/******************************************************************************* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. ******************************************************************************/ /* * Copyright 2003 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. */ package at.gv.egovernment.moa.id.auth.servlet; import iaik.x509.X509Certificate; import java.io.IOException; import java.util.Map; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.fileupload.FileUploadException; import org.apache.commons.lang.StringEscapeUtils; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.id.util.ServletUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.spss.util.CertificateUtils; /** * Servlet requested for getting the foreign eID * provided by the security layer implementation. * Utilizes the {@link AuthenticationServer}. * */ public class VerifyCertificateServlet extends AuthServlet { /** * */ private static final long serialVersionUID = -4110159749768152538L; /** * Constructor for VerifyCertificateServlet. */ public VerifyCertificateServlet() { super(); } /** * GET requested by security layer implementation to verify * that data URL resource is available. * @see javax.servlet.http.HttpServlet#doGet(HttpServletRequest, HttpServletResponse) */ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { Logger.debug("GET VerifyCertificateServlet"); resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); } /** * Gets the signer certificate from the InfoboxReadRequest and * responds with a new * CreateXMLSignatureRequest. *
* Request parameters: * * @see javax.servlet.http.HttpServlet#doPost(HttpServletRequest, HttpServletResponse) */ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { Logger.debug("POST VerifyCertificateServlet"); resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); String pendingRequestID = null; Map parameters; try { parameters = getParameters(req); } catch (FileUploadException e) { Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage()); throw new IOException(e.getMessage()); } String sessionID = req.getParameter(PARAM_SESSIONID); // escape parameter strings sessionID = StringEscapeUtils.escapeHtml(sessionID); pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID); AuthenticationSession session = null; try { // check parameter if (!ParamValidatorUtils.isValidSessionID(sessionID)) throw new WrongParametersException("VerifyCertificate", PARAM_SESSIONID, "auth.12"); session = AuthenticationServer.getSession(sessionID); //change MOASessionID sessionID = AuthenticationSessionStoreage.changeSessionID(session); X509Certificate cert = AuthenticationServer.getInstance().getCertificate(sessionID, parameters); if (cert == null) { Logger.error("Certificate could not be read."); throw new AuthenticationException("auth.14", null); } boolean useMandate = session.getUseMandate(); if (useMandate) { // verify certificate for OrganWalter String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyCertificate(session, cert); try { AuthenticationSessionStoreage.storeSession(session); } catch (MOADatabaseException e) { throw new MOAIDException("session store error", null); } ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyCertificate"); } else { String countrycode = CertificateUtils.getIssuerCountry(cert); if (countrycode != null) { if (countrycode.compareToIgnoreCase("AT") == 0) { Logger.error("Certificate issuer country code is \"AT\". Login not support in foreign identities mode."); throw new AuthenticationException("auth.22", null); } } // Foreign Identities Modus String createXMLSignatureRequest = AuthenticationServer.getInstance().createXMLSignatureRequestForeignID(session, cert); // build dataurl (to the GetForeignIDSerlvet) String dataurl = new DataURLBuilder().buildDataURL( session.getAuthURL(), REQ_GET_FOREIGN_ID, session.getSessionID()); try { AuthenticationSessionStoreage.storeSession(session); } catch (MOADatabaseException e) { throw new MOAIDException("session store error", null); } ServletUtils.writeCreateXMLSignatureRequest(resp, session, createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "GetForeignID", dataurl); Logger.debug("Send CreateXMLSignatureRequest to BKU"); } } catch (MOAIDException ex) { handleError(null, ex, req, resp, pendingRequestID); } finally { ConfigurationDBUtils.closeSession(); } } }