/******************************************************************************* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. 
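 *******************************************************************************/
package at.gv.egovernment.moa.id.protocols.saml1;

import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringEscapeUtils;

import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet;
import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.id.moduls.IModulInfo;
import at.gv.egovernment.moa.id.moduls.IRequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.URLEncoder;

/**
 * Protocol module for SAML 1 authentication requests.
 *
 * <p>Responsibilities visible here: pre-processing of an incoming SAML 1 request
 * (parameter validation and lookup of the online application, {@link #preProcess}),
 * dispatching of the single supported action ({@link #GETARTIFACT}), and, where the
 * online application is configured for it, delivery of error assertions via redirect
 * ({@link #generateErrorMessage}).
 */
public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants {

  public static final String NAME = SAML1Protocol.class.getName();
  public static final String PATH = "id_saml1";

  /** Name of the only action this module registers. */
  public static final String GETARTIFACT = "GetArtifact";

  /** PVP attribute names requested by default in an inter-federation scenario. */
  public static final List<String> DEFAULTREQUESTEDATTRFORINTERFEDERATION = Arrays.asList(
      PVPConstants.BPK_NAME,
      PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME,
      PVPConstants.GIVEN_NAME_NAME,
      PVPConstants.PRINCIPAL_NAME_NAME,
      PVPConstants.BIRTHDATE_NAME,
      PVPConstants.EID_CCS_URL_NAME,
      PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME,
      PVPConstants.EID_IDENTITY_LINK_NAME,
      PVPConstants.EID_SOURCE_PIN_NAME,
      PVPConstants.EID_SOURCE_PIN_TYPE_NAME);

  /** Action name -> action implementation; populated once in the static initializer. */
  private static final Map<String, IAction> actions = new HashMap<String, IAction>();

  // Declared BEFORE the static block on purpose: static initializers run in textual order,
  // and a trailing "instance = null" field initializer would undo the assignment made below.
  private static SAML1Protocol instance;

  static {
    actions.put(GETARTIFACT, new GetArtifactAction());
    instance = new SAML1Protocol();
  }

  /**
   * Returns the shared module instance, creating it if the static initializer has not
   * (or could not) do so.
   *
   * @return the singleton {@code SAML1Protocol}
   */
  public static SAML1Protocol getInstance() {
    if (instance == null) {
      instance = new SAML1Protocol();
    }
    return instance;
  }

  public String getName() {
    return NAME;
  }

  public String getPath() {
    return PATH;
  }

  /**
   * Validates the incoming SAML 1 request parameters and resolves the online application.
   *
   * <p>Checks, in order: SAML 1 is globally enabled; an OA URL is present (either via
   * {@code PARAM_OA} or, per the SAML 1 usage in this product, via a {@code PARAM_TARGET}
   * value starting with {@code http}); the OA URL and source ID pass
   * {@link ParamValidatorUtils}; the OA exists in the configuration and has SAML 1 enabled.
   * The {@code target} sent by the client is never used for the result - the target is
   * always taken from the OA configuration.
   *
   * @param request the HTTP request carrying the SAML 1 parameters
   * @param response unused here
   * @param action the requested action name (unused here)
   * @return the populated {@link SAML1RequestImpl}
   * @throws ProtocolNotActiveException if SAML 1 is disabled in the configuration
   * @throws WrongParametersException if the OA URL is missing/invalid or the source ID is invalid
   * @throws InvalidProtocolRequestException if the OA is unknown or not enabled for SAML 1
   * @throws MOAIDException for other configuration errors
   */
  public IRequest preProcess(HttpServletRequest request, HttpServletResponse response,
      String action) throws MOAIDException {

    if (!AuthConfigurationProvider.getInstance().getAllowedProtocols().isSAML1Active()) {
      Logger.info("SAML1 is deaktivated!");
      throw new ProtocolNotActiveException("auth.22", new Object[] { "SAML 1" });
    }

    SAML1RequestImpl config = new SAML1RequestImpl();

    // oaURL is deliberately NOT HTML-escaped (escaping would alter the URL and break the
    // configuration lookup); it is constrained by ParamValidatorUtils.isValidOA below instead.
    String oaURL = request.getParameter(PARAM_OA);

    String target = request.getParameter(PARAM_TARGET);
    target = StringEscapeUtils.escapeHtml(target);

    String sourceID = request.getParameter(PARAM_SOURCEID);
    sourceID = StringEscapeUtils.escapeHtml(sourceID);

    // In the SAML 1 standard the target parameter is used to define the OA.
    if (target != null && target.startsWith("http")) {
      oaURL = target;
      target = null;
    }

    if (MiscUtil.isEmpty(oaURL)) {
      Logger.info("Receive SAML1 request with no OA parameter. Authentication STOPPED!");
      throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12");
    }

    if (!ParamValidatorUtils.isValidOA(oaURL)) {
      throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12");
    }

    config.setOAURL(oaURL);
    Logger.info("Dispatch SAML1 Request: OAURL=" + oaURL);

    if (!ParamValidatorUtils.isValidSourceID(sourceID)) {
      throw new WrongParametersException("StartAuthentication", PARAM_SOURCEID, "auth.12");
    }

    // Load the target only from the OA configuration, never from the request.
    OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
        .getOnlineApplicationParameter(oaURL);
    if (oaParam == null) {
      throw new InvalidProtocolRequestException("auth.00", new Object[] { null });
    }

    OASAML1 saml1 = oaParam.getSAML1Parameter();
    // isIsActive() is nullable (generated config type), so a missing flag counts as inactive.
    if (saml1 == null || !Boolean.TRUE.equals(saml1.isIsActive())) {
      Logger.info("Online-Application " + oaURL + " can not use SAML1 for authentication.");
      throw new InvalidProtocolRequestException("auth.00", new Object[] { null });
    }

    config.setSourceID(sourceID);
    config.setTarget(oaParam.getTarget());

    return config;
  }

  /**
   * Delivers an error to the online application as a SAML 1 error assertion, if the OA is
   * configured to receive all errors ({@code provideAllErrors}).
   *
   * <p>The assertion is built by {@link SAML1AuthenticationServer#BuildErrorAssertion} and the
   * browser is redirected to the local {@code RedirectServlet} with the OA URL and the SAML
   * artifact as URL-encoded parameters. The OA URL is expected to have passed
   * {@link ParamValidatorUtils#isValidOA} in {@link #preProcess}.
   *
   * @param e the error to report
   * @param request the current HTTP request (unused here)
   * @param response the HTTP response that receives the 302 redirect
   * @param protocolRequest the pre-processed request identifying the OA
   * @return {@code true} if a redirect was written, {@code false} if the OA is unknown, has no
   *     SAML 1 configuration, or is not configured to receive all errors (caller must render
   *     the generic error page)
   * @throws Throwable propagated from assertion building or encoding
   */
  public boolean generateErrorMessage(Throwable e, HttpServletRequest request,
      HttpServletResponse response, IRequest protocolRequest) throws Throwable {

    OAAuthParameter oa = AuthConfigurationProvider.getInstance()
        .getOnlineApplicationParameter(protocolRequest.getOAURL());

    // The OA or its SAML 1 block may be absent (e.g. configuration changed since preProcess);
    // without it no error assertion can be built, so fall back to the generic error handling.
    // Boolean.TRUE.equals(...) also copes with a nullable wrapper return type.
    if (oa == null || oa.getSAML1Parameter() == null
        || !Boolean.TRUE.equals(oa.getSAML1Parameter().isProvideAllErrors())) {
      return false;
    }

    SAML1AuthenticationServer saml1authentication = SAML1AuthenticationServer.getInstace();
    String samlArtifactBase64 = saml1authentication.BuildErrorAssertion(e, protocolRequest);

    String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet";
    url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL,
        URLEncoder.encode(protocolRequest.getOAURL(), "UTF-8"));
    url = addURLParameter(url, PARAM_SAMLARTIFACT,
        URLEncoder.encode(samlArtifactBase64, "UTF-8"));
    url = response.encodeRedirectURL(url);

    response.setContentType("text/html");
    response.setStatus(302);
    response.addHeader("Location", url);
    Logger.debug("REDIRECT TO: " + url);

    return true;
  }

  /**
   * Looks up the action registered under the given name.
   *
   * @param action the action name
   * @return the action, or {@code null} if none is registered under that name
   */
  public IAction getAction(String action) {
    return actions.get(action);
  }

  /**
   * This module does not claim requests by inspecting them.
   *
   * @return always {@code null}
   */
  public IAction canHandleRequest(HttpServletRequest request, HttpServletResponse response) {
    return null;
  }

  /**
   * No additional validation is performed for SAML 1 pending requests.
   *
   * @return always {@code true}
   */
  public boolean validate(HttpServletRequest request, HttpServletResponse response,
      IRequest pending) {
    return true;
  }

  /**
   * Appends a {@code name=value} pair to a URL, using {@code ?} if the URL has no query
   * string yet and {@code &} otherwise.
   *
   * <p>Neither name nor value is encoded here; callers pass already URL-encoded values.
   *
   * @param url the URL to extend
   * @param paramname the parameter name
   * @param paramvalue the (already encoded) parameter value
   * @return the extended URL
   */
  protected static String addURLParameter(String url, String paramname, String paramvalue) {
    String param = paramname + "=" + paramvalue;
    if (url.indexOf('?') < 0) {
      return url + "?" + param;
    }
    return url + "&" + param;
  }
}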