From 0265338e3f2553d9f6926c930561d29a65035847 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 15 Jul 2014 11:05:19 +0200 Subject: solve problems with Target configuration --- .../data/oa/OATargetConfiguration.java | 26 ++++++++++++++++++---- .../webapp/jsp/snippets/OA/targetConfiguration.jsp | 4 ++-- 2 files changed, 24 insertions(+), 6 deletions(-) (limited to 'id') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java index e988cc292..150cd959e 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OATargetConfiguration.java @@ -82,9 +82,7 @@ public class OATargetConfiguration implements IOnlineApplicationData { */ @Override public List parse(OnlineApplication dbOA, - AuthenticatedUser authUser, HttpServletRequest request) { - subTargetSet = MiscUtil.isNotEmpty(getTarget_subsector()); - + AuthenticatedUser authUser, HttpServletRequest request) { String target_full = dbOA.getTarget(); if (MiscUtil.isNotEmpty(target_full)) { if (TargetValidator.isValidTarget(target_full)) { @@ -95,8 +93,10 @@ public class OATargetConfiguration implements IOnlineApplicationData { if (TargetValidator.isValidTarget(target_split[0])) { target = target_split[0]; - if (target_split.length > 1) + if (target_split.length > 1) { target_subsector = target_split[1]; + subTargetSet = true; + } } else { target = ""; 
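Review bot: The `subTargetSet` flag is never reset at the start of parse(): the first hunk removes the only assignment that derived it (`subTargetSet = MiscUtil.isNotEmpty(getTarget_subsector());`) and the second hunk only sets it to `true` on the branch where `target_split.length > 1`, so a target without a sub-sector part leaves whatever value the field already held. If the same OATargetConfiguration instance can be reused for another OnlineApplication, or the field is also populated from the form, the getter added further down may report a stale true. Adding `subTargetSet = false;` as the first statement of the new parse() body makes the flag a pure function of `dbOA.getTarget()`. parse() continues outside the hunk.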
@@ -367,4 +367,22 @@ public class OATargetConfiguration implements IOnlineApplicationData { public void setDeaktivededBusinessService(boolean deaktivededBusinessService) { this.deaktivededBusinessService = deaktivededBusinessService; } + + + /** + * @return the subTargetSet + */ + public boolean isSubTargetSet() { + return subTargetSet; + } + + + /** + * @param subTargetSet the subTargetSet to set + */ + public void setSubTargetSet(boolean subTargetSet) { + this.subTargetSet = subTargetSet; + } + + } diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/targetConfiguration.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/targetConfiguration.jsp index 261966a86..b8bd1dc02 100644 --- a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/targetConfiguration.jsp +++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/targetConfiguration.jsp @@ -46,8 +46,8 @@ - Date: Thu, 17 Jul 2014 16:13:37 +0200 Subject: todo --- .../gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java | 2 +- .../moa/id/protocols/stork2/MandateRetrievalRequest.java | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 64447b20e..40c358b7e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java 
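Review bot: The Javadoc on the new `isSubTargetSet()`/`setSubTargetSet(...)` accessors only repeats the field name, so a reader has to locate parse() to learn what the flag means. Suggest on the getter `/** @return true when parse() found a sub-sector part in the stored target (target_subsector is then set); false otherwise. */` and on the setter `/** @param subTargetSet whether the target carries a sub-sector part; normally derived by parse(), exposed for form binding. */`, the second half hedged because the form usage is not visible here. The targetConfiguration.jsp hunk sharing this line lost its content in extraction and is not reviewed.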
@@ -244,7 +244,7 @@ public class PEPSConnectorServlet extends AuthServlet { //extract signed doc element and citizen signature String citizenSignature = null; try { - String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); + String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); // TODO ERROR HANDLING SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo))); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java index 139c438f9..ba849f959 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java @@ -71,6 +71,7 @@ public class MandateRetrievalRequest implements IAction { httpResp.reset(); this.representingIdentityLink = authData.getIdentityLink(); + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(req.getOAURL()); if (oaParam == null) throw new AuthenticationException("stork.12", new Object[]{req.getOAURL()}); @@ -96,7 +97,7 @@ public class MandateRetrievalRequest implements IAction { MandateContainer mandateContainer = null; try { - mandateContainer = new CorporateBodyMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); + mandateContainer = new CorporateBodyMandateContain er(new String(authData.getMISMandate().getMandate(), "UTF-8")); } catch (Exception ex) { try { mandateContainer = new PhyPersonMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); 
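Review bot: The `// TODO ERROR HANDLING` marker on the changed line names the problem but leaves it: `authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0)` dereferences three results that can be absent in a response received from the remote PEPS (missing attribute → NullPointerException, empty value list → IndexOutOfBoundsException), and which catch clause ends the `try` lies outside the hunk. Resolve it by fetching the attribute into a local and checking it before unmarshalling, e.g. `PersonalAttribute signedDoc = authnResponse.getPersonalAttributeList().get("signedDoc");` followed by `if (signedDoc == null || signedDoc.getValue() == null || signedDoc.getValue().isEmpty())` that fails through the servlet's existing error path instead of a runtime exception. The two MandateRetrievalRequest hunks on this line are a whitespace change and a typo that the following commit already corrects; nothing to raise there.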
@@ -449,7 +450,8 @@ public class MandateRetrievalRequest implements IAction { } if (!mandateContainer.getPhysicalRepresentativeIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - Logger.error("Incorrect identity link (MIS): identification type is not correct! Got: " + this.representingIdentityLink.getIdentificationType()); + Logger.error("Incorrect identity link (MIS): identification type is not correct! Got: " + this.representingIdentityLink.getIdentificationType() + " (representingIdentityLink) and " + mandateContainer.getPhysicalRepresentativeIdentificationType() + " (mandateContainer.phyRepresentative)"); + Logger.debug("mandatecontainervalue: " + mandateContainer.getPhysicalRepresentativeIdentificationValue() + ", representingidentitylinkvalue: " + this.representingIdentityLink.getIdentificationValue()); throw new MOAIDException("stork.20", new Object[]{}); // TODO } @@ -491,7 +493,7 @@ public class MandateRetrievalRequest implements IAction { represented.setType(getCompanyType(corporateBodyMandateContainer.corpMandatorFullName, corporateBodyMandateContainer.corpMandatorIdentificationType, sourceAttribute)); } else if (mandateContainer instanceof PhyPersonMandateContainer) { PhyPersonMandateContainer phyPersonMandateContainer = (PhyPersonMandateContainer) mandateContainer; - represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer)); // TODO CALCULATE + represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer)); represented.setGivenName(phyPersonMandateContainer.getPhyPersMandatorGivenName()); represented.setSurname(phyPersonMandateContainer.getPhyPersMandatorFamilyName()); represented.setDateOfBirth(phyPersonMandateContainer.getPhyPersMandatorBirthDate()); -- cgit v1.2.3 From 708009bbfc5433c3338278b95e9f150b424d2a03 Mon Sep 17 00:00:00 2001 
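Review bot: The new `Logger.debug` line writes `mandateContainer.getPhysicalRepresentativeIdentificationValue()` and `this.representingIdentityLink.getIdentificationValue()` to the log. These are identification values of the person behind the mandate and the representative (the guard above compares their type against `Constants.URN_PREFIX_BASEID`), and such identifiers are presumably not meant to be persisted in log files even at debug level. The extended `Logger.error` message already records both identification types, which is what the mismatch diagnosis needs; drop the value logging or reduce it to presence, e.g. `Logger.debug("identification values present: " + (mandateContainer.getPhysicalRepresentativeIdentificationValue() != null) + "/" + (this.representingIdentityLink.getIdentificationValue() != null));`. The `// TODO` on the thrown `MOAIDException("stork.20", ...)` also remains unresolved. The enclosing method continues outside the hunk.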
From: Bojan Suzic Date: Thu, 17 Jul 2014 16:18:30 +0200 Subject: typo --- .../gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java index ba849f959..baa91a854 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java @@ -97,7 +97,7 @@ public class MandateRetrievalRequest implements IAction { MandateContainer mandateContainer = null; try { - mandateContainer = new CorporateBodyMandateContain er(new String(authData.getMISMandate().getMandate(), "UTF-8")); + mandateContainer = new CorporateBodyMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); } catch (Exception ex) { try { mandateContainer = new PhyPersonMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); -- cgit v1.2.3 From 078c7784e9e278bd5fdd96465a38558776cacb04 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 4 Aug 2014 12:57:39 +0200 Subject: MOA federation with USP - add some initial methodes --- .../id/auth/builder/AuthenticationDataBuilder.java | 72 ++++++++++++---------- .../moa/id/entrypoints/DispatcherServlet.java | 2 +- .../pvp2x/utils/AssertionAttributeExtractor.java | 14 +++++ 3 files changed, 54 insertions(+), 34 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 17d6898ee..ddcc6e1d1 100644 
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -39,6 +39,7 @@ import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.ws.soap.common.SOAPException; import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.SecurityException; @@ -76,6 +77,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExt import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; @@ -239,11 +241,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { attributs = reqQueryAttr; //IDP is a service provider IDP and request interfederated IDP to collect attributes - } else { - - //TODO: check if response include attributes and map this attributes to requested attributes - //TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst - + } else { //get PVP 2.1 attributes from protocol specific requested attributes attributs = req.getRequestedAttributes(); 
@@ -255,44 +253,52 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix()); throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null); } + + + //TODO: check if response include attributes and map this attributes to requested attributes + //TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst + Response intfResp = (Response) req.getInterfederationResponse().getResponse(); + AssertionAttributeExtractor extractor = + new AssertionAttributeExtractor(intfResp); - //build attributQuery request - AttributeQuery query = - AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); + if (!extractor.containsAllRequiredAttributes()) { + //build attributQuery request + AttributeQuery query = + AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); - //build SOAP request - List xmlObjects = MOASAMLSOAPClient.send(endpoint, query); + //build SOAP request + List xmlObjects = MOASAMLSOAPClient.send(endpoint, query); - if (xmlObjects.size() == 0) { - Logger.error("Receive emptry AttributeQuery response-body."); - throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); + if (xmlObjects.size() == 0) { + Logger.error("Receive emptry AttributeQuery response-body."); + throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); - } + } - if (xmlObjects.get(0) instanceof Response) { - Response intfResp = (Response) xmlObjects.get(0); + if (xmlObjects.get(0) instanceof Response) { + intfResp = (Response) xmlObjects.get(0); - //validate PVP 2.1 response - try { - SAMLVerificationEngine engine = new SAMLVerificationEngine(); - engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + //validate PVP 2.1 response + try { + 
SAMLVerificationEngine engine = new SAMLVerificationEngine(); + engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); - SAMLVerificationEngine.validateAssertion(intfResp, false); + SAMLVerificationEngine.validateAssertion(intfResp, false); - } catch (Exception e) { - Logger.warn("PVP 2.1 assertion validation FAILED.", e); - throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); - } - - //parse response information to authData - buildAuthDataFormInterfederationResponse(authdata, session, intfResp); - - } else { - Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); - throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); + } catch (Exception e) { + Logger.warn("PVP 2.1 assertion validation FAILED.", e); + throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); + } + + } else { + Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); + throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); + } } - + //parse response information to authData + buildAuthDataFormInterfederationResponse(authdata, session, intfResp); + } catch (SOAPException e) { throw new BuildException("builder.06", null, e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 0d34fcb87..1e38bd4ff 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java 
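Review bot: When `extractor.containsAllRequiredAttributes()` returns true, the new code hands `intfResp`, taken straight from `req.getInterfederationResponse().getResponse()`, to `buildAuthDataFormInterfederationResponse` without the `SAMLVerificationEngine.verifyResponse(...)` / `validateAssertion(...)` calls that the AttributeQuery branch still performs. Unless that stored response was already signature-verified when it was attached to the request (not visible in this hunk), authData would be built from an unverified assertion on that path; today this is only masked by the stub `containsAllRequiredAttributes()` in AssertionAttributeExtractor returning false. Either hoist the verification block out of the `if` so both paths run it on whatever `intfResp` ends up being, or state at the new `intfResp` assignment where verification happened: `//interfederation response signature was verified in [location] before it was stored -- TODO confirm`. The two `//TODO` comments were moved from the else branch rather than resolved. The enclosing method and its catch clauses continue outside the hunk.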
@@ -269,7 +269,7 @@ public class DispatcherServlet extends AuthServlet{ info = ModulStorage.getModuleByPath(protocolRequest.requestedModule()); moduleAction = info.getAction(protocolRequest.requestedAction()); - //create interfederated mOASession + //create interfederated MOASession String sessionID = AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true, ssoId); req.getParameterMap().put(PARAM_SESSIONID, sessionID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index ee0088576..9aadfdc28 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.utils; import java.util.List; import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnStatement; import org.opensaml.saml2.core.Response; @@ -54,6 +55,19 @@ public class AssertionAttributeExtractor { throw new AssertionAttributeExtractorExeption(); } + public boolean containsAllRequiredAttributes() { + //TODO: add default attribute list + return containsAllRequiredAttributes(null); + + } + + public boolean containsAllRequiredAttributes(List attributs) { + //TODO: add validation + return false; + + } + + public String getNameID() throws AssertionAttributeExtractorExeption { if (assertion.getSubject() != null) { Subject subject = assertion.getSubject(); -- cgit v1.2.3 From 296ebbfb36ef207abe4611cb8d3727d2f86a692b Mon Sep 17 00:00:00 2001 
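Review bot: Both methods added to AssertionAttributeExtractor are stubs — `containsAllRequiredAttributes()` delegates with `null` and `containsAllRequiredAttributes(List attributs)` unconditionally returns false — yet AuthenticationDataBuilder in the same commit already branches on the result to decide whether an AttributeQuery (and its verification step) is needed. A stub that will gate security-relevant behaviour should state its contract in Javadoc rather than in `//TODO` lines, e.g. on the overload `/** Returns true only when the assertion already carries every attribute named in {@code attributs}; {@code null} selects the default list. Not implemented yet: always returns false. */`. The parameter is a raw `List`; declaring it `List<String> attributs` makes the attribute-name contract explicit, and the no-arg variant should pass an empty list instead of `null` once the default list exists. The DispatcherServlet hunk on this line is a comment typo fix.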
From: Thomas Lenz Date: Tue, 19 Aug 2014 15:00:17 +0200 Subject: update PVP 2.1 SAML2 bindings --- .../id/protocols/pvp2x/binding/PostBinding.java | 20 ++++++++------- .../protocols/pvp2x/binding/RedirectBinding.java | 20 ++++++++++----- .../id/protocols/pvp2x/binding/SoapBinding.java | 30 +++++++++++++++++++--- 3 files changed, 51 insertions(+), 19 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 7f73b1ed7..1a268c812 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -147,20 +147,22 @@ public class PostBinding implements IDecoder, IEncoder { messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); try { - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); - + //set metadata descriptor type + if (isSPEndPoint) { + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService())); + + } else { + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); + } + } catch (ConfigurationException e) { throw new SecurityException(e); } messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); - - //set metadata descriptor type - if (isSPEndPoint) - messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - else - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - + decode.decode(messageContext); InboundMessage msg = null; 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 26f6f3a62..f11561c14 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -135,18 +135,26 @@ public class RedirectBinding implements IDecoder, IEncoder { HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( new BasicParserPool()); + BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); + messageContext + .setInboundMessageTransport(new HttpServletRequestAdapter(req)); + try { - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService())); + //set metadata descriptor type + if (isSPEndPoint) { + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService())); + + } else { + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); + } } catch (ConfigurationException e) { throw new SecurityException(e); } - - BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); - messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - + messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( 
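Review bot: The URI comparators in the new `if (isSPEndPoint)` block of RedirectBinding.decode are built from the POST-binding endpoints, `getSPSSOPostService()` and `getIDPSSOPostService()`, whereas the line they replace used `getIDPSSORedirectService()`; the identical block in PostBinding (previous file) uses the POST services correctly, so this looks like a copied block that was not adapted. A redirect-bound message addressed to the configured redirect endpoint will then fail the comparison, or, depending on what MOAURICompare accepts, a message whose Destination is the POST endpoint will pass on the redirect decoder. The else branch should read `decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService()));` and the if branch its SP-side redirect counterpart (only the IDP redirect getter is visible on this page). decode() continues outside the hunk.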
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index f0eafe272..a2583c706 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -33,6 +33,7 @@ import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.ws.soap.client.BasicSOAPMessageContext; @@ -52,9 +53,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedEx import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public class SoapBinding implements IDecoder, IEncoder { 
@@ -66,8 +69,10 @@ public class SoapBinding implements IDecoder, IEncoder { new BasicSAMLMessageContext(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter( - req)); - + req)); + //messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); + soapDecoder.decode(messageContext); Envelope inboundMessage = (Envelope) messageContext @@ -78,8 +83,25 @@ public class SoapBinding implements IDecoder, IEncoder { if (!xmlElemList.isEmpty()) { SignableXMLObject attrReq = (SignableXMLObject) xmlElemList.get(0); - MOARequest request = new MOARequest(attrReq, getSAML2BindingName()); - request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); + MOARequest request = new MOARequest(attrReq, getSAML2BindingName()); + + if (messageContext.getPeerEntityMetadata() != null) + request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); + + else if (attrReq instanceof RequestAbstractType) { + RequestAbstractType attributeRequest = (RequestAbstractType) attrReq; + try { + if (MiscUtil.isNotEmpty(attributeRequest.getIssuer().getValue()) && + MOAMetadataProvider.getInstance().getRole( + attributeRequest.getIssuer().getValue(), + SPSSODescriptor.DEFAULT_ELEMENT_NAME) != null) + request.setEntityID(attributeRequest.getIssuer().getValue()); + + } catch (Exception e) { + Logger.warn("No Metadata found with EntityID " + attributeRequest.getIssuer().getValue()); + } + } + request.setVerified(false); return request; -- cgit v1.2.3 From 1ab0f1d4d991464b906c34befefe2ecaf485d485 Mon Sep 17 00:00:00 2001 
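Review bot: In the new fallback of SoapBinding.decode, the `catch (Exception e)` block evaluates `attributeRequest.getIssuer().getValue()` again for the warning; if the caught exception was a NullPointerException from a request without an Issuer element, the handler throws a second NullPointerException out of decode instead of logging. Extract the value once before the try, `String issuer = attributeRequest.getIssuer() != null ? attributeRequest.getIssuer().getValue() : null;`, use `issuer` in the `MiscUtil.isNotEmpty(...)` check, the `getRole(...)` lookup, `setEntityID(...)` and the log message. The entityID assigned here originates from the unauthenticated Issuer claim and `getRole(...) != null` only proves that metadata for that name exists; a comment at `request.setEntityID(attributeRequest.getIssuer().getValue());` should state that the request is returned with `setVerified(false)` and the caller must verify the signature against this entity's metadata before trusting it. The commented-out `//messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);` line in the first hunk should be removed rather than left in. decode() continues outside the hunk.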
From: Thomas Lenz Date: Tue, 19 Aug 2014 15:03:42 +0200 Subject: add interfederation without attributequery request which use encrypted bPKs (this functionality is required for federation with USP) --- .../id/auth/builder/AuthenticationDataBuilder.java | 355 +++++++++++++-------- .../moa/id/auth/builder/BPKBuilder.java | 94 ++++++ .../exception/DatabaseEncryptionException.java | 46 +++ .../id/config/auth/AuthConfigurationProvider.java | 11 + .../moa/id/config/auth/IOAAuthParameters.java | 4 + .../moa/id/config/auth/OAAuthParameter.java | 36 +++ .../config/auth/data/BPKDecryptionParameters.java | 127 ++++++++ .../config/auth/data/DynamicOAAuthParameters.java | 10 + .../moa/id/data/AuthenticationData.java | 21 +- .../gv/egovernment/moa/id/data/EncryptedbPK.java | 33 ++ .../at/gv/egovernment/moa/id/data/IAuthData.java | 3 + .../attributes/EncryptedBPKAttributeBuilder.java | 70 ++++ .../MandateFullMandateAttributeBuilder.java | 7 +- .../pvp2x/utils/AssertionAttributeExtractor.java | 89 +++++- .../protocols/saml1/SAML1AuthenticationServer.java | 5 +- .../id/storage/AuthenticationSessionStoreage.java | 4 +- .../moa/id/util/AbstractEncrytionUtil.java | 157 +++++++++ .../moa/id/util/ConfigurationEncrytionUtil.java | 71 +++++ .../moa/id/util/SessionEncrytionUtil.java | 132 +++----- .../moa/id/util/client/mis/simple/MISMandate.java | 14 + .../id/util/client/mis/simple/MISSimpleClient.java | 2 + .../src/main/resources/config/moaid_config_2.0.xsd | 28 +- 22 files changed, 1085 insertions(+), 234 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java create mode 100644 
id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index ddcc6e1d1..3c029f261 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java 
@@ -24,31 +24,35 @@ package at.gv.egovernment.moa.id.auth.builder; import iaik.x509.X509Certificate; +import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; +import java.security.PrivateKey; import java.util.ArrayList; +import java.util.Arrays; import java.util.Date; -import java.util.GregorianCalendar; import java.util.List; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Marshaller; -import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; -import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.ws.soap.common.SOAPException; import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.SecurityException; import org.w3c.dom.Element; import org.w3c.dom.Node; -import eu.stork.peps.auth.commons.PersonalAttribute; -import eu.stork.peps.auth.commons.PersonalAttributeList; - +import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; +import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator; +import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; +import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; +import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; @@ -151,7 +155,6 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } - } InterfederationSessionStore interfIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session); 
@@ -295,9 +298,13 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); } + + //create assertion attribute extractor from AttributeQuery response + extractor = new AssertionAttributeExtractor(intfResp); + } //parse response information to authData - buildAuthDataFormInterfederationResponse(authdata, session, intfResp); + buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam); } catch (SOAPException e) { throw new BuildException("builder.06", null, e); 
@@ -320,146 +327,242 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } - private static void buildAuthDataFormInterfederationResponse(AuthenticationData authData, AuthenticationSession session, - Response intfResp) throws BuildException, AssertionAttributeExtractorExeption { + private static void buildAuthDataFormInterfederationResponse( + AuthenticationData authData, + AuthenticationSession session, + AssertionAttributeExtractor extractor, + IOAAuthParameters oaParam) + throws BuildException, AssertionAttributeExtractorExeption { Logger.debug("Build AuthData from assertion starts ...."); - Assertion assertion = intfResp.getAssertions().get(0); + authData.setFamilyName(extractor.getAttribute(PVPConstants.PRINCIPAL_NAME_NAME)); + authData.setGivenName(extractor.getAttribute(PVPConstants.GIVEN_NAME_NAME)); + authData.setDateOfBirth(extractor.getAttribute(PVPConstants.BIRTHDATE_NAME)); + authData.setBPKType(extractor.getAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)); + authData.setCcc(extractor.getAttribute(PVPConstants.EID_ISSUING_NATION_NAME)); + authData.setBkuURL(extractor.getAttribute(PVPConstants.EID_CCS_URL_NAME)); + authData.setIdentificationValue(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_NAME)); + authData.setIdentificationType(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)); - if (assertion.getAttributeStatements().size() == 0) { - Logger.warn("Can not build AuthData from Assertion. NO Attributes included."); - throw new AssertionAttributeExtractorExeption("Can not build AuthData from Assertion. 
NO Attributes included.", null); - + if (extractor.containsAttribute(PVPConstants.BPK_NAME)) { + String pvpbPK = extractor.getAttribute(PVPConstants.BPK_NAME); + authData.setBPK(pvpbPK.split(":")[1]); } - AttributeStatement attrStat = assertion.getAttributeStatements().get(0); - for (Attribute attr : attrStat.getAttributes()) { - - if (attr.getName().equals(PVPConstants.PRINCIPAL_NAME_NAME)) - authData.setFamilyName(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.GIVEN_NAME_NAME)) - authData.setGivenName(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.BIRTHDATE_NAME)) - authData.setDateOfBirth(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.BPK_NAME)) { - String pvpbPK = attr.getAttributeValues().get(0).getDOM().getTextContent(); - authData.setBPK(pvpbPK.split(":")[1]); - } - - if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) - authData.setBPKType(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) - authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + - attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_ISSUING_NATION_NAME)) - authData.setCcc(attr.getAttributeValues().get(0).getDOM().getTextContent()); + if (extractor.containsAttribute(PVPConstants.ENC_BPK_LIST_NAME)) { + List encbPKList = Arrays.asList( + extractor.getAttribute(PVPConstants.ENC_BPK_LIST_NAME).split(";")); + authData.setEncbPKList(encbPKList); + for (String fullEncbPK : encbPKList) { + int index = fullEncbPK.indexOf("|"); + if (index >= 0) { + String encbPK = fullEncbPK.substring(index+1); + String second = fullEncbPK.substring(0, index); + int secIndex = second.indexOf("+"); + if (secIndex >= 0) { + if (oaParam.getTarget().equals(second.substring(secIndex+1))) { + 
Logger.debug("Found encrypted bPK for online-application " + + oaParam.getPublicURLPrefix() + + " Start decryption process ..."); + PrivateKey privKey = oaParam.getBPKDecBpkDecryptionKey(); + if (privKey != null) { + try { + String bPK = BPKBuilder.decryptBPK(encbPK, oaParam.getTarget(), privKey); + if (MiscUtil.isNotEmpty(bPK)) { + if (MiscUtil.isEmpty(authData.getBPK())) { + authData.setBPK(bPK); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); + Logger.info("bPK decryption process finished successfully."); + } + + } else { + Logger.error("bPK decryption FAILED."); + + } + } catch (BuildException e) { + Logger.error("bPK decryption FAILED.", e); + + } + + } else { + Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + + } + + } else { + Logger.info("Found encrypted bPK but " + + "encrypted bPK target does not match to online-application target"); + + } + } + } + } + } + + if (MiscUtil.isEmpty(authData.getBPK()) && authData.getEncbPKList().size() == 0) { + Logger.error("Federated assertion include no bPK or encrypted bPK"); + throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME); - if (attr.getName().equals(PVPConstants.EID_CCS_URL_NAME)) - authData.setBkuURL(attr.getAttributeValues().get(0).getDOM().getTextContent()); + } + + if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) + authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + + extractor.getAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)); + + if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) { + try { + byte[] authBlock = Base64Utils.decode(extractor.getAttribute(PVPConstants.EID_AUTH_BLOCK_NAME), false); + authData.setAuthBlock(new String(authBlock, "UTF-8")); - if (attr.getName().equals(PVPConstants.EID_AUTH_BLOCK_NAME)) { - try { - byte[] authBlock = 
Base64Utils.decode(attr.getAttributeValues().get(0).getDOM().getTextContent(), false); - authData.setAuthBlock(new String(authBlock, "UTF-8")); + } catch (IOException e) { + Logger.error("Received AuthBlock is not valid", e); - } catch (IOException e) { - Logger.error("Received AuthBlock is not valid", e); - - } - } - - if (attr.getName().equals(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { - try { - authData.setSignerCertificate(Base64Utils.decode( - attr.getAttributeValues().get(0).getDOM().getTextContent(), false)); - - } catch (IOException e) { - Logger.error("Received SignerCertificate is not valid", e); - - } - } - - if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_NAME)) - authData.setIdentificationValue(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)) - authData.setIdentificationType(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - if (attr.getName().equals(PVPConstants.EID_IDENTITY_LINK_NAME)) { - try { - InputStream idlStream = Base64Utils.decodeToStream(attr.getAttributeValues().get(0).getDOM().getTextContent(), false); - IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); - authData.setIdentityLink(idl); - - } catch (ParseException e) { - Logger.error("Received IdentityLink is not valid", e); - - } catch (Exception e) { - Logger.error("Received IdentityLink is not valid", e); - - } } - - if (attr.getName().equals(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)) - authData.setMandateReferenceValue(attr.getAttributeValues().get(0).getDOM().getTextContent()); - - - if (attr.getName().equals(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { - try { - byte[] mandate = Base64Utils.decode( - attr.getAttributeValues().get(0).getDOM().getTextContent(), false); - - if (authData.getMISMandate() == null) - authData.setMISMandate(new MISMandate()); - authData.getMISMandate().setMandate(mandate); + } + + if 
(extractor.containsAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { + try { + authData.setSignerCertificate(Base64Utils.decode( + extractor.getAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME), false)); + + } catch (IOException e) { + Logger.error("Received SignerCertificate is not valid", e); + + } + } + + if (extractor.containsAttribute(PVPConstants.EID_IDENTITY_LINK_NAME)) { + try { + InputStream idlStream = Base64Utils.decodeToStream(extractor.getAttribute(PVPConstants.EID_IDENTITY_LINK_NAME), false); + IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); + authData.setIdentityLink(idl); + + } catch (ParseException e) { + Logger.error("Received IdentityLink is not valid", e); + + } catch (Exception e) { + Logger.error("Received IdentityLink is not valid", e); - authData.setUseMandate(true); - - } catch (Exception e) { - Logger.error("Received Mandate is not valid", e); - throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME); - - } } - - if (attr.getName().equals(PVPConstants.MANDATE_PROF_REP_OID_NAME)) { + } + + + // set mandate attributes + authData.setMandateReferenceValue(extractor.getAttribute(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)); + + if (extractor.containsAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { + try { + byte[] mandate = Base64Utils.decode( + (extractor.getAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)), false); + if (authData.getMISMandate() == null) authData.setMISMandate(new MISMandate()); - authData.getMISMandate().setProfRep( - attr.getAttributeValues().get(0).getDOM().getTextContent()); + authData.getMISMandate().setMandate(mandate); + authData.getMISMandate().setFullMandateIncluded(true); + authData.setUseMandate(true); + + } catch (Exception e) { + Logger.error("Received Mandate is not valid", e); + throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME); + + } + } + + //TODO: build short mandate if full mandate is no included. 
+ if (authData.getMISMandate() == null && + (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) + || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME) + || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) ) { + Logger.info("Federated assertion contains no full mandate. Start short mandate generation process ... "); + + MISMandate misMandate = new MISMandate(); + misMandate.setFullMandateIncluded(false); + + Mandate mandateObject = new Mandate(); + Mandator mandator = new Mandator(); + mandateObject.setMandator(mandator); + + //build legal person short mandate + if (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) { + CorporateBodyType legalperson = new CorporateBodyType(); + IdentificationType legalID = new IdentificationType(); + Value idvalue = new Value(); + legalID.setValue(idvalue ); + legalperson.getIdentification().add(legalID ); + mandator.setCorporateBody(legalperson ); + + legalperson.setFullName(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME)); + legalID.setType(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)); + idvalue.setValue(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME)); + + //build natural person short mandate + } else if ( (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME) || + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)) && + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME) && + extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME)) { + throw new AssertionAttributeExtractorExeption("Federation with short mandates for natural persons are not supported!", null); 
+ + + + } else { + Logger.error("Short mandate could not generated. Assertion contains not all attributes which are necessary."); + throw new AssertionAttributeExtractorExeption("Assertion contains not all attributes which are necessary for mandate generation", null); - } - - if (attr.getName().equals(PVPConstants.EID_STORK_TOKEN_NAME)) { - authData.setStorkAuthnResponse(attr.getAttributeValues().get(0).getDOM().getTextContent()); - authData.setForeigner(true); } - if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { + try { + JAXBContext jc = JAXBContext.newInstance("at.gv.e_government.reference.namespace.mandates._20040701_"); + Marshaller m = jc.createMarshaller(); + ByteArrayOutputStream stream = new ByteArrayOutputStream(); + m.marshal(mandateObject, stream); + misMandate.setMandate(Base64Utils.encode(stream.toByteArray()).getBytes()); + stream.close(); - if (authData.getStorkAttributes() == null) - authData.setStorkAttributes(new PersonalAttributeList()); + } catch (JAXBException e) { + Logger.error("Failed to parse short mandate", e); + throw new AssertionAttributeExtractorExeption(); + + } catch (IOException e) { + Logger.error("Failed to parse short mandate", e); + throw new AssertionAttributeExtractorExeption(); - List storkAttrValues = new ArrayList(); - storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent()); - PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), - false, storkAttrValues , "Available"); - authData.getStorkAttributes().put(attr.getName(), storkAttr ); - authData.setForeigner(true); - } - + } + authData.setUseMandate(true); + } + + if (extractor.containsAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)) { + if (authData.getMISMandate() == null) + authData.setMISMandate(new MISMandate()); + authData.getMISMandate().setProfRep( + extractor.getAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)); + + } + + + //set STORK attributes + if 
(extractor.containsAttribute(PVPConstants.EID_STORK_TOKEN_NAME)) { + authData.setStorkAuthnResponse(extractor.getAttribute(PVPConstants.EID_STORK_TOKEN_NAME)); + authData.setForeigner(true); + + } + + if (!extractor.getSTORKAttributes().isEmpty()) { + authData.setStorkAttributes(extractor.getSTORKAttributes()); + authData.setForeigner(true); + + } + authData.setSsoSession(true); - if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null) - authData.setSsoSessionValidTo(assertion.getConditions().getNotOnOrAfter().toDate()); + if (extractor.getFullAssertion().getConditions() != null && extractor.getFullAssertion().getConditions().getNotOnOrAfter() != null) + authData.setSsoSessionValidTo(extractor.getFullAssertion().getConditions().getNotOnOrAfter().toDate()); //only for SAML1 if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel())) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index 20641ca7c..b122ba17e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java 
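Review bot: `authData.getEncbPKList().size() == 0` in the no-bPK check throws a NullPointerException whenever the assertion carries neither `BPK_NAME` nor `ENC_BPK_LIST_NAME`, because `encbPKList` is only assigned inside the `ENC_BPK_LIST_NAME` branch and defaults to `null` in AuthenticationData; that is precisely the case the check is meant to turn into an AssertionAttributeExtractorExeption, so it should read `if (MiscUtil.isEmpty(authData.getBPK()) && (authData.getEncbPKList() == null || authData.getEncbPKList().isEmpty())) {`. Two further points in the same hunk: `authData.setBPK(pvpbPK.split(":")[1])` throws ArrayIndexOutOfBoundsException on a bPK value without a colon, so check the split length (or use the `indexOf` style of the encrypted-bPK loop) before indexing; and in the short-mandate branch `misMandate` is filled and marshalled but, as far as the collapsed hunk shows, never attached with `authData.setMISMandate(misMandate);` before `authData.setUseMandate(true)`, so the generated mandate is dropped and the later `MANDATE_PROF_REP_OID_NAME` block creates a fresh, empty MISMandate instead. `Base64Utils.encode(stream.toByteArray()).getBytes()` also uses the platform default charset; `getBytes("UTF-8")`, already used for the AuthBlock above, avoids that. The method's tail continues past the end of this hunk.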
@@ -46,13 +46,27 @@ package at.gv.egovernment.moa.id.auth.builder; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; +import java.io.UnsupportedEncodingException; +import java.security.InvalidKeyException; import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.text.SimpleDateFormat; +import java.util.Date; + +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.NoSuchPaddingException; /** * Builder for the bPK, as defined in 
@@ -135,6 +149,58 @@ public class BPKBuilder { } } + public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException { + MiscUtil.assertNotNull(bpk, "BPK"); + MiscUtil.assertNotNull(publicKey, "publicKey"); + + SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss"); + if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) + target = target.substring((Constants.URN_PREFIX_CDID + "+").length()); + + String input = "V1::urn:publicid:gv.at:cdid+" + target + "::" + + bpk + "::" + + sdf.format(new Date()); + System.out.println(input); + byte[] result; + try { + byte[] inputBytes = input.getBytes("ISO-8859-1"); + result = encrypt(inputBytes, publicKey); + return new String(Base64Utils.encode(result, "ISO-8859-1")).replaceAll("\r\n", ""); + + } catch (Exception e) { + throw new BuildException("bPK encryption FAILED", null, e); + } + } + + public static String decryptBPK(String encryptedBpk, String target, PrivateKey privateKey) throws BuildException { + MiscUtil.assertNotEmpty(encryptedBpk, "Encrypted BPK"); + MiscUtil.assertNotNull(privateKey, "Private key"); + String decryptedString; + try { + byte[] encryptedBytes = Base64Utils.decode(encryptedBpk, false, "ISO-8859-1"); + byte[] decryptedBytes = decrypt(encryptedBytes, privateKey); + decryptedString = new String(decryptedBytes, "ISO-8859-1"); + + } catch (Exception e) { + throw new BuildException("bPK decryption FAILED", null, e); + } + String tmp = decryptedString.substring(decryptedString.indexOf('+') + 1); + String sector = tmp.substring(0, tmp.indexOf("::")); + tmp = tmp.substring(tmp.indexOf("::") + 2); + String bPK = tmp.substring(0, tmp.indexOf("::")); + + if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) + target = target.substring((Constants.URN_PREFIX_CDID + "+").length()); + + if (target.equals(sector)) + return bPK; + + else { + Logger.error("Decrypted bPK does not match to request bPK target."); + return null; + } + } + /** * Builds the storkeid 
from the given parameters. * @@ -214,6 +280,34 @@ public class BPKBuilder { throw new BuildException("builder.00", new Object[]{"storkid", ex.toString()}, ex); } } + + private static byte[] encrypt(byte[] inputBytes, PublicKey publicKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException { + byte[] result; + Cipher cipher = null; + try { + cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle + } catch(NoSuchAlgorithmException e) { + cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider + } + cipher.init(Cipher.ENCRYPT_MODE, publicKey); + result = cipher.doFinal(inputBytes); + + return result; + } + + private static byte[] decrypt(byte[] encryptedBytes, PrivateKey privateKey) + throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException{ + byte[] result; + Cipher cipher = null; + try { + cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle + } catch(NoSuchAlgorithmException e) { + cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider + } + cipher.init(Cipher.DECRYPT_MODE, privateKey); + result = cipher.doFinal(encryptedBytes); + return result; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java new file mode 100644 index 000000000..69802d7e6 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DatabaseEncryptionException.java 
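Review bot: `System.out.println(input);` in encryptBPK writes the plaintext bPK, target and timestamp to stdout on every call; the bPK is the sensitive identifier this method exists to protect, so the line has to go (Logger is the project's channel for anything meant to stay, and this value should not be logged at all). `target` is dereferenced by `target.startsWith(...)` before any check, while only `bpk` and `publicKey` get `MiscUtil.assertNotNull`; add `MiscUtil.assertNotNull(target, "target");`. In decryptBPK the `indexOf('+')`/`indexOf("::")` results feed `substring` without a `-1` check, so a ciphertext produced under a different key or a malformed plaintext surfaces as StringIndexOutOfBoundsException outside the `BuildException` wrapper instead of the "bPK decryption FAILED" path; the "V1::" prefix and the embedded timestamp are likewise never validated, so the version and freshness the format carries are not enforced on the receiving side. The `catch (Exception e)` blocks in both methods should name the expected types (`GeneralSecurityException`, which the checked types declared by encrypt/decrypt extend, and `UnsupportedEncodingException`) so that programming errors are not reported as encryption failures.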
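Review bot: Both `Cipher.getInstance` calls leave the OAEP digest and MGF to the provider default, and the two transformation names ("RSA/ECB/OAEPPadding" for the first provider, "RSA/ECB/OAEP" for the IAIK fallback) may resolve to different defaults, so a bPK encrypted on one deployment is not guaranteed to decrypt on another; since the "V1::" format is new in this commit, pin the parameters on both sides with `cipher.init(mode, key, new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT));` (this adds InvalidAlgorithmParameterException to the throws clauses; confirm the IAIK fallback accepts an `OAEPParameterSpec`). The fallback only triggers on NoSuchAlgorithmException; a NoSuchPaddingException from the first `getInstance` skips it, so catch both. The provider-selection block is duplicated verbatim between encrypt and decrypt and belongs in one private helper that takes the cipher mode and key.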
@@ -0,0 +1,46 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.exception; + +/** + * @author tlenz + * + */ +public class DatabaseEncryptionException extends MOAIDException { + + /** + * + */ + private static final long serialVersionUID = 6387519847869308880L; + + /** + * @param messageId + * @param parameters + * @param wrapped + */ + public DatabaseEncryptionException(String messageId, Object[] parameters, + Throwable wrapped) { + super(messageId, parameters, wrapped); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 6fc1d28c1..a62de27fc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java 
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -961,6 +961,17 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return prop; } + /** + * @return + */ + public String getMOAConfigurationEncryptionKey() { + String prop = props.getProperty("configuration.moaconfig.key"); + if (MiscUtil.isEmpty(prop)) + return null; + else + return prop; + } + public boolean isIdentityLinkResigning() { String prop = props.getProperty("configuration.resignidentitylink.active", "false"); return Boolean.valueOf(prop); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java index 6398de34f..4c6519b57 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java @@ -22,6 +22,7 @@ */ package at.gv.egovernment.moa.id.config.auth; +import java.security.PrivateKey; import java.util.List; import java.util.Map; @@ -31,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1; import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; +import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters; /** * @author tlenz @@ -149,4 +151,6 @@ public interface IOAAuthParameters { List getTestCredentialOIDs(); + PrivateKey getBPKDecBpkDecryptionKey(); + } \ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index f58fe2495..673d23373 100644 
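Review bot: The Javadoc on getMOAConfigurationEncryptionKey is an empty `@return`; it should state what the value is and the null contract, e.g. `@return the key configured under "configuration.moaconfig.key" used to encrypt configuration data, or {@code null} if the property is missing or empty`. Because the return value is a secret, a one-line `<p>Callers must not log or expose the returned value.` in the same Javadoc is the cheapest way to make that visible at the interface. The `if (MiscUtil.isEmpty(prop)) return null; else return prop;` pair can be `return MiscUtil.isEmpty(prop) ? null : prop;`.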
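Review bot: The added `import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters;` is not used by the only member this commit adds to the interface, `PrivateKey getBPKDecBpkDecryptionKey();`, so unless another part of the file uses it (none is visible here) it should be dropped. The method name repeats its prefix ("BPKDec" + "BpkDecryption"); since the method is new in this commit, `getBPKDecryptionKey()` is a cheaper rename now than later, and the `@see` tags in the OAAuthParameter and DynamicOAAuthParameters hunks already refer to a different name (`getBPKDecBpkDecryptionParameters()`), so they need updating either way. The new interface method also has no Javadoc; `/** @return the private key used to decrypt encrypted bPKs addressed to this online application, or {@code null} if none is configured or it cannot be loaded */` documents the null contract that AuthenticationDataBuilder relies on.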
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -46,11 +46,15 @@ package at.gv.egovernment.moa.id.config.auth; +import java.security.PrivateKey; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; +import org.apache.commons.lang.SerializationUtils; + +import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin; import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA; import at.gv.egovernment.moa.id.commons.db.dao.config.BKUSelectionCustomizationType; @@ -71,6 +75,9 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials; import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType; import at.gv.egovernment.moa.id.config.ConfigurationUtils; import at.gv.egovernment.moa.id.config.OAParameter; +import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters; +import at.gv.egovernment.moa.id.data.EncryptedData; +import at.gv.egovernment.moa.id.util.ConfigurationEncrytionUtil; import at.gv.egovernment.moa.id.util.FormBuildUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; 
@@ -555,4 +562,33 @@ public List getTestCredentialOIDs() { return null; } + +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters() + */ +@Override +public PrivateKey getBPKDecBpkDecryptionKey() { + + try { + EncryptedData encdata = new EncryptedData( + oa_auth.getEncBPKInformation().getBPKDecryption().getKeyInformation(), + oa_auth.getEncBPKInformation().getBPKDecryption().getIv()); + byte[] serializedData = ConfigurationEncrytionUtil.getInstance().decrypt(encdata); + BPKDecryptionParameters data = + (BPKDecryptionParameters) SerializationUtils.deserialize(serializedData); + + return data.getPrivateKey(); + + } catch (BuildException e) { + // TODO Auto-generated catch block + Logger.error("Can not decrypt key information for bPK decryption", e); + + } catch (NullPointerException e) { + Logger.error("No keyInformation found for bPK decryption"); + + } + return null; + +} + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java new file mode 100644 index 000000000..787a480f0 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java 
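Review bot: `SerializationUtils.deserialize(serializedData)` performs Java-native deserialization on a blob read from the online-application configuration (`keyInformation`), so whoever can write that configuration entry controls the object graph reconstructed here; unless `ConfigurationEncrytionUtil.decrypt` is authenticated (not visible in this diff), a modified entry reaches `ObjectInputStream` unchecked. Safer is to store the keystore bytes and passwords as explicit configuration fields rather than a serialized object, or at minimum deserialize through an `ObjectInputStream` whose `resolveClass` accepts only `BPKDecryptionParameters`. Catching `NullPointerException` to detect a missing `EncBPKInformation`/`BPKDecryption` entry also hides genuine NPEs from the decrypt path; test `oa_auth.getEncBPKInformation()` and `.getBPKDecryption()` for null explicitly and keep the "No keyInformation found" log for that case. The `// TODO Auto-generated catch block` comment is a leftover and should be removed.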
@@ -0,0 +1,127 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.Serializable; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; + +import org.apache.commons.lang.SerializationUtils; + +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.KeyStoreUtils; + + +/** + * @author tlenz + * + */ +public class BPKDecryptionParameters implements Serializable{ + + private static final long serialVersionUID = 1L; + + private byte[] keyStore = null; + private String keyStorePassword = null; + private String keyAlias = null; + private String keyPassword = null; + + /** + * @return + */ + public PrivateKey getPrivateKey() { + try { + InputStream in = new ByteArrayInputStream(keyStore); + KeyStore store = KeyStoreUtils.loadKeyStore(in , keyStorePassword); + + char[] chPassword = " ".toCharArray(); + if (keyPassword != null) + chPassword = keyPassword.toCharArray(); + +// Certificate test = store.getCertificate(keyAlias); +// Base64Utils.encode(test.getPublicKey().getEncoded()); + + return (PrivateKey) store.getKey(keyAlias, chPassword); + + + } catch (KeyStoreException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (IOException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (UnrecoverableKeyException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (NoSuchAlgorithmException e) { + Logger.error("Can not load private key from keystore.", e); + + } + + return null; + } + + public byte[] serialize() { + return SerializationUtils.serialize(this); + + } + + /** + * @param keyStore the keyStore to set + */ + public void 
setKeyStore(byte[] keyStore) { + this.keyStore = keyStore; + } + + /** + * @param keyStorePassword the keyStorePassword to set + */ + public void setKeyStorePassword(String keyStorePassword) { + this.keyStorePassword = keyStorePassword; + } + + /** + * @param keyAlias the keyAlias to set + */ + public void setKeyAlias(String keyAlias) { + this.keyAlias = keyAlias; + } + + /** + * @param keyPassword the keyPassword to set + */ + public void setKeyPassword(String keyPassword) { + this.keyPassword = keyPassword; + } + + + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java index eddf605a6..7dbdcfa52 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -22,6 +22,7 @@ */ package at.gv.egovernment.moa.id.config.auth.data; +import java.security.PrivateKey; import java.util.List; import java.util.Map; @@ -399,6 +400,15 @@ public class DynamicOAAuthParameters implements IOAAuthParameters { return null; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionParameters() + */ + @Override + public PrivateKey getBPKDecBpkDecryptionKey() { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index 5685977bc..6fd327add 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java 
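Review bot: `keyStorePassword` and `keyPassword` are kept as `String` fields and, because the class is `Serializable` and `serialize()` hands it to `SerializationUtils`, they are written into the same blob as the keystore bytes; Strings cannot be wiped after use, and the fallback `char[] chPassword = " ".toCharArray()` used when `keyPassword` is null is surprising enough to deserve a comment saying which keystore type requires it. `getPrivateKey()` logs the same message from four catch blocks; `KeyStoreException`, `UnrecoverableKeyException` and `NoSuchAlgorithmException` all extend `GeneralSecurityException`, so two catches (`GeneralSecurityException`, `IOException`) cover the same cases, and the `// Certificate test = ...` debug lines together with the now-unused `Certificate` and `Base64Utils` imports should be removed. The Javadoc on `getPrivateKey()` is an empty `@return`; it should state that the key is loaded from the embedded keystore under `keyAlias` and that `null` is returned, after logging, on any load failure.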
@@ -27,6 +27,7 @@ import java.text.DateFormat; import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.Date; +import java.util.List; import org.w3c.dom.Element; @@ -126,7 +127,9 @@ public class AuthenticationData implements IAuthData, Serializable { private byte[] signerCertificate = null; private String authBlock = null; - + private List encbPKList = null; + + private boolean useMandate = false; private MISMandate mandate = null; private String mandateReferenceValue = null; @@ -672,6 +675,22 @@ public class AuthenticationData implements IAuthData, Serializable { this.ssoSessionValidTo = ssoSessionValidTo; } + /** + * @return the encbPKList + */ + public List getEncbPKList() { + return encbPKList; + } + + /** + * @param encbPKList the encbPKList to set + */ + public void setEncbPKList(List encbPKList) { + this.encbPKList = encbPKList; + } + + + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java new file mode 100644 index 000000000..da6840fd7 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/EncryptedbPK.java 
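Review bot: `encbPKList` is initialised to `null` and `getEncbPKList()` passes that through, while the new code in AuthenticationDataBuilder calls `.size()` on the result; either initialise the field to an empty list so the getter never returns null, or document the contract on the getter with `@return the encrypted bPKs received for this session, or {@code null} if none were received` so callers know to check. The setter stores the caller's list without copying, and the builder passes an `Arrays.asList(...)` view, which is fixed-size; a note on `setEncbPKList` that the list is stored as-is would prevent later surprises.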
@@ -0,0 +1,33 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +/** + * @author tlenz + * + */ +public class EncryptedbPK { + private String vkz = null; + private String target = null; + private String encbPK = null; +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java index 7e421da0f..8ce33021d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.data; import java.util.Date; +import java.util.List; import org.w3c.dom.Element; 
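Review bot: The new `EncryptedbPK` class declares three private fields (`vkz`, `target`, `encbPK`) with no constructor, accessors or `Serializable` marker, so nothing outside the class can set or read them and the type is dead code as committed. If it is meant to model entries of `encbPKList` on the Serializable `AuthenticationData`, it needs a constructor plus getters and should implement `Serializable`; if not, it should not be added yet. Its class Javadoc is only `@author`; a one-line purpose such as `/** One encrypted bPK together with the VKZ and target it was issued for. */` would make the intent checkable.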
@@ -62,6 +63,8 @@ public interface IAuthData { String getBkuURL(); + List getEncbPKList(); + IdentityLink getIdentityLink(); byte[] getSignerCertificate(); String getAuthBlock(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java new file mode 100644 index 000000000..b3256ac9a --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java 
@@ -0,0 +1,70 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; + +public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder { + + public String getName() { + return ENC_BPK_LIST_NAME; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + + if (authData.getEncbPKList() != null && + authData.getEncbPKList().size() > 0) { + String value = authData.getEncbPKList().get(0); + for (int i=1; i ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java index 670398ff6..790c1e8ca 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java 
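Review bot: In `build()` of the new `EncryptedBPKAttributeBuilder`, `authData.getEncbPKList()` is invoked three times in succession (null check, size check, first element) before the loop; hoisting it into a local both reads better and guarantees the checks and the reads see the same list: `List<String> encbPKs = authData.getEncbPKList(); if (encbPKs != null && !encbPKs.isEmpty()) { String value = encbPKs.get(0);`. The body of the loop and the return path between the `for` header and `buildEmpty` are not legible in this view, so I cannot confirm how the values are joined or what `build` returns when the list is empty; a class Javadoc stating that the attribute is the concatenation of all encrypted bPKs (and what happens when none exist) is missing in any case.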
@@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.DOMUtils; @@ -44,7 +45,9 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { if (authData.isUseMandate()) { - if (authData.getMandate() != null) { + //only provide full mandate if it is included. + //In case of federation only a short mandate could be include + if (authData.getMandate() != null && authData.getMISMandate().isFullMandateIncluded()) { String fullMandate; try { fullMandate = DOMUtils.serializeNode(authData @@ -57,6 +60,8 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder Logger.error("Failed to generate Full Mandate", e); } } + throw new NoMandateDataAttributeException(); + } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 9aadfdc28..1c12e7398 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java 
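Review bot: The new condition in `build()` null-checks `authData.getMandate()` but then dereferences `authData.getMISMandate()` unguarded; if the two accessors can differ (their definitions are not in this hunk), a missing MIS mandate yields a NullPointerException instead of the intended NoMandateDataAttributeException. Suggest `MISMandate mis = authData.getMISMandate(); if (authData.getMandate() != null && mis != null && mis.isFullMandateIncluded()) {`. The same unguarded `authData.getMISMandate().isFullMandateIncluded()` appears in the SAML1AuthenticationServer hunk. In the third hunk the added `throw new NoMandateDataAttributeException();` is also reached after the catch that logs `Failed to generate Full Mandate`, so a serialization failure is reported to the caller as missing mandate data; the enclosing method continues outside the hunk.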
@@ -22,16 +22,25 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.utils; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; import java.util.List; +import java.util.Map; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnStatement; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.saml2.core.Subject; +import eu.stork.peps.auth.commons.PersonalAttribute; +import eu.stork.peps.auth.commons.PersonalAttributeList; + +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -39,6 +48,14 @@ import at.gv.egovernment.moa.util.MiscUtil; public class AssertionAttributeExtractor { private Assertion assertion = null; + private Map attributs = new HashMap(); + private PersonalAttributeList storkAttributes = new PersonalAttributeList(); + + private final List minimalAttributeNameList = Arrays.asList( + PVPConstants.PRINCIPAL_NAME_NAME, + PVPConstants.GIVEN_NAME_NAME, + PVPConstants.BIRTHDATE_NAME); + public AssertionAttributeExtractor(StatusResponseType samlResponse) throws AssertionAttributeExtractorExeption { if (samlResponse != null && samlResponse instanceof Response) { 
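Review bot: `minimalAttributeNameList` in the `@@ -39` hunk is built from constants and never changes, yet it is an instance field re-created for every extractor; it belongs in a `private static final List<String> MINIMAL_ATTRIBUTE_NAME_LIST = Arrays.asList(...)` with a comment saying it is the default required set used by `containsAllRequiredAttributes()`. The new field `attributs` also has no comment stating that it keeps only the first value of each non-STORK attribute, which the consuming hunk relies on.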
@@ -49,24 +66,80 @@ public class AssertionAttributeExtractor { else if (assertions.size() > 1) Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used."); - assertion = assertions.get(0); - + assertion = assertions.get(0); + + if (assertion.getAttributeStatements() != null && + assertion.getAttributeStatements().size() > 0) { + AttributeStatement attrStat = assertion.getAttributeStatements().get(0); + for (Attribute attr : attrStat.getAttributes()) { + if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { + List storkAttrValues = new ArrayList(); + storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent()); + PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), + false, storkAttrValues , "Available"); + storkAttributes.put(attr.getName(), storkAttr ); + + } else + attributs.put(attr.getName(), attr.getAttributeValues().get(0).getDOM().getTextContent()); + } + + } + + attributs.put(PVPConstants.ENC_BPK_LIST_NAME, "Test+BF|sKWq790t2mn1Uw7xTMQTu1LNYD1xbhjOpZ7/dO+zvzSZB8eClH0HIoH71YLxktykMor268y0IEG7UgLfs9Zviy/naprdeRhJxgxCFpQJdIlqc1qv4ll8q7Z55Qhge1he8ZYibqylaa7GSOXeoEBcto5LeWd0e6QnI4JgFqwalZlTVY0+2xH2G3cAMX0OGIw5bqqrjL+wl0DztDD610I4oxTtxPzvIX8Jk9wg0Of2RvDfxxj+SSibNS+8+/QOavrQ+iaghOxtPzZQWvW26O1BrFenszCn5J/IrrylKIK6kAi/raBzVnzgKlgmNhaqYZIKeP1Urc2wgXMJGov1R9P6tw=="); + } else throw new AssertionAttributeExtractorExeption(); } + /** + * check attributes from assertion with minimal required attribute list + * @return + */ public boolean containsAllRequiredAttributes() { - //TODO: add default attribute list - return containsAllRequiredAttributes(null); + return containsAllRequiredAttributes(minimalAttributeNameList); } - public boolean containsAllRequiredAttributes(List attributs) { - //TODO: add validation + /** + * check attributes from assertion with attributeNameList + * bPK or enc_bPK is always needed + * + * @param List of attributes which are required + * + * @return + */ + public boolean 
containsAllRequiredAttributes(List attributeNameList) { + + //first check if a bPK or an encrypted bPK is available + if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) || + (attributs.containsKey(PVPConstants.BPK_NAME) && attributs.containsKey(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))) { + boolean flag = true; + for (String attr : attributeNameList) { + if (!attributs.containsKey(attr)) + flag = false; + } + + return flag; + + } return false; } + public boolean containsAttribute(String attributeName) { + return attributs.containsKey(attributeName); + + } + + public String getAttribute(String attributeName) { + return attributs.get(attributeName); + + } + + public PersonalAttributeList getSTORKAttributes() { + return storkAttributes; + } + public String getNameID() throws AssertionAttributeExtractorExeption { if (assertion.getSubject() != null) { @@ -113,6 +186,10 @@ public class AssertionAttributeExtractor { throw new AssertionAttributeExtractorExeption("AuthnContextClassRef"); } + public Assertion getFullAssertion() { + return assertion; + } + private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption { List authnList = assertion.getAuthnStatements(); if (authnList.size() == 0) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 08f40f888..fe0d27804 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java 
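Review bot: The line `attributs.put(PVPConstants.ENC_BPK_LIST_NAME, "Test+BF|sKWq…==")` after the attribute loop unconditionally injects a fixed value into every parsed assertion, overwriting any real enc-bPK-list attribute and making the first check in `containsAllRequiredAttributes(List)` (`attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME)`) always true, so the documented "bPK or enc_bPK is always needed" rule is never enforced; this test fixture must not ship in the constructor. Inside the loop, `attr.getAttributeValues().get(0)` assumes every attribute carries at least one value, so an empty attribute throws IndexOutOfBoundsException out of the constructor rather than the AssertionAttributeExtractorExeption the method declares; check `!attr.getAttributeValues().isEmpty()` first. In `containsAllRequiredAttributes(List)` the `flag` loop can simply `return false;` on the first missing name, and the Javadoc `@param List of attributes which are required` should name the parameter: `@param attributeNameList names that must all be present`.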
@@ -208,7 +208,10 @@ public class SAML1AuthenticationServer extends AuthenticationServer { if (authData.isUseMandate()) { List oaAttributes = authData.getExtendedSAMLAttributesOA(); - if (saml1parameter.isProvideFullMandatorData()) { + //only provide full mandate if it is included. + //In case of federation only a short mandate could be include + if (saml1parameter.isProvideFullMandatorData() + && authData.getMISMandate().isFullMandateIncluded()) { try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 350c4e9da..a9f5ed60a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -898,7 +898,7 @@ public class AuthenticationSessionStoreage { private static void encryptSession(AuthenticationSession session, AuthenticatedSessionStore dbsession) throws BuildException { byte[] serialized = SerializationUtils.serialize(session); - EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); + EncryptedData encdata = SessionEncrytionUtil.getInstance().encrypt(serialized); dbsession.setSession(encdata.getEncData()); dbsession.setIv(encdata.getIv()); } @@ -906,7 +906,7 @@ public class AuthenticationSessionStoreage { private static AuthenticationSession decryptSession(AuthenticatedSessionStore dbsession) throws BuildException { EncryptedData encdata = new EncryptedData(dbsession.getSession(), dbsession.getIv()); - byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); + byte[] decrypted = SessionEncrytionUtil.getInstance().decrypt(encdata); return (AuthenticationSession) SerializationUtils.deserialize(decrypted); 
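Review bot: In the AuthenticationSessionStoreage hunks, `SessionEncrytionUtil.getInstance()` may return `null` — its initializer catches every exception, logs `MOASession encryption can not be inizialized.` and leaves `instance` unset — so `encryptSession` and `decryptSession` would fail with a NullPointerException rather than the BuildException they declare. Guard the call in both methods: `SessionEncrytionUtil util = SessionEncrytionUtil.getInstance(); if (util == null) throw new BuildException("MOASession encryption not available", new Object[]{}, null);`. The closing lines of `decryptSession` appear to lie outside this view.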
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java new file mode 100644 index 000000000..f246c55e1 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/AbstractEncrytionUtil.java 
@@ -0,0 +1,157 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ *******************************************************************************/ +package at.gv.egovernment.moa.id.util; + +import iaik.security.cipher.PBEKey; +import iaik.security.spec.PBEKeyAndParameterSpec; + +import java.security.InvalidAlgorithmParameterException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.SecureRandom; +import java.security.spec.InvalidKeySpecException; + +import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; + + +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.data.EncryptedData; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +public abstract class AbstractEncrytionUtil { + protected static final String CIPHER_MODE = "AES/CBC/PKCS5Padding"; + protected static final String KEYNAME = "AES"; + + private SecretKey secret = null; + + public AbstractEncrytionUtil() throws DatabaseEncryptionException { + initialize(getKey(), getSalt()); + } + + protected abstract String getSalt(); + protected abstract String getKey(); + + protected void initialize(String key, String salt) throws DatabaseEncryptionException { + try { + if (MiscUtil.isNotEmpty(key)) { + if (MiscUtil.isEmpty(salt)) + salt = "TestSalt"; + + PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray()); + SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK"); + PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec); + + SecureRandom random = new SecureRandom(); + KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK"); + + PBEKeyAndParameterSpec 
parameterSpec = + new PBEKeyAndParameterSpec(pbeKey.getEncoded(), + salt.getBytes(), + 2000, + 16); + + pbkdf2.init(parameterSpec, random); + SecretKey derivedKey = pbkdf2.generateKey(); + + SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME); + SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK"); + secret = kf.generateSecret(spec); + + } else { + Logger.error("Database encryption can not initialized. No key found!"); + + } + + } catch (NoSuchAlgorithmException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } catch (NoSuchProviderException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } catch (InvalidKeySpecException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } catch (InvalidAlgorithmParameterException e) { + Logger.error("Database encryption can not initialized", e); + throw new DatabaseEncryptionException("Database encryption can not initialized", null, e); + + } + } + + public EncryptedData encrypt(byte[] data) throws BuildException { + Cipher cipher; + + if (secret != null) { + try { + cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); + cipher.init(Cipher.ENCRYPT_MODE, secret); + + Logger.debug("Encrypt MOASession"); + + byte[] encdata = cipher.doFinal(data); + byte[] iv = cipher.getIV(); + + return new EncryptedData(encdata, iv); + + } catch (Exception e) { + Logger.warn("MOASession is not encrypted",e); + throw new BuildException("MOASession is not encrypted", new Object[]{}, e); + } + } else + return new EncryptedData(data, null); + } + + public byte[] decrypt(EncryptedData data) throws BuildException { + Cipher cipher; + + if (secret != null) { + try { + IvParameterSpec 
iv = new IvParameterSpec(data.getIv()); + + cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); + cipher.init(Cipher.DECRYPT_MODE, secret, iv); + + Logger.debug("Decrypt MOASession"); + return cipher.doFinal(data.getEncData()); + + } catch (Exception e) { + Logger.warn("MOASession is not decrypted",e); + throw new BuildException("MOASession is not decrypted", new Object[]{}, e); + } + } else + return data.getEncData(); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java new file mode 100644 index 000000000..10221604c --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ConfigurationEncrytionUtil.java 
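Review bot: `salt.getBytes()` in `initialize` uses the platform default charset, so the PBKDF2 input — and therefore the AES key — depends on the JVM's `file.encoding`, and rows encrypted on one host may fail to decrypt on another; use `salt.getBytes("UTF-8")` (or `StandardCharsets.UTF_8` where Java 7 is available). When the configured key is empty the method only logs `Database encryption can not initialized. No key found!` and `encrypt` then returns the plaintext with a null IV, so a misconfiguration silently produces unencrypted data; either throw DatabaseEncryptionException there or document the plaintext fallback on `encrypt`/`decrypt`. The `"TestSalt"` fallback and the fixed 2000-iteration count carry no comment explaining why they were chosen, and since the salt must be deterministic for the stored data to remain decryptable, that constraint should be stated on `getSalt()`. AES/CBC with PKCS5 padding provides no integrity check, so modified ciphertext is not detected before the caller hands the result to `SerializationUtils.deserialize`; worth a comment if that is accepted.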
@@ -0,0 +1,71 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ *******************************************************************************/ +package at.gv.egovernment.moa.id.util; + +import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.logging.Logger; + +public class ConfigurationEncrytionUtil extends AbstractEncrytionUtil { + + private static ConfigurationEncrytionUtil instance = null; + private static String key = null; + + public static ConfigurationEncrytionUtil getInstance() { + if (instance == null) { + try { + key = AuthConfigurationProvider.getInstance().getMOAConfigurationEncryptionKey(); + instance = new ConfigurationEncrytionUtil(); + + } catch (Exception e) { + Logger.warn("MOAConfiguration encryption initialization FAILED.", e); + + } + } + return instance; + } + + /** + * @throws DatabaseEncryptionException + */ + private ConfigurationEncrytionUtil() throws DatabaseEncryptionException { + super(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt() + */ + @Override + protected String getSalt() { + return "Configuration-Salt"; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey() + */ + @Override + protected String getKey() { + return key; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java index acc2a7273..8660f7c09 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java 
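Review bot: `getInstance()` in the new `ConfigurationEncrytionUtil` swallows every exception from key lookup and construction, logs `MOAConfiguration encryption initialization FAILED.` and returns `null`, so the failure surfaces as a NullPointerException at the first caller rather than at its cause; rethrow as an unchecked exception or at least document `@return null when initialization failed` so callers know to check. The lazy initialization is also unsynchronized: two concurrent first callers can both enter the block and race on the static `key` that the constructor reads through `getKey()`, so declare the method `public static synchronized ConfigurationEncrytionUtil getInstance()`. The same pattern appears in the SessionEncrytionUtil hunk.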
@@ -22,110 +22,50 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.util; -import iaik.security.cipher.PBEKey; -import iaik.security.spec.PBEKeyAndParameterSpec; - -import java.security.SecureRandom; -import java.security.spec.KeySpec; - -import javax.crypto.Cipher; -import javax.crypto.KeyGenerator; -import javax.crypto.SecretKey; -import javax.crypto.SecretKeyFactory; -import javax.crypto.spec.IvParameterSpec; -import javax.crypto.spec.PBEKeySpec; -import javax.crypto.spec.SecretKeySpec; - -import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.logging.Logger; -public class SessionEncrytionUtil { - - private static final String CIPHER_MODE = "AES/CBC/PKCS5Padding"; - private static final String KEYNAME = "AES"; - - static private SecretKey secret = null; +public class SessionEncrytionUtil extends AbstractEncrytionUtil { - static { - try { - String key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey(); - - if (key != null) { - - PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray()); - SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK"); - PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec); - - - SecureRandom random = new SecureRandom(); - KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK"); - - PBEKeyAndParameterSpec parameterSpec = - new PBEKeyAndParameterSpec(pbeKey.getEncoded(), - "TestSALT".getBytes(), - 2000, - 16); - - pbkdf2.init(parameterSpec, random); - SecretKey derivedKey = pbkdf2.generateKey(); - - SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME); - SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK"); - secret = kf.generateSecret(spec); - - } else { - 
Logger.warn("MOASession encryption is deaktivated."); - } - - } catch (Exception e) { - Logger.warn("MOASession encryption can not be inizialized.", e); - } - - } + private static SessionEncrytionUtil instance = null; + private static String key = null; - public static EncryptedData encrypt(byte[] data) throws BuildException { - Cipher cipher; - - if (secret != null) { + public static SessionEncrytionUtil getInstance() { + if (instance == null) { try { - cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); - cipher.init(Cipher.ENCRYPT_MODE, secret); - - Logger.debug("Encrypt MOASession"); - - byte[] encdata = cipher.doFinal(data); - byte[] iv = cipher.getIV(); - - return new EncryptedData(encdata, iv); - + key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey(); + instance = new SessionEncrytionUtil(); + } catch (Exception e) { - Logger.warn("MOASession is not encrypted",e); - throw new BuildException("MOASession is not encrypted", new Object[]{}, e); - } - } else - return new EncryptedData(data, null); + Logger.warn("MOASession encryption can not be inizialized.", e); + + } + } + return instance; + } + + /** + * @throws DatabaseEncryptionException + */ + private SessionEncrytionUtil() throws DatabaseEncryptionException { + super(); } - public static byte[] decrypt(EncryptedData data) throws BuildException { - Cipher cipher; - - if (secret != null) { - try { - IvParameterSpec iv = new IvParameterSpec(data.getIv()); - - cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); - cipher.init(Cipher.DECRYPT_MODE, secret, iv); - - Logger.debug("Decrypt MOASession"); - return cipher.doFinal(data.getEncData()); - - } catch (Exception e) { - Logger.warn("MOASession is not decrypted",e); - throw new BuildException("MOASession is not decrypted", new Object[]{}, e); - } - } else - return data.getEncData(); + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt() + */ + @Override + protected String getSalt() { + return "Session-Salt"; 
} + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey() + */ + @Override + protected String getKey() { + return key; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java index f7785d2c2..20cabaf4d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java @@ -70,6 +70,7 @@ public class MISMandate implements Serializable{ private String oid = null; private byte[] mandate = null; private String owBPK = null; + private boolean isFullMandateIncluded = false; public String getProfRep() { return oid; @@ -109,5 +110,18 @@ public class MISMandate implements Serializable{ } } + /** + * @return the isFullMandateIncluded + */ + public boolean isFullMandateIncluded() { + return isFullMandateIncluded; + } + /** + * @param isFullMandateIncluded the isFullMandateIncluded to set + */ + public void setFullMandateIncluded(boolean isFullMandateIncluded) { + this.isFullMandateIncluded = isFullMandateIncluded; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java index aaf793987..15b2a89b5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java 
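Review bot: The session salt changes from `"TestSALT"` in the removed static block to `"Session-Salt"` in the new `getSalt()`, so the derived AES key differs and any session encrypted by the previous version will fail to decrypt with a BuildException after the upgrade. If encrypted sessions can outlive a deployment (the store's lifetime is not visible here), either keep the old salt value or provide a migration; at minimum note the incompatibility in the method's comment, e.g. `// salt changed from "TestSALT"; sessions encrypted before this version cannot be decrypted`.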
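Review bot: Adding the field `isFullMandateIncluded` to the Serializable `MISMandate` changes the default computed serialVersionUID if the class does not declare one (not visible in this hunk), which would break deserialization of mandates serialized inside sessions stored before the upgrade; declare an explicit `private static final long serialVersionUID` if none exists. The boolean field is named like its getter (`isFullMandateIncluded`); the conventional field name is `fullMandateIncluded`, and the autogenerated Javadoc should say what "full" means, e.g. `/** true when the complete mandate XML was delivered (MIS lookup), false for short mandates as received via federation. */`.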
@@ -145,6 +145,8 @@ public class MISSimpleClient { //misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate))); misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate).getBytes())); + misMandate.setFullMandateIncluded(true); + foundMandates.add(misMandate); } return foundMandates; diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd index 066967b44..f2f1949cc 100644 --- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd +++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd @@ -551,6 +551,7 @@ + @@ -558,6 +559,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + @@ -827,7 +853,7 @@ - + -- cgit v1.2.3 From d4fa369126019a1e41543e99a6beaf8180d3e9d4 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 19 Aug 2014 15:05:01 +0200 Subject: add new OA specific configuration for bPK decryption --- .../moa/id/configuration/Constants.java | 1 + .../config/ConfigurationProvider.java | 5 + .../id/configuration/data/oa/OABPKEncryption.java | 370 +++++++++++++++++++++ .../configuration/struts/action/EditOAAction.java | 18 + .../utils/ConfigurationEncryptionUtils.java | 79 +++++ .../resources/applicationResources_de.properties | 18 + .../resources/applicationResources_en.properties | 23 +- .../src/main/webapp/jsp/editOAGeneral.jsp | 4 +- .../main/webapp/jsp/snippets/OA/bPKDecryption.jsp | 75 +++++ 9 files changed, 590 insertions(+), 3 deletions(-) create mode 100644 id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java create mode 100644 id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/ConfigurationEncryptionUtils.java create mode 100644 id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/bPKDecryption.jsp (limited to 'id') 
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java index 567978cae..2f4d700a2 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java @@ -60,6 +60,7 @@ public class Constants { public static final String SESSION_BKUSELECTIONTEMPLATE = "bkuSelectionTemplate"; public static final String SESSION_SENDASSERTIONTEMPLATE = "sendAssertionTemplate"; public static final String SESSION_SLTRANSFORMATION = "slTransformation"; + public static final String SESSION_BPKENCRYPTIONDECRYPTION = "bPKEncDec"; public static final String SESSION_SLOERROR = "sloerrormessage"; public static final String SESSION_SLOSUCCESS = "slosuccessmessage"; diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java index bea6220ff..957479b29 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java @@ -457,6 +457,11 @@ public class ConfigurationProvider { } + public String getConfigurationEncryptionKey() { + return props.getProperty("general.moaconfig.key"); + + } + private void initalPVP2Login() throws ConfigurationException { try { diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java new file mode 100644 index 000000000..6782987e5 --- /dev/null +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java 
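Review bot: The new `getConfigurationEncryptionKey()` in ConfigurationProvider has no Javadoc, so neither the property name nor the null case is documented; suggest `/** Key for encrypting OA configuration secrets, read from property general.moaconfig.key; null when the property is not set. */`. The key is also returned as a `String`, which keeps the secret in the string pool for the JVM lifetime; acceptable for a configuration value, but worth a note on the method so it is not later written to a log.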
@@ -0,0 +1,370 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ +package at.gv.egovernment.moa.id.configuration.data.oa; + +import java.io.File; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.Iterator; +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpSession; + +import org.apache.commons.lang.SerializationUtils; +import org.apache.log4j.Logger; + +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA; +import at.gv.egovernment.moa.id.commons.db.dao.config.BPKDecryption; +import at.gv.egovernment.moa.id.commons.db.dao.config.EncBPKInformation; +import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; +import at.gv.egovernment.moa.id.commons.validation.ValidationHelper; +import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters; +import at.gv.egovernment.moa.id.configuration.Constants; +import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; +import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; +import at.gv.egovernment.moa.id.configuration.utils.ConfigurationEncryptionUtils; +import at.gv.egovernment.moa.id.configuration.validation.oa.OAFileUploadValidation; +import at.gv.egovernment.moa.id.data.EncryptedData; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public class OABPKEncryption implements IOnlineApplicationData { + + private static final Logger log = Logger.getLogger(OABPKEncryption.class); + + private static final String MODULENAME = "bPKEncryptionDecryption"; + + private String keyStorePassword = null; + private String keyAlias = null; + private String keyPassword = null; + + private Map keyStoreForm = new HashMap(); + + private List keyStoreFileUpload = null; + private List keyStoreFileUploadContentType = null; + private List keyStoreFileUploadFileName = new ArrayList();; + private boolean deletekeyStore = false; + private boolean 
validationError = false; + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.configuration.data.oa.IOnlineApplicationData#getName() + */ + @Override + public String getName() { + // TODO Auto-generated method stub + return MODULENAME; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.configuration.data.oa.IOnlineApplicationData#parse(at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication, at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser, javax.servlet.http.HttpServletRequest) + */ + @Override + public List parse(OnlineApplication dbOA, + AuthenticatedUser authUser, HttpServletRequest request) { + AuthComponentOA oaAuth = dbOA.getAuthComponentOA(); + if (oaAuth != null) { + EncBPKInformation bPKEncDec = oaAuth.getEncBPKInformation(); + if (bPKEncDec != null) { + BPKDecryption bPKDec = bPKEncDec.getBPKDecryption(); + if (bPKDec != null) { + keyAlias = bPKDec.getKeyAlias(); + if (bPKDec.getKeyStoreFileName() != null) + keyStoreFileUploadFileName.add(bPKDec.getKeyStoreFileName()); + + } + } + } + + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.configuration.data.oa.IOnlineApplicationData#store(at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication, at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser, javax.servlet.http.HttpServletRequest) + */ + @Override + public String store(OnlineApplication dbOA, AuthenticatedUser authUser, + HttpServletRequest request) { + AuthComponentOA oaAuth = dbOA.getAuthComponentOA(); + if (oaAuth == null) { + oaAuth = new AuthComponentOA(); + dbOA.setAuthComponentOA(oaAuth); + + } + EncBPKInformation bPKEncDec = oaAuth.getEncBPKInformation(); + if (bPKEncDec == null) { + bPKEncDec = new EncBPKInformation(); + oaAuth.setEncBPKInformation(bPKEncDec); + + } + + BPKDecryption bPKDec = bPKEncDec.getBPKDecryption(); + if (bPKDec == null) { + bPKDec = new BPKDecryption(); + bPKEncDec.setBPKDecryption(bPKDec); + } + + if (isDeletekeyStore()) { + bPKDec.setIv(null); + 
bPKDec.setKeyAlias(null); + bPKDec.setKeyInformation(null); + bPKDec.setKeyStoreFileName(null); + + } + + BPKDecryptionParameters keyInfo = new BPKDecryptionParameters(); + if (keyStoreForm != null && keyStoreForm.size() > 0) { + keyInfo.setKeyAlias(keyAlias); + keyInfo.setKeyPassword(keyPassword); + keyInfo.setKeyStorePassword(keyStorePassword); + + Iterator interator = keyStoreForm.keySet().iterator(); + bPKDec.setKeyStoreFileName(interator.next()); + bPKDec.setKeyAlias(keyAlias); + keyInfo.setKeyStore(keyStoreForm.get( + bPKDec.getKeyStoreFileName())); + + //encrypt key information + byte[] serKeyInfo = SerializationUtils.serialize(keyInfo); + try { + EncryptedData encryptkeyInfo = ConfigurationEncryptionUtils.getInstance().encrypt(serKeyInfo); + bPKDec.setIv(encryptkeyInfo.getIv()); + bPKDec.setKeyInformation(encryptkeyInfo.getEncData()); + + } catch (BuildException e) { + log.error("Configuration encryption FAILED.", e); + return LanguageHelper.getErrorString("error.general.text", request); + + } + } + + request.getSession().setAttribute(Constants.SESSION_BPKENCRYPTIONDECRYPTION, null); + + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.configuration.data.oa.IOnlineApplicationData#validate(at.gv.egovernment.moa.id.configuration.data.oa.OAGeneralConfig, at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser, javax.servlet.http.HttpServletRequest) + */ + @Override + public List validate(OAGeneralConfig general, + AuthenticatedUser authUser, HttpServletRequest request) { + HttpSession session = request.getSession(); + List errors = new ArrayList(); + + String check = null; + + OAFileUploadValidation valiator_fileUpload = new OAFileUploadValidation(); + //validate BKU-selection template + List templateError = valiator_fileUpload.validate(getKeyStoreFileUploadFileName() + , getKeyStoreFileUpload(), "validation.bPKDec.keyStore", keyStoreForm, request); + if (templateError != null && templateError.size() == 0) { + if (keyStoreForm != 
null && keyStoreForm.size() > 0) { + session.setAttribute(Constants.SESSION_BPKENCRYPTIONDECRYPTION, keyStoreForm); + + } else + keyStoreForm = (Map) session.getAttribute(Constants.SESSION_BPKENCRYPTIONDECRYPTION); + + } else { + errors.addAll(templateError); + + } + + if (keyStoreForm != null && keyStoreForm.size() > 0) { + check = getKeyStorePassword(); + if (MiscUtil.isEmpty(check)) { + log.info("bPK decryption keystore password is empty"); + errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyStorePassword.empty", request)); + + } else { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("bPK decryption keystore password contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyStorePassword.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + + } + } + + check = getKeyAlias(); + if (MiscUtil.isEmpty(check)) { + log.info("bPK decryption key alias is empty"); + errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyAlias.empty", request)); + + } else { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("bPK decryption key alias contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyAlias.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + + } + } + + check = getKeyPassword(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("bPK decryption key password contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyPassword.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + + } + } + + BPKDecryptionParameters keyInfo = new BPKDecryptionParameters(); + keyInfo.setKeyAlias(keyAlias); + keyInfo.setKeyPassword(keyPassword); + 
keyInfo.setKeyStorePassword(keyStorePassword); + Iterator interator = keyStoreForm.keySet().iterator(); + String fileName = interator.next(); + keyInfo.setKeyStore(keyStoreForm.get(fileName)); + if (keyInfo.getPrivateKey() == null) { + log.info("Open keyStore FAILED."); + errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyStore.file.valid", request)); + + } + } + + if (errors.size() > 0) { + validationError = true; + + } + + return errors; + + } + + /** + * @return the keyStorePassword + */ + public String getKeyStorePassword() { + return keyStorePassword; + } + + /** + * @param keyStorePassword the keyStorePassword to set + */ + public void setKeyStorePassword(String keyStorePassword) { + this.keyStorePassword = keyStorePassword; + } + + /** + * @return the keyAlias + */ + public String getKeyAlias() { + return keyAlias; + } + + /** + * @param keyAlias the keyAlias to set + */ + public void setKeyAlias(String keyAlias) { + this.keyAlias = keyAlias; + } + + /** + * @return the keyPassword + */ + public String getKeyPassword() { + return keyPassword; + } + + /** + * @param keyPassword the keyPassword to set + */ + public void setKeyPassword(String keyPassword) { + this.keyPassword = keyPassword; + } + + /** + * @return the keyStoreFileUpload + */ + public List getKeyStoreFileUpload() { + return keyStoreFileUpload; + } + + /** + * @param keyStoreFileUpload the keyStoreFileUpload to set + */ + public void setKeyStoreFileUpload(List keyStoreFileUpload) { + this.keyStoreFileUpload = keyStoreFileUpload; + } + + /** + * @return the keyStoreFileUploadContentType + */ + public List getKeyStoreFileUploadContentType() { + return keyStoreFileUploadContentType; + } + + /** + * @param keyStoreFileUploadContentType the keyStoreFileUploadContentType to set + */ + public void setKeyStoreFileUploadContentType( + List keyStoreFileUploadContentType) { + this.keyStoreFileUploadContentType = keyStoreFileUploadContentType; + } + + /** + * @return the 
keyStoreFileUploadFileName + */ + public List getKeyStoreFileUploadFileName() { + return keyStoreFileUploadFileName; + } + + /** + * @param keyStoreFileUploadFileName the keyStoreFileUploadFileName to set + */ + public void setKeyStoreFileUploadFileName( + List keyStoreFileUploadFileName) { + this.keyStoreFileUploadFileName = keyStoreFileUploadFileName; + } + + /** + * @return the deletekeyStore + */ + public boolean isDeletekeyStore() { + return deletekeyStore; + } + + /** + * @param deletekeyStore the deletekeyStore to set + */ + public void setDeletekeyStore(boolean deletekeyStore) { + this.deletekeyStore = deletekeyStore; + } + + /** + * @return the validationError + */ + public boolean isValidationError() { + return validationError; + } + + + +} diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java index 9509f9712..3d96cc1e5 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java @@ -57,6 +57,9 @@ public class EditOAAction extends BasicOAAction { OAAuthenticationData authOA = new OAAuthenticationData(); formList.put(authOA.getName(), authOA); + OABPKEncryption bPKEncDec = new OABPKEncryption(); + formList.put(bPKEncDec.getName(), bPKEncDec); + OASSOConfig ssoOA = new OASSOConfig(); formList.put(ssoOA.getName(), ssoOA); 
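Review bot: In `validate()` the keystore password and the key password are written to the log in clear text whenever they contain a flagged character: `log.warn("bPK decryption keystore password contains potentail XSS characters: " + check);` and the matching line for the key password, so a log file receives exactly the secrets this whole feature exists to protect. Drop the `+ check` from both warn calls, e.g. `log.warn("bPK decryption keystore password contains potential XSS characters");` (the alias line can keep its value, an alias is not a secret). Separately, `store()` only clears the `SESSION_BPKENCRYPTIONDECRYPTION` attribute on the success path, so after a `BuildException` the uploaded keystore bytes remain in the HTTP session; move the `request.getSession().setAttribute(Constants.SESSION_BPKENCRYPTIONDECRYPTION, null);` into a finally block around the encryption. Note also that `validate()` silently falls back to whatever keystore map is still in the session when no file was uploaded, which is presumably intended for the re-submit case but should be documented on the field, since it means a keystore from an earlier form round-trip can be attached without an upload in this request.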
@@ -472,4 +475,19 @@ public class EditOAAction extends BasicOAAction { formList.put(formOA.getName(), formOA); } + /** + * @return the bPK encryption/decryption form + */ + public OABPKEncryption getBPKEncDecr() { + return (OABPKEncryption) formList.get(new OABPKEncryption().getName()); + } + + /** + * @param bPK encryption/decryption form + * the bPK encryption/decryption form to set + */ + public void setBPKEncDecr(OABPKEncryption formOA) { + formList.put(formOA.getName(), formOA); + } + } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/ConfigurationEncryptionUtils.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/ConfigurationEncryptionUtils.java new file mode 100644 index 000000000..08cd7c59d --- /dev/null +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/ConfigurationEncryptionUtils.java 
@@ -0,0 +1,79 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ +package at.gv.egovernment.moa.id.configuration.utils; + +import at.gv.egovernment.moa.id.auth.exception.DatabaseEncryptionException; +import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; +import at.gv.egovernment.moa.id.util.AbstractEncrytionUtil; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class ConfigurationEncryptionUtils extends AbstractEncrytionUtil { + + private static ConfigurationEncryptionUtils instance = null; + private static String key = null; + + public static ConfigurationEncryptionUtils getInstance() { + if (instance == null) { + try { + key = ConfigurationProvider.getInstance().getConfigurationEncryptionKey(); + instance = new ConfigurationEncryptionUtils(); + + } catch (Exception e) { + Logger.warn("MOAConfiguration encryption initialization FAILED.", e); + + } + } + return instance; + } + + /** + * @throws DatabaseEncryptionException + */ + public ConfigurationEncryptionUtils() throws DatabaseEncryptionException { + super(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getSalt() + */ + @Override + protected String getSalt() { + return "Configuration-Salt"; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.util.AbstractEncrytionUtil#getKey() + */ + @Override + protected String getKey() { + return key; + + } + +} diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties index 2c71d86a5..35ae19f90 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties 
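Review bot: `getInstance()` swallows every initialization failure into a warn log and returns null, and the only caller visible in this commit (`OABPKEncryption.store()`) catches just `BuildException`, so a missing or empty `general.moaconfig.key` surfaces as a NullPointerException on `getInstance().encrypt(...)` instead of a clear configuration error. The lazy singleton is also unsynchronized, so two concurrent first calls can construct it twice with the static `key` assigned in between. I would reject a blank key up front, rethrow instead of returning null, and make the accessor synchronized, as below. The fixed `"Configuration-Salt"` is visible in source; if `AbstractEncrytionUtil` derives the cipher key from `getKey()` and `getSalt()` (not visible here), the configured key is the only secret in that derivation, which is worth stating in a class comment so nobody relies on the salt for protection.
```java
public static synchronized ConfigurationEncryptionUtils getInstance() {
    if (instance == null) {
        try {
            String configuredKey = ConfigurationProvider.getInstance().getConfigurationEncryptionKey();
            if (configuredKey == null || configuredKey.trim().isEmpty()) {
                throw new IllegalStateException("general.moaconfig.key is not configured");
            }
            key = configuredKey;
            instance = new ConfigurationEncryptionUtils();
        } catch (Exception e) {
            Logger.warn("MOAConfiguration encryption initialization FAILED.", e);
            throw new IllegalStateException("MOAConfiguration encryption is not available", e);
        }
    }
    return instance;
}
// … unchanged: constructor, getSalt(), getKey() …
```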
@@ -200,6 +200,15 @@ webpages.oaconfig.general.bku.sendassertion.header=Send-Assertion Template webpages.oaconfig.general.bku.sendassertion.filename=Dateiname webpages.oaconfig.general.bku.sendassertion.upload=Neues Template hochladen +webpages.oaconfig.bPKEncDec.header=Fremd-bPK Konfiguration +webpages.oaconfig.bPKEncDec.keystore.header=KeyStore Konfiguration +webpages.oaconfig.bPKEncDec.filename=Dateiname +webpages.oaconfig.bPKEncDec.delete=L\u00F6schen +webpages.oaconfig.bPKEncDec.upload=KeyStore hochladen +webpages.oaconfig.bPKEncDec.keyStorePassword=KeyStore Password +webpages.oaconfig.bPKEncDec.keyAlias=Schl\u00FCsselname +webpages.oaconfig.bPKEncDec.keyPassword=Schl\u00FCsselpassword + webpages.oaconfig.general.identification=Eindeutiger Identifikatior (PublicURLPrefix) webpages.oaconfig.general.mandate.header=Vollmachten webpages.oaconfig.general.mandate.profiles=Profile 
@@ -449,6 +458,15 @@ validation.general.sendassertion.file.valid=Das Send-Assertion Templates konnte validation.general.sendassertion.file.selected=Es kann nur EIN Send-Assertion Template angegeben werden. validation.general.testcredentials.oid.valid=Die Testdaten OID {0} ist ung\u00FCltig. +validation.bPKDec.keyStorePassword.empty=Das Password f\u00FCr den KeyStore ist leer. +validation.bPKDec.keyStorePassword.valid=Das Password f\u00FCr den KeyStore enth\u00E4lt nicht erlaubte Zeichen. Folgende Zeichen sind nicht erlaubt\: {0} +validation.bPKDec.keyAlias.empty=Der Schl\u00FCsselname ist leer. +validation.bPKDec.keyAlias.valid=Der Schl\u00FCsselname enth\u00E4lt nicht erlaubte Zeichen. Folgende Zeichen sind nicht erlaubt\: {0} +validation.bPKDec.keyPassword.empty=Das Password f\u00FCr den privaten Schl\u00FCssel ist leer. +validation.bPKDec.keyPassword.valid=Das Password f\u00FCr den privaten Schl\u00FCssel enth\u00E4lt nicht erlaubte Zeichen. Folgende Zeichen sind nicht erlaubt\: {0} +validation.bPKDec.keyStore.filename.valid=Der Dateiname des KeyStores enth\u00E4lt nicht erlaubte Zeichen. Folgende Zeichen sind nicht erlaubt\: {0} +validation.bPKDec.keyStore.file.valid=Der KeyStore konnte nicht geladen oder ge\u00F6ffnet werden. Eventuell sind das Passwort oder der Schl\u00FCsselname nicht korrekt. +validation.bPKDec.keyStore.file.selected=Es kann nur EIN KeyStore angegeben werden. validation.stork.cpeps.cc=CPEPS L\u00E4ndercode folgt nicht ISO 3166-2 validation.stork.cpeps.empty=CPEPS Konfiguration ist unvollst\u00E4ndig diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties index a494ef089..22b063099 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties 
@@ -196,12 +196,21 @@ webpages.oaconfig.general.testing.oids=Use special test credential OIDs webpages.oaconfig.general.bku.delete=Remove webpages.oaconfig.general.bku.bkuselection.header=CCE-Selection Template -webpages.oaconfig.general.bku.bkuselection.filename=File name +webpages.oaconfig.general.bku.bkuselection.filename=Filename webpages.oaconfig.general.bku.bkuselection.upload=Upload new template webpages.oaconfig.general.bku.sendassertion.header=Send-Assertion Template -webpages.oaconfig.general.bku.sendassertion.filename=File name +webpages.oaconfig.general.bku.sendassertion.filename=Filename webpages.oaconfig.general.bku.sendassertion.upload=Upload new template +webpages.oaconfig.bPKEncDec.header=Foreign-bPK Configuration +webpages.oaconfig.bPKEncDec.keystore.header=Keystore configuration +webpages.oaconfig.bPKEncDec.filename=Filename +webpages.oaconfig.bPKEncDec.delete=Remove +webpages.oaconfig.bPKEncDec.upload=Upload new keystore +webpages.oaconfig.bPKEncDec.keyStorePassword=Keystore password +webpages.oaconfig.bPKEncDec.keyAlias=Key alias +webpages.oaconfig.bPKEncDec.keyPassword=Key password + webpages.oaconfig.general.identification=Unique identifier (PublicURLPrefix) webpages.oaconfig.general.mandate.header=Mandates webpages.oaconfig.general.mandate.profiles=Profile 
@@ -447,6 +456,16 @@ validation.general.sendassertion.file.valid=Send-Assertion Templates could not b validation.general.sendassertion.file.selected=Only one Send-Assertion Template can be provided. validation.general.testcredentials.oid.valid=The OID {0} for test credentials is not a valid. +validation.bPKDec.keyStorePassword.empty=KeyStore password is blank. +validation.bPKDec.keyStorePassword.valid=The keyStore password contains forbidden characters. The following characters are not allowed\: {0} +validation.bPKDec.keyAlias.empty=Key alias is blank. +validation.bPKDec.keyAlias.valid=The key alias contains forbidden characters. The following characters are not allowed\: {0} +validation.bPKDec.keyPassword.empty=Key password is blank. +validation.bPKDec.keyPassword.valid=The key password contains forbidden characters. The following characters are not allowed\: {0} +validation.bPKDec.keyStore.filename.valid=The keyStore filename contains forbidden characters. The following characters are not allowed\: {0} +validation.bPKDec.keyStore.file.valid=KeyStore can not loaded. Maybe keyStore password or key alias are wrong. +validation.bPKDec.keyStore.file.selected=Only one keyStore can be provided. + validation.stork.cpeps.cc=CPEPS country code is not based on 3166-2 validation.stork.cpeps.empty=CPEPS configuration is incomplete validation.stork.cpeps.url=CPEPS URL is invalid diff --git a/id/ConfigWebTool/src/main/webapp/jsp/editOAGeneral.jsp b/id/ConfigWebTool/src/main/webapp/jsp/editOAGeneral.jsp index a3541c9a7..c56ad4847 100644 --- a/id/ConfigWebTool/src/main/webapp/jsp/editOAGeneral.jsp +++ b/id/ConfigWebTool/src/main/webapp/jsp/editOAGeneral.jsp @@ -39,6 +39,8 @@ + + @@ -82,7 +84,7 @@ - + diff --git a/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/bPKDecryption.jsp b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/bPKDecryption.jsp new file mode 100644 index 000000000..9f506e7da --- /dev/null +++ b/id/ConfigWebTool/src/main/webapp/jsp/snippets/OA/bPKDecryption.jsp 
@@ -0,0 +1,75 @@ +<%@page import="at.gv.egovernment.moa.id.configuration.helper.LanguageHelper"%> +<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> +<%@ taglib prefix="s" uri="/struts-tags" %> + + +
+

<%=LanguageHelper.getGUIString("webpages.oaconfig.bPKEncDec.header", request) %>

+ + + <%--

<%=LanguageHelper.getGUIString("webpages.oaconfig.bPKEncDec.keystore.header", request) %>

--%> + +
+ + + +
+ +
+ + + + + + + + + +
+
+
+ +
+ + + + + + + + + + +
+
+ + +
+ \ No newline at end of file -- cgit v1.2.3 From a3e490800378eaaa4d9189bc1d1d606caa8fb41d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 19 Aug 2014 15:21:50 +0200 Subject: remove debug code --- .../moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 1c12e7398..a16fed9cd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -84,9 +84,7 @@ public class AssertionAttributeExtractor { } } - - attributs.put(PVPConstants.ENC_BPK_LIST_NAME, "Test+BF|sKWq790t2mn1Uw7xTMQTu1LNYD1xbhjOpZ7/dO+zvzSZB8eClH0HIoH71YLxktykMor268y0IEG7UgLfs9Zviy/naprdeRhJxgxCFpQJdIlqc1qv4ll8q7Z55Qhge1he8ZYibqylaa7GSOXeoEBcto5LeWd0e6QnI4JgFqwalZlTVY0+2xH2G3cAMX0OGIw5bqqrjL+wl0DztDD610I4oxTtxPzvIX8Jk9wg0Of2RvDfxxj+SSibNS+8+/QOavrQ+iaghOxtPzZQWvW26O1BrFenszCn5J/IrrylKIK6kAi/raBzVnzgKlgmNhaqYZIKeP1Urc2wgXMJGov1R9P6tw=="); - + } else throw new AssertionAttributeExtractorExeption(); } -- cgit v1.2.3 From 9331771b24160e0ee04324576d9f35caf6ac4d79 Mon Sep 17 00:00:00 2001 
From: Thomas Lenz Date: Tue, 19 Aug 2014 15:23:07 +0200 Subject: Update handbook, demo-configuration and history.txt --- id/history.txt | 20 +- id/readme_2.1.1.txt | 220 +++++++++++++++++++++ .../moa-id-configtool.properties | 2 + .../data/deploy/conf/moa-id/moa-id.properties | 1 + .../moa-id-configtool.properties | 2 + id/server/doc/conf/moa-id/moa-id.properties | 1 + .../doc/conf/moa-id/stork/StorkSamlEngine_VIDP.xml | 61 ++++-- id/server/doc/handbook/config/config.html | 12 ++ 8 files changed, 296 insertions(+), 23 deletions(-) create mode 100644 id/readme_2.1.1.txt (limited to 'id') diff --git a/id/history.txt b/id/history.txt index 8321e2085..a3146066b 100644 --- a/id/history.txt +++ b/id/history.txt @@ -1,7 +1,16 @@ Dieses Dokument zeigt die Veränderungen und Erweiterungen von MOA-ID auf. -History MOA-ID: +Version MOA-ID Release 2.1.1: Änderungen seit Version MOA-ID 2.1.0 +- Neuerungen: + - Verarbeitung von verschlüsselten bPKs auf Seiten von MOA-ID-Auth + +- Änderungen + - Anpassung VIDP Code für STORK + - Anpassung des Codes für IDP Interfederation + - Kleinere Bug-Fixes + + Version MOA-ID Release 2.1.0: Änderungen seit Version MOA-ID 2.0.1 - Änderungen - Anpassung VIDP Code für STORK @@ -14,6 +23,7 @@ Version MOA-ID Release 2.1.0: - MOA-ID Truststore wird auch für Bezug PVP 2.1 metadaten über https verwendet. - Definition neuer Fehlercodes + Version MOA-ID Release 2.0.1: Änderungen seit Version MOA-ID 2.0.0 - Änderungen: - Anpassungen VIDP Code für STORK @@ -570,7 +580,7 @@ Version MOA-ID 1.2.0d3: Verbesserungen/Erweiterungen: - Umstellung von vPK auf bPK; von ZMR auf Stammzahl. https://forge.cio.gv.at/bugzilla/show_bug.cgi?id=70 -  + - Anpassbare JSP Errorpage und Messagepage für Proxy und Auth Damit die Formatierungen der Benutzermeldungen an die Kundenwünsche und das CI der Kunden angepasst werden können, wird JSP 
@@ -586,7 +596,7 @@ Verbesserungen/Erweiterungen: Durch die Angabe des Attributs ‚keyBoxIdentifier’ im Element OnlineApplication eine Auswahl des Schlüsselpaars erfolgen. https://forge.cio.gv.at/bugzilla/show_bug.cgi?id=105 -  + - Anpassbare JSP Errorpage für MOA-ID Proxy und MOA-ID Auth https://forge.cio.gv.at/bugzilla/show_bug.cgi?id=70 @@ -595,8 +605,8 @@ Verbesserungen/Erweiterungen: - Ergänzung der mitgelieferten Konfiguration (certstore, trustprofiles auch für Testbürgerkarten) - https://forge.cio.gv.at/bugzilla/show_bug.cgi?id=120  -  + https://forge.cio.gv.at/bugzilla/show_bug.cgi?id=120 + Fixes: - Daten die aus MOA-ID-PROXY an eine OA mittels der Authentisierungsvariante ParamAuth weitergegeben werden, diff --git a/id/readme_2.1.1.txt b/id/readme_2.1.1.txt new file mode 100644 index 000000000..44f591bed --- /dev/null +++ b/id/readme_2.1.1.txt 
@@ -0,0 +1,220 @@ +=============================================================================== +MOA ID Version Release 2.1.1 - Wichtige Informationen zur Installation +=============================================================================== + +------------------------------------------------------------------------------- +A. Neuerungen/Änderungen +------------------------------------------------------------------------------- + +Mit MOA ID Version 2.1.1 wurden folgende Neuerungen eingeführt, die jetzt +erstmals in der Veröffentlichung enthalten sind (siehe auch history.txt im +gleichen Verzeichnis): + +- Neuerungen: + - Verarbeitung von verschlüsselten bPKs auf Seiten von MOA-ID-Auth + +- Änderungen + - Anpassung VIDP Code für STORK + - Anpassung des Codes für IDP Interfederation + - Kleinere Bug-Fixes + +------------------------------------------------------------------------------- +B. Durchführung eines Updates +------------------------------------------------------------------------------- + +Es wird generell eine Neuinstallation lt. Handbuch empfohlen! Dennoch ist auch +eine Aktualisierung bestehender Installationen möglich. Je nachdem von welcher +MOA-ID Version ausgegangen wird ergibt sich eine Kombination der nachfolgend angebebenen Updateschritte. + +............................................................................... +B.1 Durchführung eines Updates von Version 2.1.0 auf Version 2.1.1 +............................................................................... + 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. + Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. + +2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.0.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST + bezeichnet. + +3. 
Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth + beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, + wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation + für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als + auch das komplette Verzeichnis moa-id-auth. + +4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach + CATALINA_HOME_ID/webapps. + +5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach + CATALINA_HOME_ID/webapps. + +6. Hinzufügen der zusätzlichen Konfigurationsparameter in der + MOA-ID-Configuration Konfigurationsdatei + CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties + a.) general.moaconfig.key=..... (Passwort zum Ver- und + Entschlüsseln von Konfigurationsparametern in der Datenbank) + +7. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth + Konfigurationsdatei CATALINA_HOME\conf\moa-id\moa-id.properties + a.) configuration.moaconfig.key=..... (Passwort zum Ver- und + Entschlüsseln von Konfigurationsparametern in der Datenbank) + +8 . Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im + Logging von MOA ID beim Einlesen der Konfiguration. + +............................................................................... +B.2 Durchführung eines Updates von Version 2.0.1 auf Version 2.1.0 +............................................................................... + 1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. + Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. + +2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.1.0.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST + bezeichnet. + +3. 
Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth + beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, + wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation + für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als + auch das komplette Verzeichnis moa-id-auth. + +4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach + CATALINA_HOME_ID/webapps. + +5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach + CATALINA_HOME_ID/webapps. + +6. Update der STORK Konfiguration + a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork + in das Verzeichnis CATALINA_HOME\conf\moa-id\stork. + b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration -> + 2.4 Konfiguration des SamlEngines an. + +7. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Configuration Konfigurationsdatei + CATALINA_HOME\conf\moa-id-configuration\moa-id-configtool.properties + a.) general.ssl.certstore=certs/certstore + b.) general.ssl.truststore=certs/truststore + +8. Kopieren des folgenden zusätzlichen Ordners MOA_ID_AUTH_INST/conf/moa-id-configuration/certs + nach CATALINA_HOME\conf\moa-id-configuration\ + +9. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei + CATALINA_HOME\conf\moa-id\moa-id.properties und Anpassung an das zu verwendeten Schlüsselpaar. + a.) protocols.pvp2.idp.ks.assertion.encryption.alias=pvp_assertion + protocols.pvp2.idp.ks.assertion.encryption.keypassword=password + +10. Kopieren der folgenden zusätzlichen Ordner aus MOA_ID_AUTH_INST/conf/moa-id/ + nach CATALINA_HOME\conf\moa-id\ + a.) MOA_ID_AUTH_INST/conf/moa-id/SLTemplates -> CATALINA_HOME\conf\moa-id\ + b.) MOA_ID_AUTH_INST/conf/moa-id/htmlTemplates/slo_template.html -> + CATALINA_HOME/conf/moa-id/htmlTemplates/slo_template.html + +11. Neuinitialisieren des Datenbank Schema für die MOA-Session. 
Hierfür stehen + zwei Varianten zur Verfügung. + a.) Ändern Sie in der Konfigurationsdatei für das Modul MOA-ID-Auth + CATALINA_HOME\conf\moa-id\moa-id.properties die Zeile + moasession.hibernate.hbm2ddl.auto=update + zu + moasession.hibernate.hbm2ddl.auto=create + Danach werden die Tabellen beim nächsten Startvorgang neu generiert. + + b.) Löschen Sie alle Tabellen aus dem Datenbank Schema für die MOA-Sessixson + Informationen per Hand. Alle Tabellen werden beim nächsten Start autmatisch neu generiert. + +12 . Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im + Logging von MOA ID beim Einlesen der Konfiguration. + + +............................................................................... +B.3 Durchführung eines Updates von Version 2.0-RC1 auf Version 2.0.1 +............................................................................... + +1. Stoppen Sie den Tomcat, in dem Ihre bisherige Installation betrieben wird. + Fertigen Sie eine Sicherungskopie Ihrer kompletten Tomcat-Installation an. + +2. Entpacken Sie die Distribution von MOA-ID-Auth (moa-id-auth-2.0.1.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_AUTH_INST + bezeichnet. + Für MOA ID Proxy: + Entpacken Sie die Distribution von MOA-ID-Proxy (moa-id-proxy-2.0.1.zip) in + ein temporäres Verzeichnis, in weiterer Folge als MOA_ID_PROXY_INST + bezeichnet. + +3. Wechseln Sie in jenes Verzeichnis, das die Webapplikation von MOA ID Auth + beinhaltet (für gewöhnlich ist dieses Verzeichnis CATALINA_HOME_ID/webapps, + wobei CATALINA_HOME_ID für das Basisverzeichnis der Tomcat-Installation + für MOA ID steht). Löschen Sie darin sowohl die Datei moa-id-auth.war als + auch das komplette Verzeichnis moa-id-auth. + +4. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-auth.war nach + CATALINA_HOME_ID/webapps. + +5. Kopieren Sie die Datei MOA_ID_AUTH_INST/moa-id-configuration.war nach + CATALINA_HOME_ID/webapps. + +6. Update des Cert-Stores. 
+ Kopieren Sie den Inhalt des Verzeichnisses + MOA_ID_INST_AUTH\conf\moa-spss\certstore in das Verzeichnis + CATALINA_HOME\conf\moa-spss\certstore. Wenn Sie gefragt werden, ob Sie + vorhandene Dateien oder Unterverzeichnisse überschreiben sollen, dann + bejahen sie das. + +7. Update der Trust-Profile. Wenn Sie Ihre alten Trust-Profile durch die Neuen ersetzen + wollen, dann gehen Sie vor, wie in Punkt a). Wenn Sie Ihre eigenen Trust-Profile + beibehalten wollen, dann gehen Sie vor, wie in Punkt b). + + a. Gehen Sie wie folgt vor, um die Trust-Profile auszutauschen: + + 1) Löschen Sie das Verzeichnis CATALINA_HOME\conf\moa-spss\trustprofiles. + 2) Kopieren Sie das Verzeichnis + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles in das Verzeichnis + CATALINA_HOME\conf\moa-spss. + + b. Falls Sie Ihre alten Trust-Profile beibehalten wollen, gehen Sie wie + folgt vor, um die Profile auf den aktuellen Stand zu bringen: + + 1) Ergänzen Sie ihre Trustprofile durch alle Zertifikate aus den + entsprechenden Profilen im Verzeichnis + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles, die nicht in Ihren + Profilen enthalten sind. Am einfachsten ist es, wenn Sie den Inhalt + der einzelnen Profile aus der Distribution + (MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles) in die entsprechenden + Profile Ihrer Installation (CATALINA_HOME\conf\moa-spss\trustProfiles) + kopieren und dabei die vorhandenen gleichnamigen Zertifikate + überschreiben), also z.B: Kopieren des Inhalts von + MOA_ID_INST_AUTH\conf\moa-spss\trustProfiles\ + MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten nach + CATALINA_HOME\conf\moa-spss\trustProfiles\ + MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten usw. + +8. Update der Default html-Templates für die Bürgerkartenauswahl. + + a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\htmlTemplates + in das Verzeichnis CATALINA_HOME\conf\moa-id\htmlTemplates. + b.) 
Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id-configuration\htmlTemplates + in das Verzeichnis CATALINA_HOME\conf\moa-id-configuration\htmlTemplates. + +9. Update der STORK Konfiguration + a.) Kopieren Sie die Dateien aus dem Verzeichnis MOA_ID_INST_AUTH\conf\moa-id\stork + in das Verzeichnis CATALINA_HOME\conf\moa-id\stork. + b.) Passen Sie die STORK Konfiguration laut Handbuch -> Konfiguration -> + 2.4 Konfiguration des SamlEngines an. + +10. Hinzufügen der zusätzlichen Konfigurationsparameter in der MOA-ID-Auth Konfigurationsdatei + CATALINA_HOME\conf\moa-id\moa-id.properties + + a.) configuration.validation.certificate.QC.ignore=false + b.) protocols.pvp2.assertion.encryption.active=false + +11. Starten Sie den Tomcat neu, achten Sie auf eventuelle Fehlermeldungen im + Logging von MOA ID beim Einlesen der Konfiguration. + + +............................................................................... +B.4 Durchführung eines Updates von Version <= 1.5.1 +............................................................................... + +Bitte führen Sie eine Neuinstallation von MOA ID laut Handbuch durch und passen +Sie die mitgelieferte Musterkonfiguration entsprechend Ihren Bedürfnissen unter +Zuhilfenahme Ihrer bisherigen Konfiguration an. + diff --git a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties index db158ed23..7c71fadcb 100644 --- a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties +++ b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties @@ -13,6 +13,8 @@ general.defaultlanguage=de general.ssl.certstore=certs/certstore general.ssl.truststore=certs/truststore +general.moaconfig.key=ConfigurationEncryptionKey + ##Mail general.mail.host=smtp.localhost... #general.mail.host.port= 
diff --git a/id/server/data/deploy/conf/moa-id/moa-id.properties b/id/server/data/deploy/conf/moa-id/moa-id.properties index e8a75c348..4290b1985 100644 --- a/id/server/data/deploy/conf/moa-id/moa-id.properties +++ b/id/server/data/deploy/conf/moa-id/moa-id.properties @@ -17,6 +17,7 @@ protocols.pvp2.assertion.encryption.active=false ##General MOA-ID 2.0 operations #MOA-ID 2.0 session information encryption key (PassPhrase) configuration.moasession.key=SessionEncryptionKey +configuration.moaconfig.key=ConfigurationEncryptionKey #MOA-ID 2.0 Monitoring Servlet configuration.monitoring.active=false diff --git a/id/server/doc/conf/moa-id-configuration/moa-id-configtool.properties b/id/server/doc/conf/moa-id-configuration/moa-id-configtool.properties index db158ed23..7c71fadcb 100644 --- a/id/server/doc/conf/moa-id-configuration/moa-id-configtool.properties +++ b/id/server/doc/conf/moa-id-configuration/moa-id-configtool.properties @@ -13,6 +13,8 @@ general.defaultlanguage=de general.ssl.certstore=certs/certstore general.ssl.truststore=certs/truststore +general.moaconfig.key=ConfigurationEncryptionKey + ##Mail general.mail.host=smtp.localhost... #general.mail.host.port= diff --git a/id/server/doc/conf/moa-id/moa-id.properties b/id/server/doc/conf/moa-id/moa-id.properties index e8a75c348..4290b1985 100644 --- a/id/server/doc/conf/moa-id/moa-id.properties +++ b/id/server/doc/conf/moa-id/moa-id.properties @@ -17,6 +17,7 @@ protocols.pvp2.assertion.encryption.active=false ##General MOA-ID 2.0 operations #MOA-ID 2.0 session information encryption key (PassPhrase) configuration.moasession.key=SessionEncryptionKey +configuration.moaconfig.key=ConfigurationEncryptionKey #MOA-ID 2.0 Monitoring Servlet configuration.monitoring.active=false diff --git a/id/server/doc/conf/moa-id/stork/StorkSamlEngine_VIDP.xml b/id/server/doc/conf/moa-id/stork/StorkSamlEngine_VIDP.xml index 5aff0d1fa..ef5dc23d2 100644 --- a/id/server/doc/conf/moa-id/stork/StorkSamlEngine_VIDP.xml 
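Review bot: `configuration.moaconfig.key=ConfigurationEncryptionKey` ships a fixed, publicly known placeholder as the key that protects configuration data in the database, and the same literal appears in the deploy copy of moa-id-configtool.properties in the previous hunk and as the example value in the handbook further down. An installation that keeps the sample value gains no confidentiality from this encryption, since anyone holding the distribution knows the key. Mark the entry so it is not mistaken for a working default, e.g. `#MOA-ID 2.0 configuration encryption key (PassPhrase) - replace the sample value before production; must match general.moaconfig.key of MOA-ID-Configuration`, and consider having configuration loading log a warning when the placeholder is still in use. The readme added in this commit already writes the value as `.....`, which is the safer pattern for the sample files too.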
+++ b/id/server/doc/conf/moa-id/stork/StorkSamlEngine_VIDP.xml @@ -23,10 +23,7 @@ - HTTP-POST - - - + HTTP-POST - false true - - http://S-PEPS.gov.xx + + https://testvidp.buergerkarte.at/moa-id-auth/stork2/SendPEPSAuthnRequest - - http://C-PEPS.gov.xx + + https://testvidp.buergerkarte.at/moa-id-auth/stork2/SendPEPSAuthnRequest - 300 + 600 false - + + + true http://www.stork.gov.eu/1.0/eIdentifier @@ -73,7 +71,6 @@ http://www.stork.gov.eu/1.0/pseudonym http://www.stork.gov.eu/1.0/age http://www.stork.gov.eu/1.0/isAgeOver - http://www.stork.gov.eu/1.0/fiscalNumber http://www.stork.gov.eu/1.0/textResidenceAddress http://www.stork.gov.eu/1.0/canonicalResidenceAddress 
@@ -86,10 +83,38 @@ http://www.stork.gov.eu/1.0/newAttribute1 http://www.stork.gov.eu/1.0/newAttribute2 - http://www.stork.gov.eu/1.0/hasDegree - http://www.stork.gov.eu/1.0/mandateContent - http://www.stork.gov.eu/1.0/representative - http://www.stork.gov.eu/1.0/represented - http://www.stork.gov.eu/1.0/mandateType - + http://www.stork.gov.eu/1.0/hasDegree + + + http://www.stork.gov.eu/1.0/diplomaSupplement + http://www.stork.gov.eu/1.0/currentStudiesSupplement + http://www.stork.gov.eu/1.0/isStudent + http://www.stork.gov.eu/1.0/isAcademicStaff + http://www.stork.gov.eu/1.0/isTeacherOf + http://www.stork.gov.eu/1.0/isCourseCoordinator + http://www.stork.gov.eu/1.0/isAdminStaff + http://www.stork.gov.eu/1.0/habilitation + http://www.stork.gov.eu/1.0/Title + http://www.stork.gov.eu/1.0/hasDegree + http://www.stork.gov.eu/1.0/hasAccountInBank + http://www.stork.gov.eu/1.0/isHealthCareProfessional + + http://www.stork.gov.eu/1.0/eLPIdentifier + http://www.stork.gov.eu/1.0/legalName + http://www.stork.gov.eu/1.0/alternativeName + http://www.stork.gov.eu/1.0/type + http://www.stork.gov.eu/1.0/translatableType + http://www.stork.gov.eu/1.0/status + http://www.stork.gov.eu/1.0/activity + http://www.stork.gov.eu/1.0/registeredAddress + http://www.stork.gov.eu/1.0/registeredCanonicalAddress + http://www.stork.gov.eu/1.0/contactInformation + http://www.stork.gov.eu/1.0/LPFiscalNumber + http://www.stork.gov.eu/1.0/mandate + http://www.stork.gov.eu/1.0/docRequest + + http://www.stork.gov.eu/1.0/mandateContent + http://www.stork.gov.eu/1.0/representative + http://www.stork.gov.eu/1.0/represented + diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html index 24e80c588..e21aaf421 100644 --- a/id/server/doc/handbook/config/config.html +++ b/id/server/doc/handbook/config/config.html 
@@ -216,6 +216,12 @@ certs/truststore TrustedCACertificates enthält das Verzeichnis (relativ zur MOA-ID-Auth Basiskonfigurationsdatei), das jene Zertifikate enthält, die als vertrauenswürdig betrachtet werden. Im Zuge der Überprüfung der TLS-Serverzertifikate wird die Zertifikatspfaderstellung an einem dieser Zertifikate beendet. Dieses Verzeichnis wird zur Prüfung der SSL Serverzertifikate beim Download von PVP 2.1 Metadaten verwendet. + + general.moaconfig.key + ConfigurationEncryptionKey +

Passwort zum Verschlüsseln von Konfigurationsteilen welche in der Datenbank abgelegt werden. Hierbei kann jede beliebige Zeichenfolge aus Buchstaben, Zahlen und Sonderzeichen verwendet werden.

+

Hinweis: Dieses Passwort muss identisch zu dem im Modul MOA-ID-Auth hinterlegten Passwort sein.

+ general.userrequests.cleanup.delay 18 @@ -570,6 +576,12 @@ https://<host>:<port>/moa-id-configuration/secure/usermanagementInit aX.J47s#bh7 Passwort zum Verschlüsseln von personenbezogenen Session Daten die während eines Anmeldevorgangs und für Single Sign-On in der Datenbank abgelegt werden. Hierbei kann jede beliebige Zeichenfolge aus Buchstaben, Zahlen und Sonderzeichen verwendet werden. + + configuration.moaconfig.key + ConfigurationEncryptionKey +

Passwort zum Verschlüsseln von Konfigurationsteilen welche in der Datenbank abgelegt werden. Hierbei kann jede beliebige Zeichenfolge aus Buchstaben, Zahlen und Sonderzeichen verwendet werden.

+

Hinweis: Dieses Passwort muss identisch zu dem im Modul MOA-ID-Configuration hinterlegten Passwort sein.

+ configuration.monitoring.active true / false -- cgit v1.2.3 From 3993a8fab1cc23ac1f5e82da88b7e09e27cac563 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 20 Aug 2014 11:18:52 +0200 Subject: update attribute builder --- .../protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java | 9 ++++++++- .../pvp2x/builder/attributes/EIDIdentityLinkBuilder.java | 5 +++++ .../pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java | 8 +++++++- .../moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java | 4 ++++ 4 files changed, 24 insertions(+), 2 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java index 3dd1dd064..a38446826 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java @@ -25,8 +25,10 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; public class BPKAttributeBuilder implements IPVPAttributeBuilder { 
@@ -39,9 +41,14 @@ public class BPKAttributeBuilder implements IPVPAttributeBuilder { String bpk = authData.getBPK(); String type = authData.getBPKType(); + if (MiscUtil.isEmpty(bpk)) + throw new UnavailableAttributeException(BPK_NAME); + if (type.startsWith(Constants.URN_PREFIX_WBPK)) type = type.substring((Constants.URN_PREFIX_WBPK + "+").length()); - else if (type.startsWith(Constants.URN_PREFIX_CDID)) type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); + + else if (type.startsWith(Constants.URN_PREFIX_CDID)) + type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); if (bpk.length() > BPK_MAX_LENGTH) { bpk = bpk.substring(0, BPK_MAX_LENGTH); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java index e8aeb8fcd..29d6df040 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java @@ -27,6 +27,7 @@ import java.io.IOException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; 
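Review bot: The new `MiscUtil.isEmpty(bpk)` guard leaves `type` unchecked, yet the very next statement calls `type.startsWith(Constants.URN_PREFIX_WBPK)`, so an `IAuthData` whose bPK type is null still fails with a NullPointerException instead of the `UnavailableAttributeException` this commit introduces for the bPK itself. Extend the guard to `if (MiscUtil.isEmpty(bpk) || MiscUtil.isEmpty(type)) throw new UnavailableAttributeException(BPK_NAME);`. The same pair of values is validated in EIDSectorForIDAttributeBuilder later in this commit, so the two builders would then agree on what counts as unavailable. The build method continues past the end of the hunk.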
@@ -40,6 +41,10 @@ public class EIDIdentityLinkBuilder implements IPVPAttributeBuilder { IAttributeGenerator g) throws AttributeException { try { String ilAssertion = null; + + if (authData.getIdentityLink() == null) + throw new UnavailableAttributeException(EID_IDENTITY_LINK_NAME); + ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); return g.buildStringAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java index 7f52e1d47..463658a3d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java @@ -25,6 +25,8 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.util.MiscUtil; public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder { 
@@ -33,8 +35,12 @@ public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder { } public ATT build(OAAuthParameter oaParam, IAuthData authData, - IAttributeGenerator g) throws AttributeException { + IAttributeGenerator g) throws AttributeException { String bpktype = authData.getBPKType(); + + if (MiscUtil.isEmpty(authData.getBPKType())) + throw new UnavailableAttributeException(EID_SECTOR_FOR_IDENTIFIER_NAME); + return g.buildStringAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, EID_SECTOR_FOR_IDENTIFIER_NAME, bpktype); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java index a8b703fc2..16de43e11 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java @@ -27,6 +27,7 @@ import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.util.MiscUtil; public class EIDSourcePIN implements IPVPAttributeBuilder { @@ -41,6 +42,9 @@ public class EIDSourcePIN implements IPVPAttributeBuilder { throw new AttributePolicyException(EID_SOURCE_PIN_NAME); else { + if (MiscUtil.isEmpty(authData.getIdentificationValue())) + throw new UnavailableAttributeException(EID_SOURCE_PIN_NAME); + return g.buildStringAttribute(EID_SOURCE_PIN_FRIENDLY_NAME, EID_SOURCE_PIN_NAME, authData.getIdentificationValue()); } } -- cgit v1.2.3 
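Review bot: The added guard re-reads `authData.getBPKType()` although the line just above already stored it in `bpktype`; checking the local, `if (MiscUtil.isEmpty(bpktype))`, avoids a second call into the auth data and makes it obvious that the value being validated is the one handed to `buildStringAttribute`. Alternatively place the check before the assignment, as the commit does in BPKAttributeBuilder, so the two builders read the same way.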
From 4e18f04f6956db297e4902fc5c55e920816ef903 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 20 Aug 2014 11:20:20 +0200 Subject: add build process for natural person short mandates in case of IDP federation --- .../id/auth/builder/AuthenticationDataBuilder.java | 54 ++++++++++++++++++++-- 1 file changed, 49 insertions(+), 5 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 3c029f261..ed2cd3ecb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -31,7 +31,10 @@ import java.security.PrivateKey; import java.util.ArrayList; import java.util.Arrays; import java.util.Date; +import java.util.Iterator; import java.util.List; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; @@ -53,6 +56,9 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value; +import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType; +import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName; +import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; 
@@ -487,7 +493,8 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { //build legal person short mandate if (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME) && extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) && - extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) { + extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) { + Logger.debug("Build short mandate for legal person ..."); CorporateBodyType legalperson = new CorporateBodyType(); IdentificationType legalID = new IdentificationType(); Value idvalue = new Value(); 
@@ -505,10 +512,47 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME) && extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME) && extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME)) { - throw new AssertionAttributeExtractorExeption("Federation with short mandates for natural persons are not supported!", null); - - - + Logger.debug("Build short mandate for natural person ..."); + PhysicalPersonType physPerson = new PhysicalPersonType(); + PersonNameType persName = new PersonNameType(); + mandator.setPhysicalPerson(physPerson ); + physPerson.setName(persName ); + FamilyName familyName = new FamilyName(); + persName.getFamilyName().add(familyName ); + IdentificationType persID = new IdentificationType(); + physPerson.getIdentification().add(persID ); + Value idValue = new Value(); + persID.setValue(idValue ); + + String[] pvp2GivenName = extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME).split(" "); + for(int i=0; i Date: Wed, 20 Aug 2014 11:21:11 +0200 Subject: add SAML1 'PersonData' attribute builder if no identitylink is available --- .../moa/id/auth/MOAIDAuthConstants.java | 1 + .../protocols/saml1/SAML1AuthenticationServer.java | 93 ++++++++++++++++++---- 2 files changed, 78 insertions(+), 16 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index 4cec99b9a..db8b4dd80 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -164,5 +164,6 @@ public interface MOAIDAuthConstants { } }); + public static final String REGEX_PATTERN_TARGET = "^[A-Za-z]{2}(-.*)?$"; } 
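Review bot: `REGEX_PATTERN_TARGET = "^[A-Za-z]{2}(-.*)?$"` is added to MOAIDAuthConstants without any documentation of what it is meant to accept, and neither the name nor the pattern says that everything after the hyphen is unconstrained (`.*` also matches an empty string and embedded whitespace). Add a Javadoc above it, e.g. `/** Target identifier: a two-letter sector code, optionally followed by '-' and a free-form sub-sector. */`, so callers know the sub-sector part is not validated here. Where the constant is used is not visible in this hunk; if it is matched per call, a `Pattern.compile(...)` constant would avoid recompiling it.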
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index fe0d27804..7d3c72630 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -22,15 +22,22 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.saml1; +import java.io.ByteArrayOutputStream; import java.io.IOException; import java.util.List; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBElement; +import javax.xml.bind.Marshaller; +import javax.xml.namespace.QName; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; import org.w3c.dom.Element; import org.xml.sax.SAXException; +import com.sun.xml.bind.marshaller.NamespacePrefixMapper; + import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; @@ -60,6 +67,11 @@ import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.StringUtils; +import at.gv.util.xsd.persondata.IdentificationType; +import at.gv.util.xsd.persondata.IdentificationType.Value; +import at.gv.util.xsd.persondata.PersonNameType; +import at.gv.util.xsd.persondata.PersonNameType.FamilyName; +import at.gv.util.xsd.persondata.PhysicalPersonType; public class SAML1AuthenticationServer extends AuthenticationServer { 
@@ -185,26 +197,75 @@ public class SAML1AuthenticationServer extends AuthenticationServer { //set prPersion boolean provideStammzahl = saml1parameter.isProvideStammzahl() || oaParam.getBusinessService(); - String prPerson = new PersonDataBuilder().build(authData.getIdentityLink(), - provideStammzahl); - //set Authblock - String authBlock = saml1parameter.isProvideAUTHBlock() ? authData - .getAuthBlock() : ""; - - //set IdentityLink for assortion + String prPerson = ""; String ilAssertion = ""; - if (saml1parameter.isProvideIdentityLink()) { - ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); - - if (!provideStammzahl) - ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() - .getIdentificationValue(), ""); - } - + if (authData.getIdentityLink() != null) { + prPerson = new PersonDataBuilder().build(authData.getIdentityLink(), + provideStammzahl); - String samlAssertion; + //set IdentityLink for assortion + if (saml1parameter.isProvideIdentityLink()) { + ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); + + if (!provideStammzahl) + ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() + .getIdentificationValue(), ""); + } + } else { + Logger.info("No IdentityLink available! Build attribute 'PersonDate' from givenname, familyname and dateofbirth. 
"); + PhysicalPersonType person = new PhysicalPersonType(); + PersonNameType name = new PersonNameType(); + person.setName(name); + FamilyName familyName = new FamilyName(); + name.getFamilyName().add(familyName ); + IdentificationType id = new IdentificationType(); + person.getIdentification().add(id ); + Value value = new Value(); + id.setValue(value ); + + id.setType(Constants.URN_PREFIX_BASEID); + value.setValue(""); + familyName.setValue(authData.getFamilyName()); + familyName.setPrimary("undefined"); + name.getGivenName().add(authData.getGivenName()); + person.setDateOfBirth(authData.getFormatedDateOfBirth()); + + JAXBContext jc = JAXBContext.newInstance("at.gv.util.xsd.persondata"); + Marshaller m = jc.createMarshaller(); + m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE); + + m.setProperty("com.sun.xml.bind.namespacePrefixMapper", new NamespacePrefixMapper() { + public String getPreferredPrefix(String arg0, String arg1, boolean arg2) { + if (Constants.PD_NS_URI.equals(arg0)) + return Constants.PD_PREFIX; + else + return arg1; + } + }); + + ByteArrayOutputStream stream = new ByteArrayOutputStream(); + m.marshal( + new JAXBElement(new QName(Constants.PD_NS_URI,"Person"), PhysicalPersonType.class, person), + stream); + prPerson = StringUtils.removeXMLDeclaration(new String(stream.toByteArray(), "UTF-8")); + stream.close(); + + + + } + + //set Authblock + String authBlock = ""; + if (authData.getAuthBlock() != null) { + authBlock = saml1parameter.isProvideAUTHBlock() ? authData.getAuthBlock() : ""; + + } else { + Logger.info("\"provideAuthBlock\" is \"true\", but no authblock available"); + + } + String samlAssertion; if (authData.isUseMandate()) { List oaAttributes = authData.getExtendedSAMLAttributesOA(); -- cgit v1.2.3 From 7af9d603860dab1b618de7981ae3f0a27ea130db Mon Sep 17 00:00:00 2001 
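Review bot: The `else` branch for a missing auth block logs `"\"provideAuthBlock\" is \"true\", but no authblock available"` without checking `saml1parameter.isProvideAUTHBlock()`, so the message is also written when the option is off; guard it with `if (saml1parameter.isProvideAUTHBlock()) Logger.info(...)` or reword it. `JAXBContext.newInstance("at.gv.util.xsd.persondata")` is built on every call that reaches the no-IdentityLink branch; the context is thread-safe and expensive to create, so it belongs in a `static final` field while the `Marshaller` stays per call. `new JAXBElement(new QName(Constants.PD_NS_URI,"Person"), PhysicalPersonType.class, person)` is raw-typed and would read better as `new JAXBElement<PhysicalPersonType>(...)`. The fallback person carries an identification of type `Constants.URN_PREFIX_BASEID` with an empty value; a comment stating that relying parties must treat the empty value as "no identifier" (the same shape the IdentityLink path produces when `provideStammzahl` is false) would help the next reader. The enclosing method starts and ends outside this hunk.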
From: Thomas Lenz Date: Wed, 20 Aug 2014 16:47:11 +0200 Subject: solve SLO bug --- .../moa/id/demoOA/servlet/pvp2/SingleLogOut.java | 26 ++++++---------------- .../protocols/pvp2x/binding/RedirectBinding.java | 8 +++---- 2 files changed, 11 insertions(+), 23 deletions(-) (limited to 'id') diff --git a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/SingleLogOut.java b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/SingleLogOut.java index 11cc020ff..b87865989 100644 --- a/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/SingleLogOut.java +++ b/id/oa/src/main/java/at/gv/egovernment/moa/id/demoOA/servlet/pvp2/SingleLogOut.java @@ -43,6 +43,7 @@ import org.opensaml.common.binding.BasicSAMLMessageContext; import org.opensaml.common.impl.SecureRandomIdentifierGenerator; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; +import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; import org.opensaml.saml2.core.AuthnRequest; @@ -163,7 +164,7 @@ public class SingleLogOut extends HttpServlet { idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleLogoutServices()) { //Get the service address for the binding you wish to use - if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { + if (sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { redirectEndpoint = sss; } } 
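Review bot: The loop now selects the SingleLogoutService with `SAMLConstants.SAML2_REDIRECT_BINDING_URI`, but nothing visible handles an IdP whose metadata offers no redirect-binding logout endpoint; `redirectEndpoint` then keeps its initial value and `redirectEndpoint.getLocation()` in the following hunk dereferences it. A guard after the loop, `if (redirectEndpoint == null) throw new ServletException("IdP metadata has no HTTP-Redirect SingleLogoutService");` (or whichever exception the method already declares), would fail with a clear message instead. The loop also continues after a match, so with several matching endpoints the last one wins; a `break` would make the first-match intent explicit. The enclosing method starts and ends outside this hunk.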
@@ -182,28 +183,15 @@ public class SingleLogOut extends HttpServlet { signer.setSigningCredential(authcredential); sloReq.setSignature(signer); - //generate Http-POST Binding message - VelocityEngine engine = new VelocityEngine(); - engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8"); - engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8"); - engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8"); - engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath"); - engine.setProperty("classpath.resource.loader.class", - "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader"); - engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, - "org.apache.velocity.runtime.log.SimpleLog4JLogSystem"); - engine.init(); - - HTTPPostEncoder encoder = new HTTPPostEncoder(engine, - "templates/pvp_postbinding_template.html"); + HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( - response, true); + response + , true); BasicSAMLMessageContext context = new BasicSAMLMessageContext(); SingleSignOnService service = new SingleSignOnServiceBuilder() .buildObject(); - service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"); - service.setLocation(redirectEndpoint.getLocation());; - + service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + service.setLocation(redirectEndpoint.getLocation()); context.setOutboundSAMLMessageSigningCredential(authcredential); context.setPeerEntityEndpoint(service); context.setOutboundSAMLMessage(sloReq); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index f11561c14..587d8e935 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java 
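Review bot: The request is still XML-signed via `signer.setSigningCredential(authcredential); sloReq.setSignature(signer);` just above the hunk, yet with `HTTPRedirectDeflateEncoder` the HTTP-Redirect binding carries its signature in the query string, derived from `context.setOutboundSAMLMessageSigningCredential(authcredential)`; as far as I recall, OpenSAML 2's redirect encoder strips an enveloped XML signature before deflating, so the XML signing step looks like dead work and is worth confirming and removing. `new HttpServletResponseAdapter(response , true)` breaks the argument list before the comma; keep `response,` on the first line. The `HTTPPostEncoder` import kept by the import hunk above, and whatever imports backed the removed `VelocityEngine`/`RuntimeConstants` code, may now be unused; the import hunk does not touch them. The enclosing method starts outside this hunk.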
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -143,11 +143,11 @@ public class RedirectBinding implements IDecoder, IEncoder { //set metadata descriptor type if (isSPEndPoint) { messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService())); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService())); } else { messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService())); } } catch (ConfigurationException e) { @@ -206,8 +206,8 @@ public class RedirectBinding implements IDecoder, IEncoder { } public boolean handleDecode(String action, HttpServletRequest req) { - return (action.equals(PVP2XProtocol.REDIRECT) && req.getMethod() - .equals("GET")); + return ((action.equals(PVP2XProtocol.REDIRECT) || action.equals(PVP2XProtocol.SINGLELOGOUT)) + && req.getMethod().equals("GET")); } public String getSAML2BindingName() { -- cgit v1.2.3 From 559437f6cf63836f0698ea74f003f481eb7bf29d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 20 Aug 2014 16:47:39 +0200 Subject: update SecurityLayer Template --- id/server/auth/src/main/webapp/template_localBKU.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id') diff --git a/id/server/auth/src/main/webapp/template_localBKU.html b/id/server/auth/src/main/webapp/template_localBKU.html index f197d2c5c..88fad25ae 100644 --- a/id/server/auth/src/main/webapp/template_localBKU.html +++ b/id/server/auth/src/main/webapp/template_localBKU.html @@ -11,7 +11,7 @@ -
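Review bot: `handleDecode` now accepts `PVP2XProtocol.SINGLELOGOUT` over GET, but the decode path in the `@@ -143,11 +143,11 @@` hunk above compares the message destination only against the SSO redirect endpoints (`getSPSSORedirectService()` / `getIDPSSORedirectService()`); a LogoutRequest or LogoutResponse is addressed to the single-logout endpoint, so if `MOAURICompare` performs an exact comparison these messages are rejected, and if it is lenient the destination check no longer pins SLO messages to their own endpoint. Choosing the comparator URL by action (SSO vs. SLO) before `decode.setURIComparator(...)` would keep the check strict for both flows. The surrounding method starts and ends outside the hunk, so I cannot see whether `action` is available at that point.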
+ name="CustomizedForm" action="" method="post" enctype="multipart/form-data<>"> Falls Sie nicht automatisch weitergeleitet werden klicken Sie bitte hier: -- cgit v1.2.3 From f9d3790bf9f53fe8b441aa58377101ddcad2597c Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 20 Aug 2014 16:48:09 +0200 Subject: update handbook and defaultconfig --- .../conf/moa-id-oa/keys/Metadata_Signing.cer | 24 +++ id/server/data/deploy/tomcat/unix/tomcat-start.sh | 2 +- id/server/data/deploy/tomcat/win32/startTomcat.bat | 4 +- .../transforms/TransformsInfoAuthBlockTable_DE.xml | 161 +++++++++++++++++++++ .../transforms/TransformsInfoAuthBlockTable_EN.xml | 161 +++++++++++++++++++++ 5 files changed, 349 insertions(+), 3 deletions(-) create mode 100644 id/server/data/deploy/conf/moa-id-oa/keys/Metadata_Signing.cer create mode 100644 id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_DE.xml create mode 100644 id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_EN.xml (limited to 'id') diff --git a/id/server/data/deploy/conf/moa-id-oa/keys/Metadata_Signing.cer b/id/server/data/deploy/conf/moa-id-oa/keys/Metadata_Signing.cer new file mode 100644 index 000000000..bd9640b37 --- /dev/null +++ b/id/server/data/deploy/conf/moa-id-oa/keys/Metadata_Signing.cer 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIECTCCAvGgAwIBAgIJAIHjIpba8E6mMA0GCSqGSIb3DQEBBQUAMGAxCzAJBgNV +BAYTAkFUMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxGTAXBgNVBAMTEE1ldGFkYXRhIFNpZ25pbmcwHhcNMTQw +MjA0MTA0MTA4WhcNMjQwMjAyMTA0MTA4WjBgMQswCQYDVQQGEwJBVDETMBEGA1UE +CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MRkwFwYDVQQDExBNZXRhZGF0YSBTaWduaW5nMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAvfDn2hbBnvywRNc7wmToItDzXitkl9nfM9Q3ubEN9qAh4/PD +ICrKdzFBq08a7NR5xNJhDCUhhZ/W20ZJvh+1dwQdgSzanA91iVKbL4YFYKbnM9/x +tarTAMZMWH34qIkfwkKyTEDWeOqFG2653azO5e+0DFiBV7AytR3dmy1ZnJoqhGIY +O4EzINikof1M7t5I8xBS3gAyQKyu0yhbj5AyUujpNIPX0JeE1C1DsrHaeuAHZXLh +zHEWSG3NVXrn8HAXAAtqGJ+E9SRztqsigDjNjbqrrp/vmPUag9Rb2o8/flEZTPRS +ttCQTHK8jst/I2qgLkePB5kSp65caXUf4xuFqQIDAQABo4HFMIHCMB0GA1UdDgQW +BBQFbqjmW9JHVCWwocMdO0EodAfy/jCBkgYDVR0jBIGKMIGHgBQFbqjmW9JHVCWw +ocMdO0EodAfy/qFkpGIwYDELMAkGA1UEBhMCQVQxEzARBgNVBAgTClNvbWUtU3Rh +dGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEZMBcGA1UEAxMQ +TWV0YWRhdGEgU2lnbmluZ4IJAIHjIpba8E6mMAwGA1UdEwQFMAMBAf8wDQYJKoZI +hvcNAQEFBQADggEBAECK58eJgkd54gQAV9gGXRC2LV1tdBzn89Q57Ff/UwBQzN0M ++uytem8lwVCpUeAk6N01/krzmSbJojqpXId+O/iHhQ8lwDmJnXRrCZH7APiQ3yC0 +p4ufWtxhqixc+Itl96HzHDRXb7eZkXdVERGM26UGwyaBfxkIcLdpMoojlHBJlHaA +oHDYiJHQBmqk5+YMOuEOnpsKY0115MZ38DoppNfeAFG8K4ZDI5vH9VWk8PDJu+jv +tWbhXNsKiiCMdZrsnvGjxPpk/6zJpJpBcwCzhIvnaEobijKMO+6aH/6zfbB6JKn/ +Dz3Rw+0WbypFYbbpIzWRCkXSAQju/w3vHBGnCyI= +-----END CERTIFICATE----- diff --git a/id/server/data/deploy/tomcat/unix/tomcat-start.sh b/id/server/data/deploy/tomcat/unix/tomcat-start.sh index 10bade1bd..59cf2d0a9 100644 --- a/id/server/data/deploy/tomcat/unix/tomcat-start.sh +++ b/id/server/data/deploy/tomcat/unix/tomcat-start.sh 
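Review bot: The added `Metadata_Signing.cer` decodes (from the visible base64) to a self-signed certificate whose subject carries the OpenSSL prompt defaults `Some-State` / `Internet Widgits Pty Ltd` with CN `Metadata Signing` and roughly ten years of validity, which marks it as a demo key shipped inside the default deployment configuration. Every installation that keeps this file trusts metadata signed with the matching private key, wherever that key lives. A sentence in the deployment documentation or a sibling README stating that the certificate belongs to the demo OA only and must be replaced by the operator's own metadata-signing certificate would make that explicit; the file itself cannot carry a comment, so this is a documentation-only point.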
@@ -18,7 +18,7 @@ PROXY_OPT=-Dmoa.id.proxy.configuration=$CATALINA_BASE/conf/moa-id-proxy/MOAIDCon #TRUST_STORE_PASS_OPT=-Djavax.net.ssl.trustStorePassword=changeit #TRUST_STORE_TYPE_OPT=-Djavax.net.ssl.trustStoreType=jks -export CATALINA_OPTS="$CONFIG_OPT $LOGGING_OPT $SPSS_OPT $TRUST_STORE_OPT $TRUST_STORE_PASS_OPT $TRUST_STORE_TYPE_OPT $CONFIGTOOL_OPT $DEMOOA_OPT $STORK_OPT $PROXY_OPT" +export CATALINA_OPTS="$CONFIG_OPT $LOGGING_OPT $SPSS_OPT $TRUST_STORE_OPT $TRUST_STORE_PASS_OPT $TRUST_STORE_TYPE_OPT $CONFIGTOOL_OPT $DEMOOA_OPT $STORK_OPT $PROXY_OPT -Xms512m -Xmx1536m -XX:PermSize=256m" echo CATALINA_HOME: $CATALINA_HOME echo CATALINA_BASE: $CATALINA_BASE diff --git a/id/server/data/deploy/tomcat/win32/startTomcat.bat b/id/server/data/deploy/tomcat/win32/startTomcat.bat index 7730137c5..8d6d670bc 100644 --- a/id/server/data/deploy/tomcat/win32/startTomcat.bat +++ b/id/server/data/deploy/tomcat/win32/startTomcat.bat @@ -17,8 +17,8 @@ set CONFIGTOOL_OPT=-Dmoa.id.webconfig=%CATALINA_HOME%/conf/moa-id-configuration/ set DEMOOA_OPT=-Dmoa.id.demoOA=%CATALINA_HOME%/conf/moa-id-oa/oa.properties set STORK_OPT=-Deu.stork.samlengine.config.location=%CATALINA_HOME%/conf/moa-id/stork/ set PROXY_OPT=-Dmoa.id.proxy.configuration=%CATALINA_HOME%/conf/moa-id-proxy/MOAIDConfiguration.xml - -set PARAMS_MOA=%CONFIG_OPT_SPSS% %CONFIG_OPT_ID% %LOGGING_OPT% %CONFIGTOOL_OPT% %DEMOOA_OPT% %STORK_OPT% %PROXY_OPT% + +set PARAMS_MOA=%CONFIG_OPT_SPSS% %CONFIG_OPT_ID% %LOGGING_OPT% %CONFIGTOOL_OPT% %DEMOOA_OPT% %STORK_OPT% %PROXY_OPT% -Xms512m -Xmx1536m -XX:PermSize=256m rem set PARAM_TRUST_STORE=-Djavax.net.ssl.trustStore=truststore.jks rem set PARAM_TRUST_STORE_PASS=-Djavax.net.ssl.trustStorePassword=changeit diff --git a/id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_DE.xml b/id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_DE.xml new file mode 100644 index 000000000..1165d8b32 --- /dev/null 
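Review bot: `-XX:PermSize=256m` appended to `CATALINA_OPTS` configures the permanent generation, which HotSpot no longer has from Java 8 on; the JVM then prints an "ignoring option" warning at every start. If the deployment is meant for Java 7 only, say so in a comment next to the line, otherwise drop the flag or make it conditional on the Java version. The same three flags are added to `PARAMS_MOA` in the `startTomcat.bat` hunk on this line.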
+++ b/id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_DE.xml @@ -0,0 +1,161 @@ + + + + + + + + + Signatur der Anmeldedaten + + + +

Anmeldedaten:

+

Daten zur Person

+ + + + + + + + + + + + + + + + + + + + + + + + + +
Name: + +
Geburtsdatum: + + . + + . + +
Rolle: + +
Vollmacht: + Ich melde mich in Vertretung an. Im nächsten Schritt wird mir eine Liste der für mich verfügbaren Vertretungsverhältnisse angezeigt, aus denen ich eines auswählen werde. +
+

Daten zur Anwendung

+ + + + + + + + + +
Name: + +
Staat:Österreich
+

Technische Parameter

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
URL: + +
Bereich: + +
+ Vollmachten-Referenz: + +
+ : + +
Identifikator: + + +
OID: + +
HPI: + +
Datum: + + . + + . + +
Uhrzeit: + + : + + : + +
+ + +
+
+
+ +
+ + application/xhtml+xml + +
diff --git a/id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_EN.xml b/id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_EN.xml new file mode 100644 index 000000000..e220b8f82 --- /dev/null +++ b/id/server/doc/conf/moa-id-configuration/transforms/TransformsInfoAuthBlockTable_EN.xml @@ -0,0 +1,161 @@ + + + + + + + + + Signing the authentication data + + + +

Authentication Data:

+

Personal Data

+ + + + + + + + + + + + + + + + + + + + + + + + + +
Name: + +
Date of Birth: + + . + + . + +
Role: + +
Mandate: + I log in as representative. In the next step a list of available mandates is shown. Here I select one mandate. +
+

Application Data

+ + + + + + + + + +
Name: + +
Country:Austria
+

Technical Parameters

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
URL: + +
Sector: + +
+ Mandate Reference: + +
+ : + +
Identifier: + + +
OID: + +
HPI: + +
Date: + + . + + . + +
Time: + + : + + : + +
+ + +
+
+
+ +
+ + application/xhtml+xml + +
-- cgit v1.2.3 From 23047d5e2c28ce74eb7e76e3a13977f5ab31ec34 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 21 Aug 2014 10:50:11 +0200 Subject: fix typo --- .../src/main/resources/applicationResources_de.properties | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'id') diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties index 35ae19f90..39bfcd36b 100644 --- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties +++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties @@ -8,8 +8,8 @@ config.04=OpenSAML (PVP2 Login) can not be initialized config.05=Configuration file not defined error.title=Fehler: -error.login.internal=W\u00E4hrend der Verarbeitung ist ein interner Fehler auftetreten. Bitte Versuchen Sie es nocheinmal oder kontaktieren Sie den Administrator. -error.general.text=W\u00E4hrend der Verarbeitung ist ein interner Fehler auftetreten. Bitte Versuchen Sie es nocheinmal oder kontaktieren Sie den Administrator. +error.login.internal=W\u00E4hrend der Verarbeitung ist ein interner Fehler aufgetreten. Bitte Versuchen Sie es nocheinmal oder kontaktieren Sie den Administrator. +error.general.text=W\u00E4hrend der Verarbeitung ist ein interner Fehler aufgetreten. Bitte Versuchen Sie es nocheinmal oder kontaktieren Sie den Administrator. errors.listOAs.noOA=Es wurden keine Online-Applikationen in der Datenbank gefunden. errors.listIDPs.noIDP=Es wurden kein IdentityProvider f\u00FCr Interfederation in der Datenbank gefunden. errors.edit.oa.oaid=Es wurde keine g\u00FCtige Online-Applikations-ID \u00FCbergeben. -- cgit v1.2.3 From 537e9f394e0eb0ac1c395fcd6d6d8e202a0ad5dc Mon Sep 17 00:00:00 2001 
From: Thomas Lenz Date: Thu, 21 Aug 2014 10:51:19 +0200 Subject: add active user-session cleanup process --- .../moa/id/configuration/Constants.java | 2 ++ .../id/configuration/auth/AuthenticatedUser.java | 23 ++++++++++++++-------- .../configuration/auth/AuthenticationManager.java | 15 ++++++++++++++ .../id/configuration/auth/IActiveUserStorage.java | 4 ++++ .../auth/MemoryActiveUserStorageImpl.java | 19 ++++++++++++++++++ .../auth/pvp2/servlets/SLOBasicServlet.java | 1 - .../configuration/filter/AuthenticationFilter.java | 8 ++++++-- .../id/configuration/helper/FormDataHelper.java | 4 +++- .../configuration/struts/action/IndexAction.java | 20 +++++++++++++++---- .../id/configuration/utils/UserRequestCleaner.java | 7 ++++++- 10 files changed, 86 insertions(+), 17 deletions(-) (limited to 'id') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java index 2f4d700a2..f549db9f3 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java @@ -116,4 +116,6 @@ public class Constants { BUSINESSSERVICENAMES = Collections.unmodifiableMap(tmp); } + + public static final long ONE_MINUTE_IN_MILLIS=60000;//millisecs } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java index 036acf1f6..3bfe409c0 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java 
@@ -42,6 +42,7 @@ public class AuthenticatedUser { private String institute; private String userName; private Date lastLogin; + private Date sessionExpired; private boolean onlyBusinessService = false; private String businessServiceType; @@ -54,7 +55,7 @@ public class AuthenticatedUser { } - public static AuthenticatedUser generateDefaultUser() { + public static AuthenticatedUser generateDefaultUser(Date sessionExpired) { AuthenticatedUser user = new AuthenticatedUser(); user.familyName = "TestUser"; @@ -67,12 +68,13 @@ public class AuthenticatedUser { user.isMandateUser = false; user.isPVP2Login = false; user.lastLogin = new Date(); + user.sessionExpired = sessionExpired; return user; } public static AuthenticatedUser generateUserRequestUser(UserDatabaseFrom form, - String nameID, String nameIDFormat) { + String nameID, String nameIDFormat, Date sessionExpired) { AuthenticatedUser user = new AuthenticatedUser(); user.familyName = form.getFamilyName(); @@ -85,6 +87,7 @@ public class AuthenticatedUser { user.isMandateUser = form.isIsmandateuser(); user.isPVP2Login = form.isPVPGenerated(); user.lastLogin = new Date(); + user.sessionExpired = sessionExpired; user.nameID = nameID; user.nameIDFormat = nameIDFormat; @@ -93,7 +96,7 @@ public class AuthenticatedUser { } public AuthenticatedUser(UserDatabase userdb, boolean isAuthenticated, boolean isMandateUser, - boolean isPVP2Login, String nameID, String nameIDFormat) { + boolean isPVP2Login, String nameID, String nameIDFormat, Date sessionExpired) { this.familyName = userdb.getFamilyname(); this.givenName = userdb.getGivenname(); @@ -105,6 +108,7 @@ public class AuthenticatedUser { this.isMandateUser = isMandateUser; this.isPVP2Login = isPVP2Login; this.lastLogin = new Date(); + this.sessionExpired = sessionExpired; this.nameID = nameID; this.nameIDFormat = nameIDFormat; 
@@ -250,10 +254,13 @@ public class AuthenticatedUser { public String getNameIDFormat() { return nameIDFormat; } - - - - - + + /** + * @return the sessionExpired + */ + public Date getSessionExpired() { + return sessionExpired; + } + } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticationManager.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticationManager.java index 6d3afffc9..58142b398 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticationManager.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticationManager.java @@ -22,6 +22,9 @@ */ package at.gv.egovernment.moa.id.configuration.auth; +import java.util.Date; +import java.util.Iterator; + import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -81,4 +84,16 @@ public class AuthenticationManager { activeUsers.removeUser(authUser.getNameID()); } + + public void removeAllUsersAfterTimeOut() { + Iterator expiredUsers = activeUsers.getUserWithSessionTimeOut(new Date()); + while (expiredUsers.hasNext()) { + AuthenticatedUser user = expiredUsers.next(); + activeUsers.removeUser(user.getNameID()); + log.info("LogOut user with ID" + user.getNameID() + " after SessionTimeOut."); + + } + + } + } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/IActiveUserStorage.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/IActiveUserStorage.java index c52fee140..80730c6e0 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/IActiveUserStorage.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/IActiveUserStorage.java @@ -22,6 +22,9 @@ */ package at.gv.egovernment.moa.id.configuration.auth; +import java.util.Date; +import java.util.Iterator; + /** * @author tlenz * 
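Review bot: `log.info("LogOut user with ID" + user.getNameID() + " after SessionTimeOut.")` in `removeAllUsersAfterTimeOut` concatenates into an SLF4J logger (the file imports `org.slf4j.Logger`) and runs `ID` straight into the value; use the parameterized form `log.info("LogOut user with ID {} after SessionTimeOut.", user.getNameID());`. `Iterator expiredUsers` is a raw type; `Iterator<AuthenticatedUser>` removes the implicit cast on `expiredUsers.next()`. `getSessionExpired()` in the AuthenticatedUser hunk on this line hands out the internal `java.util.Date`, which is mutable, so a caller can shift a user's expiry; returning `new Date(sessionExpired.getTime())` or documenting in the Javadoc that the value must not be modified is worth considering.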
@@ -31,5 +34,6 @@ public interface IActiveUserStorage { public AuthenticatedUser getUser(String nameID); public void setUser(String nameID, AuthenticatedUser authUser); public void removeUser(String nameID); + public Iterator getUserWithSessionTimeOut(Date date); } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/MemoryActiveUserStorageImpl.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/MemoryActiveUserStorageImpl.java index 145da2c35..186a2b931 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/MemoryActiveUserStorageImpl.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/MemoryActiveUserStorageImpl.java @@ -22,7 +22,12 @@ */ package at.gv.egovernment.moa.id.configuration.auth; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Date; import java.util.HashMap; +import java.util.Iterator; +import java.util.List; import java.util.Map; /** @@ -68,4 +73,18 @@ public class MemoryActiveUserStorageImpl implements IActiveUserStorage { } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.configuration.auth.IActiveUserStorage#getUserWithSessionTimeOut(java.util.Date) + */ + @Override + public Iterator getUserWithSessionTimeOut(Date date) { + List expiredUsers = new ArrayList(); + for (AuthenticatedUser user : store.values()) { + if (date.after(user.getSessionExpired())) + expiredUsers.add(user); + + } + return expiredUsers.iterator(); + } + } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java index 38c858918..00d6850d3 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java 
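Review bot: `getUserWithSessionTimeOut` iterates `store.values()` from whatever thread calls it, and this commit wires it into `UserRequestCleaner`'s background loop while request threads add and remove users through `setUser`/`removeUser`; unless `store` (declared outside this hunk; the imports show only `HashMap`/`Map`) is a `ConcurrentHashMap` or a synchronized map with external locking, the iteration can throw `ConcurrentModificationException` or miss entries. Copying matches into `expiredUsers` before anything is removed is the right shape; the remaining gap is the unsynchronized read of `store`. `date.after(user.getSessionExpired())` also throws a NullPointerException for any entry whose expiry was never set, which aborts the whole sweep; a `user.getSessionExpired() != null &&` guard keeps one bad entry from blocking cleanup of the rest. `List`, `ArrayList` and `Iterator` are used raw here and in the `IActiveUserStorage` hunk on this line; `List<AuthenticatedUser>` / `Iterator<AuthenticatedUser>` would name the element type.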
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java @@ -127,7 +127,6 @@ public class SLOBasicServlet extends HttpServlet { HttpSession session = request.getSession(false); if (session != null) session.invalidate(); - return createSLOResponse(sloReq, StatusCode.SUCCESS_URI, request); } else { diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java index 1f631afea..d13696d51 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java @@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.configuration.filter; import java.io.IOException; import java.util.ArrayList; +import java.util.Date; import java.util.StringTokenizer; import java.util.regex.Pattern; @@ -153,8 +154,11 @@ public class AuthenticationFilter implements Filter{ log.warn("Authentication is deaktivated. Dummy authentication-information are used!"); if (authuser == null) { - - authuser = AuthenticatedUser.generateDefaultUser(); + int sessionTimeOut = session.getMaxInactiveInterval(); + Date sessionExpired = new Date(new Date().getTime() + + (sessionTimeOut * Constants.ONE_MINUTE_IN_MILLIS)); + + authuser = AuthenticatedUser.generateDefaultUser(sessionExpired); authManager.setActiveUser(authuser); //authuser = new AuthenticatedUser(1, "Max", "TestUser", true, false); diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java index cd6c699b9..dc97dd2c8 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java 
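Review bot: `session.getMaxInactiveInterval()` returns the inactivity timeout in seconds (Servlet API), but the new code multiplies it by `Constants.ONE_MINUTE_IN_MILLIS`, so with the 45-minute `session-timeout` configured in web.xml later on this page `sessionExpired` lands 45 hours in the future and the active-user entry outlives the servlet session by almost two days. The multiplier should be 1000: `Date sessionExpired = new Date(System.currentTimeMillis() + sessionTimeOut * 1000L);`. The same computation is repeated in both `IndexAction` hunks (`@@ -215,12 +215,17 @@` and `@@ -390,6 +395,10 @@`), so a small helper such as `AuthenticatedUser.expiryFor(HttpSession session)` would fix it in one place. Note also that the expiry is fixed at login while the container's timeout is sliding; unless something refreshes `sessionExpired` on activity (nothing visible does), a user who is still working is dropped from the active-user store after the absolute interval. The enclosing method starts and ends outside this hunk.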
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.configuration.helper; import java.util.ArrayList; +import java.util.Date; import java.util.List; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; @@ -88,7 +89,8 @@ public class FormDataHelper { userlist.add(new AuthenticatedUser(dbuser, dbuser.isIsActive(), ismandate, - false, null, null)); + false, null, null, new Date()) + ); } return userlist; } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java index 4762f1518..f4a3d0c75 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java @@ -215,12 +215,17 @@ public class IndexAction extends BasicAction { if (dbuser.isIsMandateUser() != null) ismandateuser = dbuser.isIsMandateUser(); + int sessionTimeOut = session.getMaxInactiveInterval(); + Date sessionExpired = new Date(new Date().getTime() + + (sessionTimeOut * Constants.ONE_MINUTE_IN_MILLIS)); + AuthenticatedUser authuser = new AuthenticatedUser(dbuser, true, ismandateuser, false, dbuser.getHjid()+"dbID", - "username/password"); + "username/password", + sessionExpired); //store user as authenticated user AuthenticationManager authManager = AuthenticationManager.getInstance(); 
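Review bot: `new AuthenticatedUser(dbuser, ..., false, null, null, new Date())` in FormDataHelper gives every listed user an expiry of "now", so these objects are already expired the moment they are built; that is harmless only as long as list entries never reach the active-user store, which this hunk does not show. A one-line comment such as `// list-view entry, never stored as an active session: the expiry is a placeholder` would make the intent explicit, or the constructor could accept a `null` expiry once the storage guards against it. The closing `)` placed on its own line after `new Date()` is unusual for this file; keep it on the argument line.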
@@ -390,6 +395,10 @@ public class IndexAction extends BasicAction { String bpkwbpk = nameID.getNameQualifier() + "+" + nameID.getValue(); + int sessionTimeOut = session.getMaxInactiveInterval(); + Date sessionExpired = new Date(new Date().getTime() + + (sessionTimeOut * Constants.ONE_MINUTE_IN_MILLIS)); + //search user UserDatabase dbuser = ConfigurationDBRead.getUserWithUserBPKWBPK(bpkwbpk); if (dbuser == null) { @@ -434,7 +443,8 @@ public class IndexAction extends BasicAction { //create AuthUser data element authUser = AuthenticatedUser.generateUserRequestUser(user, nameID.getValue(), - nameID.getFormat()); + nameID.getFormat(), + sessionExpired); //store user as authenticated user AuthenticationManager authManager = AuthenticationManager.getInstance(); @@ -464,7 +474,8 @@ public class IndexAction extends BasicAction { dbuser.isIsMandateUser(), true, nameID.getValue(), - nameID.getFormat()); + nameID.getFormat(), + sessionExpired); //store user as authenticated user AuthenticationManager authManager = AuthenticationManager.getInstance(); @@ -491,7 +502,8 @@ public class IndexAction extends BasicAction { ismandateuser, true, nameID.getValue(), - nameID.getFormat()); + nameID.getFormat(), + sessionExpired); //store user as authenticated user AuthenticationManager authManager = AuthenticationManager.getInstance(); diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/UserRequestCleaner.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/UserRequestCleaner.java index 9ec8db858..a75f8307d 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/UserRequestCleaner.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/UserRequestCleaner.java 
@@ -31,6 +31,7 @@ import org.apache.log4j.Logger; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; +import at.gv.egovernment.moa.id.configuration.auth.AuthenticationManager; import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException; import at.gv.egovernment.moa.id.configuration.helper.DateTimeHelper; @@ -40,13 +41,14 @@ public class UserRequestCleaner implements Runnable { private static final Logger log = Logger.getLogger(UserRequestCleaner.class); - private static final long SESSION_CLEANUP_INTERVAL = 60 * 60; // 60 min + private static final long SESSION_CLEANUP_INTERVAL = 5 * 60; // 5 min public void run() { while (true) { try { ConfigurationProvider config = ConfigurationProvider.getInstance(); + //clean up user request storage List userrequests = ConfigurationDBRead.getAllOpenUsersRequests(); if (userrequests != null) { Calendar cal = Calendar.getInstance(); @@ -63,6 +65,9 @@ public class UserRequestCleaner implements Runnable { } } + + //clean up active user storage + AuthenticationManager.getInstance().removeAllUsersAfterTimeOut(); Thread.sleep(SESSION_CLEANUP_INTERVAL * 1000); -- cgit v1.2.3 From 99d482d088850f5641d98b12de04cd1eefc030c0 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 21 Aug 2014 10:51:38 +0200 Subject: change sessiontimeout to 45 minutes --- id/ConfigWebTool/src/main/webapp/WEB-INF/web.xml | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'id') diff --git a/id/ConfigWebTool/src/main/webapp/WEB-INF/web.xml b/id/ConfigWebTool/src/main/webapp/WEB-INF/web.xml index a6fe50269..d247faa1e 100644 --- a/id/ConfigWebTool/src/main/webapp/WEB-INF/web.xml +++ b/id/ConfigWebTool/src/main/webapp/WEB-INF/web.xml @@ -120,6 +120,10 @@ /* + + 45 + + /index.action -- cgit v1.2.3 
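Review bot: `AuthenticationManager.getInstance().removeAllUsersAfterTimeOut()` in the @@ -63 hunk runs inside the same try block as the open-user-request cleanup and after it, so if the ConfigurationProvider or database call above it throws, the active-user sweep is skipped for that cycle and expired users stay in the in-memory store until the next pass (the try's catch is outside the hunk, so the handling itself is not visible here). Give each clean-up its own try/catch so one failing does not suppress the other, and log the outcome of the sweep. With SESSION_CLEANUP_INTERVAL now 5 minutes, an expired user can also remain authenticated for up to 5 minutes past its expiry; the `// 5 min` comment could state that this is the accepted lag.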
From 5df1984c62b3f214ce9ed368beb9473bce0183e5 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 21 Aug 2014 12:09:00 +0200 Subject: fix some problems with Single LogOut --- .../auth/pvp2/servlets/SLOBasicServlet.java | 17 +++++++++++++---- .../moa/id/moduls/AuthenticationManager.java | 7 ++++--- .../moa/id/protocols/pvp2x/SingleLogOutAction.java | 19 ++++++++++++++----- .../protocols/pvp2x/builder/SingleLogOutBuilder.java | 17 ++++++++++++----- .../moa/id/commons/db/ConfigurationDBRead.java | 2 +- 5 files changed, 44 insertions(+), 18 deletions(-) (limited to 'id') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java index 00d6850d3..dfcde4624 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBasicServlet.java 
@@ -197,11 +197,20 @@ public class SLOBasicServlet extends HttpServlet { } else if (sloResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { - log.info("Single LogOut process complete."); - request.getSession().setAttribute(Constants.SESSION_SLOSUCCESS, - LanguageHelper.getErrorString("webpages.slo.success", request)); - + if (sloResp.getStatus().getStatusCode().getStatusCode() != null && + !sloResp.getStatus().getStatusCode().getStatusCode().equals(StatusCode.PARTIAL_LOGOUT_URI)) { + log.info("Single LogOut process complete."); + request.getSession().setAttribute(Constants.SESSION_SLOSUCCESS, + LanguageHelper.getErrorString("webpages.slo.success", request)); + + } else { + log.warn("Single LogOut process is not completed."); + request.getSession().setAttribute(Constants.SESSION_SLOERROR, + LanguageHelper.getErrorString("webpages.slo.error", request)); + + } + } else { log.warn("Single LogOut response sends an unsupported statustype " + sloResp.getStatus().getStatusCode().getValue()); request.getSession().setAttribute(Constants.SESSION_SLOERROR, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 8f9417096..daa70efce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -49,6 +49,7 @@ import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.NameIDPolicy; import org.opensaml.saml2.core.NameIDType; import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.Subject; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SingleLogoutService; 
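Review bot: The new condition compares the nested `StatusCode` object returned by `getStatusCode().getStatusCode()` with the String `StatusCode.PARTIAL_LOGOUT_URI`, which `equals` can never match, so the success branch is taken whenever any second-level code is present — including PartialLogout, the case this check is meant to catch — and the error branch is taken when there is no second-level code, which for a top-level Success is a complete logout. Compare the value and treat a missing second-level code as success: `StatusCode secondLevel = sloResp.getStatus().getStatusCode().getStatusCode();` followed by `if (secondLevel == null || !StatusCode.PARTIAL_LOGOUT_URI.equals(secondLevel.getValue())) {`. Pulling the chain into a local also removes the four repeated `getStatus().getStatusCode()` calls in this block.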
@@ -252,8 +253,8 @@ public class AuthenticationManager extends AuthServlet { VelocityContext context = new VelocityContext(); context.put("redirectURLs", sloReqList); - context.put("$timeoutURL", timeOutURL); - context.put("$timeout", SLOTIMEOUT); + context.put("timeoutURL", timeOutURL); + context.put("timeout", SLOTIMEOUT); ssomanager.printSingleLogOutInfo(context, httpResp); @@ -284,7 +285,7 @@ public class AuthenticationManager extends AuthServlet { Logger.error("MOA AssertionDatabase ERROR", e); if (pvpReq != null) { SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState); }else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java index 46e02d048..b22941216 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java @@ -135,7 +135,7 @@ public class SingleLogOutAction implements IAction { if (MiscUtil.isEmpty(ssoID)) { Logger.warn("Can not find active Session. Single LogOut not possible!"); SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); return null; 
@@ -147,7 +147,7 @@ public class SingleLogOutAction implements IAction { } catch (MOADatabaseException e) { Logger.warn("Can not find active Session. Single LogOut not possible!"); SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); return null; @@ -162,7 +162,9 @@ public class SingleLogOutAction implements IAction { ((MOAResponse)pvpReq.getRequest()).getResponse() instanceof LogoutResponse) { Logger.debug("Process Single LogOut response"); LogoutResponse logOutResp = (LogoutResponse) ((MOAResponse)pvpReq.getRequest()).getResponse(); - + + Transaction tx = null; + try { String relayState = pvpReq.getRequest().getRelayState(); if (MiscUtil.isEmpty(relayState)) { @@ -179,7 +181,7 @@ public class SingleLogOutAction implements IAction { //TODO: add counter to prevent deadlock while (!storageSuccess) { - Transaction tx = session.beginTransaction(); + tx = session.beginTransaction(); List result; Query query = session.getNamedQuery("getAssertionWithArtifact"); @@ -235,7 +237,7 @@ public class SingleLogOutAction implements IAction { try { session.delete(element); tx.commit(); - + } catch(HibernateException e) { tx.rollback(); Logger.error("SLOContainter could not deleted from database. "); @@ -292,7 +294,14 @@ public class SingleLogOutAction implements IAction { Logger.error("Finale SLO redirct not possible.", e); throw new AuthenticationException("pvp2.13", new Object[]{}); + } finally { + if (tx != null && !tx.wasCommitted()) { + tx.commit(); + + } } + + } else { Logger.error("Process SingleLogOutAction but request is NOT of type LogoutRequest or LogoutResponse."); 
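Review bot: The new finally block in the @@ -292 hunk commits `tx` on every exit path, including the exception path where the catch just above rethrows as AuthenticationException, so a transaction that failed part-way is committed rather than rolled back; and after the `tx.rollback()` added in the @@ -235 hunk, `wasCommitted()` is still false, so finally then calls `commit()` on a rolled-back transaction, which throws and masks the original error. Because `tx` is reassigned on every pass of the `while (!storageSuccess)` loop, only the last transaction is covered anyway. Roll back rather than commit in the cleanup path: `if (tx != null && !tx.wasCommitted() && !tx.wasRolledBack()) { tx.rollback(); }`. The try this finally belongs to opens in the @@ -162 hunk and the loop body runs on outside this hunk.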
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index eeb1dd104..01139d95c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -213,12 +213,13 @@ public class SingleLogOutBuilder { } - + DateTime now = new DateTime(); Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); issuer.setFormat(NameID.ENTITY); sloReq.setIssuer(issuer); - sloReq.setIssueInstant(new DateTime()); + sloReq.setIssueInstant(now); + sloReq.setNotOnOrAfter(now.plusMinutes(5)); sloReq.setDestination(sloInfo.getServiceURL()); 
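Review bot: `now.plusMinutes(5)` in the new `setNotOnOrAfter` call is a bare magic number for the logout-request validity window; the AuthenticationManager hunk of this same commit uses a named `SLOTIMEOUT` for its front-channel timeout, so this one should be a named constant too, e.g. `private static final int SLO_REQUEST_VALIDITY_MINUTES = 5;` with a comment that NotOnOrAfter bounds how long the receiver should accept the request. Deriving both IssueInstant and NotOnOrAfter from the single `now` is the right call, since the two instants now agree. The enclosing method starts and ends outside this hunk.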
@@ -230,14 +231,17 @@ public class SingleLogOutBuilder { return sloReq; } - public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException { + public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest, String firstLevelStatusCode) throws ConfigurationException, MOAIDException { LogoutResponse sloResp = buildBasicResponse(sloService, spRequest); Status status = SAML2Utils.createSAMLObject(Status.class); StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); - statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setValue(firstLevelStatusCode); statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null)); + StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class); + secondLevelCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setStatusCode(secondLevelCode); status.setStatusCode(statusCode); status.setStatusMessage(statusMessage); sloResp.setStatus(status); @@ -255,8 +259,11 @@ public class SingleLogOutBuilder { status = SAML2Utils.createSAMLObject(Status.class); StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); - statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setValue(StatusCode.SUCCESS_URI); statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null)); + StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class); + secondLevelCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setStatusCode(secondLevelCode); status.setStatusCode(statusCode); status.setStatusMessage(statusMessage); 
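Review bot: The @@ -230 hunk and the @@ -255 hunk now build an identical Status/StatusCode/second-level-StatusCode/StatusMessage structure line for line, differing only in the first-level value; that block should be one private helper taking both codes, so the two sites cannot diverge again. Note also that both sites now always attach `PARTIAL_LOGOUT_URI` as the second-level code, so a logout response without a partial-logout marker can no longer be produced here; if that is intended, a comment on the helper should say so, and `firstLevelStatusCode` is accepted without any check that it is a SAML status URI. The sketch below keeps the `"pvp2.18"` message in the helper; match its `throws` clause to whatever `MOAIDMessageProvider.getMessage` declares.
```java
private static Status buildStatus(String firstLevelStatusCode, String secondLevelStatusCode) {
    // Top-level code carries the caller's outcome; second-level code qualifies it.
    Status status = SAML2Utils.createSAMLObject(Status.class);
    StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class);
    statusCode.setValue(firstLevelStatusCode);
    StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class);
    secondLevelCode.setValue(secondLevelStatusCode);
    statusCode.setStatusCode(secondLevelCode);
    StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class);
    statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null));
    status.setStatusCode(statusCode);
    status.setStatusMessage(statusMessage);
    return status;
}

// … in buildSLOErrorResponse, replacing the inline status construction …
sloResp.setStatus(buildStatus(firstLevelStatusCode, StatusCode.PARTIAL_LOGOUT_URI));

// … at the second site, replacing the inline status construction …
status = buildStatus(StatusCode.SUCCESS_URI, StatusCode.PARTIAL_LOGOUT_URI);
```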
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java index e890e2145..848f4ee07 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java @@ -65,7 +65,7 @@ public class ConfigurationDBRead { List result; EntityManager session = ConfigurationDBUtils.getCurrentSession(); - + javax.persistence.Query query = session.createQuery(QUERIES.get("getActiveOnlineApplicationWithID")); //query.setParameter("id", id+"%"); query.setParameter("id", StringEscapeUtils.escapeHtml(id)); -- cgit v1.2.3 From a3fe7879ad2363d1bb37588485b6256bfe848d92 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 22 Aug 2014 12:28:35 +0200 Subject: saml1 target parameter update --- .../moa/id/auth/parser/StartAuthentificationParameterParser.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index ff5e62d96..e3f32d59d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java 
@@ -133,7 +133,9 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ String targetConfig = oaParam.getTarget(); String targetFriendlyNameConfig = oaParam.getTargetFriendlyName(); - if (StringUtils.isEmpty(targetConfig)) { + if (StringUtils.isEmpty(targetConfig) + || (module.equals(SAML1Protocol.PATH) && + !StringUtils.isEmpty(target))) { // no target attribut is given in OA config // target is used from request // check parameter -- cgit v1.2.3 From 7d5c3f516ca56afcbee5b886557a5d682cadadcf Mon Sep 17 00:00:00 2001 From: Bojan Suzic Date: Tue, 26 Aug 2014 16:14:56 +0200 Subject: fixing spcountry issue --- .../main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 33fed945b..d06298efa 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -1845,7 +1845,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { String spSector = StringUtils.isEmpty(moasession.getTarget()) ? "Business" : moasession.getTarget(); String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName(); String spApplication = spInstitution; - String spCountry = "AT"; + String spCountry = "AT"; // intentionally set AT - the flow is limited on that use case only //generate AuthnRquest STORKAuthnRequest authnRequest = new STORKAuthnRequest(); 
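Review bot: The extended condition lets a request-supplied `target` take precedence over the administrator-configured `targetConfig` for SAML1, but the comment right below it still reads `// no target attribut is given in OA config`, which is no longer the only way into this branch; change it to `// no target in OA config, or a SAML1 request overriding the configured target` and confirm that the parameter checks which follow (outside the hunk) are what validates the request value, since a caller can now choose the sector for an application that has one configured. `module.equals(SAML1Protocol.PATH)` also throws if `module` is null; `SAML1Protocol.PATH.equals(module)` is the null-safe form.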
@@ -1855,7 +1855,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { authnRequest.setIssuer(issuerValue); authnRequest.setQaa(oaParam.getQaaLevel()); authnRequest.setSpInstitution(spInstitution); - authnRequest.setCountry(spCountry); + authnRequest.setSpCountry(spCountry); authnRequest.setSpApplication(spApplication); authnRequest.setSpSector(spSector); authnRequest.setPersonalAttributeList(attributeList); -- cgit v1.2.3 From c109c1e86a228bd3b3ed49b97e182b3cd2136d00 Mon Sep 17 00:00:00 2001 From: Bojan Suzic Date: Mon, 1 Sep 2014 14:53:36 +0200 Subject: todo gender question --- .../at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 40c358b7e..0ee003e4f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -223,7 +223,7 @@ public class PEPSConnectorServlet extends AuthServlet { moaSession.setUseMandate("true"); // and check if we have the gender value - PersonalAttribute gender = attributeList.get("gender"); + PersonalAttribute gender = attributeList.get("gender"); // TODO Do we need to check gender value if there is no representation case? if(null == gender) { String gendervalue = (String) request.getParameter("gender"); if(null != gendervalue) { -- cgit v1.2.3