/******************************************************************************* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. ******************************************************************************/ package at.gv.egovernment.moa.id.auth.parser; import java.util.List; import javax.servlet.http.HttpServletRequest; import org.apache.commons.lang.StringEscapeUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; @Service("StartAuthentificationParameterParser") public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ @Autowired AuthConfiguration authConfig; public void parse(AuthenticationSession moasession, String target, String oaURL, String bkuURL, String templateURL, String useMandate, String ccc, HttpServletRequest req, IRequest protocolReq) throws WrongParametersException, MOAIDException { String targetFriendlyName = null; // escape parameter strings target = StringEscapeUtils.escapeHtml(target); bkuURL = StringEscapeUtils.escapeHtml(bkuURL); templateURL = StringEscapeUtils.escapeHtml(templateURL); useMandate = StringEscapeUtils.escapeHtml(useMandate); ccc = StringEscapeUtils.escapeHtml(ccc); //validate parameters if (!ParamValidatorUtils.isValidUseMandate(useMandate)) throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12"); if (!ParamValidatorUtils.isValidCCC(ccc)) throw new WrongParametersException("StartAuthentication", PARAM_CCC, "auth.12"); //check UseMandate flag String useMandateString = null; boolean useMandateBoolean = false; if ((useMandate != null) && (useMandate.compareTo("") != 0)) { useMandateString = useMandate; } else { useMandateString = "false"; } if (useMandateString.compareToIgnoreCase("true") == 0) useMandateBoolean = true; else useMandateBoolean = false; moasession.setUseMandate(useMandateString); //load OnlineApplication configuration IOAAuthParameters oaParam = protocolReq.getOnlineApplicationConfiguration(); if (oaParam == null) throw new AuthenticationException("auth.00", new Object[] { protocolReq.getOAURL() }); // get target and target friendly name from config String targetConfig = oaParam.getTarget(); String targetFriendlyNameConfig = oaParam.getTargetFriendlyName(); if (!oaParam.getBusinessService()) { if (StringUtils.isEmpty(targetConfig) || (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") && !StringUtils.isEmpty(target)) ) { //INFO: ONLY SAML1 legacy mode // if SAML1 is used and target attribute is given in request // use requested target // check target parameter if (!ParamValidatorUtils.isValidTarget(target)) { Logger.error("Selected target is invalid. Using target: " + target); throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); } if (MiscUtil.isNotEmpty(targetConfig)) targetFriendlyName = targetFriendlyNameConfig; else { String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); if (MiscUtil.isNotEmpty(sectorName)) targetFriendlyName = sectorName; else { //check target contains subSector int delimiter = target.indexOf("-"); if (delimiter > 0) { targetFriendlyName = TargetToSectorNameMapper.getSectorNameViaTarget(target.substring(0, delimiter)); } } } } else { // use target from config target = targetConfig; targetFriendlyName = targetFriendlyNameConfig; } if (isEmpty(target)) throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.05"); protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, target); protocolReq.setGenericDataToSession( MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, targetFriendlyName); Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + target); } else { Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + oaParam.getIdentityLinkDomainIdentifier()); if (useMandateBoolean) { Logger.error("Online-Mandate Mode for business application not supported."); throw new AuthenticationException("auth.17", null); } } //Validate BKU URI List allowedbkus = oaParam.getBKUURL(); allowedbkus.addAll(authConfig.getDefaultBKUURLs()); if (!ParamValidatorUtils.isValidBKUURI(bkuURL, allowedbkus)) throw new WrongParametersException("StartAuthentication", PARAM_BKU, "auth.12"); moasession.setBkuURL(bkuURL); //validate securityLayer-template if (MiscUtil.isEmpty(templateURL)) { List templateURLList = oaParam.getTemplateURL(); List defaulTemplateURLList = authConfig.getSLRequestTemplates(); if ( templateURLList != null && templateURLList.size() > 0 && MiscUtil.isNotEmpty(templateURLList.get(0)) ) { templateURL = FileUtils.makeAbsoluteURL( oaParam.getTemplateURL().get(0), authConfig.getRootConfigFileDir()); Logger.info("No SL-Template in request, load SL-Template from OA configuration (URL: " + templateURL + ")"); } else if ( (defaulTemplateURLList.size() > 0) && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) { templateURL = FileUtils.makeAbsoluteURL( defaulTemplateURLList.get(0), authConfig.getRootConfigFileDir()); Logger.info("No SL-Template in request, load SL-Template from general configuration (URL: " + templateURL + ")"); } else { Logger.error("NO SL-Tempalte found in OA config"); throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); } } if (!ParamValidatorUtils.isValidTemplate(req, templateURL, oaParam.getTemplateURL())) throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); protocolReq.setGenericDataToSession( MOAIDAuthConstants.AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE, templateURL); //validate SSO functionality String domainIdentifier = authConfig.getSSOTagetIdentifier(); if (MiscUtil.isEmpty(domainIdentifier) && protocolReq.needSingleSignOnFunctionality()) { //do not use SSO if no Target is set Logger.warn("NO SSO-Target found in configuration. Single Sign-On is deaktivated!"); protocolReq.setNeedSingleSignOnFunctionality(false); } if (protocolReq.needSingleSignOnFunctionality() && useMandateBoolean) { Logger.info("Usage of Mandate-Service does not allow Single Sign-On. --> SSO is disabled for this request."); protocolReq.setNeedSingleSignOnFunctionality(false); } } public void parse(ExecutionContext ec, HttpServletRequest req, AuthenticationSession moasession, IRequest request) throws WrongParametersException, MOAIDException { //get Parameters from request String oaURL = (String) ec.get(PARAM_OA); String bkuURL = (String) ec.get(PARAM_BKU); String templateURL = (String) ec.get(PARAM_TEMPLATE); String useMandate = (String) ec.get(PARAM_USEMANDATE); String ccc = (String) ec.get(PARAM_CCC); if (request.getOnlineApplicationConfiguration() != null && request.getOnlineApplicationConfiguration().isOnlyMandateAllowed()) { Logger.debug("Service " + request.getOnlineApplicationConfiguration().getPublicURLPrefix() + " only allows authentication with mandates. --> Set useMandate to TRUE."); useMandate = String.valueOf(request.getOnlineApplicationConfiguration().isOnlyMandateAllowed()); } oaURL = request.getOAURL(); //only needed for SAML1 String target = request.getGenericData("saml1_target", String.class); parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, req, request); } /** * Checks a parameter. * * @param param * parameter * @return true if the parameter is null or empty */ private boolean isEmpty(String param) { return param == null || param.length() == 0; } }