From 4c59c85ac46957ed4610b9f2c19467cf8026705d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 28 Aug 2017 16:05:54 +0200 Subject: catch possible NullPointerException --- .../moa/id/protocols/pvp2x/verification/EntityVerifier.java | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java index 2ded32bac..d05d180e1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java @@ -55,6 +55,12 @@ public class EntityVerifier { try { IOAAuthParameters oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID); + if (oa == null) { + Logger.debug("No OnlineApplication with EntityID: " + entityID); + return null; + + } + String certBase64 = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); if (MiscUtil.isNotEmpty(certBase64)) { return Base64Utils.decode(certBase64, false); -- cgit v1.2.3 From 6af6c5fdffb071ce407a303cf3fd307359df1ef1 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 28 Aug 2017 16:29:40 +0200 Subject: update IAIK libs --- id/moa-spss-container/pom.xml | 17 ++++++++++------- .../egovernment/moa/id/util/ECDSAKeyValueConverter.java | 4 ++-- 2 files changed, 12 insertions(+), 9 deletions(-) (limited to 'id') diff --git a/id/moa-spss-container/pom.xml b/id/moa-spss-container/pom.xml index fe6ea0c47..6cf5d41b3 100644 --- a/id/moa-spss-container/pom.xml +++ b/id/moa-spss-container/pom.xml @@ -47,7 +47,7 @@ MOA.spss.server moa-sig-lib - 3.1.0 + 3.1.1 commons-logging @@ -65,7 +65,7 @@ MOA.spss common - 3.1.0 + 3.1.1 MOA.spss @@ -90,13 +90,16 @@ iaik.prod iaik_eccelerate - 3.1_eval + 4.02_eval - + + + + iaik.prod iaik_eccelerate_cms @@ -115,12 +118,12 @@ iaik.prod iaik_moa - 2.04 + 2.05 iaik.prod iaik_pki_module - 1.02_moa + 1.03_moa iaik.prod diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java index f37ae0b0b..d30ce4924 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java @@ -44,9 +44,9 @@ import iaik.security.ec.common.ECParameterSpec; import iaik.security.ec.common.ECPublicKey; import iaik.security.ec.common.ECStandardizedParameterFactory; import iaik.security.ec.common.EllipticCurve; +import iaik.security.ec.math.field.AbstractPrimeField; import iaik.security.ec.math.field.Field; import iaik.security.ec.math.field.FieldElement; -import iaik.security.ec.math.field.PrimeField; public class ECDSAKeyValueConverter { @@ -221,7 +221,7 @@ public class ECDSAKeyValueConverter // Value xValue = FieldFactory.getInstance().getPrimeFieldValue(new BigInteger(publicKeyXStr, 10)); // publicKeyPointX = field.newElement(xValue); - PrimeField pf = (PrimeField) field; + AbstractPrimeField pf = (AbstractPrimeField) field; publicKeyPointX = pf.newElement(new BigInteger(publicKeyXStr, 10)); // Value yValue = FieldFactory.getInstance().getPrimeFieldValue(new BigInteger(publicKeyYStr, 10)); // publicKeyPointY = field.newElement(yValue); -- cgit v1.2.3 From b45f0fe1efd4572b86689b6de9c3be1748fdafac Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 28 Aug 2017 16:40:52 +0200 Subject: update history.txt and add readme_3.2.3.txt --- id/history.txt | 6 + id/readme_3.2.3.txt | 731 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 737 insertions(+) create mode 100644 id/readme_3.2.3.txt (limited to 'id') diff --git a/id/history.txt b/id/history.txt index befe0ffbc..1869e28cb 100644 --- a/id/history.txt +++ b/id/history.txt @@ -1,5 +1,11 @@ Dieses Dokument zeigt die Veränderungen und Erweiterungen von MOA-ID auf. +Version MOA-ID Release 3.2.3: Änderungen seit Version MOA-ID 3.2.2 +- Änderungen + - Bug-Fix - Possible problem in combination with IAIK_JCE and JAVA JDK >= 8u141 + - Bug-Fix - Wrong logging entries + - Stabilitsverbesserungen + Version MOA-ID Release 3.2.2: Änderungen seit Version MOA-ID 3.2.1 - Änderungen - Security-Fix - Struts2 (CVE-2017-5638) diff --git a/id/readme_3.2.3.txt b/id/readme_3.2.3.txt new file mode 100644 index 000000000..a1582805d --- /dev/null +++ b/id/readme_3.2.3.txt @@ -0,0 +1,731 @@ +=============================================================================== +MOA ID Version Release 3.2.3 - Wichtige Informationen zur Installation +=============================================================================== + +------------------------------------------------------------------------------- +A. Neuerungen/Änderungen +------------------------------------------------------------------------------- + +Mit MOA ID Version 3.2.3 wurden folgende Neuerungen und Änderungen eingeführt, +die jetzt erstmals in der Veröffentlichung enthalten sind (siehe auch +history.txt im gleichen Verzeichnis). + +- Änderungen + - Behebung eines möglichen Problems mit JAVA JDK 8u141 + - Bug-Fixes + - Stabilitätsverbesserungen + +------------------------------------------------------------------------------- +B. Durchführung eines Updates +------------------------------------------------------------------------------- + +Es wird generell eine Neuinstallation lt. Handbuch empfohlen! Dennoch ist auch +eine Aktualisierung bestehender Installationen möglich. Je nachdem von welcher +MOA-ID Version ausgegangen wird ergibt sich eine Kombination der nachfolgend +angebebenen Updateschritte. + +Hinweis: Wenn Sie die bestehende Konfiguration von MOA-ID 2.x.x in MOA-ID 3.2.x +reimportieren möchten, so muss diese vor dem Update mit Hilfe der import/export +Funktion der grafischen Konfigurationsoberfläche in eine Datei exportiert werden. +Diese Datei dient dann als Basis für den Import in MOA-ID 3.2.x. + +............................................................................... +A.1 Durchführung eines Updates von Version 3.2.x auf Version 3.2.3 +............................................................................... +1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. + Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. + +2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.2.3.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST + bezeichnet. + +3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth + beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, + wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation + für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war + als auch das komplette Verzeichnis moa-id-auth. + +4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach + CATALINA_HOME_ID/webapps. + +5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach + CATALINA_HOME_ID/webapps. + +6. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis + JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach. + +7. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das + Verzeichnis JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr + unterstuetzt). + +8. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im + Logging von MOA ID beim Einlesen der Konfiguration. + + +............................................................................... +B.1 Durchführung eines Updates von Version 3.1.x auf Version 3.2.3 +............................................................................... +1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. + Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. + +2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.2.3.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST + bezeichnet. + +3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth + beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, + wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation + für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war + als auch das komplette Verzeichnis moa-id-auth. + +4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach + CATALINA_HOME_ID/webapps. + +5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach + CATALINA_HOME_ID/webapps. + +6. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis + JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach. + +7. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das + Verzeichnis JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr + unterstuetzt). + +8. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth + Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties + a.) moasession.jpaVendorAdapter.generateDdl=true + moasession.dbcp.connectionProperties= + moasession.dbcp.initialSize=5 + moasession.dbcp.maxActive=100 + moasession.dbcp.maxIdle=8 + moasession.dbcp.minIdle=5 + moasession.dbcp.maxWaitMillis=-1 + moasession.dbcp.testOnBorrow=true + moasession.dbcp.testOnReturn=false + moasession.dbcp.testWhileIdle=false + moasession.dbcp.validationQuery=select 1 + b.) advancedlogging.jpaVendorAdapter.generateDdl=true + advancedlogging.dbcp.initialSize=0 + advancedlogging.dbcp.maxActive=50 + advancedlogging.dbcp.maxIdle=8 + advancedlogging.dbcp.minIdle=0 + advancedlogging.dbcp.maxWaitMillis=-1 + advancedlogging.dbcp.testOnBorrow=true + advancedlogging.dbcp.testOnReturn=false + advancedlogging.dbcp.testWhileIdle=false + advancedlogging.dbcp.validationQuery=SELECT 1 + c.) *.hibernate.connection.url=... um den GET Parameter '&serverTimezone=UTC' erweitern + d.) configuration.ssl.validation.revocation.method.order=crl,ocsp + e.) Zusätzliche neu, aber optionale Parameter finden Sie in der Beispielkonfiguration + +9. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im + Logging von MOA ID beim Einlesen der Konfiguration. + + +............................................................................... +B.1 Durchführung eines Updates von Version 3.0.x auf Version 3.2.3 +............................................................................... +1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. + Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. + +2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.2.2.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST + bezeichnet. + +3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth + beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, + wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation + für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war + als auch das komplette Verzeichnis moa-id-auth. + +4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach + CATALINA_HOME_ID/webapps. + +5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach + CATALINA_HOME_ID/webapps. + +6. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis + JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach. + +7. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das + Verzeichnis JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr + unterstuetzt). + +8. Update der TrustStores für WebService Zugriffe. + a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\certs\ca-certs + in das Verzeichnis CATALINA_HOME\conf\moa-id\certs\ca-certs. + b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\certs\certstore\toBeAdded + in das Verzeichnis CATALINA_HOME\conf\moa-id\certs\certstore\toBeAdded. + +9. Hinzufügen der zusätzlichen Konfigurationsparameter in der + MOA-ID-Configuration Konfigurationsdatei + CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties + a.) dbcp.validationQuery=..... (SQL Query zum Validieren der + Datenbankverbindung + z.B: "SELECT 1" für mySQL + "select 1 from dual" für OracleDB) + +10. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth + Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties + a.) configuration.dbcp.validationQuery=..... (SQL Query zum + Validieren der Datenbankverbindung + z.B: "SELECT 1" für mySQL + "select 1 from dual" für OracleDB) + b.) moasession.jpaVendorAdapter.generateDdl=true + moasession.dbcp.connectionProperties= + moasession.dbcp.initialSize=5 + moasession.dbcp.maxActive=100 + moasession.dbcp.maxIdle=8 + moasession.dbcp.minIdle=5 + moasession.dbcp.maxWaitMillis=-1 + moasession.dbcp.testOnBorrow=true + moasession.dbcp.testOnReturn=false + moasession.dbcp.testWhileIdle=false + moasession.dbcp.validationQuery=select 1 + c.) advancedlogging.jpaVendorAdapter.generateDdl=true + advancedlogging.dbcp.initialSize=0 + advancedlogging.dbcp.maxActive=50 + advancedlogging.dbcp.maxIdle=8 + advancedlogging.dbcp.minIdle=0 + advancedlogging.dbcp.maxWaitMillis=-1 + advancedlogging.dbcp.testOnBorrow=true + advancedlogging.dbcp.testOnReturn=false + advancedlogging.dbcp.testWhileIdle=false + advancedlogging.dbcp.validationQuery=SELECT 1 + d.) *.hibernate.connection.url=... um den GET Parameter '&serverTimezone=UTC' erweitern + e.) configuration.ssl.validation.revocation.method.order=crl,ocsp + f.) Zusätzliche neu, aber optionale Parameter finden Sie in der Beispielkonfigration + +11. Update der Default html-Templates für die Bürgerkartenauswahl. + a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates + in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates. + b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates + in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates. + +12. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im + Logging von MOA ID beim Einlesen der Konfiguration. + + +............................................................................... +B.3 Durchführung eines Updates von Version 2.2.1 auf Version 3.2.3 +............................................................................... + +1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. + Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. + +2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-3.2.2.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST + bezeichnet. + +3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth + beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, + wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation + für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und + moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth + und das komplette Verzeichnis moa-id-configuration. + +4. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis + CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach. + +5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach + CATALINA_HOME_ID/webapps. + +6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach + CATALINA_HOME_ID/webapps. + +7. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis + JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach. + +8. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das + Verzeichnis JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr + unterstuetzt). + +9. Update des Cert-Stores. + Kopieren Sie den Inhalt des Verzeichnisses + MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis + CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie + vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann + bejahen sie das. + +10. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen + wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile + beibehalten wollen, dann gehen Sie vor, wie in Punkt b). + + a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen: + + 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles. + 2) Kopieren Sie das Verzeichnis + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis + CATALINA_HOME\conf\moa-spss. + + b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie + folgt vor, um die Profile auf den aktuellen Stand zu bringen: + + 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den + entsprechenden Profilen im Verzeichnis + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren + Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt + der einzelnen Profile aus der Distribution + (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden + Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) + kopieren und dabei die vorhandenen gleichnamigen Zertifikate + überschreiben), also z.B: Kopieren des Inhalts von + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\ + MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach + CATALINA_HOME\conf\moa-spss\trustProfiles\ + MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. + +11. Update der Default html-Templates für die Bürgerkartenauswahl. + + a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates + in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates. + b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates + in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates. + +12. Update der STORK Konfiguration + a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork + in das Verzeichnis CATALINA_HOME\conf\moa-id\stork. + b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration -> + 2.4 Konfiguration des SamlEngines an. + +13. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei + CATALINA_HOME\conf\moa-id\moa-id.properties + +14. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Configration Konfigurationsdatei + CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties + +15. Hinzufügen der zusätzlichen Konfigurationsdatei in der MOA-ID-Configuration + CATALINA_HOME\conf\moa-id-configuration\userdatabase.properties + +16. Update der Tomcat Start-Skripts: + - Die Konfigurationsdateien für MOA-ID-Auth und MOA-ID-Configuration müssen + nur als URI (file:/...) übergeben werden. + +17. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im + Logging von MOA ID beim Einlesen der Konfiguration. + + +............................................................................... +B.4 Durchführung eines Updates von Version 2.2.0 auf Version 2.2.1 +............................................................................... +1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. + Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. + +2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.2.1.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST + bezeichnet. + +3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth + beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, + wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation + für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und + moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth + und das komplette Verzeichnis moa-id-configuration. + +4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach + CATALINA_HOME_ID/webapps. + +5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach + CATALINA_HOME_ID/webapps. + +6. Update des Cert-Stores. + Kopieren Sie den Inhalt des Verzeichnisses + MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis + CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie + vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann + bejahen sie das. + +7. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen + wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile + beibehalten wollen, dann gehen Sie vor, wie in Punkt b). + + a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen: + + 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles. + 2) Kopieren Sie das Verzeichnis + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis + CATALINA_HOME\conf\moa-spss. + + b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie + folgt vor, um die Profile auf den aktuellen Stand zu bringen: + + 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den + entsprechenden Profilen im Verzeichnis + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren + Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt + der einzelnen Profile aus der Distribution + (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden + Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) + kopieren und dabei die vorhandenen gleichnamigen Zertifikate + überschreiben), also z.B: Kopieren des Inhalts von + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\ + MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach + CATALINA_HOME\conf\moa-spss\trustProfiles\ + MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. + +8. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im + Logging von MOA ID beim Einlesen der Konfiguration. + +............................................................................... +B.1 Durchführung eines Updates von Version 2.1.2 auf Version 2.2.0 +............................................................................... + 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. + Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. + +2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.2.0.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST + bezeichnet. + +3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth + beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, + wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation + für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und + moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth + und das komplette Verzeichnis moa-id-configuration. + +4. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis + CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach. + +6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach + CATALINA_HOME_ID/webapps. + +7. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach + CATALINA_HOME_ID/webapps. + +8. Kopieren der folgenden Dateien: + Sollte die Datei bereits vorhanden sein erstellen Sie ein Backup der + Datei bevor Sie diese durch die neue Version ersetzen. + a.) MOA_ID_AUTH_INST/conf/moa-id/stork/StorkSamlEngine_VIDP.xml -> + CATALINA_HOME/conf/moa-id/stork/StorkSamlEngine_VIDP.xml + b.) MOA_ID_AUTH_INST/conf/moa-id/stork/StorkSamlEngine_outgoing.xml -> + CATALINA_HOME/conf/moa-id/stork/StorkSamlEngine_outgoing.xml + +9. Dem STORK KeyStores unter MOA_ID_AUTH_INST/conf/moa-id/keys/storkDemoKeys.jks + (Passwort=local-demo) wurden neue vertrauenswürdige Zertifikate hinzugefügt. + Gleichen Sie bei Bedarf die Zertifikate dieses KeyStores mit Ihrem aktuell + verwendeten KeyStore ab. + +10. Update des Cert-Stores. + Kopieren Sie den Inhalt des Verzeichnisses + MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis + CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie + vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann + bejahen sie das. + +11. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen + wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile + beibehalten wollen, dann gehen Sie vor, wie in Punkt b). + + a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen: + + 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles. + 2) Kopieren Sie das Verzeichnis + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis + CATALINA_HOME\conf\moa-spss. + + b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie + folgt vor, um die Profile auf den aktuellen Stand zu bringen: + + 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den + entsprechenden Profilen im Verzeichnis + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren + Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt + der einzelnen Profile aus der Distribution + (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden + Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) + kopieren und dabei die vorhandenen gleichnamigen Zertifikate + überschreiben), also z.B: Kopieren des Inhalts von + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\ + MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach + CATALINA_HOME\conf\moa-spss\trustProfiles\ + MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. + + +12. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im + Logging von MOA ID beim Einlesen der Konfiguration. + +............................................................................... +B.2 Durchführung eines Updates von Version 2.1.1 auf Version 2.1.2 +............................................................................... + 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. + Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. + +2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.2.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST + bezeichnet. + +3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth + beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, + wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation + für MOA ID steht). Löschen Sie darin sowohl die Dateien moa-id-auth.war und + moa-id-configuration.war als auch das komplette Verzeichnis moa-id-auth + und das komplette Verzeichnis moa-id-configuration. + +4. Erstellen Sie eine Sicherungskopie aller "*.jar"-Dateien im Verzeichnis + CATALINA_HOME_ID\endorsed und loeschen Sie diese Dateien danach. + +5. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\endorsed in das + Verzeichnis CATALINA_HOME_ID\endorsed + +6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach + CATALINA_HOME_ID/webapps. + +7. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach + CATALINA_HOME_ID/webapps. + +8. Kopieren der folgenden Dateien + a.) MOA_ID_AUTH_INST/conf/moa-id/stork/StorkSamlEngine_VIDP.xml -> + CATALINA_HOME/conf/moa-id/stork/StorkSamlEngine_VIDP.xml + Sollte die Datei bereits vorhanden sein erstellen Sie ein Backup der + Datei slo_template.html bevor Sie diese durch die neue Version ersetzen. + +9. Dem STORK KeyStores unter MOA_ID_AUTH_INST/conf/moa-id/keys/storkDemoKeys.jks + (Passwort=local-demo) wurden neue vertrauenswürdige Zertifikate hinzugefügt. + Gleichen Sie bei Bedarf die Zertifikate dieses KeyStores mit Ihrem aktuell + verwendeten KeyStore ab. + +10. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im + Logging von MOA ID beim Einlesen der Konfiguration. + + +............................................................................... +B.3 Durchführung eines Updates von Version 2.1.0 auf Version 2.1.1 +............................................................................... + 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. + Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. + +2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.0.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST + bezeichnet. + +3. Erstellen Sie eine Sicherungskopie aller "iaik*.jar"-Dateien im Verzeichnis + JAVA_HOME\jre\lib\ext und loeschen Sie diese Dateien danach. + +4. Kopieren Sie alle Dateien aus dem Verzeichnis MOA_ID_AUTH_INST\ext in das + Verzeichnis JAVA_HOME\jre\lib\ext (Achtung: Java 1.4.x wird nicht mehr + unterstuetzt). + +5. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth + beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, + wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation + für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als + auch das komplette Verzeichnis moa-id-auth. + +6. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach + CATALINA_HOME_ID/webapps. + +7. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach + CATALINA_HOME_ID/webapps. + +8. Hinzufügen der zusätzlichen Konfigurationsparameter in der + MOA-ID-Configuration Konfigurationsdatei + CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties + a.) general.moaconfig.key=..... (Passwort zum Ver- und + Entschlüsseln von Konfigurationsparametern in der Datenbank) + +9. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth + Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties + a.) configuration.moaconfig.key=..... (Passwort zum Ver- und + Entschlüsseln von Konfigurationsparametern in der Datenbank) + +10. Kopieren der folgenden Dateien + a.) MOA_ID_AUTH_INST/conf/moa-id/htmlTemplates/slo_template.html -> + CATALINA_HOME/conf/moa-id/htmlTemplates/slo_template.html + Sollte die Datei bereits vorhanden sein erstellen Sie ein Backup der + Datei slo_template.html bevor Sie diese durch die neue Version ersetzen. + +11. Update des Cert-Stores. + Kopieren Sie den Inhalt des Verzeichnisses + MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis + CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie + vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann + bejahen sie das. + +12. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen + wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile + beibehalten wollen, dann gehen Sie vor, wie in Punkt b). + + a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen: + + 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles. + 2) Kopieren Sie das Verzeichnis + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis + CATALINA_HOME\conf\moa-spss. + + b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie + folgt vor, um die Profile auf den aktuellen Stand zu bringen: + + 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den + entsprechenden Profilen im Verzeichnis + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren + Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt + der einzelnen Profile aus der Distribution + (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden + Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) + kopieren und dabei die vorhandenen gleichnamigen Zertifikate + überschreiben), also z.B: Kopieren des Inhalts von + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\ + MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach + CATALINA_HOME\conf\moa-spss\trustProfiles\ + MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. + +13. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im + Logging von MOA ID beim Einlesen der Konfiguration. + + +............................................................................... +B.4 Durchführung eines Updates von Version 2.0.1 auf Version 2.1.0 +............................................................................... + 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. + Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. + +2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.0.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST + bezeichnet. + +3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth + beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, + wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation + für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als + auch das komplette Verzeichnis moa-id-auth. + +4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach + CATALINA_HOME_ID/webapps. + +5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach + CATALINA_HOME_ID/webapps. + +6. Update der STORK Konfiguration + a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork + in das Verzeichnis CATALINA_HOME\conf\moa-id\stork. + b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration -> + 2.4 Konfiguration des SamlEngines an. + +7. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Configuration Konfigurationsdatei + CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties + a.) general.ssl.certstore=certs/certstore + b.) general.ssl.truststore=certs/truststore + +8. Kopieren des folgenden zusätzlichen Ordners MOA_ID_AUTH_INST/conf/moa-id-configuration/certs + nach CATALINA_HOME\conf\moa-id-configuration\ + +9. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei + CATALINA_HOME\conf\moa-id\moa-id.properties und Anpassung an das zu verwendeten Schlüsselpaar. + a.) protocols.pvp2.idp.ks.assertion.encryption.alias=pvp_assertion + protocols.pvp2.idp.ks.assertion.encryption.keypassword=password + +10. Kopieren der folgenden zusätzlichen Ordner aus MOA_ID_AUTH_INST/conf/moa-id/ + nach CATALINA_HOME\conf\moa-id\ + a.) MOA_ID_AUTH_INST/conf/moa-id/SLTemplates -> CATALINA_HOME\conf\moa-id\ + b.) MOA_ID_AUTH_INST/conf/moa-id/htmlTemplates/slo_template.html -> + CATALINA_HOME/conf/moa-id/htmlTemplates/slo_template.html + +11. Neuinitialisieren des Datenbank Schema für die MOA-Session. Hierfür stehen + zwei Varianten zur Verfügung. + a.) Ändern Sie in der Konfigurationsdatei für das Modul MOA-ID-Auth + CATALINA_HOME\conf\moa-id\moa-id.properties die Zeile + moasession.hibernate.hbm2ddl.auto=update + zu + moasession.hibernate.hbm2ddl.auto=create + Danach werden die Tabellen beim nächsten Startvorgang neu generiert. + + b.) Löschen Sie alle Tabellen aus dem Datenbank Schema für die MOA-Sessixson + Informationen per Hand. Alle Tabellen werden beim nächsten Start autmatisch neu generiert. + +12 . Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im + Logging von MOA ID beim Einlesen der Konfiguration. + + +............................................................................... +B.5 Durchführung eines Updates von Version 2.0-RC1 auf Version 2.0.1 +............................................................................... + +1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. + Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. + +2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.0.1.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST + bezeichnet. + Für MOA ID Proxy: + Entpacken Sie die Distribution von MOA-ID-Proxy (moa-id-proxy-2.0.1.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_PROXY_INST + bezeichnet. + +3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth + beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, + wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation + für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als + auch das komplette Verzeichnis moa-id-auth. + +4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach + CATALINA_HOME_ID/webapps. + +5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach + CATALINA_HOME_ID/webapps. + +6. Update des Cert-Stores. + Kopieren Sie den Inhalt des Verzeichnisses + MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis + CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie + vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann + bejahen sie das. + +7. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen + wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile + beibehalten wollen, dann gehen Sie vor, wie in Punkt b). + + a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen: + + 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles. + 2) Kopieren Sie das Verzeichnis + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis + CATALINA_HOME\conf\moa-spss. + + b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie + folgt vor, um die Profile auf den aktuellen Stand zu bringen: + + 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den + entsprechenden Profilen im Verzeichnis + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren + Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt + der einzelnen Profile aus der Distribution + (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden + Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) + kopieren und dabei die vorhandenen gleichnamigen Zertifikate + überschreiben), also z.B: Kopieren des Inhalts von + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\ + MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach + CATALINA_HOME\conf\moa-spss\trustProfiles\ + MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. + +8. Update der Default html-Templates für die Bürgerkartenauswahl. + + a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates + in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates. + b.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates + in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates. + +9. Update der STORK Konfiguration + a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork + in das Verzeichnis CATALINA_HOME\conf\moa-id\stork. + b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration -> + 2.4 Konfiguration des SamlEngines an. + +10. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei + CATALINA_HOME\conf\moa-id\moa-id.properties + + a.) configuration.validation.certificate.QC.ignore=false + b.) protocols.pvp2.assertion.encryption.active=false + +11. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im + Logging von MOA ID beim Einlesen der Konfiguration. + + +............................................................................... +B.6 Durchführung eines Updates von Version <= 1.5.1 +............................................................................... + +Bitte führen Sie eine Neuinstallation von MOA ID laut Handbuch durch und passen +Sie die mitgelieferte Musterkonfiguration entsprechend Ihren Bedürfnissen unter +Zuhilfenahme Ihrer bisherigen Konfiguration an. + -- cgit v1.2.3 From 211fd182136ba3def6b31f6acd86b91c1521d092 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 6 Sep 2017 12:38:50 +0200 Subject: update StatisticLogger to handle unknown BKUTypes --- .../gv/egovernment/moa/id/advancedlogging/StatisticLogger.java | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index b57e6ed69..55b1a7c9a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -69,6 +69,7 @@ public class StatisticLogger implements IStatisticLogger{ private static final String GENERIC_LOCALBKU = ":3496/https-security-layer-request"; private static final String GENERIC_HANDYBKU = "https://www.handy-signatur.at/"; + private static final String GENERIC_ONLINE_BKU = "bkuonline"; private static final String MANTATORTYPE_JUR = "jur"; private static final String MANTATORTYPE_NAT = "nat"; @@ -422,8 +423,13 @@ public class StatisticLogger implements IStatisticLogger{ return IOAAuthParameters.HANDYBKU; } - Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU); - return IOAAuthParameters.ONLINEBKU; + if (bkuURL.contains(GENERIC_ONLINE_BKU)) { + Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU); + return IOAAuthParameters.ONLINEBKU; + } + + Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.AUTHTYPE_OTHERS); + return IOAAuthParameters.AUTHTYPE_OTHERS; } } -- cgit v1.2.3 From 41275a296c73a5ecb29d52829116f4b6e99ce006 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 6 Sep 2017 12:39:48 +0200 Subject: add xsd schema for eIDAS specific SAML2 extensions --- .../java/at/gv/egovernment/moa/util/Constants.java | 9 ++++++- .../resources/schemas/eIDAS_saml_extensions.xsd | 31 ++++++++++++++++++++++ .../auth/modules/eidas/utils/SAMLEngineUtils.java | 4 +++ .../resources/schema/eIDAS_saml_extensions.xsd | 31 ++++++++++++++++++++++ 4 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd create mode 100644 id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd (limited to 'id') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java index 129478270..2a4e3b362 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java @@ -394,6 +394,12 @@ public interface Constants { public static final String SAML2_METADATA_SCHEMA_LOCATION = SCHEMA_ROOT + "saml-schema-metadata-2.0.xsd"; + + /* Prefix and Schema definition for eIDAS specific SAML2 extensions*/ + public static final String SAML2_eIDAS_EXTENSIONS_PREFIX = "eidas"; + public static final String SAML2_eIDAS_EXTENSIONS = "http://eidas.europa.eu/saml-extensions"; + public static final String SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION = SCHEMA_ROOT + "eIDAS_saml_extensions.xsd"; + /** * Contains all namespaces and local schema locations for XML schema * definitions relevant for MOA. For use in validating XML parsers. @@ -427,7 +433,8 @@ public interface Constants { + (STORK_NS_URI + " " + STORK_SCHEMA_LOCATION + " ") + (STORKP_NS_URI + " " + STORKP_SCHEMA_LOCATION + " ") + (SAML2_METADATA_URI + " " + SAML2_METADATA_SCHEMA_LOCATION + " ") - + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION); + + (XENC_NS_URI + " " + XENC_SCHEMA_LOCATION) + + (SAML2_eIDAS_EXTENSIONS + " " + SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION); /** URN prefix for bPK and wbPK. */ public static final String URN_PREFIX = "urn:publicid:gv.at"; diff --git a/id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd b/id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd new file mode 100644 index 000000000..76b82a267 --- /dev/null +++ b/id/server/moa-id-commons/src/main/resources/resources/schemas/eIDAS_saml_extensions.xsd @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java index d469ca28c..02a5df098 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java @@ -28,6 +28,7 @@ import java.net.URL; import java.util.HashMap; import java.util.Map; +import org.opensaml.common.xml.SAMLSchemaBuilder; import org.opensaml.xml.ConfigurationException; import org.opensaml.xml.XMLConfigurator; @@ -107,6 +108,9 @@ public class SAMLEngineUtils { //overwrite eIDAS response validator suite because Condition-Valitator has not time jitter initOpenSAMLConfig("own-saml-eidasnode-config.xml"); + //add eIDAS specific SAML2 extensions to eIDAS Schema validatior + SAMLSchemaBuilder.addExtensionSchema( + at.gv.egovernment.moa.util.Constants.SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION); eIDASEngine = engine; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd b/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd new file mode 100644 index 000000000..76b82a267 --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + -- cgit v1.2.3 From e36b3381215d1e29ba83658314e22085a3daff14 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 6 Sep 2017 14:30:42 +0200 Subject: fix wrong entries in eIDAS metadata extensions --- .../moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'id') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java index d0c003b31..bb52d2ffe 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java @@ -168,12 +168,12 @@ public class NewMoaEidasMetadata { } private void generateDigest(Extensions eidasExtensions) throws EIDASSAMLEngineException { - if (!(StringUtils.isEmpty(this.params.getDigestMethods()))) { - Set signatureMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods()); + if (!(StringUtils.isEmpty(this.params.getSigningMethods()))) { + Set signatureMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getSigningMethods()); Set digestMethods = new HashSet(); for (String signatureMethod : signatureMethods) { digestMethods.add(CertificateUtil.validateDigestAlgorithm(signatureMethod)); - } + } for (String digestMethod : digestMethods) { DigestMethod dm = (DigestMethod) BuilderFactoryUtil.buildXmlObject(DigestMethod.DEF_ELEMENT_NAME); if (dm != null) { @@ -203,7 +203,7 @@ public class NewMoaEidasMetadata { generateDigest(eidasExtensions); if (!(StringUtils.isEmpty(this.params.getSigningMethods()))) { - Set signMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods()); + Set signMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getSigningMethods()); for (String signMethod : signMethods) { SigningMethod sm = (SigningMethod) BuilderFactoryUtil .buildXmlObject(SigningMethod.DEF_ELEMENT_NAME); -- cgit v1.2.3 From cfc0d2f6db21b4a07ef80ec31d589cbeb1f32a92 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 6 Sep 2017 14:31:25 +0200 Subject: add static variable and update demo OA --- .../egovernment/moa/id/demoOA/Configuration.java | 8 + .../at/gv/egovernment/moa/id/demoOA/Constants.java | 1 + .../moa/id/demoOA/servlet/pvp2/Authenticate.java | 119 ++++++----- .../moa/id/demoOA/servlet/pvp2/BuildMetadata.java | 11 +- .../id/demoOA/servlet/pvp2/DemoApplication.java | 225 ++++++++++++--------- .../moa/id/commons/api/IOAAuthParameters.java | 1 + 6 files changed, 220 insertions(+), 145 deletions(-) (limited to 'id') diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java index 95347c265..09069ac7f 100644 --- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java +++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Configuration.java @@ -174,6 +174,14 @@ public class Configuration { } + public boolean useRedirectBindingRequest() { + return Boolean.parseBoolean(props.getProperty("general.login.pvp2.binding.req.redirect", "true")); + } + + public boolean useRedirectBindingResponse() { + return Boolean.parseBoolean(props.getProperty("general.login.pvp2.binding.resp.redirect", "false")); + } + public void initializePVP2Login() throws ConfigurationException { if (!pvp2logininitialzied) initalPVP2Login(); diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java index d6d2b32da..00e7c3619 100644 --- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java +++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/Constants.java @@ -34,4 +34,5 @@ public class Constants { public static final String SESSION_NAMEID = "pvp2nameID"; public static final String SESSION_NAMEIDFORMAT = "pvp2nameIDFormat"; + } diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java index 2641797ed..4c909ff80 100644 --- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java +++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/Authenticate.java @@ -34,11 +34,15 @@ import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; +import org.apache.commons.lang3.RandomUtils; +import org.apache.velocity.app.VelocityEngine; +import org.apache.velocity.runtime.RuntimeConstants; import org.joda.time.DateTime; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; import org.opensaml.common.impl.SecureRandomIdentifierGenerator; import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; @@ -107,8 +111,13 @@ public class Authenticate extends HttpServlet { SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); authReq.setID(gen.generateIdentifier()); + String relayState = String.valueOf(RandomUtils.nextLong()); - authReq.setAssertionConsumerServiceIndex(0); + if (config.useRedirectBindingResponse()) + authReq.setAssertionConsumerServiceIndex(1); + else + authReq.setAssertionConsumerServiceIndex(0); + authReq.setAttributeConsumingServiceIndex(0); authReq.setIssueInstant(new DateTime()); @@ -152,17 +161,24 @@ public class Authenticate extends HttpServlet { for (SingleSignOnService sss : idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) { -// //Get the service address for the binding you wish to use -// if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { -// redirectEndpoint = sss; -// } + //Get the service address for the binding you wish to use + if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI) && !config.useRedirectBindingRequest()) { + redirectEndpoint = sss; + } //Get the service address for the binding you wish to use - if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { + if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) && config.useRedirectBindingRequest()) { redirectEndpoint = sss; } } + + if (redirectEndpoint == null) { + log.warn("Can not find valid EndPoint for SAML2 response"); + throw new ConfigurationException("Can not find valid EndPoint for SAML2 response"); + + } + authReq.setDestination(redirectEndpoint.getLocation()); //authReq.setDestination("http://test.test.test"); @@ -195,49 +211,54 @@ public class Authenticate extends HttpServlet { signer.setSigningCredential(authcredential); authReq.setSignature(signer); - //generate Http-POST Binding message -// VelocityEngine engine = new VelocityEngine(); -// engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8"); -// engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8"); -// engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8"); -// engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath"); -// engine.setProperty("classpath.resource.loader.class", -// "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader"); -// engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, -// "org.apache.velocity.runtime.log.SimpleLog4JLogSystem"); -// engine.init(); -// -// HTTPPostEncoder encoder = new HTTPPostEncoder(engine, -// "templates/pvp_postbinding_template.html"); -// HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( -// response, true); -// BasicSAMLMessageContext context = new BasicSAMLMessageContext(); -// SingleSignOnService service = new SingleSignOnServiceBuilder() -// .buildObject(); -// service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"); -// service.setLocation(redirectEndpoint.getLocation());; -// -// context.setOutboundSAMLMessageSigningCredential(authcredential); -// context.setPeerEntityEndpoint(service); -// context.setOutboundSAMLMessage(authReq); -// context.setOutboundMessageTransport(responseAdapter); - - //generate Redirect Binding message - HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); - HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( - response, true); - BasicSAMLMessageContext context = new BasicSAMLMessageContext(); - SingleSignOnService service = new SingleSignOnServiceBuilder() - .buildObject(); - service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - service.setLocation(redirectEndpoint.getLocation()); - context.setOutboundSAMLMessageSigningCredential(authcredential); - context.setPeerEntityEndpoint(service); - context.setOutboundSAMLMessage(authReq); - context.setOutboundMessageTransport(responseAdapter); - //context.setRelayState(relayState); - - encoder.encode(context); + + if (!config.useRedirectBindingRequest()) { + //generate Http-POST Binding message + VelocityEngine engine = new VelocityEngine(); + engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8"); + engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8"); + engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8"); + engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath"); + engine.setProperty("classpath.resource.loader.class", + "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader"); + engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, + "org.apache.velocity.runtime.log.SimpleLog4JLogSystem"); + engine.init(); + + HTTPPostEncoder encoder = new HTTPPostEncoder(engine, + "templates/pvp_postbinding_template.html"); + HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( + response, true); + BasicSAMLMessageContext context = new BasicSAMLMessageContext(); + SingleSignOnService service = new SingleSignOnServiceBuilder() + .buildObject(); + service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"); + service.setLocation(redirectEndpoint.getLocation());; + context.setOutboundSAMLMessageSigningCredential(authcredential); + context.setPeerEntityEndpoint(service); + context.setOutboundSAMLMessage(authReq); + context.setOutboundMessageTransport(responseAdapter); + context.setRelayState(relayState); + encoder.encode(context); + + } else { + //generate Redirect Binding message + HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); + HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( + response, true); + BasicSAMLMessageContext context = new BasicSAMLMessageContext(); + SingleSignOnService service = new SingleSignOnServiceBuilder() + .buildObject(); + service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + service.setLocation(redirectEndpoint.getLocation()); + context.setOutboundSAMLMessageSigningCredential(authcredential); + context.setPeerEntityEndpoint(service); + context.setOutboundSAMLMessage(authReq); + context.setOutboundMessageTransport(responseAdapter); + context.setRelayState(relayState); + encoder.encode(context); + + } } catch (Exception e) { log.warn("Authentication Request can not be generated", e); diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java index 75b54cfc4..d28f94fd6 100644 --- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java +++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/BuildMetadata.java @@ -234,13 +234,20 @@ public class BuildMetadata extends HttpServlet { //set HTTP-POST Binding assertion consumer service AssertionConsumerService postassertionConsumerService = - SAML2Utils.createSAMLObject(AssertionConsumerService.class); - + SAML2Utils.createSAMLObject(AssertionConsumerService.class); postassertionConsumerService.setIndex(0); postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); postassertionConsumerService.setLocation(serviceURL + Constants.SERVLET_PVP2ASSERTION); spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService); + //set HTTP-Redirect Binding assertion consumer service + AssertionConsumerService redirectassertionConsumerService = + SAML2Utils.createSAMLObject(AssertionConsumerService.class); + redirectassertionConsumerService.setIndex(1); + redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + redirectassertionConsumerService.setLocation(serviceURL + Constants.SERVLET_PVP2ASSERTION); + spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService); + //set Single Log-Out service SingleLogoutService sloService = SAML2Utils.createSAMLObject(SingleLogoutService.class); sloService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java index cfc170011..31a3be7e2 100644 --- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java +++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java @@ -38,6 +38,9 @@ import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.decoding.HTTPPostDecoder; +import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder; +import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule; +import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.EncryptedAssertion; @@ -46,10 +49,14 @@ import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.encryption.Decrypter; import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.saml2.metadata.IDPSSODescriptor; +import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.security.MetadataCredentialResolver; import org.opensaml.security.MetadataCredentialResolverFactory; import org.opensaml.security.MetadataCriteria; import org.opensaml.security.SAMLSignatureProfileValidator; +import org.opensaml.ws.security.SecurityPolicyResolver; +import org.opensaml.ws.security.provider.BasicSecurityPolicy; +import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver; import org.opensaml.ws.transport.http.HttpServletRequestAdapter; import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; @@ -101,11 +108,40 @@ public class DemoApplication extends HttpServlet { return; } - if (method.equals("POST")) { - - try { - Configuration config = Configuration.getInstance(); + try { + Configuration config = Configuration.getInstance(); + Response samlResponse = null; + + if (method.equals("GET")) { + HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(new BasicParserPool()); + BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); + + messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request)); + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + + messageContext.setMetadataProvider(config.getMetaDataProvier()); + + MetadataCredentialResolver resolver = new MetadataCredentialResolver(config.getMetaDataProvier()); + List keyInfoProvider = new ArrayList(); + keyInfoProvider.add(new DSAKeyValueProvider()); + keyInfoProvider.add(new RSAKeyValueProvider()); + keyInfoProvider.add(new InlineX509DataProvider()); + KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver( + keyInfoProvider); + ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine( + resolver, keyInfoResolver); + + SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(engine); + SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule(); + BasicSecurityPolicy policy = new BasicSecurityPolicy(); + policy.getPolicyRules().add(signatureRule); + policy.getPolicyRules().add(signedRole); + SecurityPolicyResolver resolver1 = new StaticSecurityPolicyResolver(policy); + messageContext.setSecurityPolicyResolver(resolver1); + decode.decode(messageContext); + + } else if (method.equals("POST")) { //Decode with HttpPost Binding HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); @@ -114,7 +150,7 @@ public class DemoApplication extends HttpServlet { request)); decode.decode(messageContext); - Response samlResponse = (Response) messageContext.getInboundMessage(); + samlResponse = (Response) messageContext.getInboundMessage(); Signature sign = samlResponse.getSignature(); if (sign == null) { @@ -148,116 +184,117 @@ public class DemoApplication extends HttpServlet { ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver); trustEngine.validate(sign, criteriaSet); - log.info("PVP2 Assertion is valid"); + log.info("PVP2 Assertion with POST-Binding is valid"); - //set assertion - org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse); - String assertion = DOMUtils.serializeNode(doc); - bean.setAssertion(assertion); + } else { + bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding."); + setAnser(request, response, bean); + return; - if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { + } - List saml2assertions = new ArrayList(); - - //check encrypted Assertion - List encryAssertionList = samlResponse.getEncryptedAssertions(); - if (encryAssertionList != null && encryAssertionList.size() > 0) { - //decrypt assertions - - log.debug("Found encryped assertion. Start decryption ..."); - - KeyStore keyStore = config.getPVP2KeyStore(); - - X509Credential authDecCredential = new KeyStoreX509CredentialAdapter( - keyStore, - config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(), - config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray()); - - - StaticKeyInfoCredentialResolver skicr = - new StaticKeyInfoCredentialResolver(authDecCredential); - - ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); - encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); - encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); - encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); - - Decrypter samlDecrypter = - new Decrypter(null, skicr, encryptedKeyResolver); - - for (EncryptedAssertion encAssertion : encryAssertionList) { - saml2assertions.add(samlDecrypter.decrypt(encAssertion)); - - } - - log.debug("Assertion decryption finished. "); - - } else { - saml2assertions = samlResponse.getAssertions(); + //set assertion + org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse); + String assertion = DOMUtils.serializeNode(doc); + bean.setAssertion(assertion); + + if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { + + List saml2assertions = new ArrayList(); - } + //check encrypted Assertion + List encryAssertionList = samlResponse.getEncryptedAssertions(); + if (encryAssertionList != null && encryAssertionList.size() > 0) { + //decrypt assertions - String givenName = null; - String familyName = null; - String birthday = null; + log.debug("Found encryped assertion. Start decryption ..."); - for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { - - //loop through the nodes to get what we want - List attributeStatements = saml2assertion.getAttributeStatements(); - for (int i = 0; i < attributeStatements.size(); i++) - { - List attributes = attributeStatements.get(i).getAttributes(); - for (int x = 0; x < attributes.size(); x++) - { - String strAttributeName = attributes.get(x).getDOM().getAttribute("Name"); + KeyStore keyStore = config.getPVP2KeyStore(); + + X509Credential authDecCredential = new KeyStoreX509CredentialAdapter( + keyStore, + config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(), + config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray()); + + + StaticKeyInfoCredentialResolver skicr = + new StaticKeyInfoCredentialResolver(authDecCredential); + + ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); + encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); + encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); + encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); + + Decrypter samlDecrypter = + new Decrypter(null, skicr, encryptedKeyResolver); + + for (EncryptedAssertion encAssertion : encryAssertionList) { + saml2assertions.add(samlDecrypter.decrypt(encAssertion)); - if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME)) - familyName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue(); - if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME)) - givenName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue(); - - if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) { - birthday = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue(); - } - } - } - request.getSession().setAttribute(Constants.SESSION_NAMEIDFORMAT, - saml2assertion.getSubject().getNameID().getFormat()); - request.getSession().setAttribute(Constants.SESSION_NAMEID, - saml2assertion.getSubject().getNameID().getValue()); - } - - bean.setDateOfBirth(birthday); - bean.setFamilyName(familyName); - bean.setGivenName(givenName); - bean.setLogin(true); - - setAnser(request, response, bean); - return; + log.debug("Assertion decryption finished. "); } else { - bean.setErrorMessage("Der Anmeldevorgang wurde abgebrochen.
Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion."); - setAnser(request, response, bean); - return; + saml2assertions = samlResponse.getAssertions(); + + } + + String givenName = null; + String familyName = null; + String birthday = null; + + for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { + + //loop through the nodes to get what we want + List attributeStatements = saml2assertion.getAttributeStatements(); + for (int i = 0; i < attributeStatements.size(); i++) + { + List attributes = attributeStatements.get(i).getAttributes(); + for (int x = 0; x < attributes.size(); x++) + { + String strAttributeName = attributes.get(x).getDOM().getAttribute("Name"); + + if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME)) + familyName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue(); + if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME)) + givenName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue(); + + if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) { + birthday = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue(); + } + } + } + request.getSession().setAttribute(Constants.SESSION_NAMEIDFORMAT, + saml2assertion.getSubject().getNameID().getFormat()); + request.getSession().setAttribute(Constants.SESSION_NAMEID, + saml2assertion.getSubject().getNameID().getValue()); } + + bean.setDateOfBirth(birthday); + bean.setFamilyName(familyName); + bean.setGivenName(givenName); + bean.setLogin(true); + + setAnser(request, response, bean); + return; + - } catch (Exception e) { - log.warn(e); - bean.setErrorMessage("Internal Error: " + e.getMessage()); + } else { + bean.setErrorMessage("Der Anmeldevorgang wurde abgebrochen.
Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion."); setAnser(request, response, bean); return; + } - } else { - bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding."); + } catch (Exception e) { + log.warn(e); + bean.setErrorMessage("Internal Error: " + e.getMessage()); setAnser(request, response, bean); return; - } + } private void setAnser(HttpServletRequest request, HttpServletResponse response, ApplicationBean answersBean) throws ServletException, IOException { diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java index 971e401ca..bba6d0541 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java @@ -43,6 +43,7 @@ public interface IOAAuthParameters { public static final String LOCALBKU = "local"; public static final String INDERFEDERATEDIDP = "interfederated"; public static final String EIDAS = "eIDAS"; + public static final String AUTHTYPE_OTHERS = "others"; /** * Get the full key/value configuration for this online application -- cgit v1.2.3 From 98e5c09745c58ef1b04132a9c92c60143332540e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 6 Sep 2017 14:32:27 +0200 Subject: switch to eIDAS SAML-engine 1.4.0-RC1 --- id/server/modules/moa-id-module-eIDAS/pom.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'id') diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml index 5bdead8b2..f3d8eeb36 100644 --- a/id/server/modules/moa-id-module-eIDAS/pom.xml +++ b/id/server/modules/moa-id-module-eIDAS/pom.xml @@ -12,11 +12,11 @@ ${basedir}/../../../../repository - 1.3.0 - 1.3.0 - 1.3.0 - 1.3.0 - 1.3.0 + 1.4.0-SNAPSHOT + 1.4.0-SNAPSHOT + 1.4.0-SNAPSHOT + 1.4.0-SNAPSHOT + 1.4.0-SNAPSHOT -- cgit v1.2.3 From 02ea379722e57b38a185b7886eb4e39421fb4371 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 7 Sep 2017 09:10:03 +0200 Subject: update Struts2 to current version --- .../moa/id/configuration/filter/AuthenticationFilter.java | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'id') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java index 67fef3b1d..c69998fa2 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java @@ -28,9 +28,6 @@ import java.util.Date; import java.util.StringTokenizer; import java.util.regex.Pattern; -import org.apache.commons.lang.StringUtils; -import org.apache.log4j.Logger; - import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; @@ -42,6 +39,9 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; +import org.apache.commons.lang.StringUtils; +import org.apache.log4j.Logger; + import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException; import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; @@ -205,7 +205,9 @@ public class AuthenticationFilter implements Filter{ filterchain.doFilter(req, resp); } catch (Exception e) { - + + log.error("Servlet filter catchs an unhandled exception! Msg: " + e.getMessage(), e); + //String redirectURL = "./index.action"; //HttpServletResponse httpResp = (HttpServletResponse) resp; //redirectURL = httpResp.encodeRedirectURL(redirectURL); -- cgit v1.2.3 From b61d91cedc7ff94c45cd39fbd5345d4ac746e87d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 7 Sep 2017 09:10:55 +0200 Subject: update MOA-Sig and IAIK libs to solve some problems with JDK8u141 and certificate validation --- id/moa-spss-container/pom.xml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) (limited to 'id') diff --git a/id/moa-spss-container/pom.xml b/id/moa-spss-container/pom.xml index 6cf5d41b3..085c731fd 100644 --- a/id/moa-spss-container/pom.xml +++ b/id/moa-spss-container/pom.xml @@ -93,17 +93,16 @@ 4.02_eval
- - + 4.02 +
iaik.prod iaik_eccelerate_cms - 3.01 + 4.02 iaik.prod @@ -120,10 +119,10 @@ iaik_moa 2.05 - + iaik.prod iaik_pki_module - 1.03_moa + 1.04_moa iaik.prod -- cgit v1.2.3 From a512ce06caa134ea978ca54a87a8b78d5c10bf1c Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 7 Sep 2017 09:11:18 +0200 Subject: update readme_3.2.3.txt and history.txt --- id/history.txt | 5 +++-- id/readme_3.2.3.txt | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'id') diff --git a/id/history.txt b/id/history.txt index 1869e28cb..1734d69e9 100644 --- a/id/history.txt +++ b/id/history.txt @@ -2,9 +2,10 @@ Dieses Dokument zeigt die Ver Version MOA-ID Release 3.2.3: Änderungen seit Version MOA-ID 3.2.2 - Änderungen - - Bug-Fix - Possible problem in combination with IAIK_JCE and JAVA JDK >= 8u141 + - Bug-Fix - Possible problem in combination with IAIK_JCE and JAVA JDK >= 8u141 + - Bug-Fix - Possible thread looking during certificate validation - Bug-Fix - Wrong logging entries - - Stabilitsverbesserungen + - Stability improvements Version MOA-ID Release 3.2.2: Änderungen seit Version MOA-ID 3.2.1 - Änderungen diff --git a/id/readme_3.2.3.txt b/id/readme_3.2.3.txt index a1582805d..edb75f6de 100644 --- a/id/readme_3.2.3.txt +++ b/id/readme_3.2.3.txt @@ -12,6 +12,7 @@ history.txt im gleichen Verzeichnis). - Änderungen - Behebung eines möglichen Problems mit JAVA JDK 8u141 + - Behebung eines möglichen Thread Look Problems während Zertifikatsprüfung - Bug-Fixes - Stabilitätsverbesserungen -- cgit v1.2.3 From 656b8b4910798dec7b253ea8f4b7dbec77715012 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 8 Sep 2017 14:32:14 +0200 Subject: update eIDAS bPK target validation --- .../moa/id/auth/modules/eidas/Constants.java | 2 ++ .../moa/id/protocols/eidas/EIDASProtocol.java | 33 ++++++++++++++++++---- 2 files changed, 30 insertions(+), 5 deletions(-) (limited to 'id') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java index c0101b553..d975b6e0a 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java @@ -69,6 +69,8 @@ public class Constants { public static final String CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".metadata.url"; + public static final String CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".bpk.target."; + //timeouts and clock skews diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 940b91b44..4b67370d6 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -56,6 +56,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController; import at.gv.egovernment.moa.logging.Logger; @@ -283,14 +284,22 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { } else { String[] splittedTarget = eIDASTarget.split("\\+"); if (!splittedTarget[2].equalsIgnoreCase(reqCC)) { - Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer() + Logger.debug("Configuration for eIDAS-node:" + samlReq.getIssuer() + " Destination Country from request (" + reqCC - + ") does not match to configuration:" + eIDASTarget); - throw new MOAIDException("eIDAS.01", - new Object[]{"Destination Country from request does not match to configuration"}); + + ") does not match to configuration:" + eIDASTarget + + " --> Perform additional organisation check ..."); + + //check if eIDAS domain for bPK calculation is a valid target + if (!iseIDASTargetAValidOrganisation(reqCC, splittedTarget[2])) { + throw new MOAIDException("eIDAS.01", + new Object[]{"Destination Country from request does not match to configuration"}); + + } + } - Logger.debug("CountryCode from request matches eIDAS-node configuration target"); + Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget); + } @@ -439,6 +448,20 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) { return false; } + + private boolean iseIDASTargetAValidOrganisation(String reqCC, String bPKTargetArea) { + if (MiscUtil.isNotEmpty(reqCC)) { + List allowedOrganisations = KeyValueUtils.getListOfCSVValues( + authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + reqCC.toLowerCase())); + if (allowedOrganisations.contains(bPKTargetArea)) { + Logger.debug(bPKTargetArea + " is a valid OrganisationIdentifier for request-country: "+ reqCC); + return true; + } + } + + Logger.info("OrganisationIdentifier: " + bPKTargetArea + " is not allowed for country: " + reqCC); + return false; + } } -- cgit v1.2.3 From 77c0e0bf1c565766eb2cecfb31b509b51c92b3d7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 8 Sep 2017 14:33:54 +0200 Subject: update error handling for wrong encoded BKU error responses --- .../moa/id/auth/parser/ErrorResponseParser.java | 39 +++++++++++++++++----- .../id/auth/parser/InfoboxReadResponseParser.java | 1 + 2 files changed, 31 insertions(+), 9 deletions(-) (limited to 'id') diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java index a09f0a2a8..602914229 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java @@ -46,10 +46,16 @@ package at.gv.egovernment.moa.id.auth.parser; +import java.io.IOException; + +import javax.xml.transform.TransformerException; + import org.w3c.dom.Element; import org.w3c.dom.NodeList; import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.util.DOMUtils; /** * Parses an <ErrorResponse>. @@ -84,15 +90,30 @@ public class ErrorResponseParser { */ public ErrorResponseParser(Element errorElement) throws ParseException { if (errorElement != null) { - String namespace = errorElement.getNamespaceURI(); - NodeList nl = errorElement.getElementsByTagNameNS(namespace, "ErrorCode"); - if (nl.getLength() == 1) { - errorCode_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); - } - nl = errorElement.getElementsByTagNameNS(namespace, "Info"); - if (nl.getLength() == 1) { - errorInfo_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); - } + try { + String namespace = errorElement.getNamespaceURI(); + NodeList nl = errorElement.getElementsByTagNameNS(namespace, "ErrorCode"); + if (nl.getLength() == 1) { + errorCode_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); + } + nl = errorElement.getElementsByTagNameNS(namespace, "Info"); + if (nl.getLength() == 1 && ((Element)nl.item(0)).getFirstChild() != null) { + errorInfo_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); + + } + } catch ( Exception e) { + try { + if (Logger.isDebugEnabled()) + Logger.warn("Can not extract error code from BKU response. Full-response: " + DOMUtils.serializeNode(errorElement), e) ; + else + Logger.warn("Can not extract error code from BKU response. Exception: " + e.getMessage()) ; + + } catch (TransformerException | IOException e1) { + Logger.warn("Can not extract error code from BKU response.", e); + Logger.warn("Can not serialize error response.", e1); + + } + } } } diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java index 275a85129..154092b03 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java @@ -150,6 +150,7 @@ public class InfoboxReadResponseParser { if ("InfoboxReadResponse".equals(responseElem.getLocalName())) { infoBoxElem_ = responseElem; + } else { ErrorResponseParser erp = new ErrorResponseParser(responseElem); throw new BKUException("auth.08", -- cgit v1.2.3 From eb32c9b2cc8720c69090e9fd82fbd6861429b599 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 8 Sep 2017 14:34:10 +0200 Subject: remove unused code --- .../moa/id/commons/utils/ssl/SSLUtils.java | 27 ++++++++++------------ 1 file changed, 12 insertions(+), 15 deletions(-) (limited to 'id') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index 109390132..abf2d211c 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -49,7 +49,6 @@ package at.gv.egovernment.moa.id.commons.utils.ssl; import java.io.IOException; import java.security.GeneralSecurityException; import java.security.KeyStore; -import java.security.Security; import java.util.HashMap; import java.util.Map; @@ -66,8 +65,6 @@ import at.gv.egovernment.moaspss.logging.LoggingContextManager; import iaik.pki.DefaultPKIConfiguration; import iaik.pki.PKIException; import iaik.pki.PKIFactory; -//import iaik.pki.jsse.IAIKX509TrustManager; -import iaik.security.provider.IAIK; /** @@ -83,18 +80,18 @@ public class SSLUtils { /** SSLSocketFactory store, mapping URL->SSLSocketFactory **/ private static Map sslSocketFactories = new HashMap(); - /** - * Initializes the SSLSocketFactory store. - */ - public static void initialize() { - sslSocketFactories = new HashMap(); - // JSSE Abhängigkeit - //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()); - Security.addProvider(new IAIK()); - //System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol"); - - - } +// /** +// * Initializes the SSLSocketFactory store. +// */ +// public static void initialize() { +// sslSocketFactories = new HashMap(); +// // JSSE Abhängigkeit +// //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()); +// Security.addProvider(new IAIK()); +// //System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol"); +// +// +// } /** * IAIK PKI module and MOA-SIG uses a ThreadLocal variable for logging -- cgit v1.2.3 From 90d1f0733edddfb2fbc5527713c3a8a012855612 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 8 Sep 2017 14:34:29 +0200 Subject: add additional log messages into demoOA --- .../gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'id') diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java index 31a3be7e2..93622f828 100644 --- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java +++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/DemoApplication.java @@ -98,6 +98,7 @@ public class DemoApplication extends HttpServlet { ApplicationBean bean = new ApplicationBean(); + log.debug("Receive request on secure-area endpoint ..."); String method = request.getMethod(); HttpSession session = request.getSession(); @@ -113,6 +114,7 @@ public class DemoApplication extends HttpServlet { Response samlResponse = null; if (method.equals("GET")) { + log.debug("Find possible SAML2 Redirect-Binding response ..."); HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(new BasicParserPool()); BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); @@ -140,8 +142,11 @@ public class DemoApplication extends HttpServlet { messageContext.setSecurityPolicyResolver(resolver1); decode.decode(messageContext); + + log.info("PVP2 Assertion with Redirect-Binding is valid"); - } else if (method.equals("POST")) { + } else if (method.equals("POST")) { + log.debug("Find possible SAML2 Post-Binding response ..."); //Decode with HttpPost Binding HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); -- cgit v1.2.3 From 91cf10d88f06b1ff26721c8796deb8d6510c1df7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 13 Sep 2017 15:52:52 +0200 Subject: update eIDAS country selector --- .../id/configuration/validation/moaconfig/StorkConfigValidator.java | 2 +- .../webgui/validation/task/impl/GeneralSTORKConfigurationTask.java | 2 +- .../builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java | 5 +++-- 3 files changed, 5 insertions(+), 4 deletions(-) (limited to 'id') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java index 8e8020d75..fbd2f3bb3 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java @@ -43,7 +43,7 @@ public class StorkConfigValidator { errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.cc", new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); } - if(!check.toLowerCase().matches("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z]*)")) { + if(!check.toLowerCase().matches("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z,0-9]*)")) { log.warn("CPEPS config countrycode does not comply to ISO 3166-2 : " + check); errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.cc", new Object[] {check}, request )); diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java index fb675ad43..df67ca2f1 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java @@ -125,7 +125,7 @@ public static final List KEYWHITELIST; LanguageHelper.getErrorString("validation.stork.cpeps.cc", new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}))); } - if(!cc.toLowerCase().matches("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z]*)")) { + if(!cc.toLowerCase().matches("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z,0-9]*)")) { log.warn("CPEPS config countrycode does not comply to ISO 3166-2 : " + cc); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java index 63df81b3c..8244d630d 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java @@ -97,10 +97,11 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); if (oaParam != null) { params.put(PARAM_OANAME, oaParam.getFriendlyName()); - - + if (oaParam.isShowStorkLogin()) addCountrySelection(params, oaParam); + else + params.put(PARAM_COUNTRYLIST, ""); FormBuildUtils.customiceLayoutBKUSelection(params, oaParam); -- cgit v1.2.3 From 9b0dd388aca4bea80055284e558b6c16edefcec6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 13 Sep 2017 15:53:07 +0200 Subject: update wrong log message --- .../modules/eidas/tasks/GenerateAuthnRequestTask.java | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) (limited to 'id') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index 6f1d75bfe..3e7a4e875 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -22,16 +22,17 @@ */ package at.gv.egovernment.moa.id.auth.modules.eidas.tasks; +import java.awt.PageAttributes.MediaType; import java.io.StringWriter; import java.util.ArrayList; import java.util.Collection; import java.util.List; +import java.util.logging.Logger; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang3.BooleanUtils; -import org.apache.commons.lang3.StringUtils; import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; @@ -41,8 +42,7 @@ import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; - -import com.google.common.net.MediaType; +import org.springframework.util.StringUtils; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; @@ -53,16 +53,8 @@ import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; -import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.commons.api.IRequest; -import at.gv.egovernment.moa.id.commons.api.data.CPEPS; -import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; import eu.eidas.auth.commons.EidasStringUtil; import eu.eidas.auth.commons.attribute.AttributeDefinition; import eu.eidas.auth.commons.attribute.AttributeDefinition.Builder; @@ -306,7 +298,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { context.put("RelayState", pendingReq.getRequestID()); - Logger.debug("Using assertion consumer url as action: " + authnReqEndpoint.getLocation()); + Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation()); context.put("action", authnReqEndpoint.getLocation()); Logger.debug("Starting template merge"); -- cgit v1.2.3 From 22ccfa1baf256635268a3a65ac59d5a415d19356 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 19 Sep 2017 14:28:36 +0200 Subject: update TransactionUtis for MDC logging and add unique OA identifier as additional MDC variable --- id/server/data/deploy/conf/moa-id/log4j.properties | 7 ++-- id/server/doc/handbook/install/install.html | 9 +++-- .../moa/id/advancedlogging/TransactionIDUtils.java | 45 +++++++++++++++++++--- .../moa/id/auth/AuthenticationSessionCleaner.java | 14 +++++-- .../moa/id/auth/servlet/AbstractController.java | 7 ++-- .../AbstractProcessEngineSignalController.java | 9 +---- .../UniqueSessionIdentifierInterceptor.java | 6 +-- .../moa/id/data/ExceptionContainer.java | 24 ++++++++++-- .../moa/id/moduls/AuthenticationManager.java | 15 +++++--- .../egovernment/moa/id/moduls/RequestStorage.java | 5 +-- .../moa/id/commons/MOAIDAuthConstants.java | 2 + 11 files changed, 102 insertions(+), 41 deletions(-) (limited to 'id') diff --git a/id/server/data/deploy/conf/moa-id/log4j.properties b/id/server/data/deploy/conf/moa-id/log4j.properties index d83e8e550..f37100a5b 100644 --- a/id/server/data/deploy/conf/moa-id/log4j.properties +++ b/id/server/data/deploy/conf/moa-id/log4j.properties @@ -19,8 +19,7 @@ log4j.logger.at.gv.egovernment.moa.id.configuration=info,CONFIGTOOL # configure the stdout appender log4j.appender.stdout=org.apache.log4j.ConsoleAppender log4j.appender.stdout.layout=org.apache.log4j.PatternLayout -#log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %20c | %10t | %m%n -log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} |%20.20c | %10t | %m%n +log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} |%20.20c | %10t | %m%n # configure the rolling file appender (R) log4j.appender.R=org.apache.log4j.RollingFileAppender @@ -28,7 +27,7 @@ log4j.appender.R.File=${catalina.base}/logs/moa-id.log log4j.appender.R.MaxFileSize=10000KB log4j.appender.R.MaxBackupIndex=1 log4j.appender.R.layout=org.apache.log4j.PatternLayout -log4j.appender.R.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %t | %m%n +log4j.appender.R.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} | %t | %m%n # configure the rolling file appender (R) log4j.appender.CONFIGTOOL=org.apache.log4j.RollingFileAppender @@ -36,4 +35,4 @@ log4j.appender.CONFIGTOOL.File=${catalina.base}/logs/moa-id-webgui.log log4j.appender.CONFIGTOOL.MaxFileSize=10000KB log4j.appender.CONFIGTOOL.MaxBackupIndex=1 log4j.appender.CONFIGTOOL.layout=org.apache.log4j.PatternLayout -log4j.appender.CONFIGTOOL.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %t | %m%n \ No newline at end of file +log4j.appender.CONFIGTOOL.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} | %t | %m%n \ No newline at end of file diff --git a/id/server/doc/handbook/install/install.html b/id/server/doc/handbook/install/install.html index aa4114539..db96cda3c 100644 --- a/id/server/doc/handbook/install/install.html +++ b/id/server/doc/handbook/install/install.html @@ -235,8 +235,8 @@ https://<host>:<port>/egiz-configuration-webapp/
2.1.3.1 Format der Log-Meldungen

Anhand einer konkreten Log-Meldung wird das Format der MOA SP/SS Log-Meldungen erläutert:

-INFO | 01 21:25:26,540 | Thread-3 | TID=1049225059594-100 NID=node1 
-  MSG=Starte neue Transaktion: TID=1049225059594-100, Service=SignatureVerification
+ INFO | 2017-09-18 10:29:22,904 | SID-7947921060553739539 | TID-4708232418268334030 | https://sso.demosp.at/handysignatur 
+      | ajp-nio-28109-exec-7 | No SSO Session cookie found
 

Der Wert INFO besagt, dass die Log-Meldung im Log-Level INFO entstanden ist. Folgende Log-Levels existieren:

    @@ -257,7 +257,10 @@ INFO | 01 21:25:26,540 | Thread-3 | TID=1049225059594-100 NID=node1

Der nächste Wert 01 21:25:26,540 gibt den Zeitpunkt an, zu dem die Log-Meldung generiert wurde (in diesem Fall den 1. Tag im aktuellen Monat, sowie die genaue Uhrzeit).

-

Der Wert Thread-3 bezeichnet den Thread, von dem die Anfrage bearbeitet wird.

+

Der Wert SID-7947921060553739539 bezeichnet die SessionID, welche diesem Request zugeordnet wurde. Eine SessionID ist innerhalb einer SSO auch über mehrere Authentifizierungsrequests eindeutig. Das Loggen der SessionID kann mittels %X{sessionId} in der log4j Konfiguration gesetzt werden

+

Der Wert TID-4708232418268334030 bezeichnet die TransactionsID, welche diesem Request zugeordnet wurde. Eine TransactionsID ist innerhalb eines Authentifizierungsrequests eindeutig. Das Loggen der TransactionsID kann mittels %X{transactionId} in der log4j Konfiguration gesetzt werden

+

Der Wert https://sso.demosp.at/handysignatur bezeichnet die Online Applikation (eindeutiger Identifier dieses Service Providers) für welchen dieser Authentifizierungsrequest durchgeführt wird. Das Loggen des OA Identifiers kann mittels %X{oaId} in der log4j Konfiguration gesetzt werden

+

Der Wert ajp-nio-28109-exec-7 bezeichnet den Thread, von dem die Anfrage bearbeitet wird.

Der Rest der Zeile einer Log-Meldung ist der eigentliche Text, mit dem das System bestimmte Informationen anzeigt. Im Fehlerfall ist häufig ein Java Stack-Trace angefügt, der eine genauere Ursachen-Forschung ermöglicht.

2.1.3.2 Wichtige Log-Meldungen

Neben den im Abschnitt 2.1.2.4.3 beschriebenen Log-Meldungen, die anzeigen, ob das Service ordnungsgemäß gestartet wurde, geben nachfolgenden Log-Meldungen Aufschluss über die Abarbeitung von Anfragen.

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java index 6d53fd510..0b066f3b9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java @@ -23,10 +23,8 @@ package at.gv.egovernment.moa.id.advancedlogging; -import java.util.Date; - import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; -import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.egovernment.moa.id.commons.api.IRequest; /** * @author tlenz @@ -34,6 +32,43 @@ import at.gv.egovernment.moa.util.MiscUtil; */ public class TransactionIDUtils { + /** + * Set all MDC variables from pending request to this threat context
+ * These includes SessionID, TransactionID, and unique service-provider identifier + * + * @param pendingRequest + */ + public static void setAllLoggingVariables(IRequest pendingRequest) { + setTransactionId(pendingRequest.getUniqueTransactionIdentifier()); + setSessionId(pendingRequest.getUniqueSessionIdentifier()); + setServiceProviderId(pendingRequest.getOnlineApplicationConfiguration().getPublicURLPrefix()); + + } + + /** + * Remove all MDC variables from this threat context + * + */ + public static void removeAllLoggingVariables() { + removeSessionId(); + removeTransactionId(); + removeServiceProviderId(); + + } + + + public static void setServiceProviderId(String oaUniqueId) { + org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID, oaUniqueId); + org.slf4j.MDC.put(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID, oaUniqueId); + + } + + public static void removeServiceProviderId() { + org.apache.log4j.MDC.remove(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID); + org.slf4j.MDC.remove(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID); + + } + public static void setTransactionId(String pendingRequestID) { org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_TRANSACTION_ID, "TID-" + pendingRequestID); @@ -50,9 +85,9 @@ public class TransactionIDUtils { public static void setSessionId(String uniqueSessionId) { org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_SESSION_ID, - "TID-" + uniqueSessionId); + "SID-" + uniqueSessionId); org.slf4j.MDC.put(MOAIDAuthConstants.MDC_SESSION_ID, - "TID-" + uniqueSessionId); + "SID-" + uniqueSessionId); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java index bbb322a4f..34d0d4be1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java @@ -74,20 +74,26 @@ public class AuthenticationSessionCleaner implements Runnable { ExceptionContainer exContainer = (ExceptionContainer) entry; if (exContainer.getExceptionThrown() != null) { - //add session and transaction ID to log if exists + //add session, transaction, and service-provider IDs into logging context if exists if (MiscUtil.isNotEmpty(exContainer.getUniqueTransactionID())) TransactionIDUtils.setTransactionId(exContainer.getUniqueTransactionID()); if (MiscUtil.isNotEmpty(exContainer.getUniqueSessionID())) TransactionIDUtils.setSessionId(exContainer.getUniqueSessionID()); + if (MiscUtil.isNotEmpty(exContainer.getUniqueServiceProviderId())) + TransactionIDUtils.setServiceProviderId(exContainer.getUniqueServiceProviderId()); + //log exception to technical log logExceptionToTechnicalLog(exContainer.getExceptionThrown()); //remove session and transaction ID from thread - TransactionIDUtils.removeSessionId(); - TransactionIDUtils.removeTransactionId(); - } + TransactionIDUtils.removeAllLoggingVariables(); + + } else { + Logger.warn("Receive an ExceptionContainer that includes no 'Exception' object. Somethinge is suspect!!!!!"); + + } } } catch (Exception e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java index 1431911a3..353261085 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java @@ -33,6 +33,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.ExceptionHandler; import com.google.common.net.MediaType; + import at.gv.egovernment.moa.id.advancedlogging.IStatisticLogger; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; @@ -139,13 +140,11 @@ public abstract class AbstractController extends MOAIDAuthConstants { if (pendingReq != null) { revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR); transactionStorage.put(key, - new ExceptionContainer(pendingReq.getUniqueSessionIdentifier(), - pendingReq.getUniqueTransactionIdentifier(), loggedException),-1); + new ExceptionContainer(pendingReq, loggedException),-1); } else { transactionStorage.put(key, - new ExceptionContainer(null, - null, loggedException),-1); + new ExceptionContainer(null, loggedException),-1); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java index 0ce7b0050..32f103ca7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java @@ -45,11 +45,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont //change pending-request ID requestStorage.changePendingRequestID(pendingReq); pendingRequestID = pendingReq.getRequestID(); - - //add transactionID and unique sessionID to Logger - TransactionIDUtils.setSessionId(pendingReq.getUniqueSessionIdentifier()); - TransactionIDUtils.setTransactionId(pendingReq.getUniqueTransactionIdentifier()); - + // process instance is mandatory if (pendingReq.getProcessInstanceId() == null) { throw new MOAIllegalStateException("process.03", new Object[]{"MOA session does not provide process instance id."}); @@ -64,8 +60,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont } finally { //MOASessionDBUtils.closeSession(); - TransactionIDUtils.removeTransactionId(); - TransactionIDUtils.removeSessionId(); + TransactionIDUtils.removeAllLoggingVariables(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java index bedc67513..466364adb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java @@ -57,8 +57,8 @@ public class UniqueSessionIdentifierInterceptor implements HandlerInterceptor { String uniqueSessionIdentifier = ssomanager.getUniqueSessionIdentifier(ssoId); if (MiscUtil.isEmpty(uniqueSessionIdentifier)) uniqueSessionIdentifier = Random.nextRandom(); - TransactionIDUtils.setSessionId(uniqueSessionIdentifier); + TransactionIDUtils.setSessionId(uniqueSessionIdentifier); request.setAttribute(MOAIDConstants.UNIQUESESSIONIDENTIFIER, uniqueSessionIdentifier); return true; @@ -79,8 +79,8 @@ public class UniqueSessionIdentifierInterceptor implements HandlerInterceptor { @Override public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception { - // TODO Auto-generated method stub - + TransactionIDUtils.removeAllLoggingVariables(); + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java index 1c6fdcb65..4820b6fdc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java @@ -24,6 +24,8 @@ package at.gv.egovernment.moa.id.data; import java.io.Serializable; +import at.gv.egovernment.moa.id.commons.api.IRequest; + /** * @author tlenz * @@ -34,13 +36,21 @@ public class ExceptionContainer implements Serializable { private Throwable exceptionThrown = null; private String uniqueSessionID = null; private String uniqueTransactionID = null; + private String uniqueServiceProviderId = null; /** * */ - public ExceptionContainer(String uniqueSessionID, String uniqueTransactionID, Throwable exception) { - this.uniqueSessionID = uniqueSessionID; - this.uniqueTransactionID = uniqueTransactionID; + public ExceptionContainer(IRequest pendingReq, Throwable exception) { + if (pendingReq != null) { + this.uniqueSessionID = pendingReq.getUniqueSessionIdentifier(); + this.uniqueTransactionID = pendingReq.getUniqueTransactionIdentifier(); + + if (pendingReq.getOnlineApplicationConfiguration() != null) + this.uniqueServiceProviderId = pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix(); + + } + this.exceptionThrown = exception; } @@ -62,6 +72,14 @@ public class ExceptionContainer implements Serializable { public String getUniqueTransactionID() { return uniqueTransactionID; } + + /** + * @return the uniqueServiceProviderId + */ + public String getUniqueServiceProviderId() { + return uniqueServiceProviderId; + } + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index ab0a1ec40..60b8b31de 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -47,6 +47,7 @@ import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; +import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; @@ -202,6 +203,14 @@ public class AuthenticationManager extends MOAIDAuthConstants { public AuthenticationSession doAuthentication(HttpServletRequest httpReq, HttpServletResponse httpResp, RequestImpl pendingReq) throws MOADatabaseException, ServletException, IOException, MOAIDException { + //load OA configuration from pending request + IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); + + //set logging context and log unique OA identifier to revision log + TransactionIDUtils.setServiceProviderId(pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix()); + revisionsLogger.logEvent(oaParam, + pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL()); + //generic authentication request validation if (pendingReq.isPassiv() && pendingReq.forceAuth()) { @@ -236,12 +245,8 @@ public class AuthenticationManager extends MOAIDAuthConstants { boolean isValidSSOSession = ssoManager.isValidSSOSession(ssoId, pendingReq); // check if Service-Provider allows SSO sessions - IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); boolean useSSOOA = oaParam.useSSO() || oaParam.isInderfederationIDP(); - - revisionsLogger.logEvent(oaParam, - pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL()); - + //if a legacy request is used SSO should not be allowed in case of mandate authentication boolean isUseMandateRequested = LegacyHelper.isUseMandateRequested(httpReq); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java index eec48e0f3..90ccb3c27 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java @@ -52,9 +52,8 @@ public class RequestStorage implements IRequestStorage{ } //set transactionID and sessionID to Logger - TransactionIDUtils.setTransactionId(pendingRequest.getUniqueTransactionIdentifier()); - TransactionIDUtils.setSessionId(pendingRequest.getUniqueSessionIdentifier()); - + TransactionIDUtils.setAllLoggingVariables(pendingRequest); + return pendingRequest; } catch (MOADatabaseException | NullPointerException e) { diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java index b16941f51..d8d3dbeee 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java @@ -171,8 +171,10 @@ public class MOAIDAuthConstants extends MOAIDConstants{ public static final String REGEX_PATTERN_TARGET = "^[A-Za-z]{2}(-.*)?$"; + //MDC variables for logging public static final String MDC_TRANSACTION_ID = "transactionId"; public static final String MDC_SESSION_ID = "sessionId"; + public static final String MDC_SERVICEPROVIDER_ID = "oaId"; //AuthnRequest IssueInstant validation public static final int TIME_JITTER = 5; //all 5 minutes time jitter -- cgit v1.2.3 From 3c81d3fef06204f2259b6c0377c8a2a00974c614 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 20 Sep 2017 12:15:20 +0200 Subject: make SAML2 http POST-Binding template and mandate-service selection-template configurable for every online application --- .../configuration/data/FormularCustomization.java | 53 +++++ .../configuration/struts/action/BasicOAAction.java | 4 +- .../resources/applicationResources_de.properties | 7 + .../resources/applicationResources_en.properties | 8 + .../webapp/jsp/snippets/OA/formCustomization.jsp | 21 +- .../task/impl/ServicesBKUSelectionTask.java | 37 +++- .../htmlTemplates/pvp_postbinding_template.html | 46 ++++ id/server/doc/handbook/config/config.html | 44 ++-- .../tasks/GenerateBKUSelectionFrameTask.java | 8 +- .../GenerateSSOConsentEvaluatorFrameTask.java | 8 +- .../id/auth/servlet/GUILayoutBuilderServlet.java | 22 +- .../moa/id/moduls/AuthenticationManager.java | 4 +- .../moa/id/opemsaml/MOAIDHTTPPostEncoder.java | 114 ++++++++++ .../id/protocols/pvp2x/AttributQueryAction.java | 6 +- .../id/protocols/pvp2x/AuthenticationAction.java | 8 +- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 8 +- .../moa/id/protocols/pvp2x/SingleLogOutAction.java | 4 +- .../moa/id/protocols/pvp2x/binding/IEncoder.java | 7 +- .../id/protocols/pvp2x/binding/PostBinding.java | 53 +++-- .../protocols/pvp2x/binding/RedirectBinding.java | 7 +- .../id/protocols/pvp2x/binding/SoapBinding.java | 7 +- .../pvp2x/builder/PVPAuthnRequestBuilder.java | 9 +- .../pvp2x/builder/SingleLogOutBuilder.java | 11 +- .../resources/templates/ParepMinTemplate.html | 193 ----------------- .../resources/templates/ParepTemplate.html | 235 --------------------- .../resources/resources/templates/fetchGender.html | 16 -- .../templates/oasis_dss_webform_binding.vm | 36 ---- .../templates/pvp_postbinding_template.html | 48 ----- .../templates/pvp_postbinding_template.html | 46 ++++ .../config/ConfigurationMigrationUtils.java | 7 +- .../config/MOAIDConfigurationConstants.java | 3 + .../dao/config/deprecated/OnlineApplication.java | 34 +++ ...roviderSpecificGUIFormBuilderConfiguration.java | 187 ++++++++++++++++ .../auth/frontend/builder/GUIFormBuilderImpl.java | 45 ++-- .../id/auth/frontend/builder/IGUIFormBuilder.java | 1 + ...PSpecificGUIBuilderConfigurationWithDBLoad.java | 82 +++++++ ...cGUIBuilderConfigurationWithFileSystemLoad.java | 110 ++++++++++ ...roviderSpecificGUIFormBuilderConfiguration.java | 187 ---------------- .../eidas/tasks/GenerateAuthnRequestTask.java | 12 +- .../tasks/SelectMandateServiceTask.java | 15 +- 40 files changed, 938 insertions(+), 815 deletions(-) create mode 100644 id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java delete mode 100644 id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html delete mode 100644 id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html delete mode 100644 id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html delete mode 100644 id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm delete mode 100644 id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html create mode 100644 id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html create mode 100644 id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java create mode 100644 id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java create mode 100644 id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java delete mode 100644 id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java (limited to 'id') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java index 80800543b..5ee2ee6a7 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java @@ -97,6 +97,9 @@ public class FormularCustomization implements IOnlineApplicationData { private String aditionalAuthBlockText = null; private boolean isHideBPKAuthBlock = false; + private String saml2PostBindingTemplate = null; + private String mandateServiceSelectionTemplate = null; + public FormularCustomization() { new FormularCustomization(null); } @@ -128,6 +131,9 @@ public class FormularCustomization implements IOnlineApplicationData { public List parse(OnlineApplication dbOA, AuthenticatedUser authUser, HttpServletRequest request) { AuthComponentOA auth = dbOA.getAuthComponentOA(); + mandateServiceSelectionTemplate = dbOA.getMandateServiceSelectionTemplateURL(); + saml2PostBindingTemplate = dbOA.getSaml2PostBindingTemplateURL(); + if (dbOA.getAuthComponentOA() != null) isHideBPKAuthBlock = dbOA.isRemoveBPKFromAuthBlock(); @@ -243,6 +249,9 @@ public class FormularCustomization implements IOnlineApplicationData { dbOA.setRemoveBPKFromAuthBlock(isHideBPKAuthBlock()); + dbOA.setMandateServiceSelectionTemplateURL(mandateServiceSelectionTemplate); + dbOA.setSaml2PostBindingTemplateURL(saml2PostBindingTemplate); + TemplatesType templates = authoa.getTemplates(); if (templates == null) { templates = new TemplatesType(); @@ -382,6 +391,21 @@ public class FormularCustomization implements IOnlineApplicationData { } + check = getSaml2PostBindingTemplate(); + if (MiscUtil.isNotEmpty(check) && ValidationHelper.isNotValidIdentityLinkSigner(check) ) { + log.info("URL to SAML2 POST-Binding template is not valid"); + errors.add(LanguageHelper.getErrorString("validation.general.templates.saml2.postbinding.valid", request)); + + } + + check = getMandateServiceSelectionTemplate(); + if (MiscUtil.isNotEmpty(check) && ValidationHelper.isNotValidIdentityLinkSigner(check) ) { + log.info("URL to mandate-service selection-template is not valid"); + errors.add(LanguageHelper.getErrorString("validation.general.templates.mandateserviceselection.valid", request)); + + } + + //validate BKUFormCustomization errors.addAll(new FormularCustomizationValitator().validate(this, request)); @@ -813,7 +837,36 @@ public class FormularCustomization implements IOnlineApplicationData { */ public Map getFormMap() { return map; + } + + /** + * @return the saml2PostBindingTemplate + */ + public String getSaml2PostBindingTemplate() { + return saml2PostBindingTemplate; + } + + /** + * @param saml2PostBindingTemplate the saml2PostBindingTemplate to set + */ + public void setSaml2PostBindingTemplate(String saml2PostBindingTemplate) { + this.saml2PostBindingTemplate = saml2PostBindingTemplate; + } + + /** + * @return the mandateServiceSelectionTemplate + */ + public String getMandateServiceSelectionTemplate() { + return mandateServiceSelectionTemplate; + } + + /** + * @param mandateServiceSelectionTemplate the mandateServiceSelectionTemplate to set + */ + public void setMandateServiceSelectionTemplate(String mandateServiceSelectionTemplate) { + this.mandateServiceSelectionTemplate = mandateServiceSelectionTemplate; } + } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java index 5022be915..539deac9e 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java @@ -44,7 +44,7 @@ import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; import at.gv.egiz.components.configuration.meta.api.ConfigurationStorageException; -import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.AbstractServiceProviderSpecificGUIFormBuilderConfiguration; import at.gv.egovernment.moa.id.auth.frontend.utils.FormBuildUtils; import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; import at.gv.egovernment.moa.id.commons.config.ConfigurationMigrationUtils; @@ -610,7 +610,7 @@ public class BasicOAAction extends BasicAction { //set parameters Map params = (Map) mapobj; params.put( - ServiceProviderSpecificGUIFormBuilderConfiguration.PARAM_AUTHCONTEXT, + AbstractServiceProviderSpecificGUIFormBuilderConfiguration.PARAM_AUTHCONTEXT, contextpath); request.setCharacterEncoding("UTF-8"); diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties index d75403575..728ce989a 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties @@ -218,6 +218,11 @@ webpages.oaconfig.general.bku.bkuselection.upload=Neues Template hochladen webpages.oaconfig.general.bku.sendassertion.header=Send-Assertion Template webpages.oaconfig.general.bku.sendassertion.filename=Dateiname webpages.oaconfig.general.bku.sendassertion.upload=Neues Template hochladen +webpages.oaconfig.general.templates.elgamandates.header=Template zur Vollmachtenserviceauswahl +webpages.oaconfig.general.templates.elgamandates.url=Template URL +webpages.oaconfig.general.templates.saml2.postbinding.header=SAML2 POST Binding Formular +webpages.oaconfig.general.templates.saml2.postbinding.url=Template URL + webpages.oaconfig.bPKEncDec.header=Fremd-bPK Konfiguration webpages.oaconfig.bPKEncDec.keystore.header=KeyStore Konfiguration @@ -493,6 +498,8 @@ validation.general.sendassertion.filename.valid=Der Dateiname des Send-Assertion validation.general.sendassertion.file.valid=Das Send-Assertion Templates konnte nicht geladen werden. validation.general.sendassertion.file.selected=Es kann nur EIN Send-Assertion Template angegeben werden. validation.general.testcredentials.oid.valid=Die Testdaten OID {0} ist ung\u00FCltig. +validation.general.templates.saml2.postbinding.valid=URL zum Template f\u00FCr das SAML2 POST-Binding Formular ist nicht g\u00FCltig. +validation.general.templates.mandateserviceselection.valid=URL zum Template z\u00FCr Auswahl des Vollmachtenservices ist nicht g\u00FCltig. validation.bPKDec.keyStorePassword.empty=Das Password f\u00FCr den KeyStore ist leer. validation.bPKDec.keyStorePassword.valid=Das Password f\u00FCr den KeyStore enth\u00E4lt nicht erlaubte Zeichen. Folgende Zeichen sind nicht erlaubt\: {0} diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties index 708cc605e..a8f4be796 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties @@ -224,6 +224,12 @@ webpages.oaconfig.general.bku.sendassertion.header=Send-Assertion Template webpages.oaconfig.general.bku.sendassertion.filename=Filename webpages.oaconfig.general.bku.sendassertion.upload=Upload new template +webpages.oaconfig.general.templates.elgamandates.header=Template to select a specific mandate service +webpages.oaconfig.general.templates.elgamandates.url=Template URL +webpages.oaconfig.general.templates.saml2.postbinding.header=SAML2 POST-Binding Formular +webpages.oaconfig.general.templates.saml2.postbinding.url=Template URL + + webpages.oaconfig.bPKEncDec.header=Foreign-bPK Configuration webpages.oaconfig.bPKEncDec.keystore.header=Keystore configuration webpages.oaconfig.bPKEncDec.filename=Filename @@ -491,6 +497,8 @@ validation.general.sendassertion.filename.valid=The file name of Send-Assertion validation.general.sendassertion.file.valid=Send-Assertion Templates could not be loaded. validation.general.sendassertion.file.selected=Only one Send-Assertion Template can be provided. validation.general.testcredentials.oid.valid=The OID {0} for test credentials is not a valid. +validation.general.templates.saml2.postbinding.valid=URL to SAML2 POST-Binding template is not valid +validation.general.templates.mandateserviceselection.valid=URL to mandate-service selection-template is not valid validation.bPKDec.keyStorePassword.empty=KeyStore password is blank. validation.bPKDec.keyStorePassword.valid=The keyStore password contains forbidden characters. The following characters are not allowed\: {0} diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp index 008a8b521..424fdfacc 100644 --- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp +++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp @@ -160,7 +160,7 @@ -
+

<%=LanguageHelper.getGUIString("webpages.oaconfig.general.bku.bkuselection.header", request) %>

@@ -202,6 +202,25 @@
+
+

<%=LanguageHelper.getGUIString("webpages.oaconfig.general.templates.elgamandates.header", request) %>

+ + +
+
+

<%=LanguageHelper.getGUIString("webpages.oaconfig.general.templates.saml2.postbinding.header", request) %>

+ + +
+
diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java index ca1109aa1..f8ce21c99 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java @@ -41,7 +41,6 @@ import at.gv.egovernment.moa.id.config.webgui.helper.GUIDataParser; import at.gv.egovernment.moa.id.config.webgui.helper.LanguageHelper; import at.gv.egovernment.moa.id.config.webgui.validation.task.AbstractTaskValidator; import at.gv.egovernment.moa.id.config.webgui.validation.task.ITaskValidator; -import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; /** @@ -82,18 +81,27 @@ public class ServicesBKUSelectionTask extends AbstractTaskValidator implements I Map newConfigValues = new HashMap(); + //delete configuration key if the configuration value is empty or null + if (MiscUtil.isEmpty(input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL))) + keysToDelete.add(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL); + + //delete configuration key if the configuration value is empty or null + if (MiscUtil.isEmpty(input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL))) + keysToDelete.add(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL); + + String bkuSelectTemplateUploadedFileName = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_BKUSELECTION_FILENAME); if (MiscUtil.isNotEmpty(bkuSelectTemplateUploadedFileName)) { newConfigValues.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_BKUSELECTION_PREVIEW, bkuSelectTemplateUploadedFileName); } - + String sendAssertionTemplateUploadedFileName = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SENDASSERTION_FILENAME); if (MiscUtil.isNotEmpty(sendAssertionTemplateUploadedFileName)) { newConfigValues.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_BKUSELECTION_PREVIEW, sendAssertionTemplateUploadedFileName); } - + String bkuSelectionFileUpload = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_BKUSELECTION_DATA); String bkuSelectionFile = GUIDataParser.getBase64ContentFromGUIUpload(bkuSelectionFileUpload); if (bkuSelectionFile != null) @@ -253,6 +261,29 @@ public class ServicesBKUSelectionTask extends AbstractTaskValidator implements I } + + //validate template URLs + check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL); + if (MiscUtil.isNotEmpty(check) && ValidationHelper.isNotValidIdentityLinkSigner(check) ) { + log.info("URL to SAML2 POST-Binding template is not valid"); + errors.add(new ValidationObjectIdentifier( + MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, + "Templates - SAML2 Post-Binding", + LanguageHelper.getErrorString("validation.general.templates.saml2.postbinding.valid"))); + + } + check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL); + if (MiscUtil.isNotEmpty(check) && ValidationHelper.isNotValidIdentityLinkSigner(check) ) { + log.info("URL to mandate-service selection-template is not valid"); + errors.add(new ValidationObjectIdentifier( + MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL, + "Templates - Mandate-Service selection", + LanguageHelper.getErrorString("validation.general.templates.mandateserviceselection.valid"))); + + } + + + //check Template customization parameters check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_BACKGROUNDCOLOR); if (MiscUtil.isNotEmpty(check)) { if (!check.startsWith("#")) diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html new file mode 100644 index 000000000..4ea9a4873 --- /dev/null +++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html @@ -0,0 +1,46 @@ +## ## Velocity Template for SAML 2 HTTP-POST binding ## ## Velocity +##context may contain the following properties ## action - String - the +##action URL for the form ## RelayState - String - the relay state for the +##message ## SAMLRequest - String - the Base64 encoded SAML Request ## +##SAMLResponse - String - the Base64 encoded SAML Response + + + + + + + +
Your login is being processed. Thank you for + waiting.
+ + + +
+
+ #if($RelayState) #end + #if($SAMLRequest) #end + #if($SAMLResponse) #end +
+ +
+ + + \ No newline at end of file diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html index 0361442ac..52eb21ab3 100644 --- a/id/server/doc/handbook/config/config.html +++ b/id/server/doc/handbook/config/config.html @@ -1724,20 +1724,6 @@ Soll die Bürgerkartenauswahl weiterhin, wie in MOA-ID 1.5.1 im Kontext der X Über diese Funktion können drei zusätzliche SecurtityLayer-Request Templates für diese Online-Applikation definiert werden. Diese hier definierten Templates dienen als zusätzliche WhiteList für Templates welche im „StartAuthentication“ Request mit dem Parameter „template“ übergeben werden. Sollte im „StartAuthentication“ Request der Parameter „template“ fehlen, es wurde jedoch eine „bkuURL“ übergeben, dann wird für den Authentifizierungsvorgang das erste Template in dieser Liste verwendet. Detailinformationen zum Legacy Request finden Sie im Kapitel Protokolle. - - BKU-Selection Template -   - X - X - Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates für die Bürgerkartenauswahl. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus Kapitel 4.1 umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle für Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen. - - - Send-Assertion Template -   - X - X - Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates für die zusätzliche Anmeldeabfrage im Falle einer Single Sign-On Anmeldung. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus Kapitel 4.2 umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle für Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen. -

3.2.3 Test Identitäten

In diesem Abschnitt können für diese Online-Applikation Testidentitäten erlaubt werden. Diese Testidentitäten können auch bei produktiven Instanzen freigeschalten werden, da die Unterschiedung zwischen Produkt- und Testidentität anhand einer speziellen OID im Signaturzertifikat der Testidentität getroffen wird. Folgende Konfigurationsparameter stehen hierfür zur Verfügung.

@@ -2074,7 +2060,37 @@ wenn die individuelle Security-Layer Transformation den Formvorschriften der Sp X Wird diese Option gewählt wird im AuthBlock, welcher im Anmeldevorgang signiert wird, keine bPK oder wbPK dargestellt. + + BKU-Selection Template +   + X + X + Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates für die Bürgerkartenauswahl. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus Kapitel 4.1 umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle für Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen. + + + Send-Assertion Template +   + X + X + Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates für die zusätzliche Anmeldeabfrage im Falle einer Single Sign-On Anmeldung. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus Kapitel 4.2 umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle für Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen. + + + SAML2 Post-Binding Template +   + X + X + Pfad zum online-applikationsspezifischen Template für SAML2 (PVP2 S-Profil) http POST-Binding. Relative Pfadangaben werden dabei relativ zum Verzeichnis, in dem sich die MOA-ID-Auth Basiskonfigurationsdatei befindet, interpretiert. Das Template kann ausschließlich aus dem Dateisystem geladen werden. + + + Vollmachtenservice Auswahlseite Template +   + X + X + Pfad zum online-applikationsspezifischen Template zur Auswahl des gewünschten Vollmachtenservices. Relative Pfadangaben werden dabei relativ zum Verzeichnis, in dem sich die MOA-ID-Auth Basiskonfigurationsdatei befindet, interpretiert. Das Template kann ausschließlich aus dem Dateisystem geladen werden. + +
 
+
 
3.2.9.1 Login-Fenster Konfiguration

Diese Konfigurationsparameter bieten zusätzliche Einstellungen für eine Anpassung der Bürgerkartenauswahl welche von MOA-ID-Auth generiert wird. Zur besseren Handhabung werden die angegebenen Parameter direkt in einer Vorschau dargestellt. diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java index c582050ad..710008714 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java @@ -32,7 +32,7 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; -import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad; import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; @@ -68,10 +68,10 @@ public class GenerateBKUSelectionFrameTask extends AbstractAuthServletTask { throw new AuthenticationException("auth.00", new Object[] { pendingReq.getOAURL() }); } - - IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration( + + IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithDBLoad( pendingReq, - ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_BKUSELECTION, + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_BKUSELECTION, GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION); guiBuilder.build(response, config, "BKU-Selection form"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java index ca99e9ba3..475009cf2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java @@ -31,7 +31,7 @@ import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; -import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad; import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; @@ -67,10 +67,10 @@ public class GenerateSSOConsentEvaluatorFrameTask extends AbstractAuthServletTas //store pending request requestStoreage.storePendingRequest(pendingReq); - //build consents evaluator form - IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration( + //build consents evaluator form + IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithDBLoad( pendingReq, - ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_SENDASSERTION, + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_SENDASSERTION, GeneralProcessEngineSignalController.ENDPOINT_SENDASSERTION_EVALUATION); guiBuilder.build(response, config, "SendAssertion-Evaluation"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java index 9b658d81b..416e787a7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java @@ -34,7 +34,7 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; -import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IRequest; @@ -71,17 +71,17 @@ public class GUILayoutBuilderServlet extends AbstractController { IRequest pendingReq = extractPendingRequest(req); //initialize GUI builder configuration - ServiceProviderSpecificGUIFormBuilderConfiguration config = null; + SPSpecificGUIBuilderConfigurationWithDBLoad config = null; if (pendingReq != null) - config = new ServiceProviderSpecificGUIFormBuilderConfiguration( + config = new SPSpecificGUIBuilderConfigurationWithDBLoad( pendingReq, - ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_CSS, + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_CSS, null); else - config = new ServiceProviderSpecificGUIFormBuilderConfiguration( + config = new SPSpecificGUIBuilderConfigurationWithDBLoad( HTTPUtils.extractAuthURLFromRequest(req), - ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_CSS, + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_CSS, null); //build GUI component @@ -100,17 +100,17 @@ public class GUILayoutBuilderServlet extends AbstractController { IRequest pendingReq = extractPendingRequest(req); //initialize GUI builder configuration - ServiceProviderSpecificGUIFormBuilderConfiguration config = null; + SPSpecificGUIBuilderConfigurationWithDBLoad config = null; if (pendingReq != null) - config = new ServiceProviderSpecificGUIFormBuilderConfiguration( + config = new SPSpecificGUIBuilderConfigurationWithDBLoad( pendingReq, - ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_JS, + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_JS, GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION); else - config = new ServiceProviderSpecificGUIFormBuilderConfiguration( + config = new SPSpecificGUIBuilderConfigurationWithDBLoad( HTTPUtils.extractAuthURLFromRequest(req), - ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_JS, + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_JS, GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION); //build GUI component diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 60b8b31de..7c581d470 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -620,7 +620,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { //send SLO response to SLO request issuer SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq); LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs()); - sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState); + sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq); } else { //print SLO information directly @@ -656,7 +656,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { if (pvpReq != null) { SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq); LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); - sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState); + sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq); revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java new file mode 100644 index 000000000..b05e60e94 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java @@ -0,0 +1,114 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.opemsaml; + +import java.io.BufferedReader; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.io.OutputStreamWriter; +import java.io.Writer; + +import org.apache.velocity.VelocityContext; +import org.apache.velocity.app.VelocityEngine; +import org.opensaml.common.binding.SAMLMessageContext; +import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; +import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.ws.transport.http.HTTPOutTransport; +import org.opensaml.ws.transport.http.HTTPTransportUtils; + +import at.gv.egovernment.moa.id.auth.frontend.builder.GUIFormBuilderImpl; +import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class MOAIDHTTPPostEncoder extends HTTPPostEncoder { + + private VelocityEngine velocityEngine; + private IGUIBuilderConfiguration guiConfig; + private GUIFormBuilderImpl guiBuilder; + + /** + * @param engine + * @param templateId + */ + public MOAIDHTTPPostEncoder(IGUIBuilderConfiguration guiConfig, GUIFormBuilderImpl guiBuilder, VelocityEngine engine) { + super(engine, null); + this.velocityEngine = engine; + this.guiConfig = guiConfig; + this.guiBuilder = guiBuilder; + + } + + /** + * Base64 and POST encodes the outbound message and writes it to the outbound transport. + * + * @param messageContext current message context + * @param endpointURL endpoint URL to which to encode message + * + * @throws MessageEncodingException thrown if there is a problem encoding the message + */ + protected void postEncode(SAMLMessageContext messageContext, String endpointURL) throws MessageEncodingException { + Logger.debug("Invoking Velocity template to create POST body"); + InputStream is = null; + try { + //build Velocity Context from GUI input paramters + VelocityContext context = guiBuilder.generateVelocityContextFromConfiguration(guiConfig); + + //load template + is = guiBuilder.getTemplateInputStream(guiConfig); + + //populate velocity context with SAML2 parameters + populateVelocityContext(context, messageContext, endpointURL); + + //populate transport parameter + HTTPOutTransport outTransport = (HTTPOutTransport) messageContext.getOutboundMessageTransport(); + HTTPTransportUtils.addNoCacheHeaders(outTransport); + HTTPTransportUtils.setUTF8Encoding(outTransport); + HTTPTransportUtils.setContentType(outTransport, "text/html"); + + //evaluate template and write content to response + Writer out = new OutputStreamWriter(outTransport.getOutgoingStream(), "UTF-8"); + velocityEngine.evaluate(context, out, "SAML2_POST_BINDING", new BufferedReader(new InputStreamReader(is))); + out.flush(); + + } catch (Exception e) { + Logger.error("Error invoking Velocity template", e); + throw new MessageEncodingException("Error creating output document", e); + + } finally { + if (is != null) { + try { + is.close(); + + } catch (IOException e) { + Logger.error("Can NOT close GUI-Template InputStream.", e); + } + } + + } + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index 365a31fe1..643e30ac9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -39,6 +39,7 @@ import org.opensaml.saml2.core.Response; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; @@ -79,6 +80,7 @@ public class AttributQueryAction implements IAction { @Autowired private IDPCredentialProvider pvpCredentials; @Autowired private AuthConfiguration authConfig; @Autowired(required=true) private MOAMetadataProvider metadataProvider; + @Autowired(required=true) ApplicationContext springContext; private final static List DEFAULTSTORKATTRIBUTES = Arrays.asList( new String[]{PVPConstants.EID_STORK_TOKEN_NAME}); @@ -141,9 +143,9 @@ public class AttributQueryAction implements IAction { metadataProvider, issuerEntityID, attrQuery, date, assertion, authConfig.isPVP2AssertionEncryptionActive()); - SoapBinding decoder = new SoapBinding(); + SoapBinding decoder = springContext.getBean("PVPSOAPBinding", SoapBinding.class); decoder.encodeRespone(httpReq, httpResp, authResponse, null, null, - pvpCredentials.getIDPAssertionSigningCredential()); + pvpCredentials.getIDPAssertionSigningCredential(), pendingReq); return null; } catch (MessageEncodingException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java index aac49844e..9d60ae4b2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java @@ -35,6 +35,7 @@ import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; @@ -62,6 +63,7 @@ public class AuthenticationAction implements IAction { @Autowired IDPCredentialProvider pvpCredentials; @Autowired AuthConfiguration authConfig; @Autowired(required=true) private MOAMetadataProvider metadataProvider; + @Autowired(required=true) ApplicationContext springContext; public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { @@ -102,11 +104,11 @@ public class AuthenticationAction implements IAction { if (consumerService.getBinding().equals( SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { - binding = new RedirectBinding(); + binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class); } else if (consumerService.getBinding().equals( SAMLConstants.SAML2_POST_BINDING_URI)) { - binding = new PostBinding(); + binding = springContext.getBean("PVPPOSTBinding", PostBinding.class); } @@ -117,7 +119,7 @@ public class AuthenticationAction implements IAction { try { binding.encodeRespone(httpReq, httpResp, authResponse, consumerService.getLocation(), moaRequest.getRelayState(), - pvpCredentials.getIDPAssertionSigningCredential()); + pvpCredentials.getIDPAssertionSigningCredential(), req); //set protocol type sloInformation.setProtocolType(req.requestedModule()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index a7a249eed..216d7a8b1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -444,13 +444,13 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { IEncoder encoder = null; if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { - encoder = new RedirectBinding(); + encoder = applicationContext.getBean("PVPRedirectBinding", RedirectBinding.class); } else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { - encoder = new PostBinding(); + encoder = applicationContext.getBean("PVPPOSTBinding", PostBinding.class); } else if (pvpRequest.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) { - encoder = new SoapBinding(); + encoder = applicationContext.getBean("PVPSOAPBinding", SoapBinding.class); } if(encoder == null) { @@ -465,7 +465,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { X509Credential signCred = pvpCredentials.getIDPAssertionSigningCredential(); encoder.encodeRespone(request, response, samlResponse, pvpRequest.getConsumerURL(), - relayState, signCred); + relayState, signCred, protocolRequest); return true; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java index ff703d585..f709da213 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java @@ -111,7 +111,7 @@ public class SingleLogOutAction implements IAction { //LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, null); Logger.info("Sending SLO success message to requester ..."); - sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); + sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState(), pvpReq); return null; } else { @@ -127,7 +127,7 @@ public class SingleLogOutAction implements IAction { //LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, null); Logger.info("Sending SLO success message to requester ..."); - sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); + sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState(), pvpReq); return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java index 3b2fb3687..ccbef6e6c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java @@ -31,6 +31,7 @@ import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; public interface IEncoder { @@ -43,12 +44,13 @@ public interface IEncoder { * @param targetLocation URL, where the request should be transmit * @param relayState token for session handling * @param credentials Credential to sign the request object + * @param pendingReq Internal MOA-ID request object that contains session-state informations but never null * @throws MessageEncodingException * @throws SecurityException * @throws PVP2Exception */ public void encodeRequest(HttpServletRequest req, - HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState, Credential credentials) + HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException, PVP2Exception; /** @@ -59,10 +61,11 @@ public interface IEncoder { * @param targetLocation URL, where the request should be transmit * @param relayState token for session handling * @param credentials Credential to sign the response object + * @param pendingReq Internal MOA-ID request object that contains session-state informations but never null * @throws MessageEncodingException * @throws SecurityException */ public void encodeRespone(HttpServletRequest req, - HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState, Credential credentials) + HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException, PVP2Exception; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 9977e607b..c7688c14b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -25,13 +25,11 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.apache.velocity.app.VelocityEngine; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; import org.opensaml.common.binding.decoding.URIComparator; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.decoding.HTTPPostDecoder; -import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.saml2.metadata.IDPSSODescriptor; @@ -49,8 +47,17 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; +import at.gv.egovernment.moa.id.auth.frontend.builder.GUIFormBuilderImpl; +import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithFileSystemLoad; import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; +import at.gv.egovernment.moa.id.opemsaml.MOAIDHTTPPostEncoder; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; @@ -62,10 +69,14 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; +@Service("PVPPOSTBinding") public class PostBinding implements IDecoder, IEncoder { + + @Autowired(required=true) AuthConfiguration authConfig; + @Autowired(required=true) GUIFormBuilderImpl guiBuilder; public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation, String relayState, Credential credentials) + RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException { try { @@ -75,9 +86,18 @@ public class PostBinding implements IDecoder, IEncoder { //load default PVP security configurations MOADefaultBootstrap.initializeDefaultPVPConfiguration(); - VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine(); - HTTPPostEncoder encoder = new HTTPPostEncoder(engine, - "resources/templates/pvp_postbinding_template.html"); + //initialize POST binding encoder with template decoration + IGUIBuilderConfiguration guiConfig = + new SPSpecificGUIBuilderConfigurationWithFileSystemLoad( + pendingReq, + "pvp_postbinding_template.html", + MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, + null, + authConfig.getRootConfigFileDir()); + MOAIDHTTPPostEncoder encoder = new MOAIDHTTPPostEncoder(guiConfig, guiBuilder, + VelocityProvider.getClassPathVelocityEngine()); + + //set OpenSAML2 process parameter into binding context dao HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( resp, true); BasicSAMLMessageContext context = new BasicSAMLMessageContext(); @@ -103,22 +123,27 @@ public class PostBinding implements IDecoder, IEncoder { } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, - StatusResponseType response, String targetLocation, String relayState, Credential credentials) + StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException { try { -// X509Credential credentials = credentialProvider -// .getIDPAssertionSigningCredential(); - //load default PVP security configurations MOADefaultBootstrap.initializeDefaultPVPConfiguration(); Logger.debug("create SAML POSTBinding response"); - VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine(); - - HTTPPostEncoder encoder = new HTTPPostEncoder(engine, - "resources/templates/pvp_postbinding_template.html"); + //initialize POST binding encoder with template decoration + IGUIBuilderConfiguration guiConfig = + new SPSpecificGUIBuilderConfigurationWithFileSystemLoad( + pendingReq, + "pvp_postbinding_template.html", + MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, + null, + authConfig.getRootConfigFileDir()); + MOAIDHTTPPostEncoder encoder = new MOAIDHTTPPostEncoder(guiConfig, guiBuilder, + VelocityProvider.getClassPathVelocityEngine()); + + //set OpenSAML2 process parameter into binding context dao HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( resp, true); BasicSAMLMessageContext context = new BasicSAMLMessageContext(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 279038967..4f44a6202 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -50,7 +50,9 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; +import org.springframework.stereotype.Service; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; @@ -62,10 +64,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; +@Service("PVPRedirectBinding") public class RedirectBinding implements IDecoder, IEncoder { public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation, String relayState, Credential credentials) + RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException { // try { @@ -100,7 +103,7 @@ public class RedirectBinding implements IDecoder, IEncoder { public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState, - Credential credentials) throws MessageEncodingException, SecurityException { + Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException { // try { // X509Credential credentials = credentialProvider // .getIDPAssertionSigningCredential(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index 94d91694a..552b64ac6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -48,7 +48,9 @@ import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.signature.SignableXMLObject; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; @@ -60,6 +62,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; +@Service("PVPSOAPBinding") public class SoapBinding implements IDecoder, IEncoder { @Autowired(required=true) private MOAMetadataProvider metadataProvider; @@ -136,13 +139,13 @@ public class SoapBinding implements IDecoder, IEncoder { } public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation, String relayState, Credential credentials) + RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException, PVP2Exception { } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, - StatusResponseType response, String targetLocation, String relayState, Credential credentials) + StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException, PVP2Exception { // try { // Credential credentials = credentialProvider diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java index 01ef4a43d..f29418853 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java @@ -44,6 +44,8 @@ import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.commons.api.IRequest; @@ -64,6 +66,7 @@ import at.gv.egovernment.moa.util.MiscUtil; @Service("PVPAuthnRequestBuilder") public class PVPAuthnRequestBuilder { + @Autowired(required=true) ApplicationContext springContext; /** * Build a PVP2.x specific authentication request @@ -202,17 +205,17 @@ public class PVPAuthnRequestBuilder { IEncoder binding = null; if (endpoint.getBinding().equals( SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { - binding = new RedirectBinding(); + binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class); } else if (endpoint.getBinding().equals( SAMLConstants.SAML2_POST_BINDING_URI)) { - binding = new PostBinding(); + binding = springContext.getBean("PVPPOSTBinding", PostBinding.class); } //encode message binding.encodeRequest(null, httpResp, authReq, - endpoint.getLocation(), pendingReq.getRequestID(), config.getAuthnRequestSigningCredential()); + endpoint.getLocation(), pendingReq.getRequestID(), config.getAuthnRequestSigningCredential(), pendingReq); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index de59e6055..4fef52aec 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -59,6 +59,7 @@ import org.opensaml.xml.signature.Signature; import org.opensaml.xml.signature.SignatureConstants; import org.opensaml.xml.signature.Signer; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; import org.w3c.dom.Document; @@ -95,7 +96,9 @@ import at.gv.egovernment.moa.logging.Logger; public class SingleLogOutBuilder { @Autowired(required=true) private MOAMetadataProvider metadataProvider; + @Autowired(required=true) ApplicationContext springContext; @Autowired private IDPCredentialProvider credentialProvider; + public void checkStatusCode(ISLOInformationContainer sloContainer, LogoutResponse logOutResp) { Status status = logOutResp.getStatus(); @@ -185,15 +188,15 @@ public class SingleLogOutBuilder { public void sendFrontChannelSLOMessage(SingleLogoutService consumerService, LogoutResponse sloResp, HttpServletRequest req, HttpServletResponse resp, - String relayState) throws MOAIDException { + String relayState, PVPTargetConfiguration pvpReq) throws MOAIDException { IEncoder binding = null; if (consumerService.getBinding().equals( SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { - binding = new RedirectBinding(); + binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class); } else if (consumerService.getBinding().equals( SAMLConstants.SAML2_POST_BINDING_URI)) { - binding = new PostBinding(); + binding = springContext.getBean("PVPPOSTBinding", PostBinding.class); } @@ -204,7 +207,7 @@ public class SingleLogOutBuilder { try { binding.encodeRespone(req, resp, sloResp, consumerService.getLocation(), relayState, - credentialProvider.getIDPAssertionSigningCredential()); + credentialProvider.getIDPAssertionSigningCredential(), pvpReq); } catch (MessageEncodingException e) { Logger.error("Message Encoding exception", e); diff --git a/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html b/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html deleted file mode 100644 index f5bca7f1f..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html +++ /dev/null @@ -1,193 +0,0 @@ - - - - - - Berufsmäßige Parteieinvertretung - - - Berufsmäßige Parteienvertretung einer - natürlichen/juristischen Person -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Vertreter:
Vorname Stern -
Name Stern -
Geburtsdatum Stern - -

Ich bin berufsmäßig - berechtigt für die nachfolgend genannte Person in deren Namen - mit der Bürgerkarte einzuschreiten.
 

Vertretene Person:
 natürliche - Person: 
Vorname Stern Info
Name Stern Info
Geburtsdatum Stern - -  Info
optional: -
Straße  
Hausnummer  Info
Einh. Nr.  Info
Postleitzahl  Info
Gemeinde  Info
 
 juristische - Person: 
Name Stern Info
 Stern Info
-
- -

- Bitte halten Sie Ihre Bürgerkartenumgebung bereit. -

-

- - -

-
- - - diff --git a/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html b/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html deleted file mode 100644 index cffc46981..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html +++ /dev/null @@ -1,235 +0,0 @@ - - - - - - - Berufsmäßige Parteieinvertretung - - - - - - - - - - -
- -   - - -
-
- E-Gov Logo -
-
-

Berufsmäßige Parteienvertretung

-
-
Bitte beachten Sie
-
-
- Stern  Feld muss - ausgefüllt sein -
-
- Info  Ausfüllhilfe -
-
- Rufezeichen  - Fehlerhinweis -
-
 
- -

Berufsmäßige Parteienvertretung einer - natürlichen/juristischen Person

-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Vertreter:
Vorname Stern -
Name Stern -
Geburtsdatum Stern - -

Ich bin berufsmäßig - berechtigt für die nachfolgend genannte Person in deren - Namen mit der Bürgerkarte einzuschreiten.
 

Vertretene Person:
 natürliche - Person: 
Vorname Stern Info
Name Stern Info
Geburtsdatum Stern - -  Info
optional: -
Straße  
Hausnummer  Info -
Einh. Nr.  Info
Postleitzahl  Info
Gemeinde  Info
 
 juristische - Person: 
Name Stern Info
 Stern Info
-
- -

- Bitte halten Sie Ihre Bürgerkartenumgebung bereit. -

-

- - -

-
- -
- - diff --git a/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html b/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html deleted file mode 100644 index f47ee53ff..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html +++ /dev/null @@ -1,16 +0,0 @@ - - - -
-
- -
-

Please indicate the gender of the represented.

-
- - -
-
- - - \ No newline at end of file diff --git a/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm b/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm deleted file mode 100644 index 7fcc1bb36..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm +++ /dev/null @@ -1,36 +0,0 @@ -## -## Velocity Template for OASIS WEBFORM BINDING -## -## Velocity context may contain the following properties -## action - String - the action URL for the form -## signresponse - String - the Base64 encoded SAML Request -## verifyresponse - String - the Base64 encoded SAML Response -## clienturl - String - URL where the USer gets redirected after the signature process - - - - - - -
-
- #if($signrequest)#end - - #if($verifyrequest)#end - #if($clienturl)#end - -
- -
- - - \ No newline at end of file diff --git a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html b/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html deleted file mode 100644 index 64e88a688..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html +++ /dev/null @@ -1,48 +0,0 @@ -## ## Velocity Template for SAML 2 HTTP-POST binding ## ## Velocity -##context may contain the following properties ## action - String - the -##action URL for the form ## RelayState - String - the relay state for the -##message ## SAMLRequest - String - the Base64 encoded SAML Request ## -##SAMLResponse - String - the Base64 encoded SAML Response - - - - - - - -
Your login is being processed. Thank you for - waiting.
- - - -
-
- #if($RelayState)#end #if($SAMLRequest)#end #if($SAMLResponse)#end - -
- -
- - - \ No newline at end of file diff --git a/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html b/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html new file mode 100644 index 000000000..45c183215 --- /dev/null +++ b/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html @@ -0,0 +1,46 @@ +## ## Velocity Template for SAML 2 HTTP-POST binding ## ## Velocity +##context may contain the following properties ## action - String - the +##action URL for the form ## RelayState - String - the relay state for the +##message ## SAMLRequest - String - the Base64 encoded SAML Request ## +##SAMLResponse - String - the Base64 encoded SAML Response + + + + + + + +
Your login is being processed. Thank you for + waiting.
+ + + +
+
+ #if($RelayState) #end + #if($SAMLRequest) #end + #if($SAMLResponse) #end +
+ +
+ + + \ No newline at end of file diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java index b8284c8f9..5091195d8 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java @@ -143,7 +143,9 @@ public class ConfigurationMigrationUtils { if (MiscUtil.isNotEmpty(oa.getEventCodes())) { result.put(MOAIDConfigurationConstants.SERVICE_REVERSION_LOGS_EVENTCODES, oa.getEventCodes()); } - + + result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL, oa.getMandateServiceSelectionTemplateURL()); + result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, oa.getSaml2PostBindingTemplateURL()); //convert target String target_full = oa.getTarget(); @@ -769,6 +771,9 @@ public class ConfigurationMigrationUtils { } dbOA.setSelectedSZRGWServiceURL(oa.get(MOAIDConfigurationConstants.SERVICE_EXTERNAL_SZRGW_SERVICE_URL)); + + dbOA.setMandateServiceSelectionTemplateURL(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL)); + dbOA.setSaml2PostBindingTemplateURL(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL)); if (Boolean.valueOf(oa.get(MOAIDConfigurationConstants.SERVICE_BUSINESSSERVICE))) { dbOA.setType(MOA_CONFIG_BUSINESSSERVICE); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java index 9fe90daa4..b72034002 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java @@ -105,6 +105,9 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants { public static final String SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETHEIGHT = SERVICE_AUTH_TEMPLATES_CUSTOMIZATION + ".applet.hight"; public static final String SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETWIDTH = SERVICE_AUTH_TEMPLATES_CUSTOMIZATION + ".applet.width"; + public static final String SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL = SERVICE_AUTH_TEMPLATES + ".saml2.postbinding.url"; + public static final String SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL = SERVICE_AUTH_TEMPLATES + ".elga.mandateserviceselection.url"; + private static final String SERVICE_AUTH_TESTCREDENTIALS = AUTH + "." + TESTCREDENTIALS; public static final String SERVICE_AUTH_TESTCREDENTIALS_ENABLED = SERVICE_AUTH_TESTCREDENTIALS + ".enabled"; public static final String SERVICE_AUTH_TESTCREDENTIALS_OIDs = SERVICE_AUTH_TESTCREDENTIALS + ".oids"; diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java index 4aee10bc1..196923ce6 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java @@ -109,10 +109,44 @@ public class OnlineApplication @XmlTransient protected String selectedSZRGWServiceURL = null; + @XmlTransient + protected String saml2PostBindingTemplateURL = null; + + @XmlTransient + protected String mandateServiceSelectionTemplateURL = null; + /** + * @return the saml2PostBindingTemplateURL + */ + public String getSaml2PostBindingTemplateURL() { + return saml2PostBindingTemplateURL; + } + + /** + * @param saml2PostBindingTemplateURL the saml2PostBindingTemplateURL to set + */ + public void setSaml2PostBindingTemplateURL(String saml2PostBindingTemplateURL) { + this.saml2PostBindingTemplateURL = saml2PostBindingTemplateURL; + } + + /** + * @return the mandateServiceSelectionTemplateURL + */ + public String getMandateServiceSelectionTemplateURL() { + return mandateServiceSelectionTemplateURL; + } + + /** + * @param mandateServiceSelectionTemplateURL the mandateServiceSelectionTemplateURL to set + */ + public void setMandateServiceSelectionTemplateURL(String mandateServiceSelectionTemplateURL) { + this.mandateServiceSelectionTemplateURL = mandateServiceSelectionTemplateURL; + } + + /** * @return the selectedSZRGWServiceURL */ public String getSelectedSZRGWServiceURL() { diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java new file mode 100644 index 000000000..4bb4b0e27 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java @@ -0,0 +1,187 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.frontend.builder; + +import java.io.ByteArrayInputStream; +import java.io.InputStream; +import java.util.HashMap; +import java.util.Map; + +import at.gv.egovernment.moa.id.auth.frontend.utils.FormBuildUtils; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.data.CPEPS; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration extends AbstractGUIFormBuilderConfiguration { + + public static final String VIEW_BKUSELECTION = "loginFormFull.html"; + public static final String VIEW_SENDASSERTION = "sendAssertionFormFull.html"; + public static final String VIEW_TEMPLATE_CSS = "css_template.css"; + public static final String VIEW_TEMPLATE_JS = "javascript_tempalte.js"; + + public static final String PARAM_BKU_ONLINE = "bkuOnline"; + public static final String PARAM_BKU_HANDY = "bkuHandy"; + public static final String PARAM_BKU_LOCAL = "bkuLocal"; + + public static final String PARAM_OANAME = "OAName"; + public static final String PARAM_COUNTRYLIST = "countryList"; + + protected IRequest pendingReq = null; + + /** + * @param authURL PublicURLPrefix of the IDP but never null + * @param viewName Name of the template (with suffix) but never null + * @param formSubmitEndpoint EndPoint on which the form should be submitted, + * or null if the form must not submitted + */ + public AbstractServiceProviderSpecificGUIFormBuilderConfiguration(String authURL, String viewName, + String formSubmitEndpoint) { + super(authURL, viewName, formSubmitEndpoint); + + } + + /** + * @param Current processed pending-request DAO but never null + * @param viewName Name of the template (with suffix) but never null + * @param formSubmitEndpoint EndPoint on which the form should be submitted, + * or null if the form must not submitted + */ + public AbstractServiceProviderSpecificGUIFormBuilderConfiguration(IRequest pendingReq, String viewName, + String formSubmitEndpoint) { + super(pendingReq.getAuthURL(), viewName, formSubmitEndpoint); + this.pendingReq = pendingReq; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters() + */ + @Override + public Map getSpecificViewParameters() { + Map params = new HashMap(); + params.put(PARAM_BKU_ONLINE, IOAAuthParameters.ONLINEBKU); + params.put(PARAM_BKU_HANDY, IOAAuthParameters.HANDYBKU); + params.put(PARAM_BKU_LOCAL, IOAAuthParameters.LOCALBKU); + + if (pendingReq != null) { + params.put(PARAM_PENDINGREQUESTID, pendingReq.getRequestID()); + + //add service-provider specific GUI parameters + IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); + if (oaParam != null) { + params.put(PARAM_OANAME, oaParam.getFriendlyName()); + + if (oaParam.isShowStorkLogin()) + addCountrySelection(params, oaParam); + else + params.put(PARAM_COUNTRYLIST, ""); + + FormBuildUtils.customiceLayoutBKUSelection(params, oaParam); + + } else + FormBuildUtils.defaultLayoutBKUSelection(params); + + + } else { + //add default GUI parameters + FormBuildUtils.defaultLayoutBKUSelection(params); + + } + + return params; + } + + /** + * @param params + * @param oaParam + */ + private void addCountrySelection(Map params, IOAAuthParameters oaParam) { + String pepslist = ""; + try { + for (CPEPS current : oaParam.getPepsList()) { + String countryName = null; + if (MiscUtil.isNotEmpty(MOAIDAuthConstants.COUNTRYCODE_XX_TO_NAME.get(current.getFullCountryCode().toUpperCase()))) + countryName = MOAIDAuthConstants.COUNTRYCODE_XX_TO_NAME.get(current.getFullCountryCode().toUpperCase()); + else + countryName = current.getFullCountryCode().toUpperCase(); + + pepslist += "\n"; + + } + params.put(PARAM_COUNTRYLIST, pepslist); + + } catch (NullPointerException e) { + Logger.warn("Can not at Countries to GUI. Msg:" + e.getMessage()); + + } + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getClasspathTemplateDir() + */ + @Override + public String getClasspathTemplateDir() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String) + */ + @Override + public InputStream getTemplate(String viewName) { + if (pendingReq != null && pendingReq.getOnlineApplicationConfiguration() != null) { + + byte[] oatemplate = null; + if (VIEW_BKUSELECTION.equals(viewName)) + oatemplate = pendingReq.getOnlineApplicationConfiguration().getBKUSelectionTemplate(); + + else if (VIEW_SENDASSERTION.equals(viewName)) + oatemplate = pendingReq.getOnlineApplicationConfiguration().getSendAssertionTemplate(); + + // OA specific template requires a size of 8 bits minimum + if (oatemplate != null && oatemplate.length > 7) + return new ByteArrayInputStream(oatemplate); + } + + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getDefaultContentType() + */ + @Override + public String getDefaultContentType() { + return null; + } + +} diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java index e8cd60afb..285c90163 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java @@ -78,24 +78,16 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder { build(httpResp, config, getInternalContentType(config), loggerName); } - - + @Override public void build(HttpServletResponse httpResp, IGUIBuilderConfiguration config, String contentType, String loggerName) throws GUIBuildException { InputStream is = null; try { - String viewName = config.getViewName(); + String viewName = config.getViewName(); + is = getTemplateInputStream(config); - //load Tempate - is = getInternalTemplate(config); - if (is == null) { - Logger.warn("No GUI with viewName:" + viewName + " FOUND."); - throw new GUIBuildException("No GUI with viewName:" + viewName + " FOUND."); - - } - //build Velocity Context from input paramters VelocityContext context = buildContextFromViewParams(config.getViewParameters()); @@ -137,6 +129,35 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder { } + /** + * Generate a new {@link VelocityContext} and populate it with MOA-ID GUI parameters + * + * @param config + * @return + */ + public VelocityContext generateVelocityContextFromConfiguration(IGUIBuilderConfiguration config) { + return buildContextFromViewParams(config.getViewParameters()); + + } + + /** + * Load the template from different resources + * + * @param config + * @return An {@link InputStream} but never null. The {@link InputStream} had to be closed be the invoking method + * @throws GUIBuildException + */ + public InputStream getTemplateInputStream(IGUIBuilderConfiguration config) throws GUIBuildException { + InputStream is = getInternalTemplate(config); + if (is == null) { + Logger.warn("No GUI with viewName:" + config.getViewName() + " FOUND."); + throw new GUIBuildException("No GUI with viewName:" + config.getViewName() + " FOUND."); + + } + return is; + + } + private String getInternalContentType(IGUIBuilderConfiguration config) { if (MiscUtil.isEmpty(config.getDefaultContentType())) return DEFAULT_CONTENT_TYPE; @@ -167,7 +188,7 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder { } catch (Exception e) { //load template from classpath as backup - Logger.info("GUI template:" + viewName + " is not found in configuration directory. " + Logger.debug("GUI template:" + viewName + " is not found in configuration directory. " + " Load template from project library ... "); try { pathLocation = getInternalClasspathTemplateDir(config) + viewName; diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java index 198220e97..8e8a63094 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java @@ -64,4 +64,5 @@ public interface IGUIFormBuilder { */ void build(HttpServletResponse httpResp, IGUIBuilderConfiguration config, String contentType, String loggerName) throws GUIBuildException; + } diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java new file mode 100644 index 000000000..13d8d3bb7 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java @@ -0,0 +1,82 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.frontend.builder; + +import java.io.ByteArrayInputStream; +import java.io.InputStream; + +import at.gv.egovernment.moa.id.commons.api.IRequest; + +/** + * @author tlenz + * + */ +public class SPSpecificGUIBuilderConfigurationWithDBLoad extends AbstractServiceProviderSpecificGUIFormBuilderConfiguration { + + /** + * @param authURL PublicURLPrefix of the IDP but never null + * @param viewName Name of the template (with suffix) but never null + * @param formSubmitEndpoint EndPoint on which the form should be submitted, + * or null if the form must not submitted + */ + public SPSpecificGUIBuilderConfigurationWithDBLoad(String authURL, String viewName, + String formSubmitEndpoint) { + super(authURL, viewName, formSubmitEndpoint); + + } + + /** + * @param Current processed pending-request DAO but never null + * @param viewName Name of the template (with suffix) but never null + * @param formSubmitEndpoint EndPoint on which the form should be submitted, + * or null if the form must not submitted + */ + public SPSpecificGUIBuilderConfigurationWithDBLoad(IRequest pendingReq, String viewName, + String formSubmitEndpoint) { + super(pendingReq, viewName, formSubmitEndpoint); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String) + */ + @Override + public InputStream getTemplate(String viewName) { + if (pendingReq != null && pendingReq.getOnlineApplicationConfiguration() != null) { + + byte[] oatemplate = null; + if (VIEW_BKUSELECTION.equals(viewName)) + oatemplate = pendingReq.getOnlineApplicationConfiguration().getBKUSelectionTemplate(); + + else if (VIEW_SENDASSERTION.equals(viewName)) + oatemplate = pendingReq.getOnlineApplicationConfiguration().getSendAssertionTemplate(); + + // OA specific template requires a size of 8 bits minimum + if (oatemplate != null && oatemplate.length > 7) + return new ByteArrayInputStream(oatemplate); + } + + return null; + } + +} diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java new file mode 100644 index 000000000..8bb6bc4e3 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java @@ -0,0 +1,110 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.frontend.builder; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.InputStream; +import java.net.MalformedURLException; +import java.net.URI; +import java.net.URISyntaxException; +import java.net.URL; + +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.FileUtils; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public class SPSpecificGUIBuilderConfigurationWithFileSystemLoad extends AbstractServiceProviderSpecificGUIFormBuilderConfiguration { + + private String configKeyIdentifier = null; + private String configRootContextDir = null; + + /** + * @param authURL PublicURLPrefix of the IDP but never null + * @param viewName Name of the template (with suffix) but never null + * @param configKeyIdentifier Identifier of the configuration key in OA configuration that holds the filesystem URI to template + * @param formSubmitEndpoint EndPoint on which the form should be submitted + * @param configRootContextDir Path to MOA-ID-Auth configuration root directory + * or null if the form must not submitted + */ + public SPSpecificGUIBuilderConfigurationWithFileSystemLoad(String authURL, String viewName, + String configKeyIdentifier, String formSubmitEndpoint, String configRootContextDir) { + super(authURL, viewName, formSubmitEndpoint); + this.configKeyIdentifier = configKeyIdentifier; + this.configRootContextDir = configRootContextDir; + + } + + /** + * @param Current processed pending-request DAO but never null + * @param viewName Name of the template (with suffix) but never null + * @param configKeyIdentifier Identifier of the configuration key in OA configuration that holds the filesystem URI to template + * @param formSubmitEndpoint EndPoint on which the form should be submitted + * @param configRootContextDir Path to MOA-ID-Auth configuration root directory + */ + public SPSpecificGUIBuilderConfigurationWithFileSystemLoad(IRequest pendingReq, String viewName, + String configKeyIdentifier, String formSubmitEndpoint, String configRootContextDir) { + super(pendingReq, viewName, formSubmitEndpoint); + this.configKeyIdentifier = configKeyIdentifier; + this.configRootContextDir = configRootContextDir; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String) + */ + @Override + public InputStream getTemplate(String viewName) { + if (pendingReq != null && pendingReq.getOnlineApplicationConfiguration() != null && + configKeyIdentifier != null) { + try { + String templateURL = pendingReq.getOnlineApplicationConfiguration().getConfigurationValue(configKeyIdentifier); + if (MiscUtil.isNotEmpty(templateURL)) { + String absURL = FileUtils.makeAbsoluteURL(templateURL, configRootContextDir); + if (!absURL.startsWith("file:")) { + Logger.warn("GUI template are only loadable from filesystem! " + + "(templateURL: " + absURL + ")"); + return null; + } + + Logger.debug("Load template URL for view: " + viewName + " from: " + absURL); + URI uri = new URL(absURL).toURI(); + return new FileInputStream(new File(uri)); + + } + } catch (FileNotFoundException | URISyntaxException | MalformedURLException e) { + Logger.warn("Template for view: " + viewName + " is NOT loadable! -> Switch to default template", e); + + } + } + + return null; + } + +} diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java deleted file mode 100644 index 8244d630d..000000000 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java +++ /dev/null @@ -1,187 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.auth.frontend.builder; - -import java.io.ByteArrayInputStream; -import java.io.InputStream; -import java.util.HashMap; -import java.util.Map; - -import at.gv.egovernment.moa.id.auth.frontend.utils.FormBuildUtils; -import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.commons.api.IRequest; -import at.gv.egovernment.moa.id.commons.api.data.CPEPS; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -/** - * @author tlenz - * - */ -public class ServiceProviderSpecificGUIFormBuilderConfiguration extends AbstractGUIFormBuilderConfiguration { - - public static final String VIEW_BKUSELECTION = "loginFormFull.html"; - public static final String VIEW_SENDASSERTION = "sendAssertionFormFull.html"; - public static final String VIEW_TEMPLATE_CSS = "css_template.css"; - public static final String VIEW_TEMPLATE_JS = "javascript_tempalte.js"; - - public static final String PARAM_BKU_ONLINE = "bkuOnline"; - public static final String PARAM_BKU_HANDY = "bkuHandy"; - public static final String PARAM_BKU_LOCAL = "bkuLocal"; - - public static final String PARAM_OANAME = "OAName"; - public static final String PARAM_COUNTRYLIST = "countryList"; - - private IRequest pendingReq = null; - - /** - * @param authURL PublicURLPrefix of the IDP but never null - * @param viewName Name of the template (with suffix) but never null - * @param formSubmitEndpoint EndPoint on which the form should be submitted, - * or null if the form must not submitted - */ - public ServiceProviderSpecificGUIFormBuilderConfiguration(String authURL, String viewName, - String formSubmitEndpoint) { - super(authURL, viewName, formSubmitEndpoint); - - } - - /** - * @param Current processed pending-request DAO but never null - * @param viewName Name of the template (with suffix) but never null - * @param formSubmitEndpoint EndPoint on which the form should be submitted, - * or null if the form must not submitted - */ - public ServiceProviderSpecificGUIFormBuilderConfiguration(IRequest pendingReq, String viewName, - String formSubmitEndpoint) { - super(pendingReq.getAuthURL(), viewName, formSubmitEndpoint); - this.pendingReq = pendingReq; - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters() - */ - @Override - public Map getSpecificViewParameters() { - Map params = new HashMap(); - params.put(PARAM_BKU_ONLINE, IOAAuthParameters.ONLINEBKU); - params.put(PARAM_BKU_HANDY, IOAAuthParameters.HANDYBKU); - params.put(PARAM_BKU_LOCAL, IOAAuthParameters.LOCALBKU); - - if (pendingReq != null) { - params.put(PARAM_PENDINGREQUESTID, pendingReq.getRequestID()); - - //add service-provider specific GUI parameters - IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); - if (oaParam != null) { - params.put(PARAM_OANAME, oaParam.getFriendlyName()); - - if (oaParam.isShowStorkLogin()) - addCountrySelection(params, oaParam); - else - params.put(PARAM_COUNTRYLIST, ""); - - FormBuildUtils.customiceLayoutBKUSelection(params, oaParam); - - } else - FormBuildUtils.defaultLayoutBKUSelection(params); - - - } else { - //add default GUI parameters - FormBuildUtils.defaultLayoutBKUSelection(params); - - } - - return params; - } - - /** - * @param params - * @param oaParam - */ - private void addCountrySelection(Map params, IOAAuthParameters oaParam) { - String pepslist = ""; - try { - for (CPEPS current : oaParam.getPepsList()) { - String countryName = null; - if (MiscUtil.isNotEmpty(MOAIDAuthConstants.COUNTRYCODE_XX_TO_NAME.get(current.getFullCountryCode().toUpperCase()))) - countryName = MOAIDAuthConstants.COUNTRYCODE_XX_TO_NAME.get(current.getFullCountryCode().toUpperCase()); - else - countryName = current.getFullCountryCode().toUpperCase(); - - pepslist += "\n"; - - } - params.put(PARAM_COUNTRYLIST, pepslist); - - } catch (NullPointerException e) { - Logger.warn("Can not at Countries to GUI. Msg:" + e.getMessage()); - - } - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getClasspathTemplateDir() - */ - @Override - public String getClasspathTemplateDir() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String) - */ - @Override - public InputStream getTemplate(String viewName) { - if (pendingReq != null && pendingReq.getOnlineApplicationConfiguration() != null) { - - byte[] oatemplate = null; - if (VIEW_BKUSELECTION.equals(viewName)) - oatemplate = pendingReq.getOnlineApplicationConfiguration().getBKUSelectionTemplate(); - - else if (VIEW_SENDASSERTION.equals(viewName)) - oatemplate = pendingReq.getOnlineApplicationConfiguration().getSendAssertionTemplate(); - - // OA specific template requires a size of 8 bits minimum - if (oatemplate != null && oatemplate.length > 7) - return new ByteArrayInputStream(oatemplate); - } - - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getDefaultContentType() - */ - @Override - public String getDefaultContentType() { - return null; - } - -} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index 3e7a4e875..c55b5a749 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -22,12 +22,10 @@ */ package at.gv.egovernment.moa.id.auth.modules.eidas.tasks; -import java.awt.PageAttributes.MediaType; import java.io.StringWriter; import java.util.ArrayList; import java.util.Collection; import java.util.List; -import java.util.logging.Logger; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -44,6 +42,8 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import org.springframework.util.StringUtils; +import com.google.common.net.MediaType; + import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; @@ -53,8 +53,16 @@ import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.data.CPEPS; +import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; import eu.eidas.auth.commons.EidasStringUtil; import eu.eidas.auth.commons.attribute.AttributeDefinition; import eu.eidas.auth.commons.attribute.AttributeDefinition.Builder; diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java index 98f8d13c7..52970e240 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java @@ -30,7 +30,7 @@ import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; -import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithFileSystemLoad; import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; @@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConsta import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateUtils; import at.gv.egovernment.moa.id.auth.servlet.GeneralProcessEngineSignalController; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.logging.Logger; @@ -60,11 +61,13 @@ public class SelectMandateServiceTask extends AbstractAuthServletTask { //check if Service-Provider allows ELGA-mandates if (ELGAMandateUtils.checkServiceProviderAgainstELGAModulConfigration(authConfig, pendingReq)) { Logger.trace("Build GUI for mandate-service selection ..."); - - IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration( - pendingReq, - ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION, - GeneralProcessEngineSignalController.ENDPOINT_GENERIC); + + IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithFileSystemLoad( + pendingReq, + ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION, + MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL, + GeneralProcessEngineSignalController.ENDPOINT_GENERIC, + authConfig.getRootConfigFileDir()); guiBuilder.build(response, config, "Mandate-Service selection"); -- cgit v1.2.3 From d4e3d5a75ae1922f576a9f28b6bf2267f4bd9ce6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 20 Sep 2017 14:07:55 +0200 Subject: move some elements in OA configuration GUI --- .../src/main/webapp/jsp/snippets/OA/formCustomization.jsp | 9 --------- id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/pvp2.jsp | 11 +++++++++++ id/server/doc/handbook/config/config.html | 14 +++++++------- 3 files changed, 18 insertions(+), 16 deletions(-) (limited to 'id') diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp index 424fdfacc..6dbed0047 100644 --- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp +++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/formCustomization.jsp @@ -211,15 +211,6 @@ cssClass="textfield_long">
-
-

<%=LanguageHelper.getGUIString("webpages.oaconfig.general.templates.saml2.postbinding.header", request) %>

- - -
diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/pvp2.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/pvp2.jsp index 7e40fc60b..693ef8073 100644 --- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/pvp2.jsp +++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/pvp2.jsp @@ -23,6 +23,17 @@
+ +
+

<%=LanguageHelper.getGUIString("webpages.oaconfig.general.templates.saml2.postbinding.header", request) %>

+ + +
+ \ No newline at end of file diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html index 52eb21ab3..84590aaee 100644 --- a/id/server/doc/handbook/config/config.html +++ b/id/server/doc/handbook/config/config.html @@ -1993,6 +1993,13 @@ Soll die Bürgerkartenauswahl weiterhin, wie in MOA-ID 1.5.1 im Kontext der   Zertifikat mit dem die Metadaten der Online-Applikation signiert sind. Dieses wird benötigt um die Metadaten zu verifizieren. + + SAML2 Post-Binding Template +   + X + X + Pfad zum online-applikationsspezifischen Template für SAML2 (PVP2 S-Profil) http POST-Binding. Relative Pfadangaben werden dabei relativ zum Verzeichnis, in dem sich die MOA-ID-Auth Basiskonfigurationsdatei befindet, interpretiert. Das Template kann ausschließlich aus dem Dateisystem geladen werden. +
3.2.8.3 OpenID Connect

In diesem Bereich erfolgt die applikationsspezifische Konfiguration für OpenID Connect (OAuth 2.0).

@@ -2074,13 +2081,6 @@ wenn die individuelle Security-Layer Transformation den Formvorschriften der Sp X Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates für die zusätzliche Anmeldeabfrage im Falle einer Single Sign-On Anmeldung. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus Kapitel 4.2 umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle für Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen. - - SAML2 Post-Binding Template -   - X - X - Pfad zum online-applikationsspezifischen Template für SAML2 (PVP2 S-Profil) http POST-Binding. Relative Pfadangaben werden dabei relativ zum Verzeichnis, in dem sich die MOA-ID-Auth Basiskonfigurationsdatei befindet, interpretiert. Das Template kann ausschließlich aus dem Dateisystem geladen werden. - Vollmachtenservice Auswahlseite Template   -- cgit v1.2.3 From c498c2812a9f2b97da2356774527aaec0ae1f608 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 20 Sep 2017 14:08:07 +0200 Subject: add log message --- .../builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id') diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java index 8bb6bc4e3..b5c50004b 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java @@ -103,7 +103,7 @@ public class SPSpecificGUIBuilderConfigurationWithFileSystemLoad extends Abstrac } } - + Logger.trace("NO ServiceProvider specific template for view: " + viewName + " available"); return null; } -- cgit v1.2.3