/******************************************************************************* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. *******************************************************************************/ package at.gv.egovernment.moa.id.demoOA.servlet.pvp2; import java.io.IOException; import java.security.KeyStore; import java.util.ArrayList; import java.util.List; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import org.apache.log4j.Logger; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.decoding.HTTPPostDecoder; import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder; import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule; import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.EncryptedAssertion; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.encryption.Decrypter; import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.security.MetadataCredentialResolver; import org.opensaml.security.MetadataCredentialResolverFactory; import org.opensaml.security.MetadataCriteria; import org.opensaml.security.SAMLSignatureProfileValidator; import org.opensaml.ws.security.SecurityPolicyResolver; import org.opensaml.ws.security.provider.BasicSecurityPolicy; import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver; import org.opensaml.ws.transport.http.HttpServletRequestAdapter; import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.CriteriaSet; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.criteria.EntityIDCriteria; import org.opensaml.xml.security.criteria.UsageCriteria; import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver; import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; import org.opensaml.xml.security.keyinfo.KeyInfoProvider; import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider; import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider; import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider; import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.Signature; import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine; import at.gv.egiz.eaaf.core.impl.utils.DOMUtils; import at.gv.egovernment.moa.id.demoOA.Configuration; import at.gv.egovernment.moa.id.demoOA.Constants; import at.gv.egovernment.moa.id.demoOA.PVPConstants; import at.gv.egovernment.moa.id.demoOA.utils.ApplicationBean; import at.gv.egovernment.moa.id.demoOA.utils.SAML2Utils; public class DemoApplication extends HttpServlet { Logger log = Logger.getLogger(DemoApplication.class); private static final long serialVersionUID = -2129228304760706063L; private void process(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { ApplicationBean bean = new ApplicationBean(); log.debug("Receive request on secure-area endpoint ..."); String method = request.getMethod(); HttpSession session = request.getSession(); if (session == null) { log.info("NO HTTP Session"); bean.setErrorMessage("NO HTTP session"); setAnser(request, response, bean); return; } try { Configuration config = Configuration.getInstance(); Response samlResponse = null; if (method.equals("GET")) { log.debug("Find possible SAML2 Redirect-Binding response ..."); HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder(new BasicParserPool()); BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request)); messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); messageContext.setMetadataProvider(config.getMetaDataProvier()); MetadataCredentialResolver resolver = new MetadataCredentialResolver(config.getMetaDataProvier()); List keyInfoProvider = new ArrayList(); keyInfoProvider.add(new DSAKeyValueProvider()); keyInfoProvider.add(new RSAKeyValueProvider()); keyInfoProvider.add(new InlineX509DataProvider()); KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver( keyInfoProvider); ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine( resolver, keyInfoResolver); SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule(engine); SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule(); BasicSecurityPolicy policy = new BasicSecurityPolicy(); policy.getPolicyRules().add(signatureRule); policy.getPolicyRules().add(signedRole); SecurityPolicyResolver resolver1 = new StaticSecurityPolicyResolver(policy); messageContext.setSecurityPolicyResolver(resolver1); decode.decode(messageContext); log.info("PVP2 Assertion with Redirect-Binding is valid"); } else if (method.equals("POST")) { log.debug("Find possible SAML2 Post-Binding response ..."); //Decode with HttpPost Binding HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter( request)); decode.decode(messageContext); samlResponse = (Response) messageContext.getInboundMessage(); Signature sign = samlResponse.getSignature(); if (sign == null) { log.info("Only http POST Requests can be used"); bean.setErrorMessage("Only http POST Requests can be used"); setAnser(request, response, bean); return; } //Validate Signature SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); profileValidator.validate(sign); //Verify Signature List keyInfoProvider = new ArrayList(); keyInfoProvider.add(new DSAKeyValueProvider()); keyInfoProvider.add(new RSAKeyValueProvider()); keyInfoProvider.add(new InlineX509DataProvider()); KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver( keyInfoProvider); MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory(); MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(config.getMetaDataProvier()); CriteriaSet criteriaSet = new CriteriaSet(); criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS)); criteriaSet.add(new EntityIDCriteria(config.getPVP2IDPMetadataEntityName())); criteriaSet.add(new UsageCriteria(UsageType.SIGNING)); ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver); trustEngine.validate(sign, criteriaSet); log.info("PVP2 Assertion with POST-Binding is valid"); } else { bean.setErrorMessage("Die Demoapplikation unterstützt nur SAML2 POST-Binding."); setAnser(request, response, bean); return; } if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { List saml2assertions = new ArrayList(); //check encrypted Assertion List encryAssertionList = samlResponse.getEncryptedAssertions(); if (encryAssertionList != null && encryAssertionList.size() > 0) { //decrypt assertions log.debug("Found encryped assertion. Start decryption ..."); KeyStore keyStore = config.getPVP2KeyStore(); X509Credential authDecCredential = new KeyStoreX509CredentialAdapter( keyStore, config.getPVP2KeystoreAuthRequestEncryptionKeyAlias(), config.getPVP2KeystoreAuthRequestEncryptionKeyPassword().toCharArray()); StaticKeyInfoCredentialResolver skicr = new StaticKeyInfoCredentialResolver(authDecCredential); ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); Decrypter samlDecrypter = new Decrypter(null, skicr, encryptedKeyResolver); for (EncryptedAssertion encAssertion : encryAssertionList) { saml2assertions.add(samlDecrypter.decrypt(encAssertion)); } log.debug("Assertion decryption finished. "); } else { saml2assertions = samlResponse.getAssertions(); } samlResponse.getAssertions().clear(); samlResponse.getAssertions().addAll(saml2assertions); //set assertion org.w3c.dom.Document doc = SAML2Utils.asDOMDocument(samlResponse); String assertion = DOMUtils.serializeNode(doc); bean.setAssertion(assertion); String principleId = null; String givenName = null; String familyName = null; String birthday = null; for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { try { principleId = saml2assertion.getSubject().getNameID().getValue(); } catch (Exception e) { log.warn("Can not read SubjectNameId", e); } //loop through the nodes to get what we want List attributeStatements = saml2assertion.getAttributeStatements(); for (int i = 0; i < attributeStatements.size(); i++) { List attributes = attributeStatements.get(i).getAttributes(); for (int x = 0; x < attributes.size(); x++) { String strAttributeName = attributes.get(x).getDOM().getAttribute("Name"); if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME)) familyName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue(); if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME)) givenName = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue(); if (strAttributeName.equals(PVPConstants.BIRTHDATE_NAME)) { birthday = attributes.get(x).getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue(); } } } request.getSession().setAttribute(Constants.SESSION_NAMEIDFORMAT, saml2assertion.getSubject().getNameID().getFormat()); request.getSession().setAttribute(Constants.SESSION_NAMEID, saml2assertion.getSubject().getNameID().getValue()); } bean.setPrincipleId(principleId); bean.setDateOfBirth(birthday); bean.setFamilyName(familyName); bean.setGivenName(givenName); bean.setLogin(true); setAnser(request, response, bean); return; } else { bean.setErrorMessage("Der Anmeldevorgang wurde abgebrochen.
Eine genaue Beschreibung des Fehlers finden Sie in der darunterliegenden Assertion."); setAnser(request, response, bean); return; } } catch (Exception e) { log.warn(e); bean.setErrorMessage("Internal Error: " + e.getMessage()); setAnser(request, response, bean); return; } } private void setAnser(HttpServletRequest request, HttpServletResponse response, ApplicationBean answersBean) throws ServletException, IOException { // store bean in session request.setAttribute("answers", answersBean); // you now can forward to some view, for example some results.jsp request.getRequestDispatcher("demoapp.jsp").forward(request, response); } /** * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse * response) */ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { process(request, response); } /** * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse * response) */ protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { process(request, response); } }