/******************************************************************************* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. 
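 ******************************************************************************/
package at.gv.egovernment.moa.id.auth.servlet;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringEscapeUtils;

import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.moduls.ModulUtils;
import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;

/**
 * Continues an authentication request on the strength of an existing
 * Single Sign-On session.
 *
 * <p>The request carries the protocol module, action and request
 * identifier to resume, plus a "use mandate" flag. If the SSO cookie
 * presented by the browser maps to a valid SSO session, the backing
 * MOASession is flagged as authenticated and the browser is redirected
 * (HTTP 302) to the module's auth URL; otherwise the request ends in
 * {@code handleError}.
 *
 * <p>Security notes (reviewer): every request parameter read here is
 * attacker controlled. The redirect target is assembled from the
 * session's AuthURL plus {@code mod}/{@code action}/{@code identifier};
 * {@code DataURLBuilder}/{@code ModulUtils.buildAuthURL} are out of view
 * in this file, so confirm there that caller-supplied values cannot
 * escape the AuthURL base (open redirect) or inject CR/LF into the
 * Location header. Whether this POST is protected against cross-site
 * requests (login CSRF) is not visible here either and should be
 * checked in {@code AuthServlet}/{@code SSOManager}.
 */
public class SSOSendAssertionServlet extends AuthServlet {

    private static final long serialVersionUID = 1L;

    /** Request parameter carrying the "use mandate" flag. */
    private static final String PARAM = "value";
    /** Request parameter naming the protocol module to continue with. */
    private static final String MODULE = "mod";
    /** Request parameter naming the action within that module. */
    private static final String ACTION = "action";
    /** Request parameter carrying the pending request identifier. */
    private static final String ID = "identifier";

    /**
     * Handles the SSO continuation POST.
     *
     * @param req  incoming request; {@code identifier}, {@code value},
     *             {@code mod} and {@code action} are read from it, as is
     *             the SSO cookie via {@link SSOManager#getSSOSessionID}
     * @param resp response; either receives a 302 redirect or is passed
     *             to {@code handleError}
     * @throws ServletException propagated from the servlet framework
     * @throws IOException      propagated from the servlet framework
     */
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String id = null;
        Logger.info("Receive " + SSOSendAssertionServlet.class + " Request");

        try {
            // getParameter() already returns String (or null), so no
            // instanceof check is required.
            id = req.getParameter(ID);

            // The flag is HTML-escaped before validation; for the accepted
            // values ("true"/"false") escaping is a no-op.
            String value = StringEscapeUtils.escapeHtml(req.getParameter(PARAM));
            if (!ParamValidatorUtils.isValidUseMandate(value)) {
                throw new WrongParametersException("SSOSendAssertionServlet", PARAM, null);
            }

            String module = req.getParameter(MODULE);
            String action = req.getParameter(ACTION);
            if (MiscUtil.isEmpty(module) || MiscUtil.isEmpty(action) || MiscUtil.isEmpty(id)) {
                Logger.warn("No Moduel or Action parameter received!");
                throw new WrongParametersException("Module or Action is empty", "", "auth.10");
            }

            SSOManager ssomanager = SSOManager.getInstance();

            // SSO session identifier taken from the request's cookie.
            String ssoId = ssomanager.getSSOSessionID(req);

            // A stale SSO identifier still bound to a MOASession is treated
            // as suspicious: tear down that MOASession and drop the cookie.
            if (ssoId != null) {
                String correspondingMOASession = ssomanager.existsOldSSOSession(ssoId);
                if (correspondingMOASession != null) {
                    // The SSO cookie value is a bearer credential; keep it out
                    // of the log (CWE-532). The MOASession being destroyed is
                    // named so operators can correlate the event.
                    Logger.warn("Request sends an old SSO Session ID! "
                            + "Invalidate the corresponding MOASession with ID=" + correspondingMOASession);
                    AuthenticationSessionStoreage.destroySession(correspondingMOASession);
                    ssomanager.deleteSSOSessionID(req, resp);
                }
            }

            // isValidSSOSession is deliberately also consulted for a null
            // ssoId so that the "no cookie" case follows the same error path.
            if (!ssomanager.isValidSSOSession(ssoId, req)) {
                handleError("SSO Session is not valid", null, req, resp, id);
                return;
            }

            // A missing or empty flag counts as "false"; only a
            // case-insensitive "true" continues the flow.
            boolean useMandate = value != null && "true".equalsIgnoreCase(value);
            if (!useMandate) {
                // NOTE(review): a "false" mandate flag ends in auth.21 rather
                // than continuing without a mandate -- confirm this is the
                // intended contract for this endpoint.
                throw new AuthenticationException("auth.21", new Object[] {});
            }

            String moaSessionID = AuthenticationSessionStoreage.getMOASessionID(ssoId);
            AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(moaSessionID);
            if (moasession == null) {
                // Fail closed: do not flag the session as authenticated when
                // the backing MOASession cannot be loaded (previously this
                // would have set the flag and then NPE'd on getAuthURL()).
                handleError("SSO Session is not found", null, req, resp, id);
                return;
            }

            AuthenticationSessionStoreage.setAuthenticated(moaSessionID, true);

            // Redirect target = session AuthURL + module/action/id; see the
            // class comment regarding open-redirect / header-injection review.
            String redirectURL = new DataURLBuilder().buildDataURL(
                    moasession.getAuthURL(), ModulUtils.buildAuthURL(module, action, id), "");
            resp.setContentType("text/html");
            resp.setStatus(302);
            resp.addHeader("Location", redirectURL);
            Logger.debug("REDIRECT TO: " + redirectURL);

        } catch (MOADatabaseException e) {
            handleError("SSO Session is not found", e, req, resp, id);
        } catch (WrongParametersException e) {
            handleError("Parameter is not valid", e, req, resp, id);
        } catch (AuthenticationException e) {
            handleError(e.getMessage(), e, req, resp, id);
        }
    }
}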