From aae0d003526cb8665df93bb715ba126dd12a473d Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Thu, 15 May 2014 09:08:44 +0200
Subject: add additional errorcodes if SAML request validation failed
---
 .../moa/id/entrypoints/DispatcherServlet.java | 20 ++-
 .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 29 +++-
 .../id/protocols/pvp2x/binding/MOAURICompare.java | 3 +-
 .../protocols/pvp2x/binding/RedirectBinding.java | 2 +-
 .../id/protocols/pvp2x/binding/SoapBinding.java | 2 +-
 .../pvp2x/verification/SAMLVerificationEngine.java | 11 +-
 .../moa/id/util/ErrorResponseUtils.java | 2 +-
 .../resources/properties/id_messages_de.properties | 3 +
 .../protocol_response_statuscodes.properties | 184 --------------------
 .../protocol_response_statuscodes_de.properties | 187 +++++++++++++++++++++
 10 files changed, 241 insertions(+), 202 deletions(-)
 delete mode 100644 id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes.properties
 create mode 100644 id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
(limited to 'id')
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 4eba83ad5..a3827ab73 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -36,6 +36,7 @@ import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;
 import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
@@ -56,6 +57,7 @@ import at.gv.egovernment.moa.id.moduls.SSOManager;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException;
 import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl;
+import at.gv.egovernment.moa.id.util.ErrorResponseUtils;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
 import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.id.util.legacy.LegacyHelper;
@@ -310,11 +312,23 @@ public class DispatcherServlet extends AuthServlet{ StatisticLogger logger = StatisticLogger.getInstance(); logger.logErrorOperation(e, e.getErrorRequest()); return; - - } catch (MOAIDException e) { + + }catch (InvalidProtocolRequestException e) { + ErrorResponseUtils utils = ErrorResponseUtils.getInstance(); + String code = utils.mapInternalErrorToExternalError(e.getMessageId()); + String descr = e.getMessage(); + Logger.error("Protocol validation FAILED!"); + resp.setContentType("text/html;charset=UTF-8"); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Protocol validation FAILED!" + + "(Errorcode=" + code + + " | Description=" + descr + ")"); + return; + } catch (MOAIDException e) { Logger.error("Failed to generate a valid protocol request!"); resp.setContentType("text/html;charset=UTF-8"); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!"); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!" + + "(Errorcode=6000" + +" | Description=Das Authentifizierungsprotokoll wurde nicht erkannt oder wird nicht unterst\u00FCzt" + ")"); return; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 8732409b5..863bfe501 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -22,8 +22,6 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x; -import iaik.pkcs.pkcs11.objects.Object; - import java.io.IOException; import java.util.ArrayList; import java.util.HashMap; 
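Review bot: The new `InvalidProtocolRequestException` branch returns `descr`, taken from `e.getMessage()`, verbatim in the HTTP 400 body while the server log only gets the fixed string `"Protocol validation FAILED!"` without the exception; for the `pvp2.22` case that description is built from an OpenSAML SecurityException message, so the party that sent the rejected request learns more about the failed validation than the operator does. Log the exception server-side and return only the mapped code, e.g. `Logger.error("Protocol validation FAILED!", e);` and `resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Protocol validation FAILED! (Errorcode=" + code + ")");`. The `MOAIDException` branch hard-codes `6000` and a German sentence instead of using the same `mapInternalErrorToExternalError` lookup; if `MOAIDException` exposes `getMessageId()` the two branches should share that path so codes come from one place. The enclosing method starts and ends outside the hunk.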
@@ -52,12 +50,15 @@ import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.ws.security.SecurityPolicyException; import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.signature.SignableXMLObject; import edu.emory.mathcs.backport.java.util.Arrays; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; @@ -191,16 +192,20 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { return null; } try { - InboundMessage msg = (InboundMessage) decoder.decode(request, response); + if (MiscUtil.isEmpty(msg.getEntityID())) { + throw new InvalidProtocolRequestException("pvp2.20", new Object[] {}); + + } + if(!msg.isVerified()) { SAMLVerificationEngine engine = new SAMLVerificationEngine(); engine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); msg.setVerified(true); } - + if (msg instanceof MOARequest && ((MOARequest)msg).getSamlRequest() instanceof AuthnRequest) return preProcessAuthRequest(request, response, (MOARequest) msg); 
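Review bot: The new empty-EntityID guard in the @@ -191,16 +192,20 @@ hunk raises `pvp2.20` ("no valid metadata found for the EntityID"), but nothing at the check explains why an empty ID stands for missing metadata; that link is only visible in the SoapBinding hunk, where the entity ID is copied from `messageContext.getPeerEntityMetadata()`. A one-line comment above the `if` would keep the reasoning with the code: `// bindings fill the entity ID from resolved peer metadata; empty means no metadata matched the sender`. The guard also assumes `decoder.decode(...)` never returns null; if any decoder can, that should be checked or documented here. The enclosing method starts and ends outside the hunk.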
@@ -252,9 +257,23 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { throw new MOAIDException("Unsupported PVP21 message", new Object[] {}); } - } catch (PVP2Exception e) { throw e; + + } catch (SecurityPolicyException e) { + String samlRequest = request.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID protocol request: " + samlRequest, e); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + + } catch (SecurityException e) { + String samlRequest = request.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID protocol request: " + samlRequest, e); + throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); + + } catch (InvalidProtocolRequestException e) { + String samlRequest = request.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID protocol request: " + samlRequest, e); + throw e; } catch (Throwable e) { String samlRequest = request.getParameter("SAMLRequest"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java index 3094abba8..6080f8a33 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java @@ -36,8 +36,7 @@ public class MOAURICompare implements URIComparator { this.serviceURL = serviceURL; } - public boolean compare(String uri1, String uri2) { - + public boolean compare(String uri1, String uri2) { if (this.serviceURL.equals(uri1)) return true; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index f5dba014b..8fba6cde0 100644 
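Review bot: Each of the three new catch blocks writes the raw `SAMLRequest` parameter to the log at WARN level; that parameter is unvalidated client input of unbounded size, so every rejected request lets the sender push arbitrary content into the log, and the same happens in the existing `Throwable` block below the hunk. Log the parameter's length or a bounded prefix at WARN and keep the full value at DEBUG if it is needed for troubleshooting. The two statements are repeated verbatim in all three blocks; a small private helper such as `logInvalidRequest(request, e)` would remove the duplication. The `pvp2.22` exception also forwards `e.getMessage()` as a message argument, which DispatcherServlet later returns to the client; if the exception type accepts a cause, pass `e` there instead and keep the description fixed. The enclosing method starts outside the hunk.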
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -148,7 +148,7 @@ public class RedirectBinding implements IDecoder, IEncoder { .setInboundMessageTransport(new HttpServletRequestAdapter(req)); decode.decode(messageContext); - + messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index 048c7f14c..75332cfea 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -79,7 +79,7 @@ public class SoapBinding implements IDecoder, IEncoder { if (!xmlElemList.isEmpty()) { SignableXMLObject attrReq = (SignableXMLObject) xmlElemList.get(0); MOARequest request = new MOARequest(attrReq, getSAML2BindingName()); - + request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); request.setVerified(false); return request; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index fde453920..6388042d9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java 
@@ -51,6 +51,7 @@ import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.SignatureTrustEngine; import org.opensaml.xml.validation.ValidationException; +import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; @@ -91,11 +92,11 @@ public class SAMLVerificationEngine { try { if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) { - throw new Exception("Signature was either invalid or signing key could not be established as trusted"); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } catch (SecurityException e) { - // Indicates processing error evaluating the signature e.printStackTrace(); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } @@ -116,11 +117,11 @@ public class SAMLVerificationEngine { try { if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) { - throw new Exception("Signature was either invalid or signing key could not be established as trusted"); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } catch (SecurityException e) { - // Indicates processing error evaluating the signature - e.printStackTrace(); + e.printStackTrace(); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java index 778351d1f..aff7e5057 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java 
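Review bot: In the `catch (SecurityException e)` block of the @@ -91,11 +92,11 @@ hunk the cause is lost: `e.printStackTrace()` goes to stderr rather than the `Logger` used elsewhere in this commit, and the new `InvalidProtocolRequestException("pvp2.21", ...)` is built without `e`, so the reason the trust engine could not evaluate the signature is not recoverable from the application log. Replace the two lines with `Logger.warn("Signature evaluation failed", e); throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});` (or pass `e` as cause if the exception type allows it). The same pattern appears in the second hunk at @@ -116,11 +117,11 @@. Both hunks also map an untrusted/invalid signature and a processing error to the same `pvp2.21` code, so the two conditions cannot be told apart from the code alone; a comment or a distinct code would help operators. The enclosing methods begin outside the hunks.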
@@ -42,7 +42,7 @@ public class ErrorResponseUtils { private static ErrorResponseUtils instance = null; private static final String[] DEFAULT_MESSAGE_RESOURCES = - { "resources/properties/id_messages" }; + { "resources/properties/protocol_response_statuscodes" }; private static final Locale[] DEFAULT_MESSAGE_LOCALES = new Locale[] { new Locale("de", "AT") }; private Messages messages = null; diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 603815154..c8cca157d 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -243,6 +243,9 @@ pvp2.16=Fehler beim verschl\u00FCsseln der PVP2 Assertion pvp2.17=Der QAA Level {0} entspricht nicht dem angeforderten QAA Level {1} pvp2.18=Es konnten nicht alle Single Sign-On Sessions beendet werden. pvp2.19=Der Single LogOut Vorgang musste wegen eines unkorregierbaren Fehler abgebrochen werden. +pvp2.20=Für die im Request angegebene EntityID konnten keine g\u00FCltigen Metadaten gefunden werden. +pvp2.21=Die Signature des Requests konnte nicht g\u00FCltig validiert werden. +pvp2.22=Der Request konnte nicht g\u00FCltig validiert werden (Fehler={0}). oauth20.01=Fehlerhafte redirect url oauth20.02=Fehlender Parameter "{0}" diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes.properties deleted file mode 100644 index 99be5df59..000000000 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes.properties +++ /dev/null 
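Review bot: The bundle base name changes to `resources/properties/protocol_response_statuscodes`, but the commit deletes the locale-less file and only creates `protocol_response_statuscodes_de.properties`, so the lookup now depends on `Messages` resolving `de_AT` down to the `_de` candidate and any other locale has no fallback file at all. Either keep a base `protocol_response_statuscodes.properties` as the default or record the constraint next to the constant: `// only a _de bundle exists; DEFAULT_MESSAGE_LOCALES must stay on a German locale`. Note also that `builder.04` and `builder.05` in that mapping file hold German sentences rather than numeric codes, so `mapInternalErrorToExternalError` returns prose for those ids where DispatcherServlet's new catch formats a numeric `Errorcode=`.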
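Review bot: In the id_messages_de.properties hunk, `pvp2.20` contains a raw `ü` in `Für` while the rest of the same line and the neighbouring keys use the `\u00FC` escape; `.properties` files are read as ISO-8859-1 unless the loader says otherwise, so the raw character turns into mojibake if the file is stored as UTF-8. Change it to `pvp2.20=F\u00FCr die im Request angegebene EntityID konnten keine g\u00FCltigen Metadaten gefunden werden.`. `pvp2.21` reads `Die Signature`, presumably intended as `Die Signatur`.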
@@ -1,184 +0,0 @@
-auth.00=1000
-auth.01=1001
-auth.02=1100
-auth.03=9000
-auth.04=9100
-auth.05=1002
-auth.06=6200
-auth.07=1003
-auth.08=40
-auth.09=9100
-auth.10=1002
-auth.11=9100
-auth.12=1002
-auth.13=1007
-auth.14=1004
-auth.15=1108
-auth.16=9102
-auth.17=1006
-auth.18=1100
-auth.20=1100
-auth.21=1005
-auth.22=6000
-auth.23=9000
-auth.24=9001
-auth.25=1109
-
-init.00=9199
-init.01=9199
-init.02=9199
-init.04=9101
-
-config.00=9199
-config.01=9199
-config.02=9199
-config.03=9199
-config.04=9199
-config.05=9199
-config.06=9199
-config.07=9199
-config.08=9199
-config.09=9199
-config.10=9199
-config.11=9199
-config.12=9199
-config.13=9199
-config.14=9199
-config.15=9199
-config.16=9199
-config.17=9199
-config.18=9199
-config.19=9199
-config.20=9199
-config.21=9006
-
-parser.00=1101
-parser.01=1101
-parser.02=1101
-parser.03=1101
-parser.04=1101
-parser.05=1101
-parser.06=1101
-parser.07=1101
-
-builder.00=9102
-builder.01=9103
-builder.02=9102
-builder.03=9102
-builder.04=Die Personenbindung konnte nicht neu signiert werden und wird aus diesem Grund nicht ausgeliefert. MOA-SS lieferte folgenden Fehlercode {0} und Fehler {1} zur\u00FCck.
-builder.05=Beim resignieren der Personenbindung ist ein allgemeiner Fehler aufgetreten und wird aus diesem Grund nicht ausgeliefert.
-builder.06=4400
-builder.07=9002
-
-service.00=4300
-service.03=4300
-service.04=41000
-service.05=411
-service.06=41001
-service.07=4200
-service.08=4201
-service.09=9007
-
-validator.00=1102
-validator.01=1102
-validator.02=1102
-validator.03=1102
-validator.04=1102
-validator.05=1102
-
-validator.06=1103
-validator.07=1104
-validator.08=1103
-validator.09=1106
-
-validator.10=1106
-validator.11=1106
-validator.12=1106
-validator.13=1106
-validator.14=1106
-validator.15=1106
-validator.16=1106
-
-validator.17=1104
-validator.18=1104
-
-validator.19=1105
-
-validator.21=1103
-validator.22=1103
-validator.23=1103
-validator.24=1103
-validator.25=1103
-
-validator.26=1106
-validator.27=1106
-validator.28=1106
-validator.29=1106
-validator.30=1106
-validator.31=1106
-
-validator.32=1106
-validator.33=1106
-validator.34=1106
-validator.35=1106
-validator.36=1106
-validator.37=1106
-validator.38=1106
-validator.39=1106
-
-validator.40=9199
-validator.41=9199
-validator.42=9199
-validator.43=9199
-validator.44=9199
-validator.45=9102
-validator.46=9102
-validator.47=9102
-validator.48=9199
-
-validator.49=1104
-validator.50=1106
-
-validator.64=9102
-
-validator.67=1106
-validator.68=1106
-validator.69=1106
-validator.70=1106
-validator.71=1105
-
-ssl.01=1107
-
-stork.00=1200
-stork.01=1200
-stork.02=1200
-stork.04=1201
-stork.05=1201
-stork.06=1202
-stork.07=1201
-stork.08=1201
-stork.09=1201
-stork.10=4200
-stork.11=1203
-stork.12=9003
-stork.13=1203
-stork.14=6001
-stork.15=6001
-stork.16=1203
-stork.17=1203
-stork.18=9004
-
-pvp2.01=6100
-pvp2.06=6100
-pvp2.13=9199
-pvp2.16=6101
-pvp2.17=6102
-
-oauth20.01=6200
-oauth20.06=1000
-oauth20.09=9005
-oauth20.10=9102
-
-##Map MIS/BKU statuscodes to MOA-ID-Auth statuscodes
-mis.301=1005
-bku.6001=1005
\ No newline at end of file
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
new file mode 100644
index 000000000..2a55ea64c
--- /dev/null
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -0,0 +1,187 @@
+auth.00=1000
+auth.01=1001
+auth.02=1100
+auth.03=9000
+auth.04=9100
+auth.05=1002
+auth.06=6200
+auth.07=1003
+auth.08=40
+auth.09=9100
+auth.10=1002
+auth.11=9100
+auth.12=1002
+auth.13=1007
+auth.14=1004
+auth.15=1108
+auth.16=9102
+auth.17=1006
+auth.18=1100
+auth.20=1100
+auth.21=1005
+auth.22=6000
+auth.23=9000
+auth.24=9001
+auth.25=1109
+
+init.00=9199
+init.01=9199
+init.02=9199
+init.04=9101
+
+config.00=9199
+config.01=9199
+config.02=9199
+config.03=9199
+config.04=9199
+config.05=9199
+config.06=9199
+config.07=9199
+config.08=9199
+config.09=9199
+config.10=9199
+config.11=9199
+config.12=9199
+config.13=9199
+config.14=9199
+config.15=9199
+config.16=9199
+config.17=9199
+config.18=9199
+config.19=9199
+config.20=9199
+config.21=9006
+
+parser.00=1101
+parser.01=1101
+parser.02=1101
+parser.03=1101
+parser.04=1101
+parser.05=1101
+parser.06=1101
+parser.07=1101
+
+builder.00=9102
+builder.01=9103
+builder.02=9102
+builder.03=9102
+builder.04=Die Personenbindung konnte nicht neu signiert werden und wird aus diesem Grund nicht ausgeliefert. MOA-SS lieferte folgenden Fehlercode {0} und Fehler {1} zur\u00FCck.
+builder.05=Beim resignieren der Personenbindung ist ein allgemeiner Fehler aufgetreten und wird aus diesem Grund nicht ausgeliefert.
+builder.06=4400
+builder.07=9002
+
+service.00=4300
+service.03=4300
+service.04=41000
+service.05=411
+service.06=41001
+service.07=4200
+service.08=4201
+service.09=9007
+
+validator.00=1102
+validator.01=1102
+validator.02=1102
+validator.03=1102
+validator.04=1102
+validator.05=1102
+
+validator.06=1103
+validator.07=1104
+validator.08=1103
+validator.09=1106
+
+validator.10=1106
+validator.11=1106
+validator.12=1106
+validator.13=1106
+validator.14=1106
+validator.15=1106
+validator.16=1106
+
+validator.17=1104
+validator.18=1104
+
+validator.19=1105
+
+validator.21=1103
+validator.22=1103
+validator.23=1103
+validator.24=1103
+validator.25=1103
+
+validator.26=1106
+validator.27=1106
+validator.28=1106
+validator.29=1106
+validator.30=1106
+validator.31=1106
+
+validator.32=1106
+validator.33=1106
+validator.34=1106
+validator.35=1106
+validator.36=1106
+validator.37=1106
+validator.38=1106
+validator.39=1106
+
+validator.40=9199
+validator.41=9199
+validator.42=9199
+validator.43=9199
+validator.44=9199
+validator.45=9102
+validator.46=9102
+validator.47=9102
+validator.48=9199
+
+validator.49=1104
+validator.50=1106
+
+validator.64=9102
+
+validator.67=1106
+validator.68=1106
+validator.69=1106
+validator.70=1106
+validator.71=1105
+
+ssl.01=1107
+
+stork.00=1200
+stork.01=1200
+stork.02=1200
+stork.04=1201
+stork.05=1201
+stork.06=1202
+stork.07=1201
+stork.08=1201
+stork.09=1201
+stork.10=4200
+stork.11=1203
+stork.12=9003
+stork.13=1203
+stork.14=6001
+stork.15=6001
+stork.16=1203
+stork.17=1203
+stork.18=9004
+
+pvp2.01=6100
+pvp2.06=6100
+pvp2.13=9199
+pvp2.16=6101
+pvp2.17=6102
+pvp2.20=6103
+pvp2.21=6104
+pvp2.22=6105
+
+oauth20.01=6200
+oauth20.06=1000
+oauth20.09=9005
+oauth20.10=9102
+
+##Map MIS/BKU statuscodes to MOA-ID-Auth statuscodes
+mis.301=1005
+bku.6001=1005
\ No newline at end of file
-- 
cgit v1.2.3