id.auth.builder.LoginConfirmationBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java index 3a9b79163..784dec0df 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java @@ -28,12 +28,10 @@ import java.util.Calendar; import org.apache.axis.AxisFault; import org.w3c.dom.Element; - import org.w3c.dom.NodeList; import at.gv.egovernment.moa.id.AuthenticationException; import at.gv.egovernment.moa.id.MOAIDException; -import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.builder.SAMLResponseBuilder; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 7e4313087..4399c556b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -38,6 +38,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { // TODO: for clustering we have to replicate this data to other servers // We might need to introduce a openEJB to accomplish this /** authentication data store (assertion handle -> AuthenticationData) */ + @SuppressWarnings("rawtypes") private static Map authenticationDataStore = new HashMap(); /** @@ -270,6 +271,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { * @throws AuthenticationException * when SAML artifact is invalid */ + @SuppressWarnings("unchecked") private static void storeAuthenticationData(String samlArtifact, AuthenticationData authData) throws AuthenticationException { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index d184643c4..1731a738c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -76,7 +76,9 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { } public boolean generateErrorMessage(Throwable e, - HttpServletRequest request, HttpServletResponse response) { + HttpServletRequest request, HttpServletResponse response, + IRequest protocolRequest) + throws Throwable{ // TODO Auto-generated method stub return false; } diff --git a/id/server/stork-saml-engine/src/main/java/eu/stork/vidp/messages/common/STORKBootstrap.java b/id/server/stork-saml-engine/src/main/java/eu/stork/vidp/messages/common/STORKBootstrap.java index 80556cfa5..d75a4c2eb 100644 --- a/id/server/stork-saml-engine/src/main/java/eu/stork/vidp/messages/common/STORKBootstrap.java +++ b/id/server/stork-saml-engine/src/main/java/eu/stork/vidp/messages/common/STORKBootstrap.java @@ -45,13 +45,15 @@ public class STORKBootstrap extends DefaultBootstrap { * @throws ConfigurationException */ public static synchronized void bootstrap() throws ConfigurationException { + + DefaultBootstrap.bootstrap(); - SAMLSchemaBuilder.addExtensionSchema("stork-schema-assertion-1.0.xsd"); + /*SAMLSchemaBuilder.addExtensionSchema("stork-schema-assertion-1.0.xsd"); SAMLSchemaBuilder.addExtensionSchema("stork-schema-protocol-1.0.xsd"); - DefaultBootstrap.bootstrap(); + - initStorkConfig("saml2-stork-config.xml"); + initStorkConfig("saml2-stork-config.xml"); */ } -- cgit v1.2.3