/******************************************************************************* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. *******************************************************************************/ package at.gv.egovernment.moa.id.moduls; import java.io.IOException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; import java.util.Enumeration; import java.util.Iterator; import java.util.List; import java.util.Map.Entry; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringEscapeUtils; import org.opensaml.saml2.core.LogoutRequest; import org.opensaml.saml2.core.LogoutResponse; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.metadata.SingleLogoutService; import org.opensaml.ws.soap.common.SOAPException; import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException; import at.gv.egovernment.moa.id.auth.modules.SingleSignOnConsentsModuleImpl; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.registration.ModuleRegistration; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; import at.gv.egovernment.moa.id.data.SLOInformationContainer; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.process.ExecutionContextImpl; import at.gv.egovernment.moa.id.process.ProcessEngine; import at.gv.egovernment.moa.id.process.ProcessExecutionException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.id.storage.ITransactionStorage; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.legacy.LegacyHelper; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @Service("MOAID_AuthenticationManager") public class AuthenticationManager extends MOAIDAuthConstants { private static List reqParameterWhiteListeForModules = new ArrayList(); public static final String MOA_SESSION = "MoaAuthenticationSession"; public static final String MOA_AUTHENTICATED = "MoaAuthenticated"; public static final int SLOTIMEOUT = 30 * 1000; //30 sec @Autowired private ProcessEngine processEngine; @Autowired private SSOManager ssoManager; @Autowired private IRequestStorage requestStoreage; @Autowired private ITransactionStorage transactionStorage; @Autowired private IAuthenticationSessionStoreage authenticatedSessionStore; @Autowired private MOAReversionLogger revisionsLogger; @Autowired protected AuthConfiguration authConfig; @Autowired private SingleLogOutBuilder sloBuilder; @Autowired private SAMLVerificationEngineSP samlVerificationEngine; @Autowired private IGUIFormBuilder guiBuilder; @Autowired(required=true) private MOAMetadataProvider metadataProvider; public void performSingleLogOut(HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException { performSingleLogOut(httpReq, httpResp, session, pvpReq, null); } public void performSingleLogOut(HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthenticationSession session, String authURL) throws MOAIDException { performSingleLogOut(httpReq, httpResp, session, null, authURL); } /** * @param req * @param resp * @param moasessionid */ public void performOnlyIDPLogOut(AuthenticationSession authSession) { if (authSession == null) { Logger.info("No internal MOA SSO-Session found. Nothing to destroy"); return; } try { authSession.setAuthenticated(false); //HTTPSessionUtils.setHTTPSessionString(session, MOA_SESSION, null); // remove moa session from HTTP Session //log Session_Destroy to reversionslog AuthenticationSessionExtensions sessionExtensions = authenticatedSessionStore.getAuthenticationSessionExtensions(authSession.getSessionID()); revisionsLogger.logEvent(MOAIDEventConstants.SESSION_DESTROYED, sessionExtensions.getUniqueSessionId()); authenticatedSessionStore.destroyInternalSSOSession(authSession.getSessionID()); //session.invalidate(); } catch (MOADatabaseException e) { Logger.info("NO MOA Authentication data for ID " + authSession.getSessionID()); return; } } public void performOnlyIDPLogOut(HttpServletRequest request, HttpServletResponse response, String internalMOASsoSessionID) { Logger.info("Remove active user-session"); if(internalMOASsoSessionID == null) { internalMOASsoSessionID = StringEscapeUtils.escapeHtml((String) request.getParameter(PARAM_SESSIONID)); } if(internalMOASsoSessionID == null) { Logger.info("NO MOA Session to logout"); return; } AuthenticationSession authSession; try { authSession = authenticatedSessionStore.getInternalSSOSession(internalMOASsoSessionID); if(authSession == null) { Logger.info("NO MOA Authentication data for ID " + internalMOASsoSessionID); return; } performOnlyIDPLogOut(authSession); } catch (MOADatabaseException e) { Logger.info("NO MOA Authentication data for ID " + internalMOASsoSessionID); return; } } /** * Authenticates the authentication request {pendingReq}, which is actually processed * * @param httpReq HttpServletRequest * @param httpResp HttpServletResponse * @param protocolRequest Authentication request which is actually in process * * @return Return already authenticated MOASession if exists, otherwise return null * @throws MOADatabaseException * @throws MOAIDException * @throws IOException * @throws ServletException * */ public AuthenticationSession doAuthentication(HttpServletRequest httpReq, HttpServletResponse httpResp, RequestImpl pendingReq) throws MOADatabaseException, ServletException, IOException, MOAIDException { //load OA configuration from pending request IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); //set logging context and log unique OA identifier to revision log TransactionIDUtils.setServiceProviderId(pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix()); revisionsLogger.logEvent(oaParam, pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL()); //generic authentication request validation if (pendingReq.isPassiv() && pendingReq.forceAuth()) { // conflict! throw new NoPassivAuthenticationException(); } //get SSO cookie from http request String ssoId = ssoManager.getSSOSessionID(httpReq); //check if interfederation IDP is requested ssoManager.checkInterfederationIsRequested(httpReq, httpResp, pendingReq); //check if SSO session cookie is already used if (ssoId != null) { String correspondingMOASession = ssoManager.existsOldSSOSession(ssoId); if (correspondingMOASession != null) { Logger.warn("Request sends an old SSO Session ID("+ssoId+")! " + "Invalidate the corresponding MOASession with ID="+ correspondingMOASession); revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, MOAIDEventConstants.AUTHPROCESS_SSO_INVALID); //destroy internal SSO-session object and SSO-session cooky authenticatedSessionStore.destroyInternalSSOSession(correspondingMOASession); ssoManager.deleteSSOSessionID(httpReq, httpResp); } } //check if SSO Session is valid boolean isValidSSOSession = ssoManager.isValidSSOSession(ssoId, pendingReq); // check if Service-Provider allows SSO sessions boolean useSSOOA = oaParam.useSSO() || oaParam.isInderfederationIDP(); //if a legacy request is used SSO should not be allowed in case of mandate authentication boolean isUseMandateRequested = LegacyHelper.isUseMandateRequested(httpReq); //check if SSO is allowed for the actually executed request //INFO: Actually, useMandate disables SSO functionality!!!!! boolean isSSOAllowed = (useSSOOA && !isUseMandateRequested); pendingReq.setNeedSingleSignOnFunctionality(isSSOAllowed); //get MOASession from SSO-Cookie if SSO is allowed AuthenticationSession ssoMOASession = null; if (isValidSSOSession && isSSOAllowed) { ssoMOASession = ssoManager.getInternalMOASession(ssoId); if (ssoMOASession == null) Logger.info("No MOASession FOUND with provided SSO-Cookie."); else { Logger.debug("Found authenticated MOASession with provided SSO-Cookie."); revisionsLogger.logEvent(oaParam, pendingReq, MOAIDEventConstants.AUTHPROCESS_SSO); } } //check if session is already authenticated boolean isSessionAuthenticated = tryPerformAuthentication((RequestImpl) pendingReq, ssoMOASession); //force new authentication authentication process if (pendingReq.forceAuth()) { startAuthenticationProcess(httpReq, httpResp, pendingReq); return null; //perform SSO-Consents evaluation if it it required } else if (isSessionAuthenticated && oaParam.useSSOQuestion()) { sendSingleSignOnConsentsEvaluation(httpReq, httpResp, pendingReq); return null; } else if (pendingReq.isPassiv()) { if (isSessionAuthenticated) { // Passive authentication ok! revisionsLogger.logEvent(oaParam, pendingReq, MOAIDEventConstants.AUTHPROCESS_FINISHED); return ssoMOASession; } else { throw new NoPassivAuthenticationException(); } } else { if (isSessionAuthenticated) { // Is authenticated .. proceed revisionsLogger.logEvent(oaParam, pendingReq, MOAIDEventConstants.AUTHPROCESS_FINISHED); return ssoMOASession; } else { // Start authentication! startAuthenticationProcess(httpReq, httpResp, pendingReq); return null; } } } /** * Add a request parameter to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext} * * @param httpReqParam http parameter name, but never null */ public void addParameterNameToWhiteList(String httpReqParam) { if (MiscUtil.isNotEmpty(httpReqParam)) reqParameterWhiteListeForModules.add(httpReqParam); } /** * Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated * * @param protocolRequest Authentication request which is actually in process * @param moaSession MOASession with authentication information or null if no active MOASession exists * * @return true if session is already authenticated, otherwise false * @throws MOAIDException */ private boolean tryPerformAuthentication(RequestImpl protocolRequest, AuthenticationSession ssoMOASession) { //if no MOASession exist -> authentication is required if (ssoMOASession == null) { return false; } else { //if MOA SSO-Session is found but not authenticated --> authentication is required if (!ssoMOASession.isAuthenticated()) { return false; } //if MOASession is already authenticated and protocol-request is authenticated // --> no authentication is required any more else if (ssoMOASession.isAuthenticated() && protocolRequest.isAuthenticated()) { protocolRequest.setInternalSSOSessionIdentifier(ssoMOASession.getSessionID()); return true; // if MOASession is authenticated and SSO is allowed --> authenticate pendingRequest } else if (!protocolRequest.isAuthenticated() && ssoMOASession.isAuthenticated() && protocolRequest.needSingleSignOnFunctionality()) { Logger.debug("Found active MOASession and SSO is allowed --> pendingRequest is authenticted"); protocolRequest.setAuthenticated(true); protocolRequest.setInternalSSOSessionIdentifier(ssoMOASession.getSessionID()); return true; } // force authentication as backup solution else { Logger.warn("Authentication-required check find an unsuspected state --> force authentication"); return false; } } } private void startAuthenticationProcess(HttpServletRequest httpReq, HttpServletResponse httpResp, RequestImpl pendingReq) throws ServletException, IOException, MOAIDException { Logger.info("Starting authentication ..."); revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, MOAIDEventConstants.AUTHPROCESS_START); //is legacy allowed List legacyallowed_prot = authConfig.getLegacyAllowedProtocols(); boolean legacyallowed = legacyallowed_prot.contains(pendingReq.requestedModule()); //check legacy request parameter boolean legacyparamavail = ParamValidatorUtils.areAllLegacyParametersAvailable(httpReq); //create authentication process execution context ExecutionContext executionContext = new ExecutionContextImpl(); //set oaIdentifeir executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_UNIQUE_OA_IDENTFIER, pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix()); //set interfederation authentication flag executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH, MiscUtil.isNotEmpty( pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class))); //set legacy mode or BKU-selection flags boolean leagacyMode = (legacyallowed && legacyparamavail); executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_ISLEGACYREQUEST, leagacyMode); executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, !leagacyMode && MiscUtil.isEmpty(pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class))); //add X509 SSL client certificate if exist if (httpReq.getAttribute("javax.servlet.request.X509Certificate") != null) { Logger.debug("Find SSL-client-certificate on request --> Add it to context"); executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE, ((X509Certificate[])httpReq.getAttribute("javax.servlet.request.X509Certificate"))); } //add additional http request parameter to context if (!reqParameterWhiteListeForModules.isEmpty() || leagacyMode) { Enumeration reqParamNames = httpReq.getParameterNames(); while(reqParamNames.hasMoreElements()) { String paramName = reqParamNames.nextElement(); if (MiscUtil.isNotEmpty(paramName) && ( MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName) || reqParameterWhiteListeForModules.contains(paramName) )) executionContext.put(paramName, StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName))); } } //start process engine startProcessEngine(pendingReq, executionContext); } private void sendSingleSignOnConsentsEvaluation(HttpServletRequest request, HttpServletResponse response, RequestImpl pendingReq) throws ServletException, IOException, MOAIDException { Logger.info("Start SSO user-consents evaluation ..."); //set authenticated flag to false, because user consents is required pendingReq.setAuthenticated(false); //create execution context ExecutionContext executionContext = new ExecutionContextImpl(); executionContext.put(SingleSignOnConsentsModuleImpl.PARAM_SSO_CONSENTS_EVALUATION, true); //start process engine startProcessEngine(pendingReq, executionContext); } private void startProcessEngine(RequestImpl pendingReq, ExecutionContext executionContext) throws MOAIDException { try { //put pending-request ID on execurtionContext executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, pendingReq.getRequestID()); // create process instance String processDefinitionId = ModuleRegistration.getInstance().selectProcess(executionContext); if (processDefinitionId == null) { Logger.warn("No suitable process found for SessionID " + pendingReq.getRequestID() ); throw new MOAIDException("process.02",new Object[] { pendingReq.getRequestID()}); } String processInstanceId = processEngine.createProcessInstance(processDefinitionId, executionContext); // keep process instance id in protocol pending-request pendingReq.setProcessInstanceId(processInstanceId); //store pending-request requestStoreage.storePendingRequest(pendingReq); // start process processEngine.start(pendingReq); } catch (ProcessExecutionException e) { Throwable cause = e.getCause(); if (cause != null && cause instanceof TaskExecutionException) { Throwable taskCause = cause.getCause(); if (taskCause != null && taskCause instanceof MOAIDException) { MOAIDException moaTaskCause = (MOAIDException) taskCause; Logger.warn(taskCause); throw moaTaskCause; } } throw new MOAIDException("process.01", new Object[] { pendingReq.getProcessInstanceId(), pendingReq.getRequestID() }, e); } } private void performSingleLogOut(HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthenticationSession session, PVPTargetConfiguration pvpReq, String authURL) throws MOAIDException { String pvpSLOIssuer = null; String inboundRelayState = null; String uniqueSessionIdentifier = "notSet"; String uniqueTransactionIdentifier = "notSet"; Logger.debug("Start technical Single LogOut process ... "); if (pvpReq != null) { MOARequest samlReq = (MOARequest) pvpReq.getRequest(); LogoutRequest logOutReq = (LogoutRequest) samlReq.getSamlRequest(); pvpSLOIssuer = logOutReq.getIssuer().getValue(); inboundRelayState = samlReq.getRelayState(); uniqueSessionIdentifier = pvpReq.getUniqueSessionIdentifier(); uniqueTransactionIdentifier = pvpReq.getUniqueTransactionIdentifier(); } else { AuthenticationSessionExtensions sessionExt; try { sessionExt = authenticatedSessionStore.getAuthenticationSessionExtensions(session.getSessionID()); if (sessionExt != null) uniqueSessionIdentifier = sessionExt.getUniqueSessionId(); } catch (MOADatabaseException e) { Logger.error("Error during database communication. Can not evaluate 'uniqueSessionIdentifier'", e); } uniqueTransactionIdentifier = Random.nextLongRandom(); revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_IDP_SLO_REQUESTED); } //store active OAs to SLOContaine List dbOAs = authenticatedSessionStore.getAllActiveOAFromMOASession(session); List dbIDPs = authenticatedSessionStore.getAllActiveIDPsFromMOASession(session); SLOInformationContainer sloContainer = new SLOInformationContainer(); sloContainer.setTransactionID(uniqueTransactionIdentifier); sloContainer.setSessionID(uniqueSessionIdentifier); sloContainer.setSloRequest(pvpReq); sloBuilder.parseActiveIDPs(sloContainer, dbIDPs, pvpSLOIssuer); sloBuilder.parseActiveOAs(sloContainer, dbOAs, pvpSLOIssuer); Logger.debug("Active SSO Service-Provider: " + " BackChannel:" + sloContainer.getActiveBackChannelOAs().size() + " FrontChannel:" + sloContainer.getActiveFrontChannalOAs().size() + " NO_SLO_Support:" + sloContainer.getSloFailedOAs().size()); //terminate MOASession try { authenticatedSessionStore.destroyInternalSSOSession(session.getSessionID()); ssoManager.deleteSSOSessionID(httpReq, httpResp); revisionsLogger.logEvent(MOAIDEventConstants.SESSION_DESTROYED, uniqueSessionIdentifier); Logger.debug("Active SSO Session on IDP is remove."); } catch (MOADatabaseException e) { Logger.warn("Delete MOASession FAILED."); sloContainer.putFailedOA(pvpReq.getAuthURL()); } Logger.trace("Starting Service-Provider logout process ... "); revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_STARTED); //start service provider back channel logout process Iterator nextOAInterator = sloContainer.getNextBackChannelOA(); while (nextOAInterator.hasNext()) { SLOInformationImpl sloDescr = sloContainer.getBackChannelOASessionDescripten(nextOAInterator.next()); LogoutRequest sloReq = sloBuilder.buildSLORequestMessage(sloDescr); try { Logger.trace("Send backchannel SLO Request to " + sloDescr.getSpEntityID()); List soapResp = MOASAMLSOAPClient.send(sloDescr.getServiceURL(), sloReq); LogoutResponse sloResp = null; for (XMLObject el : soapResp) { if (el instanceof LogoutResponse) sloResp = (LogoutResponse) el; } if (sloResp == null) { Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() + " FAILED. NO LogOut response received."); sloContainer.putFailedOA(sloDescr.getSpEntityID()); } else { samlVerificationEngine.verifySLOResponse(sloResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); } sloBuilder.checkStatusCode(sloContainer, sloResp); } catch (SOAPException e) { Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() + " FAILED.", e); sloContainer.putFailedOA(sloDescr.getSpEntityID()); } catch (SecurityException | InvalidProtocolRequestException e) { Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() + " FAILED.", e); sloContainer.putFailedOA(sloDescr.getSpEntityID()); } } //start service provider front channel logout process try { if (sloContainer.hasFrontChannelOA()) { String relayState = Random.nextRandom(); Collection> sloDescr = sloContainer.getFrontChannelOASessionDescriptions(); List sloReqList = new ArrayList(); for (Entry el : sloDescr) { Logger.trace("Build frontChannel SLO Request for " + el.getValue().getSpEntityID()); LogoutRequest sloReq = sloBuilder.buildSLORequestMessage(el.getValue()); try { sloReqList.add(sloBuilder.getFrontChannelSLOMessageURL(el.getValue().getServiceURL(), el.getValue().getBinding(), sloReq, httpReq, httpResp, relayState)); } catch (Exception e) { Logger.warn("Failed to build SLO request for OA:" + el.getKey()); sloContainer.putFailedOA(el.getKey()); } } //put SLO process-information into transaction storage transactionStorage.put(relayState, sloContainer, -1); if (MiscUtil.isEmpty(authURL)) authURL = pvpReq.getAuthURL(); String timeOutURL = authURL + "/idpSingleLogout" + "?restart=" + relayState; DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( authURL, DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, null); config.putCustomParameterWithOutEscaption("redirectURLs", sloReqList); config.putCustomParameterWithOutEscaption("timeoutURL", timeOutURL); config.putCustomParameter("timeout", SLOTIMEOUT); guiBuilder.build(httpResp, config, "Single-LogOut GUI"); } else { if (pvpReq != null) { //send SLO response to SLO request issuer SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq); LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs()); sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq); } else { //print SLO information directly DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( authURL, DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, null); if (sloContainer.getSloFailedOAs() == null || sloContainer.getSloFailedOAs().size() == 0) { revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_ALL_VALID); config.putCustomParameter("successMsg", MOAIDMessageProvider.getInstance().getMessage("slo.00", null)); } else { revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); config.putCustomParameterWithOutEscaption("errorMsg", MOAIDMessageProvider.getInstance().getMessage("slo.01", null)); } guiBuilder.build(httpResp, config, "Single-LogOut GUI"); } } } catch (GUIBuildException e) { Logger.warn("Can not build GUI:'Single-LogOut'. Msg:" + e.getMessage()); throw new MOAIDException("builder.09", new Object[]{e.getMessage()}, e); } catch (MOADatabaseException e) { Logger.error("MOA AssertionDatabase ERROR", e); if (pvpReq != null) { SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq); LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq); revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); }else { //print SLO information directly DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( authURL, DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, null); revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); config.putCustomParameterWithOutEscaption("errorMsg", MOAIDMessageProvider.getInstance().getMessage("slo.01", null)); try { guiBuilder.build(httpResp, config, "Single-LogOut GUI"); } catch (GUIBuildException e1) { Logger.warn("Can not build GUI:'Single-LogOut'. Msg:" + e.getMessage()); throw new MOAIDException("builder.09", new Object[]{e.getMessage()}, e); } } } catch (Exception e) { // TODO Auto-generated catch block e.printStackTrace(); } } }